[Technology Newsletter] Giảm thiểu nhiễu cảnh báo với AI-Driven SIEM
Cẩm nang công nghệ
15/06/2026
Security teams today are generating more log data than ever from endpoints, cloud platforms, identity systems, and OT devices. SIEM platforms centralize this data and fire alerts when suspicious activity is detected. The problem: most alerts are noise. This document explains how AI-driven SIEM addresses alert fatigue: the key technologies involved, how they fit together architecturally and real-world scenarios.
For related reading: Next-Generation SIEM | What is SIEM?
1. The Alert Fatigue Problem
Large organizations can generate thousands of security alerts every day, yet studies consistently show that 80–90% are false positives or low-value events. When analysts must investigate every alert, real threats get buried.
IBM's 2024 Cost of a Data Breach Report puts the average breach cost at $4.88 million. Delayed detection and slow response directly inflate that figure.
Why Traditional Rule-Based SIEM Cannot Scale
2. How AI Reduces Alert Noise
AI-driven SIEM does not replace rules - it adds an intelligence layer that pursues two complementary goals:
• Suppression - filter alerts from known benign activity, duplicate detections, and low-confidence events
• Prioritisation - surface genuine risks and enrich them with context so analysts can act immediately
The Five Core Technologies
These five technologies work as a layered stack. Understanding each one explains why the combined system outperforms any single approach.
3. AI-Driven SIEM Architecture
3.1 Traditional vs AI-Driven SIEM
The fundamental shift is where intelligence lives in rule-centric (human encodes logic, system executes) vs data-centric (system derives logic from observed patterns, adapts continuously).
3.2 End-to-End Processing Pipeline
Raw logs enter on the left; ranked, analyst-ready incidents exit on the right. Each stage in the pipeline addresses a specific limitation of traditional approaches.
3.3 Data Flow: Signals In, Incidents Out
4. Key Technologies in Practice
🔵 Technology #1: UEBA — User and Entity Behaviour Analytics
UEBA does not ask whether an event matches a rule. It asks: is this behaviour normal for this user or entity?
Models learn user A logs in at 9 am from Ho Chi Minh City, accesses specific folders, uses apps X and Y. When behaviour deviates — 3 am login from Romania, 500 files downloaded in 10 minutes — the risk score rises immediately, even if credentials are valid.
Scenario: Account Takeover via Stolen Credentials
Scenario: Insider Threat — Departing Employee
🟣 Technology #2: Unsupervised ML for Behavioural Baseline
Supervised models require labelled attack data — which does not exist for zero-days. Unsupervised ML only needs to learn what normal looks like. Anything that deviates sufficiently is an anomaly.
Scenario: C2 Communication Hidden in HTTPS Traffic
🟡 Technology #3: Alert Clustering & Multi-Signal Risk Scoring
One attack generates many individual rule matches. Clustering groups related signals into a single incident. Risk scoring replaces binary alert severity with a weighted, contextual danger rating.
Scenario: Ransomware Contained — 72 Alerts → 1 CRITICAL Incident
How Risk Score Is Calculated
Why Risk Score beats Severity
A single failed login is low severity. The same event after a phishing click, from an unusual IP, targeting a domain admin account on a production server = Risk Score 87/100. Context transforms the signal.
🟠 Technology #4: Generative AI & LLM in Security Operations
LLMs (GPT-4, Gemini, Claude) are integrated into SIEM not as chatbots but as analyst assistants - reducing investigation time and lowering the technical barrier for junior analysts.
Scenario: Natural-Language Query — No SPL/KQL Required
Scenario: Automated Incident Summary
Products available now: Microsoft Security Copilot | Splunk AI Assistant | Google Chronicle + Gemini
🔴 Technology #5: Agentic AI — Autonomous Security Response
Agentic AI closes the gap between detection and containment. Instead of notifying an analyst who must then act, the system can executes low-risk response actions in seconds. Human oversight is preserved through tiered policy and one-click rollback.
Tiered Automation Model
Scenario: Ransomware Contained in 47 Seconds
5. Real-World Use Cases
The following use cases represent the environments where AI-driven SIEM delivers the greatest measurable return.
5.1 Reducing Alert Fatigue in High-Volume SOCs
Large enterprises generate thousands of alerts daily. AI-driven prioritisation and clustering reduce duplicates and low-value events, allowing analysts to focus exclusively on high-risk incidents.
Typical outcome (mid-market enterprise):
• Alert volume reduction: 60–80% fewer alerts reaching the analyst queue
• False-positive rate drops from ~85% to ~20–30% after 90-day model maturation
• Analyst capacity freed: ~40% of analyst time redirected to threat-hunting
|
5.2 Cloud and Identity-Driven Environments
As organisations adopt cloud services and remote work, most incidents revolve around identities, API access, and privilege management. UEBA models trained on cloud IAM logs detect impossible-travel scenarios, OAuth token abuse, and privilege creep that static rules miss entirely.
5.3 Multi-Stage Attack Detection
APT campaigns unfold over days or weeks as a series of low-profile events. AI-driven correlation links these signals across time and systems, surfacing the full attack chain rather than individual low-severity alerts that analysts would otherwise dismiss.
Example kill-chain correlation:
• Day 1 — spear-phishing email opened: low alert, no action taken
• Day 3 — DNS beaconing from same host: medium alert, dismissed in queue
• Day 7 — credential access + lateral movement: UEBA flags deviation
• AI correlates all three events into one APT case — 7 days of context in one view
|
5.4 OT and IoT Environments
Industrial and IoT devices generate repetitive telemetry but have rigid, predictable behaviour profiles. Unsupervised ML establishes tight baselines for these devices, making even subtle deviations — a PLC communicating on a new port, a sensor reporting out-of-band — immediately detectable without bespoke rules.
Conclusion
Alert fatigue is not solved by adding analysts or writing more rules. The scale and complexity of modern security data require a fundamentally different approach: AI-driven SIEM that learns what normal looks like, clusters noise into signal, scores risk in context, and acts on well-defined playbooks without waiting for human input on every decision.
The five technologies described in this document — UEBA, Unsupervised ML, Alert Clustering, Generative AI, and Agentic Response — form a coherent stack. Each one addresses a specific failure mode of traditional SIEM. Together they enable security teams to detect faster, triage smarter, and respond at machine speed.
Successful deployment requires data quality discipline, a realistic tuning timeline, analyst retraining, and written automation policies before enabling any autonomous action. Organisations that invest in these foundations will see measurable reductions in alert volume, false-positive rate, and mean time to respond.
Appendix: Glossary of Key Terms
Term
| Definition
|
AI (Artificial Intelligence)
| Systems capable of tasks that normally require human reasoning and judgement.
|
ML (Machine Learning)
| AI subset where systems learn patterns from data without explicit per-task programming.
|
Deep Learning
| ML subset using multi-layer neural networks to model complex patterns in large datasets.
|
SIEM
| Platform that centralises log collection, correlation, and alerting across an IT environment.
|
SOC
| Team responsible for monitoring, detecting, and responding to security events.
|
UEBA
| Establishes normal activity baselines for users and systems; detects deviations indicative of compromise or insider threat.
|
SOAR
| Automates security workflows include triage, investigation steps, and response actions via playbooks.
|
XDR
| Integrates telemetry from endpoints, networks, identity systems, and cloud into a unified detection and response layer.
|
APT
| Long-duration targeted cyberattack where an adversary maintains covert access to pursue strategic objectives.
|
GenAI / LLM
| AI is capable of generating text, code, and summaries from training data. Applied in SIEM for NLQ and incident summarisation.
|
MTTR
| Mean Time to Respond — average elapsed time between incident detection and containment.
|
MITRE ATT&CK
| Publicly available knowledge base of adversary tactics and techniques, used as a reference framework in SIEM detection.
|
CEF / LEEF
| Common Event Format / Log Event Extended Format — standardised log schemas for cross-source normalisation.
|
OT (Operational Technology)
| Hardware and software monitoring physical industrial processes including manufacturing and critical infrastructure.
|
DPIA
| Data Protection Impact Assessment
|
LSTM
| Long Short-Term Memory: A neural network model used to learn patterns over time and detect unusual behavior sequences.
|
DBSCAN
| Density-Based Spatial Clustering of Applications with Noise.
|
Autoencoder
| A neural network that learns normal patterns and flags data that deviates from them as anomalies.
|
Further reading: TMA Insights — Next-Generation SIEM | MITRE ATT&CK | Microsoft Security Copilot
Tin liên quan
![[Technology Newsletter] Monthly Update on AI Models, Frameworks, Tools & Platforms - April 2026](https://www.tma.vn/images/news/news_thumbnailURL_20260608095150.622.webp)
AI is evolving at breakneck speed. In less than a month, a series of new AI models and features from major tech companies have been released. "Latest Technology Newsletter | Issue #02" will bring you...
Sáng ngày 12/02 vừa qua, tại TMA Lab 6 và nền tảng trực tuyến Zoom, buổi seminar chuyên sâu với chủ đề "Securing Agentic AI at Internet Scale" đã diễn ra thành công, thu hút...
Trong kỷ nguyên số, Trí tuệ Nhân tạo (AI) đã trở thành động lực thay đổi mọi khía cạnh của cuộc sống, và hoạt động tuyển dụng cũng không ngoại lệ. Nhằm tăng trải nghiệm...