14
c/cybersecurity-ops · angela_park · 16d ago · Prolific Poster

Vent: Coworker said my detection rules were too noisy, he was right

I had this rule that flagged any login from a new IP, caught 200 alerts a day. Nobody looked at them after the first week. Now I tune everything to at least 3 failed attempts before firing. What's your threshold for ignoring false positives?
2 comments

blake_martinez
That threshold of 3 failed attempts is solid, but you might be missing patterns from insider threats or credential stuffing where they get the password right on the first try... Another angle is to look at the time of day and geo-location together, like a login from a totally different continent within an hour of a normal one. Pairing those two things cuts my noise way down without needing to wait for failures. Also consider the user's role: a developer logging in at 3am is normal, but an accountant doing the same thing might be worth a peek.
5
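As an added example that is not part of the thread, the script below puts the OP's original "any login from a new IP" rule and the tuned "3 failed attempts" rule beside the two ideas in blake_martinez's reply (pair time and geo, and baseline by role), and runs all four over the same constructed sample log so the alert counts can be compared. The log lines, the user-to-role directory, the working-hour windows and the 900 km/h travel limit are all assumptions made for the example, not values from the thread.

```python
"""Compare four login-alert rules over one constructed auth log (example, not from the thread)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool      # True for a successful login, False for a failure
    lat: float
    lon: float


def parse(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp> <user> <ip> success|failure <lat> <lon>'."""
    ts, user, ip, result, lat, lon = line.split()
    return Event(datetime.fromisoformat(ts), user, ip, result == "success", float(lat), float(lon))


# Constructed sample log (assumption). Lat/lon are assumed to be pre-enriched from the source IP.
LOG = """\
2024-03-01T09:00:00 alice 203.0.113.10 success 40.71 -74.01
2024-03-01T09:05:00 alice 203.0.113.11 success 40.71 -74.01
2024-03-01T09:30:00 alice 198.51.100.7 success 48.86 2.35
2024-03-01T10:00:00 bob 192.0.2.20 failure 34.05 -118.24
2024-03-01T10:01:00 bob 192.0.2.20 failure 34.05 -118.24
2024-03-01T10:02:00 bob 192.0.2.20 failure 34.05 -118.24
2024-03-01T10:03:00 bob 192.0.2.20 success 34.05 -118.24
2024-03-01T03:00:00 carol 192.0.2.30 success 51.51 -0.13
2024-03-01T03:05:00 dave 192.0.2.40 success 51.51 -0.13
"""

# Assumed role directory and per-role normal working hours (developers: any hour).
ROLES = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "developer"}
NORMAL_HOURS = {"finance": range(7, 20), "developer": range(0, 24)}


def rule_new_ip(events):
    """The OP's original rule: alert on every successful login from an IP the user has not used before."""
    seen, alerts = defaultdict(set), []
    for e in events:
        if e.ok and e.ip not in seen[e.user]:
            seen[e.user].add(e.ip)
            alerts.append((e.ts, e.user, "new-ip"))
    return alerts


def rule_failed_threshold(events, threshold=3, window=timedelta(minutes=10)):
    """The OP's tuned rule: alert once a user accumulates `threshold` failures inside `window`."""
    recent, alerts = defaultdict(list), []
    for e in events:
        if e.ok:
            continue
        recent[e.user] = [t for t in recent[e.user] if e.ts - t <= window] + [e.ts]
        if len(recent[e.user]) >= threshold:
            alerts.append((e.ts, e.user, "failed-threshold"))
            recent[e.user].clear()  # one burst of failures raises one alert
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def rule_impossible_travel(events, max_kmh=900.0):
    """Time paired with geo: alert when consecutive successful logins imply travel faster than max_kmh.
    Two logins at the same instant from different places also trigger (distance > 0 = speed * 0 hours)."""
    last, alerts = {}, []
    for e in events:
        if not e.ok:
            continue
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            if haversine_km(prev.lat, prev.lon, e.lat, e.lon) > max_kmh * hours:
                alerts.append((e.ts, e.user, "impossible-travel"))
        last[e.user] = e
    return alerts


def rule_off_hours(events, roles=ROLES, normal_hours=NORMAL_HOURS):
    """Role-based baseline: a successful login outside the user's role's normal hours. Unknown roles
    fall back to the 07:00-19:59 window, so an unmapped account at 3am still gets a look."""
    return [(e.ts, e.user, "off-hours") for e in events
            if e.ok and e.ts.hour not in normal_hours.get(roles.get(e.user, ""), range(7, 20))]


def alert_counts(log=LOG):
    """Run every rule over the log (sorted by time) and return alerts per rule."""
    events = sorted((parse(l) for l in log.splitlines() if l.strip()), key=lambda e: e.ts)
    return {
        "new-ip": len(rule_new_ip(events)),
        "failed-threshold": len(rule_failed_threshold(events)),
        "impossible-travel": len(rule_impossible_travel(events)),
        "off-hours": len(rule_off_hours(events)),
    }


if __name__ == "__main__":
    for rule, n in alert_counts().items():
        print(f"{rule:18} {n} alert(s)")
```

On the nine constructed lines the new-IP rule fires six times (every first-seen address, including each user's very first login), while the failure-threshold rule fires once for bob's burst, the travel rule fires once for alice's New York to Paris hop inside 25 minutes, and the off-hours rule fires only for carol, because dave's 3am login is within his role's normal window. The failed-threshold rule alone would have said nothing about alice, which is the gap the time-plus-geo check covers.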
the_tara · 16d ago
Wait, you actually have developers who log in at 3am and it's normal? That's wild to me. In my world, nobody is logging on at that hour unless something's on fire or they're up to no good. I get what you're saying about role-based monitoring though, that's smart. It just never occurred to me that some places have folks working all hours like that and it's completely okay. I'd probably flag every single 3am login out of reflex if I was setting up the alerts.
7