Skill

detecting-aws-cloudtrail-anomalies

From asi

Detects unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized access. Useful for security incident investigations and threat hunting.

Python

AWS

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's `lookup_events` API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.

SKILL.md

Similar Skills

detecting-aws-cloudtrail-anomalies

5.9k

Detects anomalies in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to flag credential compromise, privilege escalation, and unauthorized access.

3 files

cybersecurity-skills

detecting-aws-cloudtrail-anomalies

Detects anomalous API call patterns in AWS CloudTrail logs using boto3, statistical baselines, and behavioral analysis to identify credential intrusion, privilege escalation, and unauthorized access.

3 files

cybersecurity-skills-zh

implementing-cloud-trail-log-analysis

Implements AWS CloudTrail log analysis using Athena, CloudWatch Logs Insights, and SIEM for security monitoring, threat detection, and forensic investigation of unauthorized access and suspicious API activity.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting AWS CloudTrail Anomalies

Overview

AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's lookup_events API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.

When to Use

When investigating security incidents that require detecting aws cloudtrail anomalies

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with boto3 library

AWS credentials with CloudTrail read permissions (cloudtrail:LookupEvents)

Understanding of AWS IAM and common API patterns

CloudTrail enabled in target AWS account (management events at minimum)

Steps

Step 1: Query CloudTrail Events

Use boto3 CloudTrail client's lookup_events to retrieve recent API activity with pagination.

Step 2: Build Activity Baseline

Aggregate events by user, source IP, event source, and event name to establish normal behavior patterns.

Step 3: Detect Anomalies

Flag unusual patterns: new event sources per user, first-time API calls, geographic IP changes, high error rates, and sensitive API usage (IAM, KMS, S3 policy changes).

Step 4: Generate Detection Report

Produce a JSON report with anomaly scores, top suspicious users, and recommended investigation actions.

Expected Output

JSON report with event statistics, baseline deviations, anomalous users/IPs, sensitive API calls, and error rate analysis.