
Cloud SOC Analyst Cheat Sheet | Log Analysis

RM 33.43
95% off for Cyber Security & IT Essentials Notes Members. Promotion auto-applied on checkout.

This cheat sheet is a high-speed, tactical reference for threat detection, incident response (IR), and cloud security monitoring. It skips high-level theory and focuses on the raw telemetry produced by the three major cloud platforms: AWS (CloudTrail), Microsoft Entra ID (formerly Azure AD, and still called Azure AD throughout the sheet), and Google Cloud Platform (GCP).

Beyond simple event listing, it offers technical recipes for using jq to parse JSON logs and defines a universal schema of Correlation Keys to help analysts stitch together disparate events into a coherent attack timeline.

Table of Contents

  • Top 20 CloudTrail events
  • High-Severity Event Combinations
  • Top 20 Azure AD log types
  • Top 20 GCP IAM & Audit Logs
  • JQ Extraction Recipes
  • SIEM Correlation Keys

Who is this for?

This guide is written for technical practitioners who work directly with log data:

  • SOC Analysts: for spotting red flags during triage, such as source IPs outside normal regions or MFA bypasses, and for recognising specific attack signatures such as impossible travel or password spraying.
  • Threat Hunters: for proactively searching for persistence techniques and defense-evasion indicators hidden in the noise, using the sheet's threat-hunting patterns to surface suspicious IPs or unusual API calls.
  • SIEM Engineers: for building detection logic on the "Universal Correlation Key Set" so that logs from different clouds correlate cleanly, and for implementing the recommended "SOC Playbook Mappings" that link attack techniques to specific log types.
  • Incident Responders: for rapid investigation of critical IOCs, such as a security group opening port 22 to the world, and for scoping the blast radius of a compromised identity using user identity keys such as userIdentity.arn (AWS) or userPrincipalName (Azure AD).
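The two ideas the sheet leans on, parsing raw CloudTrail JSON for a known red flag and normalising what you find onto cross-cloud correlation keys, look like this in practice. This is an added example written for this page, not code from the cheat sheet or its author: the CloudTrail records, account ID, ARNs and IP addresses are constructed, and the normalised key names (cloud, event_time, event_name, actor, account, source_ip, region) are an assumed schema, not the PDF's own "Universal Correlation Key Set".

```python
"""Triage pass over constructed CloudTrail records.

Added example, not from the cheat sheet. Every record, ARN, account ID and IP
below is made up; the normalised key names are an assumed schema.
"""
import json
from datetime import datetime, timezone

# Constructed sample: one security-group change opening SSH to the world,
# one console login without MFA, and one benign read-only call.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {
        "eventTime": "2024-05-01T10:16:30Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-05-01T10:17:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "10.0.0.5",
        "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/session"},
    },
]})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _ip_ranges(perm):
    # CloudTrail nests lists under {"items": [...]}; v4 and v6 use different keys.
    for key in ("ipRanges", "ipv6Ranges"):
        for r in perm.get(key, {}).get("items", []):
            yield r.get("cidrIp") or r.get("cidrIpv6")


def sg_opens_port_to_world(record, port=22):
    """True if an AuthorizeSecurityGroupIngress call exposes `port` to 0.0.0.0/0 or ::/0.

    ipProtocol "-1" means all protocols; a missing port range means all ports.
    """
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for p in perms:
        lo, hi = p.get("fromPort", 0), p.get("toPort", 65535)
        if p.get("ipProtocol") in ("tcp", "-1") and lo <= port <= hi:
            if any(c in WORLD_CIDRS for c in _ip_ranges(p)):
                return True
    return False


def console_login_without_mfa(record):
    """Successful console login where MFAUsed is anything other than "Yes"."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def normalize(record):
    """Map a CloudTrail record onto assumed cross-cloud correlation keys."""
    ident = record.get("userIdentity", {})
    return {
        "cloud": "aws",
        "event_time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                              .replace(tzinfo=timezone.utc),
        "event_name": record.get("eventName"),
        "actor": ident.get("arn"),          # userIdentity.arn is the pivot key
        "account": ident.get("accountId"),
        "source_ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
    }


def triage(raw_json):
    """Return normalised findings for records matching either red flag, oldest first."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        reasons = []
        if sg_opens_port_to_world(rec):
            reasons.append("sg_port22_world")
        if console_login_without_mfa(rec):
            reasons.append("console_login_no_mfa")
        if reasons:
            finding = normalize(rec)
            finding["reasons"] = reasons
            findings.append(finding)
    findings.sort(key=lambda f: f["event_time"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CLOUDTRAIL):
        print(f["event_time"].isoformat(), f["actor"], f["source_ip"], f["reasons"])
```

The same first filter as a one-line jq recipe of the kind the sheet collects would be `jq '.Records[] | select(.eventName=="AuthorizeSecurityGroupIngress") | {t:.eventTime, who:.userIdentity.arn, ip:.sourceIPAddress, perms:.requestParameters.ipPermissions}'`; the Python version adds the CIDR and port-range check, which is what turns a noisy event match into an actual finding. Once each cloud's records are reduced to the same actor / source_ip / event_time tuple, stitching an Entra ID sign-in to a later CloudTrail call from the same IP becomes a join rather than a manual search.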

Page Count: 28

Format: PDF

Note: This product is not eligible for a refund.

If you have concerns regarding the product, kindly contact consultation@motasem-notes.net, describe your issue and explain why you believe you are eligible for a refund.
