The FCA's SYSC 13 and the operational resilience rules under PS21/3 do not list "SIEM" as a requirement. They do, however, expect you to detect, contain, and report disruption to important business services inside your impact tolerance. When our consultants sit in on Section 166 skilled person reviews, the same pattern surfaces: the SIEM is live, the dashboards look healthy, and yet the auditor finds detections that should have fired weeks earlier.

Cloud SIEM in 2026 is no longer bottlenecked on ingestion: the hosted log platforms take terabytes a day without strain. The bottleneck is detection engineering. Most UK financial services firms we audit are running Microsoft Sentinel, Splunk, or Chronicle with default rule packs against AWS, Azure, and Microsoft 365 estates that have drifted far from the assumptions those rules were built on.

Here are the five detection gaps our team finds repeatedly during pre-audit SIEM reviews of cloud estates, and what to do about each one before your next FCA touchpoint.

Gap 1: Control plane logging is partial, not absolute

AWS CloudTrail management events, Azure Activity Logs, and the Microsoft 365 Unified Audit Log are the spine of any cloud SIEM. We still find firms ingesting these from production tenants only; sandbox, dev, and shared services subscriptions are excluded to save ingestion cost. Attackers know this. Initial access comes through a misconfigured non-production identity, lateral movement into production rides a federated trust between the two, and the SIEM sees only the second half of the kill chain.

Fix: Mandate a CloudTrail organisation trail covering every AWS account, Diagnostic Settings on every Azure subscription forwarding the Activity Log to a central Log Analytics workspace, and the Unified Audit Log enabled tenant-wide with an audit retention policy of twelve months (the default is 180 days; one-year retention needs Audit (Premium) licensing). If ingestion cost is the blocker, use commitment tiers and the Basic Logs table plan for high-volume, low-fidelity sources rather than dropping them.

Gap 2: Identity detections still assume on-premises Active Directory

The default Sentinel and Splunk ES rule sets lean heavily on Windows Event ID 4624, 4625, 4768. In a cloud-first estate where authentication happens at Entra ID, Okta, or AWS IAM Identity Center, those rules fire on a shrinking fraction of real sign-in activity. Meanwhile, the genuinely high-signal events — risky sign-ins, impossible travel, primary refresh token theft, OAuth consent grants to unverified publishers — sit unmonitored.

Fix: Build detections against SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs, and CloudAppEvents. Prioritise: token replay anomalies, sign-ins from residential proxy ASNs, application consent to high-risk Graph scopes (Mail.ReadWrite, Files.ReadWrite.All), and any creation of federated credentials on app registrations or service principals. The last one is the cloud equivalent of a golden ticket: an external token issuer can then sign in as the service principal with no secret or certificate to rotate or leak, and most firms have no coverage for it.
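The two highest-value rules from that list, consent to high-risk Graph scopes and federated credential creation, as an added example that is not code from the original article or from Pyralink. It runs the rule logic over constructed events so you can see what each one keys on before porting it to KQL or SPL. The event dicts are a simplified stand-in for Sentinel AuditLogs rows, and the field names, the ConsentType values and the operation name used for federated credential changes are assumptions to verify against your own workspace.

```python
"""Identity detections over constructed Entra ID audit events.

Added example, not code from the original article or from Pyralink. The
dicts below are a simplified stand-in for Sentinel AuditLogs rows; the
field and operation names are assumptions to check against your workspace.
"""
from dataclasses import dataclass
from typing import Optional

# Graph scopes we treat as high risk when an app is granted them.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Assumption: federated identity credential changes surface in AuditLogs
# under this OperationName with a FederatedIdentityCredentials property.
FIC_OPERATION = "Update application – Certificates and secrets management"


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    actor: str
    target: str
    detail: str


def parse_scopes(value: str) -> set:
    """Graph permissions arrive as one space-separated string."""
    return {s for s in value.split() if s}


def detect_risky_consent(event: dict) -> Optional[Finding]:
    """Flag consent grants that include a high-risk Graph scope."""
    if event.get("OperationName") != "Consent to application":
        return None
    risky = parse_scopes(event.get("ConsentPermissions", "")) & HIGH_RISK_SCOPES
    if not risky:
        return None
    # Admin consent (AllPrincipals) applies tenant-wide; user consent only
    # exposes that one user's mailbox or files, so rank it lower.
    severity = "High" if event.get("ConsentType") == "AllPrincipals" else "Medium"
    return Finding("RiskyOAuthConsent", severity, event["InitiatedBy"],
                   event["TargetApp"], "scopes=" + ",".join(sorted(risky)))


def detect_federated_credential(event: dict) -> Optional[Finding]:
    """Flag a federated identity credential being added to an app or
    service principal: an external issuer can now sign in as it with no
    secret or certificate to rotate or leak."""
    if event.get("OperationName") != FIC_OPERATION:
        return None
    for prop in event.get("ModifiedProperties", []):
        if prop.get("DisplayName") == "FederatedIdentityCredentials" and prop.get("NewValue"):
            return Finding("FederatedCredentialAdded", "High", event["InitiatedBy"],
                           event["TargetApp"], "issuer=" + prop["NewValue"])
    return None


DETECTORS = (detect_risky_consent, detect_federated_credential)


def run_detections(events) -> list:
    """Run every detector over every event; return findings in event order."""
    findings = []
    for ev in events:
        for det in DETECTORS:
            f = det(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"OperationName": "Consent to application", "InitiatedBy": "alice@example.com",
     "TargetApp": "Calendar Helper", "ConsentType": "Principal",
     "ConsentPermissions": "User.Read Calendars.Read"},
    {"OperationName": "Consent to application", "InitiatedBy": "ga-admin@example.com",
     "TargetApp": "MailSync Pro", "ConsentType": "AllPrincipals",
     "ConsentPermissions": "User.Read Mail.ReadWrite Files.ReadWrite.All"},
    {"OperationName": FIC_OPERATION, "InitiatedBy": "ga-admin@example.com",
     "TargetApp": "build-pipeline-sp",
     "ModifiedProperties": [{"DisplayName": "FederatedIdentityCredentials", "OldValue": "",
                             "NewValue": "https://token.actions.githubusercontent.com"}]},
    {"OperationName": "Reset user password", "InitiatedBy": "helpdesk@example.com",
     "TargetApp": ""},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.actor} -> {f.target} ({f.detail})")
```

The benign User.Read consent produces nothing; the admin consent to Mail.ReadWrite and Files.ReadWrite.All and the federated credential pointing at an external issuer each produce one High finding. When you port this, keep the ConsentType split: tenant-wide admin consent and a single user's consent should not land in the same queue.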

Gap 3: SaaS-to-SaaS connections are an unmonitored blast radius

Microsoft 365, Salesforce, Workday, ServiceNow, GitHub — each accumulates dozens of third-party app integrations. Each integration is a long-lived OAuth token with scopes that often exceed what the business case needed. Our team has found marketing automation tools holding Mail.Send across an entire tenant because someone clicked through an admin consent prompt in 2023.

Fix: Onboard SaaS audit logs into your SIEM via the vendor's native event stream or a CASB. Write detections for: new admin consent events, scope escalations on existing apps, and dormant app reactivation. Review the OAuth app inventory quarterly and revoke anything without an owner.
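The three checks in that fix (scope escalation on an existing app, dormant app reactivation, and the quarterly hunt for ownerless apps) as an added example that is not code from the original article or from Pyralink. The inventory shape, app id mapped to owner, granted scopes and last sign-in, is an assumption; in practice you would build it from the Graph API, a CASB export or the vendor's audit stream rather than from the literals below.

```python
"""SaaS-to-SaaS OAuth app checks over a constructed app inventory.

Added example, not from the original article or Pyralink. The inventory
shape (app id -> owner, scopes, sign-in history) is an assumption; populate
it from the Graph API, a CASB export or the vendor's audit log in practice.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed so the run is reproducible


def scope_escalations(baseline: dict, current: dict) -> dict:
    """Apps whose granted scopes grew since the last reviewed baseline.
    Returns {app_id: set(added scopes)}; an app absent from the baseline
    counts in full, since every scope on it is new to the reviewer."""
    out = {}
    for app_id, app in current.items():
        before = baseline.get(app_id, {}).get("scopes", set())
        added = app["scopes"] - before
        if added:
            out[app_id] = added
    return out


def dormant_reactivations(current: dict, signins: list, dormant_days: int = 90) -> list:
    """Apps that authenticate after more than dormant_days of silence.
    signins: (app_id, timestamp) pairs in chronological order.
    Returns (app_id, days_silent) for the first sign-in that breaks the silence."""
    last_seen = {app_id: app["last_sign_in"] for app_id, app in current.items()}
    hits = []
    for app_id, ts in signins:
        prev = last_seen.get(app_id)
        if prev and ts - prev > timedelta(days=dormant_days):
            hits.append((app_id, (ts - prev).days))
        last_seen[app_id] = ts
    return hits


def ownerless_apps(current: dict) -> list:
    """Apps with no named owner: revocation candidates at the quarterly review."""
    return sorted(app_id for app_id, app in current.items() if not app.get("owner"))


# Constructed data (not a real tenant).
BASELINE = {
    "mkt-automation": {"owner": "marketing", "scopes": {"User.Read", "Mail.Send"}},
    "ticket-sync":    {"owner": "servicedesk", "scopes": {"User.Read"}},
}
CURRENT = {
    "mkt-automation": {"owner": "marketing",
                       "scopes": {"User.Read", "Mail.Send", "Mail.ReadWrite"},
                       "last_sign_in": NOW - timedelta(days=1)},
    "ticket-sync":    {"owner": "servicedesk", "scopes": {"User.Read"},
                       "last_sign_in": NOW - timedelta(days=2)},
    "old-bi-connector": {"owner": "", "scopes": {"Files.Read.All"},
                         "last_sign_in": NOW - timedelta(days=200)},
}
SIGNINS = [
    ("ticket-sync", NOW),
    ("old-bi-connector", NOW + timedelta(hours=1)),
    ("old-bi-connector", NOW + timedelta(hours=2)),  # follow-up sign-in is no longer dormant
]

if __name__ == "__main__":
    print("scope escalations:", scope_escalations(BASELINE, CURRENT))
    print("dormant reactivations:", dormant_reactivations(CURRENT, SIGNINS))
    print("ownerless:", ownerless_apps(CURRENT))
```

The escalation check is stateful on purpose: a consent event alone tells you an app was granted scopes, but only a diff against the last reviewed baseline tells you the grant widened what the app already had. The dormant check updates last_seen as it goes, so a burst of sign-ins from a reawakened app raises one alert rather than one per request.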

Gap 4: Detection rules have no business context

A SIEM alert that says "anomalous S3 GetObject from new IP" is noise. The same alert enriched with "S3 bucket tagged data-classification=client-pii, accessed by service principal owned by team that exited the firm last month" is an incident. Most firms never invest in the enrichment layer, then complain about alert fatigue.

Fix: Push your CMDB, HR leaver feed, and asset classification tags into a watchlist or lookup table. Every detection rule should join against business context before it triggers. Threat detection automation works only when the SOAR playbook can decide severity from data, not from a human re-reading the alert.
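The enrichment join from that fix, as an added example that is not code from the original article or from Pyralink: the same "S3 GetObject from new IP" alert is joined to asset classification tags, a principal-to-team map and an HR leaver feed, and severity is derived from the joined data. The watchlist shapes and the severity ladder are assumptions; in Sentinel these would be Watchlists joined in KQL, in Splunk lookup tables.

```python
"""Business-context enrichment for a cloud SIEM alert.

Added example, not from the original article or Pyralink. The watchlist
shapes (asset tags keyed by resource ARN, a principal-to-team map, an HR
leaver feed) and the severity ladder are assumptions.
"""
from datetime import date, timedelta

TODAY = date(2026, 3, 1)  # fixed for reproducibility

# Constructed watchlists (not real data).
ASSET_TAGS = {
    "arn:aws:s3:::client-reporting-exports": {"data-classification": "client-pii",
                                              "owner_team": "client-analytics"},
    "arn:aws:s3:::public-marketing-assets": {"data-classification": "public",
                                             "owner_team": "marketing"},
}
PRINCIPAL_OWNERS = {
    "svc-report-builder": "client-analytics",
    "svc-cdn-publisher": "marketing",
}
# HR leaver feed: person, team, last working day.
LEAVERS = [
    {"user": "j.doe", "team": "client-analytics", "left": date(2026, 2, 10)},
]


def recent_leavers(team: str, window_days: int = 60) -> list:
    """People who left the given team within the last window_days."""
    cutoff = TODAY - timedelta(days=window_days)
    return [l["user"] for l in LEAVERS if l["team"] == team and l["left"] >= cutoff]


def enrich(alert: dict) -> dict:
    """Join the raw alert to the watchlists and derive severity from data.
    Ladder (assumed): Critical = PII resource and the principal's team has a
    recent leaver; High = PII resource; Medium = principal not in the owner
    map at all (an unknown identity is itself a finding); Low = otherwise."""
    tags = ASSET_TAGS.get(alert["resource"], {})
    team = PRINCIPAL_OWNERS.get(alert["principal"])
    classification = tags.get("data-classification", "unknown")
    leavers = recent_leavers(team) if team else []
    if classification == "client-pii" and leavers:
        severity = "Critical"
    elif classification == "client-pii":
        severity = "High"
    elif team is None:
        severity = "Medium"
    else:
        severity = "Low"
    return {**alert, "classification": classification, "owner_team": team,
            "recent_leavers": leavers, "severity": severity}


# Constructed alerts; source IPs are RFC 5737 documentation addresses.
ALERTS = [
    {"rule": "S3 GetObject from new IP", "principal": "svc-report-builder",
     "resource": "arn:aws:s3:::client-reporting-exports", "source_ip": "203.0.113.7"},
    {"rule": "S3 GetObject from new IP", "principal": "svc-cdn-publisher",
     "resource": "arn:aws:s3:::public-marketing-assets", "source_ip": "203.0.113.8"},
    {"rule": "S3 GetObject from new IP", "principal": "svc-unknown",
     "resource": "arn:aws:s3:::public-marketing-assets", "source_ip": "198.51.100.3"},
]

if __name__ == "__main__":
    for a in ALERTS:
        e = enrich(a)
        print(f"{e['severity']:8} {e['principal']:20} {e['classification']:10} "
              f"team={e['owner_team']} leavers={e['recent_leavers']}")
```

Three identical raw alerts come out as Critical, Low and Medium. That spread is the point: a SOAR playbook can route on it without a human re-reading the alert, and the Low one can be auto-closed with the enrichment attached as the justification.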

Gap 5: No evidence the detections actually work

This is the gap that loses audits. Under FCA PS21/3, you must demonstrate testing of your ability to remain within impact tolerance during severe but plausible scenarios. If your last purple team exercise was in 2024 and you cannot show detection coverage mapped to MITRE ATT&CK with timestamps proving each technique fired, the skilled person will write it up.

Fix: Run quarterly adversary emulation against your top ten cloud scenarios — credential theft via device code phishing, S3 bucket exfiltration, Entra ID privilege escalation via app registration, and so on. Use Atomic Red Team, Stratus Red Team for cloud-native techniques, or a commercial BAS platform. Record the detection latency. Feed the gaps back into rule development. Keep the evidence pack for your auditor.

How Pyralink helps

Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our consultants build and tune cloud SIEM deployments for FCA-regulated firms across Microsoft Sentinel, Splunk, and Chronicle — covering rule engineering, log source onboarding, threat detection automation via SOAR, and the evidence packs your skilled person reviewer will ask for.

We offer fractional vCISO engagements from £497/month, ISO 27001 implementation support, and CloudAuditX — our multi-cloud auditing platform that surfaces misconfigurations across AWS, Azure, and Google Cloud against CIS Benchmarks and FCA-aligned controls. The firm carries £5M professional indemnity insurance.

If your SIEM is generating alerts but you cannot prove coverage of your top cloud attack paths, start with a scan:
