Cloud Console Cartographer: Tapping Into Mapping - Slogging Thru Logging

Learn how attackers exploit cloud consoles through logging gaps. Deep dive into AWS/Azure logging differences, noise reduction strategies & practical investigation tips.

Key takeaways
  • Cloud console sessions generate large volumes of noisy logs - a single UI click can produce hundreds of events in the background
  • Key differences exist between cloud providers:
    • AWS logs both read and change events extensively
    • Azure mainly logs change/update events
    • AWS CloudTrail retention is 90 days vs Azure’s 30 days
  • Two main types of cloud logging:
    • Control plane logs (configuration/management actions)
    • Data plane logs (resource access/operations)
  • Attackers (like Scattered Spider) still actively use cloud consoles due to:
    • Console access bypassing CLI/SDK restrictions
    • Easier enumeration of resources
    • Fewer logging limitations than the APIs
  • Critical logging considerations:
    • Enable proper log collection and retention
    • Monitor log pipeline health
    • Understand logging limitations per service
    • Account for costs and volume
  • Signal mapping helps reduce noise by:
    • Grouping related events together
    • Identifying anchor events vs optional events
    • Providing context for user actions
    • Extracting relevant metadata
  • Tool features for log analysis:
    • Two-pass approach for event labeling and signal generation
    • Dynamic URL and summary updates
    • Filtering and visualization capabilities
    • Merging of adjacent signals
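The signal mapping and two-pass tooling described in the two bullets above, as an added Python sketch that is not the talk's tool: pass one labels each constructed CloudTrail-style event as an anchor, an optional background call, or unmapped; pass two folds them into per-action signals, merges adjacent repeats (a page refresh), keeps unmapped change events visible, and extracts summary metadata. The signal definitions, user names and IP address are hypothetical.

```python
# Added example, not the talk's tool: a toy two-pass signal mapper over constructed CloudTrail-style events.
SIGNALS = {  # hypothetical signal definitions: anchor eventName -> (label, optional background calls)
    "ListBuckets": ("Viewed S3 bucket list", {"GetBucketLocation", "GetBucketAcl"}),
    "DescribeInstances": ("Viewed EC2 instances", {"DescribeInstanceStatus", "DescribeTags"}),
}
OPTIONAL = {opt: anchor for anchor, (_, opts) in SIGNALS.items() for opt in opts}

def label_events(events):
    """Pass 1: tag each event as an anchor, an optional call belonging to an anchor, or unmapped."""
    labeled = []
    for ev in events:
        name = ev["eventName"]
        kind, anchor = ("anchor", name) if name in SIGNALS else \
            ("optional", OPTIONAL[name]) if name in OPTIONAL else ("unmapped", None)
        labeled.append({**ev, "kind": kind, "anchor": anchor})
    return labeled

def build_signals(labeled):
    """Pass 2: fold events into one signal per user action. A repeated anchor (page refresh) or its
    optional calls merge into the adjacent signal for that user; unmapped events are never hidden."""
    signals = []
    for ev in labeled:
        key = (ev["userIdentity"], ev["anchor"])
        if ev["kind"] != "unmapped" and signals and signals[-1]["key"] == key:
            signals[-1]["events"].append(ev)
        else:
            label = SIGNALS[ev["anchor"]][0] if ev["anchor"] else ev["eventName"]
            signals.append({"key": key, "label": label, "events": [ev]})
    return signals

def summarize(signal):
    """Extract the metadata an analyst wants per signal: who, what, when, from where, how many calls."""
    evs = signal["events"]
    return {"user": signal["key"][0], "label": signal["label"], "count": len(evs),
            "first": evs[0]["eventTime"], "last": evs[-1]["eventTime"],
            "ips": sorted({e["sourceIPAddress"] for e in evs}), "agents": sorted({e["userAgent"] for e in evs})}

def map_console_events(events):
    ordered = sorted(events, key=lambda e: e["eventTime"])  # stable sort keeps same-second order
    return [summarize(s) for s in build_signals(label_events(ordered))]

def _ev(t, name, user="alice", ip="203.0.113.5", ua="console.amazonaws.com"):
    return {"eventTime": f"2024-05-01T10:{t}Z", "eventName": name, "userIdentity": user,
            "sourceIPAddress": ip, "userAgent": ua}
SAMPLE_EVENTS = [  # constructed: one S3 page view, a refresh, a bucket deletion, then an EC2 page view
    _ev("00:00", "ListBuckets"), _ev("00:01", "GetBucketLocation"), _ev("00:01", "GetBucketAcl"),
    _ev("00:02", "GetBucketLocation"), _ev("00:30", "ListBuckets"), _ev("00:31", "GetBucketLocation"),
    _ev("01:00", "DeleteBucket"), _ev("02:00", "DescribeInstances"), _ev("02:01", "DescribeTags"),
]
```

Nine raw events collapse into three signals, and the single DeleteBucket change event is not absorbed into the surrounding read noise.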
  • Proper event normalization and baselining are crucial for:
    • Reducing false positives
    • Understanding normal vs suspicious activity
    • Identifying service-specific logging patterns
  • Successful cloud logging strategy requires:
    • Full permissions for comprehensive visibility
    • Understanding of service-specific logging behaviors
    • Proper storage and retention configuration
    • Automated analysis capabilities
  • Manual investigation challenges include:
    • High volume of background events
    • Inconsistent logging across services
    • Complex user agent variations
    • Need for extensive spreadsheet tracking