3.4.3.7. Analyzing Logs, Metrics, and Security Findings
Security analysis turns raw data into actionable intelligence. The right query at the right time is the difference between a 30-minute investigation and an all-night incident.
Athena queries for CloudTrail analysis:
-- Find all actions by a potentially compromised user
SELECT eventtime, eventsource, eventname, sourceipaddress, errorcode
FROM cloudtrail_logs
WHERE useridentity.arn LIKE '%compromised-user%'
AND eventtime > '2025-01-15'
ORDER BY eventtime DESC;
-- Find all security group changes in the last 24 hours
SELECT eventtime, useridentity.arn, requestparameters
FROM cloudtrail_logs
WHERE eventsource = 'ec2.amazonaws.com'
AND eventname IN ('AuthorizeSecurityGroupIngress','RevokeSecurityGroupIngress')
-- eventtime is a STRING in the standard CloudTrail table; parse it before comparing to a timestamp
AND from_iso8601_timestamp(eventtime) > current_timestamp - interval '24' hour;
CloudWatch Logs Insights for VPC Flow Logs:
# Top 10 rejected connections (potential attacks)
filter action = "REJECT"
| stats count(*) as rejections by srcAddr
| sort rejections desc
| limit 10
# Unusual outbound traffic (data exfiltration indicator)
filter dstPort not in [443, 80, 53]
and srcAddr like /^10\.0\./
| stats sum(bytes) as totalBytes by dstAddr, dstPort
| sort totalBytes desc
| limit 20
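To check the two Logs Insights aggregations above offline, here is an added Python example (not from the original guide or AWS) that parses constructed VPC Flow Log records in the default version 2 format and reproduces both queries; the sample addresses, account id and interface id are made up.

```python
from collections import Counter, defaultdict

# Constructed sample records in the default VPC Flow Log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.50 48211 443 6 40 52000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.77 48212 4444 6 900 48000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.77 48213 4444 6 700 32000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.5 203.0.113.88 48214 8080 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcAddr", "dstAddr",
          "srcPort", "dstPort", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

def parse_flow_logs(text):
    """Yield one dict per well-formed record; NODATA/SKIPDATA rows carry no traffic fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcPort", "dstPort", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec

def top_rejected_sources(records, limit=10):
    """Same as: filter action = "REJECT" | stats count(*) by srcAddr | sort desc | limit N."""
    counts = Counter(r["srcAddr"] for r in records if r["action"] == "REJECT")
    return counts.most_common(limit)

def unusual_outbound(records, allowed_ports=(443, 80, 53), prefix="10.0.", limit=20):
    # Same as: filter dstPort not in [...] and srcAddr like /^10\.0\./
    #          | stats sum(bytes) by dstAddr, dstPort | sort totalBytes desc | limit N
    totals = defaultdict(int)
    for r in records:
        if r["dstPort"] in allowed_ports or not r["srcAddr"].startswith(prefix):
            continue
        totals[(r["dstAddr"], r["dstPort"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]
```

The 80 MB to a single external host on port 4444 is the kind of outlier the second query is meant to surface.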
Amazon Detective provides interactive investigation of security findings. Given a GuardDuty finding, Detective shows the full context: related API calls, network flows, resource interactions, and timeline visualization — reducing investigation time significantly.
Exam Trap: CloudTrail logs can be queried with both Athena (S3-stored logs) and CloudTrail Lake (purpose-built event data store). Athena requires creating a table definition and partitioning for performance. CloudTrail Lake pre-indexes events for faster queries but costs more. If the exam asks about "fastest time to query CloudTrail events during an incident," CloudTrail Lake is the answer — no setup required, immediate SQL queries.
