The most expensive logging program is not always the most useful. Real forensic value comes from collecting the identity, control plane, administrative, and access data that lets investigators reconstruct what happened with confidence.

Log for reconstruction, not for volume
Many teams collect far more telemetry than they can meaningfully use, while still missing the records that matter most during an investigation. The goal is not to retain every possible event forever. The goal is to preserve the evidence that answers who acted, from where, against what system, and with what result.
In AWS, start with the control plane and identity activity
AWS investigations often fail when teams have partial infrastructure logging but weak visibility into identity and administrative activity.
A practical baseline usually includes:
- CloudTrail for management events across all accounts
- high-value data events for critical S3 buckets, Lambda, and other sensitive services
- VPC Flow Logs where network reconstruction matters
- GuardDuty and Security Hub findings if they are part of the response workflow
- EKS, RDS, and load balancer logs where those services support material workloads
The key is not only turning these on. It is centralizing them and keeping them available long enough for delayed detection scenarios.
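As an added illustration (not code from the article or from AWS), the following Python check evaluates one trail against that baseline. The trail and event-selector dictionaries are constructed samples shaped like the responses of boto3's describe_trails() and get_event_selectors(); the bucket names are placeholders and CRITICAL_BUCKETS is an assumed list of high-value buckets. It makes no AWS call, so it runs offline.

```python
"""Evaluate one CloudTrail trail against the AWS baseline described above.

Added example, not code from the article or from AWS. SAMPLE_TRAIL and
SAMPLE_SELECTORS are constructed data shaped like the responses of boto3's
describe_trails() and get_event_selectors(); bucket names are placeholders
and CRITICAL_BUCKETS is an assumed list of buckets that must have data events.
No AWS API call is made."""

from typing import Dict, List

# Constructed sample: one trail as describe_trails() would describe it.
SAMPLE_TRAIL: Dict = {
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "S3BucketName": "example-central-logs",  # placeholder central log bucket
}

# Constructed sample: classic event selectors attached to that trail.
SAMPLE_SELECTORS: List[Dict] = [
    {
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [
            {"Type": "AWS::S3::Object",
             "Values": ["arn:aws:s3:::example-finance-exports/"]},
        ],
    }
]

# Assumed: buckets the organization has designated as high value.
CRITICAL_BUCKETS = ["example-finance-exports", "example-customer-data"]

S3_ARN_PREFIX = "arn:aws:s3:::"


def s3_data_event_buckets(selectors: List[Dict]) -> List[str]:
    """Bucket names covered by AWS::S3::Object data-event selectors.

    A bare 'arn:aws:s3:::' value means every bucket in the account and is
    reported as '*'; 'arn:aws:s3:::bucket/' names one bucket."""
    covered: List[str] = []
    for sel in selectors:
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for arn in res.get("Values", []):
                rest = arn[len(S3_ARN_PREFIX):] if arn.startswith(S3_ARN_PREFIX) else arn
                bucket = rest.split("/", 1)[0]
                covered.append(bucket or "*")
    return covered


def trail_gaps(trail: Dict, selectors: List[Dict],
               critical_buckets: List[str]) -> List[str]:
    """Return the baseline gaps for one trail; an empty list means it passes."""
    gaps: List[str] = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("single-region trail: activity in other regions is not recorded")
    if not trail.get("IsOrganizationTrail"):
        gaps.append("not an organization trail: member accounts are not covered")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation off: delivered logs cannot be proven intact")
    if not trail.get("S3BucketName"):
        gaps.append("no S3 delivery bucket: logs are not centralized")
    mgmt = [s for s in selectors if s.get("IncludeManagementEvents")]
    if not mgmt:
        gaps.append("management events are not recorded")
    elif all(s.get("ReadWriteType", "All") != "All" for s in mgmt):
        gaps.append("management events limited to read-only or write-only")
    covered = s3_data_event_buckets(selectors)
    if "*" not in covered:
        for bucket in critical_buckets:
            if bucket not in covered:
                gaps.append(f"no S3 data events for critical bucket {bucket}")
    return gaps


if __name__ == "__main__":
    for gap in trail_gaps(SAMPLE_TRAIL, SAMPLE_SELECTORS, CRITICAL_BUCKETS) or ["baseline met"]:
        print(gap)
```

Run the same function over every trail the organization's accounts return; an empty list for the organization trail means the baseline is met, and anything else names a gap with an owner to close it. The sample deliberately covers only one of the two critical buckets, so it reports exactly that gap.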
In Azure, control plane, identity, and resource logs need to line up
Azure environments often spread evidence across Microsoft Entra ID, Azure Activity Logs, service diagnostics, and Microsoft 365 controls. If those streams are not designed to correlate, investigations become slower and more error-prone.
Focus on:
- Azure Activity Logs for subscription-level administrative changes
- Entra ID sign-in logs and audit logs
- Azure Monitor diagnostics for high-value services
- NSG Flow Logs or equivalent network visibility where segmentation and access paths matter
- Key Vault, Storage, and privileged management activity for sensitive workloads
SaaS evidence is usually the missing layer
A surprising number of incidents involve SaaS platforms more heavily than cloud infrastructure. If the company cannot reconstruct what happened in its email platform, collaboration suite, identity provider, CRM, or ticketing system, the investigation will still be incomplete.
Prioritize logs from:
- Microsoft 365 or Google Workspace administrative actions
- email transport and mailbox access events
- identity provider sign-in, policy, and lifecycle changes
- file sharing, external collaboration, and link creation events
- privileged actions in systems such as CRM, ticketing, and source control
What to preserve first
When budgets are tight, preserve the sources that explain identity use and administrative change before expanding everything else.
That usually means:
- sign-in and authentication activity
- audit logs for configuration and privilege changes
- control plane logs in cloud environments
- file, mailbox, and collaboration access in key SaaS platforms
- targeted network and application logs for crown-jewel systems
Design around queryability, retention, and correlation
Logging that exists but cannot be correlated quickly is less valuable than teams expect. Normalize where practical, preserve key fields consistently, and ensure investigators can pivot from identity to asset to action without rebuilding context manually.
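To make that pivot concrete, here is an added example (not part of the article, and not a vendor schema) that normalizes three constructed records, shaped like a CloudTrail event, an Entra ID sign-in entry and a Microsoft 365 unified audit entry, into one schema keyed on identity, asset, source address, resource, action and result. The Event fields and IDENTITY_MAP are assumptions made for this example; the addresses and names are documentation placeholders.

```python
"""Normalize three telemetry sources into one pivotable schema.
Added example, not from the article. Records are constructed samples shaped
like a CloudTrail event, an Entra ID sign-in entry and a Microsoft 365 unified
audit entry; the Event schema and IDENTITY_MAP are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    ts: datetime     # UTC timestamp
    source: str      # telemetry stream that produced the record
    identity: str    # canonical principal after identity mapping
    src_ip: str      # source address
    asset: str       # platform, tenant or account acted against
    resource: str    # specific object touched
    action: str      # what was done
    result: str      # "success" or "failure"

# Constructed: platform-local usernames resolved to one canonical principal.
IDENTITY_MAP = {"alice": "alice@example.com"}

# Constructed sample records (documentation IPs and names), one list per source.
SAMPLE_CLOUDTRAIL = [{
    "eventTime": "2024-05-01T10:02:11Z", "eventName": "AttachUserPolicy",
    "recipientAccountId": "111122223333", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "requestParameters": {"userName": "svc-backup",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}]
SAMPLE_ENTRA = [{
    "createdDateTime": "2024-05-01T09:58:40Z", "userPrincipalName": "alice@example.com",
    "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal",
    "status": {"errorCode": 0}}]
SAMPLE_M365 = [
    {"CreationTime": "2024-05-01T10:05:30", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "Workload": "Exchange",
     "ObjectId": "alice@example.com\\Inbox", "ResultStatus": "Succeeded"},
    {"CreationTime": "2024-05-01T11:20:05", "Operation": "FileDownloaded",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "Workload": "SharePoint",
     "ObjectId": "https://example.sharepoint.com/finance/q1.xlsx",
     "ResultStatus": "Succeeded"}]

def parse_utc(value: str) -> datetime:
    """Accept ISO 'T' timestamps with optional fractional seconds and trailing Z."""
    core = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def canonical(identity: str) -> str:
    return IDENTITY_MAP.get(identity, identity)

def from_cloudtrail(rec: Dict) -> Event:
    ident = rec["userIdentity"].get("userName") or rec["userIdentity"].get("arn", "unknown")
    params = rec.get("requestParameters") or {}
    resource = params.get("policyArn") or params.get("userName") or params.get("bucketName") or ""
    return Event(parse_utc(rec["eventTime"]), "aws_cloudtrail", canonical(ident),
                 rec.get("sourceIPAddress", ""), f"aws:{rec.get('recipientAccountId', '')}",
                 resource, rec["eventName"], "failure" if rec.get("errorCode") else "success")

def from_entra_signin(rec: Dict) -> Event:
    ok = rec.get("status", {}).get("errorCode", 0) == 0
    return Event(parse_utc(rec["createdDateTime"]), "entra_signin",
                 canonical(rec["userPrincipalName"]), rec.get("ipAddress", ""), "entra_id",
                 rec.get("appDisplayName", ""), "SignIn", "success" if ok else "failure")

def from_m365_audit(rec: Dict) -> Event:
    return Event(parse_utc(rec["CreationTime"]), "m365_audit", canonical(rec["UserId"]),
                 rec.get("ClientIP", ""), f"m365:{rec.get('Workload', '')}",
                 rec.get("ObjectId", ""), rec["Operation"],
                 "success" if rec.get("ResultStatus") == "Succeeded" else "failure")

def normalize_all() -> List[Event]:
    """Every sample record in one schema, ordered by time."""
    events = ([from_cloudtrail(r) for r in SAMPLE_CLOUDTRAIL]
              + [from_entra_signin(r) for r in SAMPLE_ENTRA]
              + [from_m365_audit(r) for r in SAMPLE_M365])
    return sorted(events, key=lambda e: e.ts)

def timeline(events: List[Event], identity: str) -> List[Event]:
    """All actions by one principal, whatever username each platform recorded."""
    who = canonical(identity)
    return [e for e in events if e.identity == who]

def pivot(events: List[Event], field: str) -> Dict[str, List[Event]]:
    """Group events by any schema field, e.g. 'src_ip' or 'asset'."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[getattr(e, field)].append(e)
    return dict(groups)
```

The identity map is the step teams most often skip: without it, "alice" in CloudTrail and "alice@example.com" in Entra ID and Exchange never join, and the one-principal timeline across three platforms cannot be produced from a single query. The same pivot function then groups by source address or asset without any further parsing.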
Useful telemetry engineering leaves behind something concrete: coverage maps, retention tiers, documented field requirements, and a clear understanding of which logs are essential for investigations versus merely nice to have.

Prioritize evidence that proves identity use, administrative changes, data access, and movement paths.

Logs need retention tiers and restore paths so delayed investigations still have usable evidence.

Normalize around identities, assets, source addresses, resources, and actions so investigators can move quickly.
How to use this telemetry guidance
This guidance applies to cloud, SaaS, identity, endpoint, and network logging programs where the goal is investigation quality, not just log volume.
It assumes the organization has at least one centralized log destination or can export records from core platforms during an investigation.
Get specialist help when logs cannot answer who acted, what changed, what data was touched, or whether the incident is still expanding.
- Identity sign-ins, MFA events, policy changes, and privileged role changes.
- Cloud control plane events, storage access, workload logs, and network flow records.
- SaaS administrative actions, sharing events, mailbox rules, OAuth grants, and external access changes.
- Retention settings, archive restore steps, field normalization notes, and detection coverage maps.
DefendArm Telemetry Evidence Value Ladder
Rank each log source by the investigation questions it can answer, then fund retention and normalization around the highest-value evidence first.
- Identity: prove who authenticated, how, from where, and with what risk signals.
- Administration: prove what privileged action changed a user, policy, workload, key, or data store.
- Access: prove what sensitive mailbox, file, bucket, database, or application object was touched.
- Movement: prove network paths, remote access, endpoint execution, and persistence attempts.
- Recovery: prove what evidence is retained, restorable, and legally usable after the first triage window.
- Questions to ask IT: Which logs would show administrative change across cloud, identity, email, source control, and critical SaaS platforms?
- Signals to verify: Confirm sign-ins, MFA changes, privileged role changes, storage access, mailbox rules, OAuth grants, and endpoint isolation state.
- Artifacts to produce: Create a source-by-source coverage matrix with owner, retention tier, query path, archive restore process, and investigation use case.
- Owner to assign: Name one owner for collection, one for retention cost, and one for investigation query readiness.
- Keeping high-volume infrastructure logs while missing identity and SaaS administrative records.
- Assuming a log source is useful because it exists, even when nobody can query or restore it quickly.
- Treating retention as one global number instead of separating hot search, investigation storage, and deep archive.
- Normalizing fields after an incident starts instead of defining pivot fields before pressure arrives.
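As an added example (not DefendArm's tooling, and built on a constructed inventory), the script below turns the evidence value ladder and the coverage matrix into code. Each source records its owner, the ladder questions it answers, separate hot and archive retention, a query path, and whether an archive restore process is documented; the functions then report which questions no queryable source answers, which sources exist but cannot be queried or restored, which retention tiers fall short, and the order in which to fund sources. Source names, owners, and the 30-day and 365-day windows are assumptions.

```python
"""Coverage matrix and evidence-value ranking for log sources.
Added example, not DefendArm's tooling. The source inventory, owners and
retention thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The ladder questions a source can answer (recovery is assessed per source).
LADDER = ["identity", "administration", "access", "movement"]

# Assumed investigation windows; hot search and deep archive are kept separate.
REQUIRED_DAYS = {"hot": 30, "archive": 365}


@dataclass
class Source:
    name: str
    owner: str
    answers: Set[str]           # ladder rungs this source can prove
    hot_days: int               # searchable without a restore
    archive_days: int           # retained in deep archive
    query_path: Optional[str]   # where investigators query it; None = nobody can
    restore_documented: bool    # archive-to-investigation restore path written down


# Constructed inventory of five sources.
SAMPLE_SOURCES = [
    Source("cloudtrail", "cloud-platform", {"identity", "administration"}, 90, 400,
           "athena:cloudtrail_db", True),
    Source("entra_signin", "identity-team", {"identity"}, 30, 365,
           "sentinel:SigninLogs", True),
    Source("m365_audit", "collab-team", {"administration", "access"}, 180, 365,
           None, False),
    Source("vpc_flow", "network-team", {"movement"}, 7, 0,
           "athena:vpc_flow", False),
    Source("edr", "endpoint-team", {"movement"}, 30, 90,
           "edr_console", True),
]


def queryable(src: Source) -> bool:
    return src.query_path is not None


def coverage(sources: List[Source]) -> Dict[str, List[str]]:
    """Rung -> sources that answer it AND can actually be queried."""
    return {rung: [s.name for s in sources if rung in s.answers and queryable(s)]
            for rung in LADDER}


def findings(sources: List[Source], required: Dict[str, int] = REQUIRED_DAYS) -> List[str]:
    """Gaps an owner must close: unanswered rungs, unqueryable sources,
    retention tiers below the required windows, and missing restore paths."""
    out: List[str] = []
    for rung, names in coverage(sources).items():
        if not names:
            out.append(f"{rung}: no queryable source answers this question")
    for s in sources:
        if not queryable(s):
            out.append(f"{s.name}: answers {', '.join(sorted(s.answers))} but has no query path")
        if s.hot_days < required["hot"]:
            out.append(f"{s.name}: hot retention {s.hot_days}d below required {required['hot']}d")
        if s.archive_days < required["archive"]:
            out.append(f"{s.name}: archive retention {s.archive_days}d below required {required['archive']}d")
        if not s.restore_documented:
            out.append(f"{s.name}: no documented archive restore process")
    return out


def ranked(sources: List[Source]) -> List[str]:
    """Sources by evidence value (rungs answered), ties broken by name.
    Fund retention and normalization from the top of this list down."""
    return [s.name for s in sorted(sources, key=lambda s: (-len(s.answers), s.name))]


def matrix_rows(sources: List[Source]) -> List[Dict[str, str]]:
    """One coverage-matrix row per source: owner, tiers, query path, restore
    process, and the investigation questions it serves."""
    return [{"source": s.name, "owner": s.owner,
             "answers": ",".join(sorted(s.answers)),
             "hot_days": str(s.hot_days), "archive_days": str(s.archive_days),
             "query_path": s.query_path or "NONE",
             "restore": "yes" if s.restore_documented else "no"} for s in sources]
```

In the sample inventory m365_audit ranks second even though nobody can query it; that is deliberate. The ranking reflects evidence value, and the findings list is what tells the owner to fix the query path and restore process for a high-value source before spending on retention for lower-value ones.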