Real estate firm improves MTTD and MTTR using Risk-Based Alerting (RBA)
Client: Confidential Real Estate and Property Management Firm (500+ Employees)
Industry: Real Estate and Property Management
The Challenge: The customer's Security Operations Center (SOC) faced a growing volume of security alerts generated from multiple sources, including:
- Windows Event Logs
- Firewall and IDS/IPS logs
- Microsoft 365 audit logs
- Endpoint Detection and Response (EDR) telemetry
- Cloud application logs (Azure AD Sign-ins, SharePoint, OneDrive)
- *nix logs
- Database logs
- Firewall and network logs
The SIEM was producing hundreds of daily alerts, many of which were low-value or repetitive. Analysts struggled to prioritize incidents effectively, leading to:
- Alert fatigue and missed high-risk threats
- Longer Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
- Inconsistent correlation between user activities across different systems
The SOC team needed a more intelligence-driven detection model that would prioritize actual risk instead of raw event volume.
The Solution: NCI introduced a Risk-Based Alerting framework to shift the firm’s detection model from event-based to risk-based.
Step 1: Inventory and Categorize Existing Use Cases
All existing SIEM correlation rules and use cases were reviewed.
Use cases were grouped into categories:
- Authentication anomalies
- Data exfiltration
- Privileged account abuse
- Cloud access deviations
- Network reconnaissance
Step 2: Define Risk Scoring Model
Each use case was assigned a risk score based on:
- Asset criticality (e.g., domain controller vs. user workstation)
- User privilege level
- Threat severity (based on MITRE ATT&CK tactics)
- Event confidence (false positive likelihood)
Example:
| Use Case | Source | Severity | Confidence | Risk Score |
|---|---|---|---|---|
| Multiple failed logins followed by success | AD | Medium | High | 50 |
| File download from SharePoint outside office hours | O365 | Low | Medium | 30 |
| EDR detects credential dumping | EDR | High | High | 90 |
Step 3: Implement RBA Correlation
Instead of generating individual alerts for each event, the SIEM was configured to:
- Accumulate risk scores for entities (users, hosts, IPs) over a time window
- Trigger alerts only when cumulative risk exceeded a defined threshold
This created entity-centric detection, e.g.:
“User’s cumulative risk score reached 120 — involving suspicious logins, elevated PowerShell activity, and file exfiltration.”
Step 4: Enrichment and Contextualization
Threat intelligence feeds and identity data (from HR systems) were integrated to add context:
- User department and role
- Asset criticality from CMDB
- Known bad IPs from threat intel
This context improved accuracy and response prioritization.
Step 5: Dashboards and Analyst Training
New dashboards visualized entity risk trends, high-risk users, and alert sources.
SOC analysts were trained to investigate risk-based alerts instead of raw correlation events.
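The following is an added illustration of Steps 2 to 4 in working code; it is not the firm's SIEM configuration or NCI's tooling. It uses the three rule scores from the example table above, adds constructed enrichment data (a hypothetical CMDB criticality multiplier, a privileged-user list from HR data, and a small threat-intel IP set in the documentation address range), and accumulates scores per user and per host over a sliding 24-hour window, raising a notable only when an entity's window total reaches the threshold. The event timestamps, user names, host names and the threshold of 100 are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Per-rule base scores, taken from the page's example table (Step 2).
RULE_SCORES = {
    "multi_fail_then_success": 50,        # AD: multiple failed logins followed by success
    "sharepoint_offhours_download": 30,   # O365: download outside office hours
    "edr_credential_dumping": 90,         # EDR: credential dumping detected
}

# Hypothetical enrichment sources (Step 4): CMDB criticality, HR role data, threat intel.
ASSET_CRITICALITY = {"dc01": 2.0, "wks-042": 1.0, "wks-113": 1.0}  # constructed
PRIVILEGED_USERS = {"admin.jsmith"}                                # constructed
THREAT_INTEL_IPS = {"203.0.113.7"}                                 # constructed (TEST-NET-3)


@dataclass
class RiskEvent:
    ts: datetime
    rule: str
    user: str
    host: str
    src_ip: str


@dataclass
class Notable:
    entity: str
    score: int
    rules: list


def score_event(ev: RiskEvent) -> int:
    """Base score from the rule, adjusted by threat intel, asset criticality and privilege."""
    score = RULE_SCORES[ev.rule]
    if ev.src_ip in THREAT_INTEL_IPS:
        score += 20                        # known-bad source: additive bump
    multiplier = ASSET_CRITICALITY.get(ev.host, 1.0)
    if ev.user in PRIVILEGED_USERS:
        multiplier *= 1.5                  # privileged account abuse weighs more
    return int(score * multiplier)


def accumulate_risk(events, window=timedelta(hours=24), threshold=100):
    """Step 3: sum scores per entity (user and host) over a sliding window.
    A notable is raised when the window total reaches the threshold; the
    entity's window is then cleared so the next alert needs fresh evidence."""
    windows = defaultdict(deque)           # entity -> deque of (ts, score, rule)
    notables = []
    for ev in sorted(events, key=lambda e: e.ts):
        pts = score_event(ev)
        for entity in (f"user:{ev.user}", f"host:{ev.host}"):
            q = windows[entity]
            while q and ev.ts - q[0][0] > window:
                q.popleft()                # age out contributions outside the window
            q.append((ev.ts, pts, ev.rule))
            total = sum(s for _, s, _ in q)
            if total >= threshold:
                notables.append(Notable(entity, total, [r for _, _, r in q]))
                q.clear()
    return notables


# Constructed sample events for the demonstration.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    # jdoe: three medium/low signals in one morning add up past the threshold
    RiskEvent(T0, "multi_fail_then_success", "jdoe", "wks-042", "198.51.100.20"),
    RiskEvent(T0 + timedelta(minutes=40), "sharepoint_offhours_download", "jdoe", "wks-042", "198.51.100.20"),
    RiskEvent(T0 + timedelta(hours=2), "sharepoint_offhours_download", "jdoe", "wks-042", "198.51.100.20"),
    # admin.jsmith: one high-severity hit on a domain controller from a known-bad IP alerts alone
    RiskEvent(T0 + timedelta(hours=3), "edr_credential_dumping", "admin.jsmith", "dc01", "203.0.113.7"),
    # bob: two 50-point events more than 24h apart never share a window, so no alert
    RiskEvent(T0 + timedelta(hours=1), "multi_fail_then_success", "bob", "wks-113", "198.51.100.33"),
    RiskEvent(T0 + timedelta(hours=26), "multi_fail_then_success", "bob", "wks-113", "198.51.100.33"),
]


if __name__ == "__main__":
    # Render notables in the same style as the page's example alert.
    for n in accumulate_risk(SAMPLE_EVENTS):
        print(f"{n.entity} cumulative risk score reached {n.score}: involving {', '.join(n.rules)}")
```

Running the script raises notables for `user:jdoe` (110 from three low and medium signals) and `user:admin.jsmith` (330 from a single event multiplied by domain-controller criticality and privilege), plus the matching host entities, while `bob` never alerts because his two 50-point events fall outside a shared window. The list of notables, or a per-entity sum of the open windows, is the kind of data the Step 5 dashboards would chart as entity risk trends.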
The Results: After 90 days of implementation:
| Metric | Before RBA | After RBA | Improvement |
|---|---|---|---|
| Daily alerts | 850+ | ~120 | 86% reduction |
| False positives | 65% | 20% | 45% improvement |
| MTTD | 6 hours | 1.5 hours | 75% faster detection |
| Analyst productivity | Low | High | SOC focus shifted to meaningful threats |
Key Benefits
- Prioritized Threats: Alerts now reflect cumulative user/host risk rather than one-off anomalies.
- Reduced Noise: Analysts focus on meaningful signals, not event floods.
- Improved Response Time: Faster triage due to enriched context and automated scoring.
- Strategic SOC: Detection aligned with business risk and asset criticality.
Client Testimonial:
“NSecurity Consulting completely transformed how our SOC operates. By implementing Risk-Based Alerting, we reduced alert noise by over 80% and can now focus on the threats that truly matter to our business.” – SOC Manager