
How to evaluate SIEM detection rules?

Hi community, 

When one writes detection rules for SIEM solutions, what are the criteria of a good detection rule? 

Can you share any examples?


ITCS user
33 Answers

Expert Moderator, Real User

@Chiheb Chebbi,

I hope the below test cases are helpful.

Test 1 - Recon: Password Spraying
Test 2 - Privilege Escalation (Windows): PowerShell Dropper Attacks
Test 3 - Lateral Movement: PsExec
Test 4 - Privilege Escalation (Linux): Failed Sudo
Test 5 - Malicious Code Execution: EICAR Malware Test File

Top 5, Real User

As a rule, a SIEM correlation should: 

1) Reduce events by 99.99% - raw events to correlations

2) Impact system performance by <1% 

3) Produce Correlated Threats with >35% true positive rate on investigation

- 33% are usually false positives or misconfigurations (not real threats)

- 33% are usually unexplained, root cause not discernable

4) Result in <10% false negatives (missed threats)
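To tie the password-spraying test case from the first answer to the true-positive and false-negative criteria in the second, here is an added example (my own code, not from either poster): a minimal spray rule run over constructed failed-logon events, then scored against the exercise's known ground truth. The event sample, the source IPs, and the 10-minute / 5-account thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events as (timestamp, source_ip, user); not real data.
EVENTS = [
    ("2022-01-10T09:00:05", "10.0.0.7", "alice"),    # fast spray: 6 accounts in 30 s
    ("2022-01-10T09:00:09", "10.0.0.7", "bob"),
    ("2022-01-10T09:00:14", "10.0.0.7", "carol"),
    ("2022-01-10T09:00:20", "10.0.0.7", "dave"),
    ("2022-01-10T09:00:26", "10.0.0.7", "erin"),
    ("2022-01-10T09:00:31", "10.0.0.7", "frank"),
    ("2022-01-10T10:15:00", "10.0.0.22", "alice"),   # benign: one user mistyping
    ("2022-01-10T10:15:40", "10.0.0.22", "alice"),
    ("2022-01-10T11:00:00", "10.0.0.31", "grace"),   # slow spray: one account per 20 min
    ("2022-01-10T11:20:00", "10.0.0.31", "heidi"),
    ("2022-01-10T11:40:00", "10.0.0.31", "ivan"),
    ("2022-01-10T12:00:00", "10.0.0.31", "judy"),
    ("2022-01-10T12:20:00", "10.0.0.31", "mallory"),
    ("2022-01-10T12:40:00", "10.0.0.31", "oscar"),
]
# Ground truth recorded by the test exercise: which sources actually sprayed (assumed).
TRUE_SPRAYERS = {"10.0.0.7", "10.0.0.31"}

def detect_spray(events, window_minutes=10, min_users=5):
    """Rule: one source IP fails logons for >= min_users distinct accounts within the window."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    alerts = set()
    for src, rows in by_src.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):          # slide the window from each event
            users = {u for t, u in rows[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.add(src)
                break
    return alerts

def score_rule(alerts, truth, raw_count):
    """Metrics from the criteria above: event reduction, true-positive rate, false-negative rate."""
    tp = len(alerts & truth)
    return {
        "reduction_pct": 100.0 * (1 - len(alerts) / raw_count),
        "true_positive_rate": tp / len(alerts) if alerts else 0.0,
        "false_negative_rate": (len(truth) - tp) / len(truth),
    }

if __name__ == "__main__":
    for minutes in (10, 120):
        found = detect_spray(EVENTS, window_minutes=minutes)
        print(minutes, sorted(found), score_rule(found, TRUE_SPRAYERS, len(EVENTS)))
```

Widening the window from 10 minutes to 2 hours catches the slow spray from 10.0.0.31 and drops the false-negative rate from 0.5 to 0, at the cost of a lower event-reduction figure, which is exactly the trade-off the criteria above make explicit.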
