I have a question regarding false positive SIEM alerts. How long, on average, does it take for an analyst to manually triage an alert?


The answer to that question really depends on the culture of the organisation that the analyst works in. For example, I had a client where the SIEM was generating humongous amounts of false positive authentication failures, and the security consultancy that was working with the client to get their SIEM up never at any point mentioned it; this was over a 6 month period. The failures were due to the layer two authentication order for the Ethernet (Dot1Q 1st, MAB 2nd), so all the phones and printers and anything else not capable of PKI at layer 2 cut an error against Dot1Q. These were just legitimate devices wanting to use MAB.

What's needed here is a shared responsibility model, which all the cloud players use for their security: the provider is responsible for the infrastructure security and the client is responsible for the security of the data. But in the case of SIEM through a partner etc., the client has a responsibility to weed out these false positives as well; there is a shared responsibility. Nobody knows the network better than the people who are actually responsible for it.

In this case it was an easy fix at layer 2: either dedicate a switch for all the MAB devices or just change the authentication order port by port.

It seems to be a recurring theme in this industry: companies don't do the basics well enough. In security terms they've got a big padlock on the front door, but the windows are left wide open.
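The "weed out these false positives" step from the answer above, written out as an added example that is not part of the original post or of any vendor's product. The log line format, the switch/port/MAC values, and the function names (`parse`, `triage`, `ports_for_mab_first`) are all constructed for illustration; real switch or NAC logs will need a different regex. The idea is the one the answer describes: a dot1x failure that is followed, on the same switch port and for the same MAC, by a MAB pass within a short window is a legitimate device falling through the authentication order, not an attack. Failures with no MAB fallback remain alerts, and ports that repeatedly show the pattern are reported as candidates for the per-port "MAB first" change the answer suggests.

```python
"""Separate 802.1X-then-MAB fallback noise from real authentication failures.

Constructed example; the log format below is invented for this demo:
  <epoch> switch=<name> port=<ifname> mac=<mac> method=<dot1x|mab> result=<pass|fail>
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d+) switch=(?P<switch>\S+) port=(?P<port>\S+) mac=(?P<mac>\S+) "
    r"method=(?P<method>dot1x|mab) result=(?P<result>pass|fail)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: int
    switch: str
    port: str
    mac: str
    method: str
    result: str


def parse(lines):
    """Parse the constructed log format; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(AuthEvent(int(d["ts"]), d["switch"], d["port"],
                                d["mac"].lower(), d["method"], d["result"]))
    return events


def triage(events, window=60):
    """Split dot1x failures into (benign, alerts).

    A dot1x failure is benign when the same MAC on the same switch/port gets a
    MAB pass within `window` seconds afterwards (the device simply does not do
    802.1X and was always going to authenticate by MAC). Everything else stays
    an alert: a device that fails both methods, or one that never falls back.
    """
    mab_pass = {}
    for e in events:
        if e.method == "mab" and e.result == "pass":
            mab_pass.setdefault((e.switch, e.port, e.mac), []).append(e.ts)

    benign, alerts = [], []
    for e in events:
        if not (e.method == "dot1x" and e.result == "fail"):
            continue
        later = mab_pass.get((e.switch, e.port, e.mac), [])
        # Only a MAB pass *after* the failure explains it; earlier passes do not.
        if any(0 <= t - e.ts <= window for t in later):
            benign.append(e)
        else:
            alerts.append(e)
    return benign, alerts


def ports_for_mab_first(benign, min_count=2):
    """Switch ports that keep producing the benign pattern: candidates for
    changing the authentication order (MAB first) on that port."""
    counts = Counter((e.switch, e.port) for e in benign)
    return {port for port, n in counts.items() if n >= min_count}


# Constructed sample log: a phone, a printer (seen twice), an unknown device
# that fails both methods, a laptop that fails dot1x with no fallback, and one
# successful dot1x login that should be ignored entirely.
SAMPLE_LOG = [
    "100 switch=sw1 port=Gi1/0/5 mac=00:11:22:33:44:55 method=dot1x result=fail",
    "103 switch=sw1 port=Gi1/0/5 mac=00:11:22:33:44:55 method=mab result=pass",
    "200 switch=sw1 port=Gi1/0/9 mac=AA:BB:CC:DD:EE:FF method=dot1x result=fail",
    "202 switch=sw1 port=Gi1/0/9 mac=AA:BB:CC:DD:EE:FF method=mab result=pass",
    "300 switch=sw2 port=Gi1/0/1 mac=de:ad:be:ef:00:01 method=dot1x result=fail",
    "302 switch=sw2 port=Gi1/0/1 mac=de:ad:be:ef:00:01 method=mab result=fail",
    "400 switch=sw2 port=Gi1/0/2 mac=cc:cc:cc:cc:cc:01 method=dot1x result=fail",
    "500 switch=sw1 port=Gi1/0/7 mac=11:11:11:11:11:11 method=dot1x result=pass",
    "1000 switch=sw1 port=Gi1/0/9 mac=aa:bb:cc:dd:ee:ff method=dot1x result=fail",
    "1002 switch=sw1 port=Gi1/0/9 mac=aa:bb:cc:dd:ee:ff method=mab result=pass",
]

if __name__ == "__main__":
    benign, alerts = triage(parse(SAMPLE_LOG))
    print(f"suppressed {len(benign)} MAB-fallback failures, {len(alerts)} alerts remain")
    for e in alerts:
        print("ALERT", e)
    print("ports to consider MAB-first:", sorted(ports_for_mab_first(benign)))
```

The window and the "same switch, same port, same MAC" key are the important knobs: keying on MAC alone would also suppress a failure from a device that later authenticated somewhere else, and a long window hides a device that was actually rejected and only let in much later. Run the suppression as a tuning report first, so the network team can confirm each suppressed MAC really is a phone or printer before the rule goes live in the SIEM.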