How to Reduce Alert Noise in Security Operations Centers

Alert fatigue isn’t about too many alerts - it’s about bad data. Most alerts are triggered by unstructured, noisy, and misaligned telemetry data that was never meant to support detection. This overwhelms analysts, delays response, and lets threats through. Nearly 70% of security professionals admit to ignoring alerts due to fatigue (Ponemon Institute). SIEMs and XDRs don’t generate signal - they match patterns. Feed them noise, and they flood you with irrelevant alerts, and security teams are paying the price. It’s time to stop blaming the analyst and start fixing the pipeline. Most alert fatigue write-ups focus on SOC workflows: triage better, automate more, throw some ML at it. But those are band-aids. Until we fix the pipeline, the fatigue will remain. A modern SOC doesn’t need more alerts. It needs smarter data pipelines that are built to: - Consolidate preprocess and normalize data , so that your tools aren’t reconciling a dozen formats on the fly. When logs from endpoints, identity systems, and cloud services speak the same language, correlation becomes intelligence—not noise. That failed login from a workstation means something different when it's paired with a privilege escalation and a large outbound transfer. You don’t catch that unless the pipeline is unified and context-aware. Drop what doesn’t matter. A log that doesn’t support a detection, investigation, or response decision doesn’t belong in the SIEM. Route it to cold storage, summarize it, or don’t collect it at all. Most environments are filled with verbose, duplicative, or irrelevant logs that generate alerts no one asked for. Use threat intelligence strategically—not universally. Pulling in every IP from a threat feed doesn't help unless that feed aligns with your risk surface. Contextual TI means tagging what matters to you, not just what’s noisy globally. Your DNS logs don’t need to explode every time an off-the-shelf IOC list gets updated. Apply meaningful prioritization frameworks at ingestion. Don’t wait for analysts to triage alerts—start triaging them in the pipeline. Align event severity to frameworks like MITRE ATT&CK or your own critical asset map. An alert from a privileged system running in production isn't the same as one from a dev box. Your pipeline should know that. You don’t fix alert fatigue by muting rules - you can fix it by sending only data that supports detection or response. Fix the data. The alerts will fix themselves.

As a SOC/IR Manager with Security Engineer experience, I’m always looking for ways to reduce noise, eliminate manual triage, and give my team more time for high-value work like threat hunting. Like most security teams, we were overwhelmed by alert volume. My analysts were spending way too much time chasing false positives and not enough time going on offense. That’s when I led the rollout of Autonomous SOC AI. But I didn’t stop there. 🔧 I engineered a measurable feedback loop: Integrated comment-based tagging into our Microsoft Sentinel incident triage Built custom KQL queries to detect auto-closed false positives Calculated the estimated triage time saved Created monthly visual trends to show how much work was offloaded No more vague claims. Now our dashboards show actual FTE hours recovered and the shift from reactive to proactive operations. 📊 Results: ✅ 60% increase in auto-closed false positives ✅ 15+ analyst hours saved weekly ✅ Greater bandwidth for proactive threat hunting ✅ Clear ROI data ✅ Better alignment between AI capability and SOC strategy This isn’t theory — it’s measurable impact. Autonomous SOC tools are still evolving, but the benefits are real when paired with practical engineering and IR strategy. 🧠 Shared the code: I’ve open-sourced the KQL logic so other teams — regardless of the platform — can measure their own automation success. 📂 GitHub: https://lnkd.in/edsHfX_F #MicrosoftSentinel #KQL #Automation #SOAR #SecurityLeadership #BlueTeam #IntezerIntezer

Over the past few weeks, I’ve shared a series of posts on the foundations of detection engineering, highlighting the critical role it plays in building a strong SOC. I’ve discussed how solid, purpose-driven detection engineering practices and effective threat research are the backbone of any proactive detection strategy. But, once this foundation is in place, the question becomes: What’s the next step? For me, the answer lies in maturing detection engineering into a process that seamlessly integrates data science, automation, and collaboration across key SOC functions. Here’s how I did it: Instead of having data scientists work with raw telemetry (which creates more noise than signal), I shifted them downstream to work with enriched, context-aware detection outputs and pulled this all together into something I call, The Detection Engineering Escalation & Recommendation (DEER) Framework. What does the framework do in a nutshell? 1. Creates synergy between the threat research team (intelligence backbone), DE team (signal creators), threat hunting team (pattern finders), and data science (insight amplifiers). 2. Leverages data science where it matters most for the SOC with things like: Natural Language Processing (NLP) for entity extractions and embeddings, Learning-to-Rank (LTR) for alert prioritization, LLMs for analysis, escalation & tuning, and clustering for peripheral context. Here’s what I saw happen after implementing this framework: ✓ 𝗕𝗲𝘁𝘁𝗲𝗿 𝗼𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗲𝗳𝗳𝗶𝗰𝗶𝗲𝗻𝗰𝘆: With a constant feedback loop and a process for these functions to work together, this reduced the workload across the team and gave them the time to focus on what matters most with our threat priorities. ✓ 𝗘𝗻𝗵𝗮𝗻𝗰𝗲𝗱 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗖𝗮𝗽𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀: Behavioral-based detections + NLP and Alert Clustering have provided context-rich alerts, improving the accuracy of detections. ✓ 𝗥𝗲𝗱𝘂𝗰𝗲𝗱 𝗔𝗹𝗲𝗿𝘁 𝗙𝗮𝘁𝗶𝗴𝘂𝗲: Automated rule tuning + real-time feedback with the DEER pipeline = more time for your SOC analysts to focus on genuine threats.    ✓ 𝗖𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀 𝗜𝗺𝗽𝗿𝗼𝘃𝗲𝗺𝗲𝗻𝘁: Embedding data science into the DE process brings automation that will ensure your detections can evolve as quickly as new threats do.  If your detection strategy is starting to feel a bit outdated and you’re considering integrating data science into your practice - this approach might be worth exploring. Curious to hear from others, how are you thinking about the integration of data science into your SOC? You can grab my exact framework, and get more specifics on how we implemented this in my latest blog here: https://lnkd.in/gVYtMJwY

“Shifting left” is not optional. But that doesn’t mean application security teams can ignore what happens after attackers strike. And SBOMs can help. Some potential security operations use cases include: 1/ PRIORITIZING ALERTS Security operations centers (SOCs) are inundated with alerts. What could be a malicious actor moving across a network or attempting to exploit a vulnerability can often just be the result of normal business operations. That makes finding - and taking action against - true positives such an important task for SOC members. That’s where SBOMs can come into play. If an organization knows there is an exploitable - but still unpatched - vulnerability in their network via a Vulnerability Exploitability eXchange (VEX) report from a vendor or other stakeholder, its defenders can elevate any alerts suggesting ongoing exploitation of that issue. 2/ SKIPPING FALSE POSITIVES Conversely, SBOMs can help SOCs identify and eliminate false positives by providing a detailed inventory of software components and their associated vulnerabilities. If a given alert for a signature of malware known to exploit a certain vulnerability does not correspond to any known flaws present in the network (as per the organization’s SBOM registry), it could be deprioritized or ruled out entirely. This approach would require having a comprehensive asset inventory (and process for keeping it updated) because otherwise it would be difficult to know if such alerts were false positives or merely associated with unmanaged organizational systems. With that said, being able to rule out erroneous findings by using an accurate picture of the network would be a huge benefit to SOC analysts. 3/ FORENSIC ANALYSIS In the unfortunate event of a breach, rapid and accurate investigation and communication are crucial. SBOMs can facilitate both of these by providing structured data allowing examination of likely attack paths and facilitating determination of the magnitude of damage in a given breach. Narrowing down the potential avenues for evidence collection can speed up the process and allow organizations to understand what exactly happened more effectively. Knowing what resources were connected to each other can also help to illuminate which assets and data types might have been compromised. TL;DR - SBOMs can help with: 1/ Prioritizing SOC alerts 2/ Sifting through false positives 3/ Helping with forensic analysis How else can you apply them to security operations?

One of the biggest lessons I’ve learned in the SOC is this: A detection rule is only as good as the context it has. When I see a noisy or repetitive alert, I follow a simple 3-step approach to tune it: - Review the alert history How often has it triggered in the last week/month? Is it tied to known benign activity or an actual threat pattern? Check raw logs for full context. - Cross-check with threat intel Compare IOCs against trusted feeds (MISP, VirusTotal, AbuseIPDB). See if the behavior aligns with active campaigns or scanning activity. - Refine the logic Narrow the scope with additional conditions (source, destination, process name, time range). Add exclusions for known safe hosts or users. Document changes in a shared knowledge base. Result? Less alert fatigue. More accurate detections. Analysts spending time on what really matters. Pro tip: Every time you tune a rule, write down why. Six months later, your future self (or teammate) will thank you. How do you approach rule tuning in your environment? Do you prefer to refine existing rules or write new ones from scratch? #SOCAnalyst #SIEM #RuleTuning #CyberSecurity #DetectionEngineering #BlueTeam #IncidentResponse #Wazuh #ThreatHunting #SecurityOperations

🔐 5 Key Considerations for SIEM Solutions 🔐 SIEM (Security Information and Event Management) systems are essential for cybersecurity, but their effectiveness depends on how well they fit an organization's needs—especially for SMBs. Here are five critical factors to consider: ✅ 1. Cost Matters While SIEM solutions often seem built for large enterprises, accessible and cost-effective options can help SMBs strengthen their security posture. 🚨 2. Too Many Alerts = Alert Fatigue Overwhelming security teams with excessive alerts and false positives wastes time and increases the risk of missing real threats. A well-optimized SIEM should filter out noise and focus on meaningful alerts. ⚙️ 3. Default Rules vs. Custom Alarms Predefined rules are a good starting point, but true protection comes from custom alarms tailored to your organization's unique infrastructure and threat landscape. 🔄 4. Keeping Custom Alarms Updated A static SIEM is a weak SIEM. Since cyber threats evolve, custom alarms must be continuously updated and tested. Automation and threat intelligence integration can also reduce costs while improving efficiency. 🛠 5. Reducing Dependence on External Services SMBs should have the ability to design and manage their own security alerts. While external support may be needed for complex cases, minimizing reliance on third parties allows businesses to maintain better control over their security strategy. 🚀 Are you making the most of your SIEM solution? Let’s discuss! #CyberSecurity #SIEM #ThreatDetection #SMB #CloudSecurity #SecurityOperations