Guide · Detection engineering

Tuning Sigma false positives without weakening detection

Last reviewed:

False-positive tuning should remove known-good activity from the SIEM alert path while leaving the attacker behaviour intact. If tuning changes the behaviour being detected, it has gone too far.

Start with the behaviour

Before tuning a noisy rule, restate the attacker behaviour in one sentence. For example: a new credential is added to a cloud service account, a diagnostic setting is disabled, or a suspicious child process starts from a web server. That sentence is the part you must not tune away.

Then list the legitimate systems that produce the same signal. Most useful suppressions are boring: deployment automation, break-glass accounts, vulnerability scanners, backup jobs and approved maintenance scripts.

Prefer narrow suppression

A broad exclusion is tempting when alerts are noisy. It is also where detections go to die. Suppressing every administrator, every internal IP or every service account may silence the queue while handing attackers a clean path through the rule.

Use narrow conditions instead. Suppress a named automation principal only when it calls an expected API from an expected network during an approved window. Keep the base behaviour visible outside that lane.

  • Suppress known-good identities by exact id, not by loose display-name patterns.
  • Limit network suppressions to owned ranges with a change record.
  • Add expiry dates to temporary suppressions created during incident response.

Tune in the SIEM

Sigma is the portable source rule. Production tuning belongs in the SIEM where the tenant's field names, enrichment tables and allowlists live. That keeps the shared rule useful while letting each environment handle its own noise.

For Splunk, this may mean lookup tables and macros. For Sentinel, it may mean watchlists and KQL joins. For Google SecOps, Elastic or OpenSearch, the same principle applies: keep the attacker condition, then subtract known-good context as close to the alerting layer as possible.

Prove the rule still works

Every tuning change needs a before-and-after check. Count how many historical alerts disappear, then replay a known-bad or synthetic event that should still fire. If the test event no longer alerts, the suppression is too wide.

Good tuning leaves a note for the next analyst: what was suppressed, why it was safe, who approved it and when to review it. Six months later, that note matters more than the clever query change.

Tuning review checklist text 
[ ] Attacker behaviour is still present in the condition
[ ] Suppression names exact known-good sources
[ ] Test event still alerts after tuning
[ ] Owner and review date are recorded
[ ] Temporary exceptions have an expiry date
← Back to Guides
Sources
  • SigmaHQ rule format, https://github.com/SigmaHQ/sigma-specification
  • Microsoft Sentinel analytics rules tuning, https://learn.microsoft.com/azure/sentinel/detect-threats-custom
  • Splunk search best practices, https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearchoptimization
Last verified: 2026-05-20