fwd:cloudsec 2026

Schrödinger’s Detection: Finding the "Zombie" Rules in Your SIEM
2026-06-02, Room 1

Nine months. That's how long a Sigma detection rule for AWS IAM privilege escalation sat in a production SIEM without firing. Not because there were no attacks, but because the rule referenced a CloudTrail field that doesn't exist. It matched nothing. It looked healthy. It was dead.
We built sigma-lens, an open-source quality analyzer, and ran it against the two largest public cloud rule repositories: SigmaHQ and Elastic. Across 2,000+ cloud detection rules, we found that 1 in 3 contained significant quality defects.
This talk reveals the results of our audit: rules referencing non-existent log fields, logic that misses 80% of realistic attack variants, and "hallucinated" fields in AI-generated rules. We will release sigma-lens and a new database of 400+ validated CloudTrail log schemas, equipping you to test your detection rules with the same rigor you apply to application code.
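The defect classes described above can be caught statically. The following is an added illustration, not sigma-lens and not the talk's schema database: a small checker that walks a Sigma rule's detection selections, strips value modifiers (`|contains`, `|endswith`), and validates every referenced field and every `eventName` value against a per-eventSource CloudTrail schema. The schema, the rule bodies and the field names in them are constructed for the example (loaded as Python dicts in Sigma's YAML layout); real CloudTrail schemas vary per event and should come from a validated source.

```python
"""Static checker for Sigma rules that target AWS CloudTrail.

Flags "zombie" rules: selections that reference fields absent from the
CloudTrail record schema (the rule can never match), and eventName values
the pinned eventSource never emits. Added example; not sigma-lens.
"""
from __future__ import annotations

# Constructed, partial CloudTrail schema for illustration only: flattened
# field paths a record can carry, keyed by eventSource, plus the event names
# that source emits. Not authoritative.
CLOUDTRAIL_SCHEMA = {
    "iam.amazonaws.com": {
        "fields": {
            "eventVersion", "eventTime", "eventSource", "eventName",
            "awsRegion", "sourceIPAddress", "userAgent", "errorCode",
            "userIdentity.type", "userIdentity.principalId", "userIdentity.arn",
            "userIdentity.accountId", "userIdentity.userName",
            "requestParameters.userName", "requestParameters.policyArn",
            "requestParameters.policyDocument", "requestParameters.roleName",
        },
        "eventNames": {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey",
                       "AttachRolePolicy", "UpdateAssumeRolePolicy"},
    },
}

# Keys under `detection:` that are not selections.
SIGMA_KEYWORDS = {"condition", "timeframe"}


def selection_fields(selection):
    """Yield (field, values) pairs from one selection (a map or a list of maps)."""
    blocks = selection if isinstance(selection, list) else [selection]
    for block in blocks:
        if not isinstance(block, dict):
            continue  # keyword lists carry no field names to validate
        for key, value in block.items():
            field = key.split("|", 1)[0]  # drop modifiers such as |contains
            values = value if isinstance(value, list) else [value]
            yield field, values


def check_rule(rule, schema=CLOUDTRAIL_SCHEMA):
    """Return a list of defect strings; an empty list means no static defect found."""
    defects = []
    detection = rule.get("detection", {})
    selections = [(n, s) for n, s in detection.items() if n not in SIGMA_KEYWORDS]

    # A rule must pin eventSource before its fields can be checked at all.
    sources = set()
    for _, sel in selections:
        for field, values in selection_fields(sel):
            if field == "eventSource":
                sources.update(values)
    if not sources:
        return ["rule does not pin eventSource; cannot validate fields"]

    for name, sel in selections:
        for field, values in selection_fields(sel):
            for src in sorted(sources):
                spec = schema.get(src)
                if spec is None:
                    defects.append(f"{name}: unknown eventSource {src}")
                    continue
                if field not in spec["fields"]:
                    defects.append(f"{name}: field '{field}' not in {src} schema")
                if field == "eventName":
                    for v in values:
                        if v not in spec["eventNames"]:
                            defects.append(
                                f"{name}: eventName '{v}' never emitted by {src}")
    return defects


# Constructed rules in Sigma's YAML layout, expressed as dicts for the example.
HEALTHY_RULE = {
    "title": "AWS IAM AdministratorAccess attached to user",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "iam.amazonaws.com",
            "eventName": ["AttachUserPolicy", "PutUserPolicy"],
            "requestParameters.policyArn|contains": "AdministratorAccess",
        },
        "filter": {"userIdentity.type": "AssumedRole"},
        "condition": "selection and not filter",
    },
}

ZOMBIE_RULE = {
    "title": "AWS IAM privilege escalation via policy attach",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "iam.amazonaws.com",
            "eventName": ["AttachUserPolicy", "PutUserPolicies"],  # typo'd event
            "targetUser": "*",   # hallucinated: lives at requestParameters.userName
            "principalId": "*",  # hallucinated: lives at userIdentity.principalId
        },
        "condition": "selection",
    },
}


if __name__ == "__main__":
    for rule in (HEALTHY_RULE, ZOMBIE_RULE):
        print(rule["title"], "->", check_rule(rule) or "OK")
```

Run against the constructed rules, the healthy rule reports nothing and the zombie rule reports three defects: two fields that no IAM CloudTrail record carries and one eventName IAM never emits. A rule with all three defects still parses, loads and shows as "enabled" in a SIEM, which is exactly why it can sit silent for months.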

Gowthamaraj Rajendran is a Threat Detection Engineer on Meta’s Infrastructure Security Monitoring team, where he focuses on building and operationalizing detections for large-scale surfaces. His work centers on translating real-world adversary behaviors into measurable detection coverage, improving telemetry quality, and reducing time-to-detect for high-impact incidents. He is particularly interested in detection engineering methodology, breach-informed validation, and practical approaches to strengthening security monitoring at scale.