The problem with using bin in your detection rules: https://attackthesoc.com/posts/practical-temporal-proximity-with-kql/#bin-there-done-that-why-we-dont-detect-with-bins
Really more useful for gathering general statistics vs finding meaningful connections and meeting your set event thresholds.

Comments

Posting Rules

  • Be respectful to others
  • No spam or self-promotion
  • Stay on topic
  • Follow Bluesky's terms of service