The collection trap

Many teams equate "we ship everything to a log platform" with "we have detection." They don't. Logs you never query are just a storage bill. Detection means someone or something is watching for the patterns that matter and acting on them.

Cover the sources that count

You can't detect what you can't see. Prioritize:

  • Identity provider logs — logins, MFA events, privilege changes.
  • Cloud control plane — API calls, IAM changes, resource creation.
  • Endpoint telemetry — process execution, persistence, lateral movement.
  • Network / DNS — exfiltration and command-and-control signals.

Write detections for behavior, not just signatures

Signature matching catches known-bad. The interesting attacks look like legitimate activity. Build behavioral detections:

  1. Impossible travel or new-country logins.
  2. A service account suddenly used interactively.
  3. Mass downloads or unusual data egress.
  4. New IAM admin grants outside change windows.

Tune relentlessly

A detection that fires 200 false positives a day will be ignored, and the one true positive will be lost. Measure alert-to-action ratio. If responders dismiss most alerts without action, the rule is broken — fix or retire it.

Retention and speed

Keep enough history to investigate (90 days hot, a year cold is a common baseline) and make queries fast. During an incident, the difference between a five-minute query and a five-hour one is the difference between containment and catastrophe.