Every detection rule, every threat hunt, every AI agent you deploy rests on one silent assumption: that the data describing an attack actually reached your tools. When it doesn’t, nothing above it can save you, and no one gets an alert that the data was missing.
Security teams invest heavily in the sharp end of the stack: detection content, threat intelligence, response playbooks, and increasingly, AI agents to triage and investigate at machine speed. But all of that sits on top of one of the least-audited layers in security: your security telemetry coverage — the share of security-relevant activity that actually reaches your tools as usable data.
Ask a team how they detect threats, and you’ll hear about their SIEM and their analysts. Ask how the data gets there, and which sources they don’t collect, and the conversation gets vague.
That gap is where attackers live.
Security telemetry coverage is a decision you’re making by accident
A blind spot rarely announces itself. A source you never onboarded doesn’t throw an error; it simply produces no events, and the dashboards stay green. Detection logic can only match on data that arrives. So every source you skip quietly shrinks your coverage, without anyone deciding it should.
This has always mattered. It matters more now for two reasons.
First, attackers are faster. Mandiant’s M-Trends 2026 reports that the window between initial compromise and hand-off to the crew that does the real damage collapsed from more than eight hours in 2022 to 22 seconds in 2025.
At the same time, global median dwell time rose to 14 days in 2025, reversing recent gains. Much of that came from long-dwell espionage and North Korean IT-worker campaigns — and from intruders who persist on edge devices and appliances that don’t support EDR, infrastructure that produces almost none of the telemetry defenders rely on. The less you collect, the longer they stay invisible.
Second, you’re now building AI on top of this. An AI agent reasoning about an incident consumes telemetry as context. It can only reason about what it’s given. A blind spot isn’t just about a missed alert anymore: it means an autonomous system confidently drawing the wrong conclusion, because the evidence it needed was never there. Weak data in, weak reasoning out, at machine speed.
What log sources should a SOC collect?
Not all telemetry carries equal weight. Six source categories carry the highest-value signal for detection: network, application and SaaS, identity and access, cloud and infrastructure, endpoint, and AI agents. Miss any one and an entire class of attack unfolds with no data to catch it.
Network: the ground truth of what moved. Firewall, DNS, VPC flow, and proxy traffic. Without it, command-and-control beaconing and data exfiltration run unseen; you lose the ability to prove what left your environment. (Palo Alto, Fortinet, Cisco, Zscaler.)
Application & SaaS: where the business actually runs. Microsoft 365, Salesforce, GitHub, and the rest. Without these logs, OAuth token abuse and mass data theft look like ordinary activity. Modern breaches increasingly never touch an endpoint at all. (Microsoft 365, Salesforce, GitHub.)
Identity & access: the new perimeter. Sign-ins, privilege changes, and directory events. Without them, account takeover, MFA fatigue, and privilege escalation are invisible, and identity is a leading entry point for intrusions. (Entra ID, Okta, Active Directory, Ping.)
Cloud & infrastructure: the control plane. AWS CloudTrail, Azure Activity, GCP audit, Kubernetes. Without it, control-plane abuse, resource hijacking, and crypto-mining unfold in accounts no one is watching. (AWS CloudTrail, Azure, GCP, Kubernetes.)
Endpoint / EDR: host-level intent. Process, file, and execution telemetry. Without it, ransomware detonation and living-off-the-land techniques blend into normal operations. (CrowdStrike, Microsoft Defender, SentinelOne.)
AI & agents: the surface you just created. Prompts, tool calls, and agent actions. As you deploy agents, they become a target: prompt injection, tool misuse, and agent hijacking. If you don’t log what your agents do, you cannot supervise, audit, or secure them. (OpenAI, Anthropic, Azure OpenAI, MCP tool logs.)
Collected data still has to arrive fast, whole, and consistent
Turning on the right sources is only the start. That data then has to arrive completely, even under peak load; fast, because everything downstream waits on it, and delayed telemetry means detections and agents work from a picture that is already out of date; and in a consistent structure, so that both detections and agents can actually use it.
A source that’s collected but delivered late, incompletely, or in a raw vendor-specific format is only a partial answer, and for an AI agent, an inconsistent schema means higher token cost, slower reasoning, and more mistakes.
This is why visibility is a pipeline problem, not just a logging checklist. The pipeline decides what your detection tools and agents can see.
What good telemetry coverage looks like
If you’re deciding where to start, four questions cut through it:
- Which of the six source categories above are we not collecting today, and which attacks does that leave us blind to?
- Under peak load, does our pipeline keep up, or does it fall behind and drop the events we need most?
- How much of what we think we’re collecting actually reaches the SIEM intact?
- Is our data normalized to a consistent schema before it lands, or is every source a custom project for our analysts and our AI agents?
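As an added illustration (not VirtualMetric's code and no part of DataStream), the following Python turns the first three questions into a check you can run over an ingest batch: every expected source, grouped by the six categories above, is classified as silent (no recent events, the blind spot L6 describes), lagging (events arrive, but too late), or ok, and coverage per category is computed. Source names, thresholds and the event batch are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Expected sources per category, following the six categories in the post (constructed).
EXPECTED = {
    "network": ["fw-edge", "dns-resolver"], "saas": ["m365-audit"],
    "identity": ["entra-signin"], "cloud": ["cloudtrail"],
    "endpoint": ["edr"], "ai-agents": ["mcp-tool-log"],
}

def audit(events, expected, now, silent_after=timedelta(minutes=15),
          max_lag=timedelta(minutes=5)):
    """Classify each expected source as 'silent', 'lagging' or 'ok'; return (status, coverage)."""
    last_seen, worst_lag = {}, {}
    for ev in events:
        src = ev["source"]
        last_seen[src] = max(last_seen.get(src, ev["event_time"]), ev["event_time"])
        lag = ev["ingest_time"] - ev["event_time"]
        worst_lag[src] = max(worst_lag.get(src, lag), lag)
    status, coverage = {}, {}
    for cat, sources in expected.items():
        ok = 0
        for src in sources:
            # No events at all, or none inside the window: the source is dark.
            if src not in last_seen or now - last_seen[src] > silent_after:
                status[src] = "silent"
            # Events do arrive, but too late for detections and agents to act on.
            elif worst_lag[src] > max_lag:
                status[src] = "lagging"
            else:
                status[src] = "ok"
                ok += 1
        coverage[cat] = ok / len(sources)  # share of expected sources that are usable
    return status, coverage

def sample_audit():
    """Run the audit over a constructed batch; dns-resolver never sends anything."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    def m(n): return now - timedelta(minutes=n)
    events = [
        {"source": "fw-edge", "event_time": m(2), "ingest_time": m(1)},
        {"source": "entra-signin", "event_time": m(10), "ingest_time": m(1)},  # 9 min lag
        {"source": "cloudtrail", "event_time": m(40), "ingest_time": m(39)},   # stale
        {"source": "edr", "event_time": m(3), "ingest_time": m(2)},
        {"source": "m365-audit", "event_time": m(4), "ingest_time": m(3)},
        {"source": "mcp-tool-log", "event_time": m(1), "ingest_time": m(0)},
    ]
    return audit(events, EXPECTED, now)

if __name__ == "__main__":
    print(*sample_audit(), sep="\n")
```

Sources that send events but are not in the expected list are ignored here; in practice the inventory of expected sources is the part that has to be maintained deliberately, which is the point of the first question.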
Closing visibility gaps is the unglamorous foundation work that decides whether everything above it (your SIEM, your detections, and your AI agents) works or fails silently. VirtualMetric DataStream exists to make that foundation solid: it closes visibility gaps across all six source categories with 300+ vendor packs, delivers telemetry fast without silent loss, and normalizes every source to a consistent schema (ASIM, OCSF, CIM, UDM, ECS) before it reaches your tools, so your agents reason on complete, clean data instead of inheriting your blind spots.
Build the foundation before you scale the agents.