performing-cloud-native-threat-hunting-with-aws-detective
Performing Cloud-Native Threat Hunting with AWS Detective
Overview
AWS Detective automatically collects and analyzes log data from AWS CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs to build interactive behavior graphs. These graphs enable security analysts to investigate entities (IAM users, roles, IP addresses, EC2 instances) across time, identify anomalous API calls, detect lateral movement between accounts, and correlate GuardDuty findings into coherent attack narratives — all without manual log parsing.
Prerequisites
- AWS account with Detective enabled (requires GuardDuty active for 48+ hours)
- AWS CLI v2 configured with appropriate IAM permissions (
detective:*,guardduty:List*) - Python 3.9+ with boto3
- IAM policy:
AmazonDetectiveFullAccessor custom policy withdetective:SearchGraph,detective:GetInvestigation,detective:ListIndicators
Key Concepts
| Concept | Description |
|---|---|
| Behavior Graph | Data structure linking CloudTrail, VPC Flow, GuardDuty, and EKS logs for an account/region |
| Entity | Investigable object: IAM user, IAM role, EC2 instance, IP address, S3 bucket, EKS cluster |
More from mukul975/anthropic-cybersecurity-skills
acquiring-disk-image-with-dd-and-dcfldd
Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
117analyzing-api-gateway-access-logs
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
103analyzing-android-malware-with-apktool
Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
99analyzing-cyber-kill-chain
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
90analyzing-email-headers-for-phishing-investigation
Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
83analyzing-active-directory-acl-abuse
Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
83