Most Security Operations Centers operate with a painful reality: thousands of daily alerts, single-digit investigation rates, and critical threats lost in the noise. The root cause isn't the SIEM platform — it's the detection engineering approach. This article presents a structured methodology for building detections that security analysts actually want to investigate.
The Detection Maturity Model
Before writing rules, assess your current detection maturity:
- Level 0: Vendor defaults — Out-of-the-box rules with no tuning. High noise, low value
- Level 1: Basic customization — Vendor rules with whitelist tuning. Reduced noise but still reactive
- Level 2: Threat-informed — Custom rules written against specific TTPs relevant to your threat model
- Level 3: Hypothesis-driven — Detections created from threat hunting findings and validated against red team exercises
- Level 4: Continuous validation — Automated detection testing with purple team tooling ensuring rules fire reliably
The Detection Engineering Lifecycle
Step 1: Intelligence-Driven Requirements
Start every detection with a specific threat scenario, not a log source:
- What attacker technique are we detecting? (MITRE ATT&CK reference)
- Which threat actors use this technique against organizations like ours?
- What does this technique look like in our specific environment?
- What data sources do we need to detect it?
SIA CTI reports identify which techniques are trending for your industry — use these to prioritize detection development.
Step 2: Data Source Validation
Before writing a rule, confirm the required telemetry exists:
- Is the log source configured and ingesting into the SIEM?
- Are the specific fields needed for detection being parsed correctly?
- Is the log retention sufficient for the detection's lookback window?
- Are there any collection gaps (missing endpoints, network segments, cloud services)?
Step 3: Rule Development
Write detections that balance precision and recall:
- Behavioral over signature — Detect the technique, not the specific tool. Tools change; techniques persist
- Context enrichment — Enrich alerts with asset criticality, user risk score, and threat intelligence context
- Multi-stage correlation — Chain low-confidence signals into high-confidence detections
- Negative logic — Sometimes it's easier to define what's normal and alert on everything else
Step 4: Testing and Validation
Every detection must be tested before deployment:
- Atomic testing — Use Atomic Red Team or similar to simulate the specific technique in a controlled environment
- False positive analysis — Run the detection against 30 days of historical data. If it generates more than 5 alerts per day, it needs tuning
- True positive validation — Confirm the detection fires on known-bad activity with the expected alert fields
Step 5: Operationalization
A detection is only valuable if analysts can act on it:
- Runbook — Every detection rule needs a corresponding investigation runbook
- Severity classification — Based on confidence level, asset criticality, and business impact
- Escalation path — Clear criteria for when to escalate from L1 to L2 to incident response
- Metrics tracking — Track true positive rate, mean time to investigate, and mean time to resolve per detection
High-Value Detection Examples
These detections cover common attack patterns with high true-positive rates:
- Kerberoasting — Windows Event ID 4769 where ticket encryption type is 0x17 (RC4) and the service account is not a machine account
- DCSync — Event ID 4662 with GetChanges and GetChangesAll rights from a non-domain-controller source
- Credential dumping — Sysmon Event ID 10 with TargetImage matching lsass.exe from an unexpected source process
- Lateral movement — Windows Event ID 4624 (Type 3 or Type 10) from a source that has never authenticated to the target before
- Data staging — File creation events in staging directories (C:\PerfLogs, C:\Windows\Temp) with archive extensions (.7z, .zip, .rar)
How SIA Force Helps
High-fidelity detections require high-fidelity intelligence. Incorporate SIA CTI insights to build threat-informed rules, and enrich your SOC alerts with context from SIA Feeds to reduce false positives.