# High-Signal Detection Patterns and SIEM Examples

> **Intro:** Teams rarely need more alerts. They need better ones. Product Security detections should focus on identity misuse, tenant-boundary stress, delivery-path abuse, and runtime behaviors that are hard to explain away as normal.
>
> **What this page includes**
>
> * detection patterns that repeatedly matter in product environments
> * SIEM examples for KQL, SPL, and cloud-native query styles
> * what to tune out
> * how to explain a detection to an engineering team

## Detection families worth building first

### 1. identity expansion

Examples:

* unusual role assumption from CI or workload identities;
* first-time access to secrets or registries by a service account;
* admin impersonation outside support hours.

### 2. tenant-boundary stress

Examples:

* burst of object-not-found or forbidden responses across many object IDs;
* export jobs spanning unexpected tenants or object counts;
* unusual fan-out in GraphQL or search APIs.

### 3. release-path tampering

Examples:

* image tag moved without expected pipeline context;
* manifest changed from an unexpected repo, branch, or runner class;
* protected environment approval removed or bypassed.

### 4. runtime behavior drift

Examples:

* shell execution in app containers;
* binary execution from writable paths;
* metadata endpoint access from pods or app workers;
* privileged pod creation or sudden hostPath mounts.

## Tuning rules

Good detections are usually scoped by:

* expected actor population;
* expected environment;
* expected business time window;
* approved maintenance patterns.

For example, “AssumeRole from CI” is too noisy. “AssumeRole from CI outside repositories approved for deployment to production” is useful.

## Sample KQL ideas

```kusto
CloudAppEvents
| where ActionType == "AssumeRole"
| where AccountType in ("ServicePrincipal", "ManagedIdentity", "Workload")
| summarize count(), firstSeen=min(Timestamp), lastSeen=max(Timestamp) by Identity, TargetRole, Repo, Branch
| where count_ > 5 and Branch !in ("main", "release")
```

```kusto
AppRequests
| where ApiRoute startswith "/exports"
| summarize exports=count(), tenants=dcount(TenantId), objects=dcount(ObjectId) by ActorId, bin(Timestamp, 15m)
| where tenants > 1 or objects > 500
```
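The two KQL ideas above, re-implemented in plain Python over constructed sample events so the grouping and threshold logic can be exercised offline. This is an added example, not code from the original page; the field names mirror the queries, while the identities, repo names, tenants and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime
WORKLOAD_TYPES = {"ServicePrincipal", "ManagedIdentity", "Workload"}
RELEASE_BRANCHES = {"main", "release"}

def _ev(identity, role, repo, branch, acct, n):
    """Build n identical constructed AssumeRole events (sample data only)."""
    return [{"Identity": identity, "TargetRole": role, "Repo": repo,
             "Branch": branch, "AccountType": acct}] * n

# Constructed sample: CI identity assumes prod-admin 6x from a feature branch
# (fires), 8x from main (tuned out); a human user doing the same is out of scope.
ASSUME_ROLE_EVENTS = (_ev("ci-deployer", "prod-admin", "payments", "feat/x", "Workload", 6)
                      + _ev("ci-deployer", "prod-admin", "payments", "main", "Workload", 8)
                      + _ev("alice", "prod-admin", "payments", "feat/x", "User", 9))

def workload_assume_role_bursts(events, threshold=5):
    """Mirror of the first KQL idea: count per (identity, role, repo, branch)
    for workload identities; keep groups over the threshold off release branches."""
    counts = defaultdict(int)
    for e in events:
        if e["AccountType"] in WORKLOAD_TYPES:
            counts[(e["Identity"], e["TargetRole"], e["Repo"], e["Branch"])] += 1
    return {k: n for k, n in counts.items() if n > threshold and k[3] not in RELEASE_BRANCHES}

def _req(actor, tenant, obj, minute):
    """Constructed /exports request at 09:<minute> on a fixed day (sample data only)."""
    return {"ActorId": actor, "ApiRoute": "/exports/run", "TenantId": tenant,
            "ObjectId": obj, "Timestamp": datetime(2026, 1, 1, 9, minute)}

# Constructed sample: "bob" touches two tenants inside one 15-minute bin (fires);
# "svc-export" stays within a single tenant (does not).
EXPORT_REQUESTS = [_req("bob", "tenant-a", "o1", 2), _req("bob", "tenant-b", "o2", 9),
                   _req("svc-export", "tenant-a", "o3", 20), _req("svc-export", "tenant-a", "o4", 25)]

def export_fanout(requests, max_objects=500):
    """Mirror of the second KQL idea: per actor and 15-minute bin, count exports
    and distinct tenants/objects; flag cross-tenant or high-object-count windows."""
    buckets = defaultdict(lambda: {"exports": 0, "tenants": set(), "objects": set()})
    for r in requests:
        if not r["ApiRoute"].startswith("/exports"):
            continue
        ts = r["Timestamp"]  # bin(Timestamp, 15m): floor to the 15-minute boundary
        bin_start = ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)
        b = buckets[(r["ActorId"], bin_start)]
        b["exports"] += 1
        b["tenants"].add(r["TenantId"])
        b["objects"].add(r["ObjectId"])
    return {k: (b["exports"], len(b["tenants"]), len(b["objects"]))
            for k, b in buckets.items() if len(b["tenants"]) > 1 or len(b["objects"]) > max_objects}
```

Both functions return only the groups that would surface as alerts, so swapping in real exported events is enough to see how the thresholds and the branch allowlist interact.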

## Sample SPL idea

```spl
index=cloudtrail (eventName=GetSecretValue OR eventName=AssumeRole)
| stats count values(eventName) values(userIdentity.arn) values(requestParameters.secretId) by sourceIPAddress userAgent
| where count > 3
```

## Noise to avoid first

* generic 4xx spikes with no actor or tenant context;
* all pod restarts;
* all denied requests;
* unactionable “suspicious user-agent” lists without business context.

## Engineering translation

When handing a detection to engineers, describe it as a broken expectation:

* “this workload identity read a secret family it has never read before”;
* “this user attempted object access across more tenants than the workflow allows”;
* “this pipeline changed a production deployment path without the usual branch and approval chain.”

## Related pages

* [Logging and Telemetry Strategy](/attack-paths-testing-detection-and-hardening/index/logging-and-telemetry-strategy.md)
* [Runtime Investigation Playbook for Kubernetes and Containers](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md)
* [Provider-Specific Attack Hunt Queries](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/cloud/provider-specific-attack-hunt-queries.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

