The append-only record every cloud provider keeps of API calls made against the cloud control plane.
Every cloud has an audit-log service: AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs. Each entry records who (the IAM identity), what (the API method), when, where (source IP, user-agent), and the request and response payloads.
Cloud audit logs are the foundational data source for cloud-detection engineering. DCV's coverage matrix is built almost entirely on what is detectable in cloud audit logs. Endpoint techniques (process injection, browser-stored credential theft) require EDR; network techniques (lateral movement over SMB, DNS tunnelling) require NDR; cloud audit logs cover the cloud control plane and nothing else.