18
Our SIEM alert volume dropped by 60% after one config change
Been fighting alert fatigue for months at our SOC in Austin. We had over 4,000 alerts a day and maybe 15 were real. Found out our senior analyst tweaked some correlation rules last Tuesday and now we're down to about 1,600 alerts. The trick was grouping similar low-severity events into single alerts instead of blasting us for every single failed login. Anyone else seen big drops from just rule grouping?
2 comments
Log in to join the discussion
Log In2 Comments
hunt.jana5d ago
15 failed login attempts from one IP in 5 minutes used to fire off 15 separate alerts for me. I actually thought that was better for a while, like having the raw data was safer or something lol. But after a month of drowning in noise my senior just merged those into a single alert with a count field and I was honestly annoyed at first. Now I can't believe we didn't do this years ago. The reduction in mental load is insane, I can actually focus on the weird outliers now instead of clicking through pages of useless stuff. Its crazy how much of our alerting was just redundant noise.
3
hunt.jana5d ago
Read a similar thing in a security blog last week, glad it worked out for you.
4