Department of Computer Science, Texas Southern University, Texas, USA.
International Journal of Science and Research Archive, 2025, 14(03), 346-352
Article DOI: 10.30574/ijsra.2025.14.3.0641
Received on 19 January 2025; revised on 03 March 2025; accepted on 05 March 2025
Threat detection systems form the backbone of modern enterprise cybersecurity programs, analyzing massive volumes of logs, network flows, and user activities to identify potentially malicious events. Despite continuous advances in detection techniques, these systems generate an abundance of benign positives, leading to alert fatigue, wasted analyst resources, and a delayed response to actual threats. This paper surveys the problem of benign positives and proposes a graph-based framework that unifies alerts, user roles, infrastructure metadata, and historical dispositions in a knowledge graph. By representing alerts and contextual entities as interconnected nodes and edges, security teams can quickly detect recurring benign patterns (e.g., routine scanning tasks, staging environment bulk transfers) and implement precise suppression rules. Experimental findings from a simulated enterprise environment indicate that this approach significantly reduces benign positives compared to conventional static filters or standalone machine learning methods. The paper closes with recommendations for integrating multi-cloud data, automated rule generation, privacy safeguards, and user-friendly interfaces that support non-expert security analysts.
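As an added illustration (not the paper's own code or data) of the alert/context knowledge graph the abstract describes: alerts are linked to users, roles, hosts, environments and past analyst dispositions, a context signature is derived by walking those edges, and recurring all-benign signatures become a suppression rule. The node types, the role and environment tables, and the sample alert history are constructed assumptions.

```python
from collections import defaultdict
# Constructed context (not from the paper): user -> role and host -> environment.
USER_ROLES = {"svc_scan": "vuln-scanner", "bob": "developer"}
HOST_ENVS = {"scan01": "prod", "db02": "prod", "build07": "staging"}
class AlertGraph:
    """Knowledge graph of alerts and context: nodes are (type, value), edges undirected."""
    def __init__(self):
        self.adj = defaultdict(set)
    def link(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)
    def add_alert(self, aid, rule, user, host, disposition=None):
        """Connect an alert to its rule, user and host; historical alerts also carry a disposition."""
        node = ("alert", aid)
        for edge in (("rule", rule), ("user", user), ("host", host)):
            self.link(node, edge)
        self.link(("user", user), ("role", USER_ROLES.get(user, "unknown")))
        self.link(("host", host), ("env", HOST_ENVS.get(host, "unknown")))
        if disposition:
            self.link(node, ("disposition", disposition))
    def _hop(self, node, kind):  # follow one edge to the neighbour of the given type
        return next((v for t, v in self.adj[node] if t == kind), None)
    def signature(self, aid):
        """Context signature (rule, role, env) via alert->user->role and alert->host->env."""
        node = ("alert", aid)
        role = self._hop(("user", self._hop(node, "user")), "role")
        env = self._hop(("host", self._hop(node, "host")), "env")
        return (self._hop(node, "rule"), role, env)
    def benign_patterns(self, min_count=3):
        """Signatures dispositioned benign every time, seen at least min_count times."""
        stats = defaultdict(lambda: [0, 0])  # signature -> [benign, total]
        for node in list(self.adj):
            disp = self._hop(node, "disposition") if node[0] == "alert" else None
            if disp:
                s = stats[self.signature(node[1])]
                s[0] += disp == "benign"
                s[1] += 1
        return {sig for sig, (b, t) in stats.items() if b == t and t >= min_count}
    def should_suppress(self, aid, min_count=3):  # the derived suppression rule
        return self.signature(aid) in self.benign_patterns(min_count)
def build_demo_graph():
    """Constructed history: the scanner role's port scans were always benign; bob's was not."""
    g = AlertGraph()
    for i in range(3):
        g.add_alert(f"h{i}", "port_scan", "svc_scan", "db02", "benign")
    g.add_alert("h3", "port_scan", "bob", "db02", "malicious")
    g.add_alert("new1", "port_scan", "svc_scan", "scan01")  # new alert, scanner role, prod
    g.add_alert("new2", "port_scan", "bob", "scan01")       # same rule, developer role
    return g
```

Because the signature is built from role and environment rather than from the raw user or host, the scanner's new alert on a host never seen before still matches the benign pattern, while the same rule firing for a developer does not.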
Cybersecurity; Threat Detection; Benign Positives; False Positives; Security Automation; Anomaly Detection; Graph-Based Modeling; Security Intelligence; Machine Learning; Security Data Visualization
Emmanuel Joshua. Reducing benign positives in threat detection systems: A graph-based approach to contextualizing security alerts. International Journal of Science and Research Archive, 2025, 14(03), 346-352. Article DOI: https://doi.org/10.30574/ijsra.2025.14.3.0641.
Copyright © 2025 Author(s) retain the copyright of this article. This article is published under the terms of the Creative Commons Attribution License 4.0