Risk Context Alerting in Infigo SIEM, a lifesaver for sure


Let's say it at the outset: Risk Context Alerting isn't one of those sexy features that everybody jumps on, with customers flocking to your presentations and throwing money at your feet. Nothing like that.
But it is incredibly useful, especially for the people actually working on security problems. SOC teams love Risk Context Alerting. Why? Because it keeps alerts at a manageable level without driving everybody insane.

The big problem is alerts: no matter what you do, no matter the automation, tech stack or configuration, they are still going to be there. And since you're fighting against the whole world, the alerts keep coming.
And you want that; alerts are a good thing, they tell you that you have to act. But there are thousands of them, and they are relentless. Risk Context Alerting tries to bring the number of alerts down without sacrificing security. It does that mostly by reducing noise and increasing accuracy: risk is not always the same, it depends on many factors. Without Risk Context Alerting, all suspicious logins are ranked the same, and every one of them generates an alert. But a suspicious login to an admin account should rank higher, as should a suspicious login to a production system; the same login on a test environment, not so much.

Risk Context Alerting assigns a risk score based on user, asset and activity behaviour. For example, a suspicious login could have a base risk score of 30, which on its own is not enough to trigger an alert. For an admin account that score is doubled; in a test environment it could be halved; on a production machine it rises dramatically.
When all of that is crunched together and the result crosses a certain threshold, an alert is triggered, and SOC analysts can see every event that led to it. Until then, the events are mere telemetry.

The risk score is cumulative and can decay over time, but how it accumulates and how fast it decays is up to you and your organization.
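To make the scoring model concrete, here is an added worked example in Python. It is not Infigo SIEM's code, and the product's actual scoring engine may differ. The x2 admin and x0.5 test-environment multipliers come from the text above; the production multiplier (x3), the alert threshold (100), the 12-hour decay half-life, the per-entity reset after an alert and the sample events are all assumptions made for illustration.

```python
"""Risk-based alerting, as an added illustration; this is not Infigo SIEM's own code.

Each event carries a base score. Context multipliers for the user role and the
asset tier adjust it, the adjusted scores accumulate per entity, the running
total decays over time, and an alert fires only when the total crosses a
threshold. All numbers below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Base scores per activity type (assumed; the page only gives 30 for a suspicious login).
BASE_SCORES = {"suspicious_login": 30, "privilege_change": 50}

# Context multipliers. x2 for admin and x0.5 for test come from the text;
# the rest are assumptions.
USER_MULTIPLIER = {"admin": 2.0, "standard": 1.0, "service": 1.5}
ASSET_MULTIPLIER = {"production": 3.0, "staging": 1.0, "test": 0.5}

ALERT_THRESHOLD = 100.0                # assumed
DECAY_HALF_LIFE = timedelta(hours=12)  # assumed: score halves every 12 h


@dataclass
class Event:
    ts: datetime
    entity: str      # the user or host the risk is attributed to
    kind: str        # key into BASE_SCORES
    user_role: str   # key into USER_MULTIPLIER
    asset_tier: str  # key into ASSET_MULTIPLIER


def score_event(ev: Event) -> float:
    """Base score adjusted by user and asset context."""
    return BASE_SCORES[ev.kind] * USER_MULTIPLIER[ev.user_role] * ASSET_MULTIPLIER[ev.asset_tier]


@dataclass
class EntityRisk:
    score: float = 0.0
    last_update: Optional[datetime] = None
    contributing: list = field(default_factory=list)  # (ts, kind, score) behind the total


class RiskEngine:
    def __init__(self, threshold: float = ALERT_THRESHOLD, half_life: timedelta = DECAY_HALF_LIFE):
        self.threshold = threshold
        self.half_life = half_life
        self.state: dict = {}

    def _decay(self, risk: EntityRisk, now: datetime) -> None:
        """Exponential decay of the accumulated score since the entity's last event."""
        if risk.last_update is not None:
            elapsed = now - risk.last_update
            risk.score *= 0.5 ** (elapsed / self.half_life)

    def ingest(self, ev: Event):
        """Score one event; return an alert dict if the entity crossed the threshold, else None."""
        risk = self.state.setdefault(ev.entity, EntityRisk())
        self._decay(risk, ev.ts)
        s = score_event(ev)
        risk.score += s
        risk.last_update = ev.ts
        risk.contributing.append((ev.ts, ev.kind, s))
        if risk.score < self.threshold:
            return None  # stays telemetry
        alert = {"entity": ev.entity, "score": round(risk.score, 1), "events": list(risk.contributing)}
        # Assumed policy: reset after alerting so the same events are not reported twice.
        risk.score = 0.0
        risk.contributing.clear()
        return alert

    def scores(self) -> dict:
        """Current (already decayed at last event) score per entity."""
        return {entity: round(r.score, 1) for entity, r in self.state.items()}


def run_sample():
    """Feed constructed sample events (not real telemetry) through the engine."""
    t0 = datetime(2024, 1, 1, 8, 0)
    events = [
        # One suspicious login each, in different contexts: only admin-on-production alerts by itself.
        Event(t0, "alice", "suspicious_login", "standard", "test"),    # 30 * 1.0 * 0.5 = 15
        Event(t0, "carol", "suspicious_login", "admin", "test"),       # 30 * 2.0 * 0.5 = 30
        Event(t0, "dave", "suspicious_login", "admin", "production"),  # 30 * 2.0 * 3.0 = 180
        # Four ordinary logins an hour apart: they accumulate faster than they decay.
        *[Event(t0 + timedelta(hours=h), "bob", "suspicious_login", "standard", "staging") for h in range(4)],
        # The same four logins a day apart: decay keeps the total well under the threshold.
        *[Event(t0 + timedelta(days=d), "eve", "suspicious_login", "standard", "staging") for d in range(4)],
    ]
    engine = RiskEngine()
    alerts = [a for a in (engine.ingest(ev) for ev in events) if a is not None]
    return alerts, engine.scores()


if __name__ == "__main__":
    alerts, remaining = run_sample()
    for a in alerts:
        print(f"ALERT {a['entity']} score={a['score']} from {len(a['events'])} events")
    print("below threshold:", remaining)
```

Note how the same four logins produce an alert when they arrive an hour apart but stay telemetry when they arrive a day apart: the decay half-life is what turns a burst into an alert and a slow drip into background noise, so it deserves as much tuning attention as the user and asset multipliers.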

Of course, every number, every asset, every user, every threshold, everything is configurable to your own organization. This fine-tuning is what separates OK security from excellent security.
All data is still recorded and can be accessed and worked on, but in a way that is more in tune with how your organization functions. When you see it in action and feel how your SOC teams suddenly have more breathing room, that is a thing of beauty.
If somebody were describing a delicious cake to you, there is a limit to how well you can imagine the taste. You have to taste it! The same goes for Risk Context Alerting.

That is why we made a short explainer, or, as always, you can get a demo or trial license for Infigo SIEM and try it for yourself.