
The Top 10 Ways that SIEM rules “silently” break

If you’re like most detection engineering teams, your SIEM – whether Splunk, Microsoft Sentinel, IBM QRadar, or another platform – has hundreds of detection rules that have been added over time.

Often, these rules were added by security engineers and analysts who are no longer part of the team, leaving little (if any) documentation.

Over that same period, your environment has changed in many ways. You may have added new log source types, retired older log sources, or upgraded to newer versions of existing log source types (often with changed event formats or field names). You have added new detections for the latest threats and vulnerabilities, and changed specific monitoring targets and exclusions (critical users, sensitive hosts, crown-jewel applications, etc.). You may also have added generic rules copied and pasted from open sources or supplied by an MSSP, written for someone else’s environment rather than yours.

The result? Broken rules that will never fire due to misconfigurations and data quality issues – and gaps in your threat detection coverage.

This leads to a false sense of security: your CISO and management think they’re protected – and are then unpleasantly surprised when the Red Team (or worse, an adversary) finds a hidden gap in your defenses and exploits it.
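As an added illustration (not code from the original post or from CardinalOps), here is a small rule health check that flags rules which can no longer fire for the reasons described above: the log source was retired or has gone silent, a log source upgrade dropped a field the rule queries, or a hard-coded monitoring target no longer exists. The rule definitions, source inventory and asset list are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. In practice these would be pulled from the SIEM
# (last event time and field list per source) and from the CMDB (asset list).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SOURCE_INVENTORY = {
    "windows_security": {"last_event": NOW - timedelta(minutes=5),
                         "fields": {"EventID", "TargetUserName", "IpAddress"}},
    # Firewall was upgraded; the old schema used "src", the new one "src_ip".
    "firewall_v2":      {"last_event": NOW - timedelta(minutes=2),
                         "fields": {"src_ip", "dest_ip", "action"}},
    # Retired proxy: still configured as a source, but nothing has arrived.
    "legacy_proxy":     {"last_event": NOW - timedelta(days=45),
                         "fields": {"url", "user"}},
}
RULES = [  # source queried, fields referenced, hard-coded monitoring targets
    {"name": "Brute force logon", "source": "windows_security",
     "fields": {"EventID", "TargetUserName"}, "targets": []},
    {"name": "Outbound to blocklist", "source": "firewall_v2",
     "fields": {"src", "dest_ip"}, "targets": []},
    {"name": "Proxy C2 beacon", "source": "legacy_proxy",
     "fields": {"url"}, "targets": []},
    {"name": "Crown-jewel DB access", "source": "windows_security",
     "fields": {"EventID"}, "targets": ["db-prod-01"]},
]
ASSETS = {"db-prod-02"}  # db-prod-01 was decommissioned and rebuilt


def check_rule(rule, inventory, assets, now, silence=timedelta(days=7)):
    """Return the reasons this rule can no longer fire (empty list = healthy)."""
    problems = []
    src = inventory.get(rule["source"])
    if src is None:
        return [f"log source '{rule['source']}' is not onboarded"]
    if now - src["last_event"] > silence:
        days = (now - src["last_event"]).days
        problems.append(f"log source '{rule['source']}' silent for {days} days")
    missing = rule["fields"] - src["fields"]
    if missing:
        problems.append(f"fields not in current schema: {sorted(missing)}")
    stale = [t for t in rule["targets"] if t not in assets]
    if stale:
        problems.append(f"monitoring targets no longer exist: {stale}")
    return problems


def audit(rules, inventory, assets, now):
    """Map each rule name to its list of problems."""
    return {r["name"]: check_rule(r, inventory, assets, now) for r in rules}


if __name__ == "__main__":
    for name, problems in audit(RULES, SOURCE_INVENTORY, ASSETS, NOW).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Running such a check on a schedule, and treating any non-empty result as a ticket for the detection engineering team, turns a silent failure into a visible one.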
