13.11
IG3

Tune Security Event Alerting Thresholds

Asset Type: Network
Security Function: Detect

Description

Tune security event alerting thresholds monthly, or more frequently.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Critical Alert Buried in Excessive False Positives

Confidentiality

A genuine advanced persistent threat alert is lost among thousands of false positive alerts because alerting thresholds have not been tuned, causing analysts to ignore or deprioritize the true positive.

Attacker Evades Detection by Operating Below Static Thresholds

Confidentiality

An attacker deliberately operates just below default detection thresholds that have never been adjusted, successfully exfiltrating data in small increments that never trigger volume-based alerts.

SOC Analyst Burnout Leading to Missed Incidents

Availability

Untuned alerting generates excessive noise that overwhelms security operations staff, causing reduced investigation quality and slower response times when real incidents occur.

Vulnerabilities (When Safeguard Absent)

Static and Unoptimized Alert Thresholds

Without regular threshold tuning, alerting rules remain at default or outdated settings that generate excessive false positives while potentially missing true threats that fall below detection levels.

No Feedback Loop Between Incident Analysis and Detection Rules

Absence of monthly threshold reviews means lessons learned from past incidents and environmental changes are never incorporated into alerting rules, degrading detection effectiveness over time.
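The implementation checklist above and the first two threat scenarios (a true positive buried in false positives; low-and-slow exfiltration kept just under a static volume threshold) can be exercised with a small tuning review. The Python below is an added example and is not part of this CIS safeguard page or of any CIS tooling; the rule names, host names, thresholds, analyst dispositions and egress telemetry are all constructed for illustration. Part 1 is the monthly feedback loop: it computes per-rule precision from a month of analyst dispositions and flags high-volume, low-precision rules as tuning candidates. Part 2 replays the same egress data through a default single-hour threshold and a tuned rolling-window threshold to show which host each one alerts on.

```python
"""Monthly alert-threshold tuning review (added example; all data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# --- Part 1: feedback loop from analyst dispositions ------------------------
# Constructed sample: last month's alerts with the analyst's verdict,
# (rule_name, "tp" | "fp"). Rule names are hypothetical.
MONTHLY_DISPOSITIONS = (
    [("suspicious_login_geo", "fp")] * 180 + [("suspicious_login_geo", "tp")] * 2
    + [("outbound_volume_gt_500mb", "fp")] * 40 + [("outbound_volume_gt_500mb", "tp")] * 1
    + [("lsass_access", "fp")] * 3 + [("lsass_access", "tp")] * 4
    + [("new_admin_account", "fp")] * 6
)


def rule_stats(dispositions):
    """Per-rule alert total, true positives and precision (tp / total)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rule, verdict in dispositions:
        counts[rule][verdict] += 1
    stats = {}
    for rule, c in counts.items():
        total = c["tp"] + c["fp"]
        stats[rule] = {"total": total, "tp": c["tp"], "precision": c["tp"] / total}
    return stats


def tuning_candidates(stats, min_alerts=20, min_precision=0.10):
    """Rules noisy enough to bury a real alert: high volume and low precision.
    Rare rules are left alone; a handful of FPs on a quiet rule is not noise."""
    return sorted(rule for rule, s in stats.items()
                  if s["total"] >= min_alerts and s["precision"] < min_precision)


# --- Part 2: static hourly threshold vs. rolling-window threshold -----------
# Constructed sample egress telemetry: (host, hour_start, bytes_out).
# ws-007 is a normal workstation with one legitimate 600 MB upload at 09:00;
# ws-042 sends 400 MB every hour, just under the default 500 MB/hour threshold.
T0 = datetime(2024, 3, 4, 0, 0)
EGRESS = (
    [("ws-007", T0 + timedelta(hours=h), 50 * MB) for h in range(24)]
    + [("ws-042", T0 + timedelta(hours=h), 400 * MB) for h in range(24)]
    + [("ws-007", T0 + timedelta(hours=9), 600 * MB)]
)


def static_hourly_alerts(events, threshold):
    """Default rule: alert when any single (host, hour) bucket exceeds threshold."""
    buckets = defaultdict(int)
    for host, ts, nbytes in events:
        buckets[(host, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return sorted({host for (host, _), total in buckets.items() if total > threshold})


def rolling_window_alerts(events, threshold, window=timedelta(hours=24)):
    """Tuned rule: alert when a host's cumulative egress inside any sliding
    window of length `window` exceeds threshold, catching low-and-slow exfil."""
    per_host = defaultdict(list)
    for host, ts, nbytes in events:
        per_host[host].append((ts, nbytes))
    alerted = set()
    for host, evs in per_host.items():
        evs.sort()
        total, start = 0, 0
        for ts, nbytes in evs:
            total += nbytes
            while evs[start][0] <= ts - window:  # drop events that fell out of the window
                total -= evs[start][1]
                start += 1
            if total > threshold:
                alerted.add(host)
                break
    return sorted(alerted)


if __name__ == "__main__":
    stats = rule_stats(MONTHLY_DISPOSITIONS)
    for rule, s in sorted(stats.items()):
        print(f"{rule:28s} alerts={s['total']:4d} precision={s['precision']:.3f}")
    print("tune next:", tuning_candidates(stats))
    print("static 500 MB/hour alerts on:", static_hourly_alerts(EGRESS, 500 * MB))
    print("rolling 2 GB/24h alerts on:  ", rolling_window_alerts(EGRESS, 2048 * MB))
```

On this data the static rule fires only on ws-007's legitimate upload and never on the exfiltrating ws-042, while the rolling-window rule fires only on ws-042. The thresholds (20 alerts, 10% precision, 2 GB per 24 h) are starting points for the monthly review, not fixed values; the point of the safeguard is that they are revisited against the previous month's dispositions.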

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly
Technical | Sample alert/detection output demonstrating capability                   | Captured quarterly
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually