Alert Prioritisation in Security Operations Centres: A Systematic Survey on Criteria and Methods
ACM Computing Surveys (IF 23.8), Pub Date: 2024-09-14, DOI: 10.1145/3695462
Fatemeh Jalalvand, Mohan Baruwal Chhetri, Surya Nepal, Cecile Paris

Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect, and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human-AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context, and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOCs. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation, and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.

Updated: 2024-09-14