Skip to content
Sagan

Paper

AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Comprehensive Survey

Unreadunread

AI summary

This is a survey of AI-driven security alert screening in Security Operations Centers (SOCs) from 2015 to 2026. The authors reviewed 119 papers and organized them into a four-stage workflow: filtering (removing noise), triage (prioritizing alerts), correlation (linking related alerts), and generative augmentation (adding context). They identify persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practices, and propose a research agenda for building trustworthy cognitive SOCs.

Main takeaways:

  • Synthesizes 119 records (87 core studies) into a four-stage taxonomy: filtering, triage, correlation, and generative augmentation
  • Identifies gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation standards
  • Alert screening reduces alert fatigue by filtering false positives, prioritizing high-severity incidents, and linking related events
  • The field lacks real-world validation and adversarial testing despite increasing AI adoption in SOCs
  • Proposes a research agenda toward trustworthy Cognitive Security Operations Centers