Eliminating Alert Fatigue: Reducing False Positives Through Better Engineering

OVERVIEW

False positive alerts (FPs) are the bane of blue teams everywhere. Countless hours are lost as Security Operations Center (SOC) analysts sift through alert chaff to find the real indicators of an attack. Reducing FPs is thus a critical goal for any security platform. Yet reducing FPs at the expense of missing the signs of an actual threat is inviting disaster: a suppression that silences a noisy rule also silences the one true positive hiding inside it. The solution to this conundrum lies in better engineering: building the right tools to accurately assess alerts at scale.

In this talk, we explore our approach at Microsoft Defender Advanced Threat Protection (MDATP) to reducing alert FPs. Our engineering-driven methodology evaluates each logical unit along the entire alert generation and monitoring pipeline, identifies the sources of high-volume FPs, prototypes viable solutions, and delivers new tools that directly reduce FPs. These tools implement a variety of techniques, including clustering of near-duplicate alerts, supervised learning on analyst verdicts, real-time analysis and sampling optimization.
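The clustering step described above, as an added illustration that is not code from the talk or from MDATP: it groups alerts by rule, process and a normalized command line, then ranks clusters by volume against analyst verdicts, surfacing high-volume clusters with no confirmed true positive as suppression candidates while deliberately leaving mixed clusters alone. The alert records, rule names, normalization patterns and thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts (illustrative, not real MDATP telemetry).
# verdict: "tp" (confirmed attack), "fp" (analyst closed as benign) or None (untriaged).
BACKUP_CMD = (r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File "
              r"C:\Program Files\BackupAgent\jobs\job-{}.ps1")
SAMPLE_ALERTS = [
    # A backup agent's scheduled jobs trip a policy-bypass rule once per job GUID.
    {"id": 1, "rule": "ScriptExecPolicyBypass", "process": "powershell.exe",
     "cmdline": BACKUP_CMD.format("3f2a1b7c-9d4e-4f1a-8b2c-0a1b2c3d4e5f"), "verdict": "fp"},
    {"id": 2, "rule": "ScriptExecPolicyBypass", "process": "powershell.exe",
     "cmdline": BACKUP_CMD.format("7c1d2e3f-0a1b-4c2d-9e3f-1a2b3c4d5e6f"), "verdict": "fp"},
    {"id": 3, "rule": "ScriptExecPolicyBypass", "process": "powershell.exe",
     "cmdline": BACKUP_CMD.format("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"), "verdict": "fp"},
    {"id": 4, "rule": "ScriptExecPolicyBypass", "process": "powershell.exe",
     "cmdline": BACKUP_CMD.format("5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9"), "verdict": None},
    {"id": 5, "rule": "ScriptExecPolicyBypass", "process": "powershell.exe",
     "cmdline": BACKUP_CMD.format("9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a"), "verdict": None},
    # Encoded PowerShell: same shape, but one of the two is a real intrusion.
    {"id": 6, "rule": "EncodedPowerShell", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QUFBQUFB" * 8, "verdict": "tp"},
    {"id": 7, "rule": "EncodedPowerShell", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QkJCQkJC" * 8, "verdict": "fp"},
    {"id": 8, "rule": "OfficeSpawnsShell", "process": "winword.exe",
     "cmdline": "cmd.exe /c whoami /all", "verdict": "tp"},
]

# Normalization patterns (assumed): collapse the parts of a command line that vary
# per execution but carry no detection signal. Placeholders contain no digits so
# the digit rule below cannot mangle them. Order matters: GUIDs and blobs first.
_SUBS = [
    (re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"), "<guid>"),
    (re.compile(r"\\users\\[^\\]+\\"), r"\\users\\<user>\\"),
    (re.compile(r"[a-z0-9+/]{40,}={0,2}"), "<blob>"),   # base64 payloads, hashes
    (re.compile(r"\d{4,}"), "<n>"),                      # PIDs, timestamps, counters
]


def normalize_cmdline(cmdline):
    """Lower-case and collapse per-instance noise so near-duplicates share one key."""
    norm = cmdline.lower().strip()
    for pattern, repl in _SUBS:
        norm = pattern.sub(repl, norm)
    return norm


def cluster_key(alert):
    return (alert["rule"], alert["process"].lower(), normalize_cmdline(alert["cmdline"]))


def cluster_alerts(alerts):
    """Exact-match clustering on the normalized key; returns key -> member alerts."""
    clusters = defaultdict(list)
    for alert in alerts:
        clusters[cluster_key(alert)].append(alert)
    return dict(clusters)


def summarize(cluster):
    verdicts = [a["verdict"] for a in cluster]
    return {"volume": len(cluster), "tp": verdicts.count("tp"),
            "fp": verdicts.count("fp"), "untriaged": verdicts.count(None)}


def fp_candidates(alerts, min_volume=3, min_triaged=2):
    """Clusters worth an engineer's attention: high volume, enough analyst verdicts
    to trust, and not a single confirmed true positive among them. A cluster that
    mixes tp and fp verdicts is never a candidate, because suppressing it would
    hide the real attack along with the noise."""
    candidates = []
    for key, members in cluster_alerts(alerts).items():
        stats = summarize(members)
        triaged = stats["tp"] + stats["fp"]
        if stats["volume"] >= min_volume and triaged >= min_triaged and stats["tp"] == 0:
            candidates.append((key, stats))
    candidates.sort(key=lambda item: item[1]["volume"], reverse=True)
    return candidates


if __name__ == "__main__":
    for key, stats in fp_candidates(SAMPLE_ALERTS):
        print(f"{key[0]} / {key[1]}: volume={stats['volume']} fp={stats['fp']} "
              f"untriaged={stats['untriaged']}\n  {key[2]}")
```

Run against the sample data, only the backup-agent cluster comes back: five alerts, three closed as benign, two still open, no true positive. The encoded-PowerShell cluster has the same volume shape but contains a confirmed attack, so it is left for analysts; the thresholds decide how much analyst evidence a cluster needs before it is even proposed for suppression, and in practice a candidate still goes to a human for review before any rule is tuned.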

This approach has proven highly effective at improving alert quality, driving significant enhancements to our customers’ investigation experience and making the entire process more efficient. This work is highly applicable to blue teams faced with scaling up to meet increased demands on their limited resources.

Presented By

DANA BARIL
Security Engineering Manager, Meta