‹ 首页

detecting-aws-cloudtrail-anomalies

@adriannoes · 收录于 1 周前

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

适合你,如果你需要识别 AWS 账户中的可疑活动或潜在安全威胁。

/ 下载安装
detecting-aws-cloudtrail-anomalies.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add adriannoes/awesome-vibe-coding/detecting-aws-cloudtrail-anomalies
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- adriannoes/awesome-vibe-coding/detecting-aws-cloudtrail-anomalies
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify adriannoes/awesome-vibe-coding/detecting-aws-cloudtrail-anomalies
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
44GitHub stars
~559最小装载
~559含声明引用
~953文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · e4ed3a9

Detecting AWS CloudTrail Anomalies

Overview

AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's lookup_events API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.

When to Use
  • When investigating security incidents that require detecting aws cloudtrail anomalies
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques
Prerequisites
  • Python 3.9+ with boto3 library
  • AWS credentials with CloudTrail read permissions (cloudtrail:LookupEvents)
  • Understanding of AWS IAM and common API patterns
  • CloudTrail enabled in target AWS account (management events at minimum)
Steps
Step 1: Query CloudTrail Events

Use boto3 CloudTrail client's lookup_events to retrieve recent API activity with pagination.

Step 2: Build Activity Baseline

Aggregate events by user, source IP, event source, and event name to establish normal behavior patterns.

Step 3: Detect Anomalies

Flag unusual patterns: new event sources per user, first-time API calls, geographic IP changes, high error rates, and sensitive API usage (IAM, KMS, S3 policy changes).

Step 4: Generate Detection Report

Produce a JSON report with anomaly scores, top suspicious users, and recommended investigation actions.

Expected Output

JSON report with event statistics, baseline deviations, anomalous users/IPs, sensitive API calls, and error rate analysis.

按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。