When you ingest alerts, what is your process of handling them?
I’ve been in places that have had a strictly manual process, some that have had playbooks to guide analysts, etc
I’m surprised by how little automation happens in this space. Most of the resistance I’ve seen is the feeling that having an actual person create the event prevents errors and reduces noise.
Not only do I see an issue where SOCs don’t know what actually comprises an alert that’s worth their time, they often don’t even have the right data coming in. Some good thoughts on this from Specter Ops