# Stop Alert Fatigue: Fine-Tune Cortex XDR Analytics for Zero-Noise Security

By [Alice Nguyen](https://www.paloaltonetworks.com/blog/author/alice-nguyen/?ts=markdown "Posts by Alice Nguyen") and [Maxim Shifrin](https://www.paloaltonetworks.com/blog/author/maxim-shifrin/?ts=markdown "Posts by Maxim Shifrin")

Dec 03, 2025 · 5 minutes

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

Tags: [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [Customizing Analytics Rules](https://www.paloaltonetworks.com/blog/tag/customizing-analytics-rules/?ts=markdown), [endpoint security](https://www.paloaltonetworks.com/blog/tag/endpoint-security/?ts=markdown), [Extended Detection and Response](https://www.paloaltonetworks.com/blog/tag/extended-detection-and-response/?ts=markdown), [Fine-Tune Security](https://www.paloaltonetworks.com/blog/tag/fine-tune-security/?ts=markdown), [Noise Suppression](https://www.paloaltonetworks.com/blog/tag/noise-suppression/?ts=markdown), [Prioritized Triage](https://www.paloaltonetworks.com/blog/tag/prioritized-triage/?ts=markdown), [Adjust Alert Severity](https://www.paloaltonetworks.com/blog/tag/adjust-alert-severity/?ts=markdown)

Your security stack is working...to an extent. SOC teams today aren't struggling because they're missing threats; they're drowning because every tool is screaming for attention, burying critical alerts under mountains of low-priority noise. This massive volume of notifications, many of which are low-priority or false positives, leads to severe alert fatigue. Teams want to minimize the noise and focus their limited resources on what is necessary, especially since every SOC has its own risk tolerance, environment specifics, and organizational policies.

Customizing analytics rules addresses the alert overload by letting users adjust the severity of their detections. The SOC team can dim less relevant alerts so that the focus remains on high-value tasks. This on-demand control ensures the analytical output aligns with the enterprise's prioritization and response.
## Key Benefits of Customization

The core benefit of the flexible customization for [Analytics Rules](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-3.x-Documentation/Analytics-issues-and-Analytics-BIOCs) feature is the ability to align the security platform's output with your organization's unique risk profile and operational needs.

### 1. Achieving Optimal Triage and Risk Alignment

Every asset and user carries a different level of business risk. While a default medium severity may be suitable in some cases, a threat against a sensitive database or C-level executive requires immediate critical escalation. Cortex® XDR grants granular control over alert severity (critical, high, medium, low, informational) for individual rules, allowing SOC teams to directly control their alert queue and ensure prioritized triage. By reflecting the organization's unique risk tolerance, analysts can immediately focus on the most impactful incidents, minimizing response time and potential damage.

![Figure 1. Easily adjust the severity level of detection rules](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/12/word-image-349545-1.png)

Figure 1. Easily adjust the severity level of detection rules

### 2. Guardrails and Warnings: Preventing Unintended Consequences

If an analyst accidentally tunes a behavioral rule to generate alerts at a high severity for common, low-risk activity, it can instantly create an unmanageable alert flood and cause operational blindness. Cortex XDR is designed for immediate value: default alert severities are based on Palo Alto Networks' expert threat intelligence and domain knowledge, so customizing analytics severity is an additional control that aligns the system with organization-specific risk tolerance. To prevent these kinds of operational errors when tuning rules, Cortex XDR incorporates guardrails and warnings. These mechanisms are designed to build confidence and ensure the stability of the SOC workflow.

* **Impact Warning:** When setting a rule's severity to a low level (informational or low) or a high level (high or critical), users receive a prompt warning. This ensures a clear understanding of the potential consequences, such as losing sight of genuine threats (if too low) or increasing the rate of false positives (if too high).
* **Reversion Option:** Teams can revert any custom change back to the default severity value at any time.

![Figure 2. An impact warning appears when severity levels are changed](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/12/word-image-349545-2.png)

Figure 2. An impact warning appears when severity levels are changed

### 3. Maintaining Governance and Safe Deployment

When unauthorized users, or those without the necessary expertise, attempt to modify global security rules, they risk creating a significant security gap or causing a widespread operational outage. To prevent such unintended errors and ensure customization is performed securely and transparently, the feature integrates strong governance and safety controls. Changes are subject to [role-based access control](https://www.paloaltonetworks.com/cyberpedia/access-control) (RBAC) to limit modifications to authorized users, and the feature is fully supported in multi-tenant managed environments (MSSP use cases). For audit and oversight, dedicated fields track who made the change, when, and which rules were modified, ensuring full accountability.

![Figure 3. The modification timestamp indicates the last time a user edited or updated the Analytics Rule](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/12/word-image-349545-3.png)

Figure 3. The modification timestamp indicates the last time a user edited or updated the Analytics Rule

## Example Scenario for Customization

The flexibility to adjust severity is crucial for matching the detection platform to the customer's unique risk environment.

**Example: Reducing Severity for Noise Suppression**

Consider a "Rare Remote Service Command Execution" rule. In most environments, this is correctly flagged as high severity, indicating potential lateral movement or post-exploitation activity.

**Customization Need:** In a specific environment that runs frequent, automated, and benign remote scripts for IT configuration management (such as nightly patch installations managed by a unique automation service account), this rule may generate consistent, expected alerts.

**Action:** The SOC team may change the severity for this specific rule to medium (or even low) when triggered by the known automation service account.

**Result:** This customization reduces alert noise in the high-priority queue, saving analyst time without sacrificing the underlying detection logic.

## Conclusion

Ultimately, Cortex XDR provides a prevention-first approach to secure every endpoint, reduce risk, and unify the SOC. With flexible customization for [Analytics Rules](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/View-and-manage-Analytics-rules), security teams can tailor the system's output to their specific environment, ensuring that high-risk threats are immediately escalated and routine noise is suppressed. This fine-tuned approach transforms alert fatigue into prioritized, effective security operations, allowing analysts to focus on what matters most: stopping the attacker.

### Ready to transform your endpoint security?
Explore how [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr) and [Cortex Extended Data Lake™ (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl) can help you leverage unified data to secure every endpoint and reduce risk.
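The noise-suppression scenario in the post (a rule that keeps its default high severity for everyone except a known automation service account) and the guardrails, reversion and audit fields described under "Key Benefits" are modelled in the following Python. It is an added illustration for this page, not Cortex XDR code, and it does not use the Cortex API. The rule name "Rare Remote Service Command Execution" and the severity scale are the post's; the role name, the account-scoped override, the second rule, the triggering accounts and the sample alerts are constructed assumptions.

```python
"""Illustrative model of analytics-rule severity tuning (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Severity scale from the post, lowest to highest.
SEVERITIES = ("informational", "low", "medium", "high", "critical")

# Hypothetical role name; the post only says changes are limited by RBAC.
RULE_EDITOR_ROLE = "analytics_rule_editor"


@dataclass
class AnalyticsRule:
    name: str
    default_severity: str
    custom_severity: Optional[str] = None
    # Assumed scope: apply the override only to alerts raised by this account.
    scope_account: Optional[str] = None
    # Audit fields the post describes: who changed the rule and when.
    modified_by: Optional[str] = None
    modified_at: Optional[datetime] = None

    def effective_severity(self, actor: Optional[str] = None) -> str:
        """Severity an alert triggered by `actor` gets under the current tuning."""
        if self.custom_severity is None:
            return self.default_severity
        if self.scope_account is not None and actor != self.scope_account:
            return self.default_severity  # override is scoped; everyone else keeps the default
        return self.custom_severity


def impact_warning(severity: str) -> Optional[str]:
    """Guardrail from the post: warn when tuning to either extreme of the scale."""
    if severity in ("informational", "low"):
        return "Lowering severity may hide genuine threats in the triage queue."
    if severity in ("high", "critical"):
        return "Raising severity may increase false positives in the high-priority queue."
    return None


def set_severity(rule, severity, user, role, scope_account=None, now=None):
    """Apply a custom severity; returns the impact warning, or None if no guardrail fires."""
    if role != RULE_EDITOR_ROLE:  # RBAC: only the editing role may change rules
        raise PermissionError(f"{user} ({role}) may not modify analytics rules")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    rule.custom_severity = severity
    rule.scope_account = scope_account
    rule.modified_by = user
    rule.modified_at = now or datetime.now(timezone.utc)
    return impact_warning(severity)


def revert_severity(rule, user, role, now=None):
    """Reversion option: drop the override, but still record who reverted it and when."""
    if role != RULE_EDITOR_ROLE:
        raise PermissionError(f"{user} ({role}) may not modify analytics rules")
    rule.custom_severity = None
    rule.scope_account = None
    rule.modified_by = user
    rule.modified_at = now or datetime.now(timezone.utc)


def triage(alerts, rules):
    """Attach the effective severity to each (rule name, triggering account) alert."""
    by_name = {r.name: r for r in rules}
    return [(name, actor, by_name[name].effective_severity(actor)) for name, actor in alerts]


def high_priority_queue(triaged):
    """The analyst-facing queue: only high and critical alerts."""
    return [t for t in triaged if t[2] in ("high", "critical")]


def demo():
    """Walk through the post's scenario; returns (queue size before, after, warning)."""
    rule = AnalyticsRule("Rare Remote Service Command Execution", "high")
    other = AnalyticsRule("Unusual Process Injection", "critical")  # constructed second rule
    alerts = [  # constructed sample alerts: (rule name, triggering account)
        ("Rare Remote Service Command Execution", "svc-patch-automation"),
        ("Rare Remote Service Command Execution", "jdoe"),
        ("Unusual Process Injection", "jdoe"),
    ]
    before = high_priority_queue(triage(alerts, [rule, other]))
    warning = set_severity(rule, "medium", "alice", RULE_EDITOR_ROLE,
                           scope_account="svc-patch-automation")
    after = high_priority_queue(triage(alerts, [rule, other]))
    return len(before), len(after), warning


if __name__ == "__main__":
    print(demo())  # (3, 2, None): one expected automation alert leaves the queue, no guardrail fires
```

Because the override is scoped to the automation account, the same rule firing for an interactive user still lands in the high-priority queue, which is the point of the post's "without sacrificing the underlying detection logic". Tuning to low would return a warning string instead of None, mirroring the impact prompt in Figure 2.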