Security teams ask this question all the time: Which data sources should we send to our SIEM to get the most value without blowing the budget?
Consumption-based pricing is the driver behind most of these conversations. More log data equals more money, so enterprises have to make a difficult choice about which log sources and data are most important. The result is that critical data gets excluded, blind spots multiply, and analysts are left pivoting between tools and consoles just to piece together context during an investigation.
Most organizations aren’t logging everything they want, and even fewer are centralizing all relevant data in one place. When teams repeatedly hit data limits, the SIEM ends up with a fragmented view of activity across the environment. That lack of context directly reduces its effectiveness for threat detection, incident response, and threat hunting.
Why data volume shouldn’t mean blind spots
Cost models often force teams to limit the number of logs they’re ingesting. When teams can’t afford to ingest key telemetry, they accept blind spots and compensate with manual investigation across disconnected tools.
At Sumo Logic, we offer flexible licensing that lets you choose the right approach for your data, so analysts can focus on investigations.

“If you’re looking for a tool that can dynamically ingest virtually any log or data source you need at a reliable and reasonable rate and then turn that data into measurable business value, Sumo Logic has proven that for us. Its webhook connections and ingest mechanisms make it easy to bring data in without needing months of training before you can get started.”
—Brandon Hewgill, Head of Information Security at Patrianna
Log sources to prioritize in your SIEM
Several data types are worth prioritizing across the board. Many are common sense, but some may not yet be centralized in one place in your enterprise, so start here:
- Firewall logs
Firewall logs are a great source of detailed flow information. However, with many next-generation firewalls, you also get rich data on application types, threats, malware, C2 and more.
Don’t limit this data to just your perimeter firewalls. If you have firewalls between your user segment and your data center or even micro-segmentation inside the data center, send all these logs to your SIEM system. Where your end users connect is critical information for threat analysis and detecting possible insider threats.
- Proxy/web filtering logs
Your next-generation firewall may already include this data, but if you use a separate proxy or web filtering solution, these logs should be sent to your SIEM as well. The IP, domain, and URL information is important and can reveal connections to known-bad locations.
If you can also capture the User-Agent string, do so. This can give the threat hunter insight into what might be happening. There are countless stories of finding major breaches and issues by monitoring user-agent strings across an environment and investigating the anomalous or uncommon ones you find.
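As an added illustration (not code from the original post or from Sumo Logic), the rarity-based hunt described above, run over a handful of constructed proxy log lines; the log format, field order and the one-host threshold are assumptions:

```python
# Added example (not Sumo Logic code): rank User-Agent strings from proxy logs by how
# many distinct client hosts present them, so the rare ones can be reviewed first.
import shlex
from collections import defaultdict

# Constructed proxy log lines: time, client IP, user, method, URL, status, "User-Agent".
PROXY_LOGS = """\
2024-05-01T09:00:01Z 10.1.4.20 alice GET https://intranet.example.local/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:00:05Z 10.1.4.21 bob GET https://www.example.com/news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:01:10Z 10.1.4.22 carol GET https://mail.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:02:33Z 10.1.4.21 bob GET https://update.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T09:03:47Z 10.1.4.30 dave GET http://203.0.113.9/index.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:04:02Z 10.1.4.30 dave POST http://203.0.113.9/index.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:05:15Z 10.1.4.23 erin GET https://pypi.org/simple/ 200 "python-requests/2.31.0"
"""

def parse_proxy_lines(text):
    """One dict per line; shlex keeps the quoted User-Agent as a single field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, method, url, status, ua = shlex.split(line)
        records.append({"ts": ts, "client": client, "user": user, "method": method,
                        "url": url, "status": int(status), "ua": ua})
    return records

def user_agent_prevalence(records):
    """Map each User-Agent to the set of client hosts that presented it."""
    hosts_by_ua = defaultdict(set)
    for r in records:
        hosts_by_ua[r["ua"]].add(r["client"])
    return hosts_by_ua

def rare_user_agents(records, max_hosts=1):
    """Hunting leads (ua, hosts, urls) for User-Agents seen from at most max_hosts
    clients, rarest first. Rarity is a lead to investigate, not a verdict."""
    leads = []
    for ua, hosts in user_agent_prevalence(records).items():
        if len(hosts) <= max_hosts:
            urls = sorted({r["url"] for r in records if r["ua"] == ua})
            leads.append((ua, sorted(hosts), urls))
    leads.sort(key=lambda lead: (len(lead[1]), lead[0]))
    return leads

if __name__ == "__main__":
    for ua, hosts, urls in rare_user_agents(parse_proxy_lines(PROXY_LOGS)):
        print(f"{ua!r} seen only from {hosts}: {urls}")
```

In a real environment the prevalence table would be built over days of traffic and the threshold set relative to fleet size, so that a legitimate but uncommon tool is reviewed once and then allow-listed.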
- Cloud control plane logs
Cloud attacks are now overwhelmingly identity-driven and control-plane–focused. Monitor your AWS CloudTrail, Azure activity logs, and GCP audit logs.
- SaaS application logs and federation logs
Every major breach in the last three years had an identity/SaaS component, so make sure to get visibility into your Microsoft 365 unified audit logs, Okta system logs, and Google Workspace audit logs, as well as the audit logs of Salesforce, GitHub, GitLab, Atlassian, Zoom, and Slack.
- Identity provider and federation logs
These logs are how you detect session hijacking, token theft, and attempts to bypass phishing-resistant MFA. OAuth token events, MFA events, OIDC flows, and SAML assertions are key for detecting identity-related threats.
- Container and Kubernetes logs
Your Kubernetes audit, API server, admission controller, and container runtime logs are critical to modern infrastructure and provide strong indicators of lateral movement and privilege escalation.
- Application authentication and telemetry
These logs help detect business logic abuse, token replay, internal attacker movement, and insider threats.
- Other network security products
Some may already be covered with a next-generation firewall, but you may have standalone systems. Logs from tools like Network IPS/IDS, Network DLP, Sandboxes, and even router NetFlow data are rich sources of intelligence for the SOC analyst.
- Network sensors
Network sensors deployed on TAP or SPAN ports provide deep visibility into east-west and north-south traffic. These sensors will provide deeper metadata on traffic flows than a traditional NetFlow solution would.
They capture detailed metadata, such as SMB writes and deletes, HTTP header information, user-agent strings, and more. This additional detail is valuable for detecting anomalous activity that could indicate lateral movement. These sensors can help you track down events you wouldn’t have seen otherwise.
- Windows authentication and Active Directory data
As we all know, users move around and often get new IPs. If this happens during a security event, it can be challenging to pick up the trail and connect the dots. By tracking user authentication information, disparate record types across various IPs can be combined to paint a clearer picture of the overall activity surrounding the event.
In addition, tying a user to the events can help determine whether this user should be accessing these resources. And it makes it easier to track that device down if needed for manual intervention or cleaning.
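An added example, not from the original post or from Sumo Logic, of the attribution described above: domain-controller logon records (Event ID 4624) are used to bind IP-only firewall events back to a user across an IP change, with the normalised field names and the eight-hour lease window as assumptions.

```python
# Added example (not Sumo Logic code): bind IP-keyed firewall events to a user via
# domain-controller logon records (Event ID 4624), so a user who moved to a new IP
# still appears as one timeline. Field names and the lease window are assumptions.
from bisect import bisect_right
from datetime import datetime, timedelta
# Constructed, normalised 4624 logon records: who logged on from which IP, and when.
LOGONS = [
    {"ts": "2024-05-01T08:55:00Z", "user": "alice", "ip": "10.1.4.20"},
    {"ts": "2024-05-01T11:30:00Z", "user": "alice", "ip": "10.1.7.55"},  # alice moved: new lease
    {"ts": "2024-05-01T12:10:00Z", "user": "carol", "ip": "10.1.4.20"},  # old lease reused by carol
]
# Constructed firewall events that carry only a source IP, no user.
NETWORK_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "src": "10.1.4.20", "dst": "dc01:88", "action": "allow"},  # before any logon
    {"ts": "2024-05-01T09:10:00Z", "src": "10.1.4.20", "dst": "fileserver01:445", "action": "allow"},
    {"ts": "2024-05-01T11:45:00Z", "src": "10.1.7.55", "dst": "fileserver01:445", "action": "allow"},
    {"ts": "2024-05-01T11:50:00Z", "src": "10.1.7.55", "dst": "203.0.113.9:443", "action": "deny"},
    {"ts": "2024-05-01T12:20:00Z", "src": "10.1.4.20", "dst": "hr-db01:1433", "action": "allow"},
]
LEASE_WINDOW = timedelta(hours=8)  # assumed: how long an IP-to-user binding stays trusted

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def build_ip_index(logons):
    """ip -> [(logon time, user)] in time order; the latest binding before an event wins."""
    index = {}
    for logon in sorted(logons, key=lambda l: _parse(l["ts"])):
        index.setdefault(logon["ip"], []).append((_parse(logon["ts"]), logon["user"]))
    return index

def attribute(event, index, window=LEASE_WINDOW):
    """User bound to event['src'] at event time, or None when no fresh binding exists."""
    bindings = index.get(event["src"], [])
    t = _parse(event["ts"])
    pos = bisect_right([logon_t for logon_t, _ in bindings], t)
    if pos == 0:
        return None
    logon_t, user = bindings[pos - 1]
    return user if t - logon_t <= window else None

def user_timeline(logons, events):
    """Group IP-keyed events by attributed user, in time order."""
    index = build_ip_index(logons)
    timeline = {}
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        user = attribute(ev, index) or "unattributed"
        timeline.setdefault(user, []).append((ev["ts"], ev["src"], ev["dst"], ev["action"]))
    return timeline
```

Note the two edge cases the stale-binding check handles: an event before any logon from that IP stays unattributed rather than being pinned on whoever logged on later, and an IP reused after a lease change is attributed to its new owner.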
- Endpoint security data
Endpoint data adds critical context to alerts and investigations in two key ways:
  - Asset enrichment: OS type, logged-in users, group memberships, and system state can immediately help analysts determine whether an alert is relevant.
  - Alert correlation: Endpoint alerts may indicate that an initial threat was blocked, but attackers often adapt. Correlating endpoint alerts with network or behavioral anomalies can reveal follow-on activity that warrants deeper investigation.
- Threat intelligence feeds
Threat intelligence feeds dramatically improve investigation efficiency. Even free threat intel sources can help enrich alerts and identify known malicious indicators.
Paid feeds typically offer higher fidelity, better context, and more reliable updates. Threat intel hits in your device logs could indicate malware that got past your endpoint solution or some other cybersecurity breach. You can also bring in your own threat intel feeds, so you’re not limited to the same sources everyone else uses and can tailor intelligence to your industry and risk appetite.
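The enrichment described here, as an added example rather than code from the post or from Sumo Logic: a small constructed indicator set is matched against log records, with CIDR ranges and parent-domain matching handled explicitly so that a naive substring match does not produce false hits (indicator and log field names are assumptions).

```python
# Added example (not Sumo Logic code): enrich log records against a small indicator
# set, matching IPs against CIDR ranges and hostnames against parent domains.
import ipaddress
from urllib.parse import urlparse
# Constructed indicators in the shape a feed might supply (assumed field names).
INDICATORS = [
    {"type": "ipv4-net", "value": "203.0.113.0/24", "source": "feed-a", "label": "hosting range used for C2"},
    {"type": "domain", "value": "bad.example", "source": "feed-b", "label": "phishing"},
]
# Constructed proxy records; ws-022 must NOT match the bad.example indicator.
LOGS = [
    {"host": "ws-020", "dst_ip": "203.0.113.44", "url": None},
    {"host": "ws-021", "dst_ip": "10.1.4.1", "url": "https://cdn.bad.example/login"},
    {"host": "ws-022", "dst_ip": "10.1.4.1", "url": "https://notbad.example/"},
]
def build_indicator_set(indicators):
    # Returns (networks, domains) lookups; a lone IP indicator would become a /32 network.
    nets, domains = [], {}
    for ind in indicators:
        if ind["type"] in ("ipv4", "ipv4-net"):
            nets.append((ipaddress.ip_network(ind["value"], strict=False), ind))
        elif ind["type"] == "domain":
            domains[ind["value"].lower().rstrip(".")] = ind
    return nets, domains

def match_ip(nets, ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # not an IP literal
        return None
    return next((ind for net, ind in nets if addr in net), None)

def match_host(domains, host):
    # Walk up the labels: cdn.bad.example hits bad.example, notbad.example does not.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return domains[".".join(labels[i:])]
    return None

def enrich(record, nets, domains):
    # Attach the feed's context to a matching record; return the hit or None.
    hit = match_ip(nets, record.get("dst_ip") or "")
    if not hit and record.get("url"):
        hit = match_host(domains, urlparse(record["url"]).hostname or "")
    if hit:
        record.update(ti_source=hit["source"], ti_label=hit["label"])
    return hit

def hits(logs, indicators):
    nets, domains = build_indicator_set(indicators)
    return [(r["host"], h["label"]) for r in logs if (h := enrich(r, nets, domains))]
```

Carrying the feed name and label onto the record is what lets an analyst judge a hit's fidelity without leaving the SIEM, which is the context gap the section above describes.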
- AI agent/LLM logging
Agentic AI systems can interact with sensitive data and act on behalf of users, so logging their data is necessary for security and compliance. With these logs, you can detect prompt injection attempts, privilege escalation events, and other AI security risks. With AI agents becoming more autonomous, this telemetry is key to maintaining visibility within your environment.
Build SIEM visibility around what matters most
No two organizations are the same. When deciding what data to ingest next, start with what’s most critical to your business. That might mean application authentication logs, web server errors, SaaS audit logs, or custom application telemetry.
If you’ve ever thought, “I wish this alert had more context,” that’s your answer. Add the data that fills in those gaps so analysts don’t have to jump between tools to complete the story. Don’t let blind spots be your weak spot.
Learn how Sumo Logic Cloud SIEM and log analytics can broaden your visibility and speed up incident investigations.