Traditional security operations don't translate directly to the cloud. Resources are ephemeral, every change happens through an API, and the shared responsibility model leaves part of the telemetry with the provider, so detection, response, and forensics all need new approaches.
Cloud-Native SIEM
Azure Sentinel (now Microsoft Sentinel) ingests logs from Azure services, on-premises agents, and third-party sources into a Log Analytics workspace and queries them with KQL. For example, to find accounts with more than ten failed Windows logons (Security event 4625) in the last hour:
SecurityEvent
| where TimeGenerated > ago(1h)   // bound the search window
| where EventID == 4625           // failed logon
| summarize FailedLogins = count() by TargetAccount
| where FailedLogins > 10
Detection as Code
Store detection rules as files in version control so they get peer review, history, and CI validation like any other code. A Sentinel scheduled analytics rule for Azure AD (now Microsoft Entra ID) sign-ins looks like this in YAML:
name: Suspicious Azure AD Sign-in
description: Sign-ins that hit the MFA requirement (ResultType 50074) from outside the expected country.
severity: Medium
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
query: |
  SigninLogs
  // ResultType is a string column, so the value must be quoted
  | where ResultType == "50074"
  // Location is a country code; replace "US" with where your users actually sign in from
  | where Location != "US"
tactics:
  - InitialAccess
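Version control alone only gives you history; the value of detection as code comes from a CI job that rejects broken rules before they deploy. The linter below is an added example, not Sentinel tooling or the page's own code. It takes rules as the dicts that yaml.safe_load() would return for files like the one above, and checks the field names of Sentinel's scheduled-rule schema. The known-table set and the placeholder GUID are assumptions for the example.

```python
"""Lint Microsoft Sentinel analytics rules that live in version control.

Added example (not Sentinel tooling): the checks a CI job would run on every
rule file before it is deployed. Rules are shown as the dicts that
yaml.safe_load() would return for the YAML in the text; field names follow
Sentinel's scheduled-rule schema and tactic spellings follow the Sentinel
convention (ATT&CK tactic names without spaces).
"""
from __future__ import annotations
import re

REQUIRED = ("name", "query", "severity", "tactics")
RECOMMENDED = ("id", "description", "queryFrequency", "queryPeriod",
               "triggerOperator", "triggerThreshold")
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
}
# Tables this linter accepts as a query's first token (assumption; extend per workspace).
KNOWN_TABLES = {"SigninLogs", "AuditLogs", "SecurityEvent", "AzureActivity"}
# SigninLogs.ResultType is a string column; comparing it to a bare number fails at run time.
UNQUOTED_RESULTTYPE = re.compile(r"\bResultType\s*[!=]=\s*\d")


def lint_rule(rule: dict) -> list[str]:
    """Return a list of findings; an empty list means the rule passes."""
    findings = []
    for key in REQUIRED:
        if key not in rule or rule[key] in (None, "", []):
            findings.append(f"error: missing required field '{key}'")
    for key in RECOMMENDED:
        if key not in rule:
            findings.append(f"warning: missing recommended field '{key}'")

    severity = rule.get("severity")
    if severity is not None and severity not in SEVERITIES:
        findings.append(f"error: severity '{severity}' not in {sorted(SEVERITIES)}")

    for tactic in rule.get("tactics") or []:
        if tactic not in TACTICS:
            findings.append(f"error: unknown tactic '{tactic}'")

    query = rule.get("query") or ""
    # Naive comment strip: drops '//' to end of line, good enough for rule files.
    lines = [ln.split("//")[0].strip() for ln in query.strip().splitlines()]
    lines = [ln for ln in lines if ln]
    if lines:
        table = lines[0].split()[0]
        if table not in KNOWN_TABLES:
            findings.append(f"error: query starts with unknown table '{table}'")
        if not any(ln.startswith("| where") for ln in lines):
            findings.append("warning: query has no filter; it will match every row")
        if UNQUOTED_RESULTTYPE.search(query):
            findings.append("error: ResultType is a string column; quote the value")
    return findings


def lint_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Lint many rules; CI fails the build if any finding starts with 'error'."""
    return {r.get("name", "<unnamed>"): lint_rule(r) for r in rules}


def has_errors(report: dict[str, list[str]]) -> bool:
    return any(f.startswith("error") for fs in report.values() for f in fs)


# Constructed rules: the page's rule as it should be, and a broken variant.
GOOD_RULE = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder GUID for the example
    "name": "Suspicious Azure AD Sign-in",
    "description": "MFA-required sign-ins from outside the expected country.",
    "query": 'SigninLogs\n| where ResultType == "50074"\n| where Location != "US"\n',
    "severity": "Medium",
    "tactics": ["InitialAccess"],
    "queryFrequency": "PT1H", "queryPeriod": "PT1H",
    "triggerOperator": "gt", "triggerThreshold": 0,
}
BAD_RULE = {
    "name": "Broken rule",
    "query": "SigninLogs\n| where ResultType == 50074\n",  # unquoted string compare
    "severity": "Critical",                                 # not a Sentinel severity
    "tactics": ["Initial Access"],                          # wrong spelling for Sentinel
}

if __name__ == "__main__":
    report = lint_rules([GOOD_RULE, BAD_RULE])
    for name, findings in report.items():
        print(name, "->", findings or ["ok"])
    raise SystemExit(1 if has_errors(report) else 0)
```

Run it as a pre-merge step over every rule file; the non-zero exit on any "error" finding is what blocks the merge, while "warning" findings surface in the job log without failing it.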
Automation and SOAR
Automate response to common scenarios, and gate every containment step on the context you gathered so a playbook cannot lock out the wrong account. A typical flow:
- Alert triggers (an analytics rule fires and opens an incident)
- Playbook executes (a Logic App or similar automation runs against the incident)
- Context gathered (user role, source network, recent activity, asset owner)
- Containment applied (revoke sessions, require MFA re-registration, disable the account, isolate the host) only when the context justifies it
- Ticket created (always, recording what was done automatically and why)
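The five steps above, as an added example that models a playbook for the failed-sign-in alert from the SIEM section. It is not a Logic Apps export or any vendor's playbook; the directory lookup, the corporate IP allowlist, the threshold, and the ticket fields are constructed for the example. What it shows is the part that is easy to skip when automating: containment is decided from context, the emergency-access account is never touched by automation, and every path ends in a ticket.

```python
"""Playbook for a 'repeated failed sign-ins' alert, as an added example.

Not a Logic Apps export or any vendor's playbook: a constructed model of the
five steps in the text with the guardrails a SOC wants before letting
automation contain an identity. The directory, IP allowlist, threshold, and
ticket format are assumptions for the example.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Constructed context sources (stand-ins for an identity directory and a
# network allowlist lookup).
DIRECTORY = {
    "jdoe": {"privileged": False, "break_glass": False},
    "admin-ops": {"privileged": True, "break_glass": False},
    "breakglass1": {"privileged": True, "break_glass": True},
}
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
FAILED_LOGIN_THRESHOLD = 10


@dataclass
class Alert:
    rule: str
    account: str
    source_ip: str
    failed_logins: int


@dataclass
class PlaybookResult:
    context: dict
    actions: list[str] = field(default_factory=list)
    escalate: bool = False
    ticket: dict | None = None


def gather_context(alert: Alert) -> dict:
    """Step 3: enrich the alert with what an analyst would look up by hand."""
    user = DIRECTORY.get(alert.account, {"privileged": False, "break_glass": False})
    ip = ipaddress.ip_address(alert.source_ip)
    return {
        "privileged": user["privileged"],
        "break_glass": user["break_glass"],
        "from_corp_network": any(ip in net for net in CORP_NETWORKS),
        "over_threshold": alert.failed_logins >= FAILED_LOGIN_THRESHOLD,
    }


def decide_containment(ctx: dict) -> tuple[list[str], bool]:
    """Step 4: choose actions. Returns (actions, escalate_to_human)."""
    if ctx["break_glass"]:
        # Never let automation lock out the emergency-access account.
        return [], True
    if ctx["from_corp_network"] and not ctx["privileged"]:
        # Most likely a user mistyping a password on the LAN; no containment.
        return [], False
    if ctx["over_threshold"]:
        actions = ["revoke_sessions", "require_mfa_reregistration"]
        if ctx["privileged"]:
            actions.append("disable_account")
        return actions, ctx["privileged"]
    return [], False


def run_playbook(alert: Alert) -> PlaybookResult:
    """Steps 1-5 end to end; every path ends with a ticket (step 5)."""
    ctx = gather_context(alert)                     # steps 1-3
    actions, escalate = decide_containment(ctx)     # step 4
    result = PlaybookResult(context=ctx, actions=actions, escalate=escalate)
    result.ticket = {                               # step 5
        "title": f"{alert.rule}: {alert.account} from {alert.source_ip}",
        "severity": "High" if escalate else "Medium",
        "actions_taken": list(actions),
        "needs_human": escalate,
    }
    return result


if __name__ == "__main__":
    for a in (Alert("FailedLogins", "jdoe", "198.51.100.7", 25),
              Alert("FailedLogins", "jdoe", "203.0.113.9", 25),
              Alert("FailedLogins", "breakglass1", "198.51.100.7", 40)):
        r = run_playbook(a)
        print(a.account, r.actions, "escalate" if r.escalate else "")
```

The decision table is deliberately small and explicit; in a real SOAR platform the same branches become conditions in the playbook, and each automated action should be idempotent so a re-run of the playbook on the same incident does not double-apply containment.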
Cloud Forensics
When an incident happens, cloud evidence is perishable and partly outside your control:
- Preserve logs before retention expires: export the relevant tables to immutable storage as soon as the incident window is known, since default workspace retention is often only 30 to 90 days
- Snapshot affected resources (disks, VMs, configuration) before remediation changes them, and restrict access to the snapshots
- Document the timeline in UTC; sources log in different time zones and formats, and a mis-ordered timeline misleads the investigation
- Coordinate with the cloud provider when evidence lives below your layer of the shared responsibility model, such as hypervisor or platform-service logs you cannot read yourself
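Three of those steps have a mechanical core that is worth scripting in the first hour of an incident: working out which tables will age out first, merging timestamps from different sources into one UTC timeline, and hashing exported evidence. The block below is an added example with stdlib code only, not provider tooling; the table names, retention periods, events, and files are constructed for the example.

```python
"""Evidence triage for a cloud incident, as an added example.

Not provider tooling: stdlib code for three steps from the text.
(1) rank log tables by how soon the incident window ages out of retention,
(2) merge events logged in different time formats into one UTC timeline,
(3) hash exported evidence into a manifest for chain of custody.
Table names, retention periods, events, and files are constructed.
"""
from __future__ import annotations
import hashlib
from datetime import datetime, timedelta, timezone


def preservation_deadlines(tables: dict[str, int], incident_start: datetime,
                           now: datetime) -> list[tuple[str, int]]:
    """Days left before the earliest incident data in each table is purged.

    tables maps table name -> retention in days. Negative means already gone.
    Sorted most urgent first so the export job knows what to pull first.
    """
    incident_start = incident_start.astimezone(timezone.utc)
    now = now.astimezone(timezone.utc)
    out = []
    for name, days in tables.items():
        purge_at = incident_start + timedelta(days=days)
        out.append((name, (purge_at - now).days))
    return sorted(out, key=lambda t: t[1])


def to_utc(ts: str | int | float) -> datetime:
    """Normalize the timestamp formats cloud sources actually emit."""
    if isinstance(ts, (int, float)):                  # epoch seconds
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    s = ts.strip()
    if s.endswith("Z"):                               # RFC 3339 'Z' suffix
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)                    # handles +HH:MM offsets
    if dt.tzinfo is None:                             # naive: assume UTC (document this)
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def build_timeline(events: list[dict]) -> list[dict]:
    """Return events ordered by UTC time, each tagged with source and summary."""
    rows = [{"time": to_utc(e["time"]), "source": e["source"],
             "summary": e["summary"]} for e in events]
    return sorted(rows, key=lambda r: r["time"])


def evidence_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of each exported artifact; record it with who exported it and when."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


# Constructed incident: first suspicious sign-in 25 days before "now".
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
INCIDENT_START = NOW - timedelta(days=25)
TABLES = {"SigninLogs": 30, "AuditLogs": 30, "SecurityEvent": 90, "AzureActivity": 90}
EVENTS = [  # same day, three different timestamp conventions
    {"time": "2024-04-25T14:03:00Z", "source": "SigninLogs", "summary": "50074 from 198.51.100.7"},
    {"time": 1714054200, "source": "vm-syslog", "summary": "sshd accepted publickey"},
    {"time": "2024-04-25T10:05:00-04:00", "source": "AzureActivity", "summary": "Role assignment created"},
]
FILES = {"signinlogs.json": b'{"constructed": true}', "disk-snapshot.vhd": b"\x00" * 16}

if __name__ == "__main__":
    for table, days_left in preservation_deadlines(TABLES, INCIDENT_START, NOW):
        print(f"{table:14s} {days_left:3d} days until incident data is purged")
    for row in build_timeline(EVENTS):
        print(row["time"].isoformat(), row["source"], row["summary"])
    print(evidence_manifest(FILES))
```

The constructed events make the timezone point concrete: read naively, the AzureActivity entry at 10:05 looks like the first thing that happened, but once normalized it sits between the sign-in and the SSH login. The manifest hashes are what you later compare against the stored copies (and record in the case notes) to show the evidence was not altered.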