BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-2026//speaker//EWVGQA
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-2026-7LUWPZ@pretalx.com
DTSTART;TZID=PST:20260602T110000
DTEND;TZID=PST:20260602T112000
DESCRIPTION:Nine months. That's how long a Sigma detection rule for AWS IAM
  privilege escalation sat in a production SIEM without firing. Not because
  there were no attacks\, but because the rule referenced a CloudTrail
  field that
  doesn't exist. It matched nothing. It looked healthy. It was dead.\nWe bu
 ilt sigma-lens\, an open-source quality analyzer\, and ran it against the 
 two largest public cloud rule repositories: SigmaHQ and Elastic. Across 2\
 ,000+ cloud detection rules\, we found that 1 in 3 contained significant q
 uality defects.\nThis talk reveals the results of our audit: rules referen
 cing non-existent log fields\, logic that misses 80% of realistic attack v
 ariants\, and "hallucinated" fields in AI-generated rules. We will release
  sigma-lens and a new database of 400+ validated CloudTrail log schemas\, 
 equipping you to test your detection rules with the same rigor you apply t
 o application code.
DTSTAMP:20260502T113342Z
LOCATION:Room 1
SUMMARY:Schrödinger’s Detection: Finding the "Zombie" Rules in Your SIEM
  - Gowthamaraj
URL:https://pretalx.com/fwd-cloudsec-2026/talk/7LUWPZ/
END:VEVENT
END:VCALENDAR
