All projects
SIEM Detection EngineeringPlannedL3·9 min

SIEM Detection Pipeline for a Mid-Market SaaS Company

A planned learning exercise that models how a growing SaaS could detect credential abuse and lateral movement without adding analyst headcount.

Business Problem

A fictional Series B SaaS with 180 employees is flooded with low-quality alerts and lacks a way to prioritize what actually matters to the business.

Technical Analysis

Planned: map the top techniques from MITRE ATT&CK most relevant to a cloud-first workforce, then compare coverage against out-of-the-box SIEM content.

Architecture

Proposed architecture: log ingestion tier normalizes identity, endpoint, and SaaS audit logs into a common schema. Detection tier runs Sigma-derived searches on a schedule and routes findings through a triage playbook.

Tools Used
SplunkSigmaSysmonOkta logsPython
Solution
  1. 01Standardize identity events into a single index with common field names.
  2. 02Port a small library of Sigma rules and tune them against lab telemetry.
  3. 03Build a triage playbook that groups alerts by identity and asset criticality.
  4. 04Produce an executive dashboard showing time-to-triage and top risks by business unit.
Expected Deliverables
Planned
Detection ruleset
Proposed
Executive dashboard
Planned
Triage playbook
Detection maturity
Learning objective
Lessons Learned
  • · A detection is only useful if a human can act on it in under five minutes.
  • · The hardest part is not writing rules — it is convincing the business which risks to accept.
  • · Speaking in dashboards, not queries, is what earns budget.
Executive Summary

Learning objective: show how a small SaaS could cut alert noise, cover the techniques most likely to hurt the business, and give leadership a shared language for detection maturity.