A security team is designing SIEM use-case logic to detect privilege escalation attempts on Windows...

Once the event sources are validated, the next logical step is to define the detection logic—correlation rules and conditions that represent privilege escalation patterns. In SOC engineering, validated sources mean you have the raw ingredients; now you must specify what “bad” looks like in those logs. For privilege escalation on Windows, this might include abnormal group membership changes, creation of new privileged accounts, suspicious privilege assignment events, UAC bypass indicators, or admin logons from non-admin workstations. Defining correlation rules also includes setting time windows, selecting strong pivots (account, host, SID), and incorporating context to reduce noise (approved admin accounts, maintenance windows, known tooling). Defining response actions is important, but it should follow detection logic so you don’t automate reactions to unstable or noisy detections. Testing immediately in production is risky; best practice is to test in a controlled manner or pilot mode first to avoid operational disruption and excessive false positives. Collecting historical logs can help tune baselines, but the scenario states sources are already validated; the next step is to codify the conditions that detect the targeted behavior.