2021-08-12T15:37:00Z

How to evaluate SIEM detection rules?


Hi community, 

When one writes detection rules for SIEM solutions, what are the criteria of a good detection rule? 

Can you share any examples?

Thanks.

ITCS user
Guest
33 Answers

Expert | Moderator | Real User

@Chiheb Chebbi,

I hope the below test cases are helpful.

Test 1 - Recon: Password Spraying
Test 2 - Privilege Escalation (Windows): PowerShell Dropper Attacks
Test 3 - Lateral Movement: PsExec
Test 4 - Privilege Escalation (Linux): Failed Sudo
Test 5 - Malicious Code Execution: EICAR Malware Test File

2021-08-13T13:55:05Z
Top 5 | Leaderboard | Real User
2021-09-03T20:26:26Z
Top 5 | Real User

As a rule, a SIEM correlation should:

1) Reduce events by 99.99% - raw events to correlations

2) Impact system performance by <1%

3) Produce correlated threats with a >35% true positive rate on investigation

   - 33% are usually false positives or misconfigurations (not real threats)
   - 33% are usually unexplained, root cause not discernible

4) Result in <10% false negatives (missed threats)

2021-08-27T19:42:41Z
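One way to turn the four criteria in the answer above into a repeatable check, as an added example that is not part of this thread or of any SIEM product: a small Python scorer that takes constructed statistics for one rule (raw event and alert counts, analyst triage outcomes, detection results from simulated attacks, measured CPU cost) and reports which thresholds the rule meets. All names and sample numbers below are constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds taken from the answer above: event reduction, performance
# cost, true-positive rate on investigation, and false-negative rate.
MIN_EVENT_REDUCTION = 0.9999
MAX_PERF_IMPACT = 0.01
MIN_TRUE_POSITIVE_RATE = 0.35
MAX_FALSE_NEGATIVE_RATE = 0.10


@dataclass
class RuleStats:
    raw_events: int          # events the rule inspected over the window
    alerts: int              # correlated alerts the rule produced
    investigated: dict       # triage outcome label -> count
    simulated_attacks: int   # purple-team runs of the technique
    detected_attacks: int    # runs on which the rule actually alerted
    cpu_overhead: float      # fraction of SIEM CPU consumed by this rule


def evaluate_rule(stats: RuleStats) -> dict:
    """Score one correlation rule against the four criteria."""
    tp = stats.investigated.get("true_positive", 0)
    total_inv = sum(stats.investigated.values())
    reduction = 1 - stats.alerts / stats.raw_events
    tp_rate = tp / total_inv if total_inv else 0.0
    # No simulated attacks means no evidence of coverage: treat as all missed.
    fn_rate = (1 - stats.detected_attacks / stats.simulated_attacks
               if stats.simulated_attacks else 1.0)
    metrics = {
        "event_reduction": reduction,
        "perf_impact": stats.cpu_overhead,
        "true_positive_rate": tp_rate,
        "false_negative_rate": fn_rate,
    }
    passes = {
        "event_reduction": reduction >= MIN_EVENT_REDUCTION,
        "perf_impact": stats.cpu_overhead <= MAX_PERF_IMPACT,
        "true_positive_rate": tp_rate >= MIN_TRUE_POSITIVE_RATE,
        "false_negative_rate": fn_rate <= MAX_FALSE_NEGATIVE_RATE,
    }
    return {"metrics": metrics, "passes": passes, "overall": all(passes.values())}


# Constructed sample: a password-spraying rule over a one-week window.
# It is noisy (2000 alerts from 12M events) so the reduction check fails.
SPRAY_RULE = RuleStats(
    raw_events=12_000_000, alerts=2000,
    investigated={"true_positive": 14, "false_positive": 11, "unexplained": 9},
    simulated_attacks=20, detected_attacks=19, cpu_overhead=0.004,
)

if __name__ == "__main__":
    for name, ok in evaluate_rule(SPRAY_RULE)["passes"].items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}")
```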