Security Information and Event Management (SIEM) platforms are all about turning the mass of raw events that occur in your organisation’s infrastructure into intelligence that can be assessed by analysts and incident responders to identify and react to information security incidents.
SIEMs, despite what the vendors will tell you, are not infallible. It may take you months, even years, to tune your ruleset to eliminate false positives, and you’re probably working against a moving target: an ever-increasing number of event sources, alongside continually emerging new threats.
To make maximum use of your highly skilled analysts, it is common to tier them into at least two layers: an initial layer that is solely responsible for the triage of incoming events, that is, identifying false positives and dealing with common, easy-to-handle events. Only events assessed as genuine incidents are escalated to the next level of more skilled analysts, who conduct a deeper investigation. False positives can be routed to content specialists, who can further tune the SIEM rules to try to prevent the same false positive from recurring in the future.
Some organisations have as many as three or four tiers of analysts, each tier becoming more skilled and specialised as you move up the chain.