Alert Tuning: How to Ignore 90% of Alerts Without Getting Fired
Published on May 5, 2025
By someone who actually does it — and still gets paid.
There are two types of people in IT security:
- Those who chase every alert
- And those who still have a functioning nervous system
If you work in corporate cybersecurity, you already know the truth:
Most alerts are noise — designed to protect reputations, not infrastructure.
They exist to fulfill the ancient compliance ritual of “we had an alert for that.”
But if you want to survive in this industry without burning out or blacking out, you need to develop the most essential skill in modern cybersecurity:
Knowing what to ignore, and doing it with confidence.
Here’s how to do it — and still look like a hero when the real breach hits.
1. Understand Which Alerts Are Corporate Theater
Some alerts are not meant to protect anything.
They’re there to prove to someone that something is being watched — usually a manager, auditor, or well-meaning compliance drone.
Let’s call these what they are: Performance Security Alerts.
Examples:
- “Delegated mailbox permissions were updated.”
Useless to a hacker who already has mailbox access. Also, Microsoft does this routinely on the backend without warning anyone. If there were a breach here, you’d see it in message trace, login anomalies, and forwarding rules — not in this weak sauce.
- “User added to Admin role.”
Sounds dramatic, but if you think critically: only someone with admin rights can assign admin rights. Why would a hacker give someone else admin access after they’ve already compromised it?
These alerts exist to satisfy checkbox logic — not security logic.
How to handle them:
Create a filter, tag them as “Audit Theater,” and auto-archive. You’re not deleting. You’re preserving your sanity.
2. Build a ‘Fire-First’ Triage Mindset
Here’s the truth nobody wants to admit:
You don’t need to care about every alert.
You only need to care about the ones that are clustered, coordinated, and occurring at the same time.
Let’s break it down.
Real breaches don’t announce themselves with a single flagged event. They show up like this:
- Unusual sign-in location
- Followed by MFA fatigue
- Followed by suspicious inbox rule
- Followed by data exfiltration attempt
- All on the same account
- Usually in under 15–30 minutes
That’s fire.
Everything else is noise.
Learn to triage by this logic:
| Category | Description |
|---|---|
| Fire | Multiple high-value events in short succession |
| Ice | Single anomaly with no follow-up |
| Trash | Repetitive alerts from expected behavior (cloud vendor accounts) |
If your alert doesn’t check at least two real boxes (e.g., privilege escalation + login oddity), it’s probably not worth interrupting lunch.
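To make the Fire/Ice/Trash logic concrete, here is an added example in Python (not code from the original post). It groups alerts by account and calls an account Fire only when at least two distinct high-value alert types land inside a 30-minute window; a known noisy service account is Trash; everything else is Ice. The alert-type names, the expected-noise account list and the sample alerts are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Alert types that count as "real boxes" for the two-box rule (constructed list).
HIGH_VALUE = {
    "unusual_signin_location",
    "mfa_fatigue",
    "suspicious_inbox_rule",
    "exfil_attempt",
    "privilege_escalation",
}

# Accounts whose repetitive alerts are expected behaviour (constructed example:
# a cloud backup service account).
EXPECTED_NOISE_ACCOUNTS = {"svc-cloudbackup"}

# Constructed sample alerts, one row per alert as a SIEM would emit them.
SAMPLE_ALERTS = [
    {"ts": "2025-05-05 09:02", "account": "alice", "type": "unusual_signin_location"},
    {"ts": "2025-05-05 09:06", "account": "alice", "type": "mfa_fatigue"},
    {"ts": "2025-05-05 09:14", "account": "alice", "type": "suspicious_inbox_rule"},
    {"ts": "2025-05-05 09:21", "account": "alice", "type": "exfil_attempt"},
    {"ts": "2025-05-05 10:40", "account": "bob", "type": "unusual_signin_location"},
    # carol ticks two boxes, but five and a half hours apart: no chain, no fire.
    {"ts": "2025-05-05 11:00", "account": "carol", "type": "privilege_escalation"},
    {"ts": "2025-05-05 16:30", "account": "carol", "type": "unusual_signin_location"},
    # dave's alert is audit theater and is not a high-value type at all.
    {"ts": "2025-05-05 12:00", "account": "dave", "type": "delegated_mailbox_permission"},
    {"ts": "2025-05-05 08:00", "account": "svc-cloudbackup", "type": "suspicious_inbox_rule"},
    {"ts": "2025-05-05 08:30", "account": "svc-cloudbackup", "type": "suspicious_inbox_rule"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def triage(alerts, window=timedelta(minutes=30), min_boxes=2):
    """Classify every account seen in `alerts` as Fire, Ice or Trash.

    Fire  : at least `min_boxes` distinct high-value alert types on one account
            inside some span no longer than `window`.
    Trash : the account is on the expected-noise list.
    Ice   : anything else (a single anomaly, or anomalies too far apart).
    Returns a dict mapping account -> category.
    """
    by_account = defaultdict(list)
    for a in alerts:
        by_account[a["account"]].append((parse_ts(a["ts"]), a["type"]))

    verdict = {}
    for account, events in by_account.items():
        if account in EXPECTED_NOISE_ACCOUNTS:
            verdict[account] = "Trash"
            continue
        events.sort()
        high = [(t, kind) for t, kind in events if kind in HIGH_VALUE]
        fire = False
        # Slide a window starting at each high-value event and count distinct
        # alert types that fall inside it.
        for i, (start, _) in enumerate(high):
            kinds = {kind for t, kind in high[i:] if t - start <= window}
            if len(kinds) >= min_boxes:
                fire = True
                break
        verdict[account] = "Fire" if fire else "Ice"
    return verdict


if __name__ == "__main__":
    for account, category in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{account:16} {category}")
```

Run it as a script to print one verdict per account; `window` and `min_boxes` are the knobs that correspond to the 15–30 minute and two-box thresholds above, so a team can tighten or loosen them without touching the rule itself.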
3. Automate Passive Surveillance Like You’re Building a Bot Army
Here’s the golden rule of alert tuning:
If you’re manually closing the same alert more than once, you’ve already failed.
Security tools love to drown you. If you don’t build personalized suppression logic, you will drown in “Possible Suspicious Possible Behavior” warnings that haven’t meant anything since 2014.
What to do:
- Build mail rules: Auto-tag recurring noise.
- Define alert severity levels when you can: critical, medium, low, informational.
- Use SIEM logic: Suppress events that happen X times with no correlated follow-up.
- Script it: PowerShell, Logic Apps, or (in our case) RocketCyber rule suppression and SaaS Alerts tuning: whatever makes it vanish until you want to see it.
- Maintain a “Muting Log” (part of the playbook) so when someone questions your silence, you show them the logic, not your blood pressure.
Example muting log:
“I created a rule where if the same IP fails login 5 times in 30 minutes, and it never succeeds, it gets filtered to a folder called ‘Try Harder.’”
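The ‘Try Harder’ rule above, written out as an added Python example (not the author’s RocketCyber or SaaS Alerts configuration). The log lines, IP addresses and usernames are constructed. The rule keeps the author’s “and it never succeeds” clause as an explicit check, because a burst of failures followed by a success from the same IP is the one case a suppression rule must never swallow; each decision also carries the numbers a muting log entry needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<date> <time> <source_ip> <user> <result>".
# 203.0.113.7  : six failures across five users, never gets in  -> Try Harder
# 198.51.100.4 : five failures then a success on alice         -> Escalate
# 192.0.2.9    : one failure                                    -> Inbox
SAMPLE_AUTH_LOG = """\
2025-05-05 13:00 203.0.113.7 alice FAIL
2025-05-05 13:03 203.0.113.7 alice FAIL
2025-05-05 13:05 203.0.113.7 bob FAIL
2025-05-05 13:09 203.0.113.7 carol FAIL
2025-05-05 13:12 203.0.113.7 dave FAIL
2025-05-05 13:20 203.0.113.7 erin FAIL
2025-05-05 13:01 198.51.100.4 alice FAIL
2025-05-05 13:02 198.51.100.4 alice FAIL
2025-05-05 13:04 198.51.100.4 alice FAIL
2025-05-05 13:06 198.51.100.4 alice FAIL
2025-05-05 13:08 198.51.100.4 alice FAIL
2025-05-05 13:11 198.51.100.4 alice SUCCESS
2025-05-05 14:00 192.0.2.9 bob FAIL
"""


def parse_auth_log(text):
    """Turn the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, user, result = line.split()
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), ip, user, result))
    return events


def route_by_ip(events, threshold=5, window=timedelta(minutes=30)):
    """Apply the 'Try Harder' rule per source IP.

    Try Harder : >= threshold failures inside some window-long span and no
                 success in that span (noise: nobody got in).
    Escalate   : >= threshold failures in a span that also contains a success
                 (the burst worked; this must never be muted).
    Inbox      : threshold never reached; stays in the normal queue.
    Returns ip -> {"route", "qualifying_failures", "success_in_burst"}, where
    qualifying_failures is the largest failure count of any span that crossed
    the threshold (0 if none did).
    """
    by_ip = defaultdict(list)
    for ts, ip, _user, result in events:
        by_ip[ip].append((ts, result))

    decisions = {}
    for ip, evs in by_ip.items():
        evs.sort()
        burst, success_seen = 0, False
        for i, (start, _) in enumerate(evs):
            span = [r for t, r in evs[i:] if t - start <= window]
            fails = span.count("FAIL")
            if fails >= threshold:
                burst = max(burst, fails)
                success_seen = success_seen or ("SUCCESS" in span)
        if burst and success_seen:
            route = "Escalate"
        elif burst:
            route = "Try Harder"
        else:
            route = "Inbox"
        decisions[ip] = {
            "route": route,
            "qualifying_failures": burst,
            "success_in_burst": success_seen,
        }
    return decisions


def muting_log_line(ip, decision, threshold=5, window=timedelta(minutes=30)):
    """One human-readable line per routed IP, for the muting log in the playbook."""
    mins = int(window.total_seconds() // 60)
    return (f"{ip}: {decision['route']} "
            f"(rule: >={threshold} failures in {mins} min, success seen: "
            f"{decision['success_in_burst']}, failures counted: {decision['qualifying_failures']})")


if __name__ == "__main__":
    for ip, decision in route_by_ip(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(muting_log_line(ip, decision))
```

The same shape works for any SIEM or mailbox rule engine: the suppression condition and its escape hatch (a success inside the burst) sit side by side, so the muting log entry explains both what was silenced and what would have woken you up.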
Your job is not to play whack-a-mole. It’s to spot the badger that just tunneled in from a foreign IP with a known C2 domain.
Warning:
You will get pushback.
Someone will tell you, “But we have to review all alerts in case we get audited.”
Smile. Nod. Then automate the report that says you reviewed them all.
You are not a cybersecurity therapist. You are a defender. Act like it.
You don’t get promoted for chasing ghosts.
You get promoted for spotting the poltergeist before it starts throwing furniture around.
M365 Alert Breakdown: What Actually Matters
These are the alert types worth your time — the rest are audit wallpaper.
Microsoft Defender for Office 365
| Worth It | Why It Matters |
|---|---|
| User-reported phishing (especially high-confidence) | Correlated with real compromise 20–30% of the time |
| Email forwarding rules created | Major exfil signal |
| Malicious URL click + sign-in event | User compromised after click = real threat |
| Unusual inbox rule created | Seen in >70% of BECs |
| File download surge from SharePoint/OneDrive | Indicates exfil, especially after privilege escalation |
Microsoft Entra ID (Azure AD)
| Worth It | Why It Matters |
|---|---|
| Impossible travel or unfamiliar sign-in (combined with MFA fatigue or prompt spam) | Account takeover in progress |
| Consent to new OAuth app | High chance of malicious lateral movement or persistence |
| User added to privileged group + lateral login | Chained actions = strong compromise indicator |
Microsoft Purview (Compliance Center)
| Worth It | Why It Matters |
|---|---|
| Sensitive info shared externally (DLP alert) | Leaks, especially when repeat offenders emerge |
| Mass deletion of Teams/SharePoint files | Ransomware or rogue user activity |
| Accessed content labeled “Highly Confidential” | Especially by someone outside of normal access roles |
| Mailbox search/export activity | Possible privilege abuse or investigation gone rogue |
Not Worth Your Time (Usually)
| Alert | Why It’s Trash |
|---|---|
| Delegated mailbox permission | Common MS backend ops and doesn’t indicate compromise |
| Admin role assignments by admins | Redundant, expected — threat actor already has power |
| Every single failed login alert | Needs context — alone, it’s meaningless |
| Alert: Antivirus detected X | The tool has already blocked it. You’re just late for the party. |
| Failed logins from legacy protocols (like IMAP or SMTP) | Attackers love them – we block them already |
Final Word
Security is strategy.
If you treat every alert equally, you’re not doing your job — you’re feeding the machine.
Focus on chained behavior
Think like an attacker
Automate the rest