45%
Of SOC analysts say more than half of all daily alerts are false positives (SANS 2025)
27%
Of security analysts have considered quitting due to alert fatigue
4,000+
Daily alerts processed by the average enterprise SOC
80%
False positive rate reported by organizations using out-of-box SIEM rules without tuning

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every SOC team with an active SIEM faces the same problem: too many alerts, not enough signal. Industry surveys consistently find that organizations using out-of-box detection rules without tuning experience false positive rates above 70 percent. At scale, this means analysts are spending the majority of their shift investigating alerts that were never real threats to begin with.

The common response is to disable noisy rules outright. That is the wrong fix. Disabling a rule removes detection coverage entirely. The right approach is tuning: modifying the rule to exclude the specific patterns that produce noise while preserving detection logic for the patterns that represent genuine attacker behavior.

This guide covers how the three dominant enterprise SIEM platforms each implement false positive tuning: Microsoft Sentinel's KQL exclusions and watchlists, Splunk's risk-based alerting and eval suppression, and Google Chronicle's YARA-L reference lists and condition exceptions. Each platform has a different architecture, and the optimal tuning approach differs accordingly. We also cover how to measure false positive rates before and after tuning, and how to test that exclusions do not create detection blind spots.

Why SIEM False Positives Are a Structural Problem, Not a Rules Problem

Alert fatigue is frequently framed as a people problem: analysts who are burned out, too slow, or insufficiently triaged. The framing is wrong. Alert fatigue is a structural consequence of deploying detection rules calibrated for a generic environment against a specific organization's infrastructure.

Out-of-box SIEM content is written to detect a pattern of behavior that is suspicious in most environments. A rule that fires when PowerShell is invoked with a base64-encoded command is a reasonable heuristic. But if your organization's IT team runs base64-encoded PowerShell as part of a legitimate deployment automation pipeline on a known set of hosts, every deployment becomes an alert. The rule is not broken. The rule is correctly detecting a pattern. The pattern is not malicious in your environment.

This is the distinction between false positive rate and noise rate. Your false positive rate is the fraction of alerts that do not correspond to genuine malicious activity. Your noise rate also includes true positives that your team has no actionable response for: real suspicious events that do not yet have a playbook, are being tracked through another workflow, or are accepted risks given current business context. Both contribute to the analyst workload problem, but they require different solutions. False positives require detection tuning. Noise requires workflow engineering.

The statistics on alert fatigue are consistent across survey sources. The SANS 2025 SOC Survey found 45 percent of analysts classify more than half of their daily alerts as false positives. A 2024 Tines report found that 27 percent of security professionals have considered leaving their role due to alert volume. IBM's 2024 Cost of a Data Breach report found that organizations whose SOCs reported high false positive burdens had longer breach dwell times, because genuine attacker activity was buried in alert noise.

The structural solution is not more analysts. It is a detection engineering program that continuously measures false positive rates per rule, identifies the specific patterns producing noise, writes the narrowest possible exclusions, and validates that exclusions do not create coverage gaps. That program runs differently depending on which SIEM platform you operate.

Microsoft Sentinel False Positive Tuning: Exclusions, Watchlists, and Entity Behavior

Microsoft Sentinel provides three distinct mechanisms for false positive tuning, each appropriate for different suppression scenarios: inline KQL exclusions within the analytics rule query, the built-in False Positives tab for entity-based exceptions, and Watchlists for shared allowlists across multiple rules.

Inline KQL Exclusions

The most direct approach is adding a where clause to the rule query to filter out known-good field values. For example, if a "High-Volume Authentication Failures" rule is firing on a service account used by a monitoring tool:

SigninLogs
| where ResultType == "50126"
| where UserPrincipalName !in~ ("monitoring-svc@contoso.com", "backup-svc@contoso.com")
| summarize FailureCount = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where FailureCount > 10

The !in~ operator performs case-insensitive exclusion against a static list. This is appropriate for small, stable exclusion lists. For exclusions that change frequently (rotating scanner IPs, dynamic admin pools), static inline lists become a maintenance burden.

Watchlists for Shared Exclusions

Sentinel Watchlists are CSV-backed lookup tables stored in Log Analytics that can be referenced from any analytics rule. A Watchlist named KnownScanners containing a IPAddress column can be referenced in KQL:

let KnownScanners = _GetWatchlist("KnownScanners") | project IPAddress;
AzureNetworkAnalytics_CL
| where FlowType_s == "ExternalPublic"
| where SrcIP_s !in (KnownScanners)
| where AllowedOutFlows_d > 500

Watchlists update independently of rule logic, meaning your security operations team can add new scanner IPs or admin accounts to a Watchlist without touching the rule query. This is the correct architecture for shared exclusion data used across multiple rules.

Entity Behavior and UEBA Thresholds

For behavioral rules (Sentinel's UEBA-powered anomaly detections), tuning requires adjusting the anomaly threshold rather than excluding specific values. In Sentinel's Anomaly templates, the threshold is configurable via the rule settings UI. Lowering sensitivity raises the volume required to trigger an anomaly, which is effective when a legitimate business process creates high-volume activity that looks anomalous (batch data exports, scheduled backup jobs).

False Positives Tab

The False Positives tab on individual analytics rules provides a simplified UI for adding entity exclusions without editing KQL directly. Select the entity type (Account, Host, IP), the field to match, and the value. These exclusions are stored separately from the rule query and apply to all future alerts from that rule. This mechanism is appropriate for quick analyst-driven tuning but should be audited regularly: exceptions added through the UI do not appear in rule version history and can accumulate invisibly.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Splunk False Positive Tuning: Risk Scores, Saved Search Suppression, and Notable Event Management

Splunk Enterprise Security offers three tuning mechanisms that operate at different layers of the detection stack: per-event suppression in individual correlation searches, risk score modifiers in Risk-Based Alerting, and notable event suppression in the Incident Review interface.

Risk-Based Alerting as the Primary Tuning Architecture

The most effective false positive reduction approach in Splunk ES is adopting Risk-Based Alerting (RBA). Rather than generating notable events from individual correlation searches, RBA routes suspicious events to a risk index where each event contributes a score to the entity involved. A secondary correlation search generates a notable event only when cumulative risk exceeds a threshold:

| tstats summariesonly=true count from datamodel=Endpoint.Processes
  where Processes.process_name=psexec.exe by Processes.user Processes.dest
| rename Processes.* as *
| eval risk_score=60, risk_object=user, risk_object_type="user"
| collect index=risk

A noisy rule that previously fired on every psexec execution now contributes a risk score of 60 to the user. A user who runs psexec once scores 60. A user who also creates a new local admin account, establishes a new outbound connection, and modifies a registry run key accumulates scores from multiple searches and eventually crosses the alert threshold. Tuning in RBA means adjusting per-source risk scores, not disabling rules. A known-noisy search gets a lower risk score contribution, not a suppression.

Eval-Based Suppression in Individual Searches

For searches not yet migrated to RBA, eval-based filtering suppresses specific field combinations:

index=windows EventCode=4688 New_Process_Name="*psexec*"
| eval suppress=if(Account_Name="svc-deploy" AND Computer="deploy-server01", "true", "false")
| where suppress!="true"
| stats count by Account_Name, Computer, New_Process_Name, CommandLine

The eval suppress pattern is preferable to a direct where NOT filter when the suppression logic is complex (multi-field combinations, time-based windows). It leaves the raw event in the results for auditing while clearly marking suppressed events.

Notable Event Suppression

When a notable event has already been created, Incident Review allows suppression of future identical notables for a defined time window. The suppression can target a specific field value (suppress all notables from this src IP for 24 hours) or a combination (suppress notables from this src IP matched against this rule for 7 days). Notable suppression is appropriate for short-lived tuning needs like maintenance windows. It is not a substitute for rule-level tuning because suppressed notables continue to consume processing resources.

Google Chronicle False Positive Tuning: YARA-L Rule Exceptions and Reference Lists

Google Chronicle's detection engine uses YARA-L 2.0 for rule definition, and false positive tuning is performed by modifying rule conditions and referencing centrally managed lists. Unlike Sentinel and Splunk, Chronicle has no UI-based exclusion mechanism, all tuning requires direct rule edits.

YARA-L Condition Exceptions

A Chronicle rule detecting suspicious scheduled task creation might look like:

rule suspicious_scheduled_task_creation {
  meta:
    author = "detection-engineering"
    severity = "MEDIUM"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line = /schtasks.*\/create/i
    $e.principal.user.userid != "svc-task-mgmt"
    $e.principal.hostname != /^deploy-/
  condition:
    $e
}

The != and regex-based exclusions directly in the events block are the primary mechanism. String negation excludes a specific user; regex negation with ^deploy- excludes any hostname starting with that prefix. Multiple conditions within the events block are evaluated as logical AND, so exclusions are precise and compound-able.

Reference Lists for Shared Allowlists

Reference lists in Chronicle are centrally managed sets of strings or CIDR ranges that can be referenced across multiple rules. A reference list named known_good_domains is used in a rule as:

rule c2_domain_detection {
  meta:
    severity = "HIGH"
  events:
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.questions.name != ""
    $e.network.dns.questions.name notin %known_good_domains
  condition:
    $e
}

The % prefix references a reference list. notin performs membership exclusion against the list. For IP ranges, Chronicle supports CIDR notation in reference lists with the cidrmatches function:

not cidrmatches($e.principal.ip, "10.0.0.0/8", "172.16.0.0/12")

UDM Field Filtering

Chronicle normalizes all ingested events to the Unified Data Model (UDM). Effective tuning requires knowing which UDM fields correspond to the raw log fields you want to filter on. The principal, target, src, and network namespaces cover the most common tuning scenarios. For endpoint events, $e.principal.process.file.full_path is frequently used to exclude known-good binaries from behavioral rules. Chronicle's event search allows you to explore UDM fields for a specific log source before writing exclusions, which is the recommended workflow for new data source onboarding.

The Tuning Workflow: How to Measure and Reduce FP Rate Without Killing Detection Coverage

Effective false positive tuning is a measurement-first discipline. Modifying rules without first measuring their current false positive rate and documenting what patterns you are excluding leads to drift: rules that no longer detect what they were designed to detect, with exclusions no one can justify.

Baselining: Measure Before You Change Anything

For any rule you intend to tune, collect 30 days of alerts and classify each as true positive (confirmed or suspected malicious) or false positive (confirmed benign). For high-volume rules, a 7-day sample is acceptable with the caveat that low-frequency true positives may not appear in the sample window.

Calculate your baseline false positive rate: false positives divided by total alerts. Document which field values account for the majority of false positives. In most cases, 20 percent of excluded patterns will account for 80 percent of false positive volume. Start there.

Writing Exclusions: Narrowest First

The principle is: exclude the specific field combination that distinguishes false positives from true positives. Never exclude on a single broad field when a compound exclusion is possible. Excluding all alerts where user == "svc-backup" is correct if that account only ever produces false positives. But excluding user starts with "svc-" when you only have data about svc-backup creates a blind spot for attacker-created service accounts.

Regression Testing

Before deploying any exclusion to production, verify it does not suppress historical true positives. If your SIEM retains raw events, run the modified rule query against your historical data and compare the alert output against your baseline true positive set. Any historical true positive that disappears after the exclusion is applied means your exclusion is too broad.

The Tune vs. Retire Decision

Some rules are not tunable. If a rule has a false positive rate above 95 percent and you cannot identify a narrow enough exclusion to reduce it materially, retirement is the correct decision, but only if an alternative detection covers the same technique. Map every rule to the ATT&CK technique it covers before retiring it. If no other rule covers that technique, build a replacement before retiring the original.

Expiration Dates on All Exclusions

Every exclusion should carry an expiration date, typically 90 to 180 days, after which a review is mandatory. Business context changes: that service account that legitimately ran psexec last quarter may have been compromised this quarter. Exclusions without expiration dates accumulate into permanent blind spots.

Detection engineering is not a one-time project. Every exclusion you add without an expiration date is a commitment to never detecting that pattern again, even when the threat actor learns to wear the same disguise.

Detection Engineering principle, SOC tuning programs

Common False Positive Patterns and Their Fixes

Certain detection patterns generate disproportionate false positive volume across almost every organization. Understanding the root cause of each pattern allows you to write targeted exclusions rather than disabling rules wholesale.

Scheduled Tasks Misread as Persistence

Rules detecting scheduled task creation (Windows Event 4698, Sysmon Event ID 1 with schtasks /create) are among the noisiest rules in any environment because scheduled tasks are a legitimate administration mechanism. The attacker pattern is task creation by an interactive user session, often via a LOLBin or scripting engine, outside of normal business hours. The false positive pattern is task creation by patch management agents, monitoring tools, and deployment automation.

Fix: Scope the detection to exclude known task creators by process path and user account. Flag task creation via scripting engines (wscript.exe, cscript.exe, powershell.exe) rather than all task creation.

// Sentinel: Suspicious Scheduled Task Creator
SecurityEvent
| where EventID == 4698
| where SubjectUserName !in~ ("SYSTEM", "svc-sccm", "svc-intune")
| where ProcessName has_any ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")

Legitimate Admin Tools Triggering LOLBin Rules

Living-off-the-land binary (LOLBin) rules detect use of signed Windows binaries for malicious purposes: certutil.exe downloading files, mshta.exe executing remote scripts, regsvr32.exe loading unsigned DLLs. These rules fire constantly in organizations that legitimately use these tools for administration.

Fix: The exclusion must be narrow. Exclude specific command-line patterns that correspond to legitimate use, not the binary itself. certutil.exe -decode on a specific output path used by a known application is excludable. All certutil.exe usage is not.

// Splunk: certutil download detection with legitimate use exclusion
index=windows EventCode=4688 New_Process_Name="*certutil*"
| where NOT (match(Process_Command_Line, "certutil\s+-decode\s+C:\\ProgramData\\Vendor\\"))
| where match(Process_Command_Line, "urlcache|verifyctl|encode|decode")

Scanning Tools Triggering Brute Force Rules

Authentication failure rules (detecting brute force attempts via rapid successive failures) consistently fire on vulnerability scanners, penetration testing infrastructure, and monitoring agents that perform credentialed authentication checks. The fix is a scanner IP allowlist referenced from all authentication failure rules, not a per-rule suppression.

In Sentinel, a Watchlist named AuthorizedScanners with a SourceIP column:

let Scanners = _GetWatchlist("AuthorizedScanners") | project SourceIP;
SigninLogs
| where ResultType == "50126"
| where IPAddress !in (Scanners)
| summarize FailureCount = count() by IPAddress, UserPrincipalName, bin(TimeGenerated, 1h)
| where FailureCount > 20

In Chronicle, a reference list authorized_scanner_ips:

$e.principal.ip notin %authorized_scanner_ips

The same source of truth, the scanner IP list, should feed all three SIEMs if your organization operates a multi-SIEM environment. Maintaining separate suppression lists per platform for the same data leads to divergence.

Scheduled task creation by patch management agents

Scope rules to task creators using scripting engines, not all task creation. Exclude known-good creator accounts and process paths using the narrowest possible combination.

LOLBin rules firing on legitimate admin tools

Exclude specific command-line patterns matching legitimate use cases, not the binary itself. Attacker LOLBin use rarely matches the exact command-line pattern of the legitimate application.

Vulnerability scanners triggering authentication failure rules

Maintain a central scanner IP allowlist (Watchlist in Sentinel, reference list in Chronicle, lookup table in Splunk) and reference it from all authentication anomaly rules.

Backup agents triggering data exfiltration rules

Exclude backup service accounts and destination IPs from data transfer volume rules. Track backup agent IPs in your scanner/admin IP allowlist.

CI/CD pipelines triggering code execution rules

Exclude pipeline runner accounts and build server hostnames from PowerShell and script execution rules. Enforce time-window restrictions so detections still fire outside build hours.

IT admin remote access triggering lateral movement rules

Exclude IT admin accounts from pass-the-hash and remote service creation rules with a compound exclusion: account AND source host must both be in the admin tier. Attacker lateral movement typically originates from non-admin hosts.

The bottom line

False positive tuning is a continuous detection engineering discipline, not a one-time configuration task. The core workflow is identical across platforms: measure the false positive rate per rule before changing anything, write the narrowest possible exclusion targeting the specific field combination that distinguishes noise from signal, run a regression test against historical true positives, and attach an expiration date to every exclusion. The platform-specific syntax differs: Sentinel uses KQL where clauses and Watchlists, Splunk uses eval suppression and risk score adjustments, Chronicle uses YARA-L condition exceptions and reference lists. Organizations that centralize their allowlist data (scanner IPs, admin accounts, known-good domains) in a single source of truth and reference it from all SIEM rules reduce maintenance overhead significantly. Tuning is not the same as disabling coverage. Every exclusion should be justified against a specific benign pattern, tested against historical attacker data, and reviewed on a schedule.

Frequently asked questions

How do SIEM platforms handle false positive tuning?

SIEM platforms handle false positive tuning through four primary mechanisms: rule-level exclusions that filter specific field values from triggering an alert (such as excluding a known admin account from a privilege escalation rule), allowlist-based suppression that checks event fields against a reference list of known-good entities, threshold adjustments that raise the activity count required to trigger an alert, and risk score dampening that reduces the weight of an event in risk-based alerting systems. Microsoft Sentinel uses KQL where clauses and watchlists, Splunk uses eval-based suppression and risk score modifiers, and Google Chronicle uses YARA-L notnull/reference list exceptions. All three platforms support entity-level exclusions, but the implementation syntax and management workflow differ significantly.

What is the difference between a false positive rate and a noise rate in a SOC?

A false positive rate is the fraction of alerts that do not correspond to a real threat, measured as false positives divided by total alerts. A noise rate is a broader measure of analyst interruption that includes true positives that are low-priority (real events that do not require action given current risk posture), duplicate alerts for the same underlying event, and alerts for remediated issues that have not yet been suppressed. An alert can be a true positive with confirmed malicious activity but still contribute to noise if the SOC has no playbook to act on it. Reducing the false positive rate is necessary but not sufficient. Reducing noise requires also eliminating duplicate detections and low-signal-to-action alerts.

How do I add entity exclusions to Microsoft Sentinel analytics rules?

Microsoft Sentinel supports two exclusion mechanisms. For ad-hoc exclusions on individual analytics rules, use the False Positive tab in the rule settings to add entity-based exceptions: select the entity type (account, IP, hostname), choose the operator (equals, contains, starts with), and enter the value. These exceptions apply only to that rule. For organization-wide allowlists used across multiple rules, create a Sentinel Watchlist containing your known-good entities and reference it inside the rule KQL using a where clause: `| where AccountName !in~ (watchlist('KnownAdmins') | project AccountName)`. Watchlist-based exclusions are preferable for shared entities (IT admin accounts, vulnerability scanner IPs) because a single watchlist update propagates to all rules that reference it.

How does Splunk risk-based alerting reduce false positives?

Splunk Risk-Based Alerting (RBA) reduces false positives by shifting from per-event alerting to risk score accumulation. Instead of generating a notable event every time a suspicious event occurs, each detection rule contributes a risk score to the entity involved (user, system, or IP). A separate correlation search generates a notable event only when an entity's cumulative risk score crosses a defined threshold within a time window. This means a single anomalous event from a known-noisy source (an IT admin running psexec) does not page an analyst, but the same account performing psexec plus a new local admin creation plus an unusual outbound connection accumulates enough risk score to fire a high-confidence alert. Tuning in RBA means adjusting per-source risk scores and the cumulative threshold, not modifying individual detection rules.

How do I create exceptions in Google Chronicle YARA-L rules?

Google Chronicle YARA-L rule exceptions are implemented directly in rule condition blocks using notnull checks, string comparisons, and reference list lookups. To exclude known-good domains, declare a reference list and reference it with `$domain notin %known_good_domains`. To exclude specific users from a persistence detection, add a condition: `$event.principal.user.userid != "svc-backup"`. Chronicle reference lists support string and CIDR notation for IP ranges, making them the most efficient method for managing large allowlists. Reference lists are centrally managed and apply across all rules that reference them, similar to Sentinel watchlists. Unlike Sentinel and Splunk, Chronicle exceptions cannot be added through a UI toggle, they require direct YARA-L syntax edits to the rule definition.

What is the safest way to tune a SIEM rule without creating detection blind spots?

The safest tuning workflow has four steps. First, measure the current false positive population for a specific rule before changing anything: collect 30 days of alerts, categorize each as false positive or true positive, and identify the field values that distinguish the two groups (specific accounts, IP ranges, process paths, or time windows). Second, write the narrowest possible exclusion targeting only the distinguishing field values, not broad categories. Third, test the exclusion in a staging environment or by adding it to a rule clone and running it in alert-only mode for seven days. Fourth, run a regression test using known-true-positive events from your historical data to confirm the exclusion does not suppress them. Document every exclusion with a justification, a linked ticket, and an expiration date for mandatory review. Exclusions that never expire accumulate into permanent blind spots.

Sources & references

  1. SANS 2025 SOC Survey
  2. Microsoft Sentinel Documentation: Analytics Rule Tuning
  3. Splunk BOTS: Risk-Based Alerting Framework
  4. Google Chronicle YARA-L Reference
  5. MITRE ATT&CK: Defense Evasion Tactic
  6. Elastic SIEM False Positive Guide

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.