Product Security Knowledge Base

🎯 High-Signal Detection Patterns and SIEM Examples

Intro: Teams rarely need more alerts. They need better ones. Product Security detections should focus on identity misuse, tenant-boundary stress, delivery-path abuse, and runtime behaviors that are hard to explain away as normal.

What this page includes

  • detection patterns that repeatedly matter in product environments
  • SIEM examples for KQL, SPL, and cloud-native query styles
  • what to tune out
  • how to explain a detection to an engineering team

Detection families worth building first

1. identity expansion

Examples:

  • unusual role assumption from CI or workload identities;
  • first-time access to secrets or registries by a service account;
  • admin impersonation outside support hours.

2. tenant-boundary stress

Examples:

  • burst of object-not-found or forbidden responses across many object IDs;
  • export jobs spanning unexpected tenants or object counts;
  • unusual fan-out in GraphQL or search APIs.

3. release-path tampering

Examples:

  • image tag moved without expected pipeline context;
  • manifest changed from an unexpected repo, branch, or runner class;
  • protected environment approval removed or bypassed.

4. runtime behavior drift

Examples:

  • shell execution in app containers;
  • binary execution from writable paths;
  • metadata endpoint access from pods or app workers;
  • privileged pod creation or sudden hostPath mounts.

Tuning rules

Good detections are usually scoped by:

  • expected actor population;
  • expected environment;
  • expected business time window;
  • approved maintenance patterns.

For example, “AssumeRole from CI” is too noisy. “AssumeRole from CI outside repositories approved for deployment to production” is useful.

Sample KQL ideas

// Identity expansion: CI/workload identities assuming a role from a branch that is
// not part of the expected deployment pattern. Column names such as Identity,
// TargetRole, Repo and Branch are illustrative; map them to your own schema.
CloudAppEvents
| where ActionType == "AssumeRole"
| where AccountType in ("ServicePrincipal", "ManagedIdentity", "Workload")
| summarize count(), firstSeen=min(Timestamp), lastSeen=max(Timestamp) by Identity, TargetRole, Repo, Branch
| where count_ > 5 and Branch !in ("main", "release")

// Tenant-boundary stress: one actor whose export activity in a 15-minute window
// spans more than one tenant or an unusually large number of objects.
AppRequests
| where ApiRoute startswith "/exports"
| summarize exports=count(), tenants=dcount(TenantId), objects=dcount(ObjectId) by ActorId, bin(Timestamp, 15m)
| where tenants > 1 or objects > 500
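The tuning rule above (an unscoped “AssumeRole from CI” versus one scoped by approved repositories and branches) as an added, runnable example that is not part of the original page; the events, identity names, role names and the APPROVED_FOR_PROD allow-list are constructed for illustration, and the aggregation and threshold mirror the first KQL query.

```python
from collections import Counter

# Assumed allow-list of (repo, branch) pairs approved to deploy to production.
APPROVED_FOR_PROD = {("org/api", "main"), ("org/api", "release")}
# Actor types treated as CI / workload identities (same set as the KQL filter).
CI_ACTOR_TYPES = {"ServicePrincipal", "ManagedIdentity", "Workload"}


def _evt(identity, role, repo, branch, n, actor_type="Workload"):
    """Build n constructed AssumeRole events for one identity/role/repo/branch."""
    return [{"event": "AssumeRole", "actor_type": actor_type, "identity": identity,
             "role": role, "repo": repo, "branch": branch} for _ in range(n)]


# Constructed sample log: routine prod deploys from main, a burst from a feature
# branch, two one-off assumptions from an unexpected repo, and a human session.
EVENTS = (
    _evt("ci-runner-1", "prod-deploy", "org/api", "main", 10)
    + _evt("ci-runner-2", "prod-deploy", "org/api", "feature/x", 7)
    + _evt("ci-runner-3", "prod-deploy", "org/tools", "main", 2)
    + _evt("alice", "prod-deploy", "org/api", "main", 3, actor_type="User")
)


def noisy_rule(events):
    """Unscoped 'AssumeRole from CI': fires on every CI/workload AssumeRole."""
    return [e for e in events
            if e["event"] == "AssumeRole" and e["actor_type"] in CI_ACTOR_TYPES]


def scoped_rule(events, threshold=5):
    """Scoped version: same actor population, minus approved repo/branch pairs,
    aggregated per identity/role/repo/branch and thresholded like the KQL."""
    counts = Counter()
    for e in noisy_rule(events):
        if (e["repo"], e["branch"]) in APPROVED_FOR_PROD:
            continue  # approved deployment pattern: expected behaviour, not an alert
        counts[(e["identity"], e["role"], e["repo"], e["branch"])] += 1
    return [{"identity": i, "role": r, "repo": p, "branch": b, "count": n}
            for (i, r, p, b), n in counts.items() if n > threshold]


if __name__ == "__main__":
    print(len(noisy_rule(EVENTS)), "raw CI AssumeRole events")  # 19
    for hit in scoped_rule(EVENTS):
        print("ALERT", hit)  # only ci-runner-2 on feature/x (count 7)
```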

Sample SPL idea

index=cloudtrail eventName=GetSecretValue OR eventName=AssumeRole
| stats count values(eventName) values(userIdentity.arn) values(requestParameters.secretId) by sourceIPAddress userAgent
| where count > 3

Noise to avoid first

  • generic 4xx spikes with no actor or tenant context;
  • all pod restarts;
  • all denied requests;
  • unactionable “suspicious user-agent” lists without business context.

Engineering translation

When handing a detection to engineers, describe it as a broken expectation:

  • “this workload identity read a secret family it has never read before”;
  • “this user attempted object access across more tenants than the workflow allows”;
  • “this pipeline changed a production deployment path without the usual branch and approval chain.”

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.