Hardening Password Spray Detection Beyond The Classroom
Operational Question: How do you catch broad spray behavior without paging analysts for every auth issue spike?
Methodology: Start with source concentration plus distinct-user spread, then replay the rule on noisy windows and document which benign patterns still collide.
Production Change: Move from a simple spread query to a thresholded rule with explicit false-positive notes and analyst-ready evidence fields.
Employer Proof: Shows that the analyst can turn a basic hunt into a production-aware detection, not just find the right row once.
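The thresholded rule described above, as an added example that is not from the original page: one source is flagged only when both the failure concentration and the distinct-user spread clear their thresholds, and each alert carries the evidence fields and the false-positive note an analyst needs. The log lines, thresholds and field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (iso timestamp, source ip, user, result).
# Spray source: six accounts, one or two attempts each, well under lockout.
AUTH_LOG = [(f"2024-03-01T10:00:{5 + 6 * i:02d}", "203.0.113.7", u, "FAIL")
            for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
AUTH_LOG += [(f"2024-03-01T10:05:{1 + 5 * i:02d}", "203.0.113.7", u, "FAIL")
             for i, u in enumerate(["alice", "bob", "erin"])]
# One user mistyping a password: many failures, no account spread.
AUTH_LOG += [(f"2024-03-01T10:02:{s:02d}", "198.51.100.4", "gina", "FAIL") for s in range(0, 60, 6)]
AUTH_LOG += [("2024-03-01T10:03:30", "198.51.100.4", "gina", "SUCCESS"),
             ("2024-03-01T10:04:00", "192.0.2.9", "dave", "SUCCESS")]

WINDOW = timedelta(minutes=10)   # assumed tuning values, set by replay on noisy windows
MIN_DISTINCT_USERS = 5           # spread: one source touching many accounts
MIN_FAILURES = 8                 # concentration: enough failures to be worth a page
FP_NOTE = ("Shared egress (VPN/proxy NAT) during an IdP outage collides with this rule: "
           "many users fail and then succeed. Check successes_from_source before paging.")

def detect_spray(events, window=WINDOW):
    """Return one evidence-bearing alert per source that meets both thresholds."""
    parsed = sorted((datetime.fromisoformat(ts), ip, u, r) for ts, ip, u, r in events)
    cutoff = parsed[-1][0] - window           # slide the window to the newest event
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(int)
    for t, ip, user, result in parsed:
        if t < cutoff:
            continue
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            successes[ip] += 1
    alerts = []
    for ip, per_user in fails.items():
        failures = sum(per_user.values())
        if len(per_user) < MIN_DISTINCT_USERS or failures < MIN_FAILURES:
            continue                          # single-user lockouts never reach here
        alerts.append({
            "source_ip": ip,
            "distinct_users": len(per_user),
            "failures": failures,
            "max_fails_per_user": max(per_user.values()),
            "successes_from_source": successes[ip],
            "sample_users": sorted(per_user)[:5],
            "fp_note": FP_NOTE,
        })
    return alerts
```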
Impossible Travel Needs Confidence Tiers, Not Binary Logic
Operational Question: When should impossible travel actually trigger containment instead of a weak watchlist event?
Methodology: Sequence user logins, measure plausibility, then raise confidence only when device novelty, session risk, or post-auth behavior supports compromise.
Production Change: Replace one-size-fits-all impossible travel alerts with tiered logic and a responder note explaining why the event is high confidence.
Employer Proof: Demonstrates judgment, tradeoff awareness, and ability to explain a detection decision to another analyst or manager.
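The tiered logic described above, as an added example that is not from the original page: each user's sign-ins are sequenced, an implausible hop alone only produces a watchlist event, and the tier rises with device novelty, session risk, and post-auth behavior. The sign-in records, speed ceiling, action names and field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins: (iso ts, user, lat, lon, device_id, session_risk, post-auth actions).
SIGNINS = [
    ("2024-03-01T09:00:00", "alice", 47.61, -122.33, "dev-A", "low", []),
    ("2024-03-01T09:40:00", "alice", 52.52, 13.40, "dev-Z", "medium", ["mailbox_rule_created"]),
    ("2024-03-01T09:00:00", "bob", 47.61, -122.33, "dev-B", "low", []),
    ("2024-03-01T09:45:00", "bob", 52.52, 13.40, "dev-B", "low", []),  # VPN egress moved, same laptop
]
MAX_PLAUSIBLE_KMH = 1000          # assumed: airline speed plus margin
SUSPICIOUS_ACTIONS = {"mailbox_rule_created", "mfa_method_added", "oauth_consent"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(signins):
    """Sequence each user's sign-ins and tier every implausible hop by its supporting evidence."""
    by_user = defaultdict(list)
    for ts, user, lat, lon, dev, risk, actions in signins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, dev, risk, actions))
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        known_devices = {rows[0][3]}          # devices seen before the hop under review
        for prev, cur in zip(rows, rows[1:]):
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], prev[2], cur[1], cur[2])
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                signals = []
                if cur[3] not in known_devices:
                    signals.append("new_device")
                if cur[4] != "low":
                    signals.append("session_risk:" + cur[4])
                hits = SUSPICIOUS_ACTIONS.intersection(cur[5])
                if hits:
                    signals.append("post_auth:" + ",".join(sorted(hits)))
                # Speed alone is a watchlist event; corroborating signals raise the tier.
                tier = "high" if len(signals) >= 2 else "medium" if signals else "watchlist"
                findings.append({"user": user, "km": round(km), "kmh": round(speed), "tier": tier,
                                 "signals": signals, "note": f"{len(signals)} corroborating signal(s)"})
            known_devices.add(cur[3])
    return findings
```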
Replay Validation Is What Makes A Rule Credible
Operational Question: What evidence makes a detection rule believable to a detection lead or hiring manager?
Methodology: Run the rule against noisy datasets, inspect recall/precision tradeoffs, and record the rule changes required to reduce analyst pain.
Production Change: Treat replay metrics and tuning rationale as part of the rule artifact, not optional supporting material.
Employer Proof: Signals that the operator understands production-readiness, not just lab completion.
Beaconing Detection Lives Or Dies On Benign Exclusions
Operational Question: How do you surface suspicious periodic traffic without paging the team on every updater or telemetry forwarder?
Methodology: Start with periodicity candidates, then tune against known software update domains, security tooling, backup agents, and maintenance windows before ranking true outliers.
Production Change: Bundle periodicity logic with a documented exclusion list, responder pivot guidance, and a replay note explaining why certain lookalikes remain allowed.
Employer Proof: Shows the analyst can tune a noisy network analytic into something a SOC would actually keep enabled.
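The periodicity-plus-exclusions analytic described above, as an added example that is not from the original page: per source/destination pair it scores interval regularity, drops irregular traffic, separates periodic lookalikes that match the documented exclusion list or the maintenance window (keeping a replay note for each), and ranks the rest with a pivot hint. The connection records, domains, thresholds and exclusion entries are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connections: (seconds since midnight, src host, dst domain).
CONN_LOG = [(300 * i, "ws-17", "updates.example-vendor.com") for i in range(12)]       # exact 5-min updater
CONN_LOG += [(60 * i + (i % 3), "ws-23", "cdn-edge.unknown-test.net") for i in range(12)]  # 60s with jitter
CONN_LOG += [(t, "ws-23", "www.example-news.com") for t in (0, 17, 400, 420, 1500, 1510, 3200, 3210, 3300, 3590)]
CONN_LOG += [(7200 + 600 * i, "ws-40", "patch-relay.internal") for i in range(6)]     # inside patch window
MIN_CONNECTIONS = 6
MAX_CV = 0.10                     # assumed: interval spread under 10% of the mean reads as a beacon
ALLOWED_SUFFIXES = {              # assumed documented exclusion list, tuned during replay
    "example-vendor.com": "software_update",
    "example-sec.com": "security_tooling",
}
MAINTENANCE_WINDOW = (7200, 10800)   # 02:00-03:00 patch window, seconds since midnight

def exclusion_reason(dst, times):
    for suffix, reason in ALLOWED_SUFFIXES.items():
        if dst == suffix or dst.endswith("." + suffix):
            return reason
    lo, hi = MAINTENANCE_WINDOW
    if all(lo <= t % 86400 < hi for t in times):
        return "maintenance_window"
    return None

def rank_beacons(conns):
    """Return (ranked candidates, excluded lookalikes), most regular interval first."""
    pairs = defaultdict(list)
    for t, src, dst in conns:
        pairs[(src, dst)].append(t)
    candidates, excluded = [], []
    for (src, dst), times in pairs.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv > MAX_CV:
            continue                                   # not periodic enough to rank
        row = {"src": src, "dst": dst, "count": len(times),
               "mean_interval_s": round(mean(gaps), 1), "cv": round(cv, 3),
               "pivot": f"process and user on {src} that owns the socket to {dst}"}
        reason = exclusion_reason(dst, times)
        if reason:
            row["replay_note"] = f"periodic but allowed: {reason}"
            excluded.append(row)
        else:
            candidates.append(row)
    return sorted(candidates, key=lambda r: r["cv"]), excluded
```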
OAuth Consent Abuse Requires Identity And Cloud Context
Operational Question: What makes a new cloud-app consent event urgent instead of just new SaaS usage?
Methodology: Combine publisher trust, scope breadth, source novelty, and post-consent token activity rather than looking at consent events in isolation.
Production Change: Move from a flat consent alert to a confidence-tiered workflow that explains revoke/block decisions and records false-positive conditions.
Employer Proof: Signals cross-domain reasoning across cloud, identity, and user-risk context rather than narrow query syntax.
Role-Grant Abuse Should Read Like A Change-Control Failure
Operational Question: What turns a privileged role assignment into a containment event instead of a routine admin change?
Methodology: Sequence the grant, actor identity, device novelty, and nearby logging or credential events before scoring confidence.
Production Change: Package the detection with a rollback recommendation, impacted roles summary, and evidence fields the IAM owner can act on immediately.
Employer Proof: Shows that the analyst can bridge cloud control-plane telemetry with stakeholder-ready remediation language.
Exfiltration Queries Need Business Context To Be Useful
Operational Question: How do you separate a critical outbound transfer from legitimate bulk movement?
Methodology: Blend transfer size, sensitivity cues, user baseline, session risk, and destination novelty instead of trusting volume alone.
Production Change: Move from a byte threshold to a scored investigative artifact with confidence tiers and preservation steps.
Employer Proof: Signals that the operator can turn a raw spike into a defensible escalation narrative.
Endpoint Triage Needs Parent-Child Context Before Verdicts
Operational Question: How do you turn suspicious script-host execution into a defensible endpoint escalation instead of a noisy process list?
Methodology: Start with parent-child lineage, then add signer trust, device role, maintenance window context, and follow-on behavior before raising confidence.
Production Change: Move from one-off process hits to an analyst workflow that explains why a chain is suspicious, what benign automation was excluded, and what host pivots come next.
Employer Proof: Shows that the operator can move beyond syntax and produce endpoint triage that another analyst or responder can trust.
Email Triage Should Separate Delivery From User Risk
Operational Question: What makes a suspicious email event worth escalation instead of a noisy inbox artifact?
Methodology: Blend sender novelty, URL or attachment risk, user targeting pattern, and follow-on click or auth behavior rather than stopping at message headers.
Production Change: Package email detection logic with user-impact framing, likely blast radius, and the exact response question the next analyst should answer.
Employer Proof: Signals that the analyst can connect email telemetry to user and identity risk instead of treating email as an isolated log source.