This is a survey of AI-driven security alert screening in Security Operations Centers (SOCs) from 2015 to 2026. The authors reviewed 119 papers and organized them into a four-stage workflow: filtering (removing noise), triage (prioritizing alerts), correlation (linking related alerts), and generative augmentation (adding context). They identify persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practices, and propose a research agenda for building trustworthy cognitive SOCs.
Main takeaways:
- Synthesizes 119 records (87 core studies) into a four-stage taxonomy: filtering, triage, correlation, and generative augmentation
- Identifies gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation standards
- Alert screening reduces alert fatigue by filtering false positives, prioritizing high-severity incidents, and linking related events
- The field lacks real-world validation and adversarial testing despite increasing AI adoption in SOCs
- Proposes a research agenda toward trustworthy Cognitive Security Operations Centers