The slides from Eugene Kogan's talk on cloud security monitoring at Auth0, presented at Security BSides Seattle, 2017. More details at our blog: https://auth0.engineering/cloud-security-monitoring-at-auth0-ff5e87ad1141
22. _sourceCategory=cloudtrail_aws_logs*
| json auto
| where event_name matches "*Trail" or event_name matches "StartLogging" or event_name matches "StopLogging"
| lookup awsaccountname from /shared/awsaccounts on recipient_account_id = awsaccountid
| count as count by event_name, recipient_account_id, awsaccountname, user_name, principle_id, accesskey_id
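The same trail-tampering check run over raw CloudTrail records, as an added example that is not from the slides. It assumes the query's snake_case fields correspond to CloudTrail's eventName, recipientAccountId and userIdentity members, uses case-sensitive glob matching, and replaces the shared lookup with a constructed table; the sample records are constructed.

```python
import fnmatch
import json
from collections import Counter

# Event-name globs taken from the query on the slide.
PATTERNS = ("*Trail", "StartLogging", "StopLogging")

# Constructed stand-in for the shared account-name lookup table.
ACCOUNT_NAMES = {"111111111111": "prod", "222222222222": "dev"}

def _identity(rec):
    """Return (user_name, principal_id, access_key_id) for one record."""
    ident = rec.get("userIdentity") or {}
    # Assumed-role sessions carry no userName; use the issuing role's name.
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    user = ident.get("userName") or issuer.get("userName", "")
    return user, ident.get("principalId", ""), ident.get("accessKeyId", "")

def trail_changes(log_text):
    """Count matching events per (event, account, account name, identity)."""
    counts = Counter()
    for rec in json.loads(log_text).get("Records", []):
        name = rec.get("eventName", "")
        if not any(fnmatch.fnmatchcase(name, p) for p in PATTERNS):
            continue
        acct = rec.get("recipientAccountId", "")
        key = (name, acct, ACCOUNT_NAMES.get(acct, "unknown")) + _identity(rec)
        counts[key] += 1
    return counts

def _rec(event, acct, identity):
    return {"eventName": event, "recipientAccountId": acct, "userIdentity": identity}

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
ALICE = {"type": "IAMUser", "userName": "alice",
         "principalId": "AIDAEXAMPLEALICE", "accessKeyId": "AKIAEXAMPLEALICE"}
ROLE = {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLE:session1",
        "accessKeyId": "ASIAEXAMPLEROLE",
        "sessionContext": {"sessionIssuer": {"userName": "ops-role"}}}
SAMPLE = json.dumps({"Records": [
    _rec("StopLogging", "111111111111", ALICE),
    _rec("StopLogging", "111111111111", ALICE),
    _rec("DeleteTrail", "222222222222", ROLE),
    _rec("DescribeTrails", "111111111111", ALICE),  # ends in "s": no match
    _rec("ConsoleLogin", "333333333333", ALICE),    # unrelated event
]})

if __name__ == "__main__":
    for key, n in trail_changes(SAMPLE).most_common():
        print(n, *key)
```

An account id missing from the lookup table is reported as "unknown" rather than dropped, so activity in an unregistered account still surfaces.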
33. You should be doing cloud security monitoring today.
34. Action items
Know which cloud services your organization uses
Have a modern platform for collection, analysis, alerting
Collect the right data from cloud and internal systems
Use this data wisely
Ensure your staff has the right skills to do all of the above