As you learned in chapter 8, it’s important to have relevant data sources when detecting threats and investigating incidents. Relevant data sources provide the breadth and depth of data needed to detect potentially malicious activities and signs of compromise. However, even a relevant data source can contain data that is useful for your security operations alongside data that, well, is not really useful at all.
To ensure you have the right data from the relevant data sources, it’s important to understand the different log types that are available in Azure. These log types help you determine what data you need to collect and how long you need to keep it. The same goes for performance metrics.
In addition to collecting log data, you can collect specific performance metrics, such as the CPU usage of Azure virtual machines (VMs), which can be useful when investigating suspicious activities. These performance metrics can be used to create alerts that inform you when a specific threshold is breached, which might be indicative of suspicious activity.
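As an added illustration (not code from the book), the following Python evaluator mimics how a metric threshold alert works: at each evaluation time it aggregates the last few minutes of a VM's CPU metric and compares the result with a threshold. The CPU samples are constructed, and the window size and aggregation parameters are assumptions chosen to show why a windowed average suppresses isolated spikes while still catching sustained load.

```python
from datetime import datetime, timedelta

# Constructed sample of a VM's CPU percentage metric, one point per minute
# (timestamp, CPU percent). These are not real telemetry values.
CPU_SAMPLES = [
    ("2024-01-01T10:00:00", 12.0),
    ("2024-01-01T10:01:00", 15.0),
    ("2024-01-01T10:02:00", 97.0),   # isolated spike
    ("2024-01-01T10:03:00", 14.0),
    ("2024-01-01T10:04:00", 11.0),
    ("2024-01-01T10:05:00", 93.0),   # start of sustained high load
    ("2024-01-01T10:06:00", 95.0),
    ("2024-01-01T10:07:00", 98.0),
    ("2024-01-01T10:08:00", 96.0),
    ("2024-01-01T10:09:00", 99.0),
]


def evaluate_metric_alert(samples, threshold, window_minutes, aggregation="average"):
    """Return the evaluation timestamps at which the alert condition is met.

    At each sample time, the points from the preceding `window_minutes`
    (inclusive of the current point) are aggregated with `aggregation`
    ("average" or "max") and compared against `threshold`.
    """
    points = sorted((datetime.fromisoformat(ts), value) for ts, value in samples)
    window = timedelta(minutes=window_minutes)
    fired = []
    for now, _ in points:
        in_window = [v for ts, v in points if now - window < ts <= now]
        if aggregation == "average":
            aggregated = sum(in_window) / len(in_window)
        elif aggregation == "max":
            aggregated = max(in_window)
        else:
            raise ValueError(f"unsupported aggregation: {aggregation}")
        if aggregated > threshold:
            fired.append(now.isoformat())
    return fired


if __name__ == "__main__":
    # A 5-minute average above 90% fires only once the load is sustained.
    print(evaluate_metric_alert(CPU_SAMPLES, threshold=90, window_minutes=5))
    # A 1-minute max fires on the single spike as well as on every later point.
    print(evaluate_metric_alert(CPU_SAMPLES, 90, 1, aggregation="max"))
```

The 5-minute average fires only at 10:09, whereas the 1-minute max fires six times, including on the isolated spike at 10:02; choosing the window and aggregation is what separates a noisy alert from a useful one.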