The Silent SIEM: Why Data ≄ Detection
A Post-Mortem on Stateless Logic & Telemetry Gaps
Executive Summary: SOC failures are rarely caused by missing tools or broken ingestion. They happen when logic, schema, and execution reality drift apart. This project examined why enabled, healthy SIEM detections failed to trigger during a simulated Linux intrusion chain, and what it takes to fix that silence.
Phase 1: Telemetry Validation
Before testing detection logic, I verified the pipeline itself. The Elastic Agent was healthy, and endpoint telemetry was successfully ingested. Process execution (whoami) and network activity (curl) appeared in the logs-endpoint.events.* data stream.
Conclusion: the SIEM was not blind. The data existed.
Phase 2: Attack Simulation
I executed a basic post-exploitation workflow:
- Identity: SSH authentication
- Discovery: whoami execution
- Network Activity: outbound curl request
Each behavior occurred at the OS level and produced telemetry. Result: zero alerts.
Phase 3: Root Cause Analysis
1. Schema Mismatch: The SSH brute-force rule queried system.auth. An audit via Dev Tools showed the dataset never initialized. Logs existed, but not in the schema the rule assumed. Lesson: a detection rule is only as effective as the data model it relies on.
2. Field Semantic Brittleness: One process-based rule expected a specific parent executable. Actual telemetry showed the shell interpreter instead. The detection failed not because the behavior was absent, but because OS execution semantics didn’t match the rule’s assumptions.
3. Stateless Evaluation: Identity, process, and network telemetry existed, but remained siloed. Without state, time, or entity correlation, the SIEM evaluated each signal as low-fidelity noise. The system saw events but it did not understand behavior.
Phase 4: Engineering the Fix · Stateful EQL
To close the gap, I replaced point-in-time detections with a stateful EQL sequence. Instead of alerting on individual events, the rule correlates a temporal chain:
sequence by host.name, user.name with maxspan=15m
[authentication where event.outcome == "success"]
[process where process.name == "whoami"]
[network where destination.port == 80]
By linking these events within a defined window, isolated noise becomes a coherent intrusion lifecycle.
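To make the difference concrete, here is an added Python model (not code from the post or from Elastic) of the sequence above run over constructed events: it keys on host.name and user.name, advances through the three stages in time order, and discards a partial chain once 15 minutes have passed since the login. The helper names ev, run_sequence and stateless_hits and the sample timestamps are assumptions.

```python
from datetime import datetime, timedelta

def ev(t, category, user, extra):
    # constructed event in flat ECS-style form; one host keeps the sample short
    return {"@timestamp": t, "category": category, "host.name": "web01", "user.name": user, **extra}

# Constructed sample telemetry, not from the original post. alice completes the chain
# inside 15 minutes; bob's outbound request comes 40 minutes after login.
EVENTS = [
    ev("2024-01-01T10:00:00", "authentication", "alice", {"event.outcome": "success"}),
    ev("2024-01-01T10:03:00", "process", "alice", {"process.name": "whoami"}),
    ev("2024-01-01T10:05:00", "network", "alice", {"destination.port": 80}),
    ev("2024-01-01T11:00:00", "authentication", "bob", {"event.outcome": "success"}),
    ev("2024-01-01T11:02:00", "process", "bob", {"process.name": "whoami"}),
    ev("2024-01-01T11:40:00", "network", "bob", {"destination.port": 80}),
]

# The three ordered stages of the EQL sequence from the post, as predicates.
STAGES = [
    lambda e: e["category"] == "authentication" and e.get("event.outcome") == "success",
    lambda e: e["category"] == "process" and e.get("process.name") == "whoami",
    lambda e: e["category"] == "network" and e.get("destination.port") == 80,
]
MAXSPAN = timedelta(minutes=15)

def ts(e):
    return datetime.fromisoformat(e["@timestamp"])

def run_sequence(events, stages=STAGES, maxspan=MAXSPAN):
    """Stateful evaluation: per (host, user) key, advance through the stages in time order
    and drop a partial match once maxspan has elapsed (simplified: one partial match per key)."""
    state = {}  # key -> (next_stage_index, timestamp of the chain's first event)
    matches = []
    for e in sorted(events, key=ts):
        key = (e["host.name"], e["user.name"])
        idx, started = state.get(key, (0, None))
        if started is not None and ts(e) - started > maxspan:
            idx, started = 0, None  # window closed: discard the stale partial match
        if stages[idx](e):
            started = ts(e) if idx == 0 else started
            idx += 1
            if idx == len(stages):  # chain completed inside the window
                matches.append({"host.name": key[0], "user.name": key[1], "start": started, "end": ts(e)})
                idx, started = 0, None
        state[key] = (idx, started)
    return matches

def stateless_hits(events, stages=STAGES):
    """What point-in-time rules see: every event judged alone, with no linking."""
    return [e for e in events if any(s(e) for s in stages)]
```

alice's chain yields one correlated match and bob's none, while the stateless view returns all six events as equally weighted, low-fidelity hits.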
Conclusion
Detection coverage does not equal detection efficacy. Attacks unfold as stories, but most SIEMs still evaluate sentences in isolation. Until detections retain state across identity, process, and network telemetry, silence will continue to look like safety.
See the quick summary on Instagram @maria.cybersec.