Ever have déjà vu? Security analysts will tell you they get it all the time. It's frustrating when you see activity that feels familiar but you can't quite place how and when you've seen it before. That's how alert fatigue starts.

Identifying alerts that are similar can help analysts make better decisions. But searching for related alerts can be tricky. You might try searching on metadata such as matching signatures, assets, or other indicators. That's helpful, but it won't fully capture an analyst's intuition about what really makes two alerts similar. Expel is exploring different ways to define a general concept of alert similarity. They believe meaningful similarity opens up use cases that can dramatically improve operational agility and quality.

This workshop is a deep dive into a methodology for defining alert similarity using vector similarity search techniques. The use case may be unique, but we break it down so you can apply these lessons to problems you're experiencing in your own organization.

0:00 Introduction
3:05 Problem: Alert Fatigue
6:25 Prior Art: Vectorization and Similarity Search
22:49 Applying Security Intuition
34:01 Architecture
39:18 The Last Mile
49:34 Q&A
