Enabled logging is only a starting point
Cloud investigations may need control-plane changes, identity events, network-flow records, application logs, database audit records, object-storage access, container or orchestration events, serverless logs, security-service findings, and configuration history. Enabled logging does not guarantee complete visibility or effective detection. Sources can be delayed, filtered, inaccessible, misrouted, or missing fields needed to answer the question.
Cloud logging inventory
| Source | Operational question |
|---|---|
| Control plane and configuration | Who changed a resource, policy, route, or identity control; when; and from which context? |
| Identity and workload events | Which identity signed in, assumed a role, used a credential, or accessed a service? |
| Network and application telemetry | Which traffic and request evidence is available, where is it sampled, and which owner interprets it? |
| Findings and asset inventory | Which security findings, configuration states, asset attributes, and enrichment sources are retained? |
Minimum evidence checklist
- Document log-source owner, account or region scope, collection route, retention, access control, and time synchronization.
- Centralize copies where the architecture requires resilience, while preserving least privilege and cost-aware retention decisions.
- Alert on disabled collection, failed delivery, changed retention, inaccessible destinations, and unexpected privileged logging changes.
- Keep log access separate from ordinary workload administration where feasible; an incident may involve the workload administrator.
- Record which sources are unavailable, sampled, delayed, or excluded. A gap is an investigation fact, not a reason to call an event harmless.
Detection-readiness workflow
- Start with incident questions: identity use, configuration change, data access, network path, workload behavior, or external action.
- Map each question to a source, owner, retention period, collection dependency, and review route.
- Test a bounded alert and evidence retrieval path with approved activity. Confirm timestamps, correlation fields, access permissions, and escalation contacts.
- Set alert routing, enrichment, and review expectations. Detection content should explain what was observed and what remains uncertain.
- Preserve source-backed evidence and configuration context during triage before short-retention records expire.
Fictional suspicious-access example
A monitoring team sees an unusual role assumption in the central account. The analyst retrieves the identity event, source IP context, target-resource audit record, and relevant network data, then confirms whether a scheduled deployment matches the time. A delivery failure has left one project outside the central route, so the handoff names the gap rather than claiming complete scope. The team fixes collection separately from the event investigation.
Common mistakes
Common mistakes include collecting every possible log without an owner or retrieval plan, treating a security-service finding as a confirmed incident, or retaining logs where responders cannot access them. Cost and retention tradeoffs need explicit decisions; reducing volume may be appropriate, but should not silently remove evidence required for high-value services or emergency access.
Incident triage handoff
A cloud handoff should identify the observed event, source and collection time, affected account or project, identity or workload, confidence, relevant configuration context, and the next evidence request. Preserve immutable or short-retention sources through approved procedures before making broad conclusions. Name unavailable sources, delayed ingestion, and access restrictions. Escalation may be appropriate when a sensitive identity, public service, destructive change, or material data path is involved, but priority should still account for evidence quality, scope, owner availability, and operational impact.
Related Vuln Signal content
See Detection Readiness, Security Alert Intake, Incident Evidence Preservation, Incident Response Learn, and Detection Rule Review practice.