In this presentation, we explore what it truly means to build and operate a detection-first SIEM—beyond log collection and basic alerts. Drawing from real-world SOC experience, this slide deck covers: Strategic breakdown of SIEM detection rule types How to build custom anomaly detection using baseline behavior (not vendor UEBA) The power of cross-correlation rules to reveal real attack narratives Dashboarding comparison across Splunk, Sentinel, Elastic, and Chronicle How to design threat-informed use cases mapped to MITRE ATT&CK Why threat hunting is the R&D wing of any mature SOC This content is designed for SOC teams, SIEM engineers, threat detection builders, and security leaders who want to shift from reactive operations to intentional, intelligence-driven detection. Learn how to build detection that sees deeper, responds faster, and evolves smarter.

1. Reza Adineh 1
Detection-First SIEM
Rule Types, Dashboards & Threat-
Informed Visibility
Reza Adineh | Minimal Cyber
Architecting detection that actually works

2. Reza Adineh 2
The Problem
Most SIEMs collect logs. Few detect
well.
Alert fatigue
Blind spots
Reactive SOCs
Detection isn’t about tools. It’s about
strategy.

3. Reza Adineh 3
Detection Rule Types
Know your rule types. Use them strategically.
Scheduled: Reliable, flexible, layered
Real-time/NRT: Speed-focused, narrow scope
Anomaly: Profile behavior, detect deviation
Cross-Correlation: Multi-source logic
TI/Fusion: IOC and campaign correlation
Tip: Blend rule types based on threat context.

4. Reza Adineh 4
Rethinking Anomaly Detection
Don’t rely on UEBA. Build your own
baseline.
✅ Average logins per user
✅ Usual parent-child process chains
✅ Typical network usage per host
“Normal” is your strongest signal.

5. Reza Adineh 5
Cross-
Correlation
Matters
The difference between noise and a
narrative
Combine logs across domains
Normalize schemas (CIM, UDM, ASIM)
Surface campaigns, not isolated events
Detection quality improves with context.

6. Reza Adineh 6
Dashboards
= Visibility
Your SIEM’s eyes. Design them
intentionally.
Alert volumes, false positives
MITRE coverage
Data ingestion health
Threat intel hits
SOC performance metrics

7. Reza Adineh 7
Platform Comparison
• Dashboarding Power: Who Does What Well?
Platform Flexibility TI Views MITRE Maps
Splunk ⭐⭐⭐⭐⭐ ⭐⭐⭐⭐ ⭐⭐⭐⭐
Sentinel ⭐⭐⭐ ⭐⭐⭐⭐ ⭐⭐⭐⭐
Elastic ⭐⭐⭐⭐ ⭐⭐⭐ ⭐⭐⭐⭐
Chronicle ⭐⭐ ⭐⭐⭐ ⭐⭐
Splunk leads—if you invest in it.

8. Reza Adineh 8
Threat-
Informed
Use Cases
Detection should reflect adversary
behavior
Map to ATT&CK
Use intel reports
Leverage emulation results
Don’t guess. Detect with purpose.

9. Reza Adineh 9
Threat
Hunting
Proactive visibility, not passive
alerting
Start with hypotheses
Investigate outliers
Feed new rules, dashboards,
enrichments
Threat hunting = Detection R&D.

10. Reza Adineh 10
Final
Takeaway
Detection-first SIEM is not a feature—it’s a
mindset.
Design for context
Validate your assumptions
Visualize your blind spots
Hunt, refine, evolve
Build detection like an engineer.
Operate like an adversary.