
I've been a fan of Security Onion for a while. Richard Bejtlich's book "Practice of Network Security Monitoring" discusses setting it up and how to incorporate it into an operations center's routine.

Notably, Security Onion and other tools are very difficult to use in cloud environments where you don't control the network! There are ways of getting a sensor access to the relevant traffic, but they require careful architecture. Even when set up properly, encrypted traffic defeats much of the deep packet inspection-based monitoring.




Do you have any other resources to point me toward describing how you would set something like this up in a cloud environment? Are there other tools better suited for cloud environments?


SANS has a slightly dated paper ([1]) about setting up this sort of thing that gives a flavor for how it can work.

I think AWS's VPC Flow Logs are the foundation for better tools (disclaimer, my company develops these tools - [2]). I hope Azure and others follow suit.

[1] https://www.sans.org/reading-room/whitepapers/cloud/security...

[2] https://observable.net/blog/vpc-flow-logs-virtual-private-cl...
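As an added illustration of what a flow-log-based tool works from (this is example code written for this thread, not the commenter's product or Observable's code): the script below parses AWS VPC Flow Log records in the documented version-2 default format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), tolerates NODATA/SKIPDATA records, and flags sources whose REJECTed flows touched many distinct destination ports on the monitored interface. The account id, interface id, addresses and timestamps in the sample are constructed, and the `min_ports` threshold is an arbitrary choice for the example. Note what the records do not carry: no payload, so this is the metadata-only view the thread contrasts with deep packet inspection.

```python
"""Parse AWS VPC Flow Log (version 2, default format) records and report
sources whose REJECTed flows reached many distinct destination ports.
All sample records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Field order of the version-2 default VPC Flow Log record (AWS documented format).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: Optional[int]
    end: Optional[int]
    action: Optional[str]      # ACCEPT / REJECT, or None on NODATA/SKIPDATA
    log_status: str            # OK / NODATA / SKIPDATA


def parse_record(line: str) -> FlowRecord:
    """Parse one whitespace-separated flow log record; '-' means field absent."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            values[name] = None
        elif name in INT_FIELDS:
            values[name] = int(raw)
        else:
            values[name] = raw
    return FlowRecord(**values)


def rejected_port_sweeps(records: Iterable[FlowRecord], min_ports: int = 4) -> Dict[str, List[int]]:
    """Map srcaddr -> sorted destination ports for sources whose REJECTed
    flows hit at least `min_ports` distinct ports (a coarse sweep indicator)."""
    ports = defaultdict(set)
    for r in records:
        if r.log_status != "OK" or r.action != "REJECT":
            continue            # skip records that carry no usable flow data
        ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one source probing five ports (all rejected), one
# normal client with an accepted HTTPS flow and a single rejected SSH
# attempt, and one NODATA record with no flow fields.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.50 10.0.2.10 40211 22 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.50 10.0.2.10 40212 23 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.50 10.0.2.10 40213 80 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.50 10.0.2.10 40214 443 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.1.50 10.0.2.10 40215 3389 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.3.7 10.0.2.10 51022 443 6 12 2960 1700000000 1700000030 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60789 10.0.3.7 10.0.2.10 51023 22 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60789 - - - - - - - 1700000000 1700000030 - NODATA
"""


def analyze(text: str, min_ports: int = 4) -> Dict[str, List[int]]:
    """Parse a block of flow log text and return the flagged sources."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return rejected_port_sweeps(records, min_ports)


if __name__ == "__main__":
    for src, hit_ports in analyze(SAMPLE_LOG).items():
        print(f"{src}: REJECTed flows to {len(hit_ports)} distinct ports {hit_ports}")
```

In a real deployment the records would come from the flow log's CloudWatch Logs group or S3 bucket rather than an inline string, and the threshold would be tuned per environment; the 10.0.3.7 client with a single rejected port is deliberately below it so it is not reported.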


In fact, Azure Security Center does quite a lot of threat and malicious traffic analysis. OMS is going to be rather interesting as it matures as well.



