SO-CON 2020

Josh Prager

The complexity of defensive tooling in the current industry can produce an abundance of alerts that are often dismissed without substantial justification. With the necessary context added to alert event data, we can pin down exactly what the analyst needs to know to properly prioritize and triage alerts. In this talk, we'll describe our approach to prioritizing composite event fields and defining a score so that alerts can be addressed programmatically. We will show how posing questions against the composite events, and scoring those same questions, can alter the priority list of alerts as they come into the queue.
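As an added illustration of the approach the abstract describes (not code from the talk or its authors), the sketch below encodes triage "questions" as predicates over context-enriched composite event fields, weights each one, and re-orders an alert queue by the resulting score; the alerts, field names and weights are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample alerts: raw detection fields plus enrichment context
# (asset tier, user privilege, how often this rule fired recently).
ALERTS = [
    {"id": "A1", "rule": "powershell_encoded_cmd", "host": "ws-042", "user": "jdoe",
     "asset_tier": "workstation", "user_is_admin": False, "prior_hits_24h": 3},
    {"id": "A2", "rule": "new_service_installed", "host": "dc-01", "user": "svc_backup",
     "asset_tier": "domain_controller", "user_is_admin": True, "prior_hits_24h": 0},
    {"id": "A3", "rule": "powershell_encoded_cmd", "host": "build-07", "user": "ci",
     "asset_tier": "server", "user_is_admin": False, "prior_hits_24h": 40},
]


@dataclass(frozen=True)
class Question:
    """A triage question an analyst would ask, expressed as a test over
    the composite event, with the weight it adds when answered 'yes'."""
    text: str
    test: Callable[[dict], bool]
    weight: int


# Hypothetical question set; weights are illustrative, not a recommendation.
QUESTIONS = (
    Question("Is the asset a domain controller?",
             lambda e: e["asset_tier"] == "domain_controller", 40),
    Question("Is the user privileged?", lambda e: e["user_is_admin"], 25),
    Question("Is this rule rare on this host (fewer than 5 hits in 24h)?",
             lambda e: e["prior_hits_24h"] < 5, 20),
    Question("Does the rule indicate obfuscated command execution?",
             lambda e: "encoded" in e["rule"], 15),
)


def score_alert(alert: dict, questions=QUESTIONS) -> tuple[int, list[str]]:
    """Return the alert's score and the questions that answered 'yes',
    so the analyst sees why it was ranked where it was."""
    answered = [q for q in questions if q.test(alert)]
    return sum(q.weight for q in answered), [q.text for q in answered]


def prioritize(alerts: list[dict], questions=QUESTIONS) -> list[dict]:
    """Re-order the incoming queue by score (highest first), ties by id."""
    scored = []
    for alert in alerts:
        score, why = score_alert(alert, questions)
        scored.append({**alert, "score": score, "why": why})
    return sorted(scored, key=lambda a: (-a["score"], a["id"]))


if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(a["id"], a["score"], a["why"])
```

Arrival order is A1, A2, A3, but the scored queue puts the domain-controller alert A2 first and the noisy build-server alert A3 last.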