Network and system anomalies are monitored and alerted on
Collecting logs is necessary but not sufficient. Attackers who dwell in environments for weeks or months are only discovered when someone is actively looking for anomalies in the data. Automated detection rules and alerts surface suspicious behavior that would never be caught by manual log review. The goal is not zero false positives; it is ensuring that real attacks generate an alert fast enough to limit damage.
Implementation steps

1. Enable detection rules for high-priority threat scenarios
Start with detection rules for the highest-impact scenarios: impossible travel (login from two geographically distant locations within minutes), login outside business hours from new locations, bulk file downloads or exports, credential stuffing (many failed logins followed by a success), and lateral movement patterns. Most SIEM and identity platforms provide built-in detection rules; tune them to reduce false positives.
Tools: splunk, microsoft-sentinel, elastic-siem, datadog, okta

2. Configure alerts to route to the on-call security responder
Route high-severity alerts to your security on-call via PagerDuty or a similar tool. Medium-severity alerts can go to a Slack channel or email. Set escalation paths so that if an alert is not acknowledged within 30 minutes it pages the backup. Avoid alert fatigue by tuning rules regularly: an alert that pages every hour and is always a false positive will be ignored.
Tools: pagerduty, opsgenie, slack, microsoft-teams, victorops

3. Review and tune detections monthly based on alert volume and quality
Track the ratio of true positives to false positives for each detection rule. Suppress or tune rules with high false positive rates. Add new rules when new threat intelligence suggests your current coverage has gaps. Document all tuning decisions so you understand what is and is not being detected. Aim to continuously improve signal quality, not just increase alert volume.
Tools: splunk, elastic, datadog, microsoft-sentinel, confluence
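Two of the scenarios named in step 1, impossible travel and credential stuffing, expressed as detection logic over a constructed batch of login events. This is an added illustration, not code from the page or from any of the SIEM products listed; the event fields, the 900 km/h speed threshold and the ten-failures-in-five-minutes threshold are assumptions that a real rule would tune per step 3.

```python
from collections import namedtuple
from math import radians, sin, cos, asin, sqrt

# ts = epoch seconds; lat/lon = geolocation of the source IP (assumed field set)
LoginEvent = namedtuple("LoginEvent", "ts user success lat lon")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_impossible_travel(events, max_kmh=900):
    """Alert when two successful logins by one user imply travel faster than max_kmh."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts) / 3600
            if km > max_kmh * hours:  # also fires when hours == 0 and km > 0
                alerts.append(("impossible_travel", e.user, e.ts))
        last[e.user] = e
    return alerts

def detect_credential_stuffing(events, min_failures=10, window_s=300):
    """Alert on a success preceded by >= min_failures failures within window_s."""
    alerts, failures = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        hist = failures.setdefault(e.user, [])
        hist[:] = [t for t in hist if e.ts - t <= window_s]  # drop stale failures
        if e.success:
            if len(hist) >= min_failures:
                alerts.append(("credential_stuffing", e.user, e.ts))
            hist.clear()
        else:
            hist.append(e.ts)
    return alerts

# Constructed sample events (not real logs): alice London -> New York 10 min apart; carol the same 10 h apart; bob 12 failures then a success.
SAMPLE = [LoginEvent(0, "alice", True, 51.5, -0.12), LoginEvent(600, "alice", True, 40.7, -74.0),
          LoginEvent(0, "carol", True, 51.5, -0.12), LoginEvent(36000, "carol", True, 40.7, -74.0)]
SAMPLE += [LoginEvent(1000 + i, "bob", False, 48.9, 2.35) for i in range(12)]
SAMPLE.append(LoginEvent(1012, "bob", True, 48.9, 2.35))

if __name__ == "__main__":
    print(detect_impossible_travel(SAMPLE) + detect_credential_stuffing(SAMPLE))
```

Only alice and bob produce alerts; carol's ten-hour gap is consistent with a flight, which is the kind of boundary the monthly tuning in step 3 adjusts.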
Evidence required
Detection rules and alert response records
Evidence that detection rules are active and that alerts are being responded to.
- SIEM rule list showing active detections with last-modified dates
- Alert log showing recent true positive detections and response actions
- On-call schedule with escalation configuration in PagerDuty or equivalent
Related controls
- Security logs are collected centrally and retained for investigation (Response and Recovery)
- An incident response plan is documented and maintained (Response and Recovery)
- Incident response roles and contacts are designated and current (Response and Recovery)
- Security incidents are reported to CISA when applicable (Response and Recovery)