In place of in-house solutions, organizations are increasingly moving towards managed services for cyber defense. Security Operations Centers (SOCs) are specialized cybersecurity units responsible for the defense of an organization, but the large-scale centralization of threat detection is causing SOCs to endure an overwhelming volume of false-positive alerts, a phenomenon known as alert fatigue. Large collections of imprecise sensors, an inability to adapt to known false positives, evolution of the threat landscape, and inefficient use of analyst time all contribute to the alert fatigue problem. To combat these issues, we present That Escalated Quickly (TEQ), a machine learning framework that reduces alert fatigue with minimal changes to SOC workflows by predicting alert-level and incident-level actionability. On real-world data, the system reduces the time it takes to respond to actionable incidents by $22.9\%$, suppresses $54\%$ of false positives while retaining a $95.1\%$ detection rate, and reduces the number of alerts an analyst needs to investigate within individual incidents by $14\%$.
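The three headline numbers in the abstract (false positives suppressed, detection rate retained, alerts remaining per incident) all come from choosing one operating threshold on an actionability score and measuring what survives it. The block below is an added illustration of that evaluation, not TEQ's code: the scores, labels and incident groupings are constructed sample data, and the classifier that would produce the scores is assumed to exist elsewhere. It picks the threshold that keeps detection at or above a target, then reports the false-positive suppression and the per-incident review load at that threshold.

```python
"""Added example (not from the TEQ paper): threshold selection and
suppression/detection metrics over per-alert actionability scores.
All alert data below is constructed for illustration."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    incident_id: str
    score: float      # assumed classifier output: P(alert is actionable)
    actionable: bool  # analyst ground truth from the closed ticket


# Constructed sample: 5 actionable and 10 non-actionable alerts across 3 incidents.
ALERTS: List[Alert] = [
    Alert("a1", "inc-1", 0.95, True),
    Alert("a2", "inc-1", 0.90, True),
    Alert("n1", "inc-1", 0.82, False),
    Alert("n2", "inc-1", 0.40, False),
    Alert("n3", "inc-1", 0.20, False),
    Alert("a3", "inc-2", 0.85, True),
    Alert("a4", "inc-2", 0.80, True),
    Alert("n4", "inc-2", 0.70, False),
    Alert("n5", "inc-2", 0.55, False),
    Alert("a5", "inc-3", 0.60, True),
    Alert("n6", "inc-3", 0.50, False),
    Alert("n7", "inc-3", 0.35, False),
    Alert("n8", "inc-3", 0.30, False),
    Alert("n9", "inc-3", 0.15, False),
    Alert("n10", "inc-3", 0.10, False),
]


def choose_threshold(alerts: List[Alert], target_detection_rate: float) -> float:
    """Highest score threshold t such that at least target_detection_rate of the
    actionable alerts have score >= t. Alerts with score >= t are escalated."""
    positives = sorted((a.score for a in alerts if a.actionable), reverse=True)
    if not positives:
        raise ValueError("no actionable alerts in the labelled set")
    # Small epsilon guards against 0.8 * 5 evaluating to 4.0000000001 -> ceil 5.
    needed = max(1, math.ceil(target_detection_rate * len(positives) - 1e-9))
    return positives[needed - 1]


def detection_rate(alerts: List[Alert], threshold: float) -> float:
    """Fraction of actionable alerts that are escalated (score >= threshold)."""
    positives = [a for a in alerts if a.actionable]
    return sum(a.score >= threshold for a in positives) / len(positives)


def suppression_rate(alerts: List[Alert], threshold: float) -> float:
    """Fraction of non-actionable alerts that are suppressed (score < threshold)."""
    negatives = [a for a in alerts if not a.actionable]
    return sum(a.score < threshold for a in negatives) / len(negatives)


def review_load(alerts: List[Alert], threshold: float) -> Tuple[int, int]:
    """(alerts an analyst still has to look at, alerts before suppression)."""
    surviving = sum(a.score >= threshold for a in alerts)
    return surviving, len(alerts)


def incident_survivors(alerts: List[Alert], threshold: float) -> Dict[str, int]:
    """Per incident, how many alerts remain after suppression. Incidents whose
    every alert was suppressed (a missed actionable incident, if any alert was
    actionable) show up with a count of 0."""
    counts: Dict[str, int] = {a.incident_id: 0 for a in alerts}
    for a in alerts:
        if a.score >= threshold:
            counts[a.incident_id] += 1
    return counts


if __name__ == "__main__":
    for target in (0.8, 1.0):
        t = choose_threshold(ALERTS, target)
        kept, total = review_load(ALERTS, t)
        print(f"target detection {target:.0%}: threshold={t:.2f} "
              f"detection={detection_rate(ALERTS, t):.1%} "
              f"suppression={suppression_rate(ALERTS, t):.1%} "
              f"review load={kept}/{total} per-incident={incident_survivors(ALERTS, t)}")
```

The tradeoff the abstract reports is visible in the sample: relaxing the detection target from 100% to 80% raises the threshold and suppresses more noise, but at the cost of losing every alert of the lowest-scoring incident, which is why an operator tunes the threshold against incident-level, not only alert-level, detection.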