CoursesDetection engineeringDeception & alert quality

Alert quality & tuning

Precision over volume; beat alert fatigue.

Advanced30 min · lesson 14 of 15

The most sophisticated detection is worthless if its alerts are ignored, and alerts get ignored when there are too many low-value ones. Alert quality — precision, context, and prioritization — is what keeps a detection program alive and trusted.

The cost of noise

Alert fatigue is the silent killer of detection programs: a flood of low-signal alerts trains responders to skim, dismiss, and eventually ignore the queue, so the one alert that matters scrolls past unseen. High volume is not high security — it is the opposite, because it buries the signal. The goal is not more alerts but better ones: high precision (a large fraction of alerts represent real risk) and actionable context (each alert carries enough information to triage without pivoting to five other tools). Measuring and reducing your false-positive rate is one of the highest-leverage things a detection engineer does.

tune for precision, do not disable
# A noisy rule fires on a known-good batch job. WRONG fix: delete the rule.
# RIGHT fix: a scoped exception that keeps the malicious case covered.
detection:
selection: { EventID: 4688, NewProcessName: '*\powershell.exe' }
filter_known_good:
ParentProcessName: '*\scheduled-batch-runner.exe' # our sanctioned job
User: 'svc-batch'
condition: selection and not filter_known_good
# Still fires for PowerShell spawned by anything else — precision, not blindness.

Enrich, dedupe, prioritize

Three techniques turn a noisy stream into a trusted one. Enrichment attaches context — asset owner, user risk, severity, threat-intel — so an alert is immediately actionable. Deduplication and grouping collapse repetitive alerts into a single incident, so responders see the event, not five hundred copies of it. Prioritization ranks by severity and asset criticality, so attention flows to what matters. Tune noisy rules with scoped exceptions rather than deleting them (keep the malicious case covered), and treat tuning as continuous, not one-time. A smaller stream of high-confidence, well-contextualized alerts that responders trust beats a firehose every single time.

From noise to signal
1raw alerts
high volume, mixed value
2enrich
asset, user, severity, intel
3dedupe + group
one incident, not 500 copies
4prioritize
severity + asset criticality
Enrich, dedupe, and prioritize — and tune by exception, not deletion. A trusted low-noise queue is the goal; an ignored one catches nothing.
Disabling a noisy rule throws away the coverage
When a valuable detection is too noisy, the reflex to disable it removes the coverage entirely — the malicious case now goes unseen. Instead, add scoped exceptions for the known-good activity so the rule stays precise and still fires on the real threat; tune for precision rather than turning detection off.