Risk-Based Alerting in Microsoft Sentinel

I have a lot of organizations asking me about modern ways to use XDR platforms, specifically Sentinel (because of where I work). The classic way to use a SIEM is to send all of your crap at it and hope it spits out useful information. What always happens is you get a TON of noise, false positives, and/or too many things to investigate, which leads to the need to tune things down. As tuning occurs, the XDR platform eventually provides value. Good, but not great.

A better approach to setting up your SIEM is risk-based alerting, meaning you tactically develop alerts based on expected unwanted behavior and then tune the data to enrich the detectors that find those data points. Throwing random stuff at a SIEM leads to the old saying "Garbage in, Garbage out". Tuning garbage in is like trying to build a house out of random stuff in a pile of garbage. You can do that, but a better approach is to design the house first, then order the parts needed to build it.
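As an added illustration of the aggregation pattern behind risk-based alerting (this is my example, not code from the linked post or from Sentinel itself; the table name, scores, threshold and sample rows are constructed assumptions), the KQL below sums per-entity risk over a window and only surfaces entities whose accumulated score crosses a threshold:

```kql
// Constructed sample of low-fidelity observations, each tagged with a risk score.
// In a real deployment each analytic rule would write rows like these into a
// custom table (assumed name: RiskEvents_CL) instead of declaring them inline.
let RiskEvents = datatable(TimeGenerated: datetime, Entity: string, RiskObject: string, Detection: string, Score: int)
[
    datetime(2024-01-15 08:02:00), "alice@contoso.example", "user", "Sign-in from new country", 20,
    datetime(2024-01-15 08:05:00), "alice@contoso.example", "user", "MFA fatigue: repeated prompts", 30,
    datetime(2024-01-15 08:09:00), "alice@contoso.example", "user", "Mailbox forwarding rule created", 40,
    datetime(2024-01-15 09:30:00), "bob@contoso.example",   "user", "Sign-in from new country", 20,
    datetime(2024-01-13 12:00:00), "bob@contoso.example",   "user", "Password reset by user", 10,
    datetime(2024-01-15 10:15:00), "WS-0042",               "host", "New scheduled task", 15,
];
// Fixed reference time so the constructed rows fall inside the window;
// in a scheduled analytic rule use ago(Window) instead.
let Now = datetime(2024-01-15 12:00:00);
let Window = 24h;
let Threshold = 75;   // assumed score at which accumulated risk becomes an incident
RiskEvents
| where TimeGenerated > Now - Window
| summarize
    TotalRisk = sum(Score),
    DistinctDetections = dcount(Detection),
    Detections = make_set(Detection),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Entity, RiskObject
// Require at least two distinct detections so one repeated low-fidelity
// signal cannot trip the threshold on its own.
| where TotalRisk >= Threshold and DistinctDetections >= 2
| order by TotalRisk desc
```

With the sample rows, only alice (20 + 30 + 40 = 90 across three distinct detections) is returned; bob's in-window score is 20 and the host row is 15, so neither produces an alert on its own.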

I found a blog post from Isaac Dunham that speaks to building risk-based alerting in Microsoft Sentinel, found HERE. I've seen similar work done with other SIEMs such as Splunk and LogRhythm. The concepts are similar, but the execution differs based on the SIEM and the capabilities it offers. Check out the blog post. It's honest and real-world, and it doesn't promise to be perfect or to solve every challenge a SOC sees. But it is a helpful way to think about setting up a SIEM.
