implementing-cloud-trail-log-analysis

Featured

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Implementing CloudTrail Log Analysis

## When to Use

- When building security monitoring pipelines for AWS API activity
- When investigating security incidents to trace attacker actions across AWS services
- When compliance requires audit logging of all administrative and data access operations
- When creating detection rules for known attack patterns in AWS environments
- When establishing baseline API behavior for anomaly detection

**Do not use** for real-time threat detection (use GuardDuty, which already analyzes CloudTrail), for application-level logging (use CloudWatch Application Logs), or for network traffic analysis (use VPC Flow Logs).

## Prerequisites

- CloudTrail enabled with management events and, optionally, data events across all accounts
- S3 bucket configured as the CloudTrail delivery channel with appropriate retention policies
- Amazon Athena configured with a CloudTrail log table for ad-hoc queries
- CloudWatch Logs subscription for real-time analysis with Logs Insights
- SIEM integration (Splunk, Elastic, or Security Lake) for production monitoring

## Workflow

### Step 1: Configure CloudTrail for Comprehensive Logging

Ensure CloudTrail captures all relevant event types across the organization.

```bash
# Create an organization trail (captures all accounts)
aws cloudtrail create-trail \
  --name org-security-trail \
  --s3-bucket-name cloudtrail-logs-org-ACCOUNT \
  --is-organization-trail \
  --is-multi-region-trail \
  --include-global-service-events \
  ...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-cloud-log-forensics-with-athena

Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic workflows at scale.

12,642 Updated today
mukul975
AI & Automation Featured

performing-cloud-forensics-with-aws-cloudtrail

Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-aws-cloudtrail-anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-s3-data-exfiltration-attempts

Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account data transfers.

12,642 Updated today
mukul975