Cloud Security / Detection Engineering
Cloud Detection & Alerting Pipeline
Built and tuned a cloud detection and alerting workflow that connected cloud security findings to actionable notifications while reducing low-value noise.
Problem
Cloud security tools generated high volumes of alerts, many of which were low-value or duplicated. On-call engineers spent excessive time triaging noise instead of responding to real threats.
Constraints
Small security team, limited on-call bandwidth, multiple AWS accounts, need to maintain compliance visibility while reducing alert fatigue.
Approach
Built a Terraform-managed detection and alerting pipeline that ingested findings from cloud security services, applied suppression logic for known low-value patterns, and routed actionable alerts through event-driven notification paths.
Outcome
Reduced false positives by 60%, improved on-call signal quality, and established a repeatable pattern for adding new detection rules without increasing toil.
Terminal
# GuardDuty finding hits EventBridge rule$ aws events put-rule --name guardduty-high-sev \$ --event-pattern '{"source":["aws.guardduty"],"detail":{"severity":[{"numeric":[">",7]}]}}'RuleArn: arn:aws:events:us-east-1:***:rule/guardduty-high-sev# lambda enriches the finding and routes to slack + pagerduty$ aws lambda invoke --function-name security-alert-router /dev/stdout{"routed": true, "channel": "#sec-alerts", "pagerduty": "P1", "suppressed": false}# suppression check: known benign pattern? skip the page.$ cat suppression-rules.json | jq '.rules | length'47# 47 suppression rules, each validated against real incidents
Tools
Key Highlights
- Event-driven security notifications
- Terraform-managed workflow
- Cloud security finding ingestion
- Auto-suppression for low-value findings
- Reduced on-call toil without losing signal