
How do you decide about the alert severity in your Security Operations Center (SOC)?

Hi SOC analysts and other infosec professionals,

Which standard/custom method do you use to decide about the alert severity in your SOC? 

Is it possible to avoid being too subjective? How do you fight the "alert fatigue"?

PeerSpot user
67 Answers

Luis Apodaca - PeerSpot reviewer
Top 5 User

I think first of all you need to establish which resources you want to handle in your operation and then how important each one is. Once you have that, try, based on a "Venn diagram" or an "Eisenhower chart", to apply the resolution tools. Fatigue comes from not knowing which tool to use, or whether the resource with an incident is in danger or not.

Only then can you configure some rules; the information coming from there is gonna give the necessary details for making more decisions.

Maybe I'm very subjective, but there is a very large group of solutions and strategies. It's not always gonna be the same scenario.

So what you need is a criterion, professional skills, and then... being patient and embracing yourself

Good luck!

Robert Cheruiyot - PeerSpot reviewer
Top 5 Real User

Hi @Evgeny Belenky,

I think as long as you do this manually, you will always have to be subjective. One will always say alerts from critical assets come first, setting them with a higher priority.

But the concept of threat intelligence will help. Threat intelligence feeds will help in improving information about the threats you are handling. Without this, your assets and the rules you set will always say "hey, this is serious malicious activity" with brief information, unlike when you get feeds from various sources of threat intelligence.

Fighting alert fatigue - It's good to have playbooks do some repetitive work. If an alert is generated, instead of jumping into all of them as an analyst, a playbook will help you automate some activities like checking file hashes in VirusTotal. At least in the end one will be getting the alerts that matter most, with sufficient information added by the playbooks.

Evgeny Belenky - PeerSpot reviewer
Community Manager

@Robert Cheruiyot thank you for such an in-detail answer!

reviewer1331706 - PeerSpot reviewer
Top 5 Leaderboard Real User

It depends on the information in your current alerts. E.g., if the alert has a priority or severity field, it will be normal to use this field.

I will assume that in your current alert system you do not have the severity or priority field.

The next option would be to look at the alert code. Most alarms have a number or a code identifying the alarm, and it is the reference to documentation - what this alarm means and how to resolve it.

I would then recommend using this code. Get a list of alarm codes, discuss and determine the severity for each code. Once you have this, you should be able to use this list to match alarms and set the automatic severity, timelines, etc.

Jairo Willian Pereira - PeerSpot reviewer
Top 5 Leaderboard Real User

1. Original thresholds from your tool.

2. Number 1 plus an internal business sense for each asset (other tools, CMDB attributes, SID - Security ID, and/or classification tags such as baseline, stringent, internet-facing, workstation...).

3. A combination of both, for example, plus an extra risk-machine indicator, vulnerability exposure, correlation together with other critical processes.

4. Using a reference framework (NIST) or a mandate from regulators (SEC, ENISA, PCI, HIPAA, ...).

For alert fatigue, you'll need to optimize controls step-by-step (manually or using automatic/AI features), tuning false positives and filtering inconsistencies based on PDCA/baby-steps/Continuous Improvement models.
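The two answers above describe one procedure from two angles: an agreed alarm-code-to-severity list that auto-assigns severity and timelines (reviewer1331706), and that base value raised by the asset's business context, classification tags and vulnerability exposure (items 2 and 3 of the list above). The following is an added example, not code from the thread or from any vendor; the alarm codes, tag weights, asset records and response timelines are constructed sample values that a team would replace with its own agreed list.

```python
"""Alarm-code table plus asset context -> severity and response timeline.

Added example (not from the thread). All codes, tags, weights and timelines
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Step 1: the agreed list of alarm codes and their base severity (1-5).
# Constructed values; a real list comes from the tool's documentation
# and the severity discussion reviewer1331706 recommends.
ALARM_CODE_SEVERITY = {
    "AV-1001": 3,    # malware detected and quarantined
    "AV-1002": 4,    # malware detected, quarantine FAILED
    "AUTH-2001": 1,  # single failed logon
    "AUTH-2002": 3,  # brute-force threshold reached
    "NET-3001": 2,   # outbound connection to newly seen domain
}

# Step 2: CMDB classification tags and how much each raises the base severity.
TAG_WEIGHT = {"internet-facing": 1, "stringent": 1, "baseline": 0, "workstation": 0}

SEVERITY_LABEL = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}
RESPONSE_TIMELINE = {1: "next business day", 2: "24h", 3: "4h", 4: "1h", 5: "15m"}


@dataclass(frozen=True)
class Asset:
    """Minimal CMDB record for the asset an alert fired on (constructed shape)."""
    hostname: str
    tags: tuple
    exposed_vulns: int  # open exploitable findings reported by the VM scanner


def score_alert(alarm_code: str, asset: Asset, tool_severity: Optional[int] = None) -> dict:
    """Return severity (1-5), label, response timeline and provenance for one alert.

    Base severity comes from the tool's own severity field when it exists,
    otherwise from the alarm-code table. Unknown codes default to medium so
    they are never silently dropped, and are flagged for the code-list review.
    Business context and exposure only ever raise the base, never lower it.
    """
    if tool_severity is not None:
        base, source = tool_severity, "tool"
    elif alarm_code in ALARM_CODE_SEVERITY:
        base, source = ALARM_CODE_SEVERITY[alarm_code], "code-table"
    else:
        base, source = 3, "unknown-code"

    bump = sum(TAG_WEIGHT.get(tag, 0) for tag in asset.tags)
    if asset.exposed_vulns > 0:
        bump += 1  # step 3: vulnerability exposure indicator
    severity = max(1, min(5, base + bump))
    return {
        "severity": severity,
        "label": SEVERITY_LABEL[severity],
        "timeline": RESPONSE_TIMELINE[severity],
        "source": source,
        "needs_code_review": source == "unknown-code",
    }


def triage(alerts, assets):
    """Score a batch of (alarm_code, hostname) pairs and order them most severe first."""
    scored = []
    for code, host in alerts:
        result = score_alert(code, assets[host])
        result.update(code=code, host=host)
        scored.append(result)
    return sorted(scored, key=lambda r: r["severity"], reverse=True)


if __name__ == "__main__":
    assets = {  # constructed CMDB extract
        "web01": Asset("web01", ("internet-facing", "stringent"), 2),
        "ws42": Asset("ws42", ("workstation",), 0),
        "db1": Asset("db1", ("baseline",), 0),
    }
    for row in triage([("AUTH-2001", "ws42"), ("AV-1002", "web01"), ("XYZ-9", "db1")], assets):
        print(row)
```

Keeping the mapping tables as plain data rather than burying thresholds in the scoring code is deliberate: the agreed code list and tag weights are exactly the artefacts the team revisits during tuning, and a diff on that table is an auditable record of why a severity changed. The `needs_code_review` flag surfaces codes missing from the list instead of letting them default quietly.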

ITSecuri7cfd - PeerSpot reviewer
Top 5 Leaderboard Real User

I think the first step is configuration. 

When teams are first deploying a new tool, working closely with the vendor to set up the best configuration possible to tune down the alerting for the fewest false positives is critical to the success of your SOC.

Even paying extra for a third-party tool configuration assessment can make the difference of millions of alerts compared with vendor-recommended alerting.

Then there is a phase of "tuning" where you are in monitor mode to see what the worst and best alerting is, and you go from 80% to 90% false positives removed. That last 10% is the hardest with each tool and causes the most work and the most pain, but if successful you have less critical alerting firing off each device.

Feeding this to the SIEM is where you get the biggest bang for your buck when doing correlation of events; setting proper alerting triggers even for critical alerts can help you prioritize even those.

If you are looking for 10 alerts in the SIEM out of 6 million, you have to prioritize what sets those 10 above the rest so they stick out the most: critical assets, hashtags, threat feeds, UEBA, etc. - all of the things mentioned above are critical to that endeavor.
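The tuning phase described above has two mechanical parts a SIEM pipeline can do before an analyst sees anything: suppress the (code, host) pairs confirmed benign in monitor mode, and collapse repeats of the same alert on the same host within a time window into one aggregated alert with a count. The following is an added example, not code from the answer or from any SIEM product; the log lines, alarm codes, suppression list and window are all constructed, and the input is assumed to be in time order as a SIEM export would be.

```python
"""Suppress tuned-out alerts and collapse repeats to cut raw alert volume.

Added example (not from the thread). The export format, lines, codes and
suppression entries are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed SIEM export, one alert per line: "<ISO time>|<alarm code>|<host>|<detail>"
SAMPLE_LINES = """\
2022-05-01T10:00:01|AUTH-2001|ws42|failed logon user=alice
2022-05-01T10:00:03|AUTH-2001|ws42|failed logon user=alice
2022-05-01T10:00:05|AUTH-2001|ws42|failed logon user=alice
2022-05-01T10:00:07|NET-3001|web01|outbound dst=203.0.113.10
2022-05-01T10:04:00|AUTH-2001|ws42|failed logon user=alice
2022-05-01T10:20:00|AUTH-2001|ws42|failed logon user=alice
2022-05-01T10:21:00|SCAN-4001|vuln-scanner|port sweep of 10.0.0.0/24
2022-05-01T10:22:00|AV-1002|web01|quarantine failed path=/tmp/x
""".splitlines()

# Tuning-phase result: (code, host) pairs confirmed benign in monitor mode.
# Constructed; the authorised scanner sweeping its own ranges is a typical entry.
SUPPRESSIONS = {("SCAN-4001", "vuln-scanner")}

WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """Split one export line into its fields (assumes the constructed format above)."""
    ts, code, host, detail = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "code": code, "host": host, "detail": detail}


def aggregate(lines, window=WINDOW, suppressions=SUPPRESSIONS):
    """Return (aggregated_alerts, stats).

    Repeats of the same (code, host) are folded into the open group for that
    key while they fall within `window` of the group's first occurrence; a
    repeat outside the window opens a fresh group, so a burst that resumes
    later still surfaces as a new alert. Suppressed pairs are counted, not
    emitted, so the tuning list's effect stays visible in the stats.
    """
    suppressed = 0
    open_groups = {}
    out = []
    for raw in lines:
        alert = parse_line(raw)
        key = (alert["code"], alert["host"])
        if key in suppressions:
            suppressed += 1
            continue
        group = open_groups.get(key)
        if group is not None and alert["time"] - group["first_seen"] <= window:
            group["count"] += 1
            group["last_seen"] = alert["time"]
            continue
        group = {
            "code": alert["code"],
            "host": alert["host"],
            "first_seen": alert["time"],
            "last_seen": alert["time"],
            "count": 1,
            "detail": alert["detail"],
        }
        open_groups[key] = group
        out.append(group)
    stats = {"input": len(lines), "suppressed": suppressed, "output": len(out)}
    return out, stats


if __name__ == "__main__":
    alerts, stats = aggregate(SAMPLE_LINES)
    print(stats)
    for a in alerts:
        print(f'{a["first_seen"].isoformat()} {a["code"]} {a["host"]} x{a["count"]}')
```

The count carried on each aggregated alert is itself a signal: four failed logons on one workstation in four minutes is a different object from one, and a downstream rule can promote a group whose count crosses a threshold rather than relying on the raw stream. Suppressions are kept as a separate, reviewable set so that "we tuned that out" is a recorded decision and not a lost alert.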

Shibu Babuchandran - PeerSpot reviewer
Expert Moderator Real User

Hi @Evgeny Belenky​,

Below are a few strategies that, if taken into account, can reduce cybersecurity alert fatigue in a SOC.

1. Threat intelligence

2. Native integration

3. Machine learning

4. Watchlists

5. UEBA (User and Entity Behavior Analytics)

6. Automation
