EP149 Canned Detections: From Educational Samples to Production-Ready Code

Topics covered:

• In your experience, past and present, what would make clients trust vendor detection content?
• Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?
• What is more important, seeing the detection or being able to change it, or both?
• If this is about seeing the detection code/content, what about ML and algorithms?
• What about the SOC analysts who don't read the code?
• What about “tuning” - is tuning detections a bad word now in 2023?
• Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?