Writing SIEM Detection Rules and Alerts
Build detection rules that balance sensitivity (catching real threats) against specificity (minimizing alert fatigue) for common attack techniques.
Detection Rules: What and Why
Detection rules are the logic encoded in a SIEM that defines what conditions constitute a security alert. Without good detection rules, a SIEM is just an expensive log storage system. Well-crafted rules identify specific attacker behaviors — credential stuffing, lateral movement, data exfiltration — while avoiding triggering on normal operations. Detection engineering is the discipline of writing, testing, and maintaining these rules continuously.
Anatomy of a Detection Rule
Every detection rule is built from the same core components. A data source specifies which logs are queried. A filter condition specifies which events match. A threshold or pattern defines how many events, or what sequence of events, triggers the alert. Metadata includes severity, MITRE ATT&CK mapping, a description, and the recommended response. Well-documented rules help analysts quickly understand what an alert means and how to respond when it fires.
# Detection rule anatomy example:
# Name: 'Suspicious PowerShell Encoded Command'
# Severity: HIGH
# ATT&CK: T1059.001 - Command and Scripting Interpreter: PowerShell
# Source: Windows Security Event Logs (EventID 4688)
# Condition: CommandLine contains '-EncodedCommand' OR '-enc '
# AND ParentImage NOT IN ('sccm.exe','wsus.exe')
# Threshold: Any single occurrence
# Response: Isolate host, collect memory dump, notify SOC
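The rule anatomy above expressed as executable detection logic, as an added example that is not part of the original page. It evaluates constructed 4688-style process-creation events (the field names EventID, Computer, ParentImage and CommandLine are assumed, not a real SIEM schema) against the filter condition, the parent-process exclusion and the single-event threshold, and returns the alert metadata for each hit.

```python
import re

# Rule metadata mirroring the anatomy above (assumed structure).
RULE = {
    "name": "Suspicious PowerShell Encoded Command",
    "severity": "HIGH",
    "attack": "T1059.001",
    "parent_allowlist": {"sccm.exe", "wsus.exe"},  # known management tools
}

# PowerShell parses its switches case-insensitively, so the filter must too;
# the rule's '-EncodedCommand' / '-enc ' terms are matched as whole switches.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc)\s")

def matches(event):
    """Return an alert dict if `event` satisfies the rule, else None.

    `event` is a dict with assumed keys 'EventID', 'Computer',
    'ParentImage' and 'CommandLine'; map them to your SIEM's field names.
    """
    if event.get("EventID") != 4688:
        return None                      # data source: process creation only
    if not ENCODED_FLAG.search(event.get("CommandLine", "")):
        return None                      # filter condition
    # Exclusion by parent image name only; a path check would be stricter.
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in RULE["parent_allowlist"]:
        return None                      # specificity: suppress known tooling
    return {                             # threshold: any single occurrence
        "rule": RULE["name"], "severity": RULE["severity"],
        "attack": RULE["attack"], "host": event.get("Computer"),
        "parent": parent, "command_line": event["CommandLine"],
    }

# Constructed sample events, not real telemetry; 'QQBBAEEA' is a placeholder
# encoded payload (UTF-16LE 'AAA'), not a real command.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"EventID": 4688, "Computer": "WS02", "ParentImage": r"C:\Windows\CCM\sccm.exe",
     "CommandLine": "powershell.exe -EncodedCommand QQBBAEEA"},
    {"EventID": 4688, "Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\encode-report.ps1"},
    {"EventID": 4624, "Computer": "WS04", "ParentImage": "",
     "CommandLine": "powershell.exe -ENC QQBBAEEA"},
]

def run_rule(events):
    """Evaluate the rule over an event list and return the alerts raised."""
    return [a for a in (matches(e) for e in events) if a]
```

Only the first sample fires: the second is suppressed by the parent allowlist, the third never contains an encoded-command switch, and the fourth is the wrong event type.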