It is common practice for devops to wake up in the middle of the night if the database stops working.
Who wants to wake up just because your (un)beloved security monitoring system flagged an alert as critical? Security teams usually have either too few alerts (potentially a sign that not everything is being monitored) or too many, and are therefore overwhelmed with false positives. At a certain point, filtering and event correlation become inevitable to keep only those alerts that carry an immediate action item. We are going to talk about our home-built ElasticSearch-based solution and show how we managed to transform thousands of events per second into 30-50 alerts per day.
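As an added illustration (not the home-built ElasticSearch pipeline the abstract refers to), the following Python sketch shows the two stages named above on a constructed event stream: a suppression list filters informational noise, and a per-(rule, source) threshold inside a sliding window collapses a burst of low-severity events into a single alert, while a lone critical finding still produces an alert on its own. The rule names, thresholds, window size and addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample stream (not real data): a brute-force style burst from one
# host, a few stray failures from another, informational DNS noise and a single
# critical finding. Timestamps are ISO 8601 strings as a log shipper would emit.
def build_sample_events():
    base = datetime(2024, 1, 1, 3, 0, 0)
    events = []
    # 30 failed SSH logins from one source, one every 6 seconds (a 3-minute burst)
    for i in range(30):
        events.append({"ts": (base + timedelta(seconds=6 * i)).isoformat(),
                       "rule": "ssh_failed_login", "src": "10.0.0.5", "severity": "low"})
    # 5 failed logins from another host: below threshold, must not alert
    for i in range(5):
        events.append({"ts": (base + timedelta(seconds=40 * i)).isoformat(),
                       "rule": "ssh_failed_login", "src": "10.0.0.9", "severity": "low"})
    # 20 informational DNS events: filtered out entirely
    for i in range(20):
        events.append({"ts": (base + timedelta(seconds=3 * i)).isoformat(),
                       "rule": "dns_query_logged", "src": "10.0.0.7", "severity": "info"})
    # one critical event: always becomes an alert by itself
    events.append({"ts": (base + timedelta(seconds=90)).isoformat(),
                   "rule": "new_admin_user_created", "src": "10.0.0.3", "severity": "critical"})
    return events


# Assumed tuning values for the example.
SUPPRESSED_RULES = {"dns_query_logged"}    # filter stage: pure noise never becomes an alert
THRESHOLDS = {"ssh_failed_login": 10}      # correlation stage: N hits per (rule, src) in WINDOW
WINDOW = timedelta(minutes=5)


def correlate(events, thresholds=THRESHOLDS, suppressed=SUPPRESSED_RULES, window=WINDOW):
    """Reduce raw events to actionable alerts. Returns a list of alert dicts."""
    alerts = []
    hits = defaultdict(list)   # (rule, src) -> timestamps of matching events in the window
    last_alert = {}            # (rule, src) -> time of the most recent alert for that key
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["rule"] in suppressed:
            continue
        if ev["severity"] == "critical":
            alerts.append({"ts": ev["ts"], "rule": ev["rule"], "src": ev["src"], "count": 1})
            continue
        key = (ev["rule"], ev["src"])
        needed = thresholds.get(ev["rule"])
        if needed is None:
            # no correlation rule for this event type: keep it in the index, do not page anyone
            continue
        # drop hits that fell out of the sliding window, then record this one
        hits[key] = [t for t in hits[key] if ts - t <= window] + [ts]
        if len(hits[key]) < needed:
            continue
        # threshold reached: alert once, then stay quiet for the rest of the window
        if key in last_alert and ts - last_alert[key] <= window:
            continue
        last_alert[key] = ts
        alerts.append({"ts": ev["ts"], "rule": ev["rule"], "src": ev["src"], "count": len(hits[key])})
    return alerts


if __name__ == "__main__":
    raw = build_sample_events()
    out = correlate(raw)
    print(f"{len(raw)} events -> {len(out)} alerts")
    for a in out:
        print(a)
```

The 56 constructed events collapse to two alerts: one for the burst of failed logins (fired at the tenth hit, with the cooldown keeping the remaining twenty quiet) and one for the critical event. The five stray failures from the second host never reach the threshold, and the DNS events are dropped before correlation.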