Serverless Workload Cannot Host EDR Agent

The compromised workload is serverless (AWS Lambda, GCP Cloud Functions, Azure Functions, Cloudflare Workers) and cannot host a traditional EDR agent. Execution environments are ephemeral and container-isolated; evidence must come from cloud-provider execution logs, function code/config, trigger/event sources, and attached IAM role activity.

Signals

  • Suspected compromise points to a serverless resource (Lambda ARN, Cloud Function name)
  • Standard EDR console has no agent for the affected compute
  • CloudTrail / Cloud Audit Logs show abnormal invocation or configuration patterns for the function

Pivot Actions

  1. Pull function code and environment variables via provider CLI (`aws lambda get-function`, `gcloud functions describe`) -- preserve before any rollback
  2. Pull execution and invocation logs (CloudWatch Logs for Lambda, Cloud Logging for GCF, Application Insights for Azure Functions) covering the compromise window
  3. Pull CloudTrail / Cloud Audit events for the function ARN: `UpdateFunctionCode`, `UpdateFunctionConfiguration`, `PublishLayerVersion`, role-attachment changes
  4. Pull execution-role activity: trace what AWS/GCP/Azure APIs the function called with the attached role during the window
  5. Check layer/package sources (Lambda Layers, GCF deployed packages) for supply-chain indicators; validate integrity against expected digest
  6. Enable distributed tracing (AWS X-Ray, Cloud Trace, Application Insights) for near-term visibility during active investigation
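The following is an added example of steps 3 to 5 above for the AWS Lambda case; it is not part of the original playbook. It triages a CloudTrail export into two views: configuration changes against the function ARN (`UpdateFunctionCode`, `UpdateFunctionConfiguration`, `PublishLayerVersion`) and API calls made by the function's execution role, merged into one timeline bounded by the compromise window. It also checks a downloaded deployment package against the `CodeSha256` that `aws lambda get-function` reports, which is the base64-encoded SHA-256 of the zip. The records, function ARN, role ARN, account id and IP addresses are constructed placeholders; field names follow the CloudTrail record schema, and Lambda event names are matched by prefix because CloudTrail appends an API-version suffix to some of them (for example `UpdateFunctionCode20150331v2`).

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Constructed placeholders for a hypothetical function and its execution role.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-webhook"
EXEC_ROLE_ARN = "arn:aws:iam::123456789012:role/order-webhook-exec"
WINDOW = ("2024-05-01T10:00:00Z", "2024-05-01T11:00:00Z")

# Lambda event names that change what the function runs or what it may do.
CONFIG_CHANGE_PREFIXES = ("UpdateFunctionCode", "UpdateFunctionConfiguration",
                          "PublishLayerVersion")

# Constructed sample CloudTrail export (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deployer"},
     "requestParameters": {"functionName": "order-webhook"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deployer"},
     "requestParameters": {"functionName": "order-webhook",
                           "role": "arn:aws:iam::123456789012:role/admin-wide"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/order-webhook-exec/order-webhook",
                      "sessionContext": {"sessionIssuer": {"arn": EXEC_ROLE_ARN}}}},
    {"eventTime": "2024-05-01T10:21:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/order-webhook-exec/order-webhook",
                      "sessionContext": {"sessionIssuer": {"arn": EXEC_ROLE_ARN}}}},
    # Outside the window: a routine deploy weeks earlier.
    {"eventTime": "2024-04-20T09:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deployer"},
     "requestParameters": {"functionName": "order-webhook"}},
    # In the window but a different function.
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deployer"},
     "requestParameters": {"functionName": "billing-report"}},
]})


def load_records(text):
    return json.loads(text)["Records"]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(record, start, end):
    t = parse_time(record["eventTime"])
    return parse_time(start) <= t <= parse_time(end)


def targets_function(record, function_arn):
    """Match by functionName request parameter or by resource ARN."""
    name = function_arn.rsplit(":", 1)[-1]
    params = record.get("requestParameters") or {}
    if params.get("functionName") in (name, function_arn):
        return True
    return any(r.get("ARN") == function_arn for r in record.get("resources", []))


def config_changes(records, function_arn, start, end):
    """Step 3: who changed the function's code, config, layers or role, and from where."""
    return [{"time": r["eventTime"], "event": r["eventName"],
             "actor": r["userIdentity"].get("arn"), "source_ip": r.get("sourceIPAddress"),
             "params": r.get("requestParameters")}
            for r in records
            if in_window(r, start, end) and r.get("eventSource") == "lambda.amazonaws.com"
            and r["eventName"].startswith(CONFIG_CHANGE_PREFIXES)
            and targets_function(r, function_arn)]


def role_activity(records, role_arn, start, end):
    """Step 4: every API call made with the execution role, including denied ones."""
    out = []
    for r in records:
        issuer = (r.get("userIdentity", {}).get("sessionContext", {})
                  .get("sessionIssuer", {}).get("arn"))
        if issuer == role_arn and in_window(r, start, end):
            out.append({"time": r["eventTime"], "event": r["eventName"],
                        "service": r["eventSource"], "error": r.get("errorCode")})
    return out


def timeline(records, function_arn, role_arn, start, end):
    """Merge both views into one chronological list for the case file."""
    entries = [dict(kind="config-change", **e) for e in config_changes(records, function_arn, start, end)]
    entries += [dict(kind="role-activity", **e) for e in role_activity(records, role_arn, start, end)]
    return sorted(entries, key=lambda e: e["time"])


def verify_code_sha256(package_bytes, expected_code_sha256):
    """Step 5: Lambda's CodeSha256 is base64(SHA-256(zip)); compare against a preserved package."""
    actual = base64.b64encode(hashlib.sha256(package_bytes).digest()).decode()
    return actual == expected_code_sha256


if __name__ == "__main__":
    for entry in timeline(load_records(SAMPLE_TRAIL), FUNCTION_ARN, EXEC_ROLE_ARN, *WINDOW):
        print(entry)
```

Run against a real export, the `role` value on the `UpdateFunctionConfiguration` entry and the `AccessDenied` on the role's `GetSecretValue` call are the two lines to look at first: the former shows a permission change to the function, the latter shows the role probing for access it does not have.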

Alternate Evidence Sources

  • AWS Lambda: CloudWatch Logs, CloudTrail management events, X-Ray traces, function code via `get-function`
  • GCP Cloud Functions: Cloud Logging execution logs, Cloud Audit Logs, Cloud Trace, source code via `functions describe`
  • Azure Functions: Application Insights, Activity Log, Log Analytics, function code via Azure Resource Manager
  • Cloudflare Workers: Workers Trace Events, Analytics Engine, audit logs
  • Execution-role activity in the respective cloud audit trail