- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
2.9 KiB
name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack, mitre_f3
| name | description | domain | subdomain | tags | version | author | license | nist_csf | mitre_attack | mitre_f3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| detecting-aws-cloudtrail-anomalies | Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access. | cybersecurity | cloud-security |
|
1.0 | mahipal | Apache-2.0 |
|
|
|
Detecting AWS CloudTrail Anomalies
Overview
AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's lookup_events API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.
When to Use
- When investigating security incidents that require detecting aws cloudtrail anomalies
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
boto3library - AWS credentials with CloudTrail read permissions (cloudtrail:LookupEvents)
- Understanding of AWS IAM and common API patterns
- CloudTrail enabled in target AWS account (management events at minimum)
Steps
Step 1: Query CloudTrail Events
Use boto3 CloudTrail client's lookup_events to retrieve recent API activity with pagination.
Step 2: Build Activity Baseline
Aggregate events by user, source IP, event source, and event name to establish normal behavior patterns.
Step 3: Detect Anomalies
Flag unusual patterns: new event sources per user, first-time API calls, geographic IP changes, high error rates, and sensitive API usage (IAM, KMS, S3 policy changes).
Step 4: Generate Detection Report
Produce a JSON report with anomaly scores, top suspicious users, and recommended investigation actions.
Expected Output
JSON report with event statistics, baseline deviations, anomalous users/IPs, sensitive API calls, and error rate analysis.