A Bright Future for Forensic Analysis

A key element of Change Audit is getting good data in:

A problem faced by many security teams is making sense of all the signal data collected from their security tools. The risk with “tuning monitoring down” is that you often end up throwing away data that can be critical in forensic analysis, but with “keeping the volume up” you face the challenge of spotting interesting outliers in the data.

I weigh in on the Tripwire.com blog about what's useful. Check it out here: https://www.tripwire.com/state-of-security/bright-future-forensic-analysis