Understanding Your Alert Rules
Seculyze optimizes your monitoring by introducing alert rule management and value assessment. Through this, you receive the most coverage with the least amount of false positive alerts. This is a tricky balance, because you want the most alerts without being hit by alert fatigue. Therefore, assessing the value of the alert rules is especially powerful when combined with our tuning module.
Here, you are able to:
Pinpoint the value of each individual alert rule
Follow our recommendations for optimizing the use of alert rules
Our approach evaluates each alert rule by analyzing its cost against its gain. When these two factors are plotted in a value matrix, the alert rule's overall worth is obtained.
Cost: The amount of analyst time used. High cost is attributed to alert rules with many alerts and many false positives. Low cost is attributed to alert rules that generate few alerts and no false positives.
Gain: The certainty of the alert rule. High gain is a narrow alert rule scope with high certainty in the alerts' validity. Low gain is a broad alert rule scope, which will produce more unimportant alerts.
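As an added illustration of the cost/gain matrix described above (not Seculyze's own scoring, which the page does not specify), the following Python places each rule in the matrix from constructed incident classification counts; the rule names, the sample counts and the 50/50 cost weighting are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (not real data): how closed incidents per rule were classified.
# Tuples are (rule name, incident classification, count); the classification
# names follow the values Sentinel uses when an incident is closed.
SAMPLE_INCIDENTS = [
    ("Impossible travel", "TruePositive", 2),
    ("Impossible travel", "FalsePositive", 38),
    ("Mass download", "TruePositive", 3),
    ("Mass download", "BenignPositive", 1),
    ("Rare process from Office app", "TruePositive", 30),
    ("Rare process from Office app", "FalsePositive", 20),
    ("DGA-like DNS names", "TruePositive", 1),
    ("DGA-like DNS names", "FalsePositive", 49),
]

@dataclass
class RuleValue:
    rule: str
    alerts: int
    false_positives: int
    cost: float           # 0..1: analyst time, from volume and false-positive share
    gain: float           # 0..1: certainty, the share of alerts that were true positives
    recommendation: str   # quadrant of the value matrix the rule lands in

def assess_rules(incidents, cost_threshold=0.5, gain_threshold=0.5):
    """Score every rule on cost and gain and map the pair to a recommendation."""
    counts = defaultdict(lambda: defaultdict(int))
    for rule, classification, n in incidents:
        counts[rule][classification] += n
    max_alerts = max(sum(c.values()) for c in counts.values())
    results = {}
    for rule, c in counts.items():
        alerts = sum(c.values())
        tp, fp = c.get("TruePositive", 0), c.get("FalsePositive", 0)
        # Assumed weighting: half volume relative to the noisiest rule, half FP share.
        cost = 0.5 * (alerts / max_alerts) + 0.5 * (fp / alerts)
        gain = tp / alerts
        if gain >= gain_threshold:
            rec = "keep" if cost < cost_threshold else "tune (high value, high cost)"
        else:
            rec = "review scope" if cost < cost_threshold else "disable candidate"
        results[rule] = RuleValue(rule, alerts, fp, round(cost, 3), round(gain, 3), rec)
    return results

if __name__ == "__main__":
    for r in assess_rules(SAMPLE_INCIDENTS).values():
        print(f"{r.rule:30} alerts={r.alerts:3} fp={r.false_positives:3} "
              f"cost={r.cost:.2f} gain={r.gain:.2f} -> {r.recommendation}")
```

A rule with high gain but high cost is the one worth tuning rather than disabling: its detections are real, it is just too noisy as scoped.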
The Importance of Alert Rules Value Assessment
In the context of Microsoft Sentinel and Defender, alert rules can be an accelerator of alert fatigue. By assessing the value of each alert rule, you can make informed decisions to activate or deactivate them, optimizing your system's performance and alert management.
Evaluating Your System
To assess your alert rule value:
Navigate to 'Alert rules' under the 'Health' tab.
Review the value assessment and act accordingly, typically enabling or disabling the alert rule as recommended.
Or, apply all suggestions from the summary section for a comprehensive adjustment.