SIEM users should consider performing testing to validate that their detections actually work, especially if they are doing actual detection engineering (instead of just relying on vendor-provided rules).