Cloud Services

Overview

Use cases for cloud services such as AWS, Azure, and Google Cloud that detect threats related to cloud-native activity, account compromise, compliance violations, and unauthorized access, based on the audit and activity logs those services emit.

Sample products

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • VMware Cloud
  • Microsoft Azure

Use Case Categories

Category | Description
--- | ---
Cloud Native Threat Detection | Focuses on detecting threats native to cloud environments by analyzing logs from cloud services. Alerts are triggered for suspicious activities, unauthorized access, or behaviors indicative of cloud-specific threats.
Account Compromise Detection | Monitors cloud services logs for signs of compromised accounts. Alerts are triggered for unusual login activities, multiple failed login attempts, or deviations from normal user behavior that indicate potential account compromise.
Cloud Access Anomaly Detection | Analyzes cloud services logs to identify anomalous access patterns. Alerts are triggered for deviations from normal access behavior, unexpected resource access, or patterns indicative of potential security incidents.
Compliance Violation Detection | Focuses on detecting violations of compliance standards within cloud services logs. Alerts are triggered for actions or configurations that deviate from established compliance requirements.
Cloud Storage Misconfiguration and Unsecured Data Storage Detection | Analyzes cloud services logs to identify misconfigurations and unsecured data storage instances. Alerts are triggered for open or improperly configured storage containers, unauthorized access to sensitive data, or changes in storage configurations.

Core Use Cases

Alert Name | Description
--- | ---
Unusual API Calls Detection | Monitors cloud services logs for unusual API calls. Alerts are triggered for API calls that deviate from normal patterns, indicating potential malicious activity.
Unexpected Resource Provisioning | Analyzes cloud services logs to identify unexpected resource provisioning. Alerts are triggered for instances of resource provisioning that are not in line with typical usage or deployment patterns.
Cloud-Specific Attack Behavior | Focuses on detecting behaviors indicative of cloud-specific attacks. Alerts are triggered for activities that match known cloud attack techniques, such as server-side request forgery (SSRF) or cloud-based exploitation.
Anomalous Data Exfiltration | Monitors cloud services logs for anomalous data exfiltration attempts. Alerts are triggered for unusual data transfer patterns, large-scale data transfers, or unexpected access to sensitive resources.
Unusual Login Activities Detection | Monitors cloud services logs for unusual login activities. Alerts are triggered for login attempts or activities that deviate from normal user behavior, indicating potential account compromise.
Multiple Failed Login Attempts | Analyzes cloud services logs for multiple failed login attempts. Alerts are triggered when a threshold of failed login attempts is reached within a specified time frame.
Abnormal User Resource Access | Focuses on detecting abnormal user resource access within cloud services logs. Alerts are triggered for users accessing resources outside their typical usage patterns or privilege levels.
Unusual Account Activity Patterns | Monitors cloud services logs for unusual account activity patterns. Alerts are triggered for deviations from normal account behaviors, indicating potential compromise or misuse.
Unauthorized Data Retrieval | Focuses on detecting unauthorized data retrieval attempts within cloud services logs. Alerts are triggered for activities attempting to retrieve data in an unauthorized or unexpected manner.
Unusual Geo-location Access | Monitors cloud services logs for unusual geo-location access. Alerts are triggered for access attempts from geographically unexpected locations, indicating potential unauthorized access.
Security Policy Violation | Focuses on detecting violations of security policies within cloud services logs. Alerts are triggered for actions or configurations that deviate from established security policies or compliance standards.
Non-Compliant Resource Provisioning | Analyzes cloud services logs for non-compliant resource provisioning. Alerts are triggered for instances of resource provisioning that violate established compliance requirements or security policies.
Sensitive Data Exposure | Monitors cloud services logs for potential sensitive data exposure events. Alerts are triggered for activities indicating unauthorized access, sharing, or exposure of sensitive data within the cloud environment.
Compliance Audit Trail Monitoring | Focuses on monitoring the compliance audit trail within cloud services logs. Alerts are triggered for anomalies or deviations in the audit trail that may indicate non-compliance with regulatory or industry standards.
Publicly Accessible Storage Detection | Analyzes cloud services logs for publicly accessible storage. Alerts are triggered for instances of storage being configured as public, potentially exposing sensitive data to unauthorized access.
Unusual Data Access Patterns | Monitors cloud services logs for unusual data access patterns. Alerts are triggered for activities that deviate from normal data access patterns, indicating potential data exfiltration or misuse.
Insecure Data Encryption Configuration | Monitors cloud services logs for insecure data encryption configurations. Alerts are triggered for instances where data encryption is inadequately configured, potentially exposing sensitive information.
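Two of the use cases above state their logic concretely enough to implement: "Multiple Failed Login Attempts" (a threshold within a time frame) and "Publicly Accessible Storage Detection" (a storage container configured as public). The block below is an added example of both rules run over constructed sample events; it is not code from the page or from any SIEM product. The event schema (`ts`, `user`, `event`, `outcome`, `params`), the event names `ConsoleLogin` and `PutBucketAcl`, and the grantee labels are assumptions loosely modelled on CloudTrail-style records, not any provider's actual format. It goes slightly beyond the table by using a sliding window, so that five failures spread over a day do not fire while five failures in eight minutes do.

```python
"""Added example: two cloud-log detection rules over constructed audit events.

Field names and event names below are assumptions for illustration, not a
real provider schema. SAMPLE_EVENTS is constructed, not captured from a system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (UTC, ISO-8601 timestamps). Not real log data.
SAMPLE_EVENTS = [
    # alice: five failed console logins within eight minutes, then a success
    {"ts": "2024-01-01T10:00:00", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T10:02:00", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T10:04:00", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T10:06:00", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T10:08:00", "user": "alice", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T10:09:00", "user": "alice", "event": "ConsoleLogin", "outcome": "Success", "params": {}},
    # bob: five failures spread across the day (ordinary typos, should not fire)
    {"ts": "2024-01-01T09:00:00", "user": "bob", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T11:00:00", "user": "bob", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T13:00:00", "user": "bob", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T15:00:00", "user": "bob", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    {"ts": "2024-01-01T17:00:00", "user": "bob", "event": "ConsoleLogin", "outcome": "Failure", "params": {}},
    # carol: ACL change that grants a bucket to everyone (should fire)
    {"ts": "2024-01-01T12:00:00", "user": "carol", "event": "PutBucketAcl", "outcome": "Success",
     "params": {"bucket": "finance-reports", "grantees": ["AllUsers"]}},
    # dave: ACL change scoped to a single principal (should not fire)
    {"ts": "2024-01-01T12:30:00", "user": "dave", "event": "PutBucketAcl", "outcome": "Success",
     "params": {"bucket": "dev-scratch", "grantees": ["user:dave"]}},
]

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Grantee labels treated as "public" (assumed names for this example).
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}
STORAGE_ACL_EVENTS = {"PutBucketAcl", "PutBucketPolicy"}


def detect_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Multiple Failed Login Attempts: one alert per user the first time
    `threshold` failed logins land inside a sliding `window`."""
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "ConsoleLogin" or ev["outcome"] != "Failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "multiple_failed_logins", "user": ev["user"],
                           "count": len(q), "window_end": ev["ts"]})
    return alerts


def detect_public_storage(events):
    """Publicly Accessible Storage Detection: alert on an ACL or policy change
    whose grantees include an all-users style principal."""
    alerts = []
    for ev in events:
        if ev["event"] not in STORAGE_ACL_EVENTS or ev["outcome"] != "Success":
            continue
        params = ev.get("params", {})
        public = set(params.get("grantees", [])) & PUBLIC_GRANTEES
        if public:
            alerts.append({"rule": "public_storage", "user": ev["user"],
                           "bucket": params.get("bucket"), "grantees": sorted(public), "ts": ev["ts"]})
    return alerts


def run_rules(events):
    """Run every rule and return the combined alert list."""
    return detect_failed_login_bursts(events) + detect_public_storage(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the tuning knobs the "specified time frame" wording refers to; in practice they are set per tenant from a baseline of ordinary failure rates, and the public-storage rule is usually paired with a periodic configuration scan, since a log-based rule only sees changes made after collection started.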

MITRE ATT&CK

T1534, T1573, T1550, T1526, T1083, T1565, T1048, T1537, T1552, T1110, T1081, T1056, T1547, T1560, T1102, T1087, T1085, T1106, T1548, T1072, T1071, T1070