Examples relate to distributed detection of malicious cloud actors. In some examples, outgoing cloud packets from the cloud server are intercepted and processed to determine if a preliminary threshold is exceeded, where the outgoing cloud packets are used to identify a customer. At this stage, a potential outgoing intrusion event of a number of potential outgoing intrusion events is generated when the preliminary threshold is exceeded. The potential outgoing intrusions events are used to update an aggregate log, where the aggregate log tracks a customer subset of the cloud servers that is associated with the customer. In response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, a notification of malicious activity by the customer is provided, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.