Reporting

Five Ws: Who, what, when, where, and why.

Core Metrics

• Alert Counts (AC): AC = Total Count of Alerts Received
• False Positive Rate (FPR): FPR = False Positives / Total Alerts
• Alert Escalation Rate (AER): AER = Escalated Alerts / Total Alerts
• Threat Detection Response (TDR): TDR = Detected Threats / Total Threats

SLA: document signed by internal SOC team and company management or my MSSP and its customers.

• Threat detection measured by MTTD
• Alert acknowledgement measured by MTTA
• Response measured by MTTR

Ways to improve: exclude system updates and trusted activities. Automate alerts using custom scripts, tune detection rules, make sure logs are being collected in real-time without a delay. Evenly distribute alerts between analysts. Escalate as quickly as possible, use workbooks.

Workbooks: defines step required in an investigation.

EDR

Endpoint Detection and Response.

• Deep-level protection to endpoints
• Visibility → Detection → Response

Visibility:

• Process modification, registry modifications, file and folder modifications, user actions, etc. Analyst can see entire process tree.