The Riskiest Alert Types and Why Enterprise Soc Doesn't Triage Them
Feb 23, 2026
Every few years, a breach happens that security teams study for the wrong reasons. SolarWinds is a good example. When the compromised Orion update started reaching customer environments in early 2020, the signals were already there: unusual DNS requests, unexpected authentication behavior in Azure AD, odd SAML token activity, and lateral movement from on-premises Active Directory into cloud environments. None of it looked like an attack. Each signal sat at low or medium severity, and they were scattered across domains. The attackers had close to a year of dwell time before FireEye, a victim itself, discovered the breach while investigating a stolen red-team toolkit. We tend to call SolarWinds a one-off. It wasn't. The real lesson from that breach, and from the ones that have followed it, is structural. SOCs are designed, staffed, and measured around routine work: phishing, endpoint detections, and user anomalies. The people, processes, dashboards, and tools are ...
