Finding the Right Balance: How to Choose the Log Data That Belongs in Your SIEM or SOAR
In today’s digital ecosystem, healthcare organizations generate more data than ever. Every click, connection, and cloud action creates telemetry, and while this information is essential for protecting the business, it’s also expensive to collect, store, and analyze.
This creates a familiar challenge for healthcare security leaders: how do we decide what log data should flow into our SIEM or SOAR platform without overwhelming budgets or leaving gaps in our defense?
From a CISO’s point of view, this balancing act is not just technical; it’s strategic. The goal is to collect the right data, not all the data.
Here’s how healthcare organizations can strike the right balance between cost, risk, and security value.
Why Logging Matters
Logs are the foundation of modern cybersecurity. They help healthcare IT teams:
- Detect threats and anomalies
- Investigate incidents
- Understand user activity
- Prove compliance
- Automate response actions
But comprehensive logging doesn’t mean sending everything to a SIEM, especially when budgets and cloud environments are involved. Logging must be prioritized and purposeful.
Step 1: Understand What You’re Protecting
Before deciding where logs should go, start with a core question:
What are the crown jewels of the business?
A strong logging strategy aligns with business risk and focuses on telemetry that helps protect:
- Sensitive data
- Critical applications
- Healthcare cloud environments
- Mission-critical infrastructure
- Identity and access systems
If a log source doesn’t help secure these assets or support compliance, it may not belong in your SIEM.
Step 2: Classify Logs by Their Security Value
One of the most effective ways to reduce cost while maintaining strong detection is to categorize logs by risk and usefulness.
Tier 1: Must-Have Logs
High security value; these should always be ingested:
- Identity and access (AD, Azure AD, Okta)
- Cloud activity logs (AWS CloudTrail, Azure Activity, GCP Audit Logs)
- Endpoint detection and response events
- Firewall / IDS / WAF alerts
- Privileged user activity
- Logs from systems containing sensitive data
These logs are essential for detecting identity misuse, lateral movement, and cloud attacks.
Tier 2: Conditional Logs
Useful, but to be evaluated case by case:
- VPN and remote access
- Database audit trails
- SaaS activity logs
- Kubernetes audit logs
- File access activity
Healthcare organizations should ingest these only if they support a specific threat-detection requirement or compliance mandate.
Tier 3: Optional or Low-Value Logs
Often too noisy or expensive for SIEM ingestion:
- Application debug logs
- Firewall allow logs
- High-volume load balancer logs
- Verbose cloud flow logs
- System-level verbose logs
These can still be valuable, just not for real-time detection.
Step 3: Store Low-Value Logs Outside the SIEM
Logs that stay out of the SIEM don't have to be discarded. Many can be:
- Stored in low-cost object storage
- Queried only when needed
- Accessed during investigations or audits
This approach helps healthcare organizations meet retention requirements and maintain forensic capability — all without flooding SIEM ingestion pipelines.
Step 4: Use a Log Pipeline to Control Costs
Modern logging should be routed through a log pipeline (e.g., Datadog Pipelines, Cribl, Logstash, Azure Data Explorer).
This allows teams to:
- Filter noise
- Dedupe repetitive events
- Enrich logs before analysis
- Route logs to the most cost-effective destination
A well-designed pipeline can reduce SIEM costs by 40–70% while improving the quality of data available for detection.
Step 5: Make SOAR Work for You — Not Against You
Not every log should trigger automation. Healthcare organizations should reserve SOAR workflows for meaningful, high-signal events such as:
- Suspicious logins
- Endpoint malware alerts
- Privileged account activity
- High-risk cloud changes
- Unusual SaaS actions
This ensures that automation reduces analyst workload instead of amplifying noise.
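To make Steps 2 through 5 concrete, here is an added example (not CloudWave's code or any vendor's pipeline configuration) that tiers a constructed batch of events, drops repeats, tags each event with its tier, routes tier 1 and justified tier 2 to the SIEM and the rest to an archive, and flags only high-signal types for SOAR. The source names, event fields, tier table and trigger list are illustrative assumptions.

```python
"""Tiered log routing, a constructed illustration of Steps 2-5 above; source
names, event fields and the tier table are assumptions, not a vendor schema."""
from collections import Counter

# Step 2: tier by source (firewall allow logs and debug output fall to tier 3 in tier_of).
SOURCE_TIER = {"okta": 1, "cloudtrail": 1, "edr": 1, "firewall": 1,
               "vpn": 2, "db_audit": 2, "app": 3, "vpc_flow": 3}
# Tier 2 sources enter the SIEM only with a documented detection/compliance need.
TIER2_JUSTIFIED = {"db_audit": "PHI access auditing"}  # vpn: not yet justified
# Step 5: only these high-signal types may start a SOAR playbook.
SOAR_TRIGGERS = {"suspicious_login", "malware_alert", "privileged_action",
                 "iam_policy_change"}

def tier_of(event):
    if event["source"] == "firewall" and event.get("action") == "allow":
        return 3
    if event.get("level") == "debug":
        return 3
    return SOURCE_TIER.get(event["source"], 2)  # unknown source: conditional

def route_batch(events):
    """Step 4: collapse repeats, enrich with tier/repeat_count/soar flag, send
    tier 1 and justified tier 2 to 'siem', everything else to 'archive' (Step 3)."""
    key = lambda e: (e["source"], e["type"], e.get("user"))
    repeats = Counter(key(e) for e in events)
    seen, routed = set(), []
    for e in events:
        if key(e) in seen:
            continue
        seen.add(key(e))
        tier = tier_of(e)
        to_siem = tier == 1 or (tier == 2 and e["source"] in TIER2_JUSTIFIED)
        enriched = dict(e, tier=tier, repeat_count=repeats[key(e)],
                        soar=tier == 1 and e["type"] in SOAR_TRIGGERS)
        routed.append(("siem" if to_siem else "archive", enriched))
    return routed

SAMPLE = [  # constructed events, not real telemetry
    {"source": "okta", "type": "suspicious_login", "user": "a.lee"},
    {"source": "okta", "type": "suspicious_login", "user": "a.lee"},  # repeat
    {"source": "cloudtrail", "type": "iam_policy_change", "user": "svc-deploy"},
    {"source": "firewall", "type": "conn", "action": "allow"},
    {"source": "firewall", "type": "ids_alert", "action": "block"},
    {"source": "vpn", "type": "session_start", "user": "b.kim"},
    {"source": "db_audit", "type": "select_phi", "user": "b.kim"},
    {"source": "app", "type": "trace", "level": "debug"},
]
if __name__ == "__main__":
    for dest, e in route_batch(SAMPLE):
        print(dest, e["tier"], e["source"], e["type"], e["repeat_count"], e["soar"])
```

Of the eight sample events, four reach the SIEM, three go to the archive, one is collapsed as a repeat, and only the Okta login and the IAM change are eligible to start a playbook.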
Step 6: Treat Logging as a Living Program
Threats evolve. Cloud environments change. Business priorities shift.
Your logging strategy should, too.
Quarterly reviews ensure:
- Useless logs are decommissioned
- High-value logs are added
- Costs stay aligned to value
- New threats are covered
This keeps your SIEM/SOAR relevant and effective.
A CISO’s Recommendation Summary
Here’s what healthcare security leaders should prioritize:
- Build a logging strategy rooted in business risk. Not everything is equally important.
- Prioritize identity, cloud, and endpoint logs. Modern attackers target these areas first.
- Use a tiered ingestion model. Send high-value logs to the SIEM; store the rest efficiently.
- Adopt log pipelines to reduce noise and control cost. Better routing = better security at lower cost.
- Review your logging program regularly. Make adjustments quarterly to stay ahead of risks.
- Keep cost and risk in balance. Overspending weakens the program just as much as under-logging.
The future of healthcare cybersecurity isn’t about collecting more data; it’s about using data smarter. Organizations that strike the right balance will not only lower operational costs but also enhance detection, accelerate response, and build a more resilient security posture.
A well-designed logging strategy gives healthcare IT teams greater visibility, greater efficiency, and greater confidence, without overwhelming the budget or the analysts behind the scenes. Reach out to CloudWave for help building a strategy or a balanced solution.

Ashini Surati is the CISO at CloudWave.