How to use Packet Analysis to Identify False Positives

In the first two parts of this webcast series ("Proving the negative - no we didn't breach you" and "Closing logging gaps with packets"), we used packet capture to disprove the theory that our web server was used to compromise a business partner. Then we used packet capture to understand detection gaps in our SOC monitoring the web server logs. Since the SOC is now hyper-sensitive to web server intrusions, they've been referring an unsustainable number of false positive alarms to the IR team. In this webcast, we'll continue to look at web server logs, but this time with a focus on using packet capture to identify log entries that don't reliably demonstrate exploitation.