Details

Join us for a meetup on November 19th in our Elastic office in Amsterdam! Doors open at 17.45 and the presentations begin at 18.00. Food, refreshments, and networking to follow. We wrap up around 20.00.

We are rating our talks as follows:
🟢 = Beginner content
🟡 = Intermediate content
🔵 = Expert content

Address: Elastic's office, Keizersgracht 281, 1016 ED Amsterdam

Agenda:
17.45: Doors open
18.00: Alert Fatigue Therapy: How to Write Detection Rules That Don’t Suck
18.45: Catching up with the latest Detection Engineering developments in Elastic Security
19.30: Networking, food with drinks
20.00: Wrap up

Talks:
Alert Fatigue Therapy: How to Write Detection Rules That Don’t Suck
False positives burn out analysts. False negatives burn down businesses. Every detection rule we write lives in the tension between those two extremes.

In this talk, we’ll explore what it really means to write great rules: not just technically sound ones, but sustainable ones. We’ll unpack how false positives and false negatives are inseparably linked, why perfect rules don’t exist, and how the smartest SOCs continuously tune, test, and enrich their analytics to reach higher fidelity.

You’ll also see how data enrichment, contextual correlation, and thoughtful rule design can transform noisy detections into trusted analytics, improving not only accuracy but also analyst confidence and overall SOC health. And of course, we’ll showcase some of these capabilities in action with Elastic Security!

Key Takeaways:
• Cut the noise: balance false positives and missed detections.
• Use context and enrichment to turn alerts into insights.
• Build rules that analysts trust — tested, tuned, and efficient.

Speaker: Marvin Ngoma, Principal Solutions Architect, Elastic
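The abstract and takeaways above talk about the false-positive/false-negative trade-off, tuning and enrichment in the abstract. The script below is an added illustration written for this page, not material from the talk or from Elastic: it runs three versions of one detection rule (encoded PowerShell launches) over a handful of constructed, labelled process events, scores each version, and shows how enrichment (a known automation parent, a service-account list, an asset inventory) both suppresses the routine noise and gives the analyst context on what remains. The events, hostnames, account names and allowlists are all invented for the example.

```python
"""Toy detection-rule tuning: naive vs over-tuned vs enriched, scored on labelled events.

Everything here is constructed for illustration. Field names loosely follow
ECS-style process events, but this is not Elastic code or an Elastic rule.
"""
from typing import Callable, Dict, List

# Constructed sample process-creation events with ground-truth labels.
EVENTS: List[Dict] = [
    {"id": 1, "host": "ws-017", "user": "alice", "parent": "winword.exe",
     "process": "powershell.exe", "args": "-nop -w hidden -enc SQBFAFgA", "malicious": True},
    {"id": 2, "host": "srv-sccm1", "user": "svc_sccm", "parent": "ccmexec.exe",
     "process": "powershell.exe", "args": "-enc UwBlAHQA", "malicious": False},
    # Help-desk one-off script: benign, but superficially identical to event 5.
    {"id": 3, "host": "ws-042", "user": "bob", "parent": "cmd.exe",
     "process": "powershell.exe", "args": "-enc UwBlAHQA", "malicious": False},
    {"id": 4, "host": "ws-023", "user": "carol", "parent": "explorer.exe",
     "process": "powershell.exe", "args": "Get-ChildItem", "malicious": False},
    # Stolen service-account credentials used outside the management agent.
    {"id": 5, "host": "srv-fs01", "user": "svc_sccm", "parent": "cmd.exe",
     "process": "powershell.exe", "args": "-enc SQBFAFgA -nop", "malicious": True},
    {"id": 6, "host": "ws-099", "user": "dave", "parent": "outlook.exe",
     "process": "powershell.exe", "args": "-enc SQBFAFgA", "malicious": True},
    {"id": 7, "host": "ws-031", "user": "erin", "parent": "ccmexec.exe",
     "process": "powershell.exe", "args": "-enc UwBlAHQA", "malicious": False},
]

# Constructed enrichment sources (in practice: CMDB, IAM export, EDR allowlists).
KNOWN_AUTOMATION_PARENTS = {"ccmexec.exe"}          # endpoint-management agent
SERVICE_ACCOUNTS = {"svc_sccm"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ASSET_INVENTORY = {"srv-sccm1": "management server", "srv-fs01": "file server"}

Rule = Callable[[Dict], bool]


def base_condition(e: Dict) -> bool:
    """The raw signal: PowerShell launched with an encoded command."""
    return e["process"] == "powershell.exe" and "-enc" in e["args"]


def rule_naive(e: Dict) -> bool:
    """Fires on every encoded PowerShell launch; high recall, lots of noise."""
    return base_condition(e)


def rule_overtuned(e: Dict) -> bool:
    """Silences service accounts and the management agent wholesale.
    Quieter, but the stolen-credential case (event 5) is now invisible."""
    return (base_condition(e)
            and e["user"] not in SERVICE_ACCOUNTS
            and e["parent"] not in KNOWN_AUTOMATION_PARENTS)


def rule_enriched(e: Dict) -> bool:
    """Suppresses only the specific benign pattern (agent-spawned PowerShell).
    Service-account use from any other parent still fires."""
    return base_condition(e) and e["parent"] not in KNOWN_AUTOMATION_PARENTS


def evaluate(rule: Rule, events: List[Dict] = EVENTS) -> Dict[str, float]:
    """Confusion counts plus precision/recall for one rule over labelled events."""
    tp = sum(1 for e in events if rule(e) and e["malicious"])
    fp = sum(1 for e in events if rule(e) and not e["malicious"])
    fn = sum(1 for e in events if not rule(e) and e["malicious"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 2), "recall": round(recall, 2)}


def triage(e: Dict) -> Dict[str, str]:
    """Attach context to a firing event so the analyst sees why it matters.
    The residual false positive (event 3) lands at 'medium' with a plain reason,
    so it can be closed quickly instead of competing with the real hits."""
    ctx = {"id": e["id"], "host": e["host"],
           "host_role": ASSET_INVENTORY.get(e["host"], "workstation")}
    if e["parent"] in OFFICE_APPS:
        ctx.update(severity="high", reason="encoded PowerShell spawned by an Office application")
    elif e["user"] in SERVICE_ACCOUNTS:
        ctx.update(severity="high", reason="service account used outside its management agent")
    else:
        ctx.update(severity="medium", reason="encoded PowerShell from an unrecognised parent")
    return ctx


if __name__ == "__main__":
    for name, rule in [("naive", rule_naive), ("overtuned", rule_overtuned),
                       ("enriched", rule_enriched)]:
        print(f"{name:10s} {evaluate(rule)}")
    for e in EVENTS:
        if rule_enriched(e):
            print(triage(e))
```

The three scores make the abstract's point concrete: the naive rule catches everything at 50% precision, the over-tuned rule buys silence by losing the stolen-credential case, and the enriched rule keeps full recall with one residual false positive that triage context explains in one line. The residual is the price of not going blind, which is why tuning is a loop rather than a one-off.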

Catching up with the latest Detection Engineering developments in Elastic Security
More details to follow soon.
