Pinned Tweet
SpecterSignal
49 posts

SpecterSignal
@SpecterSignal
Senior SOC Analyst | Detection Engineering Turning noise into high-fidelity signal Alert tuning • SOC optimization • IR strategy
Security Operations · Joined February 2026
81 Following · 7 Followers

Generic triggers. Broad conditions. Lots of noise.
Tuning is what sharpens them:
• Adjust thresholds
• Refine logic
• Add context
• Remove known noise
Better tuning = clearer signal.
If you’re not tuning, you’re guessing.
#SIEM #DetectionEngineering #SOC #SpecterSignal
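The four tuning moves in the post above, shown as code. This is an added example rather than anything from the SpecterSignal account: a failed-logon rule in its broad form next to the same rule after tuning. The events, field names (`user`, `src`, `outcome`), threshold and the `svc_backup` noise entry are all constructed for the example.

```python
"""Failed-logon detection: the broad 'untuned' rule next to a tuned version.

Added example; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_events():
    """Constructed sample authentication events (hypothetical field names)."""
    base = datetime.fromisoformat("2026-02-10T09:00:00")
    events = []
    # Known noise: a service account whose stale credential fails once a minute.
    for i in range(10):
        events.append({"ts": base + timedelta(minutes=i), "user": "svc_backup",
                       "src": "10.0.0.5", "outcome": "failure"})
    # Benign: a user mistypes twice, then logs in.
    events += [
        {"ts": base + timedelta(minutes=1), "user": "alice", "src": "10.0.1.20", "outcome": "failure"},
        {"ts": base + timedelta(minutes=1, seconds=20), "user": "alice", "src": "10.0.1.20", "outcome": "failure"},
        {"ts": base + timedelta(minutes=1, seconds=40), "user": "alice", "src": "10.0.1.20", "outcome": "success"},
    ]
    # Suspicious: six failures in under three minutes from one source, then a success.
    for i in range(6):
        events.append({"ts": base + timedelta(minutes=2, seconds=30 * i), "user": "bob",
                       "src": "203.0.113.7", "outcome": "failure"})
    events.append({"ts": base + timedelta(minutes=6), "user": "bob",
                   "src": "203.0.113.7", "outcome": "success"})
    return sorted(events, key=lambda e: e["ts"])


def untuned_rule(events):
    """Generic trigger: every failed logon becomes its own alert."""
    return [e for e in events if e["outcome"] == "failure"]


def tuned_rule(events, threshold=5, window=timedelta(minutes=5),
               known_noise=frozenset({"svc_backup"})):
    """The same detection after tuning:
    - adjust threshold: at least `threshold` failures per (user, source) inside `window`
    - refine logic: one alert per (user, source) pair, not one per event
    - add context: whether a success followed the burst (a spray that worked matters most)
    - remove known noise: accounts the SOC already investigated are suppressed
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        if user in known_noise:
            continue
        failures = [e["ts"] for e in evs if e["outcome"] == "failure"]
        for i, start in enumerate(failures):
            in_window = [t for t in failures[i:] if t - start <= window]
            if len(in_window) >= threshold:
                followed = any(e["outcome"] == "success" and e["ts"] >= start for e in evs)
                alerts.append({"user": user, "src": src, "failures": len(in_window),
                               "first_seen": start.isoformat(),
                               "followed_by_success": followed})
                break  # one alert per pair; the analyst sees the whole picture once
    return alerts


if __name__ == "__main__":
    evs = make_events()
    print(f"untuned: {len(untuned_rule(evs))} alerts")
    for a in tuned_rule(evs):
        print("tuned:", a)
```

On the constructed input the untuned rule raises 18 alerts and the tuned rule raises one, for `bob`, with the context that the burst was followed by a success. The `known_noise` set is the part that needs a written justification and a review date, since a suppression that outlives its reason is how a real burst from a service account goes unseen.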

What’s your most noisy rule right now?
Why haven’t you tuned it?
#SIEM #SOC #DetectionEngineering #CyberSecurity #SOCs #CyberSec #infosec

False positives aren’t failure.
Untuned detections are.
#SIEM #SOC #CyberSecurity #SOCs #CyberSec #infosec #SecurityAnalyst #DetectionEngineering

Tier 1 tip:
Always check:
• User
• Host
• Parent process
• Command line
That alone solves half your alerts.
#SOCAnalyst #CyberSec #SOC #infosec #DetectionEngineering

@CyberRacheal C) The file's cryptographic hash
If a single letter, number or anything else within the file is changed, the hash value will change.

A security analyst is reviewing a file that was downloaded from a vendor's portal. To ensure the file has not been altered by a Man-in-the-Middle attack during transit, which of the following should the analyst verify?
A) The file's digital certificate
B) The file's encryption key
C) The file's cryptographic hash
D) The file's metadata
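The check behind answer C, as an added example (not code from either account in the thread): hash the downloaded file and compare it with the digest the vendor publishes, and show that a single changed byte breaks the match. The file content and the "published" digest are constructed stand-ins; the published value should come from a channel the attacker cannot also rewrite, such as the vendor's HTTPS page or signed release notes, otherwise a man-in-the-middle can replace file and hash together.

```python
"""Integrity check of a downloaded file against the hash the vendor publishes.

Added example. The file content and the 'published' digest below are constructed.
"""
import hashlib
import hmac
import io


def sha256_hex(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large installer never sits in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_hex(io.BytesIO(data))


def verify_download(data: bytes, published_hex: str) -> bool:
    """True only if the SHA-256 of `data` equals the published digest.
    compare_digest keeps the comparison time independent of how many
    leading characters happen to match."""
    return hmac.compare_digest(sha256_of_bytes(data), published_hex.strip().lower())


# Constructed stand-ins for the vendor's file and the digest listed on its portal.
ORIGINAL = b"vendor-installer-1.2.3: constructed sample content\n" * 100
PUBLISHED = sha256_of_bytes(ORIGINAL)
# One byte changed in transit: the digest no longer matches.
TAMPERED = ORIGINAL[:-1] + b"X"

if __name__ == "__main__":
    print("original verifies:", verify_download(ORIGINAL, PUBLISHED))
    print("tampered verifies:", verify_download(TAMPERED, PUBLISHED))
```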

SOC reality:
Most alerts aren’t attacks.
But the one real one looks exactly the same at first glance.
That’s the job.
Signal vs noise.
#SOC #BlueTeam #CyberSecurity #infosec #SpecterSignal

Good analysts look at alerts.
Great analysts look at behaviour chains.
Parent, child, grandparent, network, lateral movement.
Think patterns, not popups.
#ThreatHunting #SpecterSignal #BlueTeam #CyberSecurity #SOC #DetectionEngineering

1️⃣ Monitor alerts
2️⃣ Validate signal vs noise
3️⃣ Investigate context (user, host, process)
4️⃣ Correlate activity across tools
5️⃣ Decide: false positive or incident
6️⃣ Contain + document properly
It’s not watching screens.
It’s critical thinking under pressure.
#SOC #CyberSecurity

EDR sees endpoint behaviour.
It does NOT see:
• Full network traffic
• Cloud logs
• Identity-wide patterns
That’s why SIEM + EDR together = power.
#CyberSecurity #infosec #SOC #DetectionEngineering #security

Different systems log differently.
The SIEM translates all that messy data into a common format so it can be searched and correlated.
Otherwise it’s chaos.
#cyber #CyberSecurity #SOCs #CyberSec #infosec
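What "translates all that messy data into a common format" looks like in practice, as an added example that is not the post's own tooling: three constructed raw lines (a firewall syslog-style line, a JSON cloud audit event and a Windows 4625 event exported as key=value pairs) are parsed into one schema, after which a single search finds the same source IP across all three. The schema field names and the `action` vocabulary (`auth_failure`, `net_deny`, ...) are this example's own choices.

```python
"""Normalising three log formats into one schema, then searching across them.

Added example. All three raw lines are constructed; the schema is the example's own.
"""
import json
import re
from datetime import datetime, timezone

# Constructed raw lines from three sources that all mention the same source IP.
FIREWALL_LINE = "2026-02-10T09:15:02Z fw01 DENY src=203.0.113.7 dst=10.0.1.20 dport=445 proto=tcp"
CLOUD_LINE = ('{"eventTime":"2026-02-10T09:16:40Z","eventName":"ConsoleLogin",'
              '"sourceIPAddress":"203.0.113.7","userIdentity":{"userName":"bob"},'
              '"responseElements":{"ConsoleLogin":"Failure"}}')
WINDOWS_LINE = ("TimeCreated=2026-02-10T09:17:05Z EventID=4625 TargetUserName=bob "
                "IpAddress=203.0.113.7 WorkstationName=WS-22")
SAMPLE_LINES = [FIREWALL_LINE, CLOUD_LINE, WINDOWS_LINE]

_FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<verdict>ALLOW|DENY) (?P<kv>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def _kv(s):
    return dict(_KV_RE.findall(s))


def normalize(line):
    """Map one raw line to the common schema; unrecognised formats are kept, tagged 'unknown'."""
    if line.startswith("{"):                       # cloud audit event (JSON)
        d = json.loads(line)
        outcome = d.get("responseElements", {}).get(d["eventName"], "")
        return {"ts": _parse_ts(d["eventTime"]), "source": "cloud",
                "action": "auth_failure" if outcome == "Failure" else "auth_success",
                "user": d.get("userIdentity", {}).get("userName"),
                "src_ip": d.get("sourceIPAddress"), "dst_ip": None, "raw": line}
    if "EventID=" in line:                         # Windows security event, key=value export
        f = _kv(line)
        action = {"4625": "auth_failure", "4624": "auth_success"}.get(f["EventID"], "other")
        return {"ts": _parse_ts(f["TimeCreated"]), "source": "windows", "action": action,
                "user": f.get("TargetUserName"), "src_ip": f.get("IpAddress"),
                "dst_ip": f.get("WorkstationName"), "raw": line}
    m = _FW_RE.match(line)
    if m:                                          # firewall syslog-style line
        f = _kv(m["kv"])
        return {"ts": _parse_ts(m["ts"]), "source": "firewall",
                "action": "net_" + m["verdict"].lower(), "user": None,
                "src_ip": f.get("src"), "dst_ip": f.get("dst"), "raw": line}
    return {"ts": None, "source": "unknown", "action": "other", "user": None,
            "src_ip": None, "dst_ip": None, "raw": line}


def search(events, **criteria):
    """Filter normalised events on any schema field, e.g. search(evs, src_ip='203.0.113.7')."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    evs = [normalize(l) for l in SAMPLE_LINES]
    for e in search(evs, src_ip="203.0.113.7"):
        print(e["ts"].isoformat(), e["source"], e["action"], e["user"])
```

Keeping the `raw` line in every record is deliberate: normalisation loses detail, and the analyst needs the original text when the parser mapped something wrongly.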

Word spawns PowerShell, which reaches out to a random IP and downloads a payload.
That chain matters more than the file hash.
Attack patterns.
How would you investigate this?
#cyber #CyberSecurity #SOCs #CyberSec #infosec
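One answer to "how would you investigate this", as an added example that serves this post, the "behaviour chains" post and the Tier 1 tip (user, host, parent process, command line) above; it is not code from the account. Constructed endpoint telemetry (process starts plus the network connections those processes made) is correlated into a process tree, and an external connection is flagged only when the connecting process is a script host whose parent is an Office application. The finding carries exactly the Tier 1 context. Field names, the internal ranges and the documentation-range IP `203.0.113.7` standing in for the "random IP" are all assumptions of the example.

```python
"""Process-chain correlation: Office app -> script host -> external connection.

Added example; the telemetry below is constructed (hypothetical field names).
"""
from ipaddress import ip_address, ip_network

# Ranges this (constructed) organisation owns; anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed endpoint telemetry: process starts and the network connections they made.
EVENTS = [
    {"type": "process", "host": "WS-22", "user": "bob", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "WS-22", "user": "bob", "pid": 200, "ppid": 100,
     "image": "WINWORD.EXE", "cmdline": '"WINWORD.EXE" invoice.docm'},
    {"type": "process", "host": "WS-22", "user": "bob", "pid": 300, "ppid": 200,
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed>"},
    {"type": "network", "host": "WS-22", "pid": 300, "dst_ip": "203.0.113.7", "dst_port": 80},
    # Benign look-alikes: same script host with a different parent, or an internal destination,
    # or the Office app itself talking to the internet without a child process.
    {"type": "process", "host": "WS-22", "user": "bob", "pid": 400, "ppid": 100,
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
    {"type": "network", "host": "WS-22", "pid": 400, "dst_ip": "10.0.0.9", "dst_port": 443},
    {"type": "network", "host": "WS-22", "pid": 200, "dst_ip": "203.0.113.50", "dst_port": 443},
]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ancestors(procs, host, pid, depth=3):
    """Walk pid -> ppid up to `depth` levels: [process, parent, grandparent]."""
    chain, key = [], (host, pid)
    while key in procs and len(chain) < depth:
        p = procs[key]
        chain.append(p)
        key = (host, p["ppid"])
    return chain


def detect_office_script_network(events):
    """Flag external connections by a script host whose parent is an Office app,
    returning the Tier 1 context: user, host, parent, grandparent, command line."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "network" or not is_external(e["dst_ip"]):
            continue
        chain = ancestors(procs, e["host"], e["pid"])
        if len(chain) < 2:
            continue
        proc, parent = chain[0], chain[1]
        if proc["image"].lower() in SCRIPT_HOSTS and parent["image"].lower() in OFFICE_APPS:
            findings.append({
                "host": e["host"], "user": proc["user"],
                "process": proc["image"], "cmdline": proc["cmdline"],
                "parent": parent["image"],
                "grandparent": chain[2]["image"] if len(chain) > 2 else None,
                "dst": f"{e['dst_ip']}:{e['dst_port']}",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_office_script_network(EVENTS):
        print(finding)
```

The two benign look-alikes are there on purpose: the same `powershell.exe` image started from Explorer, and Word itself connecting outbound, both stay quiet, which is the point of matching on the chain rather than on the image name or the hash.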

@xmodulo Ubuntu and Debian were my first choice and I still like using both to this day.

What was your first #Linux distro, and why did you pick it?
For me it was Fedora. I knew basically nothing about Linux at the time, but the logo just clicked 😁 It also felt more up to date and actively worked on, so I figured it was a good place to start.
What about you? 🙄

@CyberRacheal It is both for sure, but most of the time it is over-complex explanations that have caused me issues and made me ask why not just make it simple and straight to the point.

Servers. Endpoints. Firewalls. Cloud apps. Identity systems.
If it makes noise, the SIEM can ingest it.
Think of it as a giant log warehouse.
#CyberSecurity #infosec #SOC #Security

Let's talk about EDR
How does it actually detect threats?
Not the marketing version. The real one.
#EDR #BlueTeam #SpecterSignal #CyberSecurity #SOC #infosec

@CyberRacheal A little from section A and a little from section B

An alert = “This matches a rule.”
Important:
An alert is NOT proof of compromise.
It’s a signal to investigate.
#SOC #CyberSecurity #SIEM #EDR
#Security

How does a SIEM actually work?
No vendor fluff. Just straight talk.
#SOC #SIEM #SpecterSignal #CyberSecurity
