Module 17: Cloud SOC — Defending Beyond the Perimeter
Cloud-native logging, attack patterns, and detection for AWS, Azure, and GCP.
You'll investigate the attacker's cloud pivot — console login from 185.220.101.42, IAM key creation, S3 policy changes.
Lessons & Labs
Cloud Audit Trails
AWS CloudTrail, Azure AD Sign-In Logs, GCP Audit Logs — cloud log sources, key fields, ingestion into Wazuh
Lab 17.1 — CloudTrail Log Analysis
Analyze pre-loaded CloudTrail events in Wazuh: IAM user creation, policy changes, S3 bucket modification, unusual console login.
Cloud Attack Patterns
IAM privilege escalation, S3 bucket exposure, Lambda abuse, SSRF to IMDS, Azure AD token theft, GCP service account theft, cross-cloud lateral movement — mapped to ATT&CK Cloud matrix
Lab 17.2 — Cloud Attack Detection
Browser-only: Given raw CloudTrail JSON events, identify attack techniques, map to ATT&CK Cloud matrix, write detection logic.
Cloud Detection & Response
CloudTrail-based Sigma rules, Azure Sentinel KQL, GCP Chronicle YARA-L, cloud-native containment, IR playbooks for compromised instances and stolen credentials
Lab 17.3 — Cloud IR Playbook
Browser-only: Design containment steps, credential rotation plan, and evidence preservation strategy for a cloud breach scenario.
Multi-Cloud Investigation
Cross-cloud identity federation attacks, multi-cloud correlation techniques, unified timeline building, cross-cloud kill chain reconstruction
Lab 17.4 — Multi-Cloud Investigation
Browser-only: Analyze cross-cloud JSON logs (CloudTrail + Azure Sign-In + GCP Audit), reconstruct the multi-cloud attack, map to ATT&CK Cloud matrix.