Our SIEM had high-noise, low-fidelity out-of-the-box rules generating hundreds of alerts daily, most of which were false positives. Analysts were experiencing alert fatigue, causing real threats to be missed. We needed a systematic detection engineering program to build high-quality, behavior-based rules mapped to our specific threat model.
| Tactic | Technique | Platform | Confidence |
|---|---|---|---|
| Initial Access | T1190 Exploit Public App | Splunk SPL | High |
| Execution | T1059.001 PowerShell | Splunk + Sigma | High |
| Persistence | T1053.005 Scheduled Task | Splunk + Wazuh | High |
| Privilege Esc. | T1078 Valid Accounts | Splunk SPL | Medium |
| Defense Evasion | T1070.004 File Deletion | Wazuh FIM | High |
| Cred. Access | T1110 Brute Force | All Platforms | High |
| Lateral Movement | T1021.001 RDP | Splunk SPL | High |
| C&C | T1071.004 DNS Tunneling | Network Logs | Medium |
Scheduled task persistence (T1053.005), as a Splunk SPL search:

```spl
index=windows_events EventCode IN (4698, 4702)
| where NOT match(TaskName, "^(Microsoft|Windows|Adobe|Google)")
| stats count by Computer, SubjectUserName, TaskName
| eval severity="HIGH", technique="T1053.005"
```
PowerShell encoded-command execution (T1059.001), as a Sigma rule:

```yaml
title: PowerShell Encoded Command
tags: [attack.execution, attack.t1059.001]
logsource:
  product: windows
  category: ps_script
detection:
  selection:
    ScriptBlockText|contains: ['-EncodedCommand', '-enc ']
  condition: selection
level: high
```

We reduced false positives by 40% with five practices:

- a two-week audit-mode baseline before enabling alerts;
- asset criticality enrichment on every alert;
- whitelisting trusted admin processes;
- statistical anomaly rules in place of exact pattern matches;
- Git-based version control for all rule changes.
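The following is an added example, not code from the original write-up, showing how several of those tuning practices fit together for the T1053.005 rule above: the SPL allowlist regex is reused as-is, a 14-day audit window learns a per-host baseline (threshold = mean + 3 standard deviations of the daily count of non-vendor task events), later days are evaluated against that threshold, and each alert is enriched with asset criticality to derive a triage priority. The hostnames, user names, task names and the criticality table are all constructed for the example; a real deployment would read events from the SIEM and criticality from the CMDB.

```python
"""Added example: baseline + anomaly + enrichment for the T1053.005 rule.
Hostnames, users, task names and the criticality table are constructed."""
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

# Same vendor prefixes excluded by the SPL rule above.
ALLOWLIST = re.compile(r"^(Microsoft|Windows|Adobe|Google)")

# Constructed stand-in for a CMDB export of asset criticality.
ASSET_CRITICALITY = {"DC01": "critical", "FILESRV02": "high", "WKS-0451": "low"}

BASELINE_DAYS = 14   # the "2-week audit mode" period
K_SIGMA = 3.0        # anomaly threshold in standard deviations


@dataclass(frozen=True)
class Event:
    day: int          # day index within the observation window
    computer: str
    user: str
    task_name: str
    event_code: int   # 4698 = task created, 4702 = task updated


def is_candidate(ev: Event) -> bool:
    """Rule logic from the SPL: relevant event codes minus vendor task names."""
    return ev.event_code in (4698, 4702) and not ALLOWLIST.match(ev.task_name)


def daily_counts(events):
    """Per-host, per-day count of candidate (non-allowlisted) task events."""
    counts = defaultdict(Counter)
    for ev in events:
        if is_candidate(ev):
            counts[ev.computer][ev.day] += 1
    return counts


def build_baseline(events, window_days=BASELINE_DAYS, k=K_SIGMA):
    """Audit-mode phase: learn a per-host threshold from the first window_days.
    Quiet days count as zero, so a host that never registers non-vendor tasks
    keeps a threshold of 0 and its first such task will alert."""
    thresholds = {}
    for host, per_day in daily_counts(events).items():
        series = [per_day.get(d, 0) for d in range(window_days)]
        thresholds[host] = statistics.mean(series) + k * statistics.pstdev(series)
    return thresholds


def priority(criticality: str) -> str:
    """Fold asset criticality into a triage priority for a HIGH-severity rule."""
    return {"critical": "P1", "high": "P2"}.get(criticality, "P3")


def detect(events, thresholds, window_days=BASELINE_DAYS):
    """Alerting phase: days after the baseline window whose count exceeds the host's threshold."""
    alerts = []
    for host, per_day in daily_counts(events).items():
        limit = thresholds.get(host, 0.0)   # host unseen in baseline: any non-vendor task alerts
        for day, count in per_day.items():
            if day >= window_days and count > limit:
                crit = ASSET_CRITICALITY.get(host, "unknown")
                alerts.append({
                    "computer": host, "day": day, "count": count,
                    "threshold": round(limit, 2), "technique": "T1053.005",
                    "severity": "HIGH", "asset_criticality": crit,
                    "priority": priority(crit),
                })
    return sorted(alerts, key=lambda a: (a["day"], a["computer"]))


def sample_events():
    """Constructed telemetry: 14 baseline days, then three days of detection traffic."""
    events = []
    for day in range(BASELINE_DAYS):
        # The DC re-registers one backup task every day: normal for this host.
        events.append(Event(day, "DC01", "svc_backup", "BackupAgent-Sync", 4702))
        # Vendor maintenance tasks on every host: allowlisted noise.
        for host in ASSET_CRITICALITY:
            events.append(Event(day, host, "SYSTEM",
                                "Microsoft\\Windows\\Defrag\\ScheduledDefrag", 4702))
    events.append(Event(14, "DC01", "svc_backup", "BackupAgent-Sync", 4702))  # within baseline, no alert
    events.append(Event(15, "WKS-0451", "jdoe", "Updater", 4698))              # first ever on a quiet host
    for i in range(4):                                                          # burst on the DC
        events.append(Event(16, "DC01", "jdoe", f"Maintenance-{i}", 4698))
    return events


def run():
    """Learn the baseline and evaluate the detection window on the sample data."""
    events = sample_events()
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the DC's steady one-task-per-day pattern sets its threshold at 1.0, so the single day-14 re-registration stays silent while the four-task burst on day 16 fires as a P1 (critical asset); the workstation, quiet throughout the baseline, alerts on its very first non-vendor task but only as a P3. Exact-match rules would have treated all of these events identically.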