CIS Control 13.11: Tune Security Event Alerting Thresholds
Alert fatigue blinds your security team to real threats. CIS Control 13.11 requires you to review and tune security event alerting thresholds monthly—or more frequently—to maintain alert quality without drowning in noise. This control directly improves your incident detection effectiveness and reduces mean time to response.
What this means
Security event alerting thresholds determine which events trigger notifications to your security team. If thresholds are too high, genuine threats slip through; if too low, your team wastes time on false positives. This control mandates regular, systematic review of these thresholds at least monthly to ensure alerts remain relevant, actionable, and proportionate to actual risk.
How to comply
- 1.Establish a monthly review cadence for all security event alerting rules across SIEM, endpoint detection, and network monitoring tools
- 2.Analyze alert volume and alert disposition (true positive vs. false positive rates) for each rule over the preceding month
- 3.Identify and document rules generating excessive false positives or rules that failed to detect actual incidents
- 4.Adjust threshold values, detection logic, or rule scope based on analysis findings
- 5.Document tuning decisions, rationale, and any rule changes in a control log or change management system
- 6.Test updated rules in a staging environment before deploying to production monitoring
- 7.Communicate threshold changes to relevant stakeholders (SOC, incident response, engineering teams)
- 8.Maintain historical records of threshold changes to track tuning trends and justify modifications
Evidence auditors look for
- Monthly alert tuning log showing rule reviews, adjustments made, and false positive reduction metrics
- SIEM configuration change history with timestamps and documented rationale for threshold modifications
- Alert quality reports comparing baseline alert volume to post-tuning metrics
- Documentation of alert disposition analysis (number of true vs. false positives per rule)
- Meeting notes or sign-offs from security team confirming threshold review and approval
- Before-and-after detection rule parameters showing specific threshold value adjustments
- Incident post-mortem notes referencing alert tuning improvements to address detection gaps
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates monthly alerting threshold review workflows, tracks alert disposition metrics across your monitoring tools, and maintains the tuning audit trail required for CIS Controls compliance—eliminating manual spreadsheet tracking and reducing the time your security team spends on administrative overhead.
See how GRCWatch handles this control automatically
Start free trial