Carbon Filter: Real-time Alert Triage Using Large Scale Clustering and Fast Search

arXiv:2405.04691v1 Announce Type: new
Abstract: "Alert fatigue" is one of the biggest challenges faced by the Security Operations Center (SOC) today, with analysts spending more than half of their time reviewing false alerts. Endpoint detection products raise alerts by pattern matching on event telemetry against behavioral rules that describe potentially malicious behavior, but can suffer from high false positives that distract from actual attacks. While alert triage techniques based on data provenance may show promise, these techniques can take over …

alert alert fatigue alerts alert triage analysts arxiv carbon center challenges clustering cs.cr cs.lg detection endpoint endpoint detection event fast fatigue filter large operations products real rules scale search security security operations security operations center soc spending telemetry today triage