
SIEM Content Engineering

Build effective detection rules, correlations, and alerting strategies in your SIEM.

Last updated: February 2026

Purpose and Scope

SIEM content engineering is the practice of building, tuning, and maintaining detection rules and correlation logic. Effective content engineering balances detection coverage with alert quality, minimizing noise while catching real threats.

Prerequisites

  • SIEM platform access: Splunk, Elastic, Microsoft Sentinel, Chronicle, or similar
  • Log ingestion: Endpoint, network, identity, and cloud logs flowing into the SIEM
  • Query proficiency: SPL, KQL, Lucene, YARA-L, or a platform-specific language
  • Understanding of detection frameworks: MITRE ATT&CK, Sigma, Elastic Detection Rules

Detection Goals

Build content that:

  • Detects attacker techniques mapped to MITRE ATT&CK
  • Minimizes false positives to avoid alert fatigue
  • Provides actionable context for analysts
  • Scales with environment growth
  • Remains maintainable over time

Content Development Workflow

1. Identify Detection Opportunity

Start with a specific technique or behavior to detect:

  • Review threat intelligence for relevant TTPs
  • Analyze past incidents for detection gaps
  • Map coverage gaps against MITRE ATT&CK
  • Prioritize based on risk and data availability

2. Research the Technique

Understand how the technique manifests in telemetry:

  • What data sources capture this behavior?
  • What fields indicate malicious vs. benign use?
  • Are there known bypasses or evasion methods?
  • What does normal look like in your environment?

3. Write the Detection Logic

Build queries that identify the behavior:

  • Start with broad logic and refine iteratively
  • Use field normalization (ECS, CIM) for portability
  • Include both positive indicators and exclusions for known benign activity
  • Add comments explaining the logic and rationale

4. Test Against Historical Data

Validate the detection before enabling alerts:

  • Run against 30-90 days of historical logs
  • Review all results for false positives and missed detections
  • Tune thresholds and exclusions based on findings
  • Test against known malicious samples if available

5. Deploy and Monitor

Enable the rule and track its performance:

  • Set appropriate severity and response procedures
  • Monitor alert volume and true positive rate
  • Collect analyst feedback on alert quality
  • Schedule periodic reviews and updates
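The workflow above, carried through as an added example (not code from this guide): a rule with positive indicators and exclusions, backtested against a labelled historical sample before alerting is enabled. Field names follow the ECS dotted style the guide recommends; the events, the `label` key (a constructed stand-in for the analyst verdict from past incident review, not a real log field) and the `svc-sccm` exclusion are assumptions for this example.

```python
"""Added example: build a detection with exclusions and backtest it against
labelled history. Events and labels are constructed, not real telemetry."""

# Constructed 30-day sample: authorized admin tooling mixed with two
# incidents that were previously confirmed malicious.
HISTORY = [
    {"@timestamp": "2026-01-03T08:01:00Z", "host.name": "ws01", "user.name": "alice",
     "process.parent.name": "outlook.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoProfile -EncodedCommand <constructed-blob>",
     "label": "malicious"},
    {"@timestamp": "2026-01-05T02:00:00Z", "host.name": "ws02", "user.name": "svc-sccm",
     "process.parent.name": "ccmexec.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -EncodedCommand <constructed-blob>",
     "label": "benign"},
    {"@timestamp": "2026-01-12T02:00:00Z", "host.name": "ws03", "user.name": "svc-sccm",
     "process.parent.name": "ccmexec.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -enc <constructed-blob>",
     "label": "benign"},
    {"@timestamp": "2026-01-14T09:30:00Z", "host.name": "ws04", "user.name": "bob",
     "process.parent.name": "explorer.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoProfile -File Get-Inventory.ps1",
     "label": "benign"},
    {"@timestamp": "2026-01-20T13:00:00Z", "host.name": "ws05", "user.name": "carol",
     "process.parent.name": "explorer.exe", "process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c dir", "label": "benign"},
    {"@timestamp": "2026-01-28T17:45:00Z", "host.name": "ws06", "user.name": "dave",
     "process.parent.name": "wscript.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -w hidden -enc <constructed-blob>",
     "label": "malicious"},
]

# Positive indicators: command-line switches that introduce an encoded command.
ENCODED_FLAGS = ("-encodedcommand", "-enc ")


def rule_encoded_powershell(event, exclusions):
    """Fire on powershell.exe launched with an encoded command, unless the
    (parent process, user) pair is on the environment's exclusion list."""
    if event.get("process.name", "").lower() != "powershell.exe":
        return False
    cmdline = event.get("process.command_line", "").lower()
    if not any(flag in cmdline for flag in ENCODED_FLAGS):
        return False
    key = (event.get("process.parent.name", "").lower(), event.get("user.name", ""))
    return key not in exclusions


def backtest(rule, events, exclusions):
    """Run the rule over labelled history and summarise alert quality."""
    alerts = true_positives = false_positives = missed = 0
    for event in events:
        fired = rule(event, exclusions)
        malicious = event["label"] == "malicious"
        if fired:
            alerts += 1
            if malicious:
                true_positives += 1
            else:
                false_positives += 1
        elif malicious:
            missed += 1
    precision = round(true_positives / alerts, 2) if alerts else 0.0
    return {"alerts": alerts, "true_positives": true_positives,
            "false_positives": false_positives, "missed": missed,
            "precision": precision}


# Iteration 1: broad logic, no exclusions.
UNTUNED = backtest(rule_encoded_powershell, HISTORY, exclusions=set())

# Iteration 2: review the false positives, allowlist the SCCM service account
# when launched by its own client process (constructed allowlist), re-run.
EXCLUSIONS = {("ccmexec.exe", "svc-sccm")}
TUNED = backtest(rule_encoded_powershell, HISTORY, EXCLUSIONS)

if __name__ == "__main__":
    print("untuned:", UNTUNED)
    print("tuned:  ", TUNED)
```

The untuned pass fires four times with two false positives; after the exclusion is added, the two confirmed incidents are still caught and nothing benign fires. The same loop, pointed at 30 to 90 days of real data, is the test in step 4.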

Correlation Techniques

Temporal Correlation

Link events that occur within a time window. Example: credential access followed by lateral movement within 15 minutes.

Entity Correlation

Group events by user, host, or IP to identify patterns. Example: same user authenticating from multiple countries.

Threshold-Based Correlation

Alert when counts exceed baselines. Example: more than 10 failed logins in 5 minutes.

Sequence Detection

Identify ordered event chains. Example: phishing email received, then attachment opened, then PowerShell execution.
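The four correlation techniques above, each run over one constructed event stream, as an added example that is not part of this guide. The field names (`t`, `type`, `user`, `country`) and the event types are assumptions for the example, not a real SIEM schema; the windows and thresholds are the ones given in the examples above.

```python
"""Added example: temporal, entity, threshold and sequence correlation
over a constructed event stream (all timestamps UTC)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-02-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed events.
EVENTS = [
    {"t": "2026-02-01T09:00:00Z", "type": "credential_access", "user": "alice"},
    {"t": "2026-02-01T09:10:00Z", "type": "lateral_movement", "user": "alice"},
    {"t": "2026-02-01T09:00:00Z", "type": "credential_access", "user": "bob"},
    {"t": "2026-02-01T10:00:00Z", "type": "lateral_movement", "user": "bob"},
    {"t": "2026-02-01T08:00:00Z", "type": "auth_success", "user": "alice", "country": "US"},
    {"t": "2026-02-01T08:30:00Z", "type": "auth_success", "user": "alice", "country": "DE"},
    {"t": "2026-02-01T08:00:00Z", "type": "auth_success", "user": "bob", "country": "US"},
    {"t": "2026-02-01T12:00:00Z", "type": "email_received", "user": "erin"},
    {"t": "2026-02-01T12:05:00Z", "type": "attachment_opened", "user": "erin"},
    {"t": "2026-02-01T12:06:00Z", "type": "powershell_execution", "user": "erin"},
    {"t": "2026-02-01T12:00:00Z", "type": "email_received", "user": "frank"},
    {"t": "2026-02-01T12:06:00Z", "type": "powershell_execution", "user": "frank"},
]
# 11 failed logins for carol inside one minute, 5 for dave.
EVENTS += [{"t": f"2026-02-01T11:00:{i * 5:02d}Z", "type": "auth_failure", "user": "carol"}
           for i in range(11)]
EVENTS += [{"t": f"2026-02-01T11:00:{i * 5:02d}Z", "type": "auth_failure", "user": "dave"}
           for i in range(5)]


def temporal_correlation(events, first_type, second_type, window):
    """Temporal: a second_type event for the same user within `window`
    after a first_type event."""
    hits = []
    for a in events:
        if a["type"] != first_type:
            continue
        for b in events:
            if b["type"] != second_type or b["user"] != a["user"]:
                continue
            gap = ts(b["t"]) - ts(a["t"])
            if timedelta(0) <= gap <= window:
                hits.append((a["user"], a["t"], b["t"]))
    return hits


def entity_correlation(events, event_type="auth_success", field="country"):
    """Entity: users whose events of one type carry more than one distinct value."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == event_type:
            seen[e["user"]].add(e[field])
    return {user: sorted(values) for user, values in seen.items() if len(values) > 1}


def threshold_correlation(events, event_type, threshold, window):
    """Threshold: sliding window per user; alert once the count exceeds `threshold`."""
    windows = defaultdict(deque)
    alerted = set()
    for e in sorted(events, key=lambda x: ts(x["t"])):
        if e["type"] != event_type:
            continue
        now = ts(e["t"])
        q = windows[e["user"]]
        q.append(now)
        while now - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerted.add(e["user"])
    return sorted(alerted)


def sequence_detection(events, chain):
    """Sequence: users whose events contain `chain` in order (gaps allowed)."""
    progress = defaultdict(int)
    matched = set()
    for e in sorted(events, key=lambda x: ts(x["t"])):
        i = progress[e["user"]]
        if i < len(chain) and e["type"] == chain[i]:
            progress[e["user"]] = i + 1
            if i + 1 == len(chain):
                matched.add(e["user"])
    return sorted(matched)


def run_all(events=EVENTS):
    return {
        "temporal": temporal_correlation(events, "credential_access", "lateral_movement",
                                         timedelta(minutes=15)),
        "entity": entity_correlation(events),
        "threshold": threshold_correlation(events, "auth_failure", 10, timedelta(minutes=5)),
        "sequence": sequence_detection(events, ("email_received", "attachment_opened",
                                                "powershell_execution")),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Only alice, alice, carol and erin respectively should surface: bob's lateral movement is an hour later, dave stops at five failures, and frank never opened an attachment, so his PowerShell execution does not complete the chain.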

Using Sigma Rules

Sigma provides detection rules that work across platforms:

  • Write once, convert to SPL, KQL, Lucene, and other formats
  • Large community library of validated rules
  • Use sigmac or pySigma for conversion
  • Customize converted rules for your environment
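To show what a Sigma rule's detection section means and how a local exclusion is layered on top of it, here is an added example that is not from this guide, from the Sigma project, or from sigmac/pySigma: a minimal evaluator for Sigma-style `selection`/`filter`/`condition` logic run against constructed process-creation events. The rule is constructed for this example in Sigma's YAML structure (written as a dict so it runs without a YAML parser); the `filter_corptools` exclusion and the `C:\CorpTools` path are assumptions standing in for your own environment.

```python
"""Added example: evaluate Sigma-style detection logic against sample
events, then add an environment-specific filter. Rule and events are
constructed; this is not sigmac or pySigma."""
import copy
from fnmatch import fnmatchcase

RULE = {
    "title": "Suspicious Child Process of Office Application (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
        },
        # Known benign children shipped with the rule (printing helper, mail client).
        "filter_known_children": {
            "Image|endswith": ["\\splwow64.exe", "\\outlook.exe"],
        },
        "condition": "selection and not filter_known_children",
    },
    "tags": ["attack.initial_access", "attack.t1566.001"],
}

# Constructed process-creation events using Sysmon-style field names.
EVENTS = [
    {"id": "evt-1", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c <constructed>"},
    {"id": "evt-2", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"id": "evt-3", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"id": "evt-4", "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile <constructed>"},
    {"id": "evt-5", "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\CorpTools\\report.vbs"},
]


def _match_value(actual, pattern, modifiers):
    """Sigma string matching is case-insensitive; plain values use * and ? wildcards."""
    a, p = str(actual).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in a
    if "startswith" in modifiers:
        return a.startswith(p)
    if "endswith" in modifiers:
        return a.endswith(p)
    return fnmatchcase(a, p)


def match_selection(selection, event):
    """Fields in a selection map are ANDed; a list of values is ORed
    unless the |all modifier is present."""
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        values = values if isinstance(values, list) else [values]
        results = [_match_value(event[field], v, modifiers) for v in values]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def eval_condition(condition, detection, event):
    """Tiny recursive-descent evaluator for `and`, `or`, `not` and parentheses."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def expr():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = term()          # evaluate unconditionally to consume tokens
            value = value or right
        return value

    def term():
        nonlocal pos
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = factor()
            value = value and right
        return value

    def factor():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            pos += 1                # skip the closing parenthesis
            return value
        return match_selection(detection[tok], event)

    return expr()


def match_rule(rule, events):
    """Return the ids of events the rule's condition matches."""
    det = rule["detection"]
    return [e["id"] for e in events if eval_condition(det["condition"], det, e)]


def customize_for_environment(rule, name, selection):
    """Add a local filter without editing the shipped rule in place."""
    local = copy.deepcopy(rule)
    local["detection"][name] = selection
    local["detection"]["condition"] += f" and not {name}"
    return local


# Local tuning (assumption): an internal reporting script launched from Excel.
LOCAL_RULE = customize_for_environment(
    RULE, "filter_corptools",
    {"Image|endswith": "\\wscript.exe", "CommandLine|contains": "\\corptools\\"})

if __name__ == "__main__":
    print("shipped rule:", match_rule(RULE, EVENTS))
    print("local rule:  ", match_rule(LOCAL_RULE, EVENTS))
```

The shipped rule matches evt-1, evt-4 and evt-5 (evt-2 is removed by the rule's own filter, evt-3 never passes the selection); the local copy drops evt-5 as well. Keeping the exclusion in a separately named filter, rather than editing the selection, is what lets you re-import an updated community rule later without losing your tuning.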

Alert Quality Metrics

  • True positive rate: Percentage of alerts representing real threats
  • Mean time to triage: How long analysts spend per alert
  • Coverage score: Percentage of ATT&CK techniques with detection
  • Alert volume: Total alerts per day/week by rule

Tuning Strategies

  • Maintain allowlists for known good activity (authorized admin tools, scheduled tasks)
  • Use risk scoring to prioritize high confidence alerts
  • Implement tiered alerting: high severity for confident detections, lower for informational
  • Regularly review and deprecate rules that no longer provide value
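The Alert Quality Metrics and Tuning Strategies sections above, worked through together in one added example that is not part of this guide: the four metrics are computed from analyst dispositions, and the same alert records are then run through an allowlist and a risk-scored, tiered output. The rule inventory, ATT&CK scope list, alert records and the `svc-scanner` allowlist entry are constructed for this example; the rule and field names are assumptions, not a real SIEM schema.

```python
"""Added example: alert quality metrics from analyst dispositions, then
allowlisting and risk-based tiering over the same constructed alerts."""
from collections import defaultdict

# Constructed rule inventory: ATT&CK mapping plus a severity weight for risk scoring.
RULES = {
    "rule-enc-ps": {"technique": "T1059.001", "severity": 60},
    "rule-brute": {"technique": "T1110", "severity": 40},
    "rule-travel": {"technique": "T1078", "severity": 50},
    "rule-office-child": {"technique": "T1566.001", "severity": 70},
}
# Constructed list of techniques the organisation has chosen to cover.
ATTACK_SCOPE = ["T1059.001", "T1110", "T1078", "T1021", "T1566.001", "T1003"]
PERIOD_DAYS = 7

# Constructed alerts from one week: (rule, entity, analyst disposition, triage minutes).
ALERTS = [
    ("rule-enc-ps", "alice", "true_positive", 20),
    ("rule-enc-ps", "erin", "true_positive", 30),
    ("rule-enc-ps", "bob", "false_positive", 10),
    ("rule-brute", "bob", "true_positive", 45),
    ("rule-brute", "carol", "false_positive", 5),
    ("rule-brute", "dan", "false_positive", 5),
    ("rule-travel", "alice", "true_positive", 15),
    ("rule-travel", "frank", "false_positive", 25),
    ("rule-office-child", "alice", "true_positive", 40),
] + [("rule-brute", "svc-scanner", "false_positive", 5)] * 6


def alert_metrics(alerts, rules, scope, days):
    """Per-rule true positive rate, mean time to triage and daily volume,
    plus the coverage score across the ATT&CK scope."""
    per_rule = defaultdict(list)
    for rule, _entity, disposition, minutes in alerts:
        per_rule[rule].append((disposition, minutes))
    metrics = {}
    for rule, rows in per_rule.items():
        true_positives = sum(1 for d, _ in rows if d == "true_positive")
        metrics[rule] = {
            "alert_volume_per_day": round(len(rows) / days, 2),
            "true_positive_rate": round(true_positives / len(rows), 2),
            "mean_time_to_triage_min": round(sum(m for _, m in rows) / len(rows), 2),
        }
    covered = {r["technique"] for r in rules.values()} & set(scope)
    return {"rules": metrics, "coverage_score": round(len(covered) / len(scope), 2)}


def review_candidates(metrics, min_tpr=0.2):
    """Rules whose true positive rate fell below min_tpr: tune or deprecate."""
    return sorted(r for r, m in metrics["rules"].items()
                  if m["true_positive_rate"] < min_tpr)


# Allowlist (assumption): the authorized vulnerability scanner account.
ALLOWLIST = {("rule-brute", "svc-scanner")}


def risk_tiers(alerts, rules, allowlist, high_threshold=100):
    """Drop allowlisted (rule, entity) pairs, accumulate severity per entity,
    and emit a high-severity alert only once an entity crosses the threshold;
    everything below stays informational."""
    risk = defaultdict(int)
    suppressed = 0
    for rule, entity, _disposition, _minutes in alerts:
        if (rule, entity) in allowlist:
            suppressed += 1
            continue
        risk[entity] += rules[rule]["severity"]
    tiers = {entity: ("high" if score >= high_threshold else "informational")
             for entity, score in sorted(risk.items())}
    return {"risk": dict(risk), "tiers": tiers, "suppressed": suppressed}


if __name__ == "__main__":
    metrics = alert_metrics(ALERTS, RULES, ATTACK_SCOPE, PERIOD_DAYS)
    print(metrics)
    print("review:", review_candidates(metrics))
    print(risk_tiers(ALERTS, RULES, ALLOWLIST))
```

The brute-force rule shows up as a review candidate with a true positive rate near 0.11, and the allowlist is the cheaper fix than deprecating it: six of its nine alerts came from one scanner account. After suppression, only alice and bob accumulate enough risk to reach the high tier; the single informational hits on carol, dan and frank never page anyone on their own.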

Documentation Standards

Every detection rule should include:

  • ATT&CK technique mapping
  • Description of the behavior detected
  • Data source requirements
  • Known false positive scenarios
  • Recommended response actions
  • Author and last review date

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.