/> Update cookies preferences
Skip to main content
New! Read the Abstract Security Technical Product Brief by Cybersecurity Insiders

Shifting Detection Left: How to Decouple SIEM Detection Criteria for Modern Security Operations

Shifting Detection Left: Decoupling Detection Criteria from the SIEM

September 25, 2025

Security Operations migrations are common as more organizations modernize. However, the decision-making of choosing the right SIEM platform isn’t straightforward. Some organizations are choosing to move from legacy SIEM solutions to newer cloud-native platforms, while others choose to make the exact opposite decision.  

While other organizations are migrating from older SIEM solutions such as Splunk and Elastic to newer cloud native solutions like Google SecOps or Azure Sentinel. A growing number of organizations are migrating from Google SecOps to other solutions, and even to Splunk. Other organizations are migrating from those technologies to modular solutions, consisting of Online Analytical Processing (OLAP) platforms, data lakes such as Snowflake, Databricks, Azure Data Explorer, or plain Object Storage with a query platform like Athena or BigQuery on top of the data.

When it comes to migrations, moving data is just the beginning; the real complications lie in migrating and optimizing your detection and analytics capabilities. At Abstract Security, we’ve guided numerous organizations through this once-complex transition and through these journeys. We’ve found that the most successful migrations aren’t just about moving data and rules from A to B. It’s about rethinking how detection engineering should work, and modernizing security operations processes along the way.

The Hidden Complexity of Security Analytics Migrations

While connecting data sources to a new platform might seem straightforward, the reality is far more nuanced. Organizations frequently encounter obstacles with source integrations or struggle to map legacy data structures to new schemas, such as OSCF.  

Even when the mapping and logic translation hurdles are cleared a deeper challenge emerges: How do you grapple with years of accumulated detection content?  

This is where most teams face a critical decision point. Many choose the path of least resistance to simply recreate what they had before. While this approach feels safe and comfortable, it will likely perpetuate inefficiencies and miss the opportunity to build a more strategic detection program.

Three Paths Forward

When it comes to migrating detection content, security teams typically choose one of three approaches:

Approach #1: Lift and Shift

This approach involves moving all existing detection rules to the new platform with minimal changes. While this preserves institutional knowledge, it's often the most resource-intensive approach and carries forward all the technical debt accumulated over years.

This approach may seem like the easiest decision, however, planning and execution can extend throughout many cycles. It will also typically migrate legacy content that wastes computation resources and detection rule limits.

Approach #2: Starting Fresh

Starting from the beginning means entirely abandoning legacy content and building from vendor-provided rules and templates. This approach offers a clean slate but risks losing valuable organizational context and hard-won insights about your specific threat landscape. While technically the fastest, it can rightfully leave stakeholders concerned about having complete detection coverage.

Approach #3: Review, Revise, and Refresh

This is a strategic middle ground that involves evaluating existing detections, keeping what delivers value, optimizing for the new architecture, and making room for improved approaches. In our experience, this path consistently delivers the best outcomes. However, it requires discipline and a willingness to make difficult decisions about legacy content.

Technical Debt Hidden in Your Detection Rules

Before diving into migration strategies, it's worth examining the common problems that plague detection rule sets across organizations:  

  • Legacy Threat Focus: We still regularly encounter Conficker detection rules in 2025 - sixteen years after the malware's peak relevance. These outdated rules consume computational resources while providing little security value.  
  • Redundant Coverage: Many organizations run duplicate detection logic across EDR, NDR, and SIEM platforms, creating noise without additional security benefit.
  • Resource-Intensive Rules: Some detection rules consume disproportionate computational resources relative to their security impact, creating scalability challenges and increased costs.  
  • Vendor Overlap: Numerous custom rules attempt to detect threats already covered more effectively by vendor-provided detections, representing wasted engineering effort.  

A Better Approach: Detection Engineering Focused on What Matters

The most effective corporate detection engineering teams focus their limited resources on infrastructure and risks unique to their organization. Rather than trying to catch every possible threat with custom rules, they complement vendor-provided detections with targeted coverage of organizational-specific risks.  

Instead of creating multiple rules to detect CVE-2024-49706 Sharepoint exploitation attempts, implement a single rule focused on patch management regressions that identifies vulnerable or legacy systems. Adopting this approach addresses the root cause, rather than the symptoms since a vulnerable system likely indicates broader posture management issues.

Shifting Detection Left: Prevention Over Reaction

Too many detection programs focus exclusively on later stages of the attack lifecycle when adversaries are already operating within your environment. A more strategic approach emphasizes "shifting left" to detect and address risks earlier in the process.  

Focus Areas for Organizational-Specific Detections:  

  • Privileged Identity Detection: Monitor access to critical infrastructure management accounts, systems, and processes that control your environment's security posture, and unusual activity involving accounts with elevated permissions across your unique technology stack.  
  • Change Management Anomalies: Detect production changes occurring outside established release windows or approval processes.  
  • Infrastructure Exposure Detection: Identify resources exposed to attacks and compromise.  
  • Custom Application Behaviors: Monitor proprietary applications and internal tools that external vendors cannot effectively cover.  

The Strategic Advantage of Decoupled Detection

Rather than tightly coupling your detection logic to specific platforms, consider a more flexible architecture. By decoupling detection criteria from the underlying analytics platform, organizations can:  

  • Reduce Migration Risk: Changes to analytics platforms don't require complete detection rewrites  
  • Improve Consistency: Detection logic remains consistent across different security tools  
  • Enable Real-Time Response: Stream-based detection reduces mean time to detection compared to batch processing approaches  
  • Focus Resources: Security teams can concentrate on detection logic rather than platform-specific implementation details  

Taking Action

Deciding upon which of the three paths (Lift and Shift, Start Fresh, or Review, Revise, Refresh) are right for you is a decision that you as an organization must make. The Lift and Shift approach may seem the easiest, while typically becoming the hardest and most grueling with the least benefit.  

Taking the path to Review, Revise and Refresh your detection content provides an opportunity to build a more strategic, efficient, and effective detection program.  

Start by auditing your current detection content. Identify rules that provide genuine security value versus those that exist simply because they always have. Consider which threats are better addressed through preventive controls rather than detection rules. Most importantly, focus your detection engineering resources on the unique aspects of your environment that only your team can effectively monitor.  

  1. Audit and Categorize Existing Detection Content. Categorize content into multiple areas:

    1. Legacy content for removal (Conficker, etc.)
    2. Custom content unique to your organization and infrastructure
    3. Recent high value content
  2. Migrate detection content to managed detection configurations

  3. Plan – Determine where this content is best applied

    1. Real time detections
    2. Summary detections over longer time periods

  4. Implement

    1. Translate to destination systems
    2. Apply workflows post detection
  5. Manage, Measure and Maintain

Building for the Future with Abstract

Key Principles for Modern Detection Engineering:  

  1. Quality Over Quantity: A smaller set of well-tuned, relevant detections outperforms hundreds of noisy, outdated rules.  
  1. Context-Aware Coverage: Focus detection efforts on risks and assets that matter most to your specific organization.  
  1. Complementary Strategy: Design custom detections to fill gaps not covered by vendor solutions rather than duplicating existing capabilities.  

There's a goal greater than successful migration: building a detection capability that evolves with your organization's needs and threat landscape. This requires moving beyond the traditional approach of accumulating more and more rules and toward a more strategic focus on high-impact, organizationally-relevant detections.  

Don’t just migrate—modernize. See how Abstract helps you shift detection left.

Show Transcript
Get In Touch