Analysis of 6,859 rule histories shows 56% undergo detection logic revisions, with over half both adding and removing clauses and a quarter to a third alternating between coverage expansion and false-positive reduction.
99% false positives: A qualitative study of SOC analysts’ perspectives on security alarms
1 Pith paper cite this work. Polarity classification is still indexing.
1
Pith paper citing it
fields
cs.CR 1years
2026 1verdicts
UNVERDICTED 1representative citing papers
citing papers explorer
-
Evolution of Log-Based Detection Rules in Public Repositories
Analysis of 6,859 rule histories shows 56% undergo detection logic revisions, with over half both adding and removing clauses and a quarter to a third alternating between coverage expansion and false-positive reduction.