detecting-aws-cloudtrail-anomalies
Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.
Best use case
detecting-aws-cloudtrail-anomalies is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.
Teams using detecting-aws-cloudtrail-anomalies should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-aws-cloudtrail-anomalies/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-aws-cloudtrail-anomalies Compares
| Feature / Agent | detecting-aws-cloudtrail-anomalies | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting AWS CloudTrail Anomalies ## Overview AWS CloudTrail records API calls across AWS services. This skill covers querying CloudTrail events with boto3's `lookup_events` API, building statistical baselines of normal API activity, detecting anomalies such as unusual event sources, geographic anomalies, high-frequency API calls, and first-time API usage patterns that indicate compromised credentials or insider threats. ## When to Use - When investigating security incidents that require detecting aws cloudtrail anomalies - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `boto3` library - AWS credentials with CloudTrail read permissions (cloudtrail:LookupEvents) - Understanding of AWS IAM and common API patterns - CloudTrail enabled in target AWS account (management events at minimum) ## Steps ### Step 1: Query CloudTrail Events Use boto3 CloudTrail client's lookup_events to retrieve recent API activity with pagination. ### Step 2: Build Activity Baseline Aggregate events by user, source IP, event source, and event name to establish normal behavior patterns. ### Step 3: Detect Anomalies Flag unusual patterns: new event sources per user, first-time API calls, geographic IP changes, high error rates, and sensitive API usage (IAM, KMS, S3 policy changes). ### Step 4: Generate Detection Report Produce a JSON report with anomaly scores, top suspicious users, and recommended investigation actions. ## Expected Output JSON report with event statistics, baseline deviations, anomalous users/IPs, sensitive API calls, and error rate analysis.