In the previous article, we briefly analyzed what alarm noise reduction in SOC platforms is. This article continues by analyzing what alarm assessment in SOC platforms entails. After gathering information online, I found many explanations, as follows:

1: Alarm assessment refers to the process by which security personnel or systems conduct in-depth analysis and judgment of alarm information issued by security devices or tools, with the aim of determining its authenticity, its severity, and whether corresponding response measures are necessary.

2: The assessment work involves searching for other corroborating data related to the alarm elements of security inspection devices (such as host operation logs, configuration information, etc.) and analyzing this data to determine whether the host has been compromised or whether lateral movement has occurred, thereby assessing the real threat behind the alarm.

(I believe definition 1 is quite accurate, while definition 2 focuses more on evidence collection and does not reflect the in-depth analysis and judgment of the alarm information mentioned in definition 1. I think a combination of definitions 1 and 2 is more accurate.)

3: Alarm assessment is essentially a re-analysis of intrusion detection events at the human level, using existing device alarms and experience to determine whether a real attack has taken place.

(This definition was provided by a training school, and I can only say… well, it is somewhat correct.)

4: Security personnel assess alarms issued by security systems or tools, combining existing experience and relevant tools to determine whether they represent a real attack, and based on the assessment results, provide response recommendations or handling measures.

(This definition was given by a member of a blue team and aligns very well with their job characteristics.)

5: Alarm assessment can analyze existing threat information (intelligence, vulnerabilities, assets, logs, etc.), conduct manual analysis in conjunction with security device capabilities, and confirm whether a cybersecurity incident has occurred.

(This definition is provided in a local government standard, and it has a very formal flavor. Its reference value is limited.)

6: In cybersecurity operations, alarm assessment involves denoising, merging, and correlating massive volumes of security alarms, utilizing threat matrices and attack-defense knowledge graphs for automated assistance in judgment, forming a complete threat scenario and driving subsequent responses.

(To be honest, this definition is a bit far-fetched…)

From what I see here, there is no standard definition of “alarm assessment” in the industry. I also call for a standard definition of alarm assessment in SOC-like platforms. My proposed standard definition is:

Definition: Alarm assessment refers to the process by which security personnel or systems conduct in-depth analysis of alarm information issued by security devices or tools, search for other corroborating data related to the alarm elements (such as host operation logs, configuration information, etc.), and carry out a judgment process with the aim of determining the authenticity, severity, and impact scope of the alarm, and whether corresponding response measures are necessary.

Implementation:
1) Conduct in-depth analysis of the alarm information itself;
2) Search for other corroborating data;
3) Provide north-south and east-west attack paths and correlation maps;
4) Provide corresponding handling suggestions and response measures.

In the cybersecurity operation phase, security analysts, due to limited capacity, in practice only conduct alarm assessment on the events that remain after alarm noise reduction.

———— I am the dividing line ————

Next time, we will discuss how to use large models to design AI agents for “alarm noise reduction” and “alarm assessment.”
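The four implementation steps above can be illustrated end to end. The following is an added example written for this post, not the author's code or any SOC product's: one alarm is analyzed against its rule (step 1), corroborated against host process logs (step 2), extended with the north-south ingress path and any east-west logons that follow it (step 3), and turned into handling suggestions (step 4). The rule names, hosts, IP addresses, log records and asset inventory are all constructed for the example, and the 30-minute evidence window is an assumption.

```python
"""Worked alarm-assessment pass: analyze, corroborate, map paths, recommend."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=30)  # assumption: corroborating evidence is sought within 30 min of the alarm
LEVELS = ["low", "medium", "high"]


@dataclass
class Alarm:
    alarm_id: str
    rule: str      # detection rule name on the security device (constructed)
    host: str      # asset the device alarmed on
    src_ip: str    # external source seen by the device (north-south ingress)
    ts: datetime


@dataclass
class Assessment:
    alarm_id: str
    authentic: bool
    severity: str
    impact_scope: List[str]
    north_south: Tuple[str, str]
    east_west: List[Tuple[str, str]]
    actions: List[str]


# Step 1: in-depth analysis of the alarm itself. For each rule, what host-side evidence
# would show the alarmed behaviour actually executed (constructed rule knowledge).
RULE_KNOWLEDGE: Dict[str, Dict] = {
    "WEBSHELL_UPLOAD": {"expect_parent": "httpd", "expect_children": {"sh", "bash", "python"}},
    "SQLI_PROBE": {"expect_parent": "mysqld", "expect_children": {"sh", "bash"}},
}

# Constructed asset/configuration information used for severity and impact scope.
ASSETS = {
    "web-01": {"zone": "dmz", "criticality": "medium"},
    "db-01": {"zone": "internal", "criticality": "high"},
    "app-02": {"zone": "internal", "criticality": "medium"},
}

T0 = datetime(2024, 5, 1, 10, 0)  # constructed reference time

# Constructed corroborating data: host process events and authentication events.
PROC_LOGS = [
    {"host": "web-01", "ts": T0 + timedelta(minutes=2), "parent": "httpd", "image": "sh"},
    {"host": "web-01", "ts": T0 + timedelta(minutes=5), "parent": "cron", "image": "sh"},
    {"host": "db-01", "ts": T0 + timedelta(minutes=40), "parent": "mysqld", "image": "mysqld_safe"},
]
AUTH_LOGS = [
    {"ts": T0 + timedelta(minutes=10), "src_host": "web-01", "dst_host": "db-01", "result": "success"},
    {"ts": T0 + timedelta(minutes=12), "src_host": "web-01", "dst_host": "app-02", "result": "failure"},
    {"ts": T0 + timedelta(hours=3), "src_host": "web-01", "dst_host": "app-02", "result": "success"},
]
SAMPLE_ALARMS = [
    Alarm("A-1", "WEBSHELL_UPLOAD", "web-01", "203.0.113.7", T0),
    Alarm("A-2", "SQLI_PROBE", "db-01", "198.51.100.9", T0 + timedelta(minutes=35)),
]


def corroborate(alarm: Alarm, proc_logs: List[Dict]) -> List[Dict]:
    """Step 2: search host operation logs for events matching the rule's expected artefact."""
    know = RULE_KNOWLEDGE.get(alarm.rule)
    if know is None:
        return []
    return [e for e in proc_logs
            if e["host"] == alarm.host
            and alarm.ts <= e["ts"] <= alarm.ts + WINDOW
            and e["parent"] == know["expect_parent"]
            and e["image"] in know["expect_children"]]


def lateral_paths(alarm: Alarm, auth_logs: List[Dict]) -> List[Tuple[str, str]]:
    """Step 3 (east-west): successful logons from the alarmed host to other assets after the alarm."""
    return [(e["src_host"], e["dst_host"]) for e in auth_logs
            if e["src_host"] == alarm.host and e["result"] == "success"
            and alarm.ts <= e["ts"] <= alarm.ts + WINDOW]


def rate_severity(authentic: bool, scope: List[str]) -> str:
    """Severity from authenticity, the most critical asset touched, and whether scope grew."""
    if not authentic:
        return "info"
    worst = max((ASSETS.get(h, {}).get("criticality", "low") for h in scope), key=LEVELS.index)
    return "critical" if (len(scope) > 1 or worst == "high") else "high"


def assess(alarm: Alarm, proc_logs: List[Dict], auth_logs: List[Dict]) -> Assessment:
    """Run the four steps for one alarm and return the judgment plus handling suggestions."""
    authentic = bool(corroborate(alarm, proc_logs))
    east_west = lateral_paths(alarm, auth_logs) if authentic else []
    scope = [alarm.host] + [dst for _, dst in east_west]
    severity = rate_severity(authentic, scope)
    if not authentic:  # Step 4: handling suggestions follow from the findings
        actions = ["close as false positive", f"review tuning of rule {alarm.rule}"]
    else:
        actions = [f"isolate {alarm.host}", f"block {alarm.src_ip} at the perimeter",
                   f"collect process and shell history from {alarm.host}"]
        actions += [f"review {dst} for follow-on activity" for _, dst in east_west]
    return Assessment(alarm.alarm_id, authentic, severity, scope,
                      (alarm.src_ip, alarm.host), east_west, actions)


def run_all() -> List[Assessment]:
    return [assess(a, PROC_LOGS, AUTH_LOGS) for a in SAMPLE_ALARMS]


if __name__ == "__main__":
    for result in run_all():
        print(result)
```

In the constructed data, alarm A-1 is corroborated by httpd spawning a shell two minutes later and is followed by a successful logon from web-01 to db-01, so it comes out authentic, critical, with an impact scope of two hosts and an east-west path to review; alarm A-2 finds no matching host evidence and is closed as a false positive with a tuning suggestion. The cron-spawned shell and the logon three hours later fall outside the rule's expected parent and the evidence window respectively, which is the kind of distinction step 2 exists to make.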