Security-Alerts
Definition
A security alert is a notification generated by a security tool — like an antivirus, intrusion detection system (IDS), endpoint detection and response (EDR), or SIEM — when it detects activity matching certain rules, signatures, or suspicious patterns. Alerts are meant to draw an analyst’s attention to potential threats so they can investigate. They can be triggered by:

* Known malware signatures (e.g., “Trojan:Win32/Emotet detected in C:\Users\Public\invoice.docm”)
* Unusual network traffic patterns (e.g., “Outbound connection to known C2 IP 203.0.113.77 over port 4444”)
* Unauthorized login attempts (e.g., “Multiple failed logins for admin from IP 198.51.100.23”)
* Suspicious process executions (e.g., “PowerShell launched with -enc Base64-encoded payload”)

Security alerts are the “smoke alarm” of cybersecurity — they don’t fix the problem, but they warn you something might be wrong.

**Drawbacks and limitations**

**False positives** – Benign activity triggers an alert.
* Example: A legitimate patch installer flagged as malware because it uses obfuscated code.

**False negatives** – Malicious activity slips past detection.
* Example: A custom ransomware variant not matching any known signatures avoids triggering the antivirus.

**Alert fatigue** – Too many alerts overwhelm analysts.
* Example: A SIEM generating 20,000 low-priority alerts per day causes critical alerts to be overlooked.

**Context gaps** – Alerts lack surrounding detail to make quick decisions.
* Example: “Suspicious PowerShell command detected” without information on who ran it or what it did afterward.

**Rule dependency** – Alerts are only as good as the rules.
* Example: If detection rules aren’t updated for a newly discovered exploit, the attack may go unnoticed.

**Limited scope** – One alert rarely shows the whole attack chain.
* Example: An alert for “Outbound connection to rare IP” might seem harmless until correlated with alerts for phishing email delivery and credential theft.
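The “limited scope” and “alert fatigue” points above are usually addressed by correlating alerts per host inside a time window and scoring the resulting chain, so a lone low-severity “rare IP” alert is ranked differently from the same alert sitting between a macro detection and an encoded PowerShell launch. The following is an added illustration written for this glossary entry, not code from any product; the alert records, hosts, severity weights and the 30-minute window are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: int  # rough per-rule weight, constructed for this example


# Constructed sample alerts modelled on the examples in the definition above
# (not real telemetry). Three chained alerts on ws-17, plus two isolated ones.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 1, 1, 9, 0), "ws-17", "Suspicious macro in invoice.docm", 2),
    Alert(datetime(2024, 1, 1, 9, 3), "ws-17", "PowerShell launched with -enc payload", 3),
    Alert(datetime(2024, 1, 1, 9, 5), "ws-17", "Outbound connection to rare IP", 1),
    Alert(datetime(2024, 1, 1, 11, 0), "ws-42", "Outbound connection to rare IP", 1),
    Alert(datetime(2024, 1, 2, 9, 0), "ws-17", "Outbound connection to rare IP", 1),
]


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts per host when each falls within `window` of the previous
    alert on that host. Every group is a candidate incident whose score is the
    sum of its members' severities, so the same low-severity alert scores
    higher inside a chain than when it appears alone."""
    incidents, open_group = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        group = open_group.get(a.host)
        if group and a.ts - group[-1].ts <= window:
            group.append(a)
        else:
            group = [a]
            open_group[a.host] = group
            incidents.append(group)
    return [
        {"host": g[0].host, "rules": [a.rule for a in g],
         "score": sum(a.severity for a in g)}
        for g in incidents
    ]


def triage(alerts, threshold=4):
    """Rank incidents by score and flag those that clear the escalation bar."""
    ranked = sorted(correlate(alerts), key=lambda i: i["score"], reverse=True)
    for inc in ranked:
        inc["escalate"] = inc["score"] >= threshold
    return ranked
```

With the sample data, the ws-17 chain (score 6) is escalated while the two isolated “rare IP” alerts (score 1 each) are not, even though the rule that fired is identical.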
**Real-world examples**

* During the **SolarWinds breach (2020)**, some environments produced low-priority alerts tied to attacker activity, but these were dismissed as noise. The intrusion persisted for months.
* In **Emotet campaigns**, EDR tools often flagged malicious Word macros, but without correlation to follow-on activity (PowerShell downloaders, C2 traffic), analysts sometimes closed them prematurely.
* The **2016 Mirai botnet** generated IDS alerts for massive outbound scanning, but many ISPs ignored them until the DDoS attacks began.

Further reading:

* CISA – Reducing Alert Fatigue: https://www.cisa.gov/sites/default/files/publications/Reducing-Alert-Fatigue.pdf
* MITRE ATT&CK – Detection Gaps: https://attack.mitre.org/resources/detection/
* SANS – SOC Metrics and Alert Management: https://www.sans.org/white-papers/40100/