A fictional Series B SaaS with 180 employees is flooded with low-quality alerts and lacks a way to prioritize what actually matters to the business.
Planned: map the top techniques from MITRE ATT&CK most relevant to a cloud-first workforce, then compare coverage against out-of-the-box SIEM content.
Proposed architecture: log ingestion tier normalizes identity, endpoint, and SaaS audit logs into a common schema. Detection tier runs Sigma-derived searches on a schedule and routes findings through a triage playbook.
- 01Standardize identity events into a single index with common field names.
- 02Port a small library of Sigma rules and tune them against lab telemetry.
- 03Build a triage playbook that groups alerts by identity and asset criticality.
- 04Produce an executive dashboard showing time-to-triage and top risks by business unit.
- · A detection is only useful if a human can act on it in under five minutes.
- · The hardest part is not writing rules — it is convincing the business which risks to accept.
- · Speaking in dashboards, not queries, is what earns budget.
Learning objective: show how a small SaaS could cut alert noise, cover the techniques most likely to hurt the business, and give leadership a shared language for detection maturity.