SOC Transformation

Onboarding Telemetry: Log Sources That Move the Needle

SOC Transformation Friday, January 8, 2027 16 min read For CIOs, CISOs & technology leaders
Share LinkedIn X

Most SOC modernization budgets are spent on detection content and dashboards, while the single variable that predicts whether a security operation actually catches anything — which log sources get onboarded, in what order, and at what fidelity — is left to whoever answers the ticket first. Fix the telemetry onboarding sequence and every downstream investment, from correlation rules to AI triage, starts paying for itself; get it wrong and no amount of automation will rescue a SOC that is blind in the places attackers actually operate.

The real bottleneck is not detection logic, it is telemetry sequencing

Ask a CISO what their SOC needs and the answer is usually framed as a tooling gap: better correlation rules, a new SIEM, more analysts, or an AI layer to cut alert fatigue. Ask a detection engineer the same question and the answer is almost always different — it is a data gap. You cannot detect lateral movement you never log, cannot triage an identity compromise without authentication telemetry, and cannot prove containment without endpoint process trees. Every mature detection engineering program eventually arrives at the same conclusion: the ceiling on SOC effectiveness is set by what telemetry is onboarded, normalized, and enriched — not by how clever the rules layer on top of it is.

This matters enormously at the leadership level because telemetry onboarding decisions are usually made bottom-up, source by source, driven by whichever system happens to have an available syslog output or whichever team screams loudest after an incident. That is a reactive, incident-driven onboarding pattern, and it produces SOCs with deep coverage of low-value sources (firewall allow/deny logs, generic OS event logs) and shallow or absent coverage of the sources that actually correlate with breach progression: identity provider logs, EDR telemetry, DNS, and cloud control-plane activity. The fix is not more logs. It is a deliberate, risk-ranked onboarding roadmap treated as a first-class engineering program with its own budget line, its own metrics, and its own executive sponsor.

This article lays out that roadmap: which sources move the needle, in what sequence, with what architecture, and how to restructure the SOC operating model — roles, detection engineering practice, metrics, and analyst experience — around an AI-augmented triage layer that can only be as good as the telemetry beneath it. We treat this as a strategy and operating-model problem first, and a technology problem second, because that is the order in which it actually gets solved.

Insight. Every breach post-mortem that ends with "we had the logs but didn't detect it" is a detection engineering failure. Every post-mortem that ends with "we didn't have the logs" is a telemetry onboarding failure — and it is the more common of the two, and the more expensive to discover after the fact.

Why onboarding sequence is a board-level decision, not an engineering backlog item

Telemetry onboarding consumes three finite resources that executives already track closely: ingest cost (most SIEM and data platform licensing is volume-based), engineering time (parsing, normalization, and enrichment work does not happen automatically), and analyst attention (every new source that is onboarded without tuning adds noise before it adds signal). Because those three resources are finite and because different log sources have wildly different detection value per unit of cost, the order in which sources are onboarded is functionally a resource allocation decision with direct P&L and risk implications. That makes it a decision that belongs in the operating model conversation the CISO has with the CIO and the board, not a task list handed to whichever engineer has SIEM access this quarter.

Consider the economics. A firewall generates enormous log volume — often the single largest ingest source in an environment — but the detection value of raw allow/deny records is low once basic perimeter monitoring exists; most lateral movement and privilege escalation never crosses that boundary at all. Identity provider logs, by contrast, generate a fraction of the volume but map almost one-to-one onto the techniques attackers use in the middle stages of an intrusion: impossible travel, MFA fatigue, token replay, privilege escalation through group membership changes. Onboarding cost per source should be evaluated against detection value per source, not against ingest volume, and most legacy SOC data platforms were built and priced in an era when that distinction was not made explicit.

The strategic reframe for leadership is this: telemetry onboarding is a portfolio allocation exercise across a fixed budget, and the objective function is detection coverage against the threats most likely to hurt the organization — not log volume, not source count, and not compliance checkbox completion. A CISO who can show the board a coverage map against a named threat model (ransomware kill chain, business email compromise, insider data exfiltration) is in a fundamentally stronger position than one who can only report "we ingest 40 log sources."

A decision framework: scoring log sources by detection value, not volume

To move onboarding from an ad hoc backlog to a defensible roadmap, score every candidate source across four dimensions and rank by the composite. This is the framework we use when building a telemetry roadmap as part of an agentic SOC transformation engagement.

  • Kill-chain coverage: how many stages of the MITRE ATT&CK matrix does this source give visibility into, and specifically which techniques used by threat actors relevant to this industry vertical?
  • Uniqueness of signal: is this the only source that can detect a given behavior, or does another already-onboarded source provide overlapping coverage? Redundant telemetry has diminishing marginal value.
  • Fidelity and context richness: does the source provide enough structured context (user identity, process lineage, source/destination, command line) to support automated triage, or does it require heavy manual correlation to be useful?
  • Onboarding cost: parsing complexity, normalization effort, licensing/ingest cost, and ongoing maintenance burden (schema drift, API changes, log format versioning).

Score each candidate source 1–5 on the first three dimensions and invert the cost dimension (low cost scores high), then rank. In nearly every environment we have assessed, this exercise reorders the intuitive priority list substantially — DNS query logs and identity provider logs routinely outrank additional firewall or proxy tiers that teams assumed were "next" simply because they were operationally familiar.

Log source categoryATT&CK stage coverageTypical onboarding costComposite priority
Identity provider (SSO/IdP, directory services)Initial access, credential access, privilege escalation, persistenceLow–MediumVery high
Endpoint detection and response (EDR) telemetryExecution, defense evasion, privilege escalation, lateral movementMediumVery high
DNS query logsCommand and control, exfiltration, initial access (phishing infra)LowHigh
Cloud control-plane (audit logs across IaaS/PaaS)Persistence, privilege escalation, defense evasion, collectionMediumHigh
Email security gateway / M365 or Workspace audit logsInitial access, collection, exfiltrationMediumHigh
Network flow / NetFlow-IPFIXLateral movement, discovery, exfiltrationMediumMedium–High
Privileged access management (PAM) session logsCredential access, privilege escalation, persistenceLow–MediumHigh
Firewall allow/deny (perimeter)Initial access (limited), reconnaissanceLow (already flowing)Medium
Generic OS/application event logs (non-endpoint agent)Execution (limited), fragmentaryLowLow–Medium
Database audit logsCollection, exfiltrationHighMedium (high for data-centric risk profiles)
Insight. If a threat-informed scoring exercise puts identity and endpoint telemetry above additional firewall tiers — and it almost always does — but your onboarding roadmap has firewall expansion next in the queue, the roadmap is being driven by what is easy to connect, not by what reduces risk.

Tier one: the sources that must be onboarded before anything else matters

Identity telemetry is the new perimeter log

In an environment where the network perimeter has dissolved into SaaS, remote access, and cloud infrastructure, identity events are the closest equivalent to the perimeter firewall log of a decade ago — the place where almost every attack path leaves a trace. Authentication events (success, failure, MFA challenge, MFA bypass), conditional access policy evaluations, privileged role assignments, and directory synchronization events collectively let a detection program catch credential stuffing, password spray, impossible-travel logins, session token theft, and privilege escalation via group membership manipulation. Organizations that onboard identity telemetry early and enrich it with user risk scoring see measurable reductions in dwell time for account-takeover incidents, because the signal-to-noise ratio on identity anomalies is far better than on network telemetry once basic baselining is in place. This is also the telemetry backbone that supports mature identity and privileged access monitoring, tying detection directly to the access-governance controls the audit committee already cares about.

Endpoint telemetry: process trees over signature hits

EDR-grade endpoint telemetry — process creation with full command-line arguments, parent-child process lineage, module loads, registry modifications, and network connections initiated by process — is non-negotiable for any SOC serious about detecting the middle and late stages of an intrusion. Antivirus alerts and signature hits are a different, much weaker category of telemetry: they tell you a known-bad file was blocked, not what an attacker did once they were inside. The detection engineering value of raw process telemetry is that it supports behavioral detections (living-off-the-land binary abuse, encoded PowerShell, credential dumping tool execution) that no signature will ever catch, and it gives an AI triage layer the structured context needed to auto-correlate an alert with what actually happened on the host before and after.

DNS: cheap, high-signal, chronically under-prioritized

DNS query logs are frequently the most underrated source in a telemetry roadmap. They are inexpensive to collect, low in volume relative to network flow, and extraordinarily useful for detecting command-and-control beaconing, domain generation algorithm (DGA) activity, data staging via DNS tunneling, and newly-registered-domain communication patterns that correlate strongly with phishing infrastructure. Many SOCs never onboard DNS logs formally because the recursive resolvers are managed by network operations and nobody owns the integration. That ownership gap, not a technical barrier, is usually the actual blocker — and it is a symptom of the operating-model problem this article returns to below.

Tier two: cloud, SaaS, and the sources that catch what perimeter thinking misses

Once identity, endpoint, and DNS are onboarded and tuned, the next tier addresses the reality that most enterprise data and workloads now live in cloud and SaaS platforms that a traditional network-centric SOC was never built to see. Cloud control-plane audit logs — the record of every API call made against cloud infrastructure, including who created a resource, changed a security group, or assumed a role — are the cloud equivalent of endpoint process telemetry: they show what actually happened, not just what traffic crossed a boundary. Attackers who compromise a cloud identity rarely need to touch the network at all; they call APIs directly, and if control-plane logging is not onboarded and correlated with identity context, that entire class of attack is invisible.

Email remains the single most common initial access vector in nearly every industry vertical, which makes email security gateway logs and native mailbox audit logs (message trace, mailbox rule changes, forwarding rule creation, OAuth app consent grants) a tier-two priority that many organizations still treat as a compliance afterthought rather than a detection source. Mailbox rule creation and OAuth consent grant telemetry in particular catch a specific, high-value attacker behavior: post-compromise persistence via silent forwarding rules or malicious app registrations, which is frequently how business email compromise actors maintain access after a password reset forces them out of interactive sessions.

Network flow data (NetFlow, IPFIX, or equivalent) and PAM session recording round out this tier. Flow data is lower-fidelity than full packet capture but vastly cheaper to store and sufficient for detecting lateral movement patterns, unusual east-west traffic, and data staging behavior when correlated with identity and endpoint context. PAM session logs close a specific and high-risk gap: privileged session activity on systems that do not have endpoint agents deployed, such as network devices, hypervisor management interfaces, and legacy systems that cannot run modern EDR.

Identity + EndpointTier 1 — kill-chain backbone
DNS + Cloud Control PlaneTier 2 — visibility into modern attack paths
Email + Network Flow + PAMTier 2 continued — closes remaining blind spots
Application & DatabaseTier 3 — risk-specific enrichment

Tier three sources — application-level audit logs, database activity monitoring, OT/ICS telemetry, and container/Kubernetes audit logs — are onboarded based on the organization's specific risk profile rather than a universal sequence. A financial services firm with a data-centric threat model should pull database audit logs forward; a manufacturer with significant OT exposure should prioritize ICS network telemetry earlier than the generic sequence suggests. The tiering above is a default prior, not a rigid law, and the scoring framework from the previous section is precisely the tool used to re-rank it for a specific organization's risk profile.

Architecture: ingestion is the easy part, normalization and enrichment are where value is made

Connecting a new log source to a SIEM or data platform is rarely the hard part of onboarding — most modern platforms make raw ingestion straightforward. The work that actually determines whether a source moves the needle happens after ingestion: parsing into a normalized schema, enriching with identity and asset context, and making the resulting data available to both correlation rules and AI triage models in a consistent shape. A raw authentication log that says "user X authenticated from IP Y" is not useful until it is enriched with the user's role, their normal authentication pattern (baseline geography, device, time-of-day), the IP's reputation and geolocation, and whether the device is a known-managed asset. That enrichment layer is where most onboarding budgets are underfunded relative to the raw ingestion budget, and it is the most common reason a newly onboarded source produces noise instead of detections for months after go-live.

A layered architecture makes this explicit and gives leadership a clear place to ask "where is the value being added" during budget reviews.

Detection & AI triage — correlation rules, behavioral models, agentic investigation
Enrichment layer — identity context, asset criticality, threat intel, baselining
Normalization layer — common schema, field mapping, timestamp alignment
Ingestion & collection — agents, syslog, API pollers, cloud-native log export

Normalization to a common schema — whether that is OCSF, a vendor-native common information model, or an internally defined schema — matters more than it sounds like it should, because every downstream detection rule and every AI model that reasons over the data depends on field consistency across sources. A detection rule written against one vendor's field names silently breaks or under-fires when the underlying log source changes format or is replaced, and this is one of the most common causes of "detection decay" that goes unnoticed until an incident retrospective. This is precisely the layer where a unified data foundation like MoxDB earns its keep: normalizing heterogeneous telemetry into a consistent schema once, rather than re-solving the mapping problem inside every rule and every model that consumes the data.

Enrichment context that should be attached at ingestion time, not computed ad hoc during investigation, includes: asset criticality tier (so an anomaly on a domain controller is weighted differently than the same anomaly on a kiosk workstation), identity role and privilege level, known baseline behavior for the user or host, and current threat intelligence relevance (is this IP, domain, or hash associated with an active campaign). Attaching this context at ingestion rather than at query time is what allows an AI triage layer, such as the correlation and enrichment engine behind AI-driven XDR alert triage, to make a confident disposition decision in seconds rather than requiring an analyst to manually pull five different context sources for every alert.

Rebuilding detection engineering as a standing discipline, not a rules backlog

Most SOCs still treat detection content as something that accumulates: a rule gets written after an incident, a vendor content pack gets imported wholesale, and nobody revisits either one until it either misfires enough to get disabled or a gap is discovered the hard way. That model does not scale to an environment where telemetry sources, cloud services, and attacker techniques are all changing continuously. The organizations that get measurably better detection outcomes treat detection engineering the way a mature software team treats a codebase: version-controlled detection logic, test coverage against known attack techniques, a deprecation process for rules that no longer fire or no longer map to relevant threats, and a review cadence tied to the ATT&CK framework rather than to whatever incident happened most recently.

This requires a structural change to how the detection engineering function is staffed and measured. Detection engineers should be a distinct role from SOC analysts — not a senior analyst doing rule-writing in spare cycles, but a dedicated function with its own backlog, its own coverage map, and its own accountability for detection quality metrics (true positive rate, mean time to detect for specific technique classes, rule staleness). The detection engineering backlog should be explicitly driven by the telemetry onboarding roadmap: every new source onboarded should arrive with a paired set of detections designed against it, not bolted on months later once someone notices the data is sitting unused.

A practical mechanism that works well operationally is a "detection-as-code" pipeline: detection logic lives in a repository, changes go through peer review, every rule has an associated test case built from either a red team exercise or an atomic technique simulation, and rules are tagged against the ATT&CK technique they cover so leadership can query coverage directly ("what percentage of the techniques used by ransomware group X do we have detection coverage for") rather than relying on anecdote. This is also the substrate that makes an agentic detection layer trustworthy: an AI system that proposes new detection logic or tunes existing rules needs the same version control, testing, and human review gates as a human-authored rule, and organizations that skip this step when adopting AI-assisted detection engineering end up with unauditable rule drift.

Insight. A detection rule with no associated test case and no ATT&CK mapping is a liability disguised as an asset — it consumes analyst attention on every fire, and nobody can tell you with confidence whether it still catches what it was written to catch.

Redesigning SOC roles for an AI-augmented operating model

The traditional three-tier SOC model — Tier 1 triage, Tier 2 investigation, Tier 3 hunting and engineering — was built around a scarcity assumption: human attention is the bottleneck, so route the easy alerts to the least experienced analysts and escalate up a chain as complexity increases. That model is now actively counterproductive in environments where an AI triage layer can absorb the volume of low-complexity, high-confidence dispositions that used to occupy the majority of Tier 1 capacity. Keeping a large Tier 1 function staffed to manually triage volume that a well-tuned AI layer can already disposition with equal or better accuracy is not a caution; it is a waste of the organization's most perishable resource, which is skilled analyst attention.

The operating model that works instead reallocates human capacity toward the work that genuinely requires human judgment: ambiguous cases the AI layer flags as low-confidence, novel technique investigation, threat hunting hypotheses that have not yet been codified into detections, and incident response coordination that requires organizational context an AI model does not have. This does not eliminate Tier 1 as a career stage — it changes what Tier 1 analysts spend their time doing, from repetitive alert acknowledgment toward supervised validation of AI dispositions, hypothesis generation, and detection engineering apprenticeship. This shift is the operating-model core of what an agentic SOC actually means in practice: it is not "add a chatbot to the SIEM," it is a redesign of what humans and AI agents are each responsible for across the investigation lifecycle.

AI triage layer

Enriches, correlates, and dispositions high-volume, well-understood alert patterns against onboarded telemetry with full context attached.

Analyst-in-the-loop review

Validates low-confidence AI dispositions, provides feedback that retrains and tunes the model, owns escalation judgment calls.

Detection engineering

Owns the onboarding-to-detection pipeline, maintains coverage maps, retires stale rules, builds tests against new techniques.

Threat hunting & IR

Pursues hypotheses the AI layer cannot yet formalize into a rule, leads coordinated response for confirmed incidents.

This redesign also changes hiring and retention economics in ways worth surfacing at the board level. Entry-level SOC analyst roles have historically had punishing attrition rates — the work is repetitive, the volume is unmanageable, and burnout is structural rather than incidental. An operating model where the AI layer absorbs repetitive triage and humans spend their time on judgment-intensive work is not just more effective at catching threats; it materially improves analyst retention, which reduces the very expensive cycle of hiring and retraining that most CISOs already know is a hidden cost center. Retention improvement should be modeled explicitly in the ROI case for an AI-augmented operating model, alongside detection and response time metrics, because it is frequently the largest single line item in the total cost comparison.

Role redesign has to be paired with a governance change: someone has to own the feedback loop between analyst review and AI model tuning, or the model drifts and trust erodes. This is typically a detection engineering responsibility rather than a SOC management responsibility, because it requires the same rigor — version control, testing, measured rollback criteria — as any other production system change.

Metrics: measuring telemetry and detection maturity the board will actually understand

Most SOC metrics reported to boards are activity metrics — alerts processed, tickets closed, average response time — that say nothing about whether the organization is actually harder to breach. A metrics framework anchored to telemetry onboarding and detection coverage tells a fundamentally different and more useful story, because it connects operational activity to risk reduction in a way a board or audit committee can actually evaluate.

  • ATT&CK technique coverage percentage: what proportion of techniques relevant to the organization's threat model (informed by industry-specific threat intelligence) have a validated, tested detection, broken down by kill-chain stage.
  • Mean time to detect (MTTD) by technique class, not as a single blended number — credential compromise detection speed and ransomware pre-encryption detection speed are different metrics with different acceptable thresholds.
  • Telemetry coverage against critical assets: what percentage of assets classified as critical (domain controllers, crown-jewel data stores, internet-facing systems) have full-fidelity endpoint and identity telemetry flowing, versus partial or none.
  • Detection-to-noise ratio: true positive rate per rule and per source, tracked over time, to catch detection decay before it becomes an incident.
  • AI disposition accuracy and override rate: what percentage of AI triage dispositions are overturned on human review, tracked as a leading indicator of model trust and tuning quality.
  • Cost per validated detection: total onboarding, ingest, and engineering cost divided by the number of true-positive detections a source has contributed, which is the metric that actually justifies or kills a telemetry investment.
  • Analyst time allocation: percentage of analyst hours spent on repetitive triage versus judgment-intensive investigation and hunting, tracked as the operating-model health indicator.

The cost-per-validated-detection metric deserves particular emphasis because it is the one most consistently absent from vendor and internal reporting, and it is the one that actually settles onboarding-priority arguments with data rather than opinion. A source that costs relatively little to ingest but has produced zero validated detections in six months either needs better detection content built against it or does not belong in the roadmap at its current priority. Conversely, a source with high per-unit ingest cost but a strong validated-detection track record is earning its budget line regardless of raw volume, and that argument is far more persuasive to a CFO than "we need more visibility."

MetricWhat it revealsReporting cadence
ATT&CK technique coverage %Structural detection gaps against the actual threat modelQuarterly, board-level
MTTD by technique classOperational speed, segmented by attack type severityMonthly, SOC leadership
Critical-asset telemetry coverageBlind spots on the assets that matter mostQuarterly, risk committee
Detection-to-noise ratioDetection content decay and analyst fatigue riskMonthly, detection engineering
AI override rateModel trust, tuning quality, and driftWeekly during rollout, monthly steady-state
Cost per validated detectionWhether a telemetry investment is actually earning its budgetQuarterly, CISO/CFO review

Analyst experience: the operating model change that determines whether any of this sticks

Telemetry, detection engineering rigor, and AI triage all fail together if the day-to-day experience of the analyst using the resulting system is worse than the manual process it replaced. This is the part of SOC modernization most often underinvested in, because it is not a procurement line item — it is workflow design, interface design, and trust-building between analysts and an AI layer that is making dispositions on their behalf. An AI triage system that produces a correct verdict but presents it as an opaque score with no supporting evidence will be ignored or routinely overridden by analysts regardless of its actual accuracy, because analysts are professionally and legally accountable for missed detections and will not act on a recommendation they cannot audit.

The design pattern that earns analyst trust is showing the reasoning, not just the verdict: which enriched telemetry fields drove the disposition, which baseline was compared against, and what similar historical cases were used as reference points. This is also where the earlier onboarding and enrichment work pays a second dividend — an AI system that has full identity, endpoint, and asset context attached to an alert can produce a genuinely explainable disposition ("this login matches this user's normal pattern except for a new device fingerprint, and the device has since completed additional MFA challenges consistent with legitimate use"), whereas a system working from unenriched raw logs can only produce a probability score with no narrative, which analysts correctly treat with suspicion.

Analyst experience redesign should also address alert consolidation. A single attacker action frequently generates alerts across multiple onboarded sources — an anomalous login, a suspicious process execution, an unusual outbound DNS query — and presenting these as three separate tickets to three different queues is a direct tax on analyst cognitive load and a direct cause of missed correlations. Case-based consolidation, where the AI layer groups telemetry from multiple sources into a single incident narrative before it ever reaches a human, is one of the highest-leverage changes an organization can make to analyst throughput, and it is only possible once the underlying telemetry has been normalized to a common schema, which is why this article has treated normalization as foundational rather than incidental.

Insight. An AI triage system analysts do not trust enough to act on is worse than no AI system at all — it adds a review step without removing any of the original workload, and it quietly erodes confidence in every future automation initiative.

A step-by-step rollout playbook

Translating the framework above into an executable program requires a sequence that respects both the technical dependencies (you cannot enrich what is not normalized, cannot detect on what is not enriched) and the organizational reality that budget and attention are released in phases, not all at once.

  1. Build the threat-informed asset and risk model first. Before ranking any log source, define which threat scenarios matter most for this organization — ransomware, business email compromise, insider data theft, supply chain compromise — and which assets are truly critical. This model is the input to the scoring framework, and skipping it produces a generic onboarding order that ignores the organization's actual risk profile.
  2. Run the source scoring exercise against current telemetry state. Inventory what is already onboarded, score every candidate source (onboarded or not) against kill-chain coverage, uniqueness, fidelity, and cost, and produce a ranked roadmap with explicit rationale for the order.
  3. Onboard Tier 1 sources with enrichment built in from day one. Do not onboard identity and endpoint telemetry raw and plan to enrich later — build the identity context, asset criticality tagging, and baseline logic as part of the initial onboarding sprint, because retrofitting enrichment onto months of unenriched data is far more expensive than building it in from the start.
  4. Pair every onboarded source with detection content before declaring it "live." A source is not done onboarding when data is flowing into the platform; it is done when there are tested, ATT&CK-mapped detections built against it and validated with a simulated or red-team-generated technique.
  5. Stand up the detection-as-code pipeline in parallel, not after. Version control, peer review, and test cases for detection logic should exist before the detection backlog grows large enough that retrofitting process discipline becomes its own project.
  6. Introduce AI triage incrementally, source by source, with override tracking from day one. Do not flip on AI disposition across the entire alert volume simultaneously; roll it out against the highest-confidence, highest-volume alert classes first, track override rates closely, and expand scope as trust and accuracy are demonstrated.
  7. Redesign analyst roles and metrics in lockstep with AI rollout, not after it has already changed workload distribution informally. Analysts should know, explicitly, what their role is shifting toward before the shift happens, or the change reads as headcount risk rather than capability growth.
  8. Report coverage and cost-per-detection metrics to the board quarterly, tying every telemetry and tooling investment back to a measurable change in ATT&CK coverage or detection speed, not to activity volume.

This sequencing generalizes well beyond a pure security operations center. Organizations running converged operations — where security and IT operations telemetry increasingly overlap in cloud and identity infrastructure — should apply the same onboarding discipline across an integrated NOC-SOC model, since the identity and cloud control-plane sources that matter most for security detection are frequently the same sources IT operations teams need for availability and performance monitoring. Treating these as separate onboarding programs duplicates engineering effort and produces inconsistent enrichment across two teams looking at the same underlying data.

Risk and ROI framing for the boardroom

Executives evaluating a telemetry and SOC modernization investment need the case made in terms of risk reduction and cost avoidance, not technical completeness. The most defensible version of that case has three components. First, quantify current blind spots in dollar terms by mapping uncovered ATT&CK techniques to the threat scenarios most likely to affect the organization and estimating the cost of a successful incident along that path — using industry breach cost benchmarks adjusted for the organization's size and sector gives a credible order-of-magnitude figure without requiring speculative precision. Second, show the marginal cost of closing the highest-priority gaps using the scoring framework, making clear that the roadmap is sequenced by risk reduction per dollar rather than by an arbitrary source list. Third, tie the operating-model redesign to a measurable reduction in both detection/response time and analyst attrition cost, since the retention benefit alone frequently offsets a meaningful share of the technology investment.

This framing also supports a more honest conversation about what AI actually changes in the ROI case. AI triage does not reduce the need for good telemetry — it amplifies the value of telemetry that is already well-normalized and enriched, and it amplifies the cost of telemetry that is not. Boards should be told plainly that an AI layer bolted onto poorly onboarded, unenriched telemetry will underperform expectations and generate exactly the kind of high-profile automation failure that damages trust in the entire modernization program. The sequencing argument in this article — telemetry and enrichment first, detection engineering discipline second, AI triage layered on top of both — is as much risk management for the AI investment itself as it is a detection strategy.

Continuous exposure management complements this telemetry-first approach by ensuring the assets generating (or failing to generate) telemetry are themselves continuously assessed for exploitability, closing the loop between what the organization can see and what it is actually exposed to. Programs built around continuous threat exposure management and platforms like CyberMox are designed around exactly this pairing: exposure visibility informing telemetry priority, and telemetry validating whether exposure remediation is actually holding.

Key takeaways

  • Telemetry onboarding sequence, not detection rule volume, is the primary variable that determines SOC effectiveness — treat it as a resource allocation decision, not an engineering backlog.
  • Score candidate log sources on kill-chain coverage, signal uniqueness, fidelity, and onboarding cost — not on ingest volume — and expect the ranking to reorder intuitive priorities.
  • Identity telemetry and endpoint process-level telemetry are the modern equivalent of the perimeter firewall log and belong at the top of every onboarding roadmap; DNS is cheap, high-signal, and chronically under-prioritized.
  • Normalization and enrichment, not raw ingestion, are where telemetry value is actually created — and where most onboarding budgets are underfunded relative to raw connection work.
  • Detection engineering needs to be a standing discipline with version control, test coverage, and ATT&CK-mapped rules — not a backlog that accumulates after incidents.
  • The three-tier SOC model built around human-attention scarcity should be redesigned around what AI triage can absorb, reallocating analyst time toward judgment-intensive investigation and hunting.
  • Metrics should connect telemetry and detection investment to risk reduction — ATT&CK coverage, cost per validated detection, and AI override rate — not activity counts like tickets closed.
  • Analyst trust in AI triage depends on explainability built from enriched context, not just a probability score, and analyst experience redesign is what determines whether any of this modernization actually sticks.

Frequently asked questions

Which log source should a SOC onboard first if it can only choose one?

Identity provider telemetry, in almost every environment. It offers the broadest kill-chain coverage per unit of onboarding cost, catches the initial access and privilege escalation stages that most other sources miss, and provides the identity context needed to enrich every other source onboarded afterward.

How do we know if a log source is actually earning its ingest cost?

Track cost per validated detection: total onboarding, ingest, and maintenance cost for a source divided by the number of confirmed true-positive detections it has contributed over a defined period. Sources with low validated-detection output relative to cost either need dedicated detection content built against them or should be deprioritized in favor of higher-scoring candidates.

Does introducing AI triage reduce the need to keep expanding telemetry coverage?

No — it does the opposite. AI triage amplifies the value of well-normalized, enriched telemetry and amplifies the cost of gaps, because a model reasoning over incomplete context produces less confident, less explainable dispositions. Telemetry coverage and enrichment quality should be treated as the foundation the AI layer depends on, not a parallel workstream.

How long does a full telemetry onboarding roadmap typically take to execute?

Tier one sources (identity, endpoint, DNS) with paired detection content typically take one to two quarters for a mid-sized enterprise, assuming dedicated detection engineering resources. Tier two sources (cloud control-plane, email, network flow, PAM) add another two to three quarters. Organizations that try to compress this timeline by skipping enrichment or detection content pairing tend to end up re-doing the work later at higher cost.

Build a telemetry roadmap that actually reduces risk

Algomox helps security and IT leaders score, sequence, and operationalize log source onboarding against a real threat model — then pairs it with an AI-native detection and triage layer built on normalized, enriched telemetry from day one.

Talk to us
AX
Algomox Research
SOC Transformation
Share LinkedIn X