Smarter Logs for Smarter SOCs: Threat-Informed Telemetry That Powers AI Agents and Cuts Costs

June 22, 2025
“Smarter Logs for Smarter SOCs” argues that flashy AI agents inside a SIEM can’t make up for missing or messy telemetry. This post lays out a four-step, threat-informed-defence workflow to ensure every critical event is collected and properly formatted.

by Kade Morton (CEO)
A Familiar Hype Cycle

AI in SIEM aids automation, but quality telemetry and threat-informed defence remain essential for accuracy.

Artificial-intelligence agents embedded in security information and event management (SIEM) platforms promise to automate investigation and triage.

Some are claiming that AI will replace human analysts. Yet the effectiveness of any analytic model, whether machine-learning or rule-based, remains constrained by the quality of the telemetry it receives. If essential events or log fields are missing, even the most sophisticated model will misclassify or overlook malicious activity.

Threat-informed defence offers a rigorous, repeatable framework for determining exactly which logs, and which log fields, are required to detect the tactics, techniques, and procedures (TTPs) of cyber threat actors (CTAs) that actively target your industry and geography. Continuous cyber threat intelligence (CTI) keeps those requirements aligned with the evolving threat landscape.

AI Agents Cannot Compensate for Missing Telemetry

Modern SIEMs can ingest billions of events per day, and AI agents excel at correlating and prioritising this volume. However, even the most advanced AI analytics cannot overcome fundamental telemetry gaps. An effective detection pipeline still depends on three conditions:

  • The required event types must be collected.
  • The specific fields needed for analysis must be present.
  • The data must arrive clean, consistently formatted, and in near-real time.

When any of these prerequisites fails, for example when command-line parameters are dropped to save storage or endpoint logs arrive hours late, true positives become false negatives, alerts lack sufficient context, and investigations stall.

On the flip side, attempting to “ingest everything” is neither sustainable nor cost-effective. Only a disciplined, intelligence-driven log-onboarding strategy ensures that AI is working with evidence strong enough to justify automated decisions.

Threat-Informed Defence: A Four-Step Method
  • Identify Relevant Adversaries: Use curated CTI to determine which actors are actively targeting organisations with your industry profile and geographic footprint.
  • Enumerate Their TTPs: Map each adversary’s behaviours to MITRE ATT&CK techniques. This creates a formalised threat model grounded in evidence.
  • Link Techniques to Detection Data Sources: ATT&CK provides data-source–to-technique mappings (Data Source IDs). Translate these into specific log sources. For example, DS0017: Command Execution maps to Windows Event ID 4688 plus parent-process correlation in EDR telemetry.
  • Validate Log Coverage and Field Completeness: Build a matrix indicating whether each required source and field is present (green), partially present (yellow), or absent (red). The matrix becomes both a roadmap for engineering work and an audit artefact for regulators and executives.

Once established, this process should be repeated on a defined cadence or when major technology changes occur.

Case Study: Financial Institutions in South America

Key findings from Arachne Digital CTI for financial institutions across South America, taken on 21 June 2025, included the following.

High-frequency techniques include:

Using these techniques, the data-source requirements include:

  • ATT&CK Technique: T1059.001 PowerShell
  • ATT&CK Technique: T1105 Ingress Tool Transfer
  • ATT&CK Technique: T1555.003 Browser Credential Theft
  • ATT&CK Technique: T1190 Exploit Public-Facing Application
  • ATT&CK Technique: T1005 Data from Local System

Often, required fields are absent or inconsistently collected, primarily because default configurations suppress “verbose” logging categories. If you work with a SOC in any capacity, from the CISO right down to a tier-one analyst, can you say that you know all the CTAs relevant to your organisation, their current TTPs, and that all the required logs are ingested into your SIEM with all the required fields? And do you have a way to stay up to date as the CTAs and TTPs shift?

If you can’t, an AI agent won’t solve your fundamental issue.

To prepare for deploying AI agents, maintain a configuration-management baseline that specifies the event ID, logging channel, and policy setting for each ATT&CK data component. Automate compliance checks via PowerShell, Ansible, or your preferred configuration-management tool.
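The coverage matrix from the four-step method and the configuration-management baseline described just above, combined in one added Python illustration (not Arachne Digital's tooling): the baseline entries, event IDs, field names and the inventory of what the SIEM receives are all constructed, and the green/yellow/red rules follow the matrix definition given earlier.

```python
"""ATT&CK log-coverage matrix: rate each required data component green, yellow
or red against what the SIEM receives. Added illustration with constructed data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    """Baseline entry: channel, event ID (None if not Windows) and needed fields."""
    technique: str
    data_component: str
    channel: str
    event_id: object
    fields: tuple

def rate(req, inventory):
    """green: all fields arrive; yellow: event collected, fields missing; red: absent."""
    got = inventory.get((req.channel, req.event_id))
    if got is None:
        return "red", list(req.fields)
    missing = [f for f in req.fields if f not in got]
    return ("green" if not missing else "yellow"), missing

def coverage_matrix(requirements, collected):
    """collected maps (channel, event_id) -> ingested fields; result maps
    technique -> data component -> (status, missing fields)."""
    matrix = {}
    for req in requirements:
        matrix.setdefault(req.technique, {})[req.data_component] = rate(req, collected)
    return matrix

def technique_status(matrix, technique):
    """A technique is only as covered as its weakest data component."""
    order = {"green": 0, "yellow": 1, "red": 2}
    return max((s for s, _ in matrix[technique].values()), key=order.get)

# Constructed baseline: PowerShell needs 4688 with the command line plus
# script-block logging (4104); ingress tool transfer needs proxy URL records.
REQUIREMENTS = [
    Requirement("T1059.001", "Process Creation", "Security", 4688,
                ("NewProcessName", "ParentProcessName", "CommandLine")),
    Requirement("T1059.001", "Script Execution",
                "Microsoft-Windows-PowerShell/Operational", 4104, ("ScriptBlockText",)),
    Requirement("T1105", "Network Traffic Content", "proxy", None,
                ("url", "bytes_in", "user_agent")),
]
# Constructed inventory: 4688 arrives, but command-line capture was left at
# its default (off) and the PowerShell Operational channel is not forwarded.
COLLECTED = {
    ("Security", 4688): {"NewProcessName", "ParentProcessName"},
    ("proxy", None): {"url", "bytes_in", "user_agent"},
}
```

Feeding the matrix back into a configuration-management tool is then a matter of turning each red or yellow cell into the policy change that enables the missing channel or field.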

Cost-Efficiency: Log More Where It Matters, Less Where It Doesn’t

Strengthening telemetry does not have to equal runaway storage bills. The same ATT&CK-aligned matrix that highlights missing data sources also exposes over-collected ones: logs and fields that contribute little or nothing to detections relevant to your threat model.

For each log source:

  • Tag the ATT&CK techniques it enables and assign a rough business value: high (critical detection gap), medium (useful enrichment), or low (no mapped techniques).
  • Pull ingestion metrics from your SIEM or data-lake billing dashboard to calculate daily gigabytes and monthly cost.
  • Create a simple 3×3 heat map (value on one axis, cost on the other). Anything “low value / high cost” is a candidate for optimisation.

Based on your findings you can make a judgement to:

  • Retain but Tier: Move low-value logs to chilled or object storage with longer query latency but a fraction of the price.
  • Sample or Filter: Keep only events that include fields tied to medium or high ATT&CK value. For example, you could look at dropping firewall allows, but retaining denies.
  • Shorten Retention: Regulatory requirements rarely mandate 365-day hot storage for every log type. Right-size retention based on compliance need plus investigative usefulness.
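The value-versus-cost heat map and the tiering decisions above, as an added Python illustration (not Arachne Digital's tooling): the log sources, daily volumes, per-gigabyte price and cost bands are constructed assumptions, and the recommended action per cell follows the three options listed.

```python
"""Value-vs-cost heat map for log sources: pair each source's ATT&CK value with
its ingestion cost and flag optimisation candidates. Added illustration; constructed data."""
from dataclasses import dataclass

PRICE_PER_GB = 2.50          # assumed hot-tier ingestion price, USD per GB
COST_BANDS = (500.0, 5000.0) # monthly USD: below first is low, at/above second is high

@dataclass
class LogSource:
    name: str
    techniques: tuple         # ATT&CK techniques this source helps detect
    daily_gb: float
    fills_critical_gap: bool = False  # closes a red cell in the coverage matrix

def value_tier(src):
    """high: closes a critical detection gap; medium: enrichment; low: no mapping."""
    if not src.techniques:
        return "low"
    return "high" if src.fills_critical_gap else "medium"

def cost_tier(monthly_usd):
    low, high = COST_BANDS
    return "low" if monthly_usd < low else "high" if monthly_usd >= high else "medium"

def recommend(value, cost):
    """One action per heat-map cell; low value / high cost is the prime target."""
    if value == "low":
        return "tier to cold storage or drop" if cost == "high" else "shorten retention"
    if value == "medium" and cost == "high":
        return "filter to events carrying mapped fields"
    return "retain"

def heat_map(sources):
    """Return (name, value tier, cost tier, monthly USD, action) per source."""
    rows = []
    for s in sources:
        usd = round(s.daily_gb * PRICE_PER_GB * 30, 2)
        v, c = value_tier(s), cost_tier(usd)
        rows.append((s.name, v, c, usd, recommend(v, c)))
    return rows

def reclaimable(sources):
    """Monthly hot-tier spend on sources the heat map says not to keep as-is."""
    return round(sum(r[3] for r in heat_map(sources) if r[4] != "retain"), 2)

SOURCES = [  # constructed: firewall allows dominate volume but map to nothing
    LogSource("fw-allow", (), 120.0),
    LogSource("fw-deny", ("T1190",), 15.0),
    LogSource("security-4688", ("T1059.001",), 40.0, fills_critical_gap=True),
]
```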

Dollars freed by pruning low-value telemetry can bankroll the onboarding of high-value sources, such as extended EDR fields, detailed SaaS audit logs, or container runtime events, without increasing the overall budget line.
Also, track the before-and-after cost curve alongside detection coverage metrics. This evidence helps justify future security spend to finance and the board.

Threat-informed defence is not just a security win; it’s a budget optimisation tool that ensures every gigabyte you keep is pulling its weight.

Continuous Intelligence Keeps the Matrix Current

Threat landscapes are dynamic:

  • New or re-emerging groups (e.g., FIN6, applicable to our case study above) may adopt techniques that demand additional telemetry.
  • Shifts in tooling (PowerShell downgraded, WMI upgraded) alter the priority of data sources.
  • Emerging vulnerabilities introduce detection requirements for previously irrelevant platforms.

Arachne Digital’s feeds deliver sector-specific intelligence as machine-readable JSON, including ATT&CK mappings, and first-/last-seen dates. Integrating this feed with your log-coverage matrix allows automatic creation of engineering tickets whenever a new technique enters the scope of relevant threats, or when there are possible cost savings to be made.

By contrast, deploying AI on incomplete data often increases workload, as analysts chase poorly prioritised or context-deficient alerts.

Implementation Roadmap

Acquire an Industry-Specific Intelligence Baseline

  • Free introductory reports and API trials are available from Arachne Digital.

Construct or Update the ATT&CK Log-Coverage Matrix

  • Include source, event ID, and critical fields. Mark gaps clearly.

Remediate Gaps

  • Prioritise high-impact techniques and low-effort fixes.
  • Align storage budgets with security value.

Automate Continuous Validation

  • Combine configuration-management tools with CTI updates to keep the matrix evergreen.

Deploy or Enhance AI Analytics

  • Once telemetry quality is verified, AI agents can work to their full potential.

How Arachne Digital Accelerates the Process

Thread & Tracery: Automatically map threat-report text to ATT&CK techniques, providing machine-readable context suitable for log engineering workflows.

Sector-Focused Intelligence Feeds: Deliver only the adversary activity relevant to your environment, reducing analysis overhead.

Human-Curated Accuracy: Experienced analysts validate each mapping, ensuring false data does not contaminate automated pipelines.

Customers who adopt this threat-informed-defence methodology typically realise measurable gains within one quarter, including a reduction in false positives as redundant or missing telemetry is corrected, and faster incident triage due to richer context in each alert. Threat-informed defence will also set your SOC up for success come audit time, through a maintained ATT&CK-aligned evidence trail.

Are You Ready?

AI agents offer genuine value in security operations, but they cannot transcend fundamental telemetry limitations. Threat-informed defence, anchored by current, high-fidelity CTI, remains the most efficient path to ensuring that the “right logs with the right fields” reach your SIEM. Only when that foundation is secure can AI reliably assume analytic tasks and allow your human teams to focus on higher order tasks.

If you would like to review a complimentary, sector-specific ATT&CK coverage report, or to explore how Arachne Digital can integrate continuous intelligence directly into your log engineering workflows, contact us via our contact-form or email.
