🐿️
-1

That time I realized my SIEM rules were too broad after a false positive flood last Tuesday

I caught a tip from a vendor webinar about tuning for specific port ranges instead of general traffic and it cut our alerts by 60% overnight, has anyone else had luck with narrowing their correlation rules that drastically?
2 comments

Log in to join the discussion

Log In
2 Comments
lee.cole
lee.cole2d ago
Cut mine down by about three quarters after I locked down SSH monitoring to just port 22 and our jump boxes.
6
jade47
jade473d ago
Honestly I used to think the whole "just tune your rules" thing was overhyped until I did what you're describing with port specific filtering. Last month I was drowning in alerts from a generic HTTP traffic rule that was catching all sorts of normal web browsing. After I locked it down to just the 443 and 8443 ports our security team actually monitors, my alert count dropped from like 200 a day to maybe 15. It felt too easy but it really worked.
-3