What parts of #detection #engineering do people find difficult?

#blueteam

@timb_machine spinning wheels trying to produce detection content when the source telemetry is A) inconsistent, B) missing vital information, C) misconfigured by customers and D) the "engineering" department doesn't take constructive criticism.
@timb_machine [ this is a toot about a job I had trying to detect badness through netflow; JFC, netflow is such a shitshow ]

@timb_machine me: "I only see half the traffic"

me: "wait this is sampled at 1 every 10,000 flows"

me: "oh cute, this biflow only captures the ingress part of the flow and doesn't record the egress interface because it didn't know where it was headed at the time"
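The two telemetry problems in the thread above (1:10,000 sampling and biflow records that carry only the ingress interface) are the kind of thing worth checking programmatically before anyone writes a detection on top of the data. The following is an added example, not code from any poster in the thread: it runs a few fitness checks over constructed, IPFIX-style flow records (field names such as `octets`, `ingressInterface`, `egressInterface` are assumptions chosen to resemble IPFIX information elements; the records are made up for the example). It scales sampled counters back up, measures how often the egress interface is unknown, and computes how many flows a host must generate before 1:N sampling is likely to export even one of them, which is why low-rate beacons vanish at 1:10,000.

```python
"""Fitness checks for sampled NetFlow/IPFIX-style telemetry (added example).

Models the two failure modes described in the thread: flows sampled 1:N,
and biflow records whose egress interface is unknown (exported as 0)
because the exporter had not routed the packet yet. All records below
are constructed for this example, not real telemetry.
"""
import math

# Assumed from the post: 1 in every 10,000 flows is exported.
SAMPLING_INTERVAL = 10_000

# Constructed records. egressInterface == 0 stands for "unknown", the usual
# IPFIX convention for an interface index that was not available at export.
FLOWS = [
    {"src": "10.0.0.5",  "dst": "203.0.113.9",  "dport": 443, "octets": 1200, "pkts": 9,
     "ingressInterface": 3, "egressInterface": 0},
    {"src": "10.0.0.5",  "dst": "203.0.113.9",  "dport": 443, "octets": 640,  "pkts": 5,
     "ingressInterface": 3, "egressInterface": 7},
    {"src": "10.0.0.17", "dst": "198.51.100.4", "dport": 53,  "octets": 80,   "pkts": 1,
     "ingressInterface": 3, "egressInterface": 0},
    {"src": "10.0.0.23", "dst": "192.0.2.10",   "dport": 22,  "octets": 5400, "pkts": 40,
     "ingressInterface": 5, "egressInterface": 7},
]


def scale_sampled(flows, interval):
    """Estimate unsampled volume by multiplying counters by the sampling interval.

    Each exported record stands in for roughly `interval` flows, so raw
    byte/packet counts understate real traffic by that factor.
    """
    return [dict(f, octets_est=f["octets"] * interval, pkts_est=f["pkts"] * interval)
            for f in flows]


def egress_coverage(flows):
    """Fraction of records whose egress interface is known (non-zero)."""
    if not flows:
        return 0.0
    known = sum(1 for f in flows if f.get("egressInterface", 0) != 0)
    return known / len(flows)


def prob_seen(flow_count, interval):
    """Probability that at least one of `flow_count` flows from a host is exported
    under independent 1:interval sampling: 1 - (1 - 1/N)^k."""
    return 1.0 - (1.0 - 1.0 / interval) ** flow_count


def flows_needed(interval, confidence=0.95):
    """Smallest number of flows a host must produce before at least one is
    exported with the given probability (inverse of prob_seen)."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / interval))


def telemetry_warnings(flows, interval, min_egress_coverage=0.9):
    """Return human-readable reasons this telemetry is unfit for certain detections."""
    warnings = []
    if interval > 1:
        warnings.append(
            f"sampled 1:{interval}: a host needs ~{flows_needed(interval)} flows before one "
            f"is likely exported, so low-rate beacons are effectively invisible")
    cov = egress_coverage(flows)
    if cov < min_egress_coverage:
        warnings.append(
            f"egress interface unknown on {100 * (1 - cov):.0f}% of records: "
            f"any detection keyed on exit interface or direction is unreliable")
    return warnings


if __name__ == "__main__":
    # A beacon firing once a minute produces 1440 flows a day; at 1:10,000
    # sampling it has only ~13% chance of appearing in the data at all.
    print(f"P(daily 1/min beacon seen) = {prob_seen(1440, SAMPLING_INTERVAL):.3f}")
    for w in telemetry_warnings(FLOWS, SAMPLING_INTERVAL):
        print("WARNING:", w)
```

`telemetry_warnings` is the piece to bolt onto an ingest pipeline: run it once per exporter and refuse to deploy direction-sensitive or low-volume detections on sources that fail it, rather than discovering the gap after the rule has been silent for a month.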