misconfigured.io

TheCloud.Events: A Catalog of Cloud Security Log Events

The Backstory

A lot of cloud IR and detection work comes down to staring at a single log entry and asking the same three questions: what is this event, does it actually matter, and what is a real one supposed to look like? You see AssumeRole or ConsoleLogin or some GCP method name a thousand times and most of the time it means nothing, until the one time it does.


Answering those questions usually means digging. The provider docs tell you what an API call does but not what the log looks like or why you’d care from a security angle. Blog posts fill some of the gaps but they go stale, and most of them are AWS only. Azure and GCP are thinner, and when you’re three coffees deep into an investigation you don’t really want to be cross-referencing four browser tabs to remember which field in a GCP audit log tells you who actually did the thing.


So at some point I just started keeping my own notes. One event, what it is, what the log looks like, which tactic it maps to. After a while the notes got big enough that a folder of markdown wasn’t cutting it.

What’s Already Out There

To be clear, there’s good stuff in this space already. AWS has a Threat Technique Catalog that maps CloudTrail event names to MITRE ATT&CK, which is genuinely useful. The catch is it’s AWS only and it doesn’t show you the actual log. Wiz has a Cloud Threat Landscape that’s great, but it’s built around incidents, actors, and tooling, not individual events. Sigma gives you a detection rule, which is the answer once you already know what you’re looking at, not the part where you’re figuring out what you’re looking at.


What I kept wanting was something that sat at the event level, covered all three major clouds, and showed me the raw log. I couldn’t really find that, so I built it.

TheCloud.Events

It’s live at thecloud.events. Right now it’s a catalog of 261 cloud security events across AWS, Azure, and GCP, each one mapped to MITRE ATT&CK tactics and techniques, and each one with a sample of what the event actually looks like in the logs.


The sample logs use made-up account IDs and names so nothing real is in there, but the shape of the log is meant to match the real thing: the fields, the structure, the values you’d actually see. That accuracy is the part I care about most, because a reference you can’t trust is worse than no reference.

What’s On Each Event

For every event you get a short description of what it is, why it matters from a security perspective, where the log comes from, and a sample log entry. The ATT&CK mapping is rendered right on the page so you can see the tactics and techniques it ties to.


I’m in the middle of adding a few more things per event as I go: analyst notes that talk through what’s routine for that event versus what’s worth a second look, written so they don’t assume every instance is malicious, because most aren’t; the specific fields worth checking; and references out to the provider docs plus real, public write-ups of breaches where the event showed up. That last part is the bit I’m most into, since “this is the event behind that breach you read about” is a lot more useful than a dry definition.
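As an added illustration (not code from thecloud.events), here is the “who actually did the thing” lookup from the intro done for all three providers at once: a small normalizer that pulls action, actor, source IP and time out of a CloudTrail record, an Azure Activity Log entry and a GCP Cloud Audit Log entry. The sample records, the alice@example.com principal and the 203.0.113.x addresses are constructed; only the field paths follow each provider’s documented log schema.

```python
from typing import Any

# Constructed sample log entries (not taken from thecloud.events): account IDs,
# names and IPs are made up; only the field layout follows each provider's schema.
SAMPLES: dict[str, dict[str, Any]] = {
    "aws": {  # CloudTrail record
        "eventTime": "2024-05-01T10:15:00Z",
        "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    "azure": {  # Activity Log entry
        "eventTimestamp": "2024-05-01T10:16:00Z",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "caller": "alice@example.com",
        "httpRequest": {"clientIpAddress": "203.0.113.11"},
    },
    "gcp": {  # Cloud Audit Log entry
        "timestamp": "2024-05-01T10:17:00Z",
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.12"},
        },
    },
}

# Where each provider keeps the four fields an analyst reaches for first:
# what was done, who did it, from where, and when.
FIELD_MAP = {
    "aws": {"action": "eventName", "actor": "userIdentity.arn",
            "source_ip": "sourceIPAddress", "time": "eventTime"},
    "azure": {"action": "operationName.value", "actor": "caller",
              "source_ip": "httpRequest.clientIpAddress", "time": "eventTimestamp"},
    "gcp": {"action": "protoPayload.methodName",
            "actor": "protoPayload.authenticationInfo.principalEmail",
            "source_ip": "protoPayload.requestMetadata.callerIp", "time": "timestamp"},
}

def dig(obj: Any, path: str) -> Any:
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def normalize(provider: str, event: dict[str, Any]) -> dict[str, Any]:
    """Pull the common fields out of a provider-specific log entry."""
    return {"provider": provider, **{k: dig(event, p) for k, p in FIELD_MAP[provider].items()}}
```

A missing field comes back as None rather than raising, which is what you want when a truncated or oddly exported record shows up mid-investigation.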

Getting Around

You can filter the catalog by cloud provider and by tactic, or browse the MITRE map view to see everything laid out across the ATT&CK matrix. If you just want to know what GCP events fall under persistence, that’s a couple of clicks.

Where It’s At

It’s early. 261 events is a decent start but it’s nowhere near everything, and the per-event analyst notes and references are getting filled in over time rather than all at once. The MITRE mappings are done, the sample logs are done, the rest is a work in progress.


If you do cloud detection or IR and you’ve ever had to go look up what some event means, give it a look and see if it saves you a tab or two.


thecloud.events


Thanks for stopping by.