Logging, Alerting, and Detection Ownership

Logging, alerting, and detection ownership begins where raw telemetry becomes an operational program. Providers may offer log sources, analytics tools, and managed monitoring features, but customers still decide what to collect, where to route it, how long to retain it, what constitutes suspicious behavior, and which team is responsible for responding when an alert fires.

This matters because “the logs exist somewhere” is not the same as having usable detection coverage. A customer can run entirely on managed services and still miss a critical incident because the wrong logs were disabled, retained too briefly, never routed into a central pipeline, or never tied to actionable alert logic.

The operational flow usually looks like this:

    flowchart LR
	    A["Identity, audit, workload, network, and data logs"] --> B["Central routing and retention pipeline"]
	    B --> C["Detection rules and alerting"]
	    C --> D["SOC, SRE, or on-call team"]
	    D --> E["Triage and escalation"]

What to notice:

• logging is not done when the event is emitted; it is done when the event can be retained, searched, and acted on
• alerting belongs to the customer because the customer defines risk tolerance, critical assets, and escalation paths
• response quality depends on the whole pipeline, not on any single log source

What Customers Usually Own

Customer-owned logging and detection responsibilities often include:

• enabling relevant audit, identity, workload, and data-access logs
• routing logs into a central analytics or security platform
• defining retention and immutability rules
• writing alert logic for abuse, misconfiguration, and suspicious behavior
• assigning triage ownership and escalation paths
• reviewing alert quality so noisy rules do not become ignored rules

Provider tooling helps with the mechanics. It does not decide which business events matter to the customer or which detections are strong enough for that environment.

A Practical Detection Pipeline

 1logging_program:
 2  sources:
 3    - cloud_audit
 4    - identity_signin
 5    - workload_application
 6    - network_edge
 7    - data_access_for_sensitive_stores
 8  routing:
 9    destination: security-lake
10    immutable_archive_days: 365
11  detections:
12    - name: privileged_role_assigned
13      severity: high
14    - name: impossible_travel_signin
15      severity: medium
16    - name: sensitive_table_export
17      severity: high
18  owners:
19    pipeline: security-platform
20    triage: security-operations
21    workload_log_quality: application-team

What this demonstrates:

• detection ownership is broader than “turn logging on”
• retention, routing, and triage ownership are part of the control
• provider features still need customer-defined use cases and owners

Why Provider Tooling Does Not Replace Operations

Cloud platforms often make it easy to click a box and enable a logging feature. That can create a false sense of completion. Detection is not complete until someone has decided which signals indicate abuse, how urgently they matter, and who will investigate them. Without that operational layer, the customer has observability data but not detection capability.

Common Mistakes

• enabling logs without routing them to a searchable or retained destination
• keeping default retention that is too short for investigation or audit needs
• writing only availability alerts and skipping identity, privilege, and data-use detections
• assigning alert ownership vaguely across platform, security, and application teams

Design Review Question

A company says its detection program is covered because the cloud platform can emit logs for identity, audit, and storage access. The company has not centralized those logs, built alert rules for sensitive actions, or assigned a team to investigate them. Is that a strong control posture?

No. The stronger answer is that provider log sources are only inputs. The customer still owns routing, retention, alert design, triage, and investigation if it wants those signals to become real security controls.

Check Your Understanding