Purple Team Strategies by David Routin Simon Thoores and Samuel Rossier

Author:David Routin, Simon Thoores, and Samuel Rossier
Language: eng
Format: epub
Publisher: Packt Publishing Ltd.
Published: 2022-05-19T00:00:00+00:00

This is not intended to be an exhasutive list of criteria but only some of the questions and features that may impact our organization collection and correlation capabilities.

Tips and Tricks

Handling a large volume of AV/EDR alerts can be done using multiple approaches. The first one relies on the analysis of the events already generated, such as severity level, types of threats, and whether blocked or not. For example, we want to generate an alert for each High severity event or Sigma rule match (pattern approach). First, we should review and assess the volume of potential alerts. Another approach will be described in the next chapter (in the SIEM section) and is based on both aggregation (counting distinct alerts over 24 hours by host) and frequency detection (for example, a malicious program was removed but the same threat came back the next day). So, the best way for AV/EDR alerting and triaging is a combination of both pattern matching and a statistical approach.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.