Skill

analyzing-cloud-storage-access-patterns

Detects anomalies in AWS S3, GCS, Azure Blob Storage access via CloudTrail, audit logs, Storage Analytics. Flags bulk downloads, new IPs, API spikes, exfiltration using stats and time-series detection.

Python

AWS

GCP

Azure

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing cloud storage access patterns

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Analyzing Cloud Storage Access Patterns

When to Use

When investigating security incidents that require analyzing cloud storage access patterns
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with cloud security concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install boto3 requests
Query CloudTrail for S3 Data Events using AWS CLI or boto3.
Build access baselines: hourly request volume, per-user object counts, source IP history.
Detect anomalies:
- After-hours access (outside 8am-6pm local time)
- Bulk downloads: >100 GetObject calls from single principal in 1 hour
- New source IPs not seen in the prior 30 days
- ListBucket enumeration spikes (reconnaissance indicator)
Generate prioritized findings report.

python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json

Examples

CloudTrail S3 Data Event

{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"},
 "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}}