Today, organisations are faced with the increasingly difficult task of trying to protect their expanding digital estate from sophisticated cybersecurity threats. Migration to the cloud and a mobile workforce have dissolved the network boundary and projected the digital estate beyond its traditional confines. Data, customers, and systems are everywhere. Additionally, these systems increasingly reside in the cloud and generate a considerable amount of security data. To add to this, on average, corporations with over 1,000 employees maintain about 70 security products from 35 different vendors, according to a recent report by CCS Insight. The end result? A vast amount of alerts that security operations centre (SOC) teams have to contend with. Unsurprisingly, according to an ESG¹ study, 44 percent of these alerts go uninvestigated due to a combination of talent scarcity and the multiplicity of security solutions generating a huge volume of alerts.

To help our customers address alert fatigue while still maintaining detection efficacy, Microsoft is leveraging the power of threat intelligence, native solution integration, AI, and automation to deliver a unique SIEM and XDR approach to tackling the challenge of alert fatigue. But first things first: what exactly are alerts, events, and incidents in the context of security operations? Below is a graphic that helps answer this question before we delve deeper into how Microsoft technology is helping SOC teams sift through high volumes of alerts and narrow them down to manageable, high-fidelity incidents.

Diagram distinguishing between events, alerts and incidents

Let us now look at the six strategies that Microsoft uses to help our customers deal with the alert fatigue problem:

1. Threat intelligence

To combat cyberthreats, Microsoft aggregates trillions of daily signals, across all clouds and all platforms, for a holistic view of the global security ecosystem. Using the latest in machine learning and artificial intelligence techniques, plus the power of smart humans, we put these signals to work on behalf of our customers, taking automated action when threats are seen and providing actionable intelligence to security teams when further contextual analysis is required.

2. Native integration

Microsoft leverages the tight integration across its threat protection solution stack to help customers connect the dots between disparate threat signals and build incidents by grouping quality alerts from different parts of their environment and stitching together the elements of a threat. First-party security solutions within the Microsoft 365 Defender offering enable our customers to benefit from real-time interactions amongst the tools, backed by insights from the Intelligent Security Graph. As a result, the quality of alerts is improved, false positives are significantly reduced at source, and in some cases, automatic remediation is completed at the threat protection level. Additionally, this can be combined with log data drawn from third-party solutions such as network firewalls and other Microsoft solutions to deliver an end-to-end investigation and remediation experience, as depicted in the image below.

Image showing integration of Microsoft's XDR offering

3. Machine learning

The third strategy that we apply is the ingestion of billions of signals into our security information and event management (SIEM) solution, Azure Sentinel, and then passing those signals through proven machine learning frameworks. Machine learning is at the heart of what makes Azure Sentinel a game-changer in the SOC, especially in terms of alert fatigue reduction. With Azure Sentinel we are focusing on three machine learning pillars: Fusion, built-in machine learning, and "bring your own machine learning." Our Fusion technology applies state-of-the-art scalable learning algorithms to correlate millions of lower-fidelity anomalous activities into tens of high-fidelity incidents. With Fusion, Azure Sentinel can automatically detect multistage attacks by identifying combinations of anomalous behaviours and suspicious activities that are observed at various stages of the kill chain.

On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be difficult to catch. Secondly, with built-in machine learning, we pair years of experience securing Microsoft and other major enterprises with advanced capabilities around techniques such as transfer learning to bring machine learning within reach of our customers, allowing them to quickly identify threats that would be difficult to find using traditional methods. Thirdly, for organizations with in-house capabilities to build machine learning models, we enable them to bring those into Azure Sentinel to achieve the same end goal of alert noise reduction in the SOC. Below is a real-life depiction, captured within a certain month, where machine learning in Azure Sentinel was used effectively to reduce signal noise.

4. Watchlists

Watchlists can be used to ensure that alerts involving the listed entities are promoted, either by assigning them a higher severity or by alerting only on the entities defined in the watchlist. Among other use cases, Azure Sentinel leverages watchlists as a high-fidelity data source that can be used to reduce alert fatigue. For instance, this is achieved by creating "allow" lists to suppress alerts from a group of users or devices that perform tasks that would normally trigger the alert, thereby preventing benign events from becoming alerts.
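As an added illustration (not code from this post or from Azure Sentinel itself), the following Python models the two watchlist effects described above, severity promotion for listed accounts and allow-list suppression for listed sources, together with the entity-based stitching of alerts into incidents from the native-integration section. The watchlists, entity types and alerts are constructed sample data; the contoso.example account and the IP addresses are placeholders.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Alert:
    id: str
    rule: str
    severity: str   # "Low" | "Medium" | "High"
    entities: dict  # entity type -> value, e.g. {"account": ..., "ip": ...}

SEVERITIES = ["Low", "Medium", "High"]
# Constructed watchlists (sample data, not real Sentinel content).
VIP_ACCOUNTS = {"cfo@contoso.example"}         # promote: raise severity one step
ALLOWED_SOURCES = {"PortScan": {"10.0.0.5"}}   # suppress: rule -> IPs allowed to trigger it

def apply_watchlists(alerts):
    """Drop allow-listed alerts; promote alerts that touch watchlisted accounts."""
    out = []
    for a in alerts:
        if a.entities.get("ip") in ALLOWED_SOURCES.get(a.rule, set()):
            continue  # benign event never becomes an alert
        if a.entities.get("account") in VIP_ACCOUNTS:
            idx = min(SEVERITIES.index(a.severity) + 1, len(SEVERITIES) - 1)
            a = replace(a, severity=SEVERITIES[idx])
        out.append(a)
    return out

def group_into_incidents(alerts):
    """Union-find over shared entities: alerts sharing any entity value join one incident."""
    parent = {a.id: a.id for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # (entity type, value) -> id of the first alert carrying it
    for a in alerts:
        for ent in a.entities.items():
            if ent in first_seen:
                parent[find(a.id)] = find(first_seen[ent])
            else:
                first_seen[ent] = a.id
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a)
    incidents = [{"alerts": [a.id for a in g], "severity": max((a.severity for a in g), key=SEVERITIES.index)} for g in groups.values()]
    return sorted(incidents, key=lambda i: (-SEVERITIES.index(i["severity"]), i["alerts"][0]))

def triage(alerts):
    return group_into_incidents(apply_watchlists(alerts))

SAMPLE_ALERTS = [  # constructed sample alerts
    Alert("a1", "PortScan", "Medium", {"ip": "10.0.0.5"}),
    Alert("a2", "ImpossibleTravel", "Medium", {"account": "cfo@contoso.example", "ip": "203.0.113.9"}),
    Alert("a3", "MailForwardingRule", "Low", {"account": "cfo@contoso.example"}),
    Alert("a4", "MalwareDetected", "High", {"host": "WS-042", "ip": "203.0.113.9"}),
    Alert("a5", "FailedLogons", "Low", {"account": "svc-backup"}),
]
```

Running `triage(SAMPLE_ALERTS)` suppresses the scanner's port-scan alert, promotes the two alerts on the watchlisted account, and stitches a2, a3 and a4 into one High incident because they share an account or an IP, leaving a5 as a separate Low incident.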

5. User and entity behavior analytics

User and entity behavior analytics (UEBA) is natively built into Azure Sentinel, targeting use cases such as abuse of privileged identities, compromised entities, data exfiltration, and insider threat detection. Azure Sentinel collects logs and alerts from all of its connected data sources, then analyzes them and builds baseline behavioral profiles of your organization's entities (users, hosts, IP addresses, applications, and more) across peer groups and time horizons. With the UEBA capability, SOC analysts are now empowered to reduce not just false positives but also false negatives. UEBA achieves this by automatically leveraging contextual and behavioral information from peers and the organization that typical alert rules tend to lack. The image below depicts how UEBA in Azure Sentinel narrows down to only the security-relevant data to improve detection efficiency:

Image showing UEBA efficiency funnel

6. Automation

The lower tiers of a SOC are typically tasked with triaging alerts, and this is where the critical decisions need to be made as to whether alerts are worth analyzing further or not. It is also at this point that automation of well-known tasks that do not require human judgment can have the most significant impact in terms of alert noise reduction. Azure Sentinel leverages Logic Apps, native to Azure, to build playbooks that automate tasks of varying complexity. Using real-time automation, response teams can significantly reduce their workload by fully automating routine responses to recurring types of alerts, allowing SOC teams to concentrate more on unique alerts, analyzing patterns, or threat hunting. Below is an example of a security playbook that will open a ticket in ServiceNow and send a message to an approver. With a click of a button, if they confirm activity from a malicious IP as a true positive, that IP is automatically blocked at the firewall level and the user's ID is disabled in Azure Active Directory.

Cross-vendor security remediation playbook


We have looked at 6 effective strategies that organizations can use to minimize alert fatigue and false positives in the SOC. When combined across a unified ecosystem, including threat intelligence, the Microsoft Security suite, UEBA, automation, and orchestration capabilities tightly integrated with the Azure platform and Azure Sentinel, alert noise can be significantly reduced. Additionally, Azure Sentinel offers capabilities such as alert grouping and the intuitive Investigation Graph, which automatically surfaces prioritized alerts for investigation and also provides automated expert guidance when investigating incidents. To significantly increase your detection rates and reduce false positives while simplifying your security infrastructure, incorporate our unique SIEM and XDR solution, comprising Azure Sentinel and Microsoft Defender capabilities, into your threat defense and response strategy.

Unified security ecosystem funnel

Additional resources

Microsoft Threat Protection stops attack sprawl and auto-heals enterprise assets with built-in intelligence and automation.
Azure Sentinel uncovers the real threats hidden in billions of low-fidelity signals.
Microsoft applies threat intelligence to protect, detect, and respond to threats.
Tutorial: Set up automated threat responses in Azure Sentinel.
How a customer significantly reduced alert fatigue using machine learning in Azure Sentinel.
Use Azure Sentinel Watchlists.
What's new: Azure Sentinel User and Entity Behavior Analytics in Preview (Microsoft Tech Community).

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Special thanks to Sarah Young, Chi Nguyen, Ofer Shezaf, and Rafik Gerges for their input.

¹ ESG: Security Analytics and Operations: Industry Trends in the Era of Cloud Computing, 2019.

The post "6 strategies to reduce cybersecurity alert fatigue in your SOC" appeared first on Microsoft Security.