Day 13 – SIEM Tuning, False Positives & Noise Reduction (SOC-Level Skills)

Today students learn how to make SIEM alerts accurate, clean, and useful.

Most beginners think SOC work = detecting attacks.
But in a real SOC:

  • 80% of alerts are noise
  • 20% are useful
  • Tuning SIEM = REDUCE noise

If SIEM is not tuned → analysts get hundreds of useless alerts → burnout.


🧠 1. What Are False Positives? (Simple Explanation)

False Positive = SIEM shows an alert but no real attack happened.

Example:

  • User typed wrong password → SIEM shows brute force
  • Admin created a new user → SIEM shows persistence
  • Normal PowerShell command → SIEM shows malware alert

SOC must reduce false positives so analysts don’t waste time chasing them.


🔥 2. What Causes SIEM Noise?

✔ Misconfigured rules

✔ Overly sensitive thresholds

✔ Normal user behavior triggering alerts

✔ Monitoring too many logs

✔ Duplicate data

✔ Missing whitelists


🛠 3. What Is SIEM Tuning? (Easy Explanation)

SIEM tuning = adjusting the SIEM so it shows useful alerts only.

SOC does this by:

  • Whitelisting trusted IPs
  • Increasing thresholds
  • Removing duplicate alerts
  • Filtering noise
  • Narrowing the search
  • Reducing unnecessary log sources

🔧 4. Tuning Techniques (Beginner-Friendly)

✔ Technique 1 — Whitelisting

Don’t alert on:

  • Company internal IPs
  • IT admin accounts
  • Known servers

Example:

| search NOT IpAddress="10.0.0.0/8"


✔ Technique 2 — Threshold Tuning

Too many alerts from ordinary login failures? Raise the threshold so only repeated failures alert.

Before:

| where count > 2

After:

| where count > 6


✔ Technique 3 — Noise Filtering

Ignore “normal” behavior.

Example:

| search NOT (user="backup" OR user="scanner")


✔ Technique 4 — Reducing Log Volume

Unnecessary logs → remove:

  • Debug logs
  • Application info logs
  • Old logs

✔ Technique 5 — Tuning Based on Behavior

If a genuine admin uses PowerShell:

Whitelist:

| search NOT user=admin


📊 5. Real SIEM Tuning Example (Beginner-Friendly)

Before Tuning

index=* fail | stats count by user

Too many alerts because normal users mistype passwords.

After Tuning

index=* fail 
| search NOT user IN ("backup", "printer1", "scanner")
| stats count by user
| where count > 5

Now real brute force stands out.
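The Section 5 before/after tuning (and the IP whitelist from Technique 1), replayed as plain Python over a constructed set of failed-logon records so the noise reduction can be measured. This is an added example, not code from the original post; the sample events, the count of 5 and the internal range 10.0.0.0/8 follow the post, and the account names are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: (user, source IP) for each failed logon in one time window.
FAILED_LOGONS = (
    [("alice", "10.0.1.5")] * 2           # normal user mistyped password
    + [("bob", "10.0.2.9")] * 3
    + [("backup", "10.0.0.20")] * 12      # service account, noisy but expected
    + [("scanner", "10.0.0.30")] * 40     # vulnerability scanner
    + [("printer1", "10.0.0.40")] * 8
    + [("svc_web", "203.0.113.7")] * 25   # one external source hammering one account
)

WHITELISTED_USERS = {"backup", "printer1", "scanner"}   # from the post's tuned query
INTERNAL_NET = ip_network("10.0.0.0/8")                 # assumption: company range
THRESHOLD = 5                                           # "where count > 5"


def untuned_alerts(events):
    """Before tuning: index=* fail | stats count by user. Every user alerts."""
    return dict(Counter(user for user, _ in events))


def tuned_alerts(events, whitelist=WHITELISTED_USERS, threshold=THRESHOLD):
    """After tuning: drop whitelisted users, count by user, keep count > threshold."""
    counts = Counter(user for user, _ in events if user not in whitelist)
    return {user: n for user, n in counts.items() if n > threshold}


def tuned_alerts_by_source(events, internal=INTERNAL_NET, threshold=THRESHOLD):
    """Technique 1 variant: whitelist internal IPs instead of accounts, count by IP.
    Trade-off: an attack from a whitelisted account is still seen if it comes from
    outside, but internal sources are no longer counted at all."""
    counts = Counter(ip for _, ip in events if ip_address(ip) not in internal)
    return {ip: n for ip, n in counts.items() if n > threshold}


def noise_reduction(events):
    """Return (alerts before, alerts after, percent reduced) for the user-based tuning."""
    before = len(untuned_alerts(events))
    after = len(tuned_alerts(events))
    return before, after, round(100 * (before - after) / before)


if __name__ == "__main__":
    print("before:", untuned_alerts(FAILED_LOGONS))
    print("after:", tuned_alerts(FAILED_LOGONS))
    print("by source:", tuned_alerts_by_source(FAILED_LOGONS))
    print("reduction:", noise_reduction(FAILED_LOGONS))
```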


🔍 6. Reducing Alerts Using MITRE

MITRE categories help reduce noise:

  • If a technique rarely happens → alert
  • If a technique happens daily → whitelist or tune

Example:

T1136 Create Account
If your company rarely adds new users → high-priority alert.


🧪 7. Hands-On Lab for Students

Task 1 — Tune a Brute-force Query

Original:

index=* fail

Tuned:

index=* fail
| search NOT user=admin
| stats count by IpAddress
| where count > 5


Task 2 — Tune RDP Alert

Original:

index=* EventCode=4624 Logon_Type=10

Tuned:

index=* EventCode=4624 Logon_Type=10
| search NOT IpAddress="192.168.1.10"


Task 3 — Reduce PowerShell Noise

Original:

index=* powershell

Tuned:

index=* powershell 
| search "EncodedCommand"


🎤 Trainer Script

Say this:

“Anyone can create alerts.
A real SOC analyst knows how to tune alerts.
Tuning reduces 80% noise and focuses on real attacks.”


📝 Homework for Day 13

Students submit:

  1. One original query
  2. Their tuned version
  3. Explanation of how they reduced false positives
  4. MITRE mapping
