Module 02 · Lesson 12

Designing a detection pipeline that doesn't drown you

You can build perfect defenses and still get breached. The difference between a minor incident and a catastrophe is how quickly you detect it.

200+ days: average dwell time before a breach is detected
10K+ alerts per day at an average SOC
95% false positive rate
What to Log

Log what answers three questions

Must log (security-relevant events): auth events (success and failure), authorization decisions, privileged actions, data access, network connections, system changes, security tool events.

Never log (creates new risk): passwords (including failed attempts, which are often one character off the real password), full credit card numbers, PII in plaintext, health data. Use reference IDs instead.

Three questions your logs must answer: Did something bad happen? What exactly? How do we stop it?
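As an added example (not code from the original lesson), this is an audit-logging helper that enforces the must-log / never-log split at the point where the event is built: password-type fields are dropped outright, PII fields are replaced by a keyed HMAC reference ID so events for the same person can still be joined, and anything that looks like a card number and passes the Luhn check is masked to its last four digits. The pseudonymization key, the field-name lists and the sample events are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Assumption: a per-deployment pseudonymization key; in production load it from a secret store.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Hypothetical field lists. DROP_FIELDS never reach the log in any form, not even on failed logins.
DROP_FIELDS = {"password", "passwd", "new_password", "old_password", "otp", "secret"}
# PII fields are replaced by a stable reference ID so the SIEM can still correlate on them.
PSEUDONYMIZE_FIELDS = {"email", "ssn", "phone", "full_name"}
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit order number is not mistaken for a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def reference_id(value: str) -> str:
    """Stable, non-reversible token: the same email always maps to the same ID."""
    mac = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ref_" + mac[:16]


def mask_pans(text: str) -> str:
    """Replace Luhn-valid card numbers inside free text with a last-four mask."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "PAN_" + "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)


def sanitize(event: dict) -> dict:
    """Apply the never-log rules recursively to an event dictionary."""
    clean = {}
    for key, value in event.items():
        k = key.lower()
        if k in DROP_FIELDS:
            continue
        if isinstance(value, dict):
            clean[key] = sanitize(value)
        elif k in PSEUDONYMIZE_FIELDS:
            clean[key] = reference_id(str(value))
        elif isinstance(value, str):
            clean[key] = mask_pans(value)
        else:
            clean[key] = value
    return clean


def audit_event(event_type: str, outcome: str, **fields) -> str:
    """Return one JSON line for the SIEM collector, sanitized before serialization."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event_type": event_type,
        "outcome": outcome,
    }
    record.update(sanitize(fields))
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a failed login where the client echoed the password and a note with a card.
    print(audit_event("auth.login", "failure", user="alice", password="hunter3",
                      email="alice@example.com", note="paid with 4111 1111 1111 1111"))
```

The point of the HMAC rather than a plain hash is that the reference ID is only joinable by whoever holds the key; a bare SHA-256 of an email address can be reversed by brute force over a list of known addresses.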

SIEM Architecture

The nervous system of security ops

Component     | Function                                        | Key consideration
Collection    | Agents, syslog, APIs pulling from sources       | Coverage: a missing server is a blind spot
Normalization | Convert different formats to a common schema    | Without it you cannot correlate Windows and Linux events
Correlation   | Connect related events across time and sources  | Login from Madrid, then Beijing 5 minutes later = alert
Detection     | Rules that trigger alerts on patterns           | Start with vendor rules, then customize heavily
Dashboards    | Visibility for analysts and executives          | SOC: real-time detail. CISO: weekly trends.
Retention     | How long logs are searchable or archived        | Hot: 30-90 days. Cold: 12-24 months.
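The normalization and correlation rows above, worked through in code as an added example (not from the original lesson or any vendor): a Windows logon event exported as JSON and a Linux sshd syslog line are mapped onto one schema, then successful logins are correlated per user and flagged when the implied travel speed between two source locations is impossible. The GeoIP table, the sample events (documentation-range IPs) and the 900 km/h threshold are assumptions constructed for the example; a real pipeline would query a GeoIP database.

```python
import json
import math
import re
from datetime import datetime
from typing import Optional

# Constructed GeoIP lookup (assumption standing in for a real GeoIP database).
GEOIP = {
    "203.0.113.10": ("Madrid", 40.4168, -3.7038),
    "192.0.2.5": ("Madrid", 40.4168, -3.7038),
    "198.51.100.7": ("Beijing", 39.9042, 116.4074),
}

# Constructed sample input. Windows Security events as exported JSON (4624 = logon success,
# 4625 = logon failure); Linux sshd lines in rsyslog's ISO-timestamp format.
SAMPLE_WINDOWS = [
    '{"EventID": 4624, "TimeCreated": "2024-05-03T10:00:00+00:00", "TargetUserName": "Alice", "IpAddress": "203.0.113.10"}',
    '{"EventID": 4625, "TimeCreated": "2024-05-03T10:02:00+00:00", "TargetUserName": "bob", "IpAddress": "198.51.100.7"}',
]
SAMPLE_SSHD = [
    "2024-05-03T09:30:00+00:00 web01 sshd[2100]: Accepted publickey for alice from 192.0.2.5 port 51002 ssh2",
    "2024-05-03T10:05:00+00:00 web01 sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 52114 ssh2",
    "2024-05-03T10:06:00+00:00 web01 sshd[2215]: Failed password for invalid user root from 198.51.100.7 port 52120 ssh2",
    "2024-05-03T11:00:00+00:00 web01 sshd[2300]: Accepted password for bob from 192.0.2.5 port 40010 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_windows(raw: str) -> dict:
    """Map a Windows logon event onto the common schema."""
    ev = json.loads(raw)
    return {
        "ts": datetime.fromisoformat(ev["TimeCreated"]),
        "user": ev["TargetUserName"].lower(),  # case-fold so 'Alice' and 'alice' correlate
        "src_ip": ev["IpAddress"],
        "outcome": "success" if ev["EventID"] == 4624 else "failure",
        "source": "windows",
    }


def normalize_sshd(raw: str) -> Optional[dict]:
    """Map an sshd syslog line onto the same schema; None for lines that are not logins."""
    m = SSHD_RE.match(raw)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"].lower(),
        "src_ip": m["ip"],
        "outcome": "success" if m["result"] == "Accepted" else "failure",
        "source": "linux",
    }


def km_between(a, b) -> float:
    """Great-circle (haversine) distance between two (lat, lon) pairs, in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh: float = 900.0):
    """Correlate successful logins per user across sources; flag consecutive logins
    whose implied travel speed exceeds max_kmh (roughly airliner speed)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "success" and e["src_ip"] in GEOIP:
            by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            city1, lat1, lon1 = GEOIP[prev["src_ip"]]
            city2, lat2, lon2 = GEOIP[cur["src_ip"]]
            dist = km_between((lat1, lon1), (lat2, lon2))
            if dist == 0:
                continue  # same city from a different IP is not suspicious on its own
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from": city1, "to": city2,
                               "minutes": round(hours * 60), "kmh": round(speed),
                               "sources": [prev["source"], cur["source"]]})
    return alerts


def run_pipeline(windows_lines, sshd_lines):
    """Collection already happened; this is normalization followed by correlation."""
    events = [normalize_windows(line) for line in windows_lines]
    events += [e for e in map(normalize_sshd, sshd_lines) if e is not None]
    return impossible_travel(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_WINDOWS, SAMPLE_SSHD):
        print(alert)
```

Note what the normalization step buys: the alert fires on a Windows logon followed by a Linux SSH login, which no single-source rule could see. The failed login from Beijing is deliberately ignored here; failures belong to a separate brute-force rule, and mixing them into travel correlation produces noise.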
Vendor Landscape

Choosing a SIEM

Splunk
Most powerful, most expensive. Dominant in enterprise. Volume-based pricing can surprise you.
Sentinel
Microsoft's cloud SIEM. Great for M365/Azure shops. Consumption pricing — monitor costs carefully.
Elastic
Open source option. Powerful but requires expertise to operate. Self-hosted or cloud.
Chronicle
Google's SIEM. Fixed pricing model — predictable costs regardless of volume.
Wazuh
Open source, free. Best option for SMBs starting from zero. Endpoint + SIEM in one.
Alert Fatigue

The silent killer

10,000+ alerts/day. Most false positives. Your analysts miss the real attack on page 47 of the queue. This is how breaches go undetected despite having a SIEM.

Tune
Fix or disable noisy rules. 50 false positives/week? Fix the rule. 20 well-tuned rules beat 500 noisy ones.
Tier
Not everything is critical. Critical (immediate), High (1hr), Medium (4hr), Low (batch review).
Automate
SOAR for the repetitive. Auto-enrich IPs, auto-block known-bad indicators, auto-close allowlist matches (approved scanners, known service accounts).
Measure
Track: false positive rate, MTTD, MTTR, alert-to-investigation ratio. If 95% are false positives, your SIEM is a liability.
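The Tune, Tier, Automate and Measure steps above, combined into one small triage routine as an added example (not from the original lesson or any SOAR product): allowlisted sources are auto-closed, open alerts get a response deadline from their tier, rules whose weekly false-positive count crosses a threshold are pushed to the tuning backlog, and the false positive rate, MTTD, MTTR and alert-to-investigation ratio are computed from the same records. The SLA table mirrors the text; the allowlist, the tuning threshold and the alert records (60 scanner-triggered port-scan alerts plus four real detections over one week) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tier deadlines from the lesson text; low-severity alerts have no clock and go to batch review.
SLA = {"critical": timedelta(0), "high": timedelta(hours=1), "medium": timedelta(hours=4), "low": None}
# Hypothetical allowlist: an approved internal vulnerability scanner.
ALLOWLIST_IPS = {"10.0.5.20"}
# Weekly false positives at which a rule is sent back for tuning (the text's "50 a week").
FP_TUNE_THRESHOLD = 50


def t(hhmm: str, day: int = 1) -> datetime:
    """Shorthand for constructed timestamps in one sample week."""
    return datetime(2024, 5, day, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)


def alert(rule, severity, src_ip, occurred, detected, resolved, true_positive):
    return dict(rule=rule, severity=severity, src_ip=src_ip, occurred=occurred,
                detected=detected, resolved=resolved, true_positive=true_positive)


# Constructed sample: a noisy port_scan rule firing on the scanner ten times a night for six nights,
# plus three impossible-travel alerts (one false) and one critical ransomware detection.
ALERTS = [alert("port_scan", "low", "10.0.5.20", t("02:00", d), t("02:01", d), t("02:01", d), False)
          for d in range(1, 7) for _ in range(10)]
ALERTS += [
    alert("impossible_travel", "high", "198.51.100.7", t("09:00"), t("09:05"), t("10:05"), True),
    alert("impossible_travel", "high", "203.0.113.9", t("11:00"), t("11:10"), t("11:40"), False),
    alert("impossible_travel", "high", "198.51.100.8", t("12:00"), t("12:15"), t("14:15"), True),
    alert("ransomware_behavior", "critical", "10.0.9.14", t("14:00"), t("14:10"), t("14:40"), True),
]


def triage(alerts):
    """Automate: close allowlist matches. Tier: stamp a deadline on everything else."""
    out = []
    for a in alerts:
        if a["src_ip"] in ALLOWLIST_IPS:
            out.append({**a, "status": "auto_closed", "due": None})
            continue
        sla = SLA[a["severity"]]
        out.append({**a, "status": "open", "due": a["detected"] + sla if sla is not None else None})
    return out


def rule_report(alerts):
    """Tune: per-rule false-positive counts, with an action for rules over the threshold."""
    stats = defaultdict(lambda: {"total": 0, "false_positives": 0})
    for a in alerts:
        s = stats[a["rule"]]
        s["total"] += 1
        if not a["true_positive"]:
            s["false_positives"] += 1
    for s in stats.values():
        s["fp_rate"] = round(s["false_positives"] / s["total"], 3)
        s["action"] = "tune_or_disable" if s["false_positives"] >= FP_TUNE_THRESHOLD else "keep"
    return dict(stats)


def soc_metrics(alerts):
    """Measure: the four numbers the text says to track, over one week of alerts."""
    triaged = triage(alerts)
    true_positives = [a for a in alerts if a["true_positive"]]
    investigated = [a for a in triaged if a["status"] == "open"]

    def mean_minutes(deltas):
        return sum(d.total_seconds() for d in deltas) / len(deltas) / 60 if deltas else 0.0

    return {
        "alerts": len(alerts),
        "false_positive_rate": round(sum(1 for a in alerts if not a["true_positive"]) / len(alerts), 3),
        "alert_to_investigation_ratio": round(len(investigated) / len(alerts), 3),
        # MTTD and MTTR only make sense for real incidents, so false positives are excluded.
        "mttd_minutes": mean_minutes([a["detected"] - a["occurred"] for a in true_positives]),
        "mttr_minutes": mean_minutes([a["resolved"] - a["detected"] for a in true_positives]),
    }


if __name__ == "__main__":
    print(soc_metrics(ALERTS))
    for rule, stats in rule_report(ALERTS).items():
        print(rule, stats)
```

On this constructed week the overall false positive rate is about 95%, exactly the headline figure, yet the SOC only had to look at four alerts because the scanner noise was auto-closed and the port_scan rule is flagged for tuning. The rate you report should be computed after automation, not before, or it measures the SIEM rather than the analysts' workload.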
Detection Maturity

Four levels of detection capability

Level 1
Basic Alerts
Vendor-provided rules, minimal tuning. High noise. Reactive only. Where most SMBs start.
Level 2
Tuned Detection
Custom rules for your environment. False positives managed. Incident response tested. Most mid-market target.
Level 3
Proactive Hunting
Dedicated threat hunters. Hypothesis-driven searches. Behavioral analytics. MITRE ATT&CK mapped coverage.
Level 4
Automated Response
SOAR playbooks auto-contain threats. ML-driven anomaly detection. Continuous improvement loop. Enterprise target.
Key Takeaway

Signal over noise

Remember this

200+ day average dwell time means most organizations don't know they've been breached for months.

A SIEM with 20 well-tuned rules beats one with 500 noisy rules. Quality over quantity.

Alert fatigue kills detection capability. Tune relentlessly, tier alerts, automate the repetitive.

Log everything security-relevant. Never log passwords or PII in plaintext.
