In place of in-house solutions, organizations are increasingly moving towards managed services for cyber defense. Security Operations Centers (SOCs) are specialized cybersecurity units responsible for the defense of an organization, but the large-scale centralization of threat detection is causing SOCs to endure an overwhelming amount of false positive alerts -- a phenomenon known as alert fatigue. Large collections of imprecise sensors, an inability to adapt to known false positives, evolution of the threat landscape, and inefficient use of analyst time all contribute to the alert fatigue problem. To combat these issues, we present That Escalated Quickly (TEQ), a machine learning framework that reduces alert fatigue with minimal changes to SOC workflows by predicting alert-level and incident-level actionability. On real-world data, the system is able to reduce the time it takes to respond to actionable incidents by $22.9\%$, suppress $54\%$ of false positives with a $95.1\%$ detection rate, and reduce the number of alerts an analyst needs to investigate within individual incidents by $14\%$.
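As an added illustration that is not part of the paper, the following Python shows how the two quantities reported above fit together: a suppression threshold on alert-level actionability scores is chosen to hold a target detection rate, and incidents are re-queued by their best alert score so actionable ones are reached sooner. The scores, labels and incident queue are constructed sample data, and the function names are this example's own, not TEQ's API.

```python
import math

# Constructed sample alerts: (predicted actionability score, True if actionable).
SAMPLE_ALERTS = [
    (0.95, True), (0.88, True), (0.81, True), (0.74, True), (0.66, True),
    (0.61, True), (0.55, True), (0.49, True), (0.42, True), (0.20, True),
    (0.70, False), (0.58, False), (0.45, False), (0.39, False), (0.33, False),
    (0.28, False), (0.22, False), (0.15, False), (0.09, False), (0.04, False),
]

# Constructed incident queue in arrival order: (id, highest alert score, actionable?).
SAMPLE_INCIDENTS = [
    ("inc-1", 0.30, False), ("inc-2", 0.12, False), ("inc-3", 0.91, True),
    ("inc-4", 0.44, False), ("inc-5", 0.77, True),
]


def choose_threshold(alerts, target_detection):
    """Lowest score threshold that still escalates at least `target_detection`
    of the actionable alerts (an alert is escalated when score >= threshold)."""
    actionable = sorted(score for score, label in alerts if label)
    if not actionable:
        raise ValueError("no actionable alerts to calibrate on")
    # How many actionable alerts may fall below the threshold; the small epsilon
    # keeps float noise (e.g. 10 * 0.1 -> 0.999...) from rounding a miss away.
    allowed_misses = math.floor(len(actionable) * (1 - target_detection) + 1e-9)
    return actionable[allowed_misses]


def evaluate(alerts, threshold):
    """Detection rate over actionable alerts and suppression rate over false positives."""
    tp = sum(1 for s, y in alerts if y and s >= threshold)
    fn = sum(1 for s, y in alerts if y and s < threshold)
    tn = sum(1 for s, y in alerts if not y and s < threshold)
    fp = sum(1 for s, y in alerts if not y and s >= threshold)
    return {"detection_rate": tp / (tp + fn), "suppression_rate": tn / (tn + fp)}


def mean_actionable_position(incidents, ranked):
    """Average queue position of actionable incidents, either first-in-first-out
    or ranked by highest alert score; a lower value means faster response."""
    order = sorted(incidents, key=lambda inc: -inc[1]) if ranked else list(incidents)
    positions = [idx + 1 for idx, inc in enumerate(order) if inc[2]]
    return sum(positions) / len(positions)


if __name__ == "__main__":
    thr = choose_threshold(SAMPLE_ALERTS, 0.9)
    print("threshold", thr, evaluate(SAMPLE_ALERTS, thr))
    print("FIFO", mean_actionable_position(SAMPLE_INCIDENTS, ranked=False),
          "ranked", mean_actionable_position(SAMPLE_INCIDENTS, ranked=True))
```

Raising the target detection rate lowers the threshold and gives up suppression, which is the trade-off behind reporting suppression and detection rate as a pair.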