detecting-aws-cloudtrail-anomalies

Solid

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

AI & Automation · 12,642 stars · 1468 forks · Updated today · Apache-2.0

Quality Score: 97/100 (Stars 20%: 100; Recency 20%: 100; Frontmatter 20%: 70; Documentation 15%: 89; Issue Health 10%: 50; License 10%: 100; Description 5%: 100)

Skill Content

# Detecting AWS CloudTrail Anomalies

## Overview

AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's `lookup_events` API, building statistical baselines of normal API activity, and detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.

## When to Use

- When investigating security incidents that require detecting AWS CloudTrail anomalies
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.9+ with the `boto3` library
- AWS credentials with CloudTrail read permissions (`cloudtrail:LookupEvents`)
- Understanding of AWS IAM and common API patterns
- CloudTrail enabled in the target AWS account (management events at minimum)

## Steps

### Step 1: Query CloudTrail Events

Use the boto3 CloudTrail client's `lookup_events` to retrieve recent API activity with pagination.

### Step 2: Build Activity Baseline

Aggregate events by user, source IP, event source, and event name to establish normal behavior patterns.

### Step 3: Detect Anomalies

Flag unusual patterns: new event sources per user, first-time API calls, geographic IP changes, high error rates, and sensitive API usage (IAM, KMS, S3 policy changes).

### S...
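As an added example (not code from the skill or its repository), Steps 2 and 3 run offline over constructed records in the shape `lookup_events` returns, where `CloudTrailEvent` is a JSON string carrying `sourceIPAddress` and `errorCode`; the sensitive-API list and the error-rate threshold are assumptions to tune per account.

```python
import json
from collections import defaultdict

SENSITIVE_EVENTS = {"CreateAccessKey", "AttachUserPolicy", "PutBucketPolicy"}  # assumption: tune per account
ERROR_RATE_THRESHOLD = 0.5  # assumption: share of a user's calls in the window that returned an error
def _fields(event):
    """Flatten one lookup_events record; CloudTrailEvent is a JSON string in the real API too."""
    raw = json.loads(event["CloudTrailEvent"])
    attrs = (("event source", event["EventSource"]), ("API call", event["EventName"]),
             ("source IP", raw.get("sourceIPAddress")))
    return event["Username"], raw.get("errorCode"), event["EventName"], attrs

def build_baseline(events):
    """Step 2: per user, the set of (attribute, value) pairs observed during the training window."""
    base = defaultdict(set)
    for ev in events:
        user, _, _, attrs = _fields(ev)
        base[user].update(attrs)
    return dict(base)

def detect_anomalies(baseline, events):
    """Step 3: compare a detection window to the baseline; returns (user, reason, detail) tuples."""
    findings, calls, errors = {}, defaultdict(int), defaultdict(int)  # dict keys: ordered, de-duplicated
    for ev in events:
        user, err, name, attrs = _fields(ev)
        calls[user] += 1
        errors[user] += err is not None
        known = baseline.get(user, set())  # unknown user: every attribute is new
        for kind, value in attrs:
            if (kind, value) not in known:
                findings[(user, f"new {kind}", value)] = None
        if name in SENSITIVE_EVENTS:
            findings[(user, "sensitive API", name)] = None
    for user, n in calls.items():  # many AccessDenied errors in one window suggest permission probing
        if errors[user] / n >= ERROR_RATE_THRESHOLD:
            findings[(user, "high error rate", f"{errors[user]}/{n}")] = None
    return list(findings)

def _rec(user, source, name, ip, error=None):
    """Constructed record in the shape boto3's cloudtrail.lookup_events returns."""
    return {"Username": user, "EventSource": source, "EventName": name,
            "CloudTrailEvent": json.dumps({"sourceIPAddress": ip, "errorCode": error})}
# Constructed sample data: a quiet training window for 'deploy-bot', then a suspicious one.
BASELINE_EVENTS = [_rec("deploy-bot", "ecs.amazonaws.com", "UpdateService", "10.0.1.5"),
                   _rec("deploy-bot", "ecr.amazonaws.com", "GetAuthorizationToken", "10.0.1.5")]
NEW_EVENTS = [_rec("deploy-bot", "ecs.amazonaws.com", "UpdateService", "10.0.1.5"),
              _rec("deploy-bot", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.7"),
              _rec("deploy-bot", "s3.amazonaws.com", "ListBuckets", "198.51.100.7", "AccessDenied"),
              _rec("deploy-bot", "iam.amazonaws.com", "ListUsers", "198.51.100.7", "AccessDenied")]
FINDINGS = detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
```

In production the two event lists would come from paginating `lookup_events` over a training window and a detection window; the repeated new source IP is reported once, and the same user replayed against its own baseline yields no findings.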

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-cloud-forensics-with-aws-cloudtrail

Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-aws-iam-privilege-escalation

Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-cloud-trail-log-analysis

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-s3-data-exfiltration-attempts

Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account data transfers.

12,642 Updated today
mukul975