Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, and threat intelligence enrichment to combat alert fatigue.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-false-positive-reduction-in-siemExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-false-positive-reduction-in-siem from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-false-positive-reduction-in-siem. Access via /performing-false-positive-reduction-in-siem in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-false-positive-reduction-in-siem |
| description | Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, and threat intelligence enrichment to combat alert fatigue. |
| domain | cybersecurity |
| subdomain | soc-operations |
| tags | - siem - false-positive - alert-tuning - detection-engineering - alert-fatigue - soc - correlation |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Token Binding - Restore Access - Password Authentication - Reissue Credential - Strong Password Policy |
| nist_csf | - DE.CM-01 - DE.AE-02 - RS.MA-01 - DE.AE-06 |
False positive alerts are non-malicious events that trigger security rules, overwhelming SOC analysts with noise. Studies show that up to 45% of SIEM alerts are false positives, and a typical SOC analyst can only investigate 20-25 alerts per shift effectively. Reducing false positives requires systematic tuning across thresholds, correlation logic, allowlists, enrichment, and continuous validation. SIEM rules should be reviewed on a quarterly cycle at minimum.
# Splunk - Top 10 noisiest correlation searches
index=notable
| stats count by rule_name
| sort -count
| head 10
| eval pct=round(count / total * 100, 1)
# False positive rate per rule
index=notable
| stats count as total
count(eval(status_label="Closed - False Positive")) as false_positives
count(eval(status_label="Closed - True Positive")) as true_positives
by rule_name
| eval fp_rate=round(false_positives / total * 100, 1)
| sort -fp_rate
| where total > 10
# Before: Too sensitive - fires on 5 failed logins
index=wineventlog EventCode=4625
| stats count by src_ip
| where count > 5
# After: Tuned - requires 20+ failures across 3+ accounts in 10 minutes
index=wineventlog EventCode=4625
| bin _time span=10m
| stats count dc(TargetUserName) as unique_accounts by src_ip, _time
| where count > 20 AND unique_accounts > 3
# Create allowlist lookup for known benign sources
| inputlookup fp_allowlist.csv
| fields src_ip, reason, approved_by, expiry_date
# Apply allowlist in detection rule
index=wineventlog EventCode=4625
| lookup fp_allowlist src_ip OUTPUT reason as allowlisted_reason
| where isnull(allowlisted_reason)
| stats count dc(TargetUserName) as unique_accounts by src_ip
| where count > 20 AND unique_accounts > 3
# Before: Single-event detection (noisy)
index=wineventlog EventCode=4688 New_Process_Name="*powershell.exe"
| eval severity="medium"
# After: Multi-signal correlation (precise)
index=wineventlog EventCode=4688 New_Process_Name="*powershell.exe"
| join src_ip type=left [
search index=wineventlog EventCode=4625
| stats count as failed_logins by src_ip
]
| join Computer type=left [
search index=sysmon EventCode=3
| stats dc(DestinationIp) as unique_external_connections by Computer
| where unique_external_connections > 10
]
| where isnotnull(failed_logins) OR unique_external_connections > 10
| eval severity=case(
failed_logins > 10 AND unique_external_connections > 10, "critical",
failed_logins > 5 OR unique_external_connections > 5, "high",
true(), "medium"
)
# Exclude known maintenance windows
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%A")
| where NOT (hour >= "02" AND hour <= "04" AND day="Sunday")
# Exclude known batch job schedules
| lookup scheduled_tasks_allowlist process_name, schedule_time
OUTPUT is_scheduled
| where isnull(is_scheduled)
# Build baseline for user login patterns
index=wineventlog EventCode=4624
| bin _time span=1h
| stats count as logins dc(Computer) as unique_hosts by TargetUserName, _time
| eventstats avg(logins) as avg_logins stdev(logins) as stdev_logins
avg(unique_hosts) as avg_hosts stdev(unique_hosts) as stdev_hosts
by TargetUserName
| where logins > (avg_logins + 3 * stdev_logins)
OR unique_hosts > (avg_hosts + 3 * stdev_hosts)
# Only alert when destination matches known threat intelligence
index=firewall action=allowed direction=outbound
| lookup ip_threat_intel_lookup ip as dest_ip OUTPUT threat_type, confidence
| where isnotnull(threat_type) AND confidence > 70
# This eliminates FPs from flagging connections to benign IPs
# Run Atomic Red Team test after tuning to confirm detection still works
# Example: Test brute force detection after threshold adjustment
Invoke-AtomicTest T1110.001 -TestNumbers 1
# Verify detection still triggers after tuning
index=notable rule_name="Brute Force Detection"
earliest=-24h
| stats count
| where count > 0
| Metric | Formula | Target |
|---|---|---|
| False Positive Rate | FP / (FP + TP) * 100 | < 20% |
| Alert Volume Reduction | (Old Volume - New Volume) / Old Volume * 100 | 30-50% per quarter |
| Mean Triage Time | Total triage time / Total alerts | < 8 minutes |
| Rule Precision | TP / (TP + FP) | > 0.80 |
| Analyst Satisfaction | Survey score | > 4/5 |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added performing-false-positive-reduction-in-siem from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend performing-false-positive-reduction-in-siem for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-false-positive-reduction-in-siem reduced setup friction for our internal harness; good balance of opinion and flexibility.
performing-false-positive-reduction-in-siem has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: performing-false-positive-reduction-in-siem is the kind of skill you can hand to a new teammate without a long onboarding doc.
Keeps context tight: performing-false-positive-reduction-in-siem is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for performing-false-positive-reduction-in-siem matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: performing-false-positive-reduction-in-siem is focused, and the summary matches what you get after install.
performing-false-positive-reduction-in-siem reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in performing-false-positive-reduction-in-siem — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 70