Lack of SOAR and AI Agents isn’t Killing Your SOC. Poor Alerts Are.
Cybersec Café #83 - 09/09/25
SIEM is the backbone of every detection engineering program.
It gives you log aggregation, near real-time alerting, and a single pane of glass where everything is searchable and (hypothetically) correlatable.
But as your detection program grows, if you don’t have a solid engineering process in front of it, alert fatigue will hit you fast. And just having a SIEM in place on its own won’t save you from that.
When teams hit this wall, that’s usually when they start looking at the next shiny thing: SOAR platforms or, lately, the mystical “AI Agents.” Just picture it:
Automated initial triage. Response workflows. Branching logic that adapts with every new data point. Sounds amazing, doesn’t it?
Well, I’m sure I’m not the first you’ve seen to say it, but more tools don’t automatically make your detection program better.
The promises of SOAR and AI Agents infatuate many detection engineering teams, but is it really the logical next step for you?
Yes, SOAR and AI tools can help reduce some noise and automate repetitive tasks. But they’re band-aid fixes to your problems, not cures.
And if your alerts are poorly designed, automation only helps you fail faster.
The real problem isn’t a lack of SOAR or AI Agents - it’s bad alerts.
How to Address Your Poor Alerts
When I say “poor alerts,” I’m talking about the constant stream of detections in your SIEM that just aren’t pulling their weight. Usually, they fall into one of three buckets:
They don’t provide any real value
They’re detached from your environmental context
They lack the context you need to actually investigate
Bottom line: you need a methodical way to improve alert quality.
Here’s where I’d start.
Tune Out Alerts that aren’t Valuable
One of the biggest mistakes I see is letting weak alerts linger far too long because of perceived value.
This usually looks like keeping a detection around because the activity it picks up sounds suspicious, but in reality, it’s just flagging normal behavior over and over again.
Medium severity detections are notorious for this problem.
There are two approaches I take with high-volume, low-value alerts:
Tuning the Detection: While tuning sounds like the simple and obvious choice, it isn’t just an easy tweak and checkbox exercise. It requires a deep understanding of the log source and how attackers actually abuse the behavior you’re trying to pick up on. Without that context, you risk tuning yourself into blindness.
Using the Detection in Conjunction with Others: Sometimes a noisy detection isn’t useless. It’s just weak on its own. Repurpose it to strengthen confidence when combined with other signals. By itself, it might be informational. Paired with another detection in the same time window, it might point to something more serious.
The goal of either approach is to eliminate busy work chasing meaningless alerts.
But be cautious and don’t get too trigger-happy. If you tune too aggressively or downgrade everything, you’ll lose visibility into your environment fast.
Move slowly, validate changes, and make sure new behavior matches your expectations.
If you want a deeper dive, check out my article on my detection tuning methodology. The TL;DR: start broad, collect data, and gradually refine down to granular coverage as you scale.
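Both approaches above can be expressed in a few lines of logic. The following is an added illustration, not code from the newsletter or from any SIEM product: it runs a constructed stream of low-level signals through a documented tuning exclusion, then promotes a weak rule only when a stronger rule fires on the same host inside a time window. Rule names, hosts, users and the exclusion reason are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample signals (not real telemetry). "encoded_powershell" is the
# noisy, low-value rule; "new_scheduled_task" is the stronger one.
SAMPLE_ALERTS = [
    {"ts": "2025-09-09T10:00:00", "rule": "encoded_powershell", "host": "ws-042", "user": "jdoe"},
    {"ts": "2025-09-09T10:03:00", "rule": "new_scheduled_task", "host": "ws-042", "user": "jdoe"},
    {"ts": "2025-09-09T10:10:00", "rule": "encoded_powershell", "host": "ws-017", "user": "svc-patch"},
    {"ts": "2025-09-09T11:30:00", "rule": "encoded_powershell", "host": "ws-099", "user": "asmith"},
    {"ts": "2025-09-09T13:00:00", "rule": "new_scheduled_task", "host": "ws-099", "user": "asmith"},
]

# Approach 1: tuning. Every exclusion carries the reason it exists, so a later
# reviewer can tell whether it still holds instead of inheriting a blind spot.
TUNING_EXCLUSIONS = [
    {"rule": "encoded_powershell", "user": "svc-patch",
     "reason": "hypothetical: patch-management service account runs signed encoded commands hourly"},
]


def apply_tuning(alerts, exclusions):
    """Drop alerts that match every non-reason field of some exclusion; keep the rest."""
    kept = []
    for alert in alerts:
        suppressed = any(
            all(alert.get(key) == value for key, value in exclusion.items() if key != "reason")
            for exclusion in exclusions
        )
        if not suppressed:
            kept.append(alert)
    return kept


# Approach 2: correlation. The weak rule stays informational on its own; it is
# promoted only when the strong rule fires on the same host within the window.
def correlate(alerts, weak_rule, strong_rule, window_minutes):
    """Return one promoted alert per (weak, strong) pair on the same host inside the window."""
    window = timedelta(minutes=window_minutes)
    parsed = [(datetime.fromisoformat(a["ts"]), a) for a in alerts]
    weak = [(t, a) for t, a in parsed if a["rule"] == weak_rule]
    strong = [(t, a) for t, a in parsed if a["rule"] == strong_rule]
    promoted = []
    for t_weak, w in weak:
        for t_strong, s in strong:
            if s["host"] == w["host"] and t_weak <= t_strong <= t_weak + window:
                promoted.append({
                    "host": w["host"],
                    "user": w["user"],
                    "signals": [weak_rule, strong_rule],
                    "first_seen": w["ts"],
                    "last_seen": s["ts"],
                    "severity": "high",
                })
    return promoted


if __name__ == "__main__":
    tuned = apply_tuning(SAMPLE_ALERTS, TUNING_EXCLUSIONS)
    print(f"{len(SAMPLE_ALERTS)} raw signals -> {len(tuned)} after tuning")
    for hit in correlate(tuned, "encoded_powershell", "new_scheduled_task", 15):
        print("promoted:", hit)
```

Note the trade-off the window encodes: at 15 minutes only the ws-042 pair is promoted, while widening it to two hours also catches the ws-099 pair, at the cost of more coincidental matches. That is the "validate changes and check the new behavior matches your expectations" step in miniature.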
- Today’s Sponsor -
Whether it’s Detection Engineering, Incident Response, or Threat Hunting - Security Operations is built on data. And as a Security Engineer, you need to make that data work for you. Selecty is a database-agnostic, sidecar query assistant built to do just that. Generate queries based on your table schemas, optimize them to your use case, iterate on them quickly, and debug faster than ever - all in one sleek interface. Check it out!
Get in Touch with Your Environment
One of the earliest lessons in detection engineering is that most of your Indicators of Compromise (IOCs) come down to privileged actions being taken under the wrong guise.
However, you’ll quickly find that these same privileged actions are also carried out legitimately every single day by real users and service accounts.
Without tuning, you’ll drown in false positives.
The fix starts with research. Over time, patterns begin to emerge, and it’s your job as a detection engineer to recognize them.
You’ll also find it valuable to communicate with stakeholders. They’ll likely be able to tell you exactly which accounts or teams routinely perform certain actions, and the business cases behind them.
And sometimes, the tuning idea comes from anecdotal experience. If you’re triaging the same false positive five times a day, it’s probably time to adjust your detection logic.
This is especially true when implementing out-of-the-box or open-source detection rules. They’re a great foundation, but they’re designed to flag potentially malicious actions.
What’s normal vs. abnormal in your environment is something that only you, as a detection engineer, have the information to define.
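One concrete way to turn "patterns begin to emerge" and "ask the stakeholders" into detection logic is a baseline: count on how many distinct days each account has performed a privileged action, treat accounts above a threshold as routine, and merge in the accounts stakeholders have confirmed along with their business case. The example below is added here and is not the newsletter's or any vendor's code; the history lines, account names, action names and the confirmation note are constructed.

```python
from collections import defaultdict

# Constructed history of privileged actions (not real logs): date,user,action
HISTORY = """\
2025-08-01,svc-backup,AddMemberToGroup
2025-08-02,svc-backup,AddMemberToGroup
2025-08-05,svc-backup,AddMemberToGroup
2025-08-06,svc-backup,AddMemberToGroup
2025-08-03,it-admin-1,AddMemberToGroup
2025-08-10,it-admin-1,AddMemberToGroup
2025-08-11,it-admin-1,ResetPassword
2025-08-12,it-admin-1,ResetPassword
2025-08-20,contractor7,AddMemberToGroup
"""

# Accounts a stakeholder has confirmed as legitimate owners of an action,
# recorded with the business case so the exception is reviewable later.
# Hypothetical entries for the example.
STAKEHOLDER_CONFIRMED = {
    "ResetPassword": {"it-admin-1": "help-desk rotation handles password resets"},
}


def build_baseline(history_csv, min_days=3):
    """Return {action: {user, ...}} for users seen doing the action on >= min_days distinct days."""
    days_seen = defaultdict(set)  # (action, user) -> set of dates
    for line in history_csv.strip().splitlines():
        date, user, action = line.split(",")
        days_seen[(action, user)].add(date)
    baseline = defaultdict(set)
    for (action, user), dates in days_seen.items():
        if len(dates) >= min_days:
            baseline[action].add(user)
    return baseline


def is_routine(action, user, baseline, confirmed=STAKEHOLDER_CONFIRMED):
    """Routine if the history says so, or if a stakeholder has vouched for the pairing."""
    return user in baseline.get(action, set()) or user in confirmed.get(action, {})


def triage(events, baseline):
    """Keep only events whose actor is not routine for that action; these deserve an analyst."""
    return [e for e in events if not is_routine(e["action"], e["user"], baseline)]


# Constructed events arriving today (not real telemetry).
TODAY = [
    {"user": "svc-backup", "action": "AddMemberToGroup", "target": "grp-backup-ops"},
    {"user": "it-admin-1", "action": "ResetPassword", "target": "jdoe"},
    {"user": "contractor7", "action": "AddMemberToGroup", "target": "Domain Admins"},
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in triage(TODAY, baseline):
        print("needs review:", event)
```

The threshold matters: with min_days=3, svc-backup (four days) is routine for group changes while it-admin-1 (two days) is not, so it-admin-1's password resets pass only because a stakeholder confirmed them. Lowering the threshold without that conversation is exactly the "tuning yourself into blindness" the tuning section warns about.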
Make Your Alerts Actionable
If your analysts can’t quickly understand and act on an alert, you don’t have a detection - you have noise.
Poor alerts are generic. They leave you asking: Who was involved? What environment? From what IP? What was the target?
Without answers, you’re forcing your analysts to waste time digging for context.
Frankly, this is one of my biggest complaints with certain SIEM vendors (no names, but you know who you are). Their out-of-the-box rules often feel like they were designed by people who’ve never had to use them.
So how do you fix it? Start by asking yourself: What would I want to know from a quick glance at this ticket?
In most cases, the answers are simple—users, actions, and targets. That’s the core. Build your alert logic and enrichment around them.
Then, make the alert human readable in a way that makes it easy to understand where and how to take action.
Titles should be clear and artifact-rich. Always include critical context like IP addresses, accounts, or targets. Add quick links that make triage almost effortless:
A dashboard view pre-filtered for that user
A saved query for that action
A VirusTotal link with the IP already embedded.
The less manual work, the better. Plus, you’ll achieve a SOAR-like benefit of easily accessible information by following these steps.
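What the guidance above looks like at the point where a detection emits its alert: an added example (not from the newsletter or any SIEM) that refuses to emit an alert missing one of the core fields, composes an artifact-rich title from user, action, target, host and source IP, and attaches the three pivots listed. The SIEM dashboard and saved-search URLs are hypothetical placeholders for your own; the VirusTotal IP-address page format is the public one. The sample alert fields are constructed.

```python
from urllib.parse import quote, urlencode

# Hypothetical base URLs for an organisation's own SIEM; substitute your real ones.
DASHBOARD_BASE = "https://siem.example.internal/dashboards/user-activity"
SAVED_QUERY_BASE = "https://siem.example.internal/search"
# Public VirusTotal page for an IP address.
VT_IP_BASE = "https://www.virustotal.com/gui/ip-address/"

# The questions an analyst asks at a glance: who, what, where, from where, against what.
REQUIRED = ("severity", "environment", "rule", "user", "action", "host", "src_ip", "target")


def missing_fields(fields):
    """Return the list of required fields that are absent or empty."""
    return [key for key in REQUIRED if not fields.get(key)]


def build_alert(fields):
    """Return an analyst-facing alert: artifact-rich title plus one-click pivots.

    A missing core field is a defect in the detection, so it fails here at
    build time rather than being discovered by the analyst mid-triage."""
    missing = missing_fields(fields)
    if missing:
        raise ValueError(f"rule {fields.get('rule')!r} emitted an alert missing {missing}")

    title = (f"[{fields['severity'].upper()}][{fields['environment']}] "
             f"{fields['action']} by {fields['user']} on {fields['host']} "
             f"from {fields['src_ip']} -> {fields['target']}")

    saved_query = f"action:{fields['action']} host:{fields['host']}"
    links = {
        "user_dashboard": DASHBOARD_BASE + "?" + urlencode({"user": fields["user"], "range": "24h"}),
        "saved_query": SAVED_QUERY_BASE + "?" + urlencode({"q": saved_query}),
        "virustotal_ip": VT_IP_BASE + quote(fields["src_ip"]),
    }
    return {"title": title, "links": links, "fields": fields}


def slack_text(alert):
    """Render the alert as the short message you would read on a phone."""
    lines = [alert["title"]] + [f"{name}: {url}" for name, url in alert["links"].items()]
    return "\n".join(lines)


# Constructed sample alert fields (not from a real environment).
SAMPLE = {
    "severity": "high", "environment": "prod", "rule": "new_scheduled_task",
    "user": "jdoe", "action": "Scheduled task created", "host": "ws-042",
    "src_ip": "203.0.113.5", "target": "Updater",
}

if __name__ == "__main__":
    print(slack_text(build_alert(SAMPLE)))
```

The title alone answers who, what, where and against what; the links remove the copy-and-paste step for the three pivots an analyst takes first. Failing loudly on a missing field pushes the fix back to the detection engineer, where it belongs.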
Personally, I have a motto for detection engineering: I aim to make every alert something I can triage from my phone in Slack.
At a glance, I should know what happened, who’s involved, and whether it’s worth leaving the couch to log in.
That level of clarity isn’t just about efficiency; it also helps prevent burnout - especially on small teams.
Having alerts that explain themselves is the difference between sustainable operations and constant fatigue.
The Cybersec Café Discord is officially live! Join a growing community of cybersecurity professionals who are serious about leveling up. Connect, collaborate, and grow your skills with others on the same journey. From live events to real-world security discussions — this is where the next generation of defenders connects. Join for free below.
Processes, Not Products
It’s easy to get wowed by a flashy product demo or sold on the promise of what a tool should deliver.
And while there’s a place for SOAR platforms and AI agents, we can’t let the bells and whistles distract us from what really matters: the fundamentals.
In detection engineering, the fundamentals boil down to having a clear framework and guardrails for how you design detections:
Create detections that provide value, not noise.
Build with environmental context in mind.
Make the output actionable.
Often, the real magic isn’t in what you add, but in what you choose to leave out. A SOAR platform is a fantastic next step for a mature detection program. But it’s not the step you need when you’re still building toward maturity.
The temptation to chase the shiny object is always there, but deep down, we know the truth: the answer lies in our processes, not our products.
Securely Yours,
Ryan G. Cox
P.S. The Cybersec Cafe follows a weekly cadence.
Each week, I deliver a Deep Dive on a cybersecurity topic designed to sharpen your perspective, strengthen your technical edge, and support your growth as a professional - straight to your inbox.
. . .
For more insights and updates between issues, you can always find me on Twitter/X or my Website. Let’s keep learning, sharing, and leveling up together.