Cloud Forensics (AWS GuardDuty / CloudTrail / S3)
CommunityTurn AWS logs into an incident-ready timeline
System Documentation
What problem does it solve?
It reduces the time and guesswork needed to triage AWS cloud incidents by transforming GuardDuty and CloudTrail evidence into prioritized findings, timelines, and exfiltration/persistence indicators.
Core Features & Use Cases
- GuardDuty finding triage: Decompress GuardDuty
.jsonl.gzand generate high-severity exports, principal pivots, and network IOC-focused extracts. - CloudTrail timeline reconstruction: Decompress CloudTrail
.json.gz, flattenRecordsinto JSONL, and produce event frequency summaries, error/denied-event lists, and CSV timelines for investigation. - Threat pattern detection: Identify AWS IMDS credential theft signals, IAM persistence (new keys/policy changes), and S3 exfiltration patterns (GetObject/Deletes) from log artifacts.
Use case: You receive a customer’s S3-copied GuardDuty and CloudTrail archives and need to quickly determine whether an attacker attempted credential theft, established IAM persistence, and accessed or deleted S3 objects—without touching originals.
Quick Start
Use the cloud-forensics skill to parse GuardDuty and CloudTrail logs from your case root and produce CSV exports under exports/cloud and analysis/cloud for prioritized triage.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: Cloud Forensics (AWS GuardDuty / CloudTrail / S3) Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#cloud-forensics-aws-guardduty-cloudtrail-s3 Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.