Enhancing SOC Efficiency: Automated Attack Investigation to Combat Alert Fatigue

Primary supervisor

Mengmeng Ge

Research area

Cybersecurity

Security Operations Centres (SOCs) play a central role in organisational defence and are responsible for continuous monitoring, detecting, investigating and responding to cyber attacks. Organisations increasingly depend on security tools to flag suspicious activity. These tools generate alerts that analysts must examine to determine whether they represent real attacks or false positives. However, the volume of alerts continues to grow at a pace that far exceeds what human analysts can realistically review. In addition, false positives remain common, with benign behaviours frequently misclassified as malicious. The investigation work required to validate each alert also remains highly manual and mentally demanding. Together, these factors contribute to alert fatigue, a state in which analysts become overwhelmed, slower to respond, and more likely to overlook genuine indicators of compromise.

A range of methods has been explored to reduce false alerts, including provenance-based analysis and deep learning techniques. This project will systematically review existing work and explore the development and evaluation of automated approaches for alert validation and attack investigation, with the aim of reducing false positives and easing the workload on SOC analysts.

Required knowledge

  • Strong programming skills and experience with Python.
  • A solid understanding of core cybersecurity concepts.
  • Practical experience with machine learning methods.
  • Good problem-solving skills and the ability to conduct independent research.