
Lab 2: Detection Rule Tuning

Difficulty: ⭐⭐⭐ Advanced
Duration: 75–90 minutes
Chapter Reference: Chapter 5 — Detection Engineering at Scale
Nexus SecOps Controls: Nexus SecOps-041, Nexus SecOps-042, Nexus SecOps-043, Nexus SecOps-044, Nexus SecOps-045, Nexus SecOps-048


Learning Objectives

By completing this lab, you will be able to:

  1. Analyze a noisy detection rule and identify its false positive patterns
  2. Propose and evaluate three distinct tuning approaches with tradeoffs
  3. Apply a structured change control workflow to detection modifications
  4. Measure the precision/recall impact of each tuning approach
  5. Write a tuning justification document suitable for peer review

Background

Detection rules decay over time. Environment changes, newly authorized tools, and shifting operational patterns turn previously effective rules into false positive generators. A rule with an 80% FP rate consumes analyst time that should go to real threats.

Effective tuning requires:

- Evidence-based analysis — FP patterns must be identified from data, not assumptions
- Tradeoff awareness — every exclusion risks hiding real attacks
- Change control discipline — tuning changes follow the same gates as new rules
- Metric tracking — measure before and after, not just "it feels less noisy"


Setup

No tooling required. This lab uses synthetic log data provided in the tables below.

Scenario: You are a Detection Engineer at Meridian Financial Services. The SIEM alert queue shows that the rule DET-2024-PS-001 (Suspicious PowerShell Execution) is generating approximately 40 alerts per day, of which your team estimates only 10–15% are genuine concerns.

The CISO has requested that you reduce alert volume by 60% without losing meaningful detection capability. You have 24 hours of alert data to analyze.


The Rule Under Review

Current Rule: DET-2024-PS-001

# Sigma rule format (simplified)
title: Suspicious PowerShell Execution
id: DET-2024-PS-001
status: stable   # 'production' is not a valid Sigma status (stable/test/experimental/deprecated/unsupported)
description: >
  Detects PowerShell execution with encoded commands, download cradles,
  or execution policy bypass flags.
author: SOC Detection Team
date: 2023-08-15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'   # pwsh.exe (PowerShell 7) is not covered by this selection
    CommandLine|contains:               # Sigma string matching is case-insensitive by default
      - '-EncodedCommand'
      - '-enc '
      - '-e '
      - 'DownloadString'
      - 'DownloadFile'
      - 'IEX'
      - 'Invoke-Expression'
      - '-ExecutionPolicy Bypass'
      - '-ep bypass'
      - 'WebClient'
  condition: selection
falsepositives:
  - Administrative scripts
  - Software deployment tools
  - Monitoring agents
level: high
tags:
  - attack.execution
  - attack.t1059.001

Current metrics (last 30 days):

| Metric | Value |
|---|---|
| Daily alert volume | ~40 alerts/day |
| Estimated true positive rate | 10–15% |
| Analyst time per alert | 8–12 minutes |
| Total analyst time per day | 5–8 hours |
| Confirmed malicious incidents | 3 in 30 days |

Alert Dataset: 50 Events (24-Hour Sample)

Analyze the following 50 alerts triggered by the rule. Each row represents one alert.

| # | Time | User | Host | CommandLine (truncated) | Parent Process | Notes |
|---|---|---|---|---|---|---|
| 1 | 06:12 | svc-monitoring | MONSVR01 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Runs every 6h |
| 2 | 06:12 | svc-monitoring | MONSVR02 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Same encoded cmd |
| 3 | 06:12 | svc-monitoring | MONSVR03 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Same encoded cmd |
| 4 | 06:12 | svc-monitoring | MONSVR04 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Same encoded cmd |
| 5 | 06:12 | svc-monitoring | MONSVR05 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Same encoded cmd |
| 6 | 07:30 | IT-Admin-01 | SRV-PATCH01 | powershell.exe -ep bypass -File deploy.ps1 | sccm.exe | SCCM deployment |
| 7 | 07:31 | IT-Admin-01 | SRV-PATCH02 | powershell.exe -ep bypass -File deploy.ps1 | sccm.exe | SCCM deployment |
| 8 | 07:31 | IT-Admin-01 | SRV-PATCH03 | powershell.exe -ep bypass -File deploy.ps1 | sccm.exe | SCCM deployment |
| 9 | 07:32 | IT-Admin-02 | SRV-PATCH04 | powershell.exe -ep bypass -File deploy.ps1 | sccm.exe | SCCM deployment |
| 10 | 07:32 | IT-Admin-02 | SRV-PATCH05 | powershell.exe -ep bypass -File deploy.ps1 | sccm.exe | SCCM deployment |
| 11 | 08:15 | jsmith | CORP-WS-042 | powershell.exe -ExecutionPolicy Bypass -enc SQBuAH... | explorer.exe | User-initiated; SUSPICIOUS |
| 12 | 09:00 | svc-backup | BKPSRV01 | powershell.exe -EncodedCommand VABhAHMAawA... | Task Scheduler | Daily backup job |
| 13 | 09:00 | svc-backup | BKPSRV02 | powershell.exe -EncodedCommand VABhAHMAawA... | Task Scheduler | Same backup job |
| 14 | 10:05 | IT-Admin-03 | MGMT-WS-001 | powershell.exe -enc SQBtAHAAbwByAHQA... | powershell_ise.exe | Admin scripting |
| 15 | 10:45 | svc-monitoring | MONSVR06 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Same as #1–5 |
| 16 | 10:45 | svc-monitoring | MONSVR07 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | Same as #1–5 |
| 17 | 11:00 | agarcia | HR-WS-003 | powershell.exe -ExecutionPolicy Bypass -File C:\Users\agarcia\Downloads\tool.ps1 | explorer.exe | SUSPICIOUS — user downloaded script |
| 18 | 11:20 | svc-deploy | DEPLOY01 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Internal repo URL |
| 19 | 11:20 | svc-deploy | DEPLOY02 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Internal repo URL |
| 20 | 11:20 | svc-deploy | DEPLOY03 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Internal repo URL |
| 21 | 11:20 | svc-deploy | DEPLOY04 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Internal repo URL |
| 22 | 11:20 | svc-deploy | DEPLOY05 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Internal repo URL |
| 23 | 12:00 | svc-monitoring | MONSVR01 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 12:00 run (same as #1) |
| 24 | 12:00 | svc-monitoring | MONSVR02 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 12:00 run |
| 25 | 12:00 | svc-monitoring | MONSVR03 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 12:00 run |
| 26 | 12:00 | svc-monitoring | MONSVR04 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 12:00 run |
| 27 | 12:00 | svc-monitoring | MONSVR05 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 12:00 run |
| 28 | 12:30 | IT-Admin-01 | MGMT-WS-002 | powershell.exe -ep bypass -File patch-hotfix.ps1 | cmd.exe | Hotfix deployment |
| 29 | 13:15 | svc-backup | BKPSRV03 | powershell.exe -EncodedCommand VABhAHMAawA... | Task Scheduler | Same backup job |
| 30 | 13:15 | svc-backup | BKPSRV04 | powershell.exe -EncodedCommand VABhAHMAawA... | Task Scheduler | Same backup job |
| 31 | 14:00 | mlopez | FINANCE-WS-011 | powershell.exe -e SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0... | explorer.exe | SUSPICIOUS — finance user, encoded |
| 32 | 14:10 | mlopez | FINANCE-WS-011 | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc SQBuAHYA... | powershell.exe | SUSPICIOUS — hidden window + bypass |
| 33 | 14:45 | IT-Admin-04 | SRV-PATCH06 | powershell.exe -ep bypass -File .\scripts\audit.ps1 | sccm.exe | SCCM audit script |
| 34 | 15:00 | svc-monitoring | MONSVR06 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 15:00 run |
| 35 | 15:00 | svc-monitoring | MONSVR07 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 15:00 run |
| 36 | 15:30 | svc-deploy | DEPLOY01 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Afternoon deployment |
| 37 | 15:30 | svc-deploy | DEPLOY02 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Afternoon deployment |
| 38 | 15:30 | svc-deploy | DEPLOY03 | powershell.exe -ep bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://internal-repo/scripts/update.ps1')" | deploy-agent.exe | Afternoon deployment |
| 39 | 16:00 | IT-Admin-02 | MGMT-WS-003 | powershell.exe -enc SQBtAHAAbwByAHQA... | powershell_ise.exe | Admin scripting session |
| 40 | 16:30 | rlopez | ACCT-WS-007 | powershell.exe -ExecutionPolicy Bypass -File script.ps1 | explorer.exe | SUSPICIOUS — accounting user |
| 41 | 17:00 | svc-backup | BKPSRV01 | powershell.exe -EncodedCommand VABhAHMAawA... | Task Scheduler | Backup job |
| 42 | 17:00 | svc-backup | BKPSRV02 | powershell.exe -EncodedCommand VABhAHMAawA... | Task Scheduler | Backup job |
| 43 | 17:30 | IT-Admin-03 | SRV-PATCH07 | powershell.exe -ep bypass -File deploy.ps1 | sccm.exe | SCCM end-of-day deployment |
| 44 | 18:00 | svc-monitoring | MONSVR01 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 18:00 run |
| 45 | 18:00 | svc-monitoring | MONSVR02 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 18:00 run |
| 46 | 18:00 | svc-monitoring | MONSVR03 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 18:00 run |
| 47 | 18:00 | svc-monitoring | MONSVR04 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 18:00 run |
| 48 | 18:00 | svc-monitoring | MONSVR05 | powershell.exe -EncodedCommand JAByAGUAc... | Task Scheduler | 18:00 run |
| 49 | 21:00 | bwilson | SALES-WS-019 | powershell.exe -ExecutionPolicy Bypass -enc UwB0AGEAcgB0... | explorer.exe | SUSPICIOUS — after-hours, sales user |
| 50 | 22:45 | ex-contractor | TEMP-WS-001 | powershell.exe -ep bypass -enc SQBuAHYAbwBrAGUA... | explorer.exe | HIGHLY SUSPICIOUS — contractor account after hours |

Task 1: FP Pattern Analysis

Before proposing any tuning, analyze the dataset to identify FP patterns.

1.1 — Categorize Each Alert

Group the 50 alerts into categories based on the likely explanation:

| Category | Alert Numbers | Count |
|---|---|---|
| Monitoring service (scheduled) | | |
| Backup service (scheduled) | | |
| IT Admin / SCCM deployment | | |
| Deployment service | | |
| Suspicious / Needs investigation | | |

1.2 — Calculate Current Metrics

Using your categorization:

| Metric | Your Calculation |
|---|---|
| Total alerts | 50 |
| Confirmed FP (safe to exclude) | |
| Suspicious (requires investigation) | |
| Estimated FP rate | |
| Alert volume to eliminate (target: 60%) | |

1.3 — Identify FP Patterns

For each FP category, describe the distinguishing characteristics:

| FP Category | Parent Process | User Account | Host Pattern | Time Pattern |
|---|---|---|---|---|
| Monitoring service | | | | |
| Backup service | | | | |
| IT Admin SCCM | | | | |
| Deployment service | | | | |

Task 2: Evaluate Three Tuning Approaches

For each approach, analyze the tradeoffs before recommending one.

Approach A: Allowlist by Service Account

Proposed modification:

# Add to rule filter section
# Fields inside one Sigma selection are ANDed: this filter matches only when BOTH the
# user and the parent image are listed, so the IT-Admin SCCM runs (#6–10, #33, #43) keep alerting.
filter_service_accounts:
  User|contains:
    - 'svc-monitoring'
    - 'svc-backup'
    - 'svc-deploy'
  ParentImage|endswith:
    - '\taskschd.exe'   # Task Scheduler, as named in this lab's synthetic data; on real hosts the
                        # scheduler parent is svchost.exe (Schedule service), far too broad to allowlist
    - '\sccm.exe'       # SCCM
    - '\deploy-agent.exe'
condition: selection and not filter_service_accounts

Evaluate this approach:

| Criteria | Your Assessment |
|---|---|
| FP alerts eliminated | |
| True positives at risk | |
| Evasion risk (how could an attacker abuse this?) | |
| Maintenance burden (what breaks this in 6 months?) | |
| Recommended? Y/N | |

Approach B: Parent Process Filtering

Proposed modification:

# Suppress when the parent is a known-good launcher, regardless of which user ran it.
# |endswith matches the file name only: any binary named sccm.exe in any directory would match.
filter_known_good_parents:
  ParentImage|endswith:
    - '\taskschd.exe'
    - '\sccm.exe'
    - '\deploy-agent.exe'
    - '\powershell_ise.exe'
condition: selection and not filter_known_good_parents

Evaluate this approach:

| Criteria | Your Assessment |
|---|---|
| FP alerts eliminated | |
| True positives at risk | |
| Evasion risk (how could an attacker abuse this?) | |
| Maintenance burden (what breaks this in 6 months?) | |
| Recommended? Y/N | |

Approach C: Contextual Enrichment + Risk Scoring

Proposed modification: Rather than exclusions, add risk score fields and only alert when a risk score threshold is met:

# Risk score logic (pseudocode for SIEM correlation rule)
base_score: 30  # All PowerShell with suspicious flags

enrichments:
  - user_type:
      service_account: -20
      it_admin: -10
      standard_user: +20
      finance_hr_user: +30
  - parent_process:
      task_scheduler: -15
      sccm: -15
      deploy_agent: -15
      explorer: +25
      powershell: +20
  - time_context:
      business_hours: 0
      after_hours: +15
  - host_context:
      server: -5
      workstation: +10
      monitoring_host: -20

alert_threshold: 50  # Only fire if score >= 50

Evaluate this approach:

| Criteria | Your Assessment |
|---|---|
| FP alerts eliminated (estimated) | |
| True positives at risk | |
| Evasion risk (how could an attacker abuse this?) | |
| Maintenance burden | |
| Additional tooling required | |
| Recommended? Y/N | |

Task 3: Impact Projection

For the approach you recommend, calculate the projected impact:

| Metric | Before Tuning | After Tuning | Change |
|---|---|---|---|
| Daily alert volume | 40 | | |
| Analyst hours per day | 5–8 (40 alerts × 8–12 min) | | |
| Estimated FP rate | 85–90% | | |
| Alerts requiring investigation | ~4–6 | | |
| Detection coverage (TPs missed) | 0 | | |

Does your recommended approach meet the 60% volume reduction target? ___

What is the risk of missing a true positive? (describe the specific scenario)


Task 4: Change Control Exercise

Your tuning change requires following the Detection Change Control SOP. Complete the documentation.

Rule Change Documentation

# DET-2024-PS-001 — Change Record
change_id: CHG-DET-2024-0047
rule_id: DET-2024-PS-001
change_type: tuning  # new | tuning | retire
author: [Your Name]
date: 2026-02-19
reviewed_by: [Peer Reviewer Name]

change_summary: >
  [Describe in 1–2 sentences what change is being made and why]

current_metrics:
  daily_volume: 40
  fp_rate: "85-90%"
  analyst_hours_per_day: "5-8"

expected_metrics:
  daily_volume:
  fp_rate:
  analyst_hours_per_day:

detection_coverage_impact: >
  [Describe any reduction in detection coverage and what threat scenarios
  could now evade detection]

tuning_evidence:
  analysis_period: "2026-02-18 (24 hours)"
  events_analyzed: 50
  fp_patterns_identified:
    -
    -
    -

rollback_plan: >
  [How to revert this change if it causes missed detections]

staging_period_days: 7
post_deployment_review_days: 30

Questions to Answer Before Peer Review

  1. What attack scenarios does this change NOT protect against?
  2. Is there a compensating control if this rule misses something?
  3. How will you know if this tuning was correct? (what metrics to track post-deployment)
  4. What would trigger a rollback?

Answer Key

Complete your analysis before reading the answer key.

Task 1 — FP Pattern Analysis

Alert Categorization:

| Category | Alert Numbers | Count |
|---|---|---|
| Monitoring service (scheduled) | 1–5, 15, 16, 23–27, 34, 35, 44–48 | 19 |
| Backup service (scheduled) | 12, 13, 29, 30, 41, 42 | 6 |
| IT Admin / SCCM deployment | 6–10, 14, 28, 33, 39, 43 | 10 |
| Deployment service (svc-deploy) | 18–22, 36–38 | 8 |
| Suspicious / Needs investigation | 11, 17, 31, 32, 40, 49, 50 | 7 |

Calculated metrics:

| Metric | Value |
|---|---|
| Confirmed FP (safe to exclude) | 43 |
| Suspicious | 7 |
| Estimated FP rate | 86% |
| Alerts to eliminate (60% target = 30) | 43 available |

FP Pattern Characteristics:

| FP Category | Parent Process | User Account | Host Pattern | Time Pattern |
|---|---|---|---|---|
| Monitoring | Task Scheduler (taskschd.exe) | svc-monitoring | MONSVRxx | 06:12/12:00/18:00 on MONSVR01–05 (every 6h); 10:45/15:00 on MONSVR06–07 |
| Backup | Task Scheduler (taskschd.exe) | svc-backup | BKPSRVxx | 09:00, 13:15, 17:00 |
| IT Admin SCCM | sccm.exe (powershell_ise.exe for #14, #39; cmd.exe for #28) | IT-Admin-xx | SRV-PATCHxx, MGMT-WS-xxx | Business hours |
| Deploy service | deploy-agent.exe | svc-deploy | DEPLOYxx | Business hours (11:20, 15:30 batches) |

Task 2 — Approach Evaluation

Approach A (Service Account Allowlist):

| Criteria | Assessment |
|---|---|
| FP alerts eliminated | 33 (monitoring 19 + backup 6 + deploy service 8). The IT-Admin SCCM runs keep alerting because the filter requires a svc- account as well as a known parent |
| TPs at risk | Low — all 7 suspicious alerts use non-service accounts |
| Evasion risk | HIGH — an attacker who compromises svc-monitoring or svc-deploy and launches through the matching parent (a scheduled task they registered, for instance) becomes invisible to this rule |
| Maintenance | Medium — the list must be updated whenever service accounts are added or renamed |
| Recommended | Partially — only with the parent-process condition kept as a guard; a user-only allowlist is not acceptable |

Approach B (Parent Process Filtering):

| Criteria | Assessment |
|---|---|
| FP alerts eliminated | 42 — every FP except #28, whose parent (cmd.exe) is not on the list |
| TPs at risk | Low — all 7 suspicious alerts launched from explorer.exe or powershell.exe |
| Evasion risk | MEDIUM — an attacker who achieves code execution within SCCM, Task Scheduler, or deploy-agent evades. More simply, |endswith matches the file name only, so a payload dropped as sccm.exe or deploy-agent.exe in any writable directory inherits the exclusion; pin the full path, and the signer where the log source records it |
| Maintenance | Low — parent processes rarely change |
| Recommended | Yes — but combine with service account context |

Approach C (Risk Scoring):

| Criteria | Assessment |
|---|---|
| FP alerts eliminated | 43 with the scores as written: the highest-scoring FPs are the interactive IT-Admin runs (#14, #28, #39) at 30, while every suspicious alert scores 85 or more, so the threshold of 50 has a wide margin on both sides |
| TPs at risk | Very low — all suspicious alerts score high (explorer + standard/finance user + after-hours) |
| Evasion risk | LOW — attacker must match multiple benign attributes simultaneously |
| Maintenance | High — requires SIEM enrichment pipeline, asset/user context always current |
| Additional tooling | Asset inventory integration, user classification |
| Recommended | Best long-term but highest implementation effort |

Recommended approach: B + A combined for immediate relief, with C as a 6-month strategic goal.

Combined B+A: Only suppress when parent process AND user account match known-good patterns simultaneously. This prevents either exclusion alone from being abused.
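To check the counts above against the data rather than by hand, here is an added Python example (not part of the original lab materials) that replays the 50-row sample through Approach A, Approach B, the combined B+A pairing and the Approach C risk score. The events are reconstructed from the alert table (times rounded to the first row of each batch); the full parent image paths, the 08:00–18:00 business-hours window, the finance/HR classification inferred from workstation names (FINANCE-, HR-, ACCT-) and the parent-to-account pairing used for B+A are assumptions the lab does not spell out.

```python
"""Replay the lab's 50-alert sample through tuning approaches A, B, A+B and C."""
from collections import namedtuple

Alert = namedtuple("Alert", "id time user host parent_image suspicious")

# Reconstructed from the alert table: (alert ids, time of the batch's first row,
# user, host name format, first host number, parent image, suspicious per Notes column)
GROUPS = [
    ("1-5",   "06:12", "svc-monitoring", "MONSVR{:02d}",      1,  "taskschd.exe",       False),
    ("6-8",   "07:30", "IT-Admin-01",    "SRV-PATCH{:02d}",   1,  "sccm.exe",           False),
    ("9-10",  "07:32", "IT-Admin-02",    "SRV-PATCH{:02d}",   4,  "sccm.exe",           False),
    ("11",    "08:15", "jsmith",         "CORP-WS-{:03d}",    42, "explorer.exe",       True),
    ("12-13", "09:00", "svc-backup",     "BKPSRV{:02d}",      1,  "taskschd.exe",       False),
    ("14",    "10:05", "IT-Admin-03",    "MGMT-WS-{:03d}",    1,  "powershell_ise.exe", False),
    ("15-16", "10:45", "svc-monitoring", "MONSVR{:02d}",      6,  "taskschd.exe",       False),
    ("17",    "11:00", "agarcia",        "HR-WS-{:03d}",      3,  "explorer.exe",       True),
    ("18-22", "11:20", "svc-deploy",     "DEPLOY{:02d}",      1,  "deploy-agent.exe",   False),
    ("23-27", "12:00", "svc-monitoring", "MONSVR{:02d}",      1,  "taskschd.exe",       False),
    ("28",    "12:30", "IT-Admin-01",    "MGMT-WS-{:03d}",    2,  "cmd.exe",            False),
    ("29-30", "13:15", "svc-backup",     "BKPSRV{:02d}",      3,  "taskschd.exe",       False),
    ("31",    "14:00", "mlopez",         "FINANCE-WS-{:03d}", 11, "explorer.exe",       True),
    ("32",    "14:10", "mlopez",         "FINANCE-WS-{:03d}", 11, "powershell.exe",     True),
    ("33",    "14:45", "IT-Admin-04",    "SRV-PATCH{:02d}",   6,  "sccm.exe",           False),
    ("34-35", "15:00", "svc-monitoring", "MONSVR{:02d}",      6,  "taskschd.exe",       False),
    ("36-38", "15:30", "svc-deploy",     "DEPLOY{:02d}",      1,  "deploy-agent.exe",   False),
    ("39",    "16:00", "IT-Admin-02",    "MGMT-WS-{:03d}",    3,  "powershell_ise.exe", False),
    ("40",    "16:30", "rlopez",         "ACCT-WS-{:03d}",    7,  "explorer.exe",       True),
    ("41-42", "17:00", "svc-backup",     "BKPSRV{:02d}",      1,  "taskschd.exe",       False),
    ("43",    "17:30", "IT-Admin-03",    "SRV-PATCH{:02d}",   7,  "sccm.exe",           False),
    ("44-48", "18:00", "svc-monitoring", "MONSVR{:02d}",      1,  "taskschd.exe",       False),
    ("49",    "21:00", "bwilson",        "SALES-WS-{:03d}",   19, "explorer.exe",       True),
    ("50",    "22:45", "ex-contractor",  "TEMP-WS-{:03d}",    1,  "explorer.exe",       True),
]


def expand(groups=GROUPS):
    """One Alert per table row; the full parent path is an assumption (the table lists names only)."""
    alerts = []
    for ids, time, user, host_fmt, first_n, parent, suspicious in groups:
        lo, _, hi = ids.partition("-")
        for i, alert_id in enumerate(range(int(lo), int(hi or lo) + 1)):
            alerts.append(Alert(alert_id, time, user, host_fmt.format(first_n + i),
                                "C:\\Windows\\System32\\" + parent, suspicious))
    return alerts


def _endswith(value, suffixes):           # Sigma |endswith: case-insensitive, file name only
    return value.lower().endswith(tuple(s.lower() for s in suffixes))


AUTOMATION_PARENTS = ("\\taskschd.exe", "\\sccm.exe", "\\deploy-agent.exe")


def filter_a(a):                          # Approach A: user AND parent (fields in one selection are ANDed)
    return any(u in a.user.lower() for u in ("svc-monitoring", "svc-backup", "svc-deploy")) \
        and _endswith(a.parent_image, AUTOMATION_PARENTS)


def filter_b(a):                          # Approach B: known-good parent, any user
    return _endswith(a.parent_image, AUTOMATION_PARENTS + ("\\powershell_ise.exe",))


# Combined B+A: each parent is paired with the account prefix expected to launch it, so a stolen
# svc- account or a dropper renamed sccm.exe does not, on its own, inherit the exclusion (assumed pairing).
EXPECTED_LAUNCHERS = {"\\taskschd.exe": "svc-", "\\sccm.exe": "it-admin-",
                      "\\deploy-agent.exe": "svc-deploy", "\\powershell_ise.exe": "it-admin-"}


def filter_a_plus_b(a):
    return any(_endswith(a.parent_image, (parent,)) and a.user.lower().startswith(prefix)
               for parent, prefix in EXPECTED_LAUNCHERS.items())


def risk_score(a, business_hours=("08:00", "18:00")):
    """Approach C scoring. Business hours and the finance/HR inference from host names are assumptions."""
    score, u, p, h = 30, a.user.lower(), a.parent_image.lower(), a.host.upper()
    if u.startswith("svc-"):                             score -= 20   # service_account
    elif u.startswith("it-admin"):                       score -= 10   # it_admin
    elif h.startswith(("FINANCE-", "HR-", "ACCT-")):     score += 30   # finance_hr_user
    else:                                                score += 20   # standard_user
    if _endswith(p, AUTOMATION_PARENTS):                 score -= 15   # task_scheduler / sccm / deploy_agent
    elif p.endswith("\\explorer.exe"):                   score += 25
    elif p.endswith("\\powershell.exe"):                 score += 20
    if not business_hours[0] <= a.time < business_hours[1]: score += 15  # "HH:MM" strings compare lexically
    if h.startswith("MONSVR"):                           score -= 20   # monitoring_host
    elif "-WS-" in h:                                    score += 10   # workstation
    else:                                                score -= 5    # server
    return score


def evaluate(alerts):
    """Per approach: FPs eliminated, TPs wrongly suppressed, alerts left in the queue."""
    suppressors = {"A": filter_a, "B": filter_b, "A+B": filter_a_plus_b, "C": lambda a: risk_score(a) < 50}
    results = {}
    for name, suppressed in suppressors.items():
        hidden = [a for a in alerts if suppressed(a)]
        results[name] = {"fp_eliminated": sum(not a.suspicious for a in hidden),
                         "tp_suppressed": sum(a.suspicious for a in hidden),
                         "remaining": len(alerts) - len(hidden)}
    return results


if __name__ == "__main__":
    sample = expand()
    for name, r in evaluate(sample).items():
        print(f"Approach {name:>3}: {r}")
    print("highest FP score:", max(risk_score(a) for a in sample if not a.suspicious),
          "| lowest suspicious score:", min(risk_score(a) for a in sample if a.suspicious))
```

Running it reports 33 FPs eliminated for A, 42 for B and for B+A (#28, launched from cmd.exe, survives both), and 43 for C, with no suspicious alert suppressed by any approach. The risk scores separate cleanly, no FP above 30 and no suspicious alert below 85, which is what makes the threshold of 50 defensible; if a future enrichment change narrows that gap, the threshold needs re-deriving from data, not adjusting by feel.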


Task 3 — Impact Projection (Approach B)

| Metric | Before | After | Change |
|---|---|---|---|
| Daily alert volume | 40 | ~6–7 (8 of the 50 sampled remain: the 7 suspicious alerts plus #28, whose cmd.exe parent is not on the list) | −84% |
| Analyst hours per day | 5–8 h | ~1–1.5 h | about −80% |
| Estimated FP rate | 86% | ~13% (1 of 8) | −73 pts |
| Alerts requiring investigation | 4–6 | 6–7 | Roughly flat |
| Detection coverage (TPs missed) | 0% | 0% | No change |

Exceeds the 60% target: Yes — Approach B achieves ~84% volume reduction on the sample.

Risk of missing a TP: If an attacker gains access to SCCM and launches PowerShell through the SCCM agent, that alert would be suppressed. Compensating control: monitor SCCM for unexpected command executions; separate SCCM telemetry alert.


Task 4 — Change Control Answers

  1. Attack scenarios not protected: PowerShell launched via SCCM, Task Scheduler, or deploy-agent by an attacker who has compromised those systems or their service accounts.

  2. Compensating controls: SCCM execution monitoring rule; service account anomaly detection (Nexus SecOps-052); lateral movement rules on SCCM hosts.

  3. Post-deployment metrics to track:
     - Daily alert volume (target: ≤8/day)
     - FP rate (target: <20%)
     - New incidents where this rule should have fired but didn't (track via retrospective review)
     - Weekly check of filtered events for anomalies

  4. Rollback triggers:
     - Any confirmed incident where a malicious PowerShell execution was suppressed by the filter
     - Alert volume drops to <2/day (may indicate the rule is broken, not just tuned)
     - Discovery that a threat actor is actively exploiting the parent process exclusion

Scoring

| Criteria | Points |
|---|---|
| Correctly categorized all 50 alerts | 20 pts |
| Identified all 4 FP patterns with distinguishing characteristics | 20 pts |
| Evaluated all 3 approaches with accurate tradeoff analysis | 30 pts |
| Impact projection within ±15% of answer key | 15 pts |
| Change control documentation complete and specific | 15 pts |
| Total | 100 pts |

Score ≥ 80: Ready to lead detection engineering tuning projects
Score 60–79: Review Chapter 5 on detection lifecycle and tuning methodology
Score < 60: Revisit detection fundamentals; do Lab 1 first


Lab 2 complete. Proceed to Lab 3: IR Simulation