As detection engineers, we often consolidate multiple behaviors into a single rule for efficiency — but this creates a challenge when reporting to stakeholders who still focus on raw rule counts.
To address this, I propose introducing a new metadata field:
z_score – a numeric value that indicates how many logically distinct use cases are represented within a single rule.
It helps:
- Communicate the true detection coverage of consolidated rules
- Normalize engineering value across teams and environments
- Improve reporting accuracy without inflating rule count
Use Case Example: Remote Code Execution Techniques
Description: This detection rule consolidates five common techniques seen in initial access and hands-on-keyboard activity:

```yaml
title: Suspicious Remote Code Execution via Scripting Tools
z_score: 5
tags:
description: >
  This rule detects five common remote code execution techniques using built-in
  system utilities.
```
Instead of writing five separate rules, they’re consolidated into one — and the Z-Score reflects that.
This is extremely beneficial because it introduces a simple, standardized way to measure detection coverage, not just volume. Additionally, it enables:
- More meaningful detection metrics
- Better justification for optimized engineering work
- Consistency in how teams define and report use case coverage
It’s a vendor-neutral enhancement that fits naturally into Sigma’s metadata model — and could be a valuable addition for the broader detection engineering community.
Would love to hear your thoughts.
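To show how the proposed field would change the numbers a stakeholder sees, here is an added example of a coverage report that counts use cases instead of rules. It is not part of Sigma or of the proposal above: it assumes the `z_score` field as described, and that rules have already been parsed from YAML into dicts (as `yaml.safe_load` would produce). The rules, the `logsource` products and the helper names are constructed for the example. The report also validates the field, since a typo such as `z_score: "five"` or `z_score: 0` should be surfaced rather than silently skewing the count.

```python
"""z_score-weighted coverage report (added example, not Sigma project code).

Assumes the proposed `z_score` metadata field. Rules are plain dicts as they
would look after yaml.safe_load; all sample rules below are constructed.
"""
from collections import defaultdict

# Constructed sample rules, reduced to the fields the report needs.
SAMPLE_RULES = [
    {
        "title": "Suspicious Remote Code Execution via Scripting Tools",
        "z_score": 5,  # five consolidated use cases, as in the proposal
        "logsource": {"product": "windows", "category": "process_creation"},
    },
    {
        "title": "Single-behaviour rule without z_score",
        "logsource": {"product": "windows", "category": "process_creation"},
    },
    {
        "title": "Two consolidated Linux behaviours",
        "z_score": 2,
        "logsource": {"product": "linux", "category": "process_creation"},
    },
    {
        "title": "Rule with an invalid z_score",
        "z_score": "five",  # a typo that must not be counted
        "logsource": {"product": "linux", "category": "process_creation"},
    },
]


def use_cases(rule):
    """Return the number of use cases a rule represents.

    A rule without the field counts as one use case. Anything that is not a
    positive integer raises, so a bad value cannot inflate or zero out the
    report. bool is excluded explicitly because it is an int subclass in
    Python and `z_score: true` should not count as 1.
    """
    value = rule.get("z_score", 1)
    if isinstance(value, bool) or not isinstance(value, int) or value < 1:
        raise ValueError(
            f"{rule.get('title', '<untitled>')!r}: z_score must be a "
            f"positive integer, got {value!r}"
        )
    return value


def coverage_report(rules):
    """Aggregate raw rule count and z_score-weighted use-case count.

    Returns {"total": {...}, "by_product": {product: {...}}, "invalid": [...]}.
    Rules with an invalid z_score are listed under "invalid" and left out of
    the counts instead of being guessed at.
    """
    totals = {"rules": 0, "use_cases": 0}
    by_product = defaultdict(lambda: {"rules": 0, "use_cases": 0})
    invalid = []
    for rule in rules:
        try:
            n = use_cases(rule)
        except ValueError:
            invalid.append(rule.get("title", "<untitled>"))
            continue
        product = rule.get("logsource", {}).get("product", "unknown")
        for bucket in (totals, by_product[product]):
            bucket["rules"] += 1
            bucket["use_cases"] += n
    return {"total": totals, "by_product": dict(by_product), "invalid": invalid}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_RULES)
    t = report["total"]
    print(f"rules: {t['rules']}, use cases: {t['use_cases']}")
    for product, counts in sorted(report["by_product"].items()):
        print(f"  {product}: {counts['rules']} rules -> {counts['use_cases']} use cases")
    for title in report["invalid"]:
        print(f"  skipped (invalid z_score): {title}")
```

Run as a script it reports 3 valid rules covering 8 use cases (6 on Windows from 2 rules, 2 on Linux from 1 rule) and names the rule whose `z_score` was rejected. Defaulting a missing field to 1 keeps existing rules' numbers unchanged, so the metric only moves where an author has deliberately declared consolidation.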