
Tim MalcomVetter

Co-Founder / CEO

Instant-Triage SIEM Detections

A week ago, I posted on LinkedIn that I felt like a kid the day after Christmas, eager to play with a new toy:

[Image: Case Summary]

That “new toy” is Wirespeed’s new twist on SIEM detections. I’m excited because the most painful part of detection engineering isn’t writing the queries (although we help with that too, using AI-driven natural language queries, a type 2 decision). The painful part is deciding what to do with the alerts when they fire. That is what we’ve solved. That is the new toy on the day after Christmas.

[Image: Detection UI] We expose all the data and give you AI-enabled natural language queries in our detection UI.

# Our Special Twist

Wirespeed already has an amazing verdict engine under the hood. So when you develop a new custom detection rule:

  • we already know the category
  • we already know your detection logic
  • we already know all of the common fields to triage the detection
  • we instantly triage your new detections!

New detection rules tend to be too loose and fire more alerts than your SOC is ready to handle. So you apologize to the SOC analysts, tune the rule, lather, rinse, repeat, until it’s dialed into a reasonable level. But with Wirespeed, aggressive rules result in fully triaged alerts, grouped properly into cases, with ChatOps and automatic containment based on your preferences.

[Image: Wirespeed Documentation] Right there in our public documentation: we automatically triage!

# Let’s see an example in the wild!

With identity problems everywhere, many customers lacking detection coverage in their current tech stack, and the complexity of properly triaging identity alerts, we wrote an Anonymized Login detection that leverages our IPInfo enrichment. We assigned it the Login category, which tells Wirespeed how to investigate the match. Here’s that rule:

[Image: Anonymized Login Detection Example] Yes, we give you full access to your data!

We turned it on for an evaluation customer whose tenant wasn’t even 24 hours old:

[Image: Data Lake] Brand new tenant!

Then we got dozens of hits in the first few hours, because this customer doesn’t block the use of privacy VPNs. But note how they’re all closed: we didn’t inundate them with alerts.

[Image: Detection Matches] Many detection matches, all closed!

By triangulating their endpoint data, Wirespeed instantly identified that these privacy VPN logins were coming from managed devices and closed the detections. No alert flood! We didn’t need weeks of data or time spent manually tuning. Right out of the box: add the integrations, turn on the rule, and we have instant accuracy and super fast investigation!

[Image: Automatically Triaged Detection] Automatically handled privacy VPN login.
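To make the flow concrete, here is an added example of the pattern the post describes: a detection rule that matches logins from anonymizing infrastructure, plus triage logic that auto-closes matches coming from a managed endpoint owned by the same user and groups the rest into cases. This is illustrative code written for this page, not Wirespeed’s verdict engine or rule syntax; the IPInfo-style privacy flags, the managed-device inventory and the login events are all constructed sample data, and the function and field names are assumptions.

```python
"""Toy 'Anonymized Login' detection with automatic triage (constructed example).

Models the flow described in the post:
  1. enrich the login source IP with IPInfo-style privacy flags,
  2. match the rule (login from a VPN / proxy / Tor / hosting address),
  3. triage by checking whether the login came from a managed endpoint,
  4. group matches into cases and auto-close the benign ones.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed enrichment table in the shape of IPInfo privacy data (not real data).
PRIVACY_ENRICHMENT: Dict[str, Dict[str, bool]] = {
    "203.0.113.10": {"vpn": True, "proxy": False, "tor": False, "hosting": False},
    "198.51.100.7": {"vpn": False, "proxy": False, "tor": True, "hosting": False},
    "192.0.2.44": {"vpn": False, "proxy": False, "tor": False, "hosting": False},
}
NO_FLAGS = {"vpn": False, "proxy": False, "tor": False, "hosting": False}

# Constructed managed-endpoint inventory (stands in for EDR/MDM data): device id -> owner.
MANAGED_DEVICES: Dict[str, str] = {"LAPTOP-0451": "alice", "LAPTOP-0777": "bob"}


@dataclass
class Login:
    user: str
    src_ip: str
    device_id: Optional[str]  # None when the login carries no endpoint correlation
    ts: str


@dataclass
class Detection:
    rule: str
    category: str
    login: Login
    status: str = "open"
    reason: str = ""


def enrich(ip: str) -> Dict[str, bool]:
    """Look up privacy flags for an IP; unknown IPs get no flags."""
    return PRIVACY_ENRICHMENT.get(ip, NO_FLAGS)


def anonymized_login_rule(login: Login) -> bool:
    """The detection itself: fire on any login whose source IP is anonymizing infrastructure."""
    return any(enrich(login.src_ip).values())


def triage(detection: Detection) -> Detection:
    """Category-driven triage: for Login detections, correlate with endpoint data.

    Auto-close only when the device is managed AND owned by the user who logged in;
    a managed device owned by someone else, or no device at all, stays open for review.
    """
    if detection.category != "login":
        return detection
    login = detection.login
    owner = MANAGED_DEVICES.get(login.device_id or "")
    if owner == login.user:
        detection.status = "closed"
        detection.reason = "privacy VPN login from a managed device owned by the same user"
    else:
        detection.reason = "unmanaged, unknown, or mismatched device; needs analyst review"
    return detection


def run(logins: List[Login]) -> List[Detection]:
    """Apply the rule to a batch of logins and triage every match immediately."""
    return [
        triage(Detection(rule="Anonymized Login", category="login", login=login))
        for login in logins
        if anonymized_login_rule(login)
    ]


def group_into_cases(detections: List[Detection]) -> Dict[tuple, List[Detection]]:
    """Group matches per (rule, user) so repeated hits land in one case instead of many alerts."""
    cases = defaultdict(list)
    for det in detections:
        cases[(det.rule, det.login.user)].append(det)
    return dict(cases)


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count detections by status."""
    counts: Dict[str, int] = defaultdict(int)
    for det in detections:
        counts[det.status] += 1
    return dict(counts)


# Constructed login events: two VPN logins from alice's managed laptop, a Tor login with no
# device correlation, a VPN login from a managed laptop owned by a different user, and a
# plain login that should not match at all.
SAMPLE_LOGINS = [
    Login("alice", "203.0.113.10", "LAPTOP-0451", "2025-01-02T08:01:00Z"),
    Login("alice", "203.0.113.10", "LAPTOP-0451", "2025-01-02T09:15:00Z"),
    Login("bob", "198.51.100.7", None, "2025-01-02T09:40:00Z"),
    Login("eve", "203.0.113.10", "LAPTOP-0777", "2025-01-02T10:05:00Z"),
    Login("carol", "192.0.2.44", "LAPTOP-0999", "2025-01-02T10:30:00Z"),
]

if __name__ == "__main__":
    results = run(SAMPLE_LOGINS)
    for det in results:
        print(f"{det.login.ts} {det.login.user:6} {det.login.src_ip:14} {det.status:6} {det.reason}")
    print("cases:", {k: len(v) for k, v in group_into_cases(results).items()})
    print("summary:", summarize(results))
```

The point of the split between `anonymized_login_rule` and `triage` is the one the post makes: the rule can stay aggressive, because the category tells the triage step which correlation to run, and only the matches that fail that correlation reach an analyst.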

# Bottom Line

Writing detections is hard. Building processes to handle them is even harder, but not with Wirespeed.

It’s also a big win that we have a complete audit trail of every single privacy VPN login, each with a confirmed review. Microsoft and other ITDR vendors do a pretty good job, but there’s always room for improvement, and they’re typically a black box to the customer: it’s too hard to know when, where, and why they fire (or don’t).

For most customers, building a detection rule and then testing it out usually means there is no expectation of how the SOC will process the alert until after analysts have dealt with a few of them, let alone any sense of the workload impact on the team. With Wirespeed, all of that is solved before the rule is created.

THAT is our new twist on decades-old SIEM detections.

Want to learn more about how Wirespeed can make security painless for you? Contact us to start a FREE TRIAL today.