Cloud Incident Readiness

Key logs for cloud incidents

Log ranking

CISOs and cloud security teams have to make choices, and one of them is which logs to enable. Sometimes compliance is the reason a log is enabled and retained for a specific period; sometimes budget constraints mean you cannot enable everything. In this blog we want to help you make the right decision: we rank the relevant logs for each provider from a cloud incident response perspective. One thing to keep in mind: no logs, no crime!

  • Must-Have 🔥 – Essential logs required for detecting, investigating, and responding to security incidents. These logs should be enabled and retained by default where possible.

  • Should-Have ✅ – Valuable logs that provide additional insights into cloud activity. They enhance security monitoring but may not be strictly necessary for every organization.

  • Nice-to-Have 📌 – Supplementary logs that can help with deeper analysis but are often not crucial for basic incident response.

Microsoft / Azure

Let's start with the Microsoft cloud, covering Entra ID, Microsoft 365 and Azure. In the Microsoft world, tenant-level logs are generated mostly by Entra ID; in addition there is Azure-specific logging, plus logs from resources within Azure. To complicate matters further, Microsoft 365 services record their activities in a separate log. The table below shows the major logs and some basic details:

| Name | Description | Enabled by default | Retention (days) |
| --- | --- | --- | --- |
| Entra ID Audit logs | Logs changes and activities related to Entra ID resources. | ✅ | 30 |
| Entra ID Sign-in logs | Tracks sign-in attempts, including success and failure reasons. | ✅ | 30 |
| Unified Audit Log | Provides audit trails for multiple Microsoft 365 services. | ✅ | 180 |
| Azure Activity logs | Captures control-plane events within an Azure subscription. | ✅ | 90 |
| Storage audit logging | Records access and modifications to Azure Storage accounts. | ❌ | Varies |
| Netflow logging | Monitors network traffic flow for security and analysis. | ❌ | Varies |
| Microsoft Graph Activity Logs | Tracks API calls and activities within Microsoft Graph. | ❌ | Varies |

Must-have

  • Entra ID Sign-in logs

  • Entra ID Audit logs

  • Azure Activity log

  • Unified Audit Log

Should-have

  • Microsoft Graph Activity Logs

Nice-to-have

  • Storage audit logging

  • Netflow logging

  • Other resource logs (e.g. Kubernetes logging, SQL logging).

Example case: Cryptomining

Let's go over an example case in Microsoft, where we supported a client that became the victim of crypto-mining. The client was alerted by a huge increase in its bill, which started the investigation. They engaged us to figure out how someone had been able to spin up over 20 virtual machines with very high specs. The investigation started by figuring out who launched the virtual machines; we then used that information to determine what other actions had been performed by this account. Of course, we also analyzed the sign-in events for this user and found a suspicious VPN IP in the login events. Additionally, we analyzed a snapshot of the host to determine which mining software and which pool were used for the malicious activity. In the mindmap below we have mapped the logs to the main investigative questions:

AWS

Moving on to AWS: from a logging perspective it is a bit easier than Microsoft, because whichever flavour of AWS IAM identity you use, its activity is covered by the default logging.

| Name | Description | Enabled by default | Retention (days) |
| --- | --- | --- | --- |
| CloudTrail Management Events | Logs management operations performed on AWS resources, such as IAM changes and API calls. | ✅ | 90 |
| GuardDuty Findings (when in use) | Detects and reports potential security threats using machine learning and anomaly detection. | ✅ | Unlimited |
| CloudTrail Data Events | Captures API operations on data resources, such as S3 object access and Lambda function executions. | ❌ | Varies |
| S3 Access logging | Records detailed access logs for Amazon S3 buckets to track read and write operations. | ❌ | Varies |
| Route53 DNS Logs | Monitors DNS query activity to detect unusual domain resolution patterns. | ❌ | Varies |
| Netflow Logging | Tracks network traffic flows to analyze communication patterns and detect anomalies. | ❌ | Varies |
| Load Balancer Logging | Captures HTTP/S request details and traffic patterns through AWS Elastic Load Balancer. | ❌ | Varies |

Must-have

  • CloudTrail Management events

  • GuardDuty findings (when in use)

Should-have

  • CloudTrail Data events

  • S3 Access logging

Nice-to-have

  • Route53 DNS logs

  • Netflow logging

  • Load Balancer logging

  • Resource logs (e.g. EKS, ECS)

Example case: Ransomware in S3

In one of our cases we were engaged because a client had found a ransom note in their S3 bucket. We were tasked with figuring out how the threat actor was able to get into the environment and what they had done to data and resources in the AWS environment. The first thing we did was check what logs were configured on the S3 bucket in question; based on that information we were able to determine which user performed actions against this bucket. Through analysis of CloudTrail we were able to find various discovery actions against the S3 service and the bucket in question. This was all done with an IAM key, which we used to track down any other malicious actions performed by the threat actor. The figure below shows the logs you can (and should) use to answer the main investigative questions.
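The access-key pivot from the ransomware case, as an added example written for this page (not BluSapphire code), run over a handful of constructed CloudTrail-style records: start from the bucket, find the key that touched it, then reconstruct everything that key did. The access key IDs, IP addresses, bucket and user names are placeholders, and the same identity pivot (who did it, then everything else that identity did) is what the cryptomining case in the Microsoft section describes.

```python
from collections import Counter

# Constructed CloudTrail-style records; key IDs, IPs and names are placeholders.
# GetObject/PutObject are S3 data events (managementEvent False): they only exist
# in the trail if CloudTrail Data Events were enabled, hence "should-have" above.
def ev(time, source, name, read_only, mgmt, ip, akid, **params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": read_only, "managementEvent": mgmt, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": akid}, "requestParameters": params}

S3, IAM = "s3.amazonaws.com", "iam.amazonaws.com"
ATK, LEGIT = "AKIAPLACEHOLDER0001", "ASIAPLACEHOLDER0002"
SAMPLE_TRAIL = [
    ev("2024-03-01T10:02:11Z", S3, "ListBuckets", True, True, "198.51.100.7", ATK),
    ev("2024-03-01T10:02:40Z", S3, "GetBucketPolicy", True, True, "198.51.100.7", ATK, bucketName="victim-bucket"),
    ev("2024-03-01T10:05:03Z", S3, "GetObject", True, False, "198.51.100.7", ATK, bucketName="victim-bucket", key="finance/q1.xlsx"),
    ev("2024-03-01T10:09:58Z", S3, "PutObject", False, False, "198.51.100.7", ATK, bucketName="victim-bucket", key="README_TO_RECOVER.txt"),
    ev("2024-03-01T10:12:30Z", IAM, "CreateAccessKey", False, True, "198.51.100.7", ATK, userName="backup-svc"),
    ev("2024-03-01T11:00:00Z", S3, "PutObject", False, False, "10.0.0.5", LEGIT, bucketName="app-uploads", key="img/1.png"),
]

def bucket_of(event):
    return (event.get("requestParameters") or {}).get("bucketName")

def keys_touching_bucket(events, bucket):
    """Step 1: which access keys acted on the bucket that held the ransom note."""
    return sorted({e["userIdentity"]["accessKeyId"] for e in events if bucket_of(e) == bucket})

def timeline_for_key(events, akid):
    """Step 2: everything that key did, across services, in time order."""
    mine = sorted((e for e in events if e["userIdentity"].get("accessKeyId") == akid),
                  key=lambda e: e["eventTime"])
    return [(e["eventTime"], e["eventSource"], e["eventName"]) for e in mine]

def summarize_key(events, akid):
    """Step 3: split that activity into discovery (read-only calls), data-plane
    writes and control-plane changes, and collect source IPs for the next pivot."""
    mine = [e for e in events if e["userIdentity"].get("accessKeyId") == akid]
    kinds = Counter("discovery" if e["readOnly"] else
                    "management" if e["managementEvent"] else "data-write" for e in mine)
    return {"counts": dict(kinds),
            "source_ips": sorted({e["sourceIPAddress"] for e in mine}),
            "data_events_seen": any(not e["managementEvent"] for e in mine)}

if __name__ == "__main__":
    for akid in keys_touching_bucket(SAMPLE_TRAIL, "victim-bucket"):
        print(akid, summarize_key(SAMPLE_TRAIL, akid))
        for row in timeline_for_key(SAMPLE_TRAIL, akid):
            print("   ", *row)
```

If `data_events_seen` comes back false for the key that touched the bucket, the object-level reads and writes were never recorded, which is the gap CloudTrail Data Events or S3 Access logging would have closed.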

Google

We will cover both Google Cloud (GC) and Google Workspace (GWS) in this category of logs. The table below describes the major logs for GC and GWS:

| Name | Description | Enabled by default | Retention (days) |
| --- | --- | --- | --- |
| Admin Activity Logging | Tracks changes made to GC resources by users and service accounts. | ✅ | 400 |
| System Event Audit Logs | Captures system-level activities, such as VM restarts and automatic service actions. | ✅ | 400 |
| Policy Denied Audit Logs | Records access attempts blocked due to security policies or IAM restrictions. | ✅ | 400 |
| Google Workspace Login Logs | Monitors user sign-in activity across Google Workspace applications. | ✅ | 180 |
| Google Workspace Admin Logs | Logs administrative actions taken within Google Workspace. | ✅ | 180 |
| Google Workspace Drive Logs | Tracks file access, sharing, and modifications in Google Drive. | ✅ | 180 |
| Google Workspace Gmail Logs | Records email activity, including message delivery and security events. | ✅ | 180 |
| Data Access Audit Logs | Captures read operations on GC resources to monitor data access. | ❌ | Varies |

Must-have

  • Admin Activity logging

  • System event audit logs

  • Policy Denied audit logs

  • Google Workspace Login logs

  • Google Workspace Admin logs

  • Google Workspace Drive logs

  • Google Workspace Gmail logs

Should-have

  • Data Access audit logs

  • Other Google Workspace services logging

Nice-to-have

  • Resource logs (e.g. Cloud Run, Kubernetes)

Example case: Data theft from Google Cloud Storage

Recently we worked on a case where a company used Google Cloud Storage buckets as the storage back-end for an application hosted in Google Cloud. In this case the threat actor was able to extract a large number of files. Our investigation again started with the files that were taken; we were able to determine that this was possible because the files were publicly accessible. The investigation then looked into whether there was internal involvement, or whether someone had misconfigured this application and the associated storage. Last but not least, we analyzed the Google Workspace logs to check for indications of compromise there. Let's see what logs we needed to answer the investigative questions:


Last updated 1 month ago