Hi community,
When one writes detection rules for SIEM solutions, what are the criteria of a good detection rule?
Can you share any examples?
Thanks.
@Chiheb Chebbi,
I hope the below test cases are helpful.
Test 1 - Recon: Password SprayingTest 2 - Privilege Escalation (windows): Powershell Dropper AttacksTest 3 - Lateral Movement: PsExecTest 4 - Privilege Escalation (Linux): Failed SudoTest 5 - Malicious Code Execution: Eicar Malware Test File
Some examples
https://drertugrulakbas.medium...
As a rule, a SIEM correlation should:
1) Reduce events by 99.99% - raw events to correlations
2) Impact system performance by <1%
3) Produce Correlated Threats with >35% true positive rate on investigation
- 33% are usually false positives or misconfigurations (not real threats)
- 33% are usually unexplained, root cause not discernable
4) Result in <10% false negatives (missed threats)
@Chiheb Chebbi,
I hope the below test cases are helpful.
Test 1 - Recon: Password Spraying
Test 2 - Privilege Escalation (windows): Powershell Dropper Attacks
Test 3 - Lateral Movement: PsExec
Test 4 - Privilege Escalation (Linux): Failed Sudo
Test 5 - Malicious Code Execution: Eicar Malware Test File
Some examples
https://drertugrulakbas.medium...
As a rule, a SIEM correlation should:
1) Reduce events by 99.99% - raw events to correlations
2) Impact system performance by <1%
3) Produce Correlated Threats with >35% true positive rate on investigation
- 33% are usually false positives or misconfigurations (not real threats)
- 33% are usually unexplained, root cause not discernable
4) Result in <10% false negatives (missed threats)