← detection engineer
Take Quiz →
Cloud Detection Engineering — AWS, Azure, GCP, SaaS, Identity
advanced 5h
Author cloud-specific detections covering identity attack paths, data exfil, persistence, and SaaS log sources.
After this module you will
- › Map the cloud kill chain and enumerate persistence options per provider
- › Write AWS detections for assumed-role chains and persistent IAM changes
- › Write Azure/Entra ID detections for service principal abuse and consent grants
- › Author GCP detections covering service account impersonation
- › Identify what SaaS logs (Okta, GitHub, Slack) contain and what they miss
Lessons
1 The Cloud Kill Chain — How Attacks Differ in AWS, Azure, and GCP
20 min 2 AWS Detection Patterns — CloudTrail, GuardDuty, and IAM Analysis
25 min 3 Azure and Entra ID Detection — Sign-in Logs, Activity Logs, and Defender
25 min 4 GCP Detection — Cloud Audit Logs, IAM Anomalies, and Workspace
20 min 5 SaaS Log Sources — M365, Okta, and the Unified Audit Log
25 min Module Quiz
Test your knowledge before moving on.