AWS CloudTrail Threat Hunting
Welcome to the CloudTrail AWS Threat Hunting Repository! This repository serves as a comprehensive resource for enhancing your threat detection and hunting capabilities within your AWS environment using AWS CloudTrail and other AWS services. Whether you are new to threat hunting or a seasoned pro, this repository offers valuable insights and tools to supercharge your security efforts.
CloudTrail is the central logging source for each AWS account. It provides a perfect foundation for creating threat hunting queries, which can be used for offline analysis or integrated into a SIEM based on Athena, (H)ELK, Splunk, or a custom solution.
The CloudTrail dataset can be enriched with information such as geoIP, threat data, access level, and MITRE ATT&CK TTPs.
Other AWS offerings that can provide deeper insights into your AWS environment include S3 bucket access logs, VPC FlowLogs, VPC DNS queries (collected over Route 53 Resolver Query Logs), CloudWatch Logs, load balancer access logs, and traffic mirroring (one of the most awesome features of Nitro Instances).
All or even a subset of these log sources can be used to build a mature threat hunting and alerting system for your AWS cloud.
More ideas for hunting queries can be found in my Blog
Happy hunting!
This repository includes the following resources:
- Jupyter Notebook: A comprehensive Jupyter Notebook with insightful plots and examples of Threat Hunting Queries based on CloudTrail.
- Cloud Trail Logs: These logs were released by Scott Piper anonymized CloudTrail logs from flaws.cloud which contain real malicious events, to practice some Threat Hunting capabilities
- Slidedeck: Slidedeck that belongs to this code, showing how to do Threat Hunting
Explore and leverage the power of threat hunting within your AWS environment using our Jupyter Notebook. This notebook provides detailed examples, visualizations, and step-by-step guides to help you get started with CloudTrail-based threat hunting.
To get started with the Jupyter Notebook, follow these steps:
- Clone this repository to your local machine or AWS environment.
- Open the Jupyter Notebook and follow the instructions provided within the notebook.
- You want at least the following pip dependencies:
pandas matplotlib tabulate seaborn
Make sure you have the necessary permissions and credentials to access your AWS environment and CloudTrail logs before running any queries in the notebook against your real data. The data used within the demo are real malicious provided by Scott Piper
We welcome contributions from the community to improve and expand the capabilities of this repository. If you have ideas, improvements, or additional resources to share, please feel free to submit a pull request.
This repository is licensed under the MIT License.
Thank you for visiting the CloudTrail Threat Hunting Repository. I hope this resource enhances your AWS security efforts and helps you better protect your cloud environment. Happy hunting! 🌟
Maintained with ❤️ by BenjiTrapp