Carbon Filter: Real-time Alert Triage Using Large Scale Clustering and Fast Search

arXiv:2405.04691v1 Announce Type: cross
Abstract: "Alert fatigue" is one of the biggest challenges faced by the Security Operations Center (SOC) today, with analysts spending more than half of their time reviewing false alerts. Endpoint detection products raise alerts by pattern matching on event telemetry against behavioral rules that describe potentially malicious behavior, but can suffer from high false positives that distract from actual attacks. While alert triage techniques based on data provenance may show promise, these techniques can take over …

abstract alert alert fatigue alerts analysts arxiv carbon center challenges clustering cs.cr cs.lg detection event false filter operations pattern products raise real-time rules scale search security security operations security operations center soc spending telemetry type