
SecOps Video Series 6: From Noise to Insight - Spotting Coordinated Attacks with Google SecOps

  • November 3, 2025

matthewnichols
Community Manager

Hey Community!

We've all been there: is this one suspicious login just noise, or is it the first step in a larger, sophisticated attack?

It's the difference between playing "whack-a-mole" with individual alerts and discovering a coordinated attack chain. This new demo is all about how to find that chain.

Greg Kushmerek from the Google team shows how to use "composite detections" built on the MITRE ATT&CK framework. Instead of getting 10 separate low-level alerts, you can get one high-confidence case by writing a rule that looks for a pattern of tactics (like those used by an APT) on a single machine over a 10-day window.

It's not just about collecting signals; it's about connecting them.
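To make the "composite detection" idea concrete, here is an added example that is not from the video or from Google SecOps: in the product itself this logic would be written as a YARA-L multi-event rule with a match window, but the Python below models the same correlation offline so you can see what the rule has to do. It takes low-level alerts that are each tagged with a MITRE ATT&CK tactic, groups them per host, slides a 10-day window over them, and raises a single case only when enough distinct tactics appear on one machine inside that window. The alert records, hostnames and rule names are constructed for the example; the tactic IDs are the standard ATT&CK ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real SecOps output). Each record is one
# low-level detection, tagged with the ATT&CK tactic its rule maps to.
SAMPLE_ALERTS = [
    {"ts": "2025-10-01T08:12:00", "host": "ws-017", "tactic": "TA0001", "rule": "suspicious_login"},
    {"ts": "2025-10-03T14:30:00", "host": "ws-017", "tactic": "TA0002", "rule": "office_spawns_shell"},
    {"ts": "2025-10-04T09:05:00", "host": "ws-017", "tactic": "TA0003", "rule": "new_run_key"},
    {"ts": "2025-10-07T22:41:00", "host": "ws-017", "tactic": "TA0006", "rule": "lsass_handle_open"},
    {"ts": "2025-10-09T03:15:00", "host": "ws-017", "tactic": "TA0008", "rule": "rdp_to_server"},
    # ws-042 also accumulates four tactics, but spread over three weeks:
    # individually noisy, and outside the 10-day window, so no case.
    {"ts": "2025-10-02T10:00:00", "host": "ws-042", "tactic": "TA0001", "rule": "suspicious_login"},
    {"ts": "2025-10-20T10:00:00", "host": "ws-042", "tactic": "TA0002", "rule": "office_spawns_shell"},
    {"ts": "2025-10-21T10:00:00", "host": "ws-042", "tactic": "TA0003", "rule": "new_run_key"},
    {"ts": "2025-10-22T10:00:00", "host": "ws-042", "tactic": "TA0006", "rule": "lsass_handle_open"},
]

WINDOW = timedelta(days=10)      # the 10-day window mentioned in the post
MIN_DISTINCT_TACTICS = 4         # chosen threshold for this example


def find_tactic_chains(alerts, window=WINDOW, min_tactics=MIN_DISTINCT_TACTICS):
    """Correlate tagged alerts into composite cases.

    Returns {host: case} for every host on which at least `min_tactics`
    distinct ATT&CK tactics fired within some span no longer than `window`.
    The case carries the tactics seen, the contributing rule names, and the
    first/last timestamps so an analyst sees the scope of the whole chain.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(
            (datetime.fromisoformat(a["ts"]), a["tactic"], a["rule"])
        )

    cases = {}
    for host, events in by_host.items():
        events.sort()  # chronological; tuples sort by timestamp first
        # Slide the window: treat each event as a possible window start and
        # collect everything that falls within `window` of it.
        for i, (start_ts, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start_ts <= window]
            tactics = {tactic for _, tactic, _ in in_window}
            if len(tactics) >= min_tactics:
                cases[host] = {
                    "tactics": sorted(tactics),
                    "rules": [rule for _, _, rule in in_window],
                    "start": start_ts.isoformat(),
                    "end": in_window[-1][0].isoformat(),
                }
                break  # one case per host; the analyst triages the whole span
    return cases


if __name__ == "__main__":
    for host, case in find_tactic_chains(SAMPLE_ALERTS).items():
        print(f"{host}: {len(case['tactics'])} tactics "
              f"{case['start']} .. {case['end']} -> {case['rules']}")
```

The threshold and window are the knobs that trade noise against coverage: with the defaults only ws-017 produces a case, while widening the window to 30 days also pulls ws-042's slow-burn sequence into one case. A real rule would additionally key on the same asset across multiple event types (logins, process launches, registry changes), which is exactly what the ATT&CK tagging on each curated detection makes possible.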

In this video, you'll see:

  • How Google's 2,000+ curated detections are all tagged with MITRE ATT&CK.
  • A demo of a "composite rule" that finds a chain of different tactics.
  • How the Gemini summary instantly shows an analyst the scope of a multi-day attack.
  • Using pre-built or AI-generated SOAR playbooks to guide your response.

After you watch, let's discuss: What's your biggest challenge in connecting individual alerts into a full attack chain?