by emanuele-em 67 days ago
The 10-second correlation window for file access + network connection is a smart heuristic for catching exfiltration. Scanning /proc/pid/fd every few seconds is lightweight enough to not annoy people. How granular is the network allowlist? Some dev workflows hit a lot of dynamic endpoints.
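The heuristic the comment describes, as an added example that is not the commenter's or the discussed tool's own code: a per-process scan of /proc/<pid>/fd classifies descriptors as regular files or sockets, /proc/net/tcp maps socket inodes to remote endpoints, and a correlation step alerts when a process had a sensitive file and a non-allowlisted outbound socket open within a fixed window. The window, the sensitive path prefixes, the CIDR-based allowlist and the sample scan data are assumptions constructed for this illustration.

```python
import ipaddress
import os
import re
import socket
import time
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10.0                                           # assumed correlation window
SENSITIVE_PREFIXES = ("/home/", "/root/.ssh/", "/etc/shadow")   # assumed sensitive paths
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),         # assumed destination allowlist
                    ipaddress.ip_network("127.0.0.0/8")]
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


@dataclass(frozen=True)
class FdEvent:
    ts: float     # time of the /proc scan that observed the descriptor
    pid: int
    kind: str     # "file" or "socket"
    target: str   # filesystem path, or "socket:[inode]"


def classify_fd_target(target):
    """Classify a /proc/<pid>/fd symlink target; None for pipes, devices, anon inodes."""
    if SOCKET_RE.match(target):
        return "socket"
    if target.startswith("/") and not target.startswith(("/dev/", "/proc/", "/sys/")):
        return "file"
    return None


def scan_proc_fds(pid, now=None):
    """One lightweight pass over /proc/<pid>/fd (Linux). Unreadable pids yield nothing."""
    now = time.time() if now is None else now
    fd_dir = f"/proc/{pid}/fd"
    events = []
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return events
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue          # descriptor closed between listdir and readlink
        kind = classify_fd_target(target)
        if kind:
            events.append(FdEvent(now, pid, kind, target))
    return events


def parse_proc_net_tcp(text):
    """Map socket inode -> (remote_ip, remote_port) from /proc/net/tcp text.
    Addresses are 32-bit hex in host byte order; this assumes a little-endian host."""
    result = {}
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[2].split(":")  # rem_address column
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
        result[int(fields[9])] = (ip, int(port_hex, 16))
    return result


def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def correlate(events, inode_to_remote, window=WINDOW_SECONDS):
    """Alert when a pid had a sensitive file and a non-allowlisted socket open within `window` seconds."""
    by_pid = defaultdict(lambda: {"file": [], "socket": []})
    for ev in events:
        by_pid[ev.pid][ev.kind].append(ev)
    alerts = set()                               # set: the same pair seen in several scans alerts once
    for pid, groups in by_pid.items():
        for f in groups["file"]:
            if not f.target.startswith(SENSITIVE_PREFIXES):
                continue
            for s in groups["socket"]:
                inode = int(SOCKET_RE.match(s.target).group(1))
                remote = inode_to_remote.get(inode)
                if remote is None or is_allowed(remote[0]):
                    continue                     # unresolved socket, or allowlisted destination
                if abs(s.ts - f.ts) <= window:
                    alerts.add((pid, f.target, remote))
    return sorted(alerts)


# Constructed sample: three processes observed across scans a few seconds apart.
SAMPLE_EVENTS = [
    FdEvent(100.0, 4242, "file", "/home/alice/.aws/credentials"),
    FdEvent(104.0, 4242, "socket", "socket:[99001]"),   # to 203.0.113.5:443, not allowlisted
    FdEvent(100.0, 5151, "file", "/home/bob/notes.txt"),
    FdEvent(130.0, 5151, "socket", "socket:[99002]"),   # 30 s later: outside the window
    FdEvent(100.0, 7171, "file", "/root/.ssh/id_ed25519"),
    FdEvent(104.0, 7171, "socket", "socket:[99003]"),   # to 10.1.2.3:443, allowlisted
]
# Constructed /proc/net/tcp excerpt (little-endian hex: 203.0.113.5 = 057100CB, 10.1.2.3 = 0302010A).
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:A3E8 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 99001 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:A3E9 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 99002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:A3EA 0302010A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 99003 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    return correlate(SAMPLE_EVENTS, parse_proc_net_tcp(SAMPLE_NET_TCP))


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```

Only pid 4242 fires: 5151 touches a sensitive file but its socket appears 30 s later, and 7171 talks to an allowlisted network. A CIDR allowlist is the coarsest option; the granularity question in the comment is exactly about whether destinations that resolve to changing IPs (CDNs, package mirrors) can be expressed this way or need hostname or process-identity rules instead.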