Threat Detection, Logging & SIEM in Cloud
Cloud logging fundamentals, SIEM platforms, native threat detection services, and detecting real attacks through log analysis.
Learning Outcomes
- Identify key log sources for security monitoring across AWS, Azure, and GCP
- Understand SIEM platforms: Microsoft Sentinel, Splunk, and native cloud detection
- Detect common cloud attack patterns through log analysis
- Triage cloud security alerts effectively using priority frameworks
Cloud Logging & Threat Detection
Cloud Log Sources — Three Clouds
| Log Source | Cloud | What It Captures |
|---|---|---|
| CloudTrail | AWS | All API calls (management plane): who called what API, when, from where. The primary forensic log in AWS. |
| CloudWatch Logs | AWS | Application logs, OS logs, Lambda logs, VPC Flow Logs — operational/application plane. |
| VPC Flow Logs | AWS | Network traffic metadata (src IP, dst IP, port, protocol, accept/reject) — no payload. |
| Azure Activity Log | Azure | Control plane events: resource creation, deletion, configuration changes across Azure subscriptions. |
| Azure Resource Diagnostic Logs | Azure | Data plane logs for specific services (e.g., Azure SQL audit, Storage access, Key Vault operations). |
| Entra ID Sign-in Logs | Azure | All sign-in attempts, MFA events, Conditional Access outcomes, risk detections. |
| NSG Flow Logs | Azure | Network traffic metadata at NSG level — similar to AWS VPC Flow Logs. |
| Cloud Audit Logs | GCP | Admin Activity (default on), Data Access (off by default, very verbose), System Events. Equivalent to CloudTrail. |
| VPC Flow Logs | GCP | Network flow logs for GCP VPCs — enabled per subnet. |
SIEM Platforms for Cloud
| Platform | Type | Key Features |
|---|---|---|
| Microsoft Sentinel | Cloud-native SIEM/SOAR (Azure) | KQL queries, Analytics rules, Playbooks (Logic Apps), UEBA, Threat Intelligence, Workbooks, 200+ data connectors, pay-per-GB |
| Splunk Cloud | Cloud SIEM (multi-cloud) | SPL queries, Universal Forwarder, HEC ingestion, AWS/Azure/GCP apps, ML-based UEBA, SOAR (SIEM + Phantom) |
| AWS native stack | Detection services (not traditional SIEM) | GuardDuty (threat detection) + Security Hub (aggregation) + EventBridge (automation) + Detective (investigation) |
| Google Chronicle | Cloud-native SIEM (GCP) | Petabyte-scale log storage, UDM (Unified Data Model), YARA-L rules, VirusTotal integration, sub-second queries |
| Elastic SIEM | Open-source / cloud | EQL queries, detection rules, endpoint integration (Elastic Agent), self-hosted or Elastic Cloud |
Native Cloud Threat Detection
| Service | Cloud | How It Works | Example Findings |
|---|---|---|---|
| AWS GuardDuty | AWS | ML + threat intel on CloudTrail, VPC Flow, DNS logs — no agents, no configuration required | UnauthorizedAccess:IAMUser/ConsoleLoginSuccess, CryptoCurrency:EC2/BitcoinTool.B, Backdoor:EC2/C&CActivity |
| Azure Defender plans | Azure | Per-workload threat detection: Defender for Servers (MDE), SQL, Storage, Kubernetes, Key Vault, App Service | Possible SQL brute force, Suspicious VM activity, Sensitive Key Vault operation |
| GCP SCC Threat Detection | GCP | Event Threat Detection uses ML on Cloud Logging; Container Threat Detection for GKE runtime | Cryptomining, Brute force SSH, Data exfiltration, Outbound connections to known C2 |
Detecting Common Cloud Attacks via Logs
| Attack | Log Signal | Detection Logic |
|---|---|---|
| IAM Brute Force | CloudTrail ConsoleLogin | >10 failed logins from same IP in 5 min → alert |
| Privilege Escalation | CloudTrail AttachUserPolicy, CreateLoginProfile, AddUserToGroup | User grants themselves admin policy → alert |
| Data Exfiltration (S3) | S3 Access Logs / CloudTrail GetObject | Large volume GetObject from unknown external IP → alert |
| Crypto Mining | VPC Flow Logs outbound to known mining pools; CloudWatch CPU | EC2 connecting to stratum+tcp port 3333/4444 → alert |
| Impossible Travel | Entra ID Sign-in Logs / CloudTrail | Login from London then Tokyo within 30 min → physically impossible → alert |
| Lateral Movement | CloudTrail AssumeRole across accounts; VPC Flow Logs new connections | Role assumed in unexpected account; internal scanning → alert |
| Resource Hijacking | CloudTrail RunInstances with unusual instance types (GPU) | Sudden deployment of p3/g4 instances by non-ML team → alert |
CloudTrail vs CloudWatch — Key Distinction
What: API call audit log for the management plane
Captures: Who (IAM), What (API action), When, Where (IP), Resource
Use: Security forensics, compliance, detecting IAM abuse
Default retention: 90 days in console; unlimited via S3
What: Metrics, logs, alarms for the operational plane
Captures: Application logs, OS logs, Lambda output, custom metrics
Use: Operational monitoring, performance, custom security metrics
Alarms: Trigger SNS/Lambda on metric thresholds
Interview Questions & Model Answers
CloudTrail logs include:
- Management events: Control plane operations (create/modify/delete resources, IAM changes, console sign-ins) — enabled by default
- Data events: Data plane operations (S3 GetObject/PutObject, Lambda invocations, DynamoDB operations) — opt-in, high volume
- Insights events: Unusual API call rate or error rate patterns — anomaly detection
Default retention: 90 days in CloudTrail console. For long-term retention, configure a Trail to deliver to S3 (with optional S3 Glacier lifecycle for cheap archival).
| Aspect | CloudTrail | CloudWatch |
|---|---|---|
| Purpose | API audit — management plane | Operational monitoring — metrics + logs |
| What it captures | Who called which AWS API, when, from where | Application logs, metrics, custom data |
| Primary use | Security forensics, compliance, detecting IAM abuse | Performance monitoring, alerting, custom dashboards |
| Default on? | Yes (management events) | Metrics yes; logs must be configured |
| Example | "User Alice deleted S3 bucket at 3am from IP 1.2.3.4" | "Lambda function errored 50 times in 5 minutes" |
- Azure Monitor: The foundational monitoring platform for Azure — collects metrics and logs from Azure resources, VMs, applications, and custom sources. Provides Alerts, Dashboards, Log Analytics workspace (Kusto/KQL queries), Application Insights, and VM Insights. It's an operational monitoring tool — not a SIEM.
- Microsoft Sentinel: A cloud-native SIEM and SOAR platform built on top of Azure Monitor's Log Analytics. It adds security-specific capabilities: Analytics rules for threat detection, Security incidents, Playbooks (SOAR automation), UEBA, Threat Intelligence, Watchlists, and 200+ data connectors.
- Data connectors: 200+ connectors to ingest logs from AWS, GCP, Azure, M365, Syslog, CEF, custom APIs
- Log Analytics workspace: The underlying data store — all logs are ingested here and queried with KQL
- Analytics rules: KQL-based scheduled rules that run on ingested data and create Incidents when matched
- Incidents: Correlated groups of Alerts with severity, assignee, and investigation tools
- Workbooks: Interactive dashboards/reports built with KQL
- Playbooks: Logic Apps triggered by incidents for automated response (notify, block IP, disable user)
- UEBA: User and Entity Behaviour Analytics — baselines normal behaviour and flags anomalies
- Threat Intelligence: Integration with MISP, TI platforms, Microsoft TI — auto-enriches alerts with IOC context
- Watchlists: CSV-based reference lists (e.g., list of VIPs, known bad IPs) used in KQL queries
How it works:
- Ingests CloudTrail (management + S3 data events), VPC Flow Logs, DNS query logs, and EKS audit logs
- No agents required — reads logs from the AWS backend, zero performance impact
- Correlates with threat intel (known malicious IPs, Tor exit nodes, crypto mining domains, malware C2)
- Uses ML to establish baselines and detect anomalies (unusual API calls, unexpected regions)
Findings are sent to Security Hub, EventBridge, and an S3 bucket. EventBridge can trigger Lambda for auto-response.
| Aspect | SIEM (Sentinel/Splunk) | GuardDuty |
|---|---|---|
| Type | General-purpose log aggregation + detection | AWS-specific threat detection service |
| Data sources | Any log source (multi-cloud, on-prem, apps) | CloudTrail, VPC Flow, DNS, EKS only |
| Detection | Custom KQL/SPL rules + built-in rules | AWS-managed ML models + threat intel |
| Scope | Cross-platform correlation (AWS + Azure + endpoints) | AWS account only |
| SOAR | Built-in (Playbooks/Phantom) | Via EventBridge → Lambda (manual setup) |
| Cost | Per-GB ingested (expensive at scale) | Per-event analyzed (predictable, lower) |
- IAM/Identity logs: CloudTrail (AWS), Entra ID Sign-in Logs (Azure), Cloud Audit Logs (GCP) — detect credential compromise, privilege escalation, lateral movement
- Network flow logs: VPC Flow Logs (AWS), NSG Flow Logs (Azure), GCP VPC Flow Logs — detect exfiltration, C2 communication, lateral movement
- Management plane logs: CloudTrail, Azure Activity Log, GCP Admin Activity — detect configuration changes, resource creation
- Endpoint/VM logs: Windows Event Logs (4624, 4625, 4688, 4697), Linux auditd, Sysmon — detect malware execution, persistence
- Application logs: Web server access logs, application error logs — detect web attacks
- Storage access logs: S3 Server Access Logs, Azure Storage Analytics — detect data exfiltration from object storage
- DNS logs: Route 53 DNS query logs, Azure DNS — detect DNS tunneling, domain generation algorithms
- Unusual source IP or geolocation: Login from a country/region never seen before; TOR exit node; known malicious IP (match against threat intel)
- Unusual time: API calls at 3am when the user normally works 9-5
- New API actions: User calling APIs they've never used (e.g., CreateUser, AttachUserPolicy, RunInstances in unusual region)
- Privilege escalation patterns: AttachUserPolicy, CreateLoginProfile, AddUserToGroup — attacker trying to escalate or persist
- Reconnaissance: ListUsers, ListRoles, GetAccountAuthorizationDetails, DescribeInstances — attacker mapping the environment
- Unusual resource creation: EC2 instances in never-used regions, large instances (p3 for crypto mining)
- API errors: AccessDenied errors across many services — attacker probing permissions
Key operators:
| where— filter rows (like SQL WHERE)| project— select columns (like SQL SELECT)| summarize— aggregate (like SQL GROUP BY)| join— join tables on a key| extend— add computed columns| render— visualize as chart/table
SigninLogs | where ResultType != 0 | summarize FailCount=count() by UserPrincipalName, IPAddress | where FailCount > 10
Key SPL commands:
search/ keywords — filter events| stats count by field— aggregate and count| table field1 field2— display columns| where field > value— conditional filter| eval newfield = expression— computed fields| rex field=_raw— extract fields with regex| lookup— join against a lookup table (like threat intel IOC list)
index=aws sourcetype=cloudtrail eventName=ConsoleLogin | stats count by sourceIPAddress, userIdentity.userName | where count > 5
In Microsoft Sentinel UEBA:
- Builds a behavioural profile for each user/entity over a rolling time window
- Factors in: login times, locations, devices, applications accessed, data volumes, peer group comparison
- Generates entity pages: a unified view of all activity for a user/device across all connected data sources
- Creates anomaly alerts without needing pre-written rules — ML-driven
- Adds UEBA context to existing Analytics rule alerts (e.g., "this user's behaviour is unusual — peer group score: 98%")
- Helps detect insider threats: legitimate credentials used abnormally
- GuardDuty CryptoCurrency:EC2/BitcoinTool.B: EC2 instance making DNS queries or network connections to known crypto mining pools or software signatures
- VPC Flow Logs: Outbound connections to known mining pool domains/IPs (e.g., stratum+tcp:// on ports 3333, 4444, 14444)
- CloudWatch CPU metrics: EC2 instances running at sustained 90–100% CPU (GPU instances too if used for GPU mining)
- CloudTrail: Sudden deployment of many EC2 instances, especially GPU types (p3, g4) in unusual regions
- Cost anomaly: Sudden spike in AWS bill — Cost Anomaly Detection can alert on this
- Process-level (if agent): Known mining process names (xmrig, ethminer, nbminer) running on EC2
AWS:
- CloudTrail log file validation: each log file is signed with a SHA-256 HMAC — tampering is detectable even if the file is modified
- S3 Object Lock (WORM — Write Once Read Many): prevents deletion or overwrite for a specified retention period; compliance mode can't be overridden even by root account
- SCP to deny
s3:DeleteObjectandcloudtrail:DeleteTrailacross the organization
- Azure immutable blob storage: time-based or legal hold retention policies on storage accounts containing logs
- Azure Monitor Log Analytics workspace data retention lock
- Cloud Storage bucket lock (retention policy + locked bucket): prevents deletion of logs
- Cloud Audit Logs have tamper detection built in
Types of Analytics Rules:
- Scheduled: KQL query runs every X minutes/hours; create alerts if results exceed a threshold
- NRT (Near Real Time): Runs every minute — for high-urgency detections
- Microsoft Security: Auto-generates incidents from other Microsoft security products (Defender, Entra ID Protection)
- Anomaly: Built-in ML models from UEBA that generate alerts without KQL
- Fusion: ML-based correlation of multiple low-fidelity alerts into high-confidence multi-stage attack incidents
- Event source: GuardDuty finding, Security Hub finding, CloudTrail API call, Config rule violation, Health event
- Rule: Pattern match on the event (e.g., GuardDuty finding severity ≥ HIGH and type contains "CryptoCurrency")
- Target: Lambda (custom remediation), SNS (notification), SQS, Step Functions, Systems Manager Automation
- GuardDuty CryptoCurrency finding → EventBridge → Lambda → terminate EC2 instance + revoke IAM credentials
- Config rule violation (public S3 bucket) → EventBridge → Lambda → call
put_bucket_acl(private) - CloudTrail root login → EventBridge → SNS → PagerDuty alert to on-call SOC
- Security Hub CRITICAL finding → EventBridge → JIRA ticket creation via Lambda
Causes: overly broad detection rules, ingesting too many low-quality log sources, no tuning, using default rules without customisation.
Reducing alert fatigue:
- Tune detection rules: Add suppression for known-good IPs, service accounts, scheduled tasks that trigger false positives
- Alert grouping/deduplication: Group related alerts into a single Incident (Sentinel Fusion, Splunk ESCU correlation)
- Risk-based alerting: Score each alert by asset value × severity × confidence; only page on high-risk combinations
- UEBA for context: Add behavioural context so analysts can quickly assess if an alert is anomalous for that user
- Auto-close low-fidelity alerts: Use ML to auto-close alerts that match historical false positive patterns
- Tier-based routing: Low-severity → ticketing system; Critical → immediate page + auto-response
- Regular review: Weekly false positive analysis; retire rules with >90% FP rate
ThreatPurpose:ResourceTypeAffected/ThreatFamilyName
Three important examples:
- UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B — A console login from a previously unseen IP address or location, possibly using stolen credentials.
- CryptoCurrency:EC2/BitcoinTool.B — EC2 instance is communicating with a known bitcoin/crypto mining pool (pool domains/IPs). Indicates cryptojacking.
- Backdoor:EC2/C&CActivity.B!DNS — EC2 instance is making DNS queries to a known Command & Control domain. Indicates the instance may be part of a botnet or running malware.
- Recon:IAMUser/MaliciousIPCaller — API calls from a known malicious IP
- PrivilegeEscalation:IAMUser/AdministrativePermissions — User attempting to grant themselves admin access
- Exfiltration:S3/ObjectRead.Unusual — Unusual pattern of S3 data read activity
- InitialAccess:IAMUser/AnomalousBehavior — First-ever API call from an IAM entity from a new region
- GuardDuty Exfiltration:S3/ObjectRead.Unusual: ML-based detection of unusual GetObject patterns (new IP, high volume, unusual time)
- S3 Server Access Logs: Enable per-bucket and alert on: large number of GetObject requests from external IPs, access from TOR exit nodes, non-corporate source IPs accessing sensitive buckets
- CloudTrail S3 Data Events: Enable for sensitive buckets; alert on: GetObject from unusual principal, GetObject before a DeleteObject (copy-then-delete), cross-account access by unknown accounts
- VPC Flow Logs: High-volume outbound traffic from VPC resources (if using VPC endpoints for S3 access); data transfer to unexpected external IPs
- AWS Macie: Auto-discovers PII/sensitive data in S3 and alerts on access patterns inconsistent with data classification
- Cost monitoring: Sudden spike in S3 data transfer costs — data transfer out is charged; large exfiltration = large bill spike
Common playbook actions:
- Send Teams/Slack/email notification to SOC analyst
- Create a ServiceNow/Jira ticket with alert details
- Block a malicious IP in Azure Firewall or NSG
- Disable a compromised Azure AD user account
- Revoke all active sessions for a suspicious user
- Enrich the incident with VirusTotal, Shodan, or threat intel lookups
- Add a user to a conditional access block policy
- Isolate a VM by removing it from its NSG and placing it in a quarantine NSG
Option 1: Microsoft Sentinel as central SIEM
- AWS: AWS data connector (CloudTrail, GuardDuty, Security Hub via EventBridge → SQS → Sentinel connector)
- Azure: Native connectors (Activity Log, Entra ID, Defender for Cloud — one-click)
- GCP: GCP data connector (Pub/Sub → Log export → Sentinel connector)
- AWS: Splunk Add-on for AWS (S3-based CloudTrail, SQS for real-time, Kinesis)
- Azure: Splunk Add-on for Azure (Event Hub → Splunk)
- GCP: Splunk Add-on for GCP (Pub/Sub → Splunk)
- All clouds → centralized S3 bucket (cross-account) or Kafka/Kinesis → SIEM pull
- Better for normalization before SIEM ingestion; lower SIEM costs
Multiple Choice Questions
Cloud Log Source Identifier
Match each description to the correct cloud log source or service.
Threat Detection Scenario
Read each simplified log excerpt and identify the attack type being detected.
SIEM Platform Feature Matcher
Match each feature or capability to the correct SIEM platform.
Alert Priority Triage
Rate each security alert: Investigate Immediately, Investigate Soon, Monitor, or False Positive.
Module Complete!
You've finished Module 06: Threat Detection, Logging & SIEM in Cloud.