{
	"id": "1dfa294c-9bcd-4652-964f-d406e0558ec2",
	"created_at": "2026-04-06T00:11:40.341401Z",
	"updated_at": "2026-04-10T13:11:43.191767Z",
	"deleted_at": null,
	"sha1_hash": "3e995aa218d2682cd4d83965f8cce8c05af79111",
	"title": "Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126598,
	"plain_text": "Cloudy with a Chance of Bad Logs: Cloud Platform Log\r\nConfigurations to Consider in Investigations | Mandiant\r\nBy Mandiant\r\nPublished: 2023-05-03 · Archived: 2026-04-05 14:57:37 UTC\r\nWritten by: David Pany, Caitlin Hanley\r\nMore and more organizations utilize cloud technology for applications, file storage, and more. However, if an\r\nattacker compromises a cloud environment, organizations may not know how to investigate those technologies, or\r\nmay not even be logging the evidence that could allow the organization to identify what an attacker did.\r\nThis blog post describes a hypothetical scenario of a cloud platform compromise with multiple components that\r\nwould require investigation. Each component is an example of a real intrusion tactic that Mandiant has\r\ninvestigated across various cloud platforms, sometimes with logs available and sometimes without logs available.\r\nCloud Technology Themes\r\nFor each part of the compromise, we provide recommended logging configurations and investigation processes\r\norganized into cloud technology “themes” that group cloud services from Google Cloud Platform (GCP), Amazon\r\nWeb Services (AWS), and Microsoft Azure together:\r\nCloud Virtual Machines\r\nGCP Compute Engine Virtual Machines, AWS EC2 Instance, Azure Virtual Machine\r\nCloud Applications or Cloud Containers\r\nGCP Kubernetes Engine, AWS Elastic Kubernetes Service, Azure Kubernetes Service\r\nCloud Serverless Functions\r\nGCP Cloud Functions, AWS Lambda, Azure Functions\r\nCloud Database Services\r\nGCP Datastore, GCP Cloud Bigtable, GCP Cloud SQL, AWS DynamoDB, AWS Aurora, AWS\r\nRelational Database Service, Azure Database, Azure SQL Database\r\nCloud Authentication Services\r\nGCP Cloud Identity, Azure Active Directory, AWS Directory Service\r\nCloud Management Console\r\nGCP Console, Azure Portal, AWS Console\r\nCloud Email\r\nGoogle Workspace, Microsoft 365, Amazon Simple Email Service\r\nCloud Code Repositories\r\nGCP Cloud Source Repositories, AWS CodeCommit, Azure Repos\r\nCloud Logging Platforms\r\nhttps://www.mandiant.com/resources/blog/cloud-bad-log-configurations\r\nPage 1 of 15\n\nGCP Logs Explorer, AWS Athena, Azure Monitor, Microsoft Sentinel, Azure Log Analytics\r\nCloud Log Analysis Formats\r\nGCP Audit Logs, GCP VPC Flow Logs, AWS CloudTrail, AWS VPC Flow Logs, Azure AD Audit\r\nLogs, Azure AD Sign In Logs, Azure Resource Logs, Azure Activity Logs, Azure NSG Flow Logs\r\nCloud Networking\r\nGCP Virtual Private Cloud, AWS Virtual Private Cloud, Azure Virtual Network\r\nCloud File Storage\r\nGCP Cloud Storage, AWS Simple Storage Service (S3), Azure Blob Storage\r\nMain Takeaways\r\nAfter reading through this scenario, you should be able to:\r\n1. Understand an example attack technique that targets each cloud technology theme\r\n2. Identify event log configurations that should be reviewed in your cloud platform to facilitate an\r\ninvestigation\r\n3. Develop and test incident response playbooks using the investigation recommendations\r\n4. Utilize the event log checklists to review logging configurations and create logging standards\r\nAreas to Research Further\r\nWhile we review many concepts, there are some limitations to be aware of in the scope of this post:\r\n1. These logging and investigation themes are just starting points to be aware of as you design cloud\r\nplatforms unique to your environment. Not all of the logs discussed may be available or feasible, but if\r\nimplemented they would help investigators identify malicious activity that may have only been\r\nrecorded in the logs, improving the timeliness and accuracy of the investigation.\r\n2. Since this blog post discusses a wide variety of cloud platforms, and configurations are frequently\r\nchanging, we do not provide log implementation steps. 
Please work with your cloud administration team\r\nand cloud vendors to identify the considerations, configurations, and costs associated with the logs\r\ndiscussed here.\r\n3. There are many hardening and configuration practices available to mitigate the malicious actions that occur\r\nin the post that are not covered here.\r\nThe Attack Path\r\n1. Credential Stuffing\r\nThe attacker gained access to the Cloud Email platform through a credential stuffing attack against a cloud\r\nadministrator account. Once the attacker found a valid password, the attacker authenticated with those credentials\r\nand the Cloud Email platform asked them which type of multi-factor authentication (MFA) process they preferred.\r\nThe attacker chose the “push” option, which sent an approval request to the legitimate user. The administrator user\r\ndeals with push authentication requests throughout the day for various services and mistakenly accepted the\r\nauthentication request, which provided initial access to the attacker.\r\nInvestigation Theme: Cloud Authentication Services and Cloud Email\r\n1. Analyze logins for the cloud administrator account.\r\n2. Analyze Cloud Authentication Service alerts for risk-based patterns such as credential stuffing or\r\nauthentications from unexpected locations.\r\n3. Identify if IP addresses associated with failed logons have any successful logons.\r\n4. Identify user accounts logging in from multiple IP addresses in multiple locations, particularly if the IP\r\naddresses are unexpected based on previous legitimate user activity.\r\n5. Utilize threat intelligence to enrich context for suspicious IP addresses identified.\r\n6. Review emails received by users for possible credential harvesting phishing links, particularly if the user\r\nreported the email as phishing.\r\n7. Review Cloud Email alerts for suspicious emails identified by the Cloud Email provider and by users.\r\n8. Review logs from Cloud Authentication Service risk-based detections for user sign-ins.\r\nLogging Theme: Cloud Authentication Services\r\n1. Log user authentication with timestamp, username, and source IP address.\r\n2. Log multi-factor authentication details, including the method used and whether the prompt was approved or denied.\r\n3. Turn on risk-based detections, if available.\r\n2. Reconnaissance\r\nOnce the attacker identified the cloud administrator credentials and authenticated, they logged in to the Cloud\r\nManagement Console to identify other applications that the user could access.\r\nInvestigation Theme: Cloud Authentication Services and Cloud Management Console\r\n1. Analyze the Cloud Management Console authentication logs for the previously identified suspicious source\r\nIP addresses and compromised user account.\r\n2. Analyze the Cloud Management Console application access logs to identify unusual application access\r\nactivity.\r\nLogging Theme: Cloud Authentication Services\r\n1. Log user authentication with timestamp, username, and source IP address.\r\n3. Reconfiguring Privileges\r\nThe attacker identified that the cloud administrator account had access to the Cloud Authentication Services\r\napplication and authenticated to it. In the Cloud Authentication Services application, the attacker changed the\r\nprivileges of the cloud administrator to the highest global administrator account privileges available and removed\r\nthe multi-factor requirement.\r\nInvestigation Theme: Cloud Authentication Services\r\n1. Analyze changes to user accounts, including password, permissions, and contact information such as phone\r\nnumbers for MFA or password reset.\r\n2. Analyze accounts that have weak security controls such as disabled MFA requirements.\r\n3. 
Analyze applications that have weak security controls such as disabled MFA requirements or access to\r\nunexpected user accounts.\r\n4. Analyze MFA settings per account for anomalies such as disabled MFA, multiple MFA methods registered,\r\nrecent MFA configuration changes, or configuration changes outside of policy.\r\nLogging Theme: Cloud Authentication Services\r\n1. Log access to all cloud services for authenticated users.\r\n2. Log user authentication with timestamp, username, and source IP address.\r\n3. Log changes to user permissions and configurations.\r\n4. Identifying Hard-coded Credentials in Code\r\nWhile in the Cloud Management Console, the attacker identified that the organization uses a custom Cloud\r\nApplication. The attacker accessed the Cloud Code Repository with the global administrator account and\r\nidentified the Cloud Application source code hosted there. The attacker accessed the code and identified plain-text\r\nhard-coded credentials for an application service account.\r\nInvestigation Theme: Cloud Applications or Containers, Cloud Code Repositories\r\n1. Analyze user access to application source code.\r\n2. Analyze creation and modification of application source code.\r\n3. Review accessed code to identify impact of exposed data, such as credentials.\r\n4. Review logs related to application-related files and code download, if available.\r\nLogging Themes: Cloud Authentication Services, Cloud Applications and Containers, and Cloud Code\r\nRepositories\r\n1. Log access to all cloud services for authenticated users.\r\n2. Log creation, modification, and access to application code.\r\n3. Log download of files and code related to application.\r\n4. Log web-based code views, downloads, and edits.\r\n5. Log code management access and modification through tools such as git.\r\n6. Log user authentication with timestamp, username, and source IP address.\r\n5. 
Identifying Hard-coded Credentials in Logs\r\nWhile in the Cloud Authentication Services application, the attacker identified that the Administrator had access to\r\nthe Cloud Logging platform. The attacker authenticated to the Cloud Logging platform and searched logs for\r\nkeywords related to plain-text credentials. The attacker exported logs that contained those keywords, particularly\r\ndatabase user credentials.\r\nInvestigation Theme: Cloud Logging\r\n1. Analyze access to cloud log aggregation platforms.\r\n2. Analyze log queries performed.\r\n3. Analyze exported logs.\r\n4. Analyze log modification and deletion.\r\nLogging Theme: Cloud Logging\r\n1. Log authentication to logging services.\r\n2. Log queries executed for log data.\r\n3. Log data exports.\r\n4. Log modification/deletion of log data.\r\n6. Environment Enumeration\r\nThe attacker returned to the Cloud Authentication Services application and performed reconnaissance on systems\r\nand users. The attacker exported all environment objects including systems and accounts.\r\nInvestigation Theme: Cloud Authentication Services\r\n1. Analyze access to Authentication Service queries and configurations viewed.\r\n2. Analyze exported Authentication Service and domain data.\r\n3. Analyze Authentication Service modifications for permissions and security parameters.\r\nLogging Theme: Cloud Authentication Services\r\n1. Log access to all cloud services for authenticated users.\r\n2. Log changes to user permissions and configurations.\r\n3. Log exported domain data.\r\n4. Log created user accounts.\r\n7. Infrastructure Creation\r\nNext, the attacker pivoted to the Cloud Virtual Machine infrastructure and created a templated virtual machine.\r\nThe attacker assigned the virtual machine to the application service account previously identified in the\r\napplication source code. 
The attacker configured the Cloud Networking rules to allow remote desktop protocol\r\n(RDP) access from the internet. The application service account did not require MFA for any authentication\r\nactivity because of its intended use. The attacker logged on to the virtual machine through RDP from their\r\ncommand and control (C2) server.\r\nInvestigation Theme: Virtual Machines\r\n1. Analyze virtual machine creation and modification events.\r\n2. Analyze virtual IP address actions such as create, delete, and modify.\r\n3. Analyze changes made to network configurations.\r\n4. Analyze modifications to network controls.\r\n5. Analyze Authentication Service authentications for systems.\r\nLogging Themes: Virtual Machines and Cloud Networking\r\n1. Configure system event logs to follow standard endpoint logging policies for authentication, user activity,\r\nand privileged account use.\r\n2. Log virtual machine management actions such as start, pause, backup, snapshot, create, delete, and\r\ncommand executions.\r\n3. Log changes made to network configurations.\r\n4. Log virtual IP address management actions such as create, delete, and modify.\r\n5. Log network flow metadata.\r\n8. Database Access\r\nWhile logged on to the newly created virtual machine, the attacker identified a database server based on the\r\nhostname SQLDB01. The attacker moved laterally from the virtual machine they created to the database server\r\nvia RDP using the application service account.\r\nThe attacker connected to the database, which utilized a Cloud Database Service backend, using the database user\r\ncredentials previously identified in logs and explored the data by enumerating the table schema and running\r\n“select *” queries.\r\nInvestigation Theme: Cloud Database Services\r\n1. Analyze database authentication logs to identify unexpected authentications based on account name,\r\ntimeframe, or source of authentication.\r\n2. Analyze queries for reconnaissance activity such as “select *” or access to unexpected data.\r\n3. Analyze queries for modification and deletion activity.\r\nLogging Theme: Cloud Database Services\r\n1. Log database user authentication and source network address.\r\n2. Log data access including source network address and user.\r\n3. Log data modification and deletion including source network address and user.\r\n4. Log errors and long running queries, which could be indicative of data transfer or reconnaissance.\r\n9. Network Scanning\r\nWhile logged on to the attacker-created virtual machine, the attacker also performed internal reconnaissance to\r\nidentify other systems of interest. The attacker scanned the network for other systems using custom port scanning\r\nutilities that searched for open SSH, RDP, and SMB ports.\r\nInvestigation Themes: Cloud Virtual Machines and Cloud Networking\r\n1. Analyze endpoint artifacts on virtual machines based on endpoint forensic processes.\r\n2. Review internal network log data for patterns of network scanning.\r\nLogging Themes: Cloud Virtual Machines and Cloud Networking\r\n1. Configure system event logs to follow standard endpoint logging policies for authentication, user activity,\r\nand privileged account use.\r\n2. Forward system logs to a log management platform or SIEM as part of standard policies and processes.\r\n3. Log network flow metadata.\r\n10. File Theft\r\nThe attacker identified a network-shared file server that hosted files on a Cloud File Storage solution. After\r\nenumerating files stored on the network share, the attacker copied files to their C2 system using a bulk network\r\nfile transfer utility.\r\nInvestigation Theme: Cloud File Storage\r\n1. 
Analyze files accessed by user accounts and source IP addresses.\r\n2. Analyze users with a large number of file downloads during the timeframe.\r\n3. Analyze users with a large number of file deletions during the timeframe.\r\nLogging Themes: Cloud File Storage and Cloud Networking\r\n1. Log file download events with user account, source IP address, and timestamp.\r\n2. Log network flow metadata.\r\n3. Log file creation, modification, upload, and deletion events with user account, IP address, and timestamp.\r\n4. Log API access to file storage locations, folders, and files.\r\n5. Log file and directory listing metadata views.\r\n11. Placing Malware\r\nWhile accessing the file server, the attacker also decided to stage further backdoors in trojanized files that are\r\nlikely to be opened by users.\r\nInvestigation Theme: Cloud File Storage\r\n1. Analyze file uploads, creations, modifications, and deletions, particularly from compromised accounts and\r\nIP addresses.\r\n2. Analyze access to trojanized files to identify users whose systems need further investigation.\r\n3. Scan files with anti-virus.\r\n4. Analyze quarantined files.\r\nLogging Theme: Cloud File Storage\r\n1. Log user authentication.\r\n2. Log file creation, upload, modification, and deletion events, including IP addresses.\r\n3. Log file download events with user account, source IP address, and timestamp.\r\n4. Turn on alerts for suspicious activity, including malware and mass downloads, if available.\r\n12. Email Theft\r\nWhile logged on to cloud email for the administrator account, the attacker browsed through the last several days\r\nof messages. The attacker looked at email folders named “finance” and “hr” and downloaded attachments from\r\nsent messages.\r\nInvestigation Theme: Collaboration — Cloud Email\r\n1. Analyze messages viewed in a mailbox, particularly by compromised accounts and IP addresses.\r\n2. Analyze attachments downloaded in a mailbox.\r\n3. Analyze searches performed in a mailbox.\r\nLogging Theme: Collaboration — Cloud Email\r\n1. Log authentication to mailboxes.\r\n2. Log access and views of email messages.\r\n3. Log download and access of email attachments.\r\n4. Log searches of mailboxes.\r\n13. Spreading Malware\r\nThe attacker shared the uploaded trojanized backdoor file through the collaboration platform’s file sharing service\r\nwith 20 users.\r\nInvestigation Theme: Collaboration — Cloud File Sharing\r\n1. Analyze known bad files to see what accounts shared them and with whom.\r\n2. Analyze known bad file downloads.\r\nLogging Theme: Collaboration — Cloud File Sharing\r\n1. Log authentication of user account and source IP address.\r\n2. Log file creation, modification, upload, and deletion events with user account, IP address, and timestamp.\r\n3. Log file download events with user account, source IP address, and timestamp.\r\n4. Log location, folder, and file permission changes.\r\n5. Log API access to file storage locations, folders, and files.\r\n14. Impersonating Users\r\nSeveral users messaged the administrator’s account and asked questions about errors opening the new document\r\nthey had downloaded through the collaboration platform from the automated file-share notification email. The attacker\r\nreplied to tell the users the document was legitimate.\r\nInvestigation Theme: Collaboration — Cloud Chat\r\n1. Analyze chat message logs sent by compromised accounts.\r\n2. Analyze chat message logs sent from users logged in from known malicious IP addresses.\r\nLogging Theme: Collaboration — Cloud Chat\r\n1. Log authentication of user account and source IP address.\r\n2. Log messages sent, received, edited, and deleted.\r\n3. Log files transferred and store content for review.\r\n15. 
Anti-forensics\r\nFinally, in an attempt to delay detection, the attacker created a mailbox rule to automatically delete replies to the\r\ncompromised file share email.\r\nInvestigation Theme: Collaboration — Cloud Email\r\n1. Analyze current mailbox rule configurations to identify active mailbox rules.\r\n2. Analyze mailbox rule logs to identify if the attacker modified existing rules or deleted rules they no longer\r\nneeded.\r\n3. Analyze messages currently in “Deleted” folders.\r\n4. Analyze logs of messages permanently deleted.\r\n5. Analyze other email message storage locations such as security tools or e-discovery retention platforms.\r\nLogging Theme: Collaboration — Cloud Email\r\n1. Log mailbox rule creation, modification, and deletion.\r\n2. Log message deletion.\r\nDetection and Response\r\nThe aforementioned hypothetical scenario took place in a matter of several days, reflecting how quickly the threat\r\nactors moved in the real scenarios this one is based on. In these cases, information security teams commonly have\r\nonly a few medium priority alerts fire that go unnoticed due to the abundance of alerts feeding from their tools.\r\nIn this scenario, suspicion started when several helpdesk team members realized they had separate reports of users\r\nwho had suspicious files shared with them. The helpdesk team escalated to Information Security per their\r\ndocumented processes and the Incident Response (IR) team started an investigation into the cloud file sharing\r\nplatform associated with the file sharing.\r\nThe IR team quickly realized that the default logging available with their lowest cost license subscription recorded\r\nmany useful logs such as:\r\n1. Failed and successful logons associated with credential stuffing and initial compromise\r\n2. File sharing activity\r\n3. Mailbox rules created\r\n4. Files accessed in the cloud file sharing platform\r\nUnfortunately, the investigation could not answer the question “did the attacker access any email messages or\r\nsynchronize any mailboxes?” due to the default logging levels. The IR team also realized they were lucky the\r\nincident was detected relatively quickly because the default license subscription only stored logs for 90 days with\r\ntheir Cloud Logging platform.\r\nAfter a post-mortem review several months later, the organization realized the IR team only reviewed\r\ncollaboration platform authentications and did not cross reference them against domain authentication logs. This meant\r\nthat the internal team never identified that the attacker compromised the cloud infrastructure platform and\r\nperformed follow-on activities such as creating and accessing a VM, elevating to domain administrator privileges,\r\nand interacting with file servers. They focused only on the collaboration platform because the initial incident\r\nidentification occurred after the sharing of files on the Collaboration Cloud File Sharing platform. The\r\ninvestigation had to be reopened several months later when evidence had started to disappear from Cloud Logging\r\nsources.\r\nConclusion\r\nAs the scenario demonstrates, attackers have a wider surface area to persist and steal data because of the adoption\r\nof cloud infrastructure and collaboration platforms. 
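Two of the investigation steps above translate directly into code a responder can run over exported logs: items 3 and 4 of the credential stuffing stage (IP addresses with failed logons that later succeed, and accounts logging in from multiple locations), and the cross-referencing of collaboration platform sign-ins against cloud management and domain authentication logs that the post-mortem says the IR team skipped. The following Python is an added example written for this page; it is not code from Mandiant or from any cloud provider. The record schema (ts, user, ip, country, ok, mfa, action) and every log record in it are constructed for the illustration and are not taken from a real platform; real exports would need a small mapping step onto these field names first.

```python
# Added example (not from the Mandiant post): triage of cloud sign-in logs
# for the credential-stuffing pattern in attack stage 1, plus the
# cross-platform correlation the post-mortem in Detection and Response
# says the IR team skipped. Field names and every record below are
# constructed for this example and are not taken from any real platform.
from collections import defaultdict
from datetime import datetime

# Constructed cloud email / collaboration platform sign-in records (assumed schema).
EMAIL_SIGNINS = [
    {'ts': '2023-04-01T02:10:00', 'user': 'alice', 'ip': '203.0.113.10', 'country': 'RO', 'ok': False},
    {'ts': '2023-04-01T02:10:05', 'user': 'bob', 'ip': '203.0.113.10', 'country': 'RO', 'ok': False},
    {'ts': '2023-04-01T02:10:09', 'user': 'cloudadmin', 'ip': '203.0.113.10', 'country': 'RO', 'ok': False},
    {'ts': '2023-04-01T02:10:14', 'user': 'carol', 'ip': '203.0.113.10', 'country': 'RO', 'ok': False},
    {'ts': '2023-04-01T02:11:30', 'user': 'cloudadmin', 'ip': '203.0.113.10', 'country': 'RO', 'ok': True, 'mfa': 'push'},
    {'ts': '2023-04-01T08:00:00', 'user': 'cloudadmin', 'ip': '198.51.100.7', 'country': 'US', 'ok': True, 'mfa': 'push'},
    {'ts': '2023-04-01T08:05:00', 'user': 'bob', 'ip': '198.51.100.8', 'country': 'US', 'ok': True, 'mfa': 'app'},
    {'ts': '2023-04-01T09:00:00', 'user': 'bob', 'ip': '198.51.100.8', 'country': 'US', 'ok': False},
]

# Constructed cloud management console / identity audit records (assumed schema).
CONSOLE_EVENTS = [
    {'ts': '2023-04-01T02:20:00', 'user': 'cloudadmin', 'ip': '203.0.113.10', 'action': 'ConsoleLogin'},
    {'ts': '2023-04-01T02:25:00', 'user': 'cloudadmin', 'ip': '203.0.113.10', 'action': 'UpdateUserRole'},
    {'ts': '2023-04-01T02:26:00', 'user': 'cloudadmin', 'ip': '203.0.113.10', 'action': 'DisableMFA'},
    {'ts': '2023-04-01T08:10:00', 'user': 'bob', 'ip': '198.51.100.8', 'action': 'ConsoleLogin'},
]


def stuffing_sources(events, min_users=3):
    # Investigation step 3: source IPs that failed against at least min_users
    # distinct accounts and then succeeded for one of them. Events are walked
    # in time order so a success only counts when it follows the failures.
    failed = defaultdict(set)   # ip -> usernames with failed logons so far
    hits = {}                   # ip -> (username, timestamp) of first success after spraying
    for rec in sorted(events, key=lambda r: datetime.fromisoformat(r['ts'])):
        if not rec.get('ok'):
            failed[rec['ip']].add(rec['user'])
        elif len(failed[rec['ip']]) >= min_users and rec['ip'] not in hits:
            hits[rec['ip']] = (rec['user'], rec['ts'])
    return hits


def multi_location_users(events):
    # Investigation step 4: accounts with successful logons from more than
    # one country, returned with the (ip, country) pairs seen for each.
    seen = defaultdict(set)
    for rec in events:
        if rec.get('ok'):
            seen[rec['user']].add((rec['ip'], rec['country']))
    return {u: sorted(v) for u, v in seen.items() if len({c for _, c in v}) > 1}


def cross_reference(suspect_ips, audit_events):
    # Post-mortem fix: take the IPs flagged in the collaboration platform and
    # pull every cloud management action performed from them, so the
    # infrastructure side of the intrusion is not missed.
    return [rec for rec in audit_events if rec['ip'] in suspect_ips]


if __name__ == '__main__':
    hits = stuffing_sources(EMAIL_SIGNINS)
    print('credential stuffing sources:', hits)
    print('accounts seen from multiple countries:', multi_location_users(EMAIL_SIGNINS))
    for rec in cross_reference(set(hits), CONSOLE_EVENTS):
        print('follow-on console activity:', rec['ts'], rec['user'], rec['action'], rec['ip'])
```

Run against the constructed records, the script flags 203.0.113.10 as a spraying source that failed against four accounts before succeeding for cloudadmin via an approved push prompt, reports cloudadmin as the only account with successful logons from two countries, and then surfaces the console login, role change, and MFA removal performed from that same IP. That last list is the infrastructure-side activity that reviewing collaboration sign-ins alone never exposes; on real exports the flagged IPs should also go through threat intelligence enrichment (step 5), and the cross-reference should be run before the retention window mentioned above expires.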
The move to these cloud platforms brings useful functionality\r\nand security features, but configuring everything correctly can be overwhelming for a team that is new to the\r\ntechnology.\r\nNot only are there many access, permission, and protection configurations to consider, but teams should also make\r\nsure that they would be able to fully investigate various attacks that could happen by storing the correct logs.\r\nUnderstanding what technologies your organization uses and performing threat modeling is one way to make sure\r\nyou have these logs and investigative processes set up should you need to investigate.\r\nFor details on how Mandiant can assist with your cloud security, please check out the following resources:\r\nSecurity Assessment for Microsoft 365\r\nCloud Architecture and Security Assessment\r\nCritical Attack Path\r\nThe following attack path diagram visualizes how the actor accessed a wide range of cloud platforms from outside\r\na standard perimeter in this scenario. The actor also used cloud technologies to interact with systems in the non-cloud environment through connections and integrations.\r\nInfrastructure Logging Checklist\r\nThe following checklist is designed to be copied or printed for your cloud infrastructure logging review efforts.\r\nThe provided logs are example categories of commonly utilized event logs for forensic investigations.\r\nReference Number | Technology | Log Type\r\n1.1.1 | Cloud Virtual Machines | Configure system event logs to follow standard endpoint logging policies for authentication, user activity, and privileged account use.\r\n1.1.2 | Cloud Virtual Machines | Log virtual machine management actions such as start, pause, backup, snapshot, create, delete, and command executions.\r\n1.1.3 | Cloud Virtual Machines | Forward system logs to a log management platform or SIEM as part of standard policies and processes.\r\n1.2.1 | Cloud Applications, Containers, and Functions | Log web server access to the application including source IP address, protocol used, request parameters, response status, user agent, referrer, and response size. Ensure that the source IP address is not overwritten by proxy or load balancer technology.\r\n1.2.2 | Cloud Applications, Containers, and Functions | Log creation, modification, and access to application code.\r\n1.2.3 | Cloud Applications, Containers, and Functions | Record successful and failed authentication activity including source IP address.\r\n1.2.4 | Cloud Applications, Containers, and Functions | Log application user activity including user account, information viewed, actions performed, and sensitive data accessed.\r\n1.2.5 | Cloud Applications, Containers, and Functions | Forward system logs to a log management platform or SIEM as part of standard policies and processes.\r\n1.3.1 | Cloud Database Services | Log database user authentication and source network address.\r\n1.3.2 | Cloud Database Services | Log data access including source network address and user.\r\n1.3.3 | Cloud Database Services | Log data modification and deletion including source network address and user.\r\n1.3.4 | Cloud Database Services | Forward system logs to a log management platform or SIEM as part of standard policies and processes.\r\n1.3.5 | Cloud Database Services | Log errors and long running queries, which could be indicative of data transfer or reconnaissance.\r\n1.4.1 | Cloud File Storage | Log user authentication.\r\n1.4.2 | Cloud File Storage | Log file creation, modification, upload, and deletion events with user account, IP address, and timestamp.\r\n1.4.3 | Cloud File Storage | Log file download events with user account, source IP address, and timestamp.\r\n1.4.4 | Cloud File Storage | Log location, folder, and file permission changes.\r\n1.4.5 | Cloud File Storage | Log API access to file storage locations, folders, and files.\r\n1.4.6 | Cloud File Storage | Log file and directory listing metadata views.\r\n1.4.7 | Cloud File Storage | Turn on alerts for suspicious activity, including malware and mass downloads, if available.\r\n1.5.1 | Cloud Authentication Services | Log user authentication with timestamp, username, and source IP address.\r\n1.5.2 | Cloud Authentication Services | Log changes to user permissions and configurations.\r\n1.5.3 | Cloud Authentication Services | Log created user accounts.\r\n1.5.4 | Cloud Authentication Services | Log all successful and failed authentications to the cloud management platform.\r\n1.5.5 | Cloud Authentication Services | Log access to all cloud services for authenticated users.\r\n1.5.6 | Cloud Authentication Services | Log exported domain data.\r\n1.5.7 | Cloud Authentication Services | Turn on risk-based detections, if available.\r\n1.6.1 | Cloud Code Repositories | Log web-based code views, downloads, and edits.\r\n1.6.2 | Cloud Code Repositories | Log code management access and modification through tools such as git.\r\n1.7.1 | Cloud Logging | Log authentication to logging services.\r\n1.7.2 | Cloud Logging | Log queries executed for log data.\r\n1.7.3 | Cloud Logging | Log data exports.\r\n1.7.4 | Cloud Logging | Log modification and deletion of log data.\r\n1.8.1 | Cloud Networking | Log network flow metadata.\r\n1.8.2 | Cloud Networking | Log changes made to network configurations.\r\n1.8.3 | Cloud Networking | Log virtual IP address management actions such as create, delete, and modify.\r\nCollaboration Platform Logging Checklist\r\nReference Number | Technology | Log Type\r\n2.1.1 | Cloud Email | Log inbound and outbound email metadata. Minimum details should include: 1. Timestamp sent/received; 2. Sender; 3. Recipient(s); 4. Attachment name; 5. Sender mail server address.\r\n2.1.2 | Cloud Email | Log authentication to mailboxes.\r\n2.1.3 | Cloud Email | Log access and views of email messages.\r\n2.1.4 | Cloud Email | Log download and access of email attachments.\r\n2.1.5 | Cloud Email | Log creation, modification, and deletion of mailbox rules.\r\n2.1.6 | Cloud Email | Log deletion of messages.\r\n2.1.7 | Cloud Email | Log permission and access configuration changes to mailboxes.\r\n2.1.8 | Cloud Email | Log searches of mailboxes.\r\n2.2.1 | Cloud Chat | Log authentication of user account and source IP address.\r\n2.2.2 | Cloud Chat | Log messages sent, received, edited, and deleted.\r\n2.2.3 | Cloud Chat | Log files transferred and store content for review.\r\n2.2.4 | Cloud Chat | Log relevant data for applications connected to chat platforms.\r\n2.3.1 | Cloud File Sharing | Log user authentication.\r\n2.3.2 | Cloud File Sharing | Log file creation, modification, upload, and deletion events with user account, IP address, and timestamp.\r\n2.3.3 | Cloud File Sharing | Log file download events with user account, source IP address, and timestamp.\r\n2.3.4 | Cloud File Sharing | Log location, folder, and file permission changes.\r\n2.3.5 | Cloud File Sharing | Log API access to file storage locations, folders, and files.\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/cloud-bad-log-configurations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/cloud-bad-log-configurations"
	],
	"report_names": [
		"cloud-bad-log-configurations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e995aa218d2682cd4d83965f8cce8c05af79111.pdf",
		"text": "https://archive.orkl.eu/3e995aa218d2682cd4d83965f8cce8c05af79111.txt",
		"img": "https://archive.orkl.eu/3e995aa218d2682cd4d83965f8cce8c05af79111.jpg"
	}
}