Cloud SIEM Detection Engineer

Build and tune cloud-native SIEM detection rules for AWS, Azure, and GCP. Write high-fidelity detection logic for Sentinel, Chronicle, and Splunk targeting cloud attack patterns.

Effective cloud threat detection requires detection logic that understands cloud-specific attack patterns — credential theft via IMDS, CloudTrail log tampering, service-to-service lateral movement, and cryptomining resource abuse — rather than generic rules ported from on-premises SIEM deployments. The Cloud SIEM Detection Engineer assistant helps detection engineers and SOC teams build, tune, and validate high-fidelity detection rules specifically designed for cloud environments.

This assistant generates detection rules in the query languages of major SIEM platforms — KQL for Microsoft Sentinel, YARA-L and UDM for Google Chronicle, SPL for Splunk, and detection-as-code formats including Sigma — targeting the cloud attack techniques catalogued in the MITRE ATT&CK Cloud matrix. It covers detection across the full cloud attack lifecycle: initial access via exposed management APIs and compromised credentials, persistence through backdoor IAM roles and scheduled tasks, privilege escalation via policy attachment and role assumption chaining, defense evasion through log disabling and resource deletion, and exfiltration via storage service access and data transfer anomalies.

You can describe a specific threat scenario or a MITRE ATT&CK technique and receive ready-to-deploy detection rules with tuning guidance: recommended threshold values, exclusion logic to reduce false positives from legitimate automation, and testing approaches using simulated events. The assistant also helps tune existing rules that generate excessive alert volume, analyzing the logic to identify where false positive exclusions can be safely added without creating blind spots.
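The defense-evasion case mentioned above (log disabling) and the tuning approach just described (an exclusion for legitimate automation plus a threshold) can be shown together as plain detection logic run over sample events. The following is an added example written for this page, not output of the assistant it describes: it scans constructed CloudTrail records, flags successful trail-tampering calls as high severity, excludes a hypothetical infrastructure-as-code role, and raises a medium-severity alert only when one principal accumulates repeated denied attempts. The event names are real CloudTrail API names; the role name, account ID, IPs and threshold are assumptions.

```python
"""Detection of CloudTrail log tampering over sample records.

Added example for illustration. Event names are real CloudTrail API
names; the role name, account number, IP addresses and threshold are
constructed assumptions to be tuned per environment.
"""

# CloudTrail management calls that stop or weaken logging. Which calls a
# rule should cover is an assumption here, not a list from the page.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Exclusion: automation that legitimately manages trails (constructed name).
ALLOWED_AUTOMATION_ROLES = {"TerraformDeployRole"}

# Threshold: how many denied tampering attempts by one principal before alerting.
FAILED_ATTEMPT_THRESHOLD = 3  # assumption; tune to the environment's baseline


def _record(name, identity_type, arn, ip, error=None):
    """Build a minimal constructed CloudTrail record."""
    return {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": identity_type, "arn": arn},
        "sourceIPAddress": ip,
        "errorCode": error,
    }


# Constructed sample events: one success by a user, one by allowed
# automation, three denials by one user, one denial by another, one benign call.
SAMPLE_EVENTS = [
    _record("StopLogging", "IAMUser", "arn:aws:iam::111122223333:user/alice", "203.0.113.5"),
    _record("UpdateTrail", "AssumedRole",
            "arn:aws:sts::111122223333:assumed-role/TerraformDeployRole/ci-run-42", "198.51.100.7"),
    _record("DeleteTrail", "IAMUser", "arn:aws:iam::111122223333:user/bob", "203.0.113.9", "AccessDenied"),
    _record("StopLogging", "IAMUser", "arn:aws:iam::111122223333:user/bob", "203.0.113.9", "AccessDenied"),
    _record("PutEventSelectors", "IAMUser", "arn:aws:iam::111122223333:user/bob", "203.0.113.9", "AccessDenied"),
    _record("PutEventSelectors", "IAMUser", "arn:aws:iam::111122223333:user/carol", "203.0.113.11", "AccessDenied"),
    _record("DescribeTrails", "IAMUser", "arn:aws:iam::111122223333:user/alice", "203.0.113.5"),
]


def principal(event):
    """Return the caller ARN, or 'unknown' if the record lacks one."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def is_allowed_automation(event):
    """True when the call came through an assumed role on the allowlist.

    STS assumed-role ARNs have the form
    arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName.
    """
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    arn = identity.get("arn", "")
    if "assumed-role/" not in arn:
        return False
    role_name = arn.split("assumed-role/", 1)[1].split("/", 1)[0]
    return role_name in ALLOWED_AUTOMATION_ROLES


def detect_log_tampering(events, failed_threshold=FAILED_ATTEMPT_THRESHOLD):
    """Return alerts for trail tampering, applying exclusion and threshold.

    Successful tampering calls alert immediately (high). Denied attempts
    are counted per principal and alert (medium) once the threshold is met,
    so a single AccessDenied from a curious admin does not page anyone.
    """
    alerts = []
    denied_by_principal = {}
    for event in events:
        if event.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if event.get("eventName") not in TAMPER_EVENTS:
            continue
        if is_allowed_automation(event):
            continue  # exclusion for legitimate automation
        if event.get("errorCode"):
            denied_by_principal.setdefault(principal(event), []).append(event)
            continue
        alerts.append({
            "severity": "high",
            "principal": principal(event),
            "eventName": event["eventName"],
            "sourceIPAddress": event.get("sourceIPAddress"),
            "count": 1,
        })
    for caller, attempts in denied_by_principal.items():
        if len(attempts) >= failed_threshold:
            alerts.append({
                "severity": "medium",
                "principal": caller,
                "eventName": ",".join(sorted({a["eventName"] for a in attempts})),
                "sourceIPAddress": attempts[0].get("sourceIPAddress"),
                "count": len(attempts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it produces two alerts: a high-severity one for the successful StopLogging by the user, and a medium-severity one for the three denied attempts by the second user; the automation role's UpdateTrail and the single denial are suppressed. Raising the threshold or widening the allowlist is where the tuning trade-off lives, and both are deliberately plain constants so the blind spot each creates is visible in review.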

Ideal for detection engineers building cloud detection libraries, SOC analysts developing runbooks for cloud alerts, and security teams migrating from generic SIEM rules to cloud-specific detection content.
