
Threat Hunting with AWS CloudTrail: Detecting Anomalies for a Secure Cloud Environment

AWS CloudTrail is a powerful tool for cloud monitoring, but its true value lies in its ability to enable proactive threat hunting.

AWS CloudTrail is the primary record of API activity across an AWS account. By logging who called which API, from where, and with what result, CloudTrail provides the raw material for security analysis, compliance evidence, and a durable audit trail.

CloudTrail captures a wealth of event data, but the hard part is identifying the anomalies in that data that could indicate a threat. This blog explores how CloudTrail can be used for threat hunting and anomaly detection, offering practical alert strategies to detect suspicious activity early.


What is AWS CloudTrail?


AWS CloudTrail records a log entry for API calls across AWS services. Each record captures:

  • Who performed an action (the userIdentity block: principal type, ARN, access key ID)
  • What was called (eventSource and eventName, plus the request parameters)
  • When it occurred (eventTime)
  • Where it originated (sourceIPAddress and userAgent)
  • Whether it failed (errorCode and errorMessage, present only on failed calls)

These logs form a comprehensive audit trail, aiding:

  • Security analysis by identifying unauthorized activities
  • Compliance auditing to meet regulatory requirements
  • Resource tracking to monitor and troubleshoot changes

Despite its comprehensive coverage, organizations often face challenges in identifying meaningful patterns amid the data, especially during an active attack where the attacker’s sequence of actions must be pieced together.


The Threat Landscape: Why Anomaly Detection is Crucial


Threat actors typically begin with reconnaissance to learn what the compromised credential can see and do, then escalate privileges and exploit resources. Detecting this early activity can significantly reduce the damage. Yet AWS does not ship a prescriptive list of which CloudTrail events to monitor or how to prioritize them.

To address this gap, Coralogix has developed a threat-hunting framework using CloudTrail, focusing on over 150 critical events. This includes a correlation alert with its foundational building blocks to link together multiple anomalous events that are usually seen during reconnaissance and an anomaly dashboard to identify suspicious activity effectively.



Building Blocks for Anomaly Detection


1. Multiple Events Detected (By User)

Alert Trigger:
This alert fires when more than 15 unique CloudTrail event names, drawn from the list of 150 critical events mentioned above, are logged for a single user within a 20-minute window.

Rationale: External threat actors usually use automated enumeration tools for reconnaissance. Running such a tool produces a burst of CloudTrail events in a short interval, most of them "Get", "List" and "Describe" calls (CloudTrail marks these with readOnly set to true). A practical caveat: key the count on the principal ARN or access key ID rather than on userName alone, since assumed-role sessions share a role name but are distinct actors.

Challenges & Fine-Tuning Recommendations:

  • False Positives: High activity by legitimate users can trigger this alert.
  • Fine-Tuning Recommendations:
    • Adjust threshold values based on usage patterns.
    • Whitelist specific users as needed.

This alert provides a high-fidelity signal for detecting unusual access patterns when fine-tuned to your organization’s needs.


2. Unique Error Types

Alert Trigger:
This alert fires when more than one distinct errorCode value is seen within a 20-minute window across the CloudTrail events of a single user.

Rationale:
Threat actors operating with a stolen credential do not know its permission boundary, so they trip a variety of errors (AccessDenied, UnauthorizedOperation, AccessDeniedException and service-specific variants) while probing what it can do.

Fine-Tuning Recommendations:

  • Understand the reasons behind these errors (e.g., misconfigurations or malicious attempts).
  • Whitelist legitimate users or error codes where appropriate.


3. More than Usual Errors

Alert Trigger:
This alert fires when the number of failed CloudTrail events (records carrying an errorCode) for a single user within a 20-minute window exceeds a threshold set from that environment's normal error rate.

Rationale:
Similar to the previous alert, attackers’ lack of familiarity often leads to failed actions, making this metric a strong indicator of suspicious activity.


Correlation Alert: Correlating Anomalies for Better Detection


To raise detection fidelity, a correlation alert combines the building blocks above. It triggers when either of the following combinations occurs for the same user within the same 20-minute window:

  • Combination 1:
    • Multiple Events Detected (By User)
    • Unique Error Types
  • Combination 2:
    • Multiple Events Detected (By User)
    • More than Usual Errors


Purpose of the Correlation Alert


This alert flags multiple anomalous activities by a user in a short time frame, especially those resulting in errors or unusual patterns. Such behavior is rarely legitimate and warrants further investigation. If the activity is benign, adjust the relevant building block alerts by:

  • Modifying thresholds
  • Whitelisting specific users or error codes
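The three building blocks and the correlation alert described above, as an added Python example that is not Coralogix's own code or alert configuration. It runs a 20-minute sliding window per principal over constructed CloudTrail records. The critical-event list here is an illustrative subset of read-only reconnaissance calls (the article's list has about 150 entries), and the "more than usual errors" threshold of 10 is an assumed value to be tuned per account; the function names and the allowlist parameters are this example's own.

```python
"""Sliding-window CloudTrail anomaly detection: the three building blocks and the
correlation alert, run over constructed sample records. Added example, not the
article's alert definitions; thresholds and the event list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

WINDOW = timedelta(minutes=20)
UNIQUE_EVENT_THRESHOLD = 15   # block 1: more than 15 unique critical events
UNIQUE_ERROR_THRESHOLD = 1    # block 2: more than one distinct errorCode
ERROR_COUNT_THRESHOLD = 10    # block 3: "unusually high" errors; assumed value, tune per account

# Illustrative subset of recon-style read-only API calls (the real list is ~150 entries).
CRITICAL_EVENTS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles", "ListPolicies",
    "GetAccountAuthorizationDetails", "DescribeInstances", "DescribeSecurityGroups",
    "DescribeVpcs", "DescribeSubnets", "ListFunctions", "ListSecrets",
    "DescribeDBInstances", "ListAccessKeys", "GetBucketPolicy", "ListQueues",
    "ListTopics", "DescribeTrails", "ListAliases", "DescribeKey",
}


def actor(event):
    """Key on the principal ARN (or access key id), not userName: assumed-role
    sessions share a role name but are distinct actors."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def parse_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def windows(evs):
    """Yield each 20-minute window that starts at one of the actor's events
    (two-pointer sweep over time-sorted records)."""
    times = [parse_time(e) for e in evs]
    j = 0
    for i in range(len(evs)):
        j = max(j, i)
        while j + 1 < len(evs) and times[j + 1] - times[i] <= WINDOW:
            j += 1
        yield evs[i:j + 1]


def evaluate(events, allowlist_users=(), allowlist_errors=()):
    """Return {actor: {block: fired}} with the correlation alert requiring block 1
    and block 2 or 3 to trip inside the same window."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=parse_time):
        by_actor[actor(e)].append(e)
    results = {}
    for who, evs in by_actor.items():
        if who in allowlist_users:          # fine-tuning: whitelisted principal
            continue
        fired = {"multiple_events": False, "unique_error_types": False,
                 "more_than_usual_errors": False, "correlation": False}
        for win in windows(evs):
            unique_critical = {e["eventName"] for e in win if e["eventName"] in CRITICAL_EVENTS}
            errors = [e["errorCode"] for e in win
                      if e.get("errorCode") and e["errorCode"] not in allowlist_errors]
            b1 = len(unique_critical) > UNIQUE_EVENT_THRESHOLD
            b2 = len(set(errors)) > UNIQUE_ERROR_THRESHOLD
            b3 = len(errors) > ERROR_COUNT_THRESHOLD
            fired["multiple_events"] |= b1
            fired["unique_error_types"] |= b2
            fired["more_than_usual_errors"] |= b3
            fired["correlation"] |= b1 and (b2 or b3)
        results[who] = fired
    return results


def record(minute, name, user, error=None):
    """Build a minimal CloudTrail-shaped record. Constructed sample data, not real logs."""
    t = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    rec = {"eventVersion": "1.08", "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
           "eventName": name, "sourceIPAddress": "203.0.113.10", "readOnly": True,
           "userIdentity": {"type": "IAMUser", "userName": user,
                            "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec


RECON = [("GetCallerIdentity", None), ("ListBuckets", None), ("ListUsers", "AccessDenied"),
         ("ListRoles", "AccessDenied"), ("ListPolicies", None),
         ("GetAccountAuthorizationDetails", "AccessDenied"), ("DescribeInstances", None),
         ("DescribeSecurityGroups", None), ("DescribeVpcs", None), ("DescribeSubnets", None),
         ("ListFunctions", "AccessDeniedException"), ("ListSecrets", "AccessDeniedException"),
         ("DescribeDBInstances", None), ("ListAccessKeys", "AccessDenied"),
         ("GetBucketPolicy", None), ("ListQueues", None), ("ListTopics", None), ("DescribeTrails", None)]

SAMPLE_EVENTS = (
    # constructed: automated enumeration by one key, 18 distinct calls in 9 minutes, 6 failures
    [record(i // 2, name, "contractor-temp", err) for i, (name, err) in enumerate(RECON)]
    # constructed: routine operator activity spread over an hour with a single failure
    + [record(m, "DescribeInstances", "ops-engineer") for m in (0, 25, 50)]
    + [record(55, "DescribeTrails", "ops-engineer", "AccessDenied")]
)

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS), indent=2))
```

In the sample, the contractor key trips block 1 and block 2 in the same window (combination 1) while staying under the assumed error-count threshold, and the operator trips nothing because their calls are spread beyond 20 minutes. Passing the operator's ARN in `allowlist_users`, or `"AccessDenied"` in `allowlist_errors`, is the whitelisting step the text describes.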


Dashboards: Visualizing the Anomalies


In addition to the alerts, Coralogix has also created a dashboard that provides:

  • A clear view of event trends and anomalies
  • Insights into top users triggering errors or anomalies
  • Breakdown of error codes by user, helping to pinpoint the root cause

By combining alerts with actionable insights, organizations can quickly identify and respond to potential threats.


Conclusion


AWS CloudTrail is a powerful tool for cloud monitoring, but its true value lies in its ability to enable proactive threat hunting. By implementing the above strategies, organizations can:

  • Detect and investigate suspicious activities early
  • Minimize false positives with tailored fine-tuning
  • Strengthen overall security posture

With the right tools, dashboards, and alert configurations, CloudTrail becomes a cornerstone of any robust cloud security strategy. Start your anomaly detection journey today to stay ahead of potential threats and protect your AWS environment.

Puneet Khandelwal
