SIEM Alert Tuning: How to Cut 10,000 Daily Alerts Down to 50 Actionable Ones

Before touching any rule, know where your volume is coming from.

Splunk:

index=notable earliest=-30d
| stats count by source
| sort -count
| head 20

Microsoft Sentinel:

SecurityAlert
| where TimeGenerated > ago(30d)
| summarize count() by AlertName, ProviderName
| order by count_ desc
| take 20

What to look for in the results:

• Any single rule generating >1,000 alerts/day: almost certainly needs tuning or suppression
• Antivirus/EDR detections from known-benign software being flagged repeatedly
• Network IDS rules firing on internal scanning tools or monitoring agents
• Authentication failure rules firing on service accounts with incorrect cached passwords
• Scheduled task or backup software triggering process creation rules

For each top-5 source, answer:

1. What percentage of these alerts result in a confirmed incident? (check your closure reason data)
2. Is there a common pattern in the false positives? (same source IP, same process, same time window)
3. Can the rule be scoped more narrowly, or is the entire rule generating noise?

Every alert being 'P1' means nothing is P1. Define tiers clearly and stick to them.

Tier definitions:

Tagging rules in Splunk ES:

| makeresults
| eval rule_name="Impossible Travel Login"
| eval tier="P2"
| eval sla_hours=4
| outputlookup alert_tier_lookup.csv append=true

Routing in Sentinel (action groups): Create separate action groups in Azure Monitor for each tier:

• P1: PagerDuty/OpsGenie webhook + SMS to on-call
• P2: ServiceNow ticket creation + email to SOC queue
• P3: Log to SharePoint/Teams channel for batch review

Analytics rule alert severity maps to tier: High = P1, Medium = P2, Low = P3.

Allowlisting suppresses alerts for specific, documented conditions that you have confirmed are benign. Each allowlist entry should have: what it suppresses, why it's known-good, who approved it, and an expiry date.

Splunk: allowlist via lookup table

| inputlookup allowlist_processes.csv

Structure of allowlist_processes.csv:

process_name,justification,approved_by,expiry_date
powershell.exe -EncodedCommand dABlAHMAdAA=,Base64 encoded 'test' -- used by CI pipeline,security@company.com,2026-12-01
psexec.exe,IT uses PsExec for remote admin on server OU only,it-director@company.com,2026-08-01

Apply in a detection rule:

index=sysmon EventCode=1 Image="*powershell.exe*"
| lookup allowlist_processes.csv process_name AS CommandLine OUTPUT justification
| where isnull(justification)  // only alert on non-allowlisted commands
| stats count by ComputerName, CommandLine, User

Sentinel: allowlist via watchlist

let allowlisted_processes = _GetWatchlist('AllowlistedProcesses')
  | project process_name, justification;
SecurityEvent
| where EventID == 4688
| where NewProcessName has "powershell"
| join kind=leftanti allowlisted_processes
  on $left.CommandLine == $right.process_name

Allowlist governance rules:

• Maximum 90-day expiry on any allowlist entry (default; extend with re-approval)
• Monthly review: run a query to show all entries expiring in the next 30 days
• Any allowlist entry for a process on the LOLBAS list (living-off-the-land binaries) requires CISO sign-off
• Developers cannot add their own entries -- security team approves all

Some detections fire too frequently because the threshold is wrong for your environment. Failed login rules are the most common example -- a threshold of 5 failures in 10 minutes generates enormous noise in an environment with aggressive password policies or legacy apps.

Finding your right threshold (Splunk):

index=wineventlog EventCode=4625
| bin _time span=10m
| stats count by _time, user, src_ip
| stats avg(count) as avg_count, max(count) as max_count, 
    perc90(count) as p90_count by user
| sort -p90_count
| head 20

This shows the 90th percentile failure count per user per 10-minute window. Set your alert threshold above the p90 for normal accounts (so normal bad password days don't alert) but below the max for accounts you know have been spray-attacked.

Typical threshold calibration approach:

1. Disable the alert (or set to report-only/log-only)
2. Run for 2 weeks; collect the count distribution
3. Set threshold at 95th percentile + 20% buffer
4. Re-enable and track true positive rate for 2 weeks
5. Adjust if needed

Sentinel: dynamic thresholds Sentinel's ML-based Anomaly rules use adaptive baselines rather than fixed thresholds. For key detections (logon anomalies, data exfiltration volume), prefer Anomaly rules over fixed-threshold Scheduled Query rules when the baseline varies significantly across users or time of day.

Every SIEM deployment accumulates rules that have never produced a confirmed incident. These consume analyst time, erode trust in the alert stream, and create noise that masks real detections.

Identify candidates for retirement (Splunk):

index=notable earliest=-90d
| stats count as alert_count, 
    count(eval(status="resolved")) as resolved,
    count(eval(owner!="unassigned")) as worked
  by source
| eval worked_rate=round(worked/alert_count*100,1)
| eval resolve_rate=round(resolved/alert_count*100,1)
| where worked_rate < 5  // less than 5% of alerts were ever worked
| sort -alert_count

For any rule with <5% worked rate over 90 days, conduct a quick review:

• Is the alert volume so high analysts gave up working it? (tuning problem)
• Does the rule detect something real that's never happened in 90 days? (consider moving to P3/hunt)
• Was the rule designed for a system we no longer have? (retire it)

Retirement process:

1. Move from P1/P2 to P3 (log-only) for 30 days -- don't delete immediately
2. Confirm no incidents are missed during the 30-day observation period
3. Disable with a comment documenting why and the date
4. Full delete after 6 months if no reason to reinstate

Keep a rule retirement log:

Rule name | Date disabled | Reason | Approved by | Review date
Brute force - 5 failures in 1 min | 2026-03-01 | 0 TPs in 180 days, threshold wrong for env | CISO | 2026-09-01

Tuning without measurement is guesswork. Track these four metrics monthly:

Splunk dashboard query for monthly trend:

index=notable earliest=-6mon
| bin _time span=1mon
| stats count as total_alerts,
    count(eval(status="false positive")) as false_positives,
    count(eval(owner!="unassigned")) as worked
  by _time
| eval fp_rate=round(false_positives/total_alerts*100,1)
| eval worked_rate=round(worked/total_alerts*100,1)
| table _time, total_alerts, worked_rate, fp_rate

If total alert volume is declining and worked rate is increasing: tuning is working. If total alert volume is declining but worked rate is flat: you're suppressing without fixing root causes.