Microsoft Corporation
Automated onboarding of detections for security operations center monitoring

Abstract:

Methods, systems, apparatuses, and computer program products are provided for evaluating security detections. A detection instance obtainer obtains detection instances from a pool, such as a security detections pool. The detection instances may be obtained for detections that meet a predetermined criterion, such as detections that have not been onboarded or rejected, or detections that have generated detection instances for a threshold time period. The detection may be onboarded or rejected automatically based on a volume thresholder and/or a detection performance evaluator. For instance, the volume thresholder may be configured to automatically onboard the detection if the volume of the detection instances is below a first threshold, and reject the detection if the volume is above a second threshold. The detection performance evaluator may be configured to onboard or reject the detection based on an efficacy of the detection (e.g., based on a true positive rate of the detection instances).