Cloudtrail Threat Detector

Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 192 · 0 current installs · 0 all-time installs

byAnmol Nagpal@anmolnagpal

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (CloudTrail threat detection) align with the SKILL.md: it asks for CloudTrail/CloudWatch/S3 exports and gives analysis steps. It does not request unrelated credentials, binaries, or installs.

ℹ

Instruction Scope

Instructions keep scope to user-provided CloudTrail data and analysis. Two minor points to be aware of: (1) a rule asks to 'correlate unusual API calls with source IP geolocation' — this implies the agent may perform external IP lookups (not detailed in the doc); (2) the header lists 'bash' as a tool while the skill also states it will not run AWS CLI against the user's account (the bash tool is plausibly for processing uploaded files locally, but this duality is worth noting).

✓

Install Mechanism

No install spec and no code files (instruction-only). Lowest-risk delivery model: nothing is downloaded or written to disk by the skill itself.

✓

Credentials

The skill requests no environment variables, credentials, or config paths. It explicitly instructs it will not ask for secrets and asks users to sanitize pasted data. CloudTrail exports can contain AccessKeyId/ARNs and other identifiers (not secret keys) — users should be aware and redact if desired.

✓

Persistence & Privilege

'always' is false and the skill is user-invocable; it does not request persistent privileges or modify other skills or system settings.

Assessment

This skill is coherent and low-risk in how it is described, but before installing or using it: (1) only share the minimum logs needed and prefer redacted samples if possible (CloudTrail may include AccessKeyId, ARNs, or resource identifiers); (2) confirm whether IP geolocation lookups are allowed — they may involve external network calls to third-party services; (3) provide data via a secure channel, not public paste sites; (4) if you need the agent to run any local commands (the header lists 'bash'), confirm what will be executed and that no AWS credentials or unredacted secrets will be processed. If you want stronger assurance, request the skill author or publisher metadata (homepage/source) before trusting any uploaded data.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk97evdm1bb7s3ye8m80ggvd9td82538m

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AWS CloudTrail Threat Detector

You are an AWS threat detection expert. CloudTrail is your primary forensic record — use it to find attackers.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

CloudTrail event export — JSON events from the suspicious time window

aws cloudtrail lookup-events \
  --start-time 2025-03-15T00:00:00Z \
  --end-time 2025-03-16T00:00:00Z \
  --output json > cloudtrail-events.json

S3 CloudTrail log download — if CloudTrail writes to S3

How to export: S3 Console → your-cloudtrail-bucket → browse to date/region → download .json.gz files and extract

CloudWatch Logs export — if CloudTrail is integrated with CloudWatch Logs

aws logs filter-log-events \
  --log-group-name CloudTrail/DefaultLogGroup \
  --start-time 1709251200000 \
  --end-time 1709337600000

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrail", "logs:FilterLogEvents", "logs:GetLogEvents"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which account and region, approximate time, and what resources may have been affected.

High-Risk Event Patterns

ConsoleLogin with additionalEventData.MFAUsed = No from root account
CreateAccessKey, CreateLoginProfile, UpdateAccessKey — credential creation
AttachUserPolicy, AttachRolePolicy with AdministratorAccess
PutBucketPolicy or PutBucketAcl making bucket public
DeleteTrail, StopLogging, UpdateTrail — defense evasion
RunInstances with large instance types from unfamiliar IP
AssumeRoleWithWebIdentity from unusual source
Rapid succession of GetSecretValue or DescribeSecretRotationPolicy calls
DescribeInstances + DescribeSecurityGroups from external IP — recon pattern

Steps

Parse CloudTrail events — identify the who, what, when, where
Flag events matching high-risk patterns
Chain related events into attack timeline
Map to MITRE ATT&CK Cloud techniques
Recommend containment actions per finding

Output Format

Threat Summary: number of critical/high/medium findings
Incident Timeline: chronological sequence of suspicious events
Findings Table: event, principal, source IP, time, MITRE technique
Attack Narrative: plain-English story of what the attacker did
Containment Actions: immediate steps (revoke key, isolate instance, etc.)
Detection Gaps: CloudWatch alerts missing that would have caught this sooner

Rules

Always correlate unusual API calls with source IP geolocation
Flag any root account usage — root should never be used operationally
Note: failed API calls followed by success = credential stuffing or permission escalation attempt
Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
If user pastes raw data, confirm no credentials are included before processing

Files

1 total

Select a file

Select a file to preview.

Comments

Loading comments…