Friday Flows Episode 7: Elastic Alert Response with Cases & Slack
The majority of SOC teams are overworked & under-appreciated. Generally, they get flooded with alerts. There aren't enough human beings or resources to deal with the volume of alerts.
So teams will 'turn down' their SIEM solutions so that they can deal with a realistic volume.
The downside is that you're going to miss alerts you should deal with & you're going to get a lot of false positives.
Stephen Creedon shares a highly popular Tines workflow to do the opposite: turn your SIEM (Elastic) up to 100 and let smart, secure workflows built by you & powered by Tines take care of the analysis for you.