Alert quality management in SIEM based on risk-oriented scoring and SOC feedback (alert quality management)

DOI: https://doi.org/10.18372/2225-5036.31.21161

Abstract

This paper proposes a methodology for managing alert quality in Security Information and Event Management (SIEM) systems based on risk-oriented scoring and a closed-loop feedback mechanism from the Security Operations Centre (SOC). The relevance of the study is driven by the overload of SOC analysts caused by excessive numbers of alerts, a large share of which have low analytical value and do not result in confirmed security incidents. Unlike approaches that primarily focus on improving event correlation or increasing detection accuracy, the proposed methodology treats an alert as a controllable operational object and formalizes its quality using an integral indicator, the Alert Quality Index (AQI). This indicator accounts for the alert’s usefulness for response, the time relevance of its processing, the level of alert duplication, and the consumption of SOC analytical resources. Alert risk scoring is adjusted by asset criticality, user roles, and the threat context, thereby aligning SIEM technical signals with the potential impact of incidents on the enterprise’s business processes. To mitigate alert flooding, deduplication mechanisms and alert stitching are applied to consolidate similar notifications into more informative cases using a similarity metric within a specified time window. SOC analyst decisions (TP, FP, BENIGN, TUNE) are used as a control signal for adaptive tuning of thresholds and parameters of SIEM rules. Experimental evaluation across a series of nominal and stress scenarios demonstrated a reduction in the false positive rate, shorter MTTD and MTTR, decreased SOC workload, and an increase in the average AQI, confirming the effectiveness of systematic alert flow management under real operational conditions.
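The abstract describes three mechanisms in prose only: context-adjusted risk scoring, stitching of similar alerts within a time window, and analyst verdicts (TP, FP, BENIGN, TUNE) fed back into rule thresholds. The following Python sketch is an added illustration of how those pieces fit together; it is not code from the paper, and the concrete weights, the Jaccard-style similarity over (rule, host, user), the 10-minute window and the fixed-step threshold adjustment are all assumptions chosen for the example, as are the constructed sample alerts.

```python
"""Illustrative alert stitching, context-weighted scoring and feedback tuning.

Added example; the formulas and weights below are assumptions, not the paper's."""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed context weights in [0, 1]: how critical an asset is, how privileged a role is.
ASSET_CRITICALITY = {"dc01": 1.0, "web01": 0.7, "wks-042": 0.3}
ROLE_WEIGHT = {"domain_admin": 1.0, "service": 0.6, "user": 0.4}


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    role: str
    ts: datetime
    base_score: float            # raw score emitted by the SIEM rule, 0..100
    merged: int = 1              # raw alerts folded into this case
    first_ts: Optional[datetime] = None  # start of the stitching window

    def __post_init__(self):
        if self.first_ts is None:
            self.first_ts = self.ts


def risk_score(a: Alert) -> float:
    """Scale the raw rule score by asset criticality and user role (assumed formula)."""
    asset = 0.5 + 0.5 * ASSET_CRITICALITY.get(a.host, 0.5)
    role = 0.5 + 0.5 * ROLE_WEIGHT.get(a.role, 0.5)
    return round(a.base_score * asset * role, 2)


def similarity(a: Alert, b: Alert) -> float:
    """Jaccard similarity over the (rule, host, user) triple; 1.0 means identical context."""
    fa = {("rule", a.rule), ("host", a.host), ("user", a.user)}
    fb = {("rule", b.rule), ("host", b.host), ("user", b.user)}
    return len(fa & fb) / len(fa | fb)


def stitch(alerts: List[Alert], window=timedelta(minutes=10), min_similarity=0.6) -> List[Alert]:
    """Fold each alert into an open case whose window it falls in and whose context matches."""
    cases: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for c in cases:
            if a.ts - c.first_ts <= window and similarity(a, c) >= min_similarity:
                c.merged += 1
                c.ts = a.ts                                  # last activity in the case
                c.base_score = max(c.base_score, a.base_score)
                break
        else:
            cases.append(replace(a))                         # open a new case
    return cases


class RuleTuner:
    """Per-rule alerting threshold moved by analyst verdicts (fixed step, clamped)."""

    def __init__(self, initial=40.0, step=2.0, lo=10.0, hi=90.0):
        self.step, self.lo, self.hi = step, lo, hi
        self.thresholds = defaultdict(lambda: initial)
        self.needs_review = set()                            # rules flagged TUNE

    def feedback(self, rule: str, verdict: str) -> float:
        t = self.thresholds[rule]
        if verdict == "TP":
            t -= self.step                                   # confirmed: be more sensitive
        elif verdict in ("FP", "BENIGN"):
            t += self.step                                   # noise: raise the bar
        elif verdict == "TUNE":
            self.needs_review.add(rule)                      # logic change needed, not a threshold
        else:
            raise ValueError(f"unknown verdict {verdict!r}")
        self.thresholds[rule] = min(self.hi, max(self.lo, t))
        return self.thresholds[rule]

    def should_alert(self, rule: str, score: float) -> bool:
        return score >= self.thresholds[rule]


def sample_alerts() -> List[Alert]:
    """Constructed sample: a burst on a domain controller, one workstation hit, one late repeat."""
    t0 = datetime(2025, 1, 1, 10, 0)
    mk = lambda m, host, user, role, s: Alert("brute_force", host, user, role, t0 + timedelta(minutes=m), s)
    return [mk(0, "dc01", "svc_backup", "service", 50), mk(3, "dc01", "svc_backup", "service", 50),
            mk(7, "dc01", "svc_backup", "service", 60), mk(8, "wks-042", "jdoe", "user", 50),
            mk(30, "dc01", "svc_backup", "service", 50)]


if __name__ == "__main__":
    tuner = RuleTuner()
    for c in stitch(sample_alerts()):
        print(c.host, c.merged, risk_score(c), tuner.should_alert(c.rule, risk_score(c)))
```

With these assumptions the five raw alerts collapse to three cases: the three DC hits within the window become one case (score 48.0, above the default 40 threshold), the workstation hit stays separate at 22.75, and the repeat at 10:30 opens a new case because the first window has expired. Feeding FP/BENIGN verdicts raises the rule's threshold two points at a time, TP lowers it, and TUNE leaves the threshold alone and queues the rule for logic review instead.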

Published

2025-12-25

How to Cite

Kostiuk, Y., Skladannyi, P., & Rzaeva, S. (2025). Alert quality management in SIEM based on risk-oriented scoring and SOC feedback (alert quality management). Ukrainian Scientific Journal of Information Security, 31(3), 151–163. https://doi.org/10.18372/2225-5036.31.21161

Section

Cybersecurity & Critical Information Infrastructure Protection (CIIP)