Detection content
Our SIEM detection rules are engineered to deliver maximum coverage with minimal complexity, prioritizing the log sources that matter most for modern cybersecurity. By focusing on your organization’s critical data streams, we enable faster threat hunting, reduced alert fatigue, and compliance-ready monitoring.
The following log sources cover 80%+ of critical use cases for most organizations:
Log Source Prioritization Matrix
Quick Start Guide
This matrix prioritizes common log sources based on real-world attack patterns.
Use it to align your team on "what to deploy first" and justify decisions to stakeholders.
| Priority | Meaning |
|---|---|
| 🔥 Critical | Log sources tied to >50% of breaches (e.g., AD, EDR). Deploy first. |
| 🟠 Important | Address common but lower-risk threats (e.g., VPN, Email). Phase 2. |
| 🟡 Situational | Niche needs (e.g., DAM, CASB). Deploy only if required. |
| Log Source | Category | Implementation Complexity | Priority | Example Use Case Categories |
|---|---|---|---|---|
| Active Directory (AD) | Authentication Systems | Low | 🔥 Critical | Account Compromise; Privilege Escalation; Anomalous and Failed Login; Brute Force Attack |
| EDR Logs | EDR Systems | Medium | 🔥 Critical | Malware Detection; Anomalous Behavior and Threat Hunting; Configuration Compliance Monitoring |
| Firewall/IDS/IPS Logs | Network Devices | Low | 🔥 Critical | Network Intrusion Detection; Traffic Anomaly Detection; Network Performance Monitoring |
| AWS CloudTrail | Cloud Services | Medium | 🔥 Critical | Cloud Native Threat Detection; Account Compromise Detection; Cloud Access Anomaly Detection |
| Email Security Logs | Email Systems | Low | 🔥 Critical | Phishing and Spear-Phishing Attack Detection; Malware and Ransomware Distribution via Email; Email Account Compromise Detection |
| Windows Event Logs | Operating Systems | Medium | 🔥 Critical | Malicious Activity Detection; User Activity Monitoring; Unauthorized System Changes; Endpoint Compliance Monitoring |
| VPN Logs | VPN Services | Low | 🟠 Important | VPN Connection Monitoring; Threat Intelligence Integration; VPN Traffic Analysis; User Authentication and Access Control |
| CASB Logs | Cloud Services | High | 🟡 Situational | Cloud Native Threat Detection; Account Compromise Detection; Cloud Access Anomaly Detection |
| Database Logs (DAM) | Databases | High | 🟡 Situational | Unauthorized Database Access Detection; Database Configuration Changes Monitoring; Sensitive Data Exposure Alerts |
Next: Explore the Content Catalog
Now that you’ve prioritized log sources, dive into implementation details for each category:
| Section | What’s Included | Example |
|---|---|---|
| Overview | Key threats and detection focus for the technology. | "Detect cloud-native threats like SSRF attacks." |
| Sample Products | Supported tools and log sources. | AWS CloudTrail, Azure Activity Logs |
| Use Case Categories | Grouped detection scenarios. | "Cloud Access Anomaly Detection" |
| Core Use Cases | Specific detection rules with real-world impact. | 🔍 "Unusual API Calls Detection" (identifies credential hijacking in 5 minutes) |
| MITRE ATT&CK | Mapped tactics/techniques for threat hunting. | T1534, T1550 (Cloud Account Hijacking) |