Multi-Cloud Logging Strategy: Controlling SIEM Costs Without Detection Gaps

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Cloud log volume scales with workload count, not with security signal. A single autoscaling group can produce more VPC flow log data in a day than your entire on-prem firewall fleet did in a month, and your SIEM vendor will happily ingest all of it. By the time finance asks why the security data bill tripled, the architecture is sunk-cost; nobody wants to be the engineer who turned off a log and missed the breach.
The answer is not to ingest everything and tier later; the answer is to be deliberate about what goes into hot SIEM storage, what goes into cheap object storage for retrospective hunting, and what gets transformed or dropped at source. This guide walks through the practical decisions for AWS, Azure, and GCP, with specific log sources, filtering patterns, and the non-negotiable signals that must always reach the SIEM regardless of cost.
Assume you are paying $2 to $5 per GB ingested (Sentinel, Splunk, Chronicle, Sumo). The math changes how you architect, not just how you tune.
AWS: CloudTrail, Config, and GuardDuty vs Raw Flow Logs
CloudTrail management events are the highest-signal AWS log source; ingest all of them into the SIEM, organization-wide, with a 12 month minimum retention. Data events (S3 object-level, Lambda invocations, DynamoDB) are 10 to 100 times the volume and should be selective: enable S3 data events only on buckets tagged sensitive=true or in production, enable Lambda data events only for functions with IAM roles granting cross-account or sensitive permissions. Use CloudTrail Lake for the long-tail data events at $2.50/GB ingested but $0.005/GB scanned, which is far cheaper than SIEM hot storage for events you query monthly rather than daily. AWS Config is low volume and high signal for resource configuration drift; ingest the configuration item snapshots and rule compliance events. GuardDuty findings are pre-correlated detections and should go straight to the SIEM as alerts, not as raw logs. VPC Flow Logs are where most teams hemorrhage budget: a busy production VPC can emit 500 GB per day. Send VPC Flow Logs to S3 (not directly to SIEM), use Athena or a Kinesis Firehose with a Lambda transform to filter to only REJECT records plus ACCEPT records to/from external IPs, and only ingest the filtered subset. Keep the raw logs in S3 with a 90 day lifecycle to Glacier for incident response.
Azure: Diagnostic Settings Tiers and What to Enable
Azure diagnostic settings are configured per-resource and per-category, which means an Azure environment with 5000 resources has roughly 25,000 logging decisions to make. Use Azure Policy to enforce diagnostic settings by resource type so the decision is made once. The non-negotiable categories: Azure Activity Log (all subscriptions, all categories, 100% to Sentinel; this is your CloudTrail equivalent), Entra ID Sign-in Logs and Audit Logs (these are not in Activity Log, configure under Entra ID > Diagnostic settings), Microsoft 365 audit log via the Office 365 connector (UAL), Key Vault AuditEvent, Storage Account StorageRead/StorageWrite for sensitive accounts only, SQL Database SQLSecurityAuditEvents. Network Security Group flow logs and Azure Firewall logs are the volume problem; route them to a Log Analytics workspace in the Basic Logs tier ($0.65/GB ingested, 8 day retention, limited query) and only summarize aggregated denials into the analytics workspace. For Defender for Cloud, alerts should go to Sentinel; the underlying recommendations and assessments should stay in Defender and be queried via the API rather than ingested. Use Sentinel's commitment tiers (100 GB/day, 300 GB/day, etc.) for a 20 to 50% discount once volume is stable.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
GCP: Admin Activity vs Data Access Audit Logs
GCP Cloud Audit Logs split into four streams: Admin Activity (always on, free), System Event (always on, free), Data Access (off by default, billable), and Policy Denied (off by default, billable). Admin Activity is the equivalent of CloudTrail management events and must be exported to your SIEM via a Pub/Sub log sink for all projects in the organization. Configure the sink at the organization or folder level, not per-project, or you will miss new projects. Data Access logs are off by default for good reason: enabling them on BigQuery, Cloud Storage, or Cloud SQL can produce tens of TB per day. Enable Data Access DATA_READ and DATA_WRITE only on projects tagged sensitive, and within those projects only on the specific services where you need read auditability. For Cloud Storage, prefer Storage Audit Logs filtered to administrative actions plus reads of buckets with specific labels. VPC Flow Logs in GCP are configured per-subnet and sampled by default (0.5 to 1.0 sample rate); keep the sample rate low (0.1) for non-sensitive subnets and 1.0 for DMZ or PCI subnets. Pipe everything through a Pub/Sub topic with a Dataflow filter job before sending to the SIEM.
Pre-Ingestion Filtering: Lambda, Event Hub, and Pub/Sub Transforms
The cheapest log is the one you never ingest. In AWS, the pattern is CloudWatch Logs > Kinesis Firehose > Lambda transform > S3 or HTTP endpoint to SIEM. The Lambda transform receives a batch of records, applies filters, and returns only the matching records. Typical filters: drop AWS service principals from CloudTrail (eventSource ends with .amazonaws.com and userIdentity.type = AWSService) except for assumeRole events, drop healthcheck and metadata service calls (userAgent contains 'aws-internal'), drop expected scheduled events (eventName = DescribeInstances from known automation roles). In Azure, use an Event Hub between the diagnostic setting and Sentinel for high-volume sources, with an Azure Function consumer that filters before forwarding via the Sentinel REST API. In GCP, Pub/Sub with a Dataflow streaming pipeline does the same job; the Apache Beam SDK supports stateful filtering, which is useful for deduplicating retry storms. Document every filter rule in source control (Terraform module or similar) and tag with a justification and a review date. A filter that drops 95% of volume and saves $50k a month is also a single line of code an attacker would love to add.
Tiered Storage: Hot SIEM vs Warm Lake vs Cold Archive
Adopt a three-tier model. Hot tier: 30 to 90 days in the SIEM, fully indexed, used for active detection and recent incident response. This is the most expensive storage and should only contain logs that drive real-time detections or are queried multiple times a week. Warm tier: 6 to 24 months in a data lake (Snowflake, AWS Security Lake, Azure Data Explorer, Google BigQuery, or Splunk Smart Store). Queries are slower (seconds to minutes) but cost is 5 to 20 times lower per GB. Use the warm tier for retrospective hunts, compliance queries, and incidents that turn out to have a long dwell time. Cold tier: 2 to 7 years in object storage with Glacier or Archive storage class, compressed and partitioned by date. Cost is roughly $0.001/GB/month but retrieval takes hours. Use cold for compliance retention floors (SOX, HIPAA, PCI 1 year minimum, varies by jurisdiction). The transitions are not just storage tier changes; design the schema so the warm and cold tiers are queryable by the same field names as the hot tier (use OCSF or ECS as the common schema). Otherwise an analyst pivoting from a SIEM alert to a 6 month lookback hits a schema wall.
What to Never Drop, Regardless of Cost
Some events must reach the SIEM no matter what the volume looks like, because they are the only record of the highest-impact attacker behaviors. IAM events: every IAM policy change, role creation, access key creation, and cross-account assumption in AWS; every Entra ID role assignment, application consent grant, and conditional access policy change in Azure; every IAM policy binding and service account key creation in GCP. Authentication events: every sign-in success and failure for human and service identities, including the IP, user agent, and authentication method. Cross-account, cross-tenant, and cross-project calls: anything that crosses a trust boundary is high-signal and low-volume relative to total log volume. KMS and Key Vault operations: encryption key access, deletion, and rotation events; these are the canary for ransomware in cloud environments. Resource deletion events: any DeleteBucket, DeleteVM, DeleteDatabase, especially when issued by a non-automation principal. Build a quarterly review where the security team and the cloud platform team confirm these categories are still flowing end-to-end with a synthetic test event in each cloud.
The bottom line
Treat cloud logging as a portfolio of decisions, not a checkbox. The IAM and authentication events are non-negotiable hot-tier ingestion; flow logs, data access logs, and metadata service calls belong in cheaper tiers or filtered out entirely. Build the filtering in code, in source control, with named justifications, and review it every quarter.
The target metric is detection coverage per dollar, not log volume. If you can move from 60% of SIEM cost being cloud noise to 25% being high-signal cloud events, you have bought yourself the budget for the next year of detection engineering.
Frequently asked questions
Should we use the cloud-native SIEM (Sentinel for Azure, Security Lake for AWS) or a third-party?
Use both, deliberately. The cloud-native tools are cheap or free for first-party log ingestion (CloudTrail to Security Lake, Azure Activity Log to Sentinel within the same tenant) and they have purpose-built detections for cloud-native attacks. Use the third-party SIEM for the correlated view across clouds, on-prem, identity, and endpoint. The pattern is: native tool ingests and runs cloud-specific detections, then forwards alerts and a subset of high-signal logs to the enterprise SIEM. Avoid the trap of ingesting every cloud log into the enterprise SIEM only because that's the platform of record.
How do we measure detection coverage across cloud log sources?
Map your detection rules to MITRE ATT&CK Cloud Matrix tactics and techniques, then verify that each rule's required log source is reaching the SIEM. Use Atomic Red Team for AWS, Stratus Red Team, or PurpleSharp Cloud to execute the techniques and confirm the detection fires end-to-end. Track two metrics: percentage of ATT&CK Cloud techniques with at least one detection, and mean detection latency from event to alert. Run the test suite monthly in a non-production tenant or subscription so you catch silent failures in log delivery.
What about Kubernetes audit logs on EKS, AKS, and GKE?
Kubernetes audit logs are extremely verbose by default. Configure the audit policy to log Metadata level for most resources, Request level for secrets and configmap access, and RequestResponse only for impersonation and exec/attach events. On EKS, enable control plane logging selectively (api, audit, authenticator). On AKS, configure diagnostic settings on the AKS resource for kube-audit-admin (not kube-audit, which includes read calls). On GKE, use the Cloud Logging audit log integration with a workload-identity-scoped sink. Pipe to a Kubernetes-aware data lake or SIEM with parsers for the audit log JSON; raw ingestion without parsing burns volume without delivering queryable signal.
How do we handle logs from SaaS apps that sit alongside our cloud workloads?
Treat SaaS logs as a separate stream with their own connectors: Microsoft 365 UAL, Google Workspace audit, Okta system log, Salesforce event monitoring, GitHub audit log, Slack audit log. These are usually low to medium volume and high signal, so ingest in full to the hot SIEM tier. Use the SIEM vendor's prebuilt connectors where they exist; for SaaS apps without a native connector, the Push API or a webhook to a Lambda/Function endpoint that posts to the SIEM HTTP collector is the standard pattern. SaaS-side rate limits will be your operational constraint, not log volume.
Is AWS Security Lake worth the migration effort?
If you are already using OCSF or planning to, yes; Security Lake normalizes AWS-native logs to OCSF and charges $0.75 per GB ingested with Glue and Athena charged separately, which is significantly cheaper than third-party SIEM ingestion for the same data. The migration effort is real: detection rules written against raw CloudTrail JSON have to be rewritten against the OCSF schema. The win is that downstream consumers (your SIEM, your data science team, a future XDR vendor) all consume the same schema, which compounds the longer you run the architecture. Pilot with CloudTrail and Route 53 query logs first; expand to VPC flow logs once the team is comfortable with the partitioning and query patterns.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
