## **PoC**

[the code](https://github.com/chainguard-dev/kolide-pipeline-bot/blob/56fe2343697b85a4cb7b2fe69c980908085273c1/score.go#L44) by [tstromberg](https://github.com/tstromberg)

## **Details**

Avoids issues with risk prioritization (which LLMs are currently poor at) by creating a conditional alert system that uses an LLM as a filter rather than as the ranker. In tstromberg's words:

> To catch subtle nation-state attacks, we have a large corpus of low-criticality state-based alerts, such as "an unexpected program has been running for days, and the start time is within 5s of the program landing on disk". To decrease alert fatigue, I updated our algorithm to only fire low-criticality alerts if one of these matches:
>
> - Gemini 2.0 (Google's LLM) thinks it's sus
> - VirusTotal thinks a binary or IP is sus
> - Another kind of alert recently fired for this device
>
> 💥 BAM! 40% reduction in false positives.
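The gate described in the quote, written out as an added Go example (this is not code from kolide-pipeline-bot; the `Alert` and `Signals` types, their field names, the sample alert kinds and the one-hour window are assumptions). It keeps the two details that make the third condition useful as corroboration: the prior alert must be of a different kind, and it must be recent.

```go
package main

import (
	"fmt"
	"time"
)

// Alert is a constructed, simplified alert record (hypothetical; not the bot's own type).
type Alert struct {
	Device string
	Kind   string
	Low    bool // low-criticality alerts are the only ones gated
	At     time.Time
}

// Signals holds the two external verdicts the gate consults (hypothetical names).
type Signals struct {
	LLMSuspicious bool // the LLM judged the event suspicious
	VTSuspicious  bool // VirusTotal flagged a binary or IP in the event
}

// recentOtherKind reports whether an alert of a *different* kind fired for the
// same device within `window` before a.At; the same kind re-firing does not count.
func recentOtherKind(a Alert, history []Alert, window time.Duration) bool {
	for _, h := range history {
		if h.Device != a.Device || h.Kind == a.Kind || h.At.After(a.At) {
			continue
		}
		if a.At.Sub(h.At) <= window {
			return true
		}
	}
	return false
}

// ShouldFire is the gate: high-criticality alerts always fire; low-criticality ones
// fire only when at least one corroborating signal is present.
func ShouldFire(a Alert, s Signals, history []Alert, window time.Duration) bool {
	if !a.Low {
		return true
	}
	return s.LLMSuspicious || s.VTSuspicious || recentOtherKind(a, history, window)
}

func main() {
	now := time.Now()
	a := Alert{Device: "host-1", Kind: "long-running-unexpected-program", Low: true, At: now}
	prior := []Alert{{Device: "host-1", Kind: "new-listening-port", Low: true, At: now.Add(-10 * time.Minute)}}
	fmt.Println("uncorroborated:", ShouldFire(a, Signals{}, nil, time.Hour))        // false
	fmt.Println("recent other alert:", ShouldFire(a, Signals{}, prior, time.Hour)) // true
}
```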