{"id":367,"date":"2025-10-23T09:15:55","date_gmt":"2025-10-23T09:15:55","guid":{"rendered":"https:\/\/logsmith.io\/?p=367"},"modified":"2025-10-23T09:15:56","modified_gmt":"2025-10-23T09:15:56","slug":"the-cost-of-crying-wolf","status":"publish","type":"post","link":"https:\/\/logsmith.io\/index.php\/2025\/10\/23\/the-cost-of-crying-wolf\/","title":{"rendered":"The Cost of Crying Wolf: Why False Positives Are Killing Your SOC"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Introduction<\/strong><\/p>\n\n\n\n<p>It\u2019s not the alerts you miss that break a SOC \u2014 it\u2019s the <em>thousands you never should have seen in the first place.<\/em><\/p>\n\n\n\n<p>False positives eat up analyst time, erode trust in the tooling, and slowly kill detection strategies from the inside out.<\/p>\n\n\n\n<p>The worst part? Most of them are entirely avoidable.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>How False Positives Happen<\/strong><\/p>\n\n\n\n<p>Let\u2019s call it out: false positives usually come from rushed or misaligned detection logic \u2014 rules built without:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Asset awareness<\/li>\n\n\n\n<li>Suppression logic<\/li>\n\n\n\n<li>Realistic thresholds<\/li>\n\n\n\n<li>Contextual enrichment<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<p>We\u2019ve all seen it:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<ul class=\"wp-block-list\">\n<li>A \u201csuspicious login\u201d from a known admin<\/li>\n\n\n\n<li>A \u201ccritical vulnerability\u201d alert\u2026 from a printer<\/li>\n\n\n\n<li>A \u201clateral movement\u201d detection on an air-gapped box<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<p>Every one of these eats up analyst minutes \u2014 and multiplies across a noisy 
system.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>The Real Impact<\/strong><\/p>\n\n\n\n<p>\ud83d\udd25 Burnout<br>\ud83e\udd16 Automation mistrust<br>\ud83d\udcc9 Leadership loses confidence<\/p>\n\n\n\n<p>Analysts <em>stop investigating real alerts<\/em> because they&#8217;ve been trained to ignore the console. That\u2019s how breaches go undetected.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Fixes That Work<\/strong><\/p>\n\n\n\n<p>\u2705 Suppression based on historical patterns<br>\u2705 Logic that says <em>\u201conly trigger if X + Y + Z\u201d<\/em><br>\u2705 External context: identity, business role, asset criticality<br>\u2705 Use of <strong>macros<\/strong> to keep filters for known-noisy indexes and sourcetypes in one place, so an exclusion is maintained once instead of being copied into every rule<br>\u2705 Detection-as-code processes that allow version control and review<\/p>\n<\/blockquote>\n\n\n\n<p>Start simple: audit your <strong>Top 10 Noisiest Rules<\/strong>.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>If they\u2019ve never resulted in escalation or meaningful triage in the last 30 days \u2014 fix them, or kill them.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Final Word<\/strong><\/p>\n\n\n\n<p>False positives are expensive. They waste time. 
They dull sharp teams.<\/p>\n\n\n\n<p>A good detection engineer doesn\u2019t just <em>write new rules<\/em>.<br>They <strong>ruthlessly cut the ones that shouldn\u2019t exist.<\/strong><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Introduction It\u2019s not the alerts you miss that break a SOC \u2014 it\u2019s the thousands you never should have seen&#8230; <\/p>\n<div class=\"art-el-more\"><a href=\"https:\/\/logsmith.io\/index.php\/2025\/10\/23\/the-cost-of-crying-wolf\/\" class=\"art-link art-color-link art-w-chevron\">Read more<\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"iawp_total_views":28,"footnotes":""},"categories":[27],"tags":[29,30,36,31],"class_list":["post-367","post","type-post","status-publish","format-standard","hentry","category-insights","tag-alert-fatigue","tag-detection-engineering","tag-insight","tag-splunk-es"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/comments?post=367"}],"version-history":[{"count":1,"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/posts\/367\/revisions"}],"predecessor-version":[{"id":368,"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/posts\/367\/revisions\/368"}],"wp:attachment":[{"href":"https:\
/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/media?parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/categories?post=367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/logsmith.io\/index.php\/wp-json\/wp\/v2\/tags?post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
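Worked example, added here and not part of the original post or its author's tooling: the two fixes the post describes in prose, an "only trigger if X + Y + Z" gate that uses asset criticality and identity context (so the known-admin login, the printer vulnerability and the air-gapped lateral-movement notable never reach an analyst), and the "Top 10 noisiest rules, zero escalations in 30 days, fix or kill" audit. In Splunk ES both would normally be a search over the notable index joined to a lookup; here plain Python over an in-memory list stands in so it runs offline. Every rule name, host, user, the notable field layout, and the ASSETS and KNOWN_ADMINS tables are constructed for illustration and are not from the post.

```python
"""Added example, not from the original post: a context-gated trigger and a
30-day detection-noise audit over constructed notable events.

Assumptions (hypothetical, chosen for illustration): a notable is a dict with
rule, src_user, dest_host, ts (ISO 8601, UTC) and escalated (bool). ASSETS and
KNOWN_ADMINS stand in for a CMDB lookup and an identity source.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed enrichment data (stand-ins for CMDB / identity lookups).
ASSETS = {
    "dc01": {"criticality": "high", "class": "server"},
    "fin-db": {"criticality": "high", "class": "server"},
    "print-3f": {"criticality": "low", "class": "printer"},
    "lab-iso-7": {"criticality": "low", "class": "air-gapped"},
}
KNOWN_ADMINS = {"jsmith"}


def gate_alert(event, assets=ASSETS, admins=KNOWN_ADMINS):
    """Return (fire, reason) for an "only trigger if X + Y + Z" rule.

    Conditions: the asset class is one the detection applies to (no
    lateral-movement notables for air-gapped kit, no vulnerability notables
    for printers), the actor is not a known admin for login rules, and the
    asset is not low criticality. An asset missing from the lookup is NOT
    suppressed: unenriched targets fail open so a CMDB gap cannot hide an
    intrusion.
    """
    asset = assets.get(event["dest_host"], {"criticality": "unknown", "class": "unknown"})
    if asset["class"] in ("printer", "air-gapped"):
        return False, f"asset class {asset['class']} out of scope for {event['rule']}"
    if event["rule"] == "suspicious_login" and event["src_user"] in admins:
        return False, "known admin, expected activity"
    if asset["criticality"] == "low":
        return False, "low-criticality asset"
    if asset["criticality"] == "unknown":
        return True, "unenriched asset, failing open"
    return True, "all conditions met"


def audit_noisiest_rules(events, now, window_days=30, top_n=10):
    """Rank rules by notable volume inside the window and flag any rule with
    zero escalations in that window as a fix-or-kill candidate."""
    cutoff = now - timedelta(days=window_days)
    volume = defaultdict(int)
    escalated = defaultdict(int)
    for e in events:
        if datetime.fromisoformat(e["ts"]) < cutoff:
            continue  # older than the window: does not count either way
        volume[e["rule"]] += 1
        if e["escalated"]:
            escalated[e["rule"]] += 1
    ranked = sorted(volume, key=lambda r: (-volume[r], r))[:top_n]
    return [
        {
            "rule": r,
            "volume": volume[r],
            "escalated": escalated[r],
            "escalation_rate": escalated[r] / volume[r],
            "verdict": "fix or kill" if escalated[r] == 0 else "keep",
        }
        for r in ranked
    ]


# Constructed notable events. The last one is an escalation 45 days old, so it
# must not rescue suspicious_login in a 30-day audit.
NOW = datetime(2025, 10, 23, 9, 0, tzinfo=timezone.utc)


def _ev(rule, user, host, days_ago, escalated=False):
    return {"rule": rule, "src_user": user, "dest_host": host,
            "ts": (NOW - timedelta(days=days_ago)).isoformat(), "escalated": escalated}


EVENTS = (
    [_ev("suspicious_login", "jsmith", "dc01", d) for d in range(1, 21)]
    + [_ev("critical_vuln", "scanner", "print-3f", d) for d in range(1, 16)]
    + [_ev("lateral_movement", "svc-backup", "lab-iso-7", d) for d in range(1, 9)]
    + [_ev("credential_dump", "attacker", "fin-db", 2, escalated=True),
       _ev("credential_dump", "bob", "fin-db", 5)]
    + [_ev("suspicious_login", "mallory", "dc01", 45, escalated=True)]
)

if __name__ == "__main__":
    for row in audit_noisiest_rules(EVENTS, NOW):
        print(f"{row['rule']:<18} vol={row['volume']:>3} esc={row['escalated']} "
              f"rate={row['escalation_rate']:.2f}  {row['verdict']}")
    for e in (EVENTS[0], EVENTS[20], EVENTS[35], EVENTS[43]):
        print(e["rule"], e["dest_host"], gate_alert(e))
```

Run stand-alone it prints the three noisy rules with zero in-window escalations as "fix or kill" and credential_dump as "keep", then shows the gate suppressing the admin login, the printer vulnerability and the air-gapped lateral-movement notable while letting the credential-dump notable on fin-db through. The fail-open branch for unenriched assets is deliberate: suppression that depends on a lookup must not silently widen when the lookup is incomplete.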