Hi, I would like to know how other security team use the IOC matches alerts. Where I work, we are using the IOC matches without other IOC feed than the default feed(US DHS AIS, ESET threat intel and Open Source Intel). Team members are complaining about values of those alerts(people says that they are mostly false positive).Do your sec ops team are looking at it? are you pre-triage it into soar to bring relevant IOC matches to analyst?
What are you doing for not suffering from alert fatigue?
In our security team, we proactively address IOC matches and combat alert fatigue by employing a pre-triage process through SOAR tools. This involves refining alerting criteria, incorporating targeted IOC feeds, and automating initial triage to filter out false positives. We maintain ongoing collaboration with analysts, conduct regular training, and periodically review IOC match criteria to adapt to evolving threats. This approach ensures that only relevant and accurate alerts reach analysts, mitigating the impact of false positives and enhancing overall threat detection efficacy.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.