Real world examples
SOC Analyst:
An applied example of this perspective is a SOC analyst using third-party security products. They are a consumer when leveraging the product's detection capabilities, but at the same time, producing any custom rules or logic puts them in the position of producer. The implications become clearer when handling an alert. In this case, the analyst's role is to triage and analyze the alert for resolution. Specifically, they may tune the logic of a custom rule if false positives occur, or open a ticket with the vendor if it is a product rule.
Vendor Analyst:
On the other hand, if a vendor detection engineer received the same alert, they would use it to tune the rule based on their observations. However, the tuning strategies and measures of success differ between the two. The analyst (consumer) tunes the rule to their specific environment, minimizing false positives and maximizing the efficacy of the logic, whereas the vendor's detection engineer (producer) must tune it to balance across the broad range of environments represented by the customer base, while also balancing efficacy against performance and completeness. The vendor has to account for every other consumer of the rule, so they cannot simply tune it to this one specific environment.
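To make the difference in tuning scope concrete, here is an added Python illustration (not code from the original post or from any vendor product). It assumes a hypothetical vendor rule that flags PsExec launches, constructed sample events for two customers, and a consumer-side exclusion overlay kept separate from the vendor logic; it shows why an exclusion that is correct for one environment cannot simply be pushed into the shared product rule.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry for two hypothetical customers (not from the page).
EVENTS = {
    "customer_a": [
        {"process": "PsExec.exe", "parent": "deploytool.exe", "user": "svc_deploy"},
        {"process": "psexec.exe", "parent": "cmd.exe", "user": "jdoe"},
    ],
    "customer_b": [
        {"process": "psexec.exe", "parent": "deploytool.exe", "user": "jdoe"},
    ],
}


def vendor_rule(event):
    """Producer logic: flag any PsExec launch; it must stay valid for every customer."""
    return event["process"].lower() == "psexec.exe"


@dataclass
class ConsumerTuning:
    """Consumer overlay: parent processes approved in one specific environment."""
    excluded_parents: set = field(default_factory=set)

    def suppresses(self, event):
        return event["parent"].lower() in self.excluded_parents


def evaluate(events, tuning=None):
    """Return alerts: vendor rule hits that the consumer overlay does not suppress."""
    tuning = tuning or ConsumerTuning()
    return [e for e in events if vendor_rule(e) and not tuning.suppresses(e)]


def compare_tuning_scopes():
    """Count alerts per customer under local tuning versus a globally applied exclusion."""
    # Customer A approves deploytool.exe as its software deployment mechanism.
    local = ConsumerTuning(excluded_parents={"deploytool.exe"})
    return {
        # Untuned product rule: both A events fire, one is a known false positive.
        "a_untuned": len(evaluate(EVENTS["customer_a"])),
        # Analyst tunes locally: only the cmd.exe launch still alerts.
        "a_local_tuning": len(evaluate(EVENTS["customer_a"], local)),
        # B keeps the untouched vendor rule: its deploytool.exe launch still alerts.
        "b_vendor_rule": len(evaluate(EVENTS["customer_b"])),
        # If the vendor pushed A's exclusion to everyone, B would lose that alert.
        "b_if_globalised": len(evaluate(EVENTS["customer_b"], local)),
    }


if __name__ == "__main__":
    print(compare_tuning_scopes())
```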