Cloud detection and response (CDR) in Log360

Cloud workloads, SaaS apps, and on-prem systems live in different consoles, and attackers count on the gaps between them. Log360 brings AWS, Azure, GCP, Microsoft 365, and Salesforce activity into the same SIEM as your endpoints, AD, and firewalls. Detection runs against the combined dataset, so a compromise that starts in the cloud and lands on a server gets caught as one chain.

How Log360 benefits your organization

 

One view across every cloud you run:

Native collectors for AWS (CloudTrail, GuardDuty, VPC Flow Logs, S3), Azure (Activity Logs, Microsoft Entra ID, Defender), GCP (Cloud Audit Logs), Microsoft 365, Salesforce, and Box, all normalized into the same schema.

 

Detect cloud-specific attack patterns:

Prebuilt correlation rules for IAM misuse, anomalous API calls, public S3 buckets, cross-account role assumption, and impossible-travel logins. UEBA baselines per cloud identity.

 

Respond inside the same platform:

Automated playbooks revoke IAM roles, disable users in Microsoft Entra ID, isolate compromised instances, and block malicious IPs at the cloud firewall, with native SOAR included.

 

Sanctioned and shadow-app visibility:

An integrated CASB layer tracks which cloud apps users actually touch, flags risky usage, and stops data movement to unsanctioned platforms.

How Log360 unifies threat management across your environment

Cloud detection and response in Log360 runs on four pillars: unified cloud telemetry, cloud-native threat detection, behavior analytics for cloud identities, and automated response that acts on cloud control planes. Together, they close the visibility gap between cloud and on-prem.

  • Unified telemetry across AWS, Azure, GCP, and SaaS
  • Detection built for cloud attack patterns
  • Behavior analytics for cloud identities
  • Automated response on the cloud control plane
  •  

Unified telemetry across AWS, Azure, GCP, and SaaS

The starting point for cloud detection is getting the logs in. Log360 collects from the major public clouds and the SaaS apps that sit on top of them, then normalizes everything into the same schema as on-prem sources.

  • Amazon Web Services: CloudTrail, GuardDuty, VPC Flow Logs, S3 access logs, CloudFront, Lambda, EKS. Audit who did what across accounts, regions, and services.
  • Microsoft Azure: Activity Logs, Microsoft Entra ID sign-ins, Defender for Cloud alerts, Network Security Group flow logs. Track identity, control plane, and network layers in one place.
  • Google Cloud Platform: Cloud Audit Logs, VPC Flow Logs, IAM activity, Cloud Storage access. Catch privilege misuse and data access anomalies across projects.
  • SaaS platforms: Microsoft 365, Salesforce, Box, and Google Workspace audit feeds, including OneDrive, SharePoint, Teams, and Exchange Online activity.

Benefit: Cloud activity stops sitting in three different consoles and starts living in the same index as the rest of the environment.

Comprehensive MITRE ATT&CK-mapped detection rules

Detection built for cloud attack patterns

Cloud attacks don't look like on-prem attacks. The control plane is the new perimeter, IAM is the new firewall, and API calls are the new logon events. Log360 ships detections built for that shape of attack.

  • IAM and identity abuse: Detect cross-account role assumption, escalation through policy attachment, console logins without MFA, and access keys used from unexpected geographies.
  • Misconfigurations turning into incidents: Public S3 buckets, security groups opened to 0.0.0.0/0, disabled CloudTrail, and modifications to log destinations.
  • API call anomalies: Sudden spikes in RunInstances, CreateAccessKey, PutBucketPolicy, or AssumeRole against a user's baseline.
  • Impossible travel and concurrent session detection: Across Microsoft Entra ID, AWS console logins, and Salesforce sessions, using behavior analytics.
  • MITRE ATT&CK Cloud Matrix coverage: All cloud rules are mapped to the Cloud Matrix so the SOC can see which cloud techniques are covered and which aren't.

Benefit: The cloud doesn't get its own siloed detection stack. It uses the same rules engine and the same ATT&CK mapping as the rest of the SIEM.

Streamlined threat investigation with Zia Insights

Behavior analytics for cloud identities

Static rules catch the obvious moves. UEBA catches the ones that look like normal work until they aren't. Log360 baselines every cloud identity individually and scores deviations in real time.

  • Per-identity baselines: Normal API call volume, normal services touched, normal source ASNs, normal hours. Deviations get a risk score, not just an alert.
  • Privileged-account focus: Higher sensitivity on IAM admins, root accounts, and global admins in Microsoft Entra ID, because the blast radius is bigger.
  • Cross-cloud correlation: A user logging into AWS from one IP and Microsoft Entra ID from another IP at the same time gets flagged, even though each individual login looks fine.
  • Insider and compromised-account detection: Catches data access spikes in OneDrive, mass file shares in SharePoint, and bulk database exports that look routine to a static rule.

Benefit: Account takeover and insider misuse get caught from behavior, not from signatures the attacker already knows how to dodge.

MITRE ATT&CK-aligned dashboards

Automated response on the cloud control plane

Detection without response is a dashboard. Log360's native SOAR acts on the cloud directly, with no separate response product to license.

  • Identity actions: Disable a user in Microsoft Entra ID, force a password reset, revoke active sessions, and remove newly enrolled MFA factors.
  • IAM actions on AWS: Revoke an access key, detach a policy, deny a role assumption, and quarantine an IAM user pending review.
  • Workload isolation: Update a security group to block traffic to a compromised EC2 instance, or stop the instance through the AWS API.
  • Bucket and storage protection: Revoke public access on an S3 bucket, alert on the change, and create a ServiceDesk Plus ticket for the bucket owner.
  • ITSM integration: Two-way sync with ServiceDesk Plus, Jira, and Zendesk, with severity mapped to each platform's priority scheme.

Benefit: The cloud incident doesn't have to wait for someone to log into a cloud console. The response runs from the same place the detection fired.

Automated response with MITRE ATT&CK-aligned playbooks

Cloud detection and response in action

Three scenarios drawn from the prebuilt playbook library. Each one follows the same enrich, decide, respond pattern.

  • Scenario 2: Microsoft 365 account takeover (High, MITRE T1078)

    Log360 catches an impossible-travel sign-in followed by mailbox forwarding and shuts the account down before data leaves.

    Example scenario: A Microsoft 365 user signs in from one country and then from another country 20 minutes later, then creates a mailbox forwarding rule to an external address.

  • Scenario 3: Public S3 bucket exposure (High, MITRE T1530)

    Log360 catches a bucket policy change that opens an S3 bucket to the internet, reverts the change, and routes the incident to the bucket owner.

    Example scenario: A developer applies a bucket policy that grants s3:GetObject to *, exposing customer data to the public internet.

How Log360 responds:

  • Detection and AI enrichment: CloudTrail data triggers a correlation rule. Zia Insights summarizes the activity, maps it to T1078.004, and pulls IP reputation and geolocation.
  • Automated containment: The "Compromised Access Key" playbook deactivates the access key through the AWS API, detaches the policies attached during the session, stops the EC2 instances launched by the key, and notifies the SOC and the IAM user's manager.
  • Collaborative tracking: A critical-priority ticket is created in ServiceDesk Plus and synced two ways as remediation moves forward.

How Log360 responds:

  • Detection: Microsoft Entra ID sign-in logs trigger an impossible-travel rule. The mailbox forwarding rule trips a separate correlation rule. Log360 ties them together into one incident.
  • Automated response: The "Microsoft 365 account compromise" playbook disables the user in Microsoft Entra ID, revokes active sessions and refresh tokens, removes the mailbox forwarding rule, removes newly enrolled MFA factors, and notifies the SOC.
  • Forensics: The Incident Workbench renders the sign-in path, the mailbox activity, and any SharePoint or OneDrive access during the session.

How Log360 responds:

  • Detection: A correlation rule on CloudTrail PutBucketPolicy events flags the change. The rule also checks whether the bucket contains data classified as sensitive by the DLP layer.
  • Automated containment: The "Public bucket exposure" playbook reverts the bucket policy to the prior version, enables S3 Block Public Access on the bucket, snapshots the bucket access logs for the exposure window, and notifies the bucket owner and the cloud security team.
  • Audit trail: Every step is logged in the incident's activity trail for compliance review.

Bring cloud detection and response into one platform

Cloud, SaaS, and on-prem belong in the same workflow. Log360 keeps them there, with no separate cloud SIEM, no separate CASB product, and no per-execution SOAR fee.

Elevate your security posture

Log360's unified SIEM platform is built for modern SOCs, with scalable architecture, deep detection, and an extensibility layer that runs across every phase of the security lifecycle.

 

Scalable and resilient platform

A distributed, high-availability architecture that supports growing log volumes and keeps collection, indexing, and analysis running.

Learn more  
 

Real-time security analytics

Unified insight across endpoints, networks, and cloud, so detection, investigation, and response work from one view.

Learn more  
 

Advanced threat detection

Over 2,000 MITRE ATT&CK-mapped correlation rules and UEBA to spot multi-stage attacks like insider threats and anomalous behavior.

Learn more  
 

Integrated CASB

Sanctioned and shadow cloud app visibility, with policy controls for risky use and data movement.

Learn more  
 

Streamlined compliance management

Coverage for over 30 regulatory mandates including GDPR, HIPAA, and PCI DSS, with secure log archiving and audit-ready reports.

Learn more  
 

Flexible, extensible security ecosystem

Native integration with hybrid infrastructures, with room to extend without disrupting the work already running.

Learn more  
  •  

    We wanted to make sure that one, we can check the box for different security features that our clients are looking for us to have, and two, we improve our security so that we can harden our security footprint.

    Carter Ledyard

  •  

    The drill-down options and visual dashboards make threat investigation much faster and easier. It’s a truly user-friendly solution.

    Sundaram Business Services

  •  

    Log360 helped detect insider threats, unusual login patterns, privilege escalations, and potential data exfiltration attempts in real time.

    CIO, Northtown Automotive Companies

  •  

    Before Log360, we were missing a centralized view of our entire infrastructure. Now, we can quickly detect potential threats and respond before they escalate.Log360 has been invaluable for improving our incident response and ensuring compliance with audit standards. It’s a game-changer for our team.

    ECSO 911

Fill this form to schedule a
personalized web demo

  • By clicking " Submit", you agree to processing of personal data according to the Privacy Policy.

Your request for a demo has been submitted successfully. Our support technicians will get backto you at the earliest.

FAQs

Cloud detection and response is the practice of detecting threats across cloud workloads, identities, and SaaS apps, and responding to them through automated actions on the cloud control plane. Log360 runs CDR as part of the same SIEM that handles on-prem activity, so cloud telemetry and on-prem telemetry sit in one index.

CSPM (cloud security posture management) finds misconfigurations. CWPP (cloud workload protection) protects the workload itself. CDR is the detection-and-response layer that watches activity, finds threats, and acts on them. Log360 focuses on CDR and integrates with CASB for SaaS coverage.

AWS, Azure, GCP, Microsoft 365 (including Microsoft Entra ID, Exchange, SharePoint, OneDrive, Teams), Salesforce, Box, and Google Workspace. Detection runs against the combined dataset alongside on-prem sources.

Yes. Cloud detections are mapped to the MITRE ATT&CK Cloud Matrix, and a dedicated dashboard shows which cloud tactics and techniques are active.

Yes. Native SOAR playbooks can disable users in Microsoft Entra ID, deactivate AWS access keys, revoke IAM roles, stop EC2 instances, and revert S3 bucket policies, among other actions.

The integrated CASB layer surfaces sanctioned and shadow app usage from network and proxy logs, flags risky apps, and can block data movement to unsanctioned destinations through policy.

No. Cloud telemetry collectors, cloud detection rules, UEBA for cloud identities, CASB, and SOAR are all part of the Log360 platform.

Cloud detections create incidents in the same incident workbench as on-prem alerts. A cloud incident that spreads to an on-prem host shows up as one chain, with one set of playbook actions covering both sides.

From alerts to action

Use Log360 to detect, hunt, enrich, and respond from one console. Cut tool sprawl, cut hand-offs, and cut the time it takes to close out a real threat.