HOW-TO GUIDE | DETECTION ENGINEERING
Updated 10 min read

How to Validate Your SIEM Is Actually Detecting Attacks (Not Just Ingesting Logs)

44%
Of organizations have critical detection gaps they are unaware of (Mandiant Security Validation, 2025)
0
Third-party tools required for Tier 1 and Tier 2 validation: uses built-in Windows utilities
5 min
Time to confirm whether your SIEM is receiving current events from a given log source
3
Tiers of validation that provide complete detection stack assurance

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A SIEM that never fires alerts is not necessarily a SIEM in a quiet, well-defended environment. It might be a SIEM with broken log forwarding from the domain controller. Or one where detection rules were deployed but never tested. Or one where alerts are firing but routing to an unmonitored queue.

Mandiant's 2025 security validation assessment found that 44% of organizations had critical detection gaps they were unaware of: not because they lacked rules, but because the pipeline between the event source and the analyst was broken somewhere.

The three-tier validation process below confirms: logs are flowing, rules are firing, and alerts are reaching analysts. Run it quarterly and after any significant SIEM configuration change.

Tier 1: Confirm Log Ingestion Is Current

Before testing detection rules, verify that log sources are actually sending current events. A rule cannot fire if the events are not arriving.

What to check for each log source:

In your SIEM's search interface, query each critical log source for events in the last 15 minutes. If any source shows no events in 15 minutes, ingestion is either broken or the source is genuinely quiet (which is itself suspicious for high-volume sources like domain controller authentication logs).

Expected event volumes for reference:

  • Windows domain controller Security log: Multiple Event ID 4624 (logon) events per minute during business hours. Zero events in 15 minutes during work hours means the log forwarder is broken.
  • Windows endpoint Security log: At least one Event ID 4624 per login session. If a logged-in machine shows no Security events in an hour, the agent is dead.
  • Firewall/network device: At minimum, deny events every few minutes (background internet noise is constant). A firewall with zero events means the syslog forwarding is broken.
  • DNS resolver log: Continuous queries during business hours. Zero DNS events means the resolver is not forwarding.

How to test log forwarder health without generating noise:

On a Windows machine you are monitoring, open Event Viewer and manually create a test event:

eventcreate /ID 999 /L APPLICATION /T INFORMATION /SO SIEM-TEST /D "SIEM ingestion test event"

Search your SIEM for this event within 2 minutes. If it appears, the forwarding pipeline for that machine is functioning. If it does not appear within 5 minutes, the forwarder is broken or the pipeline has an upstream gap.

Tier 2: Fire Known-Bad Events Using Built-In Tools

Once log ingestion is confirmed, test whether your detection rules are actually triggering. Use built-in Windows tools to simulate the attack behaviors your rules claim to detect: no additional software required.

Test 1: PowerShell download cradle (MITRE T1059.001)

Run this on a monitored test endpoint:

powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://169.254.169.254/test' -TimeoutSec 2" 2>&1

This uses the AWS metadata IP as the target (returns immediately with an error on non-cloud systems, generates no external traffic). A properly configured SIEM with PowerShell logging enabled should alert on:

  • PowerShell Operational log Event ID 4104 (Script Block Logging) showing Invoke-WebRequest with an external URI
  • Or your EDR should flag the PowerShell execution pattern

If no alert fires, either PowerShell Script Block Logging is not enabled (HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging) or your SIEM has no rule for this technique.

Test 2: Suspicious process spawned by Office application (MITRE T1566.001)

This simulates a macro-delivery attack pattern:

cmd /c whoami > C:\Users\Public\test_output.txt

This by itself is benign. The detection test is to run it from a parent process that should not spawn cmd.exe. If you are testing in a controlled environment, you can script this from a PowerShell parent:

Start-Process cmd.exe -ArgumentList "/c whoami > C:\Users\Public\test_output.txt"

A SIEM with process creation logging (Sysmon Event ID 1 or Windows Event ID 4688) should generate an alert when cmd.exe is spawned by an unusual parent.

Test 3: Local account creation (MITRE T1136.001)

This is a common attacker persistence technique:

net user SIEM-TEST-ACCOUNT P@ssw0rdTest123 /add

This should generate Windows Security Event ID 4720 (user account created). Your SIEM should alert on new local account creation, and the alert should fire within 5 minutes.

Clean up immediately:

net user SIEM-TEST-ACCOUNT /delete
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Tier 3: Verify Alert Routing and Response Quality

The final tier confirms that triggered alerts actually reach the right people in a usable form. An alert that fires in the SIEM console but routes to an unmonitored queue provides zero defensive value.

Check alert routing for each test in Tier 2:

  1. Did the alert appear in the SIEM console within the expected time window (under 5 minutes for real-time rules)?
  2. Did it route to the correct analyst queue, email distribution list, or ticketing system?
  3. Does the alert contain enough context for a first-responder with no prior knowledge of the event to begin triage? Required context: hostname, username, process name, command line, source IP, and timestamp.
  4. Is the alert severity calibrated correctly? A PowerShell download cradle alert should not be severity Low.

The enrichment gap test:

For the local account creation test (Event ID 4720), check whether your alert includes:

  • The new account name
  • The user or service account that created it
  • The hostname where it was created
  • The source IP of the creating session

If the alert says 'New user account created' with no additional context, your enrichment pipeline is not functioning. Analysts will require manual investigation to answer basic questions that should be in the alert.

Scheduling validation runs:

Run Tier 1 (ingestion check) monthly via an automated script that posts results to your SOC channel. Run Tier 2 and Tier 3 quarterly or after any SIEM rule or forwarding configuration change. Document the results each time: this documentation becomes your detection program's evidence of due care.

Atomic Red Team for Broader Coverage

The three built-in tests above cover the most common detection gaps. For broader coverage of MITRE ATT&CK techniques, Atomic Red Team by Red Canary provides over 1,000 safe test cases that simulate specific attack techniques without causing damage to your environment.

Install in a controlled environment:

Install-Module -Name invoke-atomicredteam -Scope CurrentUser
Import-Module invoke-atomicredteam

Run a specific atomic test:

Invoke-AtomicTest T1059.001  # PowerShell execution
Invoke-AtomicTest T1003.001  # LSASS credential dumping
Invoke-AtomicTest T1136.001  # Local account creation

Each test maps to a specific MITRE ATT&CK technique ID. Run the test, then search your SIEM for the resulting events. Missing alerts identify specific detection gaps, which become specific rule development backlog items.

For organizations that recently covered the Slopoly AI-generated malware techniques or the LameHug APT28 LLM campaign, running the LSASS credential dumping and PowerShell obfuscation Atomic tests is specifically relevant to validating those attack patterns are detectable in your environment.

The bottom line

A SIEM that never alerts requires investigation, not celebration. The three-tier validation confirms: log sources are delivering current events, detection rules fire when attack techniques are simulated, and alerts route to analysts with enough context to act. Run Tier 1 monthly and Tiers 2-3 quarterly. If any tier fails, you have a detection gap: not a quiet environment. Document each validation run so you have evidence that your detection program is active and maintained.

Frequently asked questions

How do I test if my SIEM is working?

Use a three-tier test: first, query each critical log source for events in the last 15 minutes to confirm ingestion is current. Second, simulate known-bad behaviors using built-in Windows tools (PowerShell download cradle, local account creation) and verify alerts fire within 5 minutes. Third, confirm alerts route to the right queue with complete context.

Why is my SIEM not generating alerts?

Zero alerts usually means one of four things: the log source is not forwarding events to the SIEM, the detection rules exist but are disabled or misconfigured, alerts are firing but routing to an unmonitored queue, or the detection rules do not cover the attack techniques in your environment. Run the three-tier validation to identify which.

How do I test my SIEM detection rules without running real malware?

Use atomic tests from Atomic Red Team (github.com/redcanaryco/atomic-red-team) to simulate specific MITRE ATT&CK techniques using legitimate system commands. For example, test T1059.001 (PowerShell) by running a download cradle using Invoke-WebRequest to a known-safe URL: this produces the same Event ID 4104 scriptblock log as real malware without executing anything malicious. Test T1136.001 (local account creation) using 'net user testacct Password1! /add': confirm Event ID 4720 fires and reaches your analyst queue. Clean up after each test. Document which techniques your rules cover and which have no coverage.

What is detection coverage and how do I measure it?

Detection coverage is the percentage of MITRE ATT&CK techniques or sub-techniques that your SIEM has at least one active detection rule for. Measure it by mapping each of your active rules to one or more ATT&CK technique IDs (most SIEM platforms support ATT&CK tagging), then calculating covered techniques as a fraction of the total applicable techniques for your environment. A Sentinel or Splunk ATT&CK coverage heatmap provides a visual representation. 100% coverage is not the goal: prioritize the techniques most used against your industry and in your threat model.

How often should I audit my SIEM for log source gaps?

Run a log source health check monthly: query each critical log source for the last 15 minutes of events and alert if any source has zero events when it should be producing them. Critical sources to monitor: Windows Security events from domain controllers and servers, EDR telemetry, firewall logs, identity provider sign-in logs, and cloud platform audit logs. A log source that stops forwarding silently leaves a detection blind spot: the absence of logs is often invisible in the alert queue because no alerts fire when there are no logs to match against.

What should I do when a SIEM validation test fails to fire an expected alert?

A failed validation test means your detection pipeline has a break somewhere between the event source and the analyst queue. Work through the pipeline from source to destination to find the break. Start at the log source: confirm the event was actually generated on the endpoint by searching Event Viewer or the agent's local log buffer directly. If the event exists on the endpoint but not in the SIEM, the forwarder is broken: check the forwarder service status, its configuration pointing to the correct SIEM collector, and any network firewall rules that might be blocking the forwarding port. If the event exists in the SIEM but the alert did not fire, the detection rule itself is the problem: verify the rule is enabled and not in a disabled or report-only state, confirm the field names in the rule match the actual field names in the ingested log (field naming mismatches are the most common cause of rules that appear correct but never fire), and check that the rule's time window and threshold are not set too high. If the alert fired but did not reach the analyst, the routing configuration is broken: check the alert destination, email distribution list, or ticketing system integration. Document which step in the pipeline failed and create a remediation ticket with an owner and deadline before moving to the next validation test.

Sources & references

  1. Atomic Red Team by Red Canary
  2. MITRE ATT&CK Evaluation Framework
  3. CISA: Free Cybersecurity Services and Tools

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.