Files
Anthropic-Cybersecurity-Skills/skills/detecting-aws-cloudtrail-anomalies/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

2.2 KiB

name, description, domain, subdomain, tags, version, author, license, nist_csf
name description domain subdomain tags version author license nist_csf
detecting-aws-cloudtrail-anomalies Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access. cybersecurity cloud-security
cloud-security
aws
cloudtrail
anomaly-detection
threat-detection
boto3
1.0 mahipal Apache-2.0
PR.IR-01
ID.AM-08
GV.SC-06
DE.CM-01

Detecting AWS CloudTrail Anomalies

Overview

AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's lookup_events API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats.

When to Use

  • When investigating security incidents that require detecting aws cloudtrail anomalies
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.9+ with boto3 library
  • AWS credentials with CloudTrail read permissions (cloudtrail:LookupEvents)
  • Understanding of AWS IAM and common API patterns
  • CloudTrail enabled in target AWS account (management events at minimum)

Steps

Step 1: Query CloudTrail Events

Use boto3 CloudTrail client's lookup_events to retrieve recent API activity with pagination.

Step 2: Build Activity Baseline

Aggregate events by user, source IP, event source, and event name to establish normal behavior patterns.

Step 3: Detect Anomalies

Flag unusual patterns: new event sources per user, first-time API calls, geographic IP changes, high error rates, and sensitive API usage (IAM, KMS, S3 policy changes).

Step 4: Generate Detection Report

Produce a JSON report with anomaly scores, top suspicious users, and recommended investigation actions.

Expected Output

JSON report with event statistics, baseline deviations, anomalous users/IPs, sensitive API calls, and error rate analysis.