Commercial cloud services bring an ever growing number of exciting new capabilities to an organizations, and the security teams need new ways to protect and defend. In this chat, we will take the case of the Capital One Breach and investigate the attacker’s mode of operation. We then turn our attention to the cloud security practitioners best investigative tool, the cloud API logs. We dive into the AWS CloudTrail logs and Azure Activity Log and how we can use them to find the clues the attacker is leaving in them. This material is directly related to SEC541: Cloud Security Monitoring and Threat Detection.