Files
Anthropic-Cybersecurity-Skills/skills/implementing-siem-use-case-tuning/SKILL.md
T
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00

45 lines
1.9 KiB
Markdown

---
name: implementing-siem-use-case-tuning
description: Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy metrics in Splunk and Elastic
domain: cybersecurity
subdomain: security-operations
tags:
- siem
- detection-engineering
- false-positive-reduction
- splunk
- elastic
- alert-tuning
- soc
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Implementing SIEM Use Case Tuning
## Overview
SIEM use case tuning reduces alert fatigue by systematically analyzing detection rules for false positive rates, adjusting thresholds based on environmental baselines, creating context-aware whitelists, and measuring detection efficacy through precision/recall metrics. This skill covers tuning workflows for Splunk correlation searches and Elastic detection rules, including statistical baselining, exclusion list management, and alert-to-incident conversion tracking.
## Prerequisites
- Splunk Enterprise/Cloud with ES or Elastic SIEM with detection rules enabled
- Historical alert data (minimum 30 days) for baseline analysis
- Python 3.8+ with `requests` library
- SIEM admin credentials or API tokens
## Steps
1. Export current alert volumes per detection rule from SIEM
2. Calculate false positive rate per rule using analyst disposition data
3. Identify top noise-generating rules by volume and FP rate
4. Build environmental baselines for thresholds (e.g., login counts, process spawns)
5. Create whitelist entries for known-good entities (service accounts, scanners)
6. Adjust rule thresholds using statistical analysis (mean + N standard deviations)
7. Measure tuning impact via before/after precision and alert-to-incident ratio
## Expected Output
JSON report with per-rule tuning recommendations including current FP rate, suggested threshold adjustments, whitelist entries, and projected alert reduction percentages.