BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//pretalx.com//bsidesluxembourg-2026//speaker//GNUZAA BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-bsidesluxembourg-2026-9JT9GR@pretalx.com DTSTART;TZID=CET:20260507T112000 DTEND;TZID=CET:20260507T120000 DESCRIPTION:What if I told you the security tool you trust the most (your X DR) is also an attacker's favorite weapon? You spent time\, money\, and ef fort deploying it\, testing it\, fine tuning it\, believing it had your ba ck. But what if\, instead of stopping threats\, it was helping them?\n\nYo ur XDR isn't broken\, in fact\, it's doing exactly what it's designed to d o and what you set it up to do. The problem? Attackers have figured out ho w to make it work for them instead of against them. \n\nIn this session\, we'll discuss how the bad guys manipulate XDR implementations\, abuse dete ction logic\, weaponize built-in components\, and turn trusted security co ntrols into defensive tools. From abusing existing workflows to full explo itation\, you'll see why your XDR might not be protecting you the way you think it is. DTSTAMP:20260411T233857Z LOCATION:Main Stage SUMMARY:The Spy Who Logged Me - When your XDR joins the attackers - Melina Phillips URL:https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/ END:VEVENT BEGIN:VEVENT UID:pretalx-bsidesluxembourg-2026-C93MZK@pretalx.com DTSTART;TZID=CET:20260507T170000 DTEND;TZID=CET:20260507T174000 DESCRIPTION:Security teams don't miss alerts because they don't care\, they miss them because their SIEM never shuts up. Alerts fire constantly\, at the wrong time\, for expected behavior\, until everything starts to sound the same. At some point\, it's no longer an alarm. It's just noise.\n\nThi s talk starts with a simple idea: when an alert fires matters just as much as what it detects. Like a whistle blaring at 2 a.m.\, many detections te chnically work\, but fail operationally because they lack timing\, throttl ing\, or basic context. Alerts trigger during business hours\, outside mea ningful windows\, or so often that everyone learns to ignore them.\n\nUsin g practical examples\, we'll look at common alerting mistakes\, why "more alerts" doesn't mean better security\, and how small changes\, such as thr ottling\, prioritization\, and temporal context\, can dramatically reduce noise.\n\nFrom there\, we'll walk through what alerts actually matter acro ss application\, network\, Active Directory\, and DNS telemetry\, and how to design them so they fire when someone should actually care. The goal is n't silence\, it's a SIEM that acts like an alarm clock\, not a whistle th at goes “woo woo” all night. DTSTAMP:20260411T233857Z LOCATION:IFEN room 1\, Workshops and Detection Engineering village (Buildin g D) SUMMARY:The whistles go woo woo: SIEM alerts\, threat detection and tuning unnecessary noise - Melina Phillips URL:https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/ END:VEVENT END:VCALENDAR