cloudtrail-threat-detector
Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators
Install via ClawdBot CLI:
clawdbot install anmolnagpal/cloudtrail-threat-detector
Grade: Fair — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.
Generated Mar 21, 2026
A bank's security team detects unusual IAM activity in their AWS account and uses this skill to analyze exported CloudTrail logs. The analysis reveals an attacker from a foreign IP address created new access keys and attached admin policies to a compromised user, mapping the activity to MITRE ATT&CK credential access techniques.
An e-commerce company performs a routine security review after a spike in S3 bucket policy changes. By providing S3 CloudTrail log downloads, the skill identifies unauthorized PutBucketPolicy events that made buckets public, helping trace the incident to an insider threat or misconfigured automation.
A healthcare provider suspects a data breach involving EC2 instances. Using exported CloudWatch Logs from CloudTrail integration, the skill analyzes RunInstances and DescribeInstances events from unfamiliar IPs, uncovering a reconnaissance and execution attack chain aimed at patient data storage.
A tech startup notices failed login attempts followed by successful ConsoleLogin events without MFA. By inputting CloudTrail event exports, the skill flags root account usage and credential stuffing patterns, providing a timeline and containment steps like revoking keys and enabling MFA.
A government agency needs to audit AWS activity for compliance with security standards. The skill processes provided CloudTrail data to detect high-risk events like DeleteTrail or StopLogging, identifying defense evasion attempts and recommending improved CloudWatch alerts for future detection.
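As an added example, not code from the skill or this listing: the detection rules the use cases above describe (DeleteTrail/StopLogging, root and no-MFA console logins, repeated failures followed by success, key creation and policy attachment), applied to constructed CloudTrail records. The ATT&CK mappings, the failed-login threshold and the sample IP addresses are assumptions.

```python
# eventName -> (finding, ATT&CK technique) for the events named in the use cases above
HIGH_RISK = {
    "DeleteTrail": ("CloudTrail deleted", "T1562.008"),
    "StopLogging": ("CloudTrail logging stopped", "T1562.008"),
    "CreateAccessKey": ("new access key created", "T1098.001"),
    "AttachUserPolicy": ("policy attached to user", "T1098.003"),
}
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold; tune it to your environment

def analyze(records):
    """Return (eventTime, sourceIPAddress, finding, technique) tuples, oldest first."""
    findings, failed_by_ip = [], {}
    for r in records:
        name, ip, when = r["eventName"], r.get("sourceIPAddress", "?"), r["eventTime"]
        if name in HIGH_RISK:
            findings.append((when, ip) + HIGH_RISK[name])
        if name != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            failed_by_ip[ip] = failed_by_ip.get(ip, 0) + 1  # count failures per source IP
            continue
        if failed_by_ip.get(ip, 0) >= FAILED_LOGIN_THRESHOLD:
            findings.append((when, ip, "login succeeded after repeated failures", "T1110.004"))
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((when, ip, "console login without MFA", "T1078.004"))
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, ip, "root account console login", "T1078.004"))
    return sorted(findings)

def login(when, ip, ok, mfa="No", kind="IAMUser"):
    """Build a constructed ConsoleLogin record (sample data, not a real log)."""
    return {"eventTime": when, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": kind, "userName": "alice"},
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
            "additionalEventData": {"MFAUsed": mfa}}

# Constructed sample: three failed logins, a root login without MFA, then the trail is deleted.
SAMPLE = [
    login("2026-03-01T10:00:01Z", "203.0.113.7", False),
    login("2026-03-01T10:00:09Z", "203.0.113.7", False),
    login("2026-03-01T10:00:15Z", "203.0.113.7", False),
    login("2026-03-01T10:01:02Z", "203.0.113.7", True, kind="Root"),
    {"eventTime": "2026-03-01T10:05:40Z", "eventName": "DeleteTrail",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "Root"}},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding, sep=" | ")
```

Real exports wrap records in a top-level `Records` list; pass that list to `analyze()`.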
Offer this skill as part of a monthly security monitoring package for small to medium businesses. Customers pay a recurring fee for access to threat detection analysis, with tiered pricing based on the volume of CloudTrail data processed and support levels.
Integrate the skill into a professional services offering where security consultants use it during breach investigations or audits. Charge per incident or on a retainer basis, providing detailed reports and containment guidance to clients in high-stakes environments.
Bundle this skill with existing security information and event management (SIEM) or cloud security posture management (CSPM) tools. Sell it as an advanced analytics module that enhances threat detection capabilities, targeting large enterprises with complex AWS infrastructures.
💬 Integration Tip
Ensure users have read-only IAM permissions for CloudTrail and CloudWatch Logs as specified, and remind them to sanitize exported data of any credentials before analysis to maintain security.
Scored Apr 19, 2026