Beyond Endpoints: Key Data Sources for Holistic Threat Detection
<p>Modern security teams are increasingly recognizing that relying solely on endpoint detection is no longer sufficient to protect against sophisticated threats. As adversaries move beyond the endpoint into networks, cloud environments, and identity systems, organizations must adopt a broader strategy that captures telemetry from every corner of the IT ecosystem. Unit 42's expert analysis underscores the urgency of this shift, emphasizing the need for a comprehensive security strategy that spans every IT zone. Below, we explore the essential data sources that empower detection beyond the endpoint—and how to harness them effectively.</p>
<h2 id="network-traffic-and-flow-data">Network Traffic and Flow Data</h2>
<p>Network traffic remains one of the richest sources for detecting lateral movement, data exfiltration, and command-and-control communications. By analyzing <strong>NetFlow</strong>, <strong>full packet captures</strong>, or <strong>DNS logs</strong>, security teams can identify anomalies that endpoint tools might miss—especially when an attacker has compromised credentials or uses living-off-the-land binaries.</p><figure style="margin:20px 0"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/13_Cloud_cybersecurity_research_Overview_1920x900.jpg" alt="Beyond Endpoints: Key Data Sources for Holistic Threat Detection" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: unit42.paloaltonetworks.com</figcaption></figure>
<h3>Key Metrics to Monitor</h3>
<ul>
<li><strong>Unusual outbound connections</strong> to rare domains or IP addresses</li>
<li><strong>Large data transfers</strong> during off-hours</li>
<li><strong>Protocol mismatches</strong> (e.g., SSH traffic on an HTTP port)</li>
</ul>
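<p>The three indicators above can be checked directly against flow records. The following is an added example, not code from the original article or from Unit 42: it defines a small flow record, one check per indicator, and a <code>triage</code> function that groups hits per destination so that destinations tripping several indicators surface first. The port-to-protocol mapping, the application-protocol field, and the sample flows (documentation-range addresses, <code>.test</code> names) are all constructed for the example.</p>

```python
"""Flow-record triage for the three indicators above (added example; the flow
records below are constructed, not real telemetry)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Flow:
    ts: datetime      # flow start, UTC
    src: str          # internal source host
    dst: str          # destination IP or resolved name
    dport: int        # destination port
    app: str          # application protocol identified by the sensor (assumed field)
    bytes_out: int    # bytes sent from src to dst


# Assumed port -> expected application protocol mapping used for mismatch checks.
EXPECTED_APP = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 3389: "rdp"}


def rare_destinations(flows, min_hosts=2):
    """Destinations seen from fewer than `min_hosts` distinct internal sources."""
    hosts_per_dst = defaultdict(set)
    for f in flows:
        hosts_per_dst[f.dst].add(f.src)
    return sorted(d for d, hosts in hosts_per_dst.items() if len(hosts) < min_hosts)


def off_hours_large_transfers(flows, threshold_bytes=100_000_000, start_hour=8, end_hour=18):
    """Flows at or above the byte threshold that start outside business hours."""
    return [f for f in flows
            if f.bytes_out >= threshold_bytes and not (start_hour <= f.ts.hour < end_hour)]


def protocol_mismatches(flows):
    """Flows whose identified application protocol contradicts the port's expected one."""
    return [f for f in flows if f.dport in EXPECTED_APP and EXPECTED_APP[f.dport] != f.app]


def triage(flows):
    """Destination -> sorted list of distinct indicators it triggered; destinations
    with several indicators are the ones an analyst should look at first."""
    hits = defaultdict(set)
    for d in rare_destinations(flows):
        hits[d].add("rare-destination")
    for f in off_hours_large_transfers(flows):
        hits[f.dst].add("off-hours-large-transfer")
    for f in protocol_mismatches(flows):
        hits[f.dst].add("protocol-mismatch")
    return {d: sorted(reasons) for d, reasons in hits.items()}


# Constructed sample flows (documentation-range IPs, .test names).
SAMPLE_FLOWS = [
    Flow(datetime(2024, 5, 1, 10, 0), "10.0.0.5", "updates.vendor.test", 443, "tls", 5_000),
    Flow(datetime(2024, 5, 1, 10, 5), "10.0.0.6", "updates.vendor.test", 443, "tls", 6_000),
    Flow(datetime(2024, 5, 1, 11, 0), "10.0.0.5", "10.0.0.20", 3389, "rdp", 1_000),
    Flow(datetime(2024, 5, 1, 11, 2), "10.0.0.6", "10.0.0.20", 3389, "rdp", 1_200),
    # SSH seen on port 80 to a never-before-seen host at 02:30, moving 250 MB
    Flow(datetime(2024, 5, 1, 2, 30), "10.0.0.7", "203.0.113.9", 80, "ssh", 250_000_000),
]

if __name__ == "__main__":
    for dst, reasons in triage(SAMPLE_FLOWS).items():
        print(dst, reasons)
```

<p>The thresholds (two distinct sources, 100 MB, 08:00 to 18:00) are starting points; in practice each is tuned per network segment, and the rarity check is far more useful when it runs against weeks of history rather than a single batch.</p>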
<h2 id="cloud-audit-logs-and-apis">Cloud Audit Logs and APIs</h2>
<p>Cloud platforms like AWS, Azure, and GCP generate detailed audit logs (e.g., AWS CloudTrail, Azure Activity Log) that record every API call and configuration change. These logs are invaluable for detecting <strong>credential misuse</strong>, <strong>privilege escalation</strong>, and <strong>data access anomalies</strong> that bypass traditional endpoints entirely.</p>
<h3>Integrating Cloud Logs into Your SIEM</h3>
<p>Modern SIEMs can ingest these logs in real time. Look for patterns such as <em>multiple failed console logins</em> followed by a successful one, or an <em>IAM role used from an unexpected geographic location</em>. Correlation with other data sources strengthens detection accuracy.</p>
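<p>Both patterns named above can be expressed as short rules over CloudTrail-shaped records. The following is an added example, not code from the original article or from Unit 42: it consumes JSON-lines events, flags a user whose successful <code>ConsoleLogin</code> follows a burst of failures, and flags <code>AssumeRole</code> calls whose source address geolocates outside an allowed set of countries. The events, the account id, and the IP-to-country table are constructed; the table stands in for whatever GeoIP enrichment the SIEM applies.</p>

```python
"""Two detections over CloudTrail-shaped records (added example). The events,
account id and GeoIP table are constructed; the GeoIP lookup stands in for
whatever enrichment the SIEM provides."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP -> country enrichment (documentation-range addresses).
GEOIP = {"198.51.100.7": "US", "198.51.100.8": "US", "203.0.113.55": "DE"}


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Users with >= min_failures failed ConsoleLogin attempts inside `window`
    before a successful one."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        user = e.get("userIdentity", {}).get("userName", "unknown")
        outcome = e.get("responseElements", {}).get("ConsoleLogin")
        by_user[user].append((_when(e), outcome))
    hits = set()
    for user, attempts in by_user.items():
        attempts.sort()
        for i, (t, outcome) in enumerate(attempts):
            if outcome != "Success":
                continue
            failures = sum(1 for t0, o0 in attempts[:i] if o0 == "Failure" and t - t0 <= window)
            if failures >= min_failures:
                hits.add(user)
    return sorted(hits)


def role_use_from_unexpected_country(events, allowed_countries=frozenset({"US"})):
    """AssumeRole calls whose source IP geolocates outside the allowed countries."""
    hits = []
    for e in events:
        if e.get("eventName") != "AssumeRole":
            continue
        country = GEOIP.get(e.get("sourceIPAddress"), "unknown")
        if country not in allowed_countries:
            role = e["requestParameters"]["roleArn"].rsplit("/", 1)[-1]
            hits.append((role, e["sourceIPAddress"], country))
    return hits


def _login(t, user, ip, outcome):
    return {"eventTime": t, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"userName": user}, "responseElements": {"ConsoleLogin": outcome}}


def _assume(t, ip, role):
    # 123456789012 is a placeholder account id, not a real account
    return {"eventTime": t, "eventName": "AssumeRole", "sourceIPAddress": ip,
            "requestParameters": {"roleArn": f"arn:aws:iam::123456789012:role/{role}"}}


# Constructed trail, serialised to JSON lines the way a log shipper would deliver it.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    _login("2024-05-01T08:00:00Z", "alice", "203.0.113.55", "Failure"),
    _login("2024-05-01T08:01:00Z", "alice", "203.0.113.55", "Failure"),
    _login("2024-05-01T08:02:00Z", "alice", "203.0.113.55", "Failure"),
    _login("2024-05-01T08:03:00Z", "alice", "203.0.113.55", "Success"),
    _login("2024-05-01T09:00:00Z", "bob", "198.51.100.7", "Failure"),
    _login("2024-05-01T09:01:00Z", "bob", "198.51.100.7", "Success"),
    _assume("2024-05-01T08:05:00Z", "203.0.113.55", "DeployRole"),
    _assume("2024-05-01T09:10:00Z", "198.51.100.8", "ReadOnlyRole"),
])


def load_events(jsonl):
    """Parse JSON-lines input into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


if __name__ == "__main__":
    events = load_events(SAMPLE_TRAIL)
    print("failed-then-success:", failed_then_success(events))
    print("role use from unexpected country:", role_use_from_unexpected_country(events))
```

<p>Note that the two hits in the sample share a source address: a rule that joins the login-burst finding with the role-use finding on <code>sourceIPAddress</code> would rate this sequence higher than either rule alone, which is the correlation point made later in the article.</p>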
<h2 id="identity-and-authentication-telemetry">Identity and Authentication Telemetry</h2>
<p>Identity attacks—like phishing, MFA fatigue, and token theft—often leave traces in authentication systems. Sources such as <strong>Active Directory logs</strong>, <strong>Azure AD sign-in logs</strong>, and <strong>Okta Events API</strong> provide a chronological view of user actions.</p>
<h3>Key Detections</h3>
<ol>
<li><strong>Impossible travel</strong>: A user logs in from two distant locations in an unrealistic timeframe.</li>
<li><strong>High volume of failed logins</strong> for a single account (brute-force attempt).</li>
<li><strong>Unusual service principal usage</strong> that mimics legitimate application access.</li>
</ol>
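<p>Impossible travel is the one detection in the list that needs a little arithmetic, so here it is worked through. This is an added example, not code from the original article or from Unit 42: it takes sign-in records already enriched with coordinates (as Azure AD sign-in logs and the Okta Events API provide through their location fields), computes the great-circle distance between consecutive successful sign-ins for each user, and alerts when the implied speed exceeds a threshold. The records, coordinates, and thresholds are constructed for the example.</p>

```python
"""Impossible-travel detection over sign-in records (added example; the
records and their coordinates are constructed)."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=50.0):
    """Consecutive successful sign-ins for one user that would require travelling
    faster than max_speed_kmh (roughly airliner speed). min_distance_km suppresses
    GeoIP jitter between nearby points of presence in the same city."""
    by_user = defaultdict(list)
    for s in signins:
        if s["result"] == "success":          # failed attempts prove nothing about location
            by_user[s["user"]].append(s)
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["time"])
        for prev, cur in zip(rows, rows[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = math.inf if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(dist),
                               "kmh": None if speed == math.inf else round(speed)})
    return alerts


def _signin(t, user, city, lat, lon, result="success"):
    return {"time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "city": city, "lat": lat, "lon": lon, "result": result}


# Constructed sign-in records; coordinates are city centres.
SAMPLE_SIGNINS = [
    _signin("2024-05-01T09:00:00Z", "alice", "London", 51.5074, -0.1278),
    _signin("2024-05-01T10:30:00Z", "alice", "New York", 40.7128, -74.0060),
    _signin("2024-05-01T09:00:00Z", "bob", "London", 51.5074, -0.1278),
    _signin("2024-05-01T12:00:00Z", "bob", "Manchester", 53.4808, -2.2426),
    # a failed attempt from far away is ignored by this rule (it belongs to the brute-force rule)
    _signin("2024-05-01T09:05:00Z", "bob", "Sydney", -33.8688, 151.2093, result="failure"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

<p>Alice's London-to-New York pair covers roughly 5,570 km in 90 minutes and fires; Bob's London-to-Manchester pair is about 260 km in three hours and does not. In production the main source of false positives is VPN and mobile-carrier egress, so the rule is usually paired with an allowlist of known corporate egress addresses.</p>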
<h2 id="email-and-collaboration-logs">Email and Collaboration Logs</h2>
<p>Phishing and business email compromise (BEC) begin in the inbox. Email gateway logs, Microsoft 365 Unified Audit Logs, and collaboration platform logs (e.g., Slack, Teams) reveal malicious activity before it reaches endpoints. Monitoring for <strong>unusual forwarding rules</strong>, <strong>mass internal emails</strong>, or <strong>sensitive document sharing with external users</strong> can stop attacks early.</p><figure style="margin:20px 0"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/07/PANW_Parent.png" alt="Beyond Endpoints: Key Data Sources for Holistic Threat Detection" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: unit42.paloaltonetworks.com</figcaption></figure>
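<p>Of the three signals just listed, unusual forwarding rules are the most mechanical to detect, because every rule change lands in the Unified Audit Log as an Exchange operation with its parameters. The following is an added example, not code from the original article or from Unit 42: it scans Unified-Audit-Log-shaped records for <code>New-InboxRule</code>, <code>Set-InboxRule</code> and <code>Set-Mailbox</code> operations and reports any forwarding or redirect target outside the organisation's domains. The records are constructed, and the <code>[SMTP:address]</code> value format is an assumption about how the parameter value is rendered.</p>

```python
"""Detecting inbox rules and mailbox settings that forward mail outside the
organisation, over Unified Audit Log-shaped records (added example; the records
are constructed and the Parameters value format is assumed)."""
import json

# Operation -> parameters that carry a forwarding or redirect target.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
}


def _addresses(value):
    """Split a value such as '[SMTP:x@a.test];[SMTP:y@b.test]' or 'smtp:x@a.test'
    into lower-cased addresses (format assumed for the example)."""
    out = []
    for part in value.split(";"):
        part = part.strip().strip("[]").strip()
        if part.upper().startswith("SMTP:"):
            part = part[5:]
        if part:
            out.append(part.strip().lower())
    return out


def external_forwarding_rules(records, internal_domains):
    """Forwarding targets whose domain is not one of internal_domains.
    Targets without '@' are directory-object references and need resolving
    before they can be judged, so they are skipped here."""
    internal = {d.lower() for d in internal_domains}
    hits = []
    for r in records:
        watched = FORWARDING_PARAMS.get(r.get("Operation"))
        if not watched:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        for name in sorted(watched & params.keys()):
            for addr in _addresses(params[name]):
                if "@" in addr and addr.rsplit("@", 1)[1] not in internal:
                    hits.append({"user": r["UserId"], "operation": r["Operation"],
                                 "parameter": name, "target": addr, "time": r["CreationTime"]})
    return hits


# Constructed audit records as JSON lines (the UAL's AuditData payloads).
SAMPLE_RECORDS = [json.loads(line) for line in """
{"CreationTime":"2024-05-01T07:55:00","Operation":"New-InboxRule","UserId":"alice@example.test","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"[SMTP:mailbox@personal-mail.test]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-01T08:10:00","Operation":"New-InboxRule","UserId":"bob@example.test","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"ForwardTo","Value":"[SMTP:team@example.test]"}]}
{"CreationTime":"2024-05-01T08:20:00","Operation":"Set-Mailbox","UserId":"carol@example.test","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:carol@webmail.test"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
""".strip().splitlines()]

if __name__ == "__main__":
    for hit in external_forwarding_rules(SAMPLE_RECORDS, {"example.test"}):
        print(hit)
```

<p>Two of the three records fire: the inbox rule that forwards to an outside domain (and deletes the original, a combination worth weighting higher) and the mailbox-level forwarding address. Bob's rule forwards internally and is ignored.</p>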
<h2 id="sensors-and-iot-data">Sensors and IoT Data</h2>
<p>Operational technology (OT) and IoT devices often lack endpoint agents, but they emit valuable data through <strong>SNMP traps</strong>, <strong>syslog</strong>, and <strong>vendor-specific APIs</strong>. Analyzing these streams helps detect physical tampering, firmware anomalies, or unusual traffic patterns that may indicate a supply chain compromise.</p>
<h2 id="orchestrating-multiple-data-sources">Orchestrating Multiple Data Sources</h2>
<p>Collecting data is only half the battle. Effective detection requires <strong>correlation</strong> across sources. For instance, a network anomaly combined with an identity anomaly yields higher confidence. Use <a href="#network-traffic-and-flow-data">network data</a> and <a href="#identity-and-authentication-telemetry">identity telemetry</a> together to spot red flags.</p>
<h3>Recommended Approach</h3>
<ul>
<li><strong>Normalize logs</strong> into a common schema (e.g., OCSF, CEF).</li>
<li><strong>Build detection rules</strong> that span two or more data categories.</li>
<li><strong>Automate response</strong> via SOAR playbooks to contain threats quickly.</li>
</ul>
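<p>The three steps above come together in a short pipeline: map each source's native record onto one common shape, then look for users whose findings span more than one data category inside a time window. The following is an added example, not code from the original article or from Unit 42. The schema is a minimal stand-in whose field names are loosely modelled on OCSF-style naming, not OCSF itself; the Zeek-style and Okta System Log-style inputs, the asset-to-owner map, and the finding names are constructed.</p>

```python
"""Normalising findings from two sources into one minimal schema and
correlating them per user (added example). The schema is a small stand-in
loosely modelled on OCSF-style field names, not OCSF itself; the asset-owner
map and all events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signal:
    time: datetime
    category: str   # "network", "identity", "cloud", "email", ...
    user: str       # principal the signal is attributed to
    host: str       # source address or asset
    name: str       # human-readable finding name


# Constructed CMDB mapping from workstation address to primary user; this is
# what lets a network finding be attributed to the same principal as an identity finding.
ASSET_OWNER = {"10.0.0.7": "alice@example.test", "10.0.0.9": "bob@example.test"}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def from_zeek_notice(n):
    """Zeek notice.log-style record -> Signal, attributing the host to its owner."""
    host = n["id.orig_h"]
    return Signal(_t(n["ts"]), "network", ASSET_OWNER.get(host, "unknown"), host, n["note"])


def from_okta_event(e):
    """Okta System Log-style record -> Signal."""
    return Signal(_t(e["published"]), "identity", e["actor"]["alternateId"],
                  e["client"]["ipAddress"], e["displayMessage"])


def correlate(signals, window=timedelta(minutes=30), min_categories=2):
    """One alert per user whose signals span >= min_categories data categories
    inside a sliding window; the number of categories is the confidence score."""
    by_user = defaultdict(list)
    for s in signals:
        by_user[s.user].append(s)
    alerts = []
    for user, sigs in sorted(by_user.items()):
        sigs.sort(key=lambda s: s.time)
        for i, anchor in enumerate(sigs):
            cluster = [s for s in sigs[i:] if s.time - anchor.time <= window]
            categories = sorted({s.category for s in cluster})
            if len(categories) >= min_categories:
                alerts.append({"user": user, "categories": categories,
                               "signals": sorted(s.name for s in cluster),
                               "confidence": len(categories)})
                break
    return alerts


# Constructed raw findings in their native shapes.
ZEEK_NOTICES = [
    {"ts": "2024-05-01T10:40:00Z", "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.9", "note": "LargeOutboundTransfer"},
    {"ts": "2024-05-01T14:00:00Z", "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.10", "note": "LargeOutboundTransfer"},
]
OKTA_EVENTS = [
    {"published": "2024-05-01T10:30:00Z", "actor": {"alternateId": "alice@example.test"},
     "client": {"ipAddress": "203.0.113.55"}, "displayMessage": "Impossible travel"},
    {"published": "2024-05-01T09:00:00Z", "actor": {"alternateId": "bob@example.test"},
     "client": {"ipAddress": "10.0.0.9"}, "displayMessage": "MFA push denied"},
]


def build_alerts():
    """Normalise both sources and correlate; returns the cross-source alerts."""
    signals = [from_zeek_notice(n) for n in ZEEK_NOTICES] + [from_okta_event(e) for e in OKTA_EVENTS]
    return correlate(signals)


if __name__ == "__main__":
    for alert in build_alerts():
        print(alert)
```

<p>Only Alice produces an alert: her identity finding and the large transfer from her workstation fall ten minutes apart and span two categories. Bob has one finding in each category too, but five hours apart, so each stays a single-source, lower-confidence event. The attribution step (address to owner) is where most real pipelines are weakest; without a reliable asset inventory, cross-source correlation degrades to correlating on IP address alone.</p>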
<h2 id="conclusion">Conclusion</h2>
<p>The endpoint is no longer the perimeter. As Unit 42 highlights, a genuinely comprehensive strategy must draw on data from networks, cloud environments, identity systems, email, and even IoT sensors. By embracing these essential sources and linking them through intelligent analytics, organizations can detect threats that would otherwise slip through the cracks. Start by auditing your current data ingestion—are you missing any of these critical feeds?</p>