Reducing SOC Analysts Alert Fatigue via Real-Time CTI Correlation and Deduplication
摘要
Security Operations Centers (SOCs) grapple with analyst fatigue driven by over-whelming alert volumes and repetitive, low-value notifications. This work investigates whether verified Cyber Threat Intelligence (CTI) feeds can be leveraged, in real time, to suppress noise and surface genuine risk across a distributed Network Intrusion Detection System (NIDS) of Suricata sensors. We present a streaming methodology that (i) correlates each alert group with curated, verified CTI indicators (e.g., URL, Domains, IPv4, IPv6, SHA256, MD5 etc.) and (ii) deduplicates and groups recurrent, identical alerts across sensors within a configurable time window, to adjust triage priority. Suricata’s native severities (1–3, with 3 being lowest) are treated as an initial signal that can be dynamically recalibrated by CTI context, campaign prevalence, indicator freshness, and observed recurrence across sites. Using this approach, we demonstrate that the total number of alerts presented to analysts can be reduced to a small fraction of the baseline over the same interval—without sacrificing coverage—by suppressing groups with negative or stale CTI evidence and by collapsing duplicates. Conversely, we show that alerts initially labeled with severity 3 can warrant promotion when corroborated by high-confidence CTI (e.g., active infrastructure, recent sightings, or linkage to ongoing campaigns), thereby preventing critical misses hidden among “low” severity events. The results suggest that real-time CTI correlation paired with alert grouping meaningfully lowers cognitive load, improves prioritization fidelity, and provides a principled path to balancing recall and workload in production SOCs.