Describe a time you built a custom detection rule for a real threat. What was the threat, and how did you reduce false positives?