In This Article
The Invisible Breach: Why Detection Is the Critical Gap
The average time to detect a cloud breach is 197 days. During those 197 days, the attacker moves laterally through the environment, escalates privileges, exfiltrates data, and establishes persistence — all while the security team sees green dashboards because their monitoring doesn't cover the cloud attack surface. The breach is discovered when: a customer reports their data on the dark web, a regulatory body notifies the organization, or an analyst notices an anomalous cloud bill. By then, the damage is done.
Detection is the critical gap because prevention isn't perfect. Firewalls, MFA, encryption, and segmentation reduce the attack surface — but determined attackers find ways through. When prevention fails, detection determines whether the breach is contained in hours (before significant damage) or discovered in months (after catastrophic data loss). The investment in detection infrastructure — SIEM, threat analytics, automated response — determines the organization's resilience when (not if) a security incident occurs.
Cloud Threat Detection Architecture
| Layer | What It Captures | Azure Service | Detection Capability |
|---|---|---|---|
| 1. Data Collection | Logs from all cloud resources, identity, network | Log Analytics + Data Connectors | Visibility — can't detect what you don't collect |
| 2. Detection Analytics | Patterns, anomalies, correlations across signals | Microsoft Sentinel Analytics | Threat identification — known and unknown patterns |
| 3. Investigation | Context, timeline, scope of detected threats | Sentinel Investigation Graph | Understanding — what happened, how far it spread |
| 4. Response | Containment, remediation, recovery actions | Sentinel Playbooks (Logic Apps) | Action — stop the threat, fix the damage |
Microsoft Sentinel: Cloud-Native SIEM
Microsoft Sentinel is a cloud-native SIEM that collects, analyzes, and responds to security data across the enterprise — Azure resources, Microsoft 365, on-premises systems, and third-party security tools. Unlike on-premises SIEM (Splunk, QRadar) that requires sizing, maintaining, and scaling hardware, Sentinel scales automatically with data volume — you pay for data ingestion, not infrastructure capacity.
Data Connectors
Sentinel ingests security data from 200+ built-in connectors: Microsoft native (Azure Activity, Entra ID, Defender for Cloud, Microsoft 365, Defender XDR — zero-configuration, high-fidelity), third-party security (Palo Alto, Fortinet, CrowdStrike, Cisco — via CEF/Syslog or API), cloud platforms (AWS CloudTrail, GCP Audit Logs — for multi-cloud visibility), and custom sources (via Log Analytics agent, REST API, or Azure Functions — for proprietary applications). The coverage principle: every system that processes data, authenticates users, or communicates over the network should feed into Sentinel. Gaps in coverage are gaps in detection.
Kusto Query Language (KQL)
Detection rules in Sentinel are written in KQL — a powerful query language optimized for log analytics. Example detection: "alert when a user signs in from 2 different countries within 1 hour" (impossible travel detection), "alert when a service principal's permissions change outside of change windows" (privilege escalation), "alert when data export volume exceeds 10x the user's 30-day average" (data exfiltration). KQL combines the expressiveness of SQL with time-series analysis functions — making it possible to write detections that correlate events across time, across users, and across systems.
Detection Engineering: Rules, Analytics, and ML
Detection operates at three sophistication levels — each catching threats the previous level misses.
Level 1 — Scheduled rules: KQL queries that run on a schedule (every 5 minutes, every hour). Match known attack patterns: brute force login attempts, known malicious IPs, specific attack techniques from the MITRE ATT&CK framework. These catch: known threats, compliance violations, and policy deviations. Coverage: 60-70% of detectable threats.
Level 2 — ML-powered analytics: Sentinel's built-in ML models detect anomalies that rules can't express: unusual sign-in patterns (user who normally works 9-5 EST signs in at 3 AM from a new country), anomalous data access (user downloads 50x more files than their peer group average), and abnormal command execution (admin runs PowerShell commands they've never used before). ML analytics catch: unknown threats, insider threats, and slow-burn attacks that stay within individual rule thresholds. Coverage: additional 15-20%.
Level 3 — Threat intelligence correlation: Cross-reference internal security events with external threat intelligence feeds — known attacker IPs, domains, file hashes, and TTPs (Tactics, Techniques, and Procedures). An IP address that appears benign in isolation becomes suspicious when threat intelligence identifies it as part of a known attacker's infrastructure. Coverage: additional 5-10%.
SOAR: Automated Incident Response
SOAR (Security Orchestration, Automation, and Response) automates the response to detected threats — reducing response time from hours (human analyst triages, investigates, and responds) to seconds (playbook executes automatically on detection).
Response Playbooks
Sentinel playbooks (built on Azure Logic Apps) define automated response workflows triggered by detection alerts:
Identity Compromise Playbook
Trigger: high-risk sign-in detected. Actions: force MFA re-authentication, disable the user's active sessions, block sign-in pending investigation, notify the security team, create an incident ticket, and enrich the alert with user's recent activity for investigation. Response time: 30 seconds from detection to containment.
Malware Detection Playbook
Trigger: Defender for Endpoint detects malware on a VM. Actions: isolate the VM from the network (NSG rule blocking all traffic), take a memory snapshot for forensics, scan connected VMs for indicators of compromise, notify the SOC team, and create an incident with full investigation context. Response time: 60 seconds from detection to isolation.
Data Exfiltration Playbook
Trigger: anomalous data download volume detected. Actions: temporarily revoke the user's access to sensitive resources, capture the download activity details, correlate with other user actions (sign-in location, device, time), notify the data protection team, and preserve evidence (log snapshots, session recordings) for investigation.
6 Detection Use Cases for Enterprise Cloud
| Use Case | Detection Method | Automated Response | MITRE ATT&CK Mapping |
|---|---|---|---|
| Credential compromise | Impossible travel, unusual sign-in pattern | Force MFA, disable sessions | T1078 — Valid Accounts |
| Privilege escalation | Permission change outside change window | Alert SOC, revert permission | T1548 — Abuse Elevation |
| Data exfiltration | Anomalous download volume | Revoke access, preserve evidence | T1567 — Exfiltration Over Web |
| Ransomware | Mass file encryption pattern | Isolate VM, snapshot, alert | T1486 — Data Encrypted for Impact |
| Lateral movement | Unusual server-to-server connections | Block connection, investigate source | T1021 — Remote Services |
| Supply chain attack | Compromised dependency, unusual update source | Quarantine affected systems, scan | T1195 — Supply Chain Compromise |
Measuring Detection Effectiveness
| Metric | Target | What It Measures |
|---|---|---|
| Mean Time to Detect (MTTD) | <1 hour | Time from threat occurrence to detection alert |
| Mean Time to Respond (MTTR) | <30 minutes | Time from alert to containment action |
| Alert-to-Incident Ratio | 10:1 or lower | Signal-to-noise — high ratio = too many false positives |
| Detection Coverage | >80% of MITRE techniques | % of known attack techniques with detection rules |
| SOAR Automation Rate | >60% | % of incidents with automated first response |
Multi-Cloud Detection: Azure + AWS + GCP Under One SIEM
Many enterprises operate multi-cloud environments — primary workloads on Azure, specific services on AWS (S3, Lambda), and some teams using GCP. Microsoft Sentinel provides multi-cloud visibility through native connectors: AWS CloudTrail and GuardDuty logs ingest into Sentinel for cross-cloud correlation, GCP Audit Logs and Security Command Center findings feed into the same detection engine, and third-party SaaS security signals (Okta, CrowdStrike, Palo Alto) join the data set. The detection benefit: an attacker who compromises an AWS access key and uses it to access Azure resources is detected through cross-cloud correlation — the AWS key creation event and the Azure resource access are connected in a single investigation timeline. Single-cloud monitoring misses this pattern entirely.
SOC Operating Model: People + Technology
SIEM and SOAR are tools. The Security Operations Center (SOC) is the team that operates them. The SOC operating model for cloud environments: Tier 1 analysts review alerts triaged by automation (SOAR handles initial response; Tier 1 validates and investigates), Tier 2 analysts investigate complex incidents that Tier 1 escalates (multi-stage attacks, advanced persistent threats), Tier 3 / threat hunters proactively search for threats that detection rules haven't caught (hypothesis-driven investigation using KQL queries against historical data). For mid-size enterprises (500-5,000 employees), the SOC can be: fully in-house (3-8 security analysts), hybrid (1-2 in-house + managed detection service), or fully managed (MSSP operates the SIEM and responds to alerts). The model depends on: budget, internal security expertise, and the organization's risk tolerance for outsourcing security operations.
Detection Rule Lifecycle: Build, Tune, Retire
Detection rules aren't static. New attack techniques emerge (new rules needed), existing rules generate false positives (tuning needed), and old techniques become irrelevant (rules retired). The detection engineering lifecycle: deploy new rules in alert-only mode (generate alerts but don't trigger automated response) for 2 weeks, tune to reduce false positives based on the alert-only period, promote to active mode (triggers automated response), review effectiveness quarterly (rules that haven't triggered in 6 months may be retired), and update based on threat intelligence (new MITRE ATT&CK techniques get new detection rules). A healthy detection engine adds 5-10 rules per month, tunes 10-15, and retires 2-3 — continuously improving coverage while managing alert fatigue.
Threat Intelligence Integration
Threat intelligence feeds enrich detection by correlating internal security events with known external threats. Microsoft Sentinel integrates threat intelligence through: Microsoft Threat Intelligence (built-in — known malicious IPs, domains, file hashes from Microsoft's global visibility), STIX/TAXII feeds (industry-standard threat intelligence sharing — connect to ISAC feeds for your industry), and custom indicators (your security team's internal threat intelligence — IOCs from past incidents, industry alerts, vulnerability disclosures). Every network connection, DNS resolution, and file hash in your environment is compared against threat intelligence — transforming individual events from "a connection was made" into "a connection was made to a known command-and-control server." This context is what separates high-fidelity alerts from noise.
The Xylity Approach
We deploy cloud threat detection with the 4-layer SIEM/SOAR architecture — data collection from all sources, detection analytics (rules + ML + threat intel), investigation tools, and automated response playbooks. Our cloud security engineers implement Microsoft Sentinel, configure detection rules mapped to MITRE ATT&CK, build response playbooks for the 6 critical use cases, and tune the detection engine to minimize false positives while maximizing threat coverage.
Go Deeper
Continue building your understanding with these related resources from our consulting practice.
Detect Threats in Minutes, Not Months
SIEM, SOAR, ML-powered analytics — cloud threat detection that contains breaches in minutes with automated response playbooks.
Start Your Threat Detection Deployment →