Abstract
In fully managed serverless environments, cloud service providers handle the underlying infrastructure, reducing application developers’ operational and maintenance efforts. However, these environments limit the use of traditional cybersecurity frameworks and tools, compromising observability and situational awareness capabilities for security tasks (e.g., risk assessment, incident response). Additionally, existing security frameworks for serverless applications often lack generalizability across architectures and require specialized expertise. In this paper, we propose a three-layer security stack for fully managed serverless applications. The first layer establishes a foundational generic ontology that models serverless application resources and their interactions using API logs. In the second layer, the ontology is leveraged via a perimeterless pipeline to map the logs into a unified application activity knowledge graph (KG). In the third layer, two situational awareness tools that utilize the graph-based representation are implemented: (1) an incident response dashboard that leverages the ontology to visualize and examine application activity logs in the context of cybersecurity alerts; our user study showed that this dashboard enabled participants to respond 10% more accurately and almost twice as fast as with the examined baseline tool, and (2) a criticality of asset (CoA) risk assessment framework that enables efficient expert-based prioritization in cybersecurity contexts; our expert-based questionnaire demonstrated strong agreement, achieving a Kendall-W score of 0.7179.
| Original language | English |
|---|---|
| Pages (from-to) | 1161-1176 |
| Number of pages | 16 |
| Journal | IEEE Transactions on Cloud Computing |
| Volume | 13 |
| Issue number | 4 |
| DOIs | |
| State | Published - 1 Jan 2025 |
Keywords
- Cloud
- cloud computing
- cloud forensics
- monitoring
- security
ASJC Scopus subject areas
- Software
- Information Systems
- Hardware and Architecture
- Computer Science Applications
- Computer Networks and Communications