aws-cloudtrail-threat-detector
Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/anmolnagpal/cloudtrail-threat-detector
What This Skill Does
The AWS CloudTrail Threat Detector is a specialized forensic analysis agent designed to ingest AWS CloudTrail logs and transform raw JSON event data into a coherent security narrative. As an OpenClaw AI skill, it acts as a virtual incident responder. It parses complex, high-volume event logs to identify unauthorized API calls, privilege escalation attempts, persistence mechanisms, and reconnaissance activities. By mapping event sequences to the MITRE ATT&CK Cloud Matrix, it helps security teams quickly transition from raw log exploration to concrete containment and remediation steps.
Installation
To integrate this skill into your environment, run the following command within your OpenClaw interface:
clawhub install openclaw/skills/skills/anmolnagpal/cloudtrail-threat-detector
Ensure your local environment or workspace has proper read permissions if you intend to stream log data directly into the agent.
Use Cases
- Post-Incident Forensic Reconstruction: Reconstruct an attacker's steps after an alert is triggered, linking disparate events into a single kill chain.
- Unauthorized Privilege Escalation Detection: Automatically flag AttachUserPolicy or CreateLoginProfile calls that deviate from standard CI/CD deployment patterns.
- Threat Hunting: Proactively audit logs for 'Low and Slow' reconnaissance patterns, such as repeated DescribeInstances calls originating from unfamiliar external IPs.
- Compliance Reporting: Generate a clean, plain-English summary of suspicious activity for stakeholders who do not have deep familiarity with AWS CloudTrail JSON structures.
Example Prompts
- "I've noticed unusual activity in our production account between 2 AM and 4 AM. Please analyze this JSON file [attach file] and let me know if there's any evidence of credential theft."
- "Look at these CloudWatch log events. Someone managed to create a new IAM user and attach AdministratorAccess. Tell me exactly what happened, when it happened, and how I can contain this."
- "I suspect an attacker has modified our bucket policies to make them public. Analyze these logs and provide a summary of the source IP, the identity involved, and a list of impacted S3 buckets."
Tips & Limitations
- Context is King: The more logs you provide, the higher the accuracy of the timeline. Always try to include a 15-minute buffer before and after the suspected breach window.
- Data Privacy: This skill performs client-side analysis. It does not possess direct AWS credentials or live access to your environment; it processes only the text you provide.
- False Positives: Automated tools might flag legitimate administrative automation. Always verify the 'principal' field against your list of known service accounts and CI/CD pipelines.
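As an added example (not code from the OpenClaw skill itself), the following Python triage pass implements the two detections named under Use Cases and the principal check from the False Positives tip: it flags AttachUserPolicy / CreateLoginProfile calls whose principal is not a known CI/CD identity, and repeated DescribeInstances calls from IPs outside an allowlist. The ARNs, IP addresses, event records and the threshold of 3 are constructed for the example.

```python
# Added example (not part of the OpenClaw skill): a minimal CloudTrail triage
# pass covering the two use cases above and the false-positive tip: flag
# AttachUserPolicy / CreateLoginProfile calls whose principal is not a known
# CI/CD identity, and flag DescribeInstances bursts from unfamiliar IPs.
import json
from collections import Counter

PRIV_ESC_EVENTS = {"AttachUserPolicy", "CreateLoginProfile"}
KNOWN_AUTOMATION_ARNS = {"arn:aws:iam::111122223333:role/ci-deploy"}  # constructed
KNOWN_IPS = {"203.0.113.10"}          # constructed office/CI egress IP (TEST-NET-3)
RECON_THRESHOLD = 3                   # DescribeInstances calls per unfamiliar IP

# Constructed sample records in CloudTrail's "Records" envelope shape.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T02:10:00Z", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}},
    {"eventTime": "2024-05-01T02:12:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"}},
] + [
    {"eventTime": f"2024-05-01T02:2{i}:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"}}
    for i in range(4)
]})

def triage(log_text: str) -> list[dict]:
    """Return findings, each labelled with the MITRE ATT&CK tactic it maps to."""
    records = json.loads(log_text).get("Records", [])
    findings = []
    recon_by_ip = Counter()
    for r in records:
        name = r.get("eventName")
        ip = r.get("sourceIPAddress", "")
        arn = r.get("userIdentity", {}).get("arn", "")
        # Known automation principals are suppressed to avoid false positives.
        if name in PRIV_ESC_EVENTS and arn not in KNOWN_AUTOMATION_ARNS:
            findings.append({"tactic": "Privilege Escalation", "event": name,
                             "principal": arn, "ip": ip, "time": r.get("eventTime")})
        elif name == "DescribeInstances" and ip not in KNOWN_IPS:
            recon_by_ip[ip] += 1
    for ip, n in recon_by_ip.items():
        if n >= RECON_THRESHOLD:
            findings.append({"tactic": "Discovery", "event": "DescribeInstances",
                             "ip": ip, "count": n})
    return findings
```

Calling triage(SAMPLE_LOG) returns two findings: the CreateLoginProfile call by the unknown principal and the four DescribeInstances calls from the unfamiliar IP, while the AttachUserPolicy call from the CI/CD role is suppressed.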
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-anmolnagpal-cloudtrail-threat-detector": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags: AI
Flags: data-collection
Related Skills
aws-compliance-analyzer
Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation
aws-terraform-security-reviewer
Review Terraform plans and HCL files for AWS security misconfigurations before deployment
azure-storage-exposure-auditor
Identify publicly accessible Azure Storage accounts and misconfigured blob containers
aws-tagging-auditor
Audit AWS resource tagging compliance and identify unallocatable spend for FinOps teams
gcp-bigquery-optimizer
Analyze BigQuery query patterns and storage to dramatically reduce the