Contextualizing alerts with relevant logs and events without queries or LLMs
Event description
Level of Instruction: Intermediate
Instructed by: Ezz Tahoun
Abstract:
This workshop is for SOC analysts, threat hunters, and defenders dealing with alert fatigue, fragmented telemetry, and the challenge of spotting coordinated attacks. Instead of large language models or costly vendor tools, we’ll use open-source, explainable ML to map alerts, logs, and events into contextualized attack stories.
Attendees will work hands-on with real-world-style data to find root causes, build kill chains, and generate actionable tickets—False Positive, Incident, and Attack Story—that mirror real SOC workflows. We’ll use the Attack Flow Detector tool, which runs in Google Colab—no install needed.
No data science experience required. The class is technical but beginner-friendly, with guided exercises and examples. Basic knowledge of logs and MITRE ATT&CK helps but isn't required. The focus is on outcomes: understanding what happened, why, and how to respond, without black-box AI or complex queries.
By the end, students will know how to clean noisy data, map alerts to attacker techniques, cluster related events, and build end-to-end attack narratives. All tools and content are open-source, transparent, and ready to use in real environments.
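The four outcomes above (clean, map to ATT&CK, cluster, narrate) in miniature, as an added example; this is not the Attack Flow Detector's own code. The sample alerts, the rule-to-technique mapping, the 60-minute linking window and the ticket thresholds are all constructed assumptions for illustration. Clustering is a plain union-find over shared host/user within a time window, so every link between two alerts is recorded with the reason it was made, which is the explainability the abstract asks for.

```python
"""Alert-to-attack-story pipeline (illustrative example, not the workshop tool's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, as a SIEM might emit them (one exact duplicate on purpose).
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-12", "user": "alice", "rule": "Phishing attachment opened", "severity": "low"},
    {"ts": "2024-05-01T09:02:30", "host": "ws-12", "user": "alice", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"ts": "2024-05-01T09:02:30", "host": "ws-12", "user": "alice", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"ts": "2024-05-01T09:10:00", "host": "ws-12", "user": "alice", "rule": "Credential dumping (LSASS)", "severity": "high"},
    {"ts": "2024-05-01T09:25:00", "host": "srv-db1", "user": "alice", "rule": "Lateral movement via SMB", "severity": "high"},
    {"ts": "2024-05-01T14:00:00", "host": "ws-44", "user": "bob", "rule": "AV heuristic scan", "severity": "low"},
    {"ts": "2024-05-02T08:00:00", "host": "ws-09", "user": "carol", "rule": "Suspicious PowerShell", "severity": "medium"},
]

# Assumed mapping from detection rule name to ATT&CK tactic and technique ID.
RULE_TO_ATTACK = {
    "Phishing attachment opened": ("initial-access", "T1566.001"),
    "Suspicious PowerShell": ("execution", "T1059.001"),
    "Credential dumping (LSASS)": ("credential-access", "T1003.001"),
    "Lateral movement via SMB": ("lateral-movement", "T1021.002"),
}
# ATT&CK Enterprise tactic order, used to lay a cluster out as a kill chain.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]
WINDOW = timedelta(minutes=60)  # assumed: alerts further apart than this are not linked

def clean(alerts):
    """Step 1+2: drop exact duplicates, parse timestamps, tag each alert with its tactic/technique."""
    seen, out = set(), []
    for a in alerts:
        key = (a["ts"], a["host"], a["user"], a["rule"])
        if key in seen:
            continue
        seen.add(key)
        b = dict(a, ts=datetime.fromisoformat(a["ts"]))
        b["tactic"], b["technique"] = RULE_TO_ATTACK.get(a["rule"], ("unmapped", None))
        out.append(b)
    return out

def cluster(alerts):
    """Step 3: union-find over alerts sharing a host or user within WINDOW.
    Returns the connected components and, for explainability, every link with its reason."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    links = []
    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            a, b = alerts[i], alerts[j]
            if abs(a["ts"] - b["ts"]) > WINDOW:
                continue
            shared = [k for k in ("host", "user") if a[k] == b[k]]
            if shared:
                parent[find(i)] = find(j)
                links.append((i, j, shared))
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    return list(groups.values()), links

def build_story(group):
    """Step 4: order a cluster along the kill chain and pick the ticket type.
    Thresholds are assumptions: no mapped tactic and only low severity -> False Positive;
    three or more distinct tactics -> Attack Story; anything else -> Incident."""
    rank = lambda a: TACTIC_ORDER.index(a["tactic"]) if a["tactic"] in TACTIC_ORDER else len(TACTIC_ORDER)
    ordered = sorted(group, key=lambda a: (rank(a), a["ts"]))
    distinct = list(dict.fromkeys(a["tactic"] for a in ordered if a["tactic"] != "unmapped"))
    if not distinct and all(a["severity"] == "low" for a in ordered):
        ticket = "False Positive"
    elif len(distinct) >= 3:
        ticket = "Attack Story"
    else:
        ticket = "Incident"
    return {
        "ticket": ticket,
        "root_cause": ordered[0]["rule"],  # earliest kill-chain stage is the root-cause candidate
        "hosts": sorted({a["host"] for a in ordered}),
        "users": sorted({a["user"] for a in ordered}),
        "kill_chain": [(a["tactic"], a["technique"]) for a in ordered],
    }

def run(alerts=SAMPLE_ALERTS):
    """Full pipeline; tickets sorted so the richest story comes last."""
    groups, _links = cluster(clean(alerts))
    order = ["False Positive", "Incident", "Attack Story"]
    return sorted((build_story(g) for g in groups), key=lambda s: order.index(s["ticket"]))

if __name__ == "__main__":
    for story in run():
        print(story)
```

On the sample data this yields three tickets: bob's lone low-severity AV alert as a False Positive candidate, carol's single PowerShell alert as an Incident, and alice's four alerts, spanning two hosts, as one Attack Story whose root cause is the phishing attachment. Swapping the hand-written `RULE_TO_ATTACK` table for rule metadata exported from your detection platform, and the union-find for any clustering whose links you can print, keeps the property that matters here: an analyst can read exactly why two alerts ended up in the same story.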