mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing - detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis - performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation - analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation - hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
This commit is contained in:
@@ -0,0 +1,44 @@
|
||||
---
|
||||
name: implementing-siem-use-case-tuning
|
||||
description: Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy metrics in Splunk and Elastic
|
||||
domain: cybersecurity
|
||||
subdomain: security-operations
|
||||
tags:
|
||||
- siem
|
||||
- detection-engineering
|
||||
- false-positive-reduction
|
||||
- splunk
|
||||
- elastic
|
||||
- alert-tuning
|
||||
- soc
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
# Implementing SIEM Use Case Tuning
|
||||
|
||||
## Overview
|
||||
|
||||
SIEM use case tuning reduces alert fatigue by systematically analyzing detection rules for false positive rates, adjusting thresholds based on environmental baselines, creating context-aware whitelists, and measuring detection efficacy through precision/recall metrics. This skill covers tuning workflows for Splunk correlation searches and Elastic detection rules, including statistical baselining, exclusion list management, and alert-to-incident conversion tracking.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Splunk Enterprise/Cloud with ES or Elastic SIEM with detection rules enabled
|
||||
- Historical alert data (minimum 30 days) for baseline analysis
|
||||
- Python 3.8+ with `requests` library
|
||||
- SIEM admin credentials or API tokens
|
||||
|
||||
## Steps
|
||||
|
||||
1. Export current alert volumes per detection rule from SIEM
|
||||
2. Calculate false positive rate per rule using analyst disposition data
|
||||
3. Identify top noise-generating rules by volume and FP rate
|
||||
4. Build environmental baselines for thresholds (e.g., login counts, process spawns)
|
||||
5. Create whitelist entries for known-good entities (service accounts, scanners)
|
||||
6. Adjust rule thresholds using statistical analysis (mean + N standard deviations)
|
||||
7. Measure tuning impact via before/after precision and alert-to-incident ratio
|
||||
|
||||
## Expected Output
|
||||
|
||||
JSON report with per-rule tuning recommendations including current FP rate, suggested threshold adjustments, whitelist entries, and projected alert reduction percentages.
|
||||
Reference in New Issue
Block a user