
From Alerts to Hours: The Hidden Cost of Noise


Over 1 Million Alerts — What’s Behind That Number?

Over the last 7 days, this environment generated 1,107,211 alerts.

At first glance, that sounds like strong security coverage.


But here’s the reality:

More alerts don’t mean more protection — they often mean more noise.


The real question is not how many alerts were generated, but:

How many of these actually matter?




Use Case: SMB to Public IP

To understand how this pattern behaves across the environment, we zoomed into a specific detection:

SMB communication to public IP addresses


This is a common alert category — and a perfect example of how noise accumulates.

From this single detection, we observed:

40,223 alerts


At first, this volume looks concerning. But once we investigated the behaviour behind it, a different picture emerged.


The activity was highly repetitive. The same systems were communicating with the same destinations, over and over again, in a consistent and predictable way. There was no deviation, no anomaly, no sign of malicious intent.

Expected, repetitive activity — not malicious behaviour



By applying a simple filter:

NOT original.SourceAddress: 10.10.10.10
AND NOT original.DestinationAddress: 123.123.123.123

The dataset changed dramatically.

40,223 alerts → 2 relevant events


The rest? Noise.

Applying this filter took approximately 20 seconds.

On its own, that’s trivial. But this is where scale changes everything.



Now Let’s Talk About Time

Let’s return to that 20 second filter.

If one filter takes ~20 seconds to apply, and an analyst has to apply multiple filters per alert, the time starts to compound quickly.


In a realistic scenario:

  • around 20 alerts

  • each requiring filtering of known exceptions

  • approximately 15 filters per alert


That results in roughly 5 minutes per alert.

Across a single day, that becomes:

100 minutes (~1.6 hours) spent purely on filtering.


Over Time

When repeated daily, this effort scales into a substantial operational cost (assuming a five-day working week and a four-week month):

Period     Time Lost on Filtering
1 Day      ~1.6 hours
1 Week     ~8 hours
1 Month    ~32 hours
1 Year     ~384 hours (~48 working days)


Time Is Money, Literally

384 hours is not just time. It is budget burned on non-threats.


That is over 48 working days spent filtering known, repetitive activity.

More than two months of one analyst's capacity lost to noise


And that doesn’t include:

  • investigation fatigue

  • reduced focus on real threats


The Real Risk

The issue is not just inefficiency — it’s exposure.

While analysts are:

  • filtering known IPs

  • excluding expected behaviour

  • cleaning repetitive alerts

They are not investigating real threats


If a genuine attack is happening at the same time — whether it’s lateral movement, a suspicious login, or an unusual outbound connection — detection is delayed.

And in security, delay matters.

  • investigations start later

  • response is slower

  • attackers gain time


Where the SOC Adds Value

This is where a Security Operations Centre changes the equation entirely.

Instead of manually repeating the same filtering process for every alert, a SOC:

  • baselines known behaviour

  • pre-defines trusted exceptions

  • automates filtering logic

  • reduces noise before it reaches the analyst
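The two approaches above (the manual exclusion filter applied in the "SMB to Public IP" use case, and the baselined, automated suppression a SOC puts in front of the analyst) can be put side by side in code. The following is an added example written for this edit; it is not the author's tooling and the alerts are constructed, not the 40,223 real events. Only the field names `original.SourceAddress` and `original.DestinationAddress` and the two IPs come from the post's filter; everything else (the `min_count` threshold, the sample hosts, the function names) is an assumption for illustration. It also makes one point the post does not spell out: an exception on a single field, as in `NOT original.SourceAddress: 10.10.10.10`, silently hides that host's traffic to any destination, whereas a baseline keyed on the (source, destination) pair still surfaces a known host reaching a new public IP.

```python
"""Added example: manual field-level exclusion vs. a learned (src, dst) baseline
for "SMB to public IP" alerts. Constructed data; not the post's real events."""
from collections import Counter

SRC = "original.SourceAddress"        # field names taken from the post's filter
DST = "original.DestinationAddress"


def _alert(src, dst):
    return {"rule": "SMB to public IP", SRC: src, DST: dst}


# Constructed sample set (assumption): a miniature of the pattern the post describes.
SAMPLE_ALERTS = (
    # the known noisy pair, repeating predictably
    [_alert("10.10.10.10", "123.123.123.123") for _ in range(30)]
    # genuinely new behaviour: an unseen host reaching an unseen public address
    + [_alert("10.10.10.55", "198.51.100.7") for _ in range(2)]
    # the known noisy host reaching a destination it has never contacted before
    + [_alert("10.10.10.10", "203.0.113.9")]
)

# The post's manual query, as (field, value) pairs:
#   NOT original.SourceAddress: 10.10.10.10
#   AND NOT original.DestinationAddress: 123.123.123.123
POST_EXCLUSIONS = [(SRC, "10.10.10.10"), (DST, "123.123.123.123")]


def apply_exclusion_filter(alerts, exclusions):
    """Manual filtering: an alert survives only if it matches none of the
    excluded field values. Note the semantics: excluding a source address
    drops that host's alerts to EVERY destination, known or not."""
    return [a for a in alerts
            if not any(a.get(field) == value for field, value in exclusions)]


def learn_baseline(history, min_count=10):
    """Baseline known behaviour from a historical window: (src, dst) pairs that
    recur at least `min_count` times are treated as expected. `min_count` is an
    assumed threshold; tune it to the environment. Keying on the pair rather
    than a single field keeps the exception narrow."""
    counts = Counter((a[SRC], a[DST]) for a in history)
    return {pair for pair, n in counts.items() if n >= min_count}


def suppress_baseline(alerts, baseline):
    """Automated filtering: drop alerts whose (src, dst) pair is baselined.
    Returns (remaining_alerts, suppressed_count)."""
    remaining = [a for a in alerts if (a[SRC], a[DST]) not in baseline]
    return remaining, len(alerts) - len(remaining)


def compare(alerts, history=None):
    """Run both approaches over the same alerts and report the difference.
    `history` is the window the baseline is learned from; here the sample set
    doubles as its own history, which the min_count threshold makes safe."""
    history = alerts if history is None else history
    manual = apply_exclusion_filter(alerts, POST_EXCLUSIONS)
    baseline = learn_baseline(history)
    automated, suppressed = suppress_baseline(alerts, baseline)
    return {
        "total": len(alerts),
        "manual_remaining": len(manual),
        "baseline_pairs": sorted(baseline),
        "automated_remaining": len(automated),
        "suppressed": suppressed,
        # pairs the field-level exclusion hid but the pair baseline kept
        "missed_by_manual": sorted({(a[SRC], a[DST]) for a in automated
                                    if a not in manual}),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed set the manual filter leaves 2 alerts, matching the post's "40,223 alerts → 2 relevant events", while the pair baseline suppresses the same 30 repetitive alerts but leaves 3, because `10.10.10.10` reaching `203.0.113.9` is not expected behaviour even though the host is known. Whichever form the exception takes, it should be reviewed on a schedule: a baselined pair is exactly where an attacker who has compromised the known host can hide.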

The result is not just fewer alerts — it’s better focus.


Final Insight

1 million alerts do not mean 1 million threats.

They represent scale, noise, and repetition.

The real value lies in transforming that volume into something manageable:

A small number of meaningful, actionable signals



Because in the end:

If everything is an alert — nothing is.

-Written by Andy Urlep

