CDR: Cloud Detection & Response
What CDR detects
Cloud audit logs are noisy. The detection set focuses on the high-signal patterns that actual cloud incidents follow:
| Tactic | Examples |
|---|---|
| Privilege escalation | Self-attached admin-equivalent policies, role assumption chains, IAM self-modification |
| Initial access | New user creation outside business hours, IP from anonymising service |
| Persistence | Backdoor IAM user, scheduled function with broad permissions, new SSH key on a VM |
| Discovery | Burst of IAM enumeration calls |
| Lateral movement | Role assumed from unusual accounts, cross-cloud token use |
| Defense evasion | Audit-log disabled, log retention shortened, bucket logging removed |
| Exfiltration | High-volume object reads, cross-account share creation, snapshot copied to another account |
| Impact | Resource group / project deletion, encryption key destruction |
Every rule carries a MITRE ATT&CK technique and tactic mapping, so detections can be correlated with the rest of your threat model. For example:
- T1078.004 Cloud Accounts
- T1567.002 Exfiltration to Cloud Storage
- T1078.001 Default Accounts
How CDR consumes logs
| Cloud | Source |
|---|---|
| Scaleway | Audit logs |
| AWS | CloudTrail |
| GCP | Cloud Audit Logs |
| Azure | Activity Log |
OVHcloud CDR is on the roadmap and not in scope today.
Setup adds one permission to your read-only credential: the ability to read the audit-log stream. That's it. We never touch your data plane.
Findings vs incidents
CDR produces two related shapes:
- Findings: individual events that match a detection rule. Most are interesting on their own; some only matter in clusters.
- Incidents: auto-grouped findings that share an actor (identity, source IP) and a time window. An incident with eight privilege-escalation findings from one identity is one thing to triage, not eight.
Incidents have their own status workflow (OPEN, INVESTIGATING, CONTAINED, RESOLVED) and a timeline view.
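One way the auto-grouping described above can be implemented, as an added example that is not the product's own code; the finding fields, rule names, sample actors and the 30-minute window are assumptions made for the illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Finding:
    """One event that matched a detection rule (field names are assumed)."""
    rule: str          # detection rule that fired
    identity: str      # acting principal
    source_ip: str     # source address of the API call
    timestamp: datetime

@dataclass
class Incident:
    """Findings that share an actor (identity, source IP) and a time window."""
    actor: tuple
    findings: list = field(default_factory=list)
    status: str = "OPEN"   # OPEN -> INVESTIGATING -> CONTAINED -> RESOLVED

    @property
    def last_seen(self) -> datetime:
        return max(f.timestamp for f in self.findings)

def group_into_incidents(findings, window=timedelta(minutes=30)):
    """Walk findings in time order; a finding joins the actor's most recent
    incident if it falls within `window` of that incident's last finding,
    otherwise it opens a new incident for that actor."""
    incidents, latest = [], {}   # latest: actor -> its newest Incident
    for f in sorted(findings, key=lambda f: f.timestamp):
        actor = (f.identity, f.source_ip)
        inc = latest.get(actor)
        if inc is None or f.timestamp - inc.last_seen > window:
            inc = Incident(actor=actor)
            incidents.append(inc)
            latest[actor] = inc
        inc.findings.append(f)
    return incidents

# Constructed sample: eight privilege-escalation findings from one identity in a few
# minutes, one unrelated finding, and one more from the first identity hours later.
T0 = datetime(2024, 1, 1, 3, 0)
SAMPLE = (
    [Finding("iam_self_attach_admin_policy", "alice", "203.0.113.5",
             T0 + timedelta(minutes=i)) for i in range(8)]
    + [Finding("new_user_off_hours", "bob", "198.51.100.7", T0 + timedelta(minutes=2))]
    + [Finding("iam_enumeration_burst", "alice", "203.0.113.5", T0 + timedelta(hours=3))]
)

if __name__ == "__main__":
    for inc in group_into_incidents(SAMPLE):
        print(inc.status, inc.actor, len(inc.findings), "finding(s)")
```

The eight findings from the first actor collapse into a single OPEN incident, while the same actor's finding three hours later falls outside the window and opens a second one.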
Response actions
For a subset of detections we can suggest, and with explicit approval execute, response actions:
- Disable an IAM user.
- Revoke an active session.
- Detach a recently-attached policy.
- Quarantine a security group (replace its rules with deny-all).
By default, all response actions are suggestions only. Auto-execution is opt-in per rule. The full action catalogue is on the Runtime module page.
What's next
- The Runtime (CDR) module
- CIEM, Identity & entitlements: the posture counterpart to CDR's runtime view of identities
- Toxic combinations: when a CDR alert lands on a resource that already sits on an attack path, you have an active incident