Too many alerts is as bad as none — analysts stop trusting a noisy queue. Triage efficiently, ruthlessly cut false positives, and automate the repetitive response steps.
Why: analysts face more alerts than they can deeply investigate, so triage is a fast classification — is this a true positive worth escalating, a false positive to tune out, or benign — using enrichment and context. When: work the queue by severity and asset criticality, timeboxing each alert. Where: efficient triage is what keeps a SOC from drowning; every alert needs a clear next action.
For each alert, quickly decide:
TRUE POSITIVE real malicious/suspicious -> escalate to IR (DFIR course)
FALSE POSITIVE benign activity that matched -> TUNE the rule
BENIGN TRUE real but authorized (a known admin task) -> document/allowlist
Use enrichment (asset criticality, user context, intel) to triage in
seconds, not minutes. Prioritize crown-jewel assets.Why: a rule that cries wolf trains analysts to ignore it, so false positives must be tuned aggressively — refining conditions, allowlisting known-good behavior, and adjusting thresholds — because alert fatigue causes real alerts to be missed. When: every false positive is a tuning task, not something to endure. Where: the goal is a queue where a firing alert is trusted to mean something.
ALERT FATIGUE is a security risk: a noisy queue hides the real alert.
Tune every false positive:
- tighten the condition (add context that excludes the benign case)
- allowlist known-good actors/behaviors (documented, reviewed)
- adjust thresholds/timeframes to the environment's baseline
- suppress duplicates; group related alerts into one case
Target: high signal. A firing alert should be worth an analyst's time.Why: many triage and response steps are repetitive (enrich an IP, isolate a host, open a ticket), so SOAR (Security Orchestration, Automation and Response) runs them as playbooks — freeing analysts for judgment work. When: automate the deterministic, low-risk steps first; keep humans in the loop for consequential actions. Where: automation scales the SOC, but destructive actions (isolating a server) still warrant human approval.
SOAR playbook for a "malware on endpoint" alert:
1. auto-enrich: hash -> VirusTotal, host -> asset owner + criticality
2. auto-contain: isolate the host from the network [human approval]
3. auto-ticket: open a case with all evidence attached
4. hand to an analyst for the judgment calls
Automate the repetitive + deterministic. Gate the destructive on a human.