Full Report
## A Familiar Hype Cycle

Artificial-intelligence agents embedded in security information and event management (SIEM) platforms promise to automate investigation and triage. Some are claiming that AI will replace human analysts. Yet the effectiveness of any analytic model, machine-learning or rule-based, remains constrained by the quality of the telemetry it receives. If essential events or log fields are missing, even the most sophisticated model will misclassify or overlook malicious activity.

Threat-informed defence offers a rigorous, repeatable framework for determining exactly which logs, and which log fields, are required to detect the tactics, techniques, and procedures (TTPs) of the cyber threat actors (CTAs) that actively target your industry and geography. Continuous cyber threat intelligence (CTI) keeps those requirements aligned with the evolving threat landscape.

## AI Agents Cannot Compensate for Missing Telemetry

Modern SIEMs can ingest billions of events per day, and AI agents excel at correlating and prioritising this volume. However, even the most advanced AI analytics cannot overcome fundamental telemetry gaps. An effective detection pipeline still depends on three conditions:

1. The required event types must be collected.
2. The specific fields needed for analysis must be present.
3. The data must arrive clean, consistently formatted, and in near-real time.

When any of these prerequisites fails, for example when critical command-line parameters are excluded to save storage or endpoint logs arrive hours late, true positives become false negatives, alerts lack sufficient context, and investigations stall.

On the flip side, attempting to “ingest everything” is neither sustainable nor cost-effective. Only a disciplined, intelligence-driven log-onboarding strategy ensures that AI is working with evidence strong enough to justify automated decisions.

## Threat-Informed Defence: A Four-Step Method

1. **Identify Relevant Adversaries:** Use curated CTI to determine which actors are actively targeting organisations with your industry profile and geographic footprint.
2. **Enumerate Their TTPs:** Map each adversary’s behaviours to MITRE ATT&CK techniques. This creates a formalised threat model grounded in evidence.
3. **Link Techniques to Detection Data Sources:** ATT&CK provides data-source-to-technique mappings (Data Source IDs). Translate these into specific log sources. For example, DS0017: Command Execution maps to Windows Event ID 4688 plus parent-process correlation in EDR telemetry.
4. **Validate Log Coverage and Field Completeness:** Build a matrix indicating whether each required source and field is present (green), partially present (yellow), or absent (red). The matrix becomes both a roadmap for engineering work and an audit artefact for regulators and executives.

Once established, this process should be repeated on a defined cadence or whenever major technology changes occur.

## Case Study: Financial Institutions in South America

Key findings from Arachne Digital CTI for financial institutions across South America, taken on 21 June 2025, included:

- Primary adversaries: FIN7, TA549, Battery Elf, Gold Lagoon, and APT44
- High-frequency techniques:
  - T1059.001 PowerShell
  - T1105 Ingress Tool Transfer
  - T1555.003 Credentials from Web Browsers
  - T1190 Exploit Public-Facing Application
  - T1005 Data from Local System

From these techniques, the data-source requirements are:

- **T1059.001 PowerShell:** essential data sources are Command and Process logs; critical data components are Command Execution and Process Creation.
- **T1105 Ingress Tool Transfer:** essential data sources are File and Network Traffic logs; critical data components are File Creation and Network Traffic Content.
- **T1555.003 Credentials from Web Browsers:** essential data sources are File and Process logs; critical data components are File Access and OS API Execution.
- **T1190 Exploit Public-Facing Application:** essential data sources are Application Log and Network Traffic logs; critical data components are Application Log Content and Network Traffic Content.
- **T1005 Data from Local System:** essential data sources are Process and Script logs; critical data components are Process Creation and Script Execution.

Often, required fields are absent or inconsistently collected, primarily because default configurations suppress “verbose” logging categories. Whether you work with a SOC as a CISO or as a tier-one analyst, can you say that you know all the CTAs relevant to your organisation, their current TTPs, and that all the required logs are ingested into your SIEM with all the required fields? And do you have a way to stay up to date as the CTAs and TTPs shift?

If you can’t, an AI agent won’t solve your fundamental issue.

To prepare for deploying AI agents, maintain a configuration-management baseline that specifies the event ID, logging channel, and policy setting for each ATT&CK data component. Automate compliance checks via PowerShell, Ansible, or your preferred configuration-management tool.

## Cost-Efficiency: Log More Where It Matters, Less Where It Doesn’t

Strengthening telemetry does not have to mean runaway storage bills. The same ATT&CK-aligned matrix that highlights missing data sources also exposes over-collected ones: logs and fields that contribute little or nothing to the detections relevant to your threat model.

For each log source:

1. Tag the ATT&CK techniques it enables and assign a rough business value: high (closes a critical detection gap), medium (useful enrichment), or low (no mapped techniques).
2. Pull ingestion metrics from your SIEM or data-lake billing dashboard to calculate daily gigabytes and monthly cost.
3. Create a simple 3×3 heat map (value on one axis, cost on the other). Anything “low value / high cost” is a candidate for optimisation.

Based on your findings you can make a judgement to:

- **Retain but Tier:** Move low-value logs to cold or object storage with longer query latency but a fraction of the price.
- **Sample or Filter:** Keep only events that include fields tied to medium or high ATT&CK value. For example, you could consider dropping firewall allows while retaining denies.
- **Shorten Retention:** Regulatory requirements rarely mandate 365-day hot storage for every log type. Right-size retention based on compliance need plus investigative usefulness.

Dollars freed by pruning low-value telemetry can bankroll the onboarding of high-value sources, extended EDR fields, detailed SaaS audit logs, or container runtime events, without increasing the overall budget line.

Also, track the before-and-after cost curve alongside detection coverage metrics. This evidence helps justify future security spend to finance and the board.

Threat-informed defence is not just a security win; it’s a budget optimisation tool that ensures every gigabyte you keep is pulling its weight.

## Continuous Intelligence Keeps the Matrix Current

Threat landscapes are dynamic:

- New or re-emerging groups (e.g., FIN6, applicable to the case study above) may adopt techniques that demand additional telemetry.
- Shifts in tooling (for example, PowerShell use declining and WMI use rising) alter the priority of data sources.
- Emerging vulnerabilities introduce detection requirements for previously irrelevant platforms.

Arachne Digital’s feeds deliver sector-specific intelligence as machine-readable JSON, including ATT&CK mappings and first-/last-seen dates. Integrating this feed with your log-coverage matrix allows automatic creation of engineering tickets whenever a new technique enters the scope of relevant threats, or when there are possible cost savings to be made.

By contrast, deploying AI on incomplete data often increases workload, as analysts chase poorly prioritised or context-deficient alerts.

## Implementation Roadmap

1. **Acquire an Industry-Specific Intelligence Baseline:** Free introductory reports and API trials are available from Arachne Digital.
2. **Construct or Update the ATT&CK Log-Coverage Matrix:** Include source, event ID, and critical fields. Mark gaps clearly.
3. **Remediate Gaps:** Prioritise high-impact techniques and low-effort fixes. Align storage budgets with security value.
4. **Automate Continuous Validation:** Combine configuration-management tools with CTI updates to keep the matrix evergreen.
5. **Deploy or Enhance AI Analytics:** Once telemetry quality is verified, AI agents can work to their full potential.

## How Arachne Digital Accelerates the Process

- **Thread & Tracery:** Automatically map threat-report text to ATT&CK techniques, providing machine-readable context suitable for log-engineering workflows.
- **Sector-Focused Intelligence Feeds:** Deliver only the adversary activity relevant to your environment, reducing analysis overhead.
- **Human-Curated Accuracy:** Experienced analysts validate each mapping, ensuring false data does not contaminate automated pipelines.

Customers who adopt this threat-informed-defence methodology typically realise measurable gains within one quarter, including a reduction in false positives as redundant or missing telemetry is corrected, and faster incident triage due to richer context in each alert. Threat-informed defence will also set your SOC up for success come audit time, through a maintained ATT&CK-aligned evidence trail.

## Are You Ready?

AI agents offer genuine value in security operations, but they cannot transcend fundamental telemetry limitations. Threat-informed defence, anchored by current, high-fidelity CTI, remains the most efficient path to ensuring that the “right logs with the right fields” reach your SIEM. Only when that foundation is secure can AI reliably assume analytic tasks and allow your human teams to focus on higher-order tasks.

If you would like to review a complimentary, sector-specific ATT&CK coverage report, or to explore how Arachne Digital can integrate continuous intelligence directly into your log-engineering workflows, contact us at [email protected].
Analysis Summary
# Best Practices: Threat-Informed Defence for Effective Security Telemetry and AI Augmentation
## Overview
These practices detail how to implement a **Threat-Informed Defence (TID)** strategy to ensure that Security Information and Event Management (SIEM) systems, especially those utilizing AI agents, receive the necessary, high-quality telemetry (logs and specific fields) required to effectively detect the Tactics, Techniques, and Procedures (TTPs) employed by relevant cyber threat actors (CTAs). The core principle is that AI effectiveness is directly constrained by data quality, making disciplined log onboarding essential.
## Key Recommendations
### Immediate Actions (Within 2 Weeks)
1. **Identify Relevant Adversaries:** Leverage Continuous Cyber Threat Intelligence (CTI) to curate a list of adversaries actively targeting your specific industry profile and geographic location.
2. **Map TTPs to ATT&CK:** For the identified adversaries, formally map their known behaviors to specific techniques within the MITRE ATT&CK framework.
3. **Establish Initial Coverage Matrix:** Begin constructing a matrix tracking required log sources and critical fields against the TTPs identified, marking coverage as Present, Partially Present, or Absent (Green/Yellow/Red status).
### Short-term Improvements (1-3 months)
1. **Link Techniques to Specific Data Sources:** Translate the required ATT&CK techniques into concrete log sources, specific Event IDs (e.g., Windows Event ID 4688), and the necessary distinct log fields required for detection.
2. **Remediate Obvious Telemetry Gaps:** Prioritize closing critical coverage gaps (fields marked 'Red') that align with high-impact, active adversary TTPs, focusing on low-effort fixes first.
3. **Verify Data Quality Prerequisites:** Confirm that essential event types (logs) are being collected, that required fields are present during ingestion, and that data arrives in a clean, consistently formatted, near-real-time manner.
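The following script is an added example (not Arachne Digital's code) of the coverage-matrix step described in the Full Report and in the Immediate and Short-term actions above: it takes the technique-to-data-component table from the case study, a table of which log source and fields each data component needs, and an inventory of what the SIEM actually receives, and grades each technique green, yellow or red. It then re-reads a CTI feed snapshot in the JSON shape the report describes (ATT&CK mapping plus first-/last-seen dates) and turns every non-green cell for an in-scope technique into an engineering ticket, which is the "new technique enters scope" automation the report outlines. The log-source names, event IDs, field names, SIEM inventory and feed records are constructed assumptions; the actor names are placeholders, not attributions, and T1047 is used only as an in-scope technique that has not yet been mapped to data components.

```python
"""Build an ATT&CK log-coverage matrix and turn its gaps into engineering tickets.

Added example, not Arachne Digital's code. The technique -> data-component
table is the one in the case study; log-source names, event IDs, field names,
the SIEM inventory and the CTI feed records are constructed assumptions.
"""
from __future__ import annotations

GREEN, YELLOW, RED = "green", "yellow", "red"

# Steps 2-3: ATT&CK technique -> critical data components (from the case study).
REQUIRED_COMPONENTS: dict[str, set[str]] = {
    "T1059.001": {"Command Execution", "Process Creation"},
    "T1105": {"File Creation", "Network Traffic Content"},
    "T1555.003": {"File Access", "OS API Execution"},
    "T1190": {"Application Log Content", "Network Traffic Content"},
    "T1005": {"Process Creation", "Script Execution"},
}

# Step 3: data component -> (log source, fields that must be present).
# Assumed source/field names; substitute the schema of your own SIEM.
COMPONENT_REQUIREMENTS: dict[str, tuple[str, set[str]]] = {
    "Command Execution": ("windows:security:4688", {"NewProcessName", "CommandLine", "ParentProcessName"}),
    "Process Creation": ("windows:security:4688", {"NewProcessName", "ParentProcessName"}),
    "Script Execution": ("windows:powershell:4104", {"ScriptBlockText"}),
    "File Creation": ("edr:file", {"path", "sha256", "process"}),
    "File Access": ("edr:file", {"path", "process", "operation"}),
    "OS API Execution": ("edr:api", {"api", "process"}),
    "Network Traffic Content": ("proxy:http", {"dest_host", "url", "user_agent", "bytes_out"}),
    "Application Log Content": ("webapp:access", {"uri", "status", "src_ip"}),
}

# Constructed SIEM inventory: source -> fields actually arriving. 4688 arrives
# without CommandLine (the command-line option is off) and two sources are not
# onboarded at all, which is the "default configuration" gap the report describes.
INVENTORY: dict[str, set[str]] = {
    "windows:security:4688": {"NewProcessName", "ParentProcessName"},
    "edr:file": {"path", "sha256", "process", "operation"},
    "proxy:http": {"dest_host", "url", "user_agent", "bytes_out"},
    "webapp:access": {"uri", "status", "src_ip"},
}

# Constructed CTI feed snapshot (placeholder actor names, not attributions).
# T1047 is a technique that has just entered scope and has no mapping yet.
FEED: list[dict[str, str]] = [
    {"actor": "actor-1", "technique": "T1059.001", "sector": "financial", "region": "south-america", "first_seen": "2025-03-02", "last_seen": "2025-06-18"},
    {"actor": "actor-1", "technique": "T1105", "sector": "financial", "region": "south-america", "first_seen": "2025-03-02", "last_seen": "2025-06-18"},
    {"actor": "actor-2", "technique": "T1555.003", "sector": "financial", "region": "south-america", "first_seen": "2025-04-11", "last_seen": "2025-06-20"},
    {"actor": "actor-3", "technique": "T1190", "sector": "financial", "region": "south-america", "first_seen": "2025-01-09", "last_seen": "2025-06-15"},
    {"actor": "actor-4", "technique": "T1005", "sector": "financial", "region": "south-america", "first_seen": "2025-05-27", "last_seen": "2025-06-19"},
    {"actor": "actor-5", "technique": "T1047", "sector": "financial", "region": "south-america", "first_seen": "2025-06-14", "last_seen": "2025-06-21"},
    {"actor": "actor-1", "technique": "T1059.001", "sector": "retail", "region": "north-america", "first_seen": "2025-02-01", "last_seen": "2025-06-10"},
]


def component_status(component: str, inventory: dict[str, set[str]]) -> tuple[str, set[str]]:
    """Return (status, missing_fields) for one data component."""
    source, required = COMPONENT_REQUIREMENTS[component]
    present = inventory.get(source)
    if present is None:
        return RED, set(required)          # source not onboarded at all
    missing = required - present
    return (GREEN, set()) if not missing else (YELLOW, missing)


def technique_status(technique: str, inventory: dict[str, set[str]]):
    """Roll components up to the technique: green only when every component is
    green, red when none is, otherwise yellow (partially present)."""
    components = {c: component_status(c, inventory) for c in sorted(REQUIRED_COMPONENTS[technique])}
    statuses = [s for s, _ in components.values()]
    if all(s == GREEN for s in statuses):
        return GREEN, components
    if all(s == RED for s in statuses):
        return RED, components
    return YELLOW, components


def build_matrix(techniques, inventory: dict[str, set[str]]) -> dict:
    """Step 4: technique -> (overall status, per-component detail)."""
    return {t: technique_status(t, inventory) for t in sorted(techniques)}


def in_scope_techniques(feed: list[dict[str, str]], sector: str, region: str) -> set[str]:
    """Steps 1-2: techniques the feed reports against this sector and region."""
    return {r["technique"] for r in feed if r["sector"] == sector and r["region"] == region}


def coverage_tickets(feed, inventory, sector: str, region: str) -> list[dict]:
    """One ticket per non-green cell of an in-scope technique. A technique the
    feed introduces without a component mapping gets a 'map first' ticket."""
    tickets = []
    for technique in sorted(in_scope_techniques(feed, sector, region)):
        if technique not in REQUIRED_COMPONENTS:
            tickets.append({"technique": technique, "component": None, "source": None,
                            "status": "unmapped",
                            "action": "map technique to ATT&CK data components and log sources"})
            continue
        overall, components = technique_status(technique, inventory)
        if overall == GREEN:
            continue
        for component, (status, missing) in components.items():
            if status == GREEN:
                continue
            source, _ = COMPONENT_REQUIREMENTS[component]
            action = f"onboard {source}" if status == RED else f"enable fields {sorted(missing)} on {source}"
            tickets.append({"technique": technique, "component": component, "source": source,
                            "status": status, "action": action})
    return tickets


if __name__ == "__main__":
    scope = in_scope_techniques(FEED, "financial", "south-america") & set(REQUIRED_COMPONENTS)
    for technique, (status, components) in build_matrix(scope, INVENTORY).items():
        print(f"{technique:10} {status:6}", {c: s for c, (s, _) in components.items()})
    for ticket in coverage_tickets(FEED, INVENTORY, "financial", "south-america"):
        print(ticket)
```

Re-running `coverage_tickets` on each feed refresh and diffing the result against open tickets gives the automatic ticket creation the report describes; the per-component detail in `build_matrix` is the audit artefact, and the `unmapped` status is the signal that step 3 has to be redone for a technique before any log engineering starts.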
### Long-term Strategy (3+ months)
1. **Integrate Continuous CTI Updates:** Establish a formal process to review and update the TTP mapping and the corresponding log coverage matrix on a defined cadence (e.g., quarterly) or following significant technology changes.
2. **Align Storage Budget with Security Value:** Shift log onboarding strategy from "ingest everything" to a disciplined, intelligence-driven approach, ensuring storage allocation is prioritized for logs directly mapping to prioritized threat coverage.
3. **Deploy AI Analytics Post-Validation:** Only deploy or enhance SIEM AI agent analytics after verifying that the underlying telemetry foundation is high-fidelity and complete for the targeted threats.
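As an added example (not Arachne Digital's code) of the storage-versus-value alignment described above and in the Full Report's cost-efficiency section, the script below tags each log source with a value tier from its mapped ATT&CK techniques, derives a cost tier from ingestion volume, lays the sources out on the 3×3 heat map, and attaches the report's three remedies (retain but tier, sample or filter, shorten retention) with a rough monthly saving. The source names, volumes, per-gigabyte prices, tier thresholds and the share of firewall events that are allows are all constructed assumptions.

```python
"""Value/cost heat map for SIEM log sources with optimisation actions.

Added example, not Arachne Digital's code. Sources, volumes, prices,
thresholds and the firewall allow/deny split are constructed assumptions.
"""
from __future__ import annotations

PRICE_PER_GB_HOT = 2.50    # assumed hot-tier price, USD per ingested GB per month
PRICE_PER_GB_COLD = 0.30   # assumed cold/object-storage price
TIERS = ("low", "medium", "high")

# Constructed ingestion metrics: GB/day per source, the in-scope ATT&CK
# techniques the source enables, whether it is enrichment-only, and (where
# known) the share of events that carry no mapped fields, e.g. firewall allows.
SOURCES: dict[str, dict] = {
    "windows:security:4688": {"gb_per_day": 40.0, "techniques": {"T1059.001", "T1005"}, "enrichment": False},
    "proxy:http": {"gb_per_day": 120.0, "techniques": {"T1105", "T1190"}, "enrichment": False},
    "firewall:traffic": {"gb_per_day": 350.0, "techniques": set(), "enrichment": True, "drop_fraction": 0.92},
    "dhcp:leases": {"gb_per_day": 2.0, "techniques": set(), "enrichment": True},
    "printer:spooler": {"gb_per_day": 60.0, "techniques": set(), "enrichment": False},
    "edr:api": {"gb_per_day": 15.0, "techniques": {"T1555.003"}, "enrichment": False},
}


def monthly_cost(gb_per_day: float, price_per_gb: float = PRICE_PER_GB_HOT) -> float:
    """30-day ingestion volume times the tier price, in USD."""
    return round(gb_per_day * 30 * price_per_gb, 2)


def value_tier(meta: dict) -> str:
    """high: enables an in-scope technique; medium: enrichment only; low: neither."""
    if meta["techniques"]:
        return "high"
    return "medium" if meta["enrichment"] else "low"


def cost_tier(gb_per_day: float, high_gb: float = 100.0, medium_gb: float = 10.0) -> str:
    """Bucket daily volume; thresholds are assumptions to tune per environment."""
    if gb_per_day >= high_gb:
        return "high"
    return "medium" if gb_per_day >= medium_gb else "low"


def heat_map(sources: dict[str, dict]) -> dict[tuple[str, str], list[str]]:
    """(value, cost) -> sorted source names; every cell present, even if empty."""
    cells = {(v, c): [] for v in TIERS for c in TIERS}
    for name, meta in sources.items():
        cells[(value_tier(meta), cost_tier(meta["gb_per_day"]))].append(name)
    return {cell: sorted(names) for cell, names in cells.items()}


def recommend(name: str, meta: dict) -> dict:
    """Pick one of the report's remedies from the cell and estimate the saving."""
    value, cost = value_tier(meta), cost_tier(meta["gb_per_day"])
    hot = monthly_cost(meta["gb_per_day"])
    if value == "high":
        action, saving = "keep hot; verify required fields are complete", 0.0
    elif value == "low" and cost != "low":
        # Retain but tier: same data, cold price.
        action = "retain but tier: move to cold/object storage"
        saving = round(hot - monthly_cost(meta["gb_per_day"], PRICE_PER_GB_COLD), 2)
    elif value == "medium" and cost == "high":
        # Sample or filter: drop the events carrying no mapped fields.
        drop = meta.get("drop_fraction", 0.0)
        action = f"sample or filter: drop the {drop:.0%} of events with no mapped fields"
        saving = round(hot * drop, 2)
    else:
        # Cheap or useful enough to keep; retention is the lever left.
        action, saving = "shorten retention to the compliance minimum", 0.0
    return {"source": name, "value": value, "cost": cost, "monthly_cost_usd": hot,
            "action": action, "est_monthly_saving_usd": saving}


def optimisation_plan(sources: dict[str, dict]) -> list[dict]:
    """All recommendations, largest estimated saving first."""
    plan = [recommend(name, meta) for name, meta in sources.items()]
    return sorted(plan, key=lambda r: r["est_monthly_saving_usd"], reverse=True)


def total_saving(sources: dict[str, dict]) -> float:
    return round(sum(r["est_monthly_saving_usd"] for r in optimisation_plan(sources)), 2)


if __name__ == "__main__":
    for cell, names in heat_map(SOURCES).items():
        if names:
            print(f"value={cell[0]:6} cost={cell[1]:6} {names}")
    for row in optimisation_plan(SOURCES):
        print(f"{row['source']:22} ${row['monthly_cost_usd']:>9,.2f}  save ${row['est_monthly_saving_usd']:>9,.2f}  {row['action']}")
    print("estimated monthly saving:", total_saving(SOURCES))
```

Feeding the same `SOURCES` table in before and after a change, and recording `total_saving` beside the coverage-matrix status counts from the same period, produces the before-and-after cost curve alongside detection coverage that the report recommends showing to finance.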
## Implementation Guidance
### For Small Organizations
- **Start with High-Confidence Sources:** Focus initial efforts on ensuring the availability of the most critical, easily accessible logs (e.g., EDR process creation events, core firewalls) that map to the top 3-5 TTPs for your sector.
- **Leverage Community Mappings:** Utilize publicly available ATT&CK data-source mappings to shortcut the initial TTP-to-Log source translation process.
- **Phased Log Onboarding:** Phase in log acquisition based strictly on CTI relevance to keep ingestion costs under control.
### For Medium Organizations
- **Formalize the Matrix Creation:** Institutionalize the construction and maintenance of the ATT&CK Log-Coverage Matrix as a necessary deliverable, involving both security and infrastructure teams.
- **Automated Coverage Validation:** Implement configuration management tools or scripts to periodically validate that required log sources and essential fields are present in the SIEM pipeline.
- **Focus on Contextual Fields:** Move beyond just collecting the Event ID; focus engineering efforts on ensuring fields like command-line parameters and parent/child process relationships are reliably captured for rich EDR analysis.
### For Large Enterprises
- **Establish Formal Governance:** Institute a security governance process where new system deployments or log decommissioning must first be assessed against the existing threat-coverage matrix.
- **Integrate CTI Workflow Automation:** Adopt intelligence platforms capable of automatically mapping threat report text to machine-readable ATT&CK inputs, feeding directly into log engineering workflows.
- **Audit Readiness:** Use the maintained, cross-referenced Log Coverage Matrix as a primary artifact for demonstrating security control efficacy to compliance officers and auditors.
## Configuration Examples
* **Example 1 (PowerShell Execution Detection):** To effectively detect MITRE ATT&CK Technique **T1059.001 (PowerShell)**:
  * **Essential Data Sources:** Command logs and Process logs.
  * **Critical Data Component Validation:** Verify that **Windows Event ID 4688 (A new process has been created)** is enabled, *and* that process creation telemetry (e.g., EDR data) is correlated to include the full **Command Line** arguments.
* **Example 2 (Ingress Tool Transfer Detection):** To effectively detect **T1105 (Ingress Tool Transfer)**:
  * **Essential Data Sources:** File logs and Network Traffic logs.
  * **Critical Data Component Validation:** Ensure **File Creation** logs capture file hashes and paths, and that **Network Traffic Content** logs capture enough context to trace the destination of the download.
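The two configuration examples above, the "Verify Data Quality Prerequisites" action, and the Full Report's advice to keep a configuration-management baseline (event ID, channel, policy setting per data component) and automate compliance checks all come down to one test: for each data component, is the event type arriving, are its required fields populated, and is it arriving in near-real time? The script below is an added example (not Arachne Digital's code) of that pipeline-side check run over a JSON-lines export of events, grading each component green, yellow or red with the policy to look at when it fails; the host-side audit-policy check the report mentions (PowerShell, Ansible) would sit alongside it and is not shown. The Windows channel, event ID and policy names are real, while the `edr` schema, the field names, the thresholds and the sample events are constructed assumptions.

```python
"""Check the three telemetry prerequisites for each ATT&CK data component
against events that actually reached the SIEM.

Added example, not Arachne Digital's code. The "edr" schema, field names,
thresholds and the JSON-lines sample are constructed assumptions.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone
from statistics import median

GREEN, YELLOW, RED = "green", "yellow", "red"

# Configuration-management baseline: per data component, the channel and event
# ID expected, the policy that produces it, and the fields that must be populated.
BASELINE: dict[str, dict] = {
    "Process Creation": {
        "channel": "Security", "event_id": 4688,
        "policy": "Advanced Audit Policy > Detailed Tracking > Audit Process Creation (Success)",
        "required_fields": ["NewProcessName", "ParentProcessName", "SubjectUserName"],
    },
    "Command Execution": {
        "channel": "Security", "event_id": 4688,
        "policy": "Include command line in process creation events = Enabled",
        "required_fields": ["CommandLine"],
    },
    "Script Execution": {
        "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
        "policy": "Turn on PowerShell Script Block Logging = Enabled",
        "required_fields": ["ScriptBlockText"],
    },
    "File Creation": {  # assumed EDR export schema
        "channel": "edr", "event_id": "file_create",
        "policy": "EDR sensor: file-creation telemetry with hashes enabled",
        "required_fields": ["path", "sha256", "process"],
    },
}

# Constructed SIEM export (JSON lines): two 4688 events lack CommandLine, one
# arrives two hours late, one EDR event has no hash, and no 4104 events arrive.
SAMPLE_EVENTS = """
{"channel":"Security","event_id":4688,"event_time":"2025-06-21T10:00:01Z","ingest_time":"2025-06-21T10:00:04Z","NewProcessName":"cmd.exe","ParentProcessName":"explorer.exe","SubjectUserName":"alice","CommandLine":"cmd.exe /c dir"}
{"channel":"Security","event_id":4688,"event_time":"2025-06-21T10:00:05Z","ingest_time":"2025-06-21T10:00:08Z","NewProcessName":"powershell.exe","ParentProcessName":"cmd.exe","SubjectUserName":"alice","CommandLine":""}
{"channel":"Security","event_id":4688,"event_time":"2025-06-21T10:00:09Z","ingest_time":"2025-06-21T10:00:11Z","NewProcessName":"notepad.exe","ParentProcessName":"explorer.exe","SubjectUserName":"bob","CommandLine":"notepad.exe notes.txt"}
{"channel":"Security","event_id":4688,"event_time":"2025-06-21T10:00:12Z","ingest_time":"2025-06-21T10:00:14Z","NewProcessName":"svchost.exe","ParentProcessName":"services.exe","SubjectUserName":"SYSTEM"}
{"channel":"Security","event_id":4688,"event_time":"2025-06-21T08:00:00Z","ingest_time":"2025-06-21T10:00:00Z","NewProcessName":"backup.exe","ParentProcessName":"taskeng.exe","SubjectUserName":"svc_backup","CommandLine":"backup.exe --nightly"}
{"channel":"edr","event_id":"file_create","event_time":"2025-06-21T10:00:20Z","ingest_time":"2025-06-21T10:00:25Z","path":"C:/Users/alice/Downloads/tool.zip","sha256":"sha256-placeholder","process":"msedge.exe"}
{"channel":"edr","event_id":"file_create","event_time":"2025-06-21T10:00:30Z","ingest_time":"2025-06-21T10:00:33Z","path":"C:/Temp/report.pdf","process":"winword.exe"}
{"channel":"System","event_id":7045,"event_time":"2025-06-21T10:01:00Z","ingest_time":"2025-06-21T10:01:02Z","ServiceName":"ExampleSvc"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_component(name: str, events: list[dict],
                       min_completeness: float = 0.95, max_lag_seconds: float = 300.0) -> dict:
    """Grade one data component and record why it is not green."""
    spec = BASELINE[name]
    matching = [e for e in events
                if e.get("channel") == spec["channel"] and e.get("event_id") == spec["event_id"]]
    report = {"component": name, "events": len(matching), "field_completeness": {},
              "median_lag_s": None, "max_lag_s": None, "findings": [], "status": RED}
    if not matching:
        # Prerequisite 1 fails: the event type is not collected at all.
        report["findings"].append(
            f"no {spec['channel']}/{spec['event_id']} events received; check policy: {spec['policy']}")
        return report
    # Prerequisite 2: required fields populated (absent or empty both count as missing).
    for field_name in spec["required_fields"]:
        populated = sum(1 for e in matching if e.get(field_name) not in (None, ""))
        ratio = round(populated / len(matching), 2)
        report["field_completeness"][field_name] = ratio
        if ratio < min_completeness:
            report["findings"].append(
                f"{field_name} populated in {ratio:.0%} of events; check policy: {spec['policy']}")
    # Prerequisite 3: near-real-time arrival, measured as ingest_time - event_time.
    lags = [(_utc(e["ingest_time"]) - _utc(e["event_time"])).total_seconds() for e in matching]
    report["median_lag_s"], report["max_lag_s"] = median(lags), max(lags)
    if max(lags) > max_lag_seconds:
        report["findings"].append(f"max ingestion lag {max(lags):.0f}s exceeds {max_lag_seconds:.0f}s")
    report["status"] = GREEN if not report["findings"] else YELLOW
    return report


def validate_baseline(events: list[dict], **thresholds) -> dict[str, dict]:
    """Run every baseline entry; the statuses feed the coverage matrix."""
    return {name: validate_component(name, events, **thresholds) for name in BASELINE}


if __name__ == "__main__":
    for name, r in validate_baseline(parse_events(SAMPLE_EVENTS)).items():
        print(f"{r['status']:6} {name:18} events={r['events']} {r['field_completeness']} max_lag={r['max_lag_s']}")
        for finding in r["findings"]:
            print("   -", finding)
```

Scheduling this against a fresh sample each day is the automated validation of the "Automated Coverage Validation" practice: a component that was green and turns yellow points at a policy or collector regression long before an analyst notices that alerts have lost their command lines.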
## Compliance Alignment
- **NIST CSF:** Aligned strongly with the **Identify (ID)** function (Asset Management, Risk Assessment, Governance) and the **Detect (DE)** function (Continuous Monitoring).
- **ISO 27001:** Supports Annex A controls related to operational security, monitoring, and integrity of system logs.
- **CIS Critical Security Controls:** Directly supports Control 13 (Data Protection) and Control 16 (Audit Log Management and Monitoring) by defining exactly what should be logged.
## Common Pitfalls to Avoid
- **Discarding High-Value Fields:** Deleting essential log fields (like full command-line arguments) to save storage costs before a proper risk/benefit analysis is conducted. This turns true positives into false negatives.
- **AI Over-reliance:** Deploying AI analytics before the underlying telemetry foundation meets the requirements needed to support sophisticated correlation, leading to high false-positive rates or alert fatigue.
- **Static Threat Model:** Relying on last year's adversary profile; threat requirements must be continuously updated with current CTI.
- **"Ingest Everything" Approach:** Ingesting excessive, irrelevant, or poorly formatted data, which inflates SIEM costs without improving security visibility.
## Resources
- **MITRE ATT&CK Framework:** For mapping adversary TTPs and discovering required data sources ([attack.mitre.org](https://attack.mitre.org/)).
- **Arachne Digital (General Reference):** For sector-focused intelligence reports and accelerated mapping tools (Contact at [email protected]).