WADWindowsEventLogsTable is the most interesting table for incident response and forensics, as it contains the Windows event logs. This is a great opportunity to obtain operating system logs without the need to log in the virtual machine itself.

Azure automatically creates a network security group (NSG) when you create a virtual machine: <name of machine>-nsg, unless an existing one is specified. After creating NSG rules, flow logs can be created. Flow logs are the source of truth for all network activity in your cloud environment and are a "must have" for any investigation.

Azure role-based access control (RBAC) lets you manage who has access to what resource and what they can do with that resource. Azure RBAC is an authorization system built on Azure Resource Manager. To control access to resources, you create role assignments. There are three elements to a role assignment:

1. Security principal – An object representing an entity such as a user or group, which can access the resource
2. Role definition – A collection of permissions such as read, write, and delete
3. Scope – Specifies which role can access a resource or resource group; scopes can be specified at four levels: management group, subscription, resource group, resource

While the portal is convenient for a quick search, it is very limited. The real power is in the Log Analytics workspace. The best solution is to send most relevant log types, including Azure Active Directory (AAD) logs, to the Log Analytics workspace. This provides a single location to see all your logs, which is very convenient.

For the AAD logs, you will need to complete the following steps in the Azure portal:

• Step 1: Search for and select the "Azure Active Directory" service
• Step 2: On the left menu, select "Diagnostic settings"
• Step 3: Select "Add diagnostic setting"

The user_principal_name field includes the Azure Active Directory (AAD) name of the login user, which is critical to include in detection methods but also useful for identifying the account used for specific actions.

When creating a snapshot, you can pick the cheapest standard HDD storage option. There is no need for a premium SSD because you will not be running forensic tools against the snapshot directly.

There are a large number of actions tracked in the operationName field in the StorageRead log, but for the purpose of tracking data exfiltration, you should focus on the GetBlob operation.