cloud
Create a cloud investigation view with faceted summaries of cloud activity, grouped by provider, account, region, service, or resource.
Description
The cloud command builds an interactive investigation view for cloud infrastructure activity. It groups and summarizes cloud events across providers (AWS, GCP, Azure) and lets you drill down by account, region, service, or individual resource. Optionally includes MFA usage analysis.
Syntax
... | cloud [by=<dimension>] [show_mfa=<true|false>]
Optional Arguments
by
Syntax: by=<dimension>
Description: Primary grouping dimension for the cloud view.
Values: provider, account, region, service, resource
Default: service
show_mfa
Syntax: show_mfa=<true|false>
Description: Include an MFA usage analysis panel in the view.
Default: false
Grouping Dimensions
| Dimension | Groups by | Cloud Field |
|---|---|---|
| provider | Cloud provider (AWS, GCP, Azure) | cloud_provider |
| account | Cloud account ID | cloud_account_id |
| region | Cloud region | cloud_region |
| service | Cloud service (IAM, EC2, S3, etc.) | cloud_service |
| resource | Individual resource | resource_id, resource_name, resource_type |
Cloud View
The cloud view displays:
- Summary Cards — Event counts, unique accounts/regions/services, top activity types
- Activity Breakdown — Faceted summary grouped by the selected dimension
- Top Activities — Most common cloud actions within each group
- MFA Panel (optional) — MFA usage statistics across accounts and users
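As an added illustration, not the command's own implementation, the following Python models the faceting the view performs: the dimension-to-field mapping from the table above, the summary cards, the per-group top activities, and the optional MFA panel. It runs over constructed UDM-style events; the `action` and `mfa_used` field names are assumptions, as is treating `ConsoleLogin` as the authentication event the MFA panel counts.

```python
from collections import Counter

# Dimension -> UDM cloud field(s), as listed in the Grouping Dimensions table.
DIMENSION_FIELDS = {
    "provider": ("cloud_provider",),
    "account": ("cloud_account_id",),
    "region": ("cloud_region",),
    "service": ("cloud_service",),
    "resource": ("resource_id", "resource_name", "resource_type"),
}

# Constructed sample events in UDM-like shape (not real telemetry).
# "action" and "mfa_used" are assumed field names for the event type and MFA flag.
EVENTS = [
    {"cloud_provider": "aws", "cloud_account_id": "111111111111", "cloud_region": "us-east-1",
     "cloud_service": "iam", "action": "ConsoleLogin", "mfa_used": True},
    {"cloud_provider": "aws", "cloud_account_id": "111111111111", "cloud_region": "us-east-1",
     "cloud_service": "iam", "action": "ConsoleLogin", "mfa_used": False},
    {"cloud_provider": "aws", "cloud_account_id": "222222222222", "cloud_region": "eu-west-1",
     "cloud_service": "s3", "resource_id": "r-2", "resource_name": "bucket-a",
     "resource_type": "bucket", "action": "GetObject"},
    {"cloud_provider": "gcp", "cloud_account_id": "proj-1", "cloud_region": "europe-west1",
     "cloud_service": "iam", "action": "SetIamPolicy"},
]

def facet(events, by="service", show_mfa=False):
    # Build the summary cards, the per-group breakdown and the optional MFA panel.
    if by not in DIMENSION_FIELDS:
        raise ValueError(f"unknown dimension: {by}")
    groups = {}
    for ev in events:
        # Multi-field dimensions (resource) are keyed on all their fields; an unpopulated
        # field is surfaced as "(missing)" so gaps in log sources stay visible.
        key = "/".join(str(ev.get(f, "(missing)")) for f in DIMENSION_FIELDS[by])
        groups.setdefault(key, Counter())[ev.get("action", "(unknown)")] += 1
    view = {
        "summary": {
            "events": len(events),
            "unique_accounts": len({e.get("cloud_account_id") for e in events}),
            "unique_regions": len({e.get("cloud_region") for e in events}),
            "unique_services": len({e.get("cloud_service") for e in events}),
            "top_activities": Counter(e.get("action", "(unknown)") for e in events).most_common(3),
        },
        "breakdown": {k: {"count": sum(c.values()), "top_activities": c.most_common(3)}
                      for k, c in groups.items()},
    }
    if show_mfa:  # assumed: MFA usage is judged on ConsoleLogin events only
        logins = [e for e in events if e.get("action") == "ConsoleLogin"]
        view["mfa"] = {"logins": len(logins), "with_mfa": sum(1 for e in logins if e.get("mfa_used")),
                       "without_mfa": sum(1 for e in logins if not e.get("mfa_used"))}
    return view
```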
Examples
Investigate all AWS activity
cloud_provider=aws | cloud
Group by account
cloud_provider=aws | cloud by=account
Group by region
cloud_provider=gcp | cloud by=region
Investigate a specific service
cloud_service=iam | cloud by=account
Include MFA analysis
cloud_service=iam | cloud by=account show_mfa=true
Group by resource
cloud_service=s3 | cloud by=resource
Investigate cross-provider activity
* | cloud by=provider
Narrow to a specific account and investigate services
cloud_account_id="123456789012" | cloud
Usage Notes
Filter first: Narrow your search to relevant cloud events before piping to cloud. The command works best when scoped to a provider, account, or service.
Cloud fields: The command relies on UDM cloud fields (cloud_provider, cloud_account_id, cloud_region, cloud_service, resource_id, resource_name, resource_type). Ensure your log sources populate these fields.
MFA panel: The show_mfa=true option adds an MFA usage analysis panel, useful for IAM investigations. It works best when filtered to authentication-related services (e.g., cloud_service=iam).