# How to Help SOC Analysts Fight 'Alert Fatigue'

By [Mark Brozek](https://www.paloaltonetworks.com/blog/author/mark-brozek/?ts=markdown "Posts by Mark Brozek"), Jul 22, 2019, 4 minutes

[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) | [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown) | [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown) | [MITRE ATT&CK evaluation](https://www.paloaltonetworks.com/blog/tag/mitre-attck-evaluation/?ts=markdown)
Palo Alto Networks survey data shows that SOC analysts are only able to handle 14% of the alerts generated by security tools. When you consider IDC data showing that most alerts are false positives,[^1] the results are predictable: **Alerts get ignored, analysts waste time chasing false leads, and actual threats get missed.**

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Mitre-blog-illustration-01-1.png)

Beyond initial prevention, most security tools are designed to perform one key function: create and respond to alerts. Servers create alerts. Routers create alerts. Firewalls create alerts. Antivirus tools create alerts. Security teams will often set up alert-only policies, rather than block policies, for potentially risky processes the business uses regularly. The hopeful assumption is that analysts will review those alerts and catch any suspicious behavior. But this strategy falls apart quickly when analysts start to receive thousands of low-fidelity alerts per day. Worse, these alerts come from siloed security tools that provide little to no context about what is actually going on.

## Alert fatigue reduction checklist

If we eliminate alert-generating sensors and systems, we create security blind spots, yet too much information is as bad as no information at all.
We need to use technology in smarter ways to help solve problems without creating new ones. **We still need alerts, but we need more accurate alerts.** This means embracing the following concepts when considering your tools and processes:

### 1. Automation

First, organizations can greatly improve their alert triage process using automation. Palo Alto Networks believes that all Tier 1 (alert triage) security operations can and should be automated using SOAR technologies, which use predefined playbooks to automate response actions. For alert triage, these actions include analyzing an alert, updating a case if it is a known issue, opening a case if it is not, and then triaging the severity of the alert before sending it to an analyst. Automating this process greatly reduces the number of alerts analysts must respond to, allowing them to spend their valuable time investigating issues rather than staring at logs.

### 2. Data stitching

Secondly, security teams must start prioritizing integrated tools over siloed ones if they want to improve visibility. If you have seven different tools, each looking at a specific slice of your security infrastructure without talking to the others, the tools cannot provide the context that helps with threat hunting and investigations. You won't know whether a series of actions that seem benign on their own is actually being performed in a sequence that indicates an adversary is in your system. Alternatively, you may spend an hour tracking a piece of malware that snuck past your EPP only to find that it was blocked by your firewall. A security platform with integrated capabilities allows for much greater insight. Cortex Data Lake, for example, connects endpoint, cloud, and network data together.
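The Tier 1 playbook from the Automation section and the endpoint-to-firewall stitching from the Data stitching section, combined in one added Python example (constructed alert and log records, not Cortex data or Palo Alto Networks code): repeats of a known issue update the existing case, an endpoint alert whose binary the firewall already blocked is closed with that evidence attached, and only the open cases reach an analyst, highest severity first.

```python
from dataclasses import dataclass, field

EPP_ALERTS = [  # constructed sample endpoint alerts, not real telemetry
    {"id": 1, "host": "ws-12", "sha256": "aa11", "ts": 100, "signal": "unknown_binary"},
    {"id": 2, "host": "ws-12", "sha256": "aa11", "ts": 160, "signal": "unknown_binary"},
    {"id": 3, "host": "srv-01", "sha256": "bb22", "ts": 200, "signal": "credential_dump"},
    {"id": 4, "host": "ws-07", "sha256": "cc33", "ts": 300, "signal": "unknown_binary"},
]
FIREWALL_LOGS = [  # constructed sample firewall logs for the same hosts
    {"host": "ws-12", "sha256": "aa11", "ts": 105, "action": "block"},  # outbound attempt stopped
    {"host": "ws-07", "sha256": "cc33", "ts": 310, "action": "allow"},  # outbound attempt got out
]
SEVERITY_ORDER = ["info", "low", "medium", "high"]
@dataclass
class Case:
    fingerprint: tuple
    alert_ids: list = field(default_factory=list)
    severity: str = "low"
    status: str = "open"
    note: str = ""

def fingerprint(alert):
    """Known-issue key: the same binary raising the same signal on the same host."""
    return (alert["host"], alert["sha256"], alert["signal"])

def stitch_firewall(alert, fw_logs, window=60):
    """Data stitching: what did the firewall see for this host and binary near the same time?"""
    for log in fw_logs:
        same_subject = (log["host"], log["sha256"]) == (alert["host"], alert["sha256"])
        if same_subject and abs(log["ts"] - alert["ts"]) <= window:
            return log["action"]
    return None  # no network context available for this alert

def assign_severity(alert, fw_action):
    """Escalate a low-fidelity endpoint signal only when another source corroborates it."""
    if alert["signal"] == "credential_dump":
        return "high"
    return "medium" if fw_action == "allow" else "low"  # unknown binary that also talked out

def triage(alerts, fw_logs):
    """Tier 1 playbook: update the case for a known issue, otherwise open and grade a new one."""
    cases = {}
    for alert in alerts:
        fp = fingerprint(alert)
        if fp in cases:  # known issue: record the repeat, do not raise a second case
            cases[fp].alert_ids.append(alert["id"])
            continue
        case = Case(fingerprint=fp, alert_ids=[alert["id"]])
        fw_action = stitch_firewall(alert, fw_logs)
        if fw_action == "block":  # already stopped upstream: close with the evidence attached
            case.status, case.severity = "closed", "info"
            case.note = "blocked by firewall; no analyst action needed"
        else:
            case.severity = assign_severity(alert, fw_action)
        cases[fp] = case
    return cases

def analyst_queue(cases):  # only open cases reach a human, highest severity first
    open_cases = [c for c in cases.values() if c.status == "open"]
    return sorted(open_cases, key=lambda c: SEVERITY_ORDER.index(c.severity), reverse=True)
```

Running `analyst_queue(triage(EPP_ALERTS, FIREWALL_LOGS))` on the four constructed alerts hands the analyst two cases (the credential dump first, then the unknown binary that reached the network), while the firewall-blocked pair is closed without a page.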
This integration between security components provides [Cortex XDR](https://www.paloaltonetworks.com/products/xdr?ts=markdown) with the benefit of more enriched telemetry data (for faster investigation and threat hunting) and tainted alerts (to block actions associated with past malicious behavior).

### 3. Machine learning

Finally, an EDR tool should have machine learning capabilities that allow it to recognize patterns so it can learn and improve. Your EDR should draw from your (hopefully integrated!) data sources to continue to refine its algorithms for generating high-fidelity, prioritized, specific alerts.

## Cortex XDR delivers smarter detections

Cortex XDR has proven it delivers the highest combination of high-fidelity alerts, which are the most useful for identifying threats, and enriched, correlated telemetry logs for investigation and threat hunting. These types of alerts can help organizations stem the flood of false positives so their analysts can focus on investigating real threats. A test of EDR tools using realistic attack emulations of the APT 3 group through the MITRE ATT&CK evaluation recently found that Cortex XDR and Traps [detected the most attack techniques of 10 endpoint detection and response vendors](https://www.paloaltonetworks.com/cortex/cortex-xdr/mitre?ts=markdown). This evaluation provided one of the industry's first open and objective assessments of the true function and performance of the EDR marketplace.

With its default configuration during the MITRE test, Cortex XDR generated 20 real-time, specific alerts and 82 enriched telemetry logs. In a real deployment, customers can give Cortex XDR even more visibility and context into the behavior of potential threat actors by connecting additional network and cloud sensors to Cortex Data Lake. That will further reduce false positives and improve identification of malicious behavior that may otherwise seem benign.
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Mitre2-Image.png)

Read more about the [MITRE results here](https://www.paloaltonetworks.com/products/xdr/mitre?ts=markdown).

[^1]: Ryan Francis, "False positives still cause threat alert fatigue," CSO Online, May 3, 2017, https://www.csoonline.com/article/3191379/false-positives-still-cause-alert-fatigue.html.