From one noisy alert to a portable Sigma rule
A single EDR detection is a starting point, not an answer. Here's how to turn it into a tuned, vendor-neutral Sigma rule without drowning in false positives.
Most detections start life as a single alert that someone, somewhere, decided was interesting. The hard part isn’t writing the rule — it’s writing one that survives contact with a real environment. This walks through promoting a one-off observation into a Sigma rule you can ship.
Start from the behaviour, not the artefact
The instinct is to match on a hash or a filename. Both are brittle. Instead, anchor on the behaviour the technique requires. For a suspicious LOLBin invocation, that’s usually the combination of image, a distinctive flag, and an unusual parent.
title: Suspicious rundll32 with no DLL arguments
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    filter_args:
        CommandLine|contains: '.dll'
    condition: selection and not filter_args
falsepositives:
    - Rare legitimate wrappers that shell out to rundll32
level: medium
Tune against reality
Run it across your benign dataset before it ever reaches production. Every match is either a true positive you can explain or a false positive you need to filter. Resist the urge to filter by hostname — that just hides the noise.
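The benign-dataset pass described above, as an added example that is not part of the original post: a minimal evaluator for the rule's two selections and its and/or/not condition, run over a handful of constructed process_creation events, followed by one tuning step that adds a ParentImage exclusion for the vendor wrapper the rule's falsepositives note already anticipates. The events, the wrapper path and the add_filter helper are assumptions for illustration; the matching semantics (case-insensitive strings, AND across fields within a selection, OR across list values) follow the Sigma specification.

```python
"""Run a Sigma-style process_creation rule over a constructed benign dataset
before it ships. Added example, not code from the original post; the
mini-evaluator only supports the value modifiers and the and/or/not condition
grammar the post's rule needs, and raises on anything else (e.g. '1 of them')."""
import copy
import re

# The post's rule, as the dict PyYAML would produce from its YAML.
RULE = {
    "title": "Suspicious rundll32 with no DLL arguments",
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        "filter_args": {"CommandLine|contains": ".dll"},
        "condition": "selection and not filter_args",
    },
}

# Constructed sample events standing in for a benign dataset plus the original
# alert. The "note" key is ours for readability, not a Sysmon/EDR field.
EVENTS = [
    {"note": "control panel applet", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"note": "upper-case DLL argument", "Image": r"C:\Windows\System32\RUNDLL32.EXE",
     "CommandLine": "RUNDLL32.EXE Shell32.DLL,OpenAs_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"note": "unrelated process", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"note": "legitimate vendor wrapper (false positive)",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Program Files\ExampleVendor\wrapper.exe"},
    {"note": "the original alert", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\alice\Downloads\installer.exe"},
]


def _value_matches(actual, wanted, modifiers):
    """Apply a Sigma string modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, w = str(actual).lower(), str(wanted).lower()
    if "contains" in modifiers:
        return w in a
    if "endswith" in modifiers:
        return a.endswith(w)
    if "startswith" in modifiers:
        return a.startswith(w)
    return a == w


def _selection_matches(event, selection):
    """Every field in a selection map must match (AND); list values are OR."""
    for key, wanted in selection.items():
        field, *modifiers = key.split("|")
        candidates = wanted if isinstance(wanted, list) else [wanted]
        if not any(_value_matches(event.get(field), w, modifiers) for w in candidates):
            return False
    return True


_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_][\w*]*|\d+")


def evaluate_condition(condition, results):
    """Evaluate an and/or/not/parentheses condition over per-selection booleans.
    Every token is validated first, so eval only ever sees True/False/and/or/not."""
    expr = []
    for tok in _TOKEN.findall(condition):
        if tok in ("and", "or", "not", "(", ")"):
            expr.append(tok)
        elif tok in results:
            expr.append(str(results[tok]))
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: _selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def run_rule(rule, events):
    """Return the events the rule fires on; each is a TP to explain or an FP to filter."""
    return [e for e in events if rule_matches(rule, e)]


def add_filter(rule, name, selection):
    """Return a copy of the rule with one more exclusion ANDed into the condition."""
    tuned = copy.deepcopy(rule)
    tuned["detection"][name] = selection
    tuned["detection"]["condition"] += f" and not {name}"
    return tuned


if __name__ == "__main__":
    tuned = add_filter(RULE, "filter_wrapper", {"ParentImage|endswith": "\\wrapper.exe"})
    for label, rule in (("as written", RULE), ("tuned", tuned)):
        hits = run_rule(rule, EVENTS)
        print(f"{label}: {len(hits)} match(es)")
        for e in hits:
            print("   ", e["note"], "<-", e["ParentImage"])
```

The exclusion is keyed on the wrapper's parent image rather than a hostname, which is the point the paragraph makes: the filter documents why a match is benign, so it keeps working when the wrapper turns up on a host you have never seen. Anything the evaluator does not understand in a condition raises instead of silently returning False, so a rule that uses syntax beyond this grammar cannot pass the benign-dataset check by accident.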
Ship it at medium, watch it for a fortnight, and promote to high once the false-positive rate is something your on-call rotation can live with.