performing-cloud-log-forensics-with-athena

Featured

Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic workflows at scale.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Factor | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Performing Cloud Log Forensics with AWS Athena

## When to Use

- When investigating AWS security incidents that require querying massive volumes of cloud logs
- When performing forensic analysis across CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs
- When building reusable Athena tables with partition projection for ongoing incident response
- When hunting for indicators of compromise across multiple AWS log sources simultaneously
- When creating evidence-grade SQL queries for compliance audits or legal proceedings

## Prerequisites

- AWS account with Athena, S3, and Glue permissions
- CloudTrail configured to deliver logs to an S3 bucket
- VPC Flow Logs enabled and publishing to S3
- S3 server access logging enabled on target buckets
- ALB access logging enabled and publishing to S3
- Python 3.8+ with boto3 installed
- Appropriate IAM permissions for Athena queries and S3 access

## Instructions

### Phase 1: Create Athena Database and CloudTrail Table

Create a dedicated forensics database and CloudTrail table using partition projection to automatically discover partitions without manual ALTER TABLE statements.

```sql
CREATE DATABASE IF NOT EXISTS cloud_forensics;

CREATE EXTERNAL TABLE cloud_forensics.cloudtrail_logs (
  eventVersion STRING,
  userIdentity STRUCT<
    type: STRING,
    principalId: STRING,
    arn: STRING,
    accountId: STRING,
    invokedBy: STRING,
    accessKeyId: STRING,
    userName: STRING,
    sessi...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-cloud-forensics-with-aws-cloudtrail

Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-cloud-trail-log-analysis

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

performing-cloud-forensics-investigation

Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-aws-cloudtrail-anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

12,642 Updated today
mukul975