mukul975/analyzing-cloud-storage-access-patterns
skills/analyzing-cloud-storage-access-patterns/SKILL.md
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
$ install --global
skillsauthnpx skillsauth add mukul975/cyber-skills analyzing-cloud-storage-access-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 3:42 PM15.2s1 file scanned
SKILL.md
- name:
- analyzing-cloud-storage-access-patterns
- description:
- Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
- domain:
- cybersecurity
- subdomain:
- cloud-security
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Analyzing Cloud Storage Access Patterns
When to Use
- When investigating security incidents that require analyzing cloud storage access patterns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
- Install dependencies:
pip install boto3 requests - Query CloudTrail for S3 Data Events using AWS CLI or boto3.
- Build access baselines: hourly request volume, per-user object counts, source IP history.
- Detect anomalies:
- After-hours access (outside 8am-6pm local time)
- Bulk downloads: >100 GetObject calls from single principal in 1 hour
- New source IPs not seen in the prior 30 days
- ListBucket enumeration spikes (reconnaissance indicator)
- Generate prioritized findings report.
python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json
Examples
CloudTrail S3 Data Event
{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"},
"sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}}
Related Skills
mukul975/acquiring-disk-image-with-dd-and-dcfldd
content-media
VerifiedTrustedCommunity
Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
13,651SKILL.mdUpdated Apr 16, 2026
mukul975/building-phishing-reporting-button-workflow
tools
VerifiedTrustedCommunity
Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters.
12,656SKILL.mdUpdated May 31, 2026
mukul975/building-patch-tuesday-response-process
development
VerifiedTrustedCommunity
Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates within risk-based remediation SLAs.
12,656SKILL.mdUpdated May 31, 2026
mukul975/building-malware-incident-communication-template
development
VerifiedTrustedCommunity
Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
12,656SKILL.mdUpdated May 31, 2026