@andreswebs
Forked from invictus-ir/CloudTrail.csv
Created April 24, 2024 02:12
An overview of CloudTrail events that are interesting from an Incident Response perspective
Initial Access,Execution,Persistence,Privilege Escalation,Defense Evasion,Credential Access,Discovery,Lateral Movement,Exfiltration,Impact
ConsoleLogin,StartInstance,CreateAccessKey,CreateGroup,StopLogging,GetSecretValue,ListUsers,AssumeRole,CreateSnapShot,PutBucketVersioning
PasswordRecoveryRequested,StartInstances,CreateUser,CreateRole,DeleteTrail,GetPasswordData,ListRoles,SwitchRole,ModifySnapshotAttributes,RunInstances
,Invoke,CreateNetworkAclEntry,UpdateAccessKey,UpdateTrail,RequestCertificate,ListIdentities,,ModifyImageAttribute,DeleteAccountPublicAccessBlock
,SendCommand,CreateRoute,PutGroupPolicy,PutEventSelectors,UpdateAssumeRolePolicy,ListAccessKeys,,SharedSnapshotCopyInitiated,
,,CreateLoginProfile,PutRolePolicy,DeleteFlowLogs,,ListServiceQuotas,,SharedSnapshotVolumeCreated,
,,AuthorizeSecurityGroupEgress,PutUserPolicy,DeleteDetector,,ListInstanceProfiles,,ModifyDBSnapshotAttribute,
,,AuthorizeSecurityGroupIngress,AddRoleToInstanceProfile,DeleteMembers,,ListBuckets,,PutBucketPolicy,
,,CreateVirtualMFADevice,AddUserToGroup,DeleteSnapshot,,ListGroups,,PutBucketAcl,
,,CreateConnection,,DeactivateMFADevice,,GetSendQuota,,,
,,ApplySecurityGroupsToLoadBalancer,,DeleteCertificate,,GetCallerIdentity,,,
,,SetSecurityGroups,,DeleteConfigRule,,DescribeInstances,,,
,,AuthorizeDBSecurityGroupIngress,,DeleteAccessKey,,GetBucketAcl,,,
,,CreateDBSecurityGroup,,LeaveOrganization,,GetBucketVersioning,,,
,,ChangePassword,,DisassociateFromMasterAccount,,GetAccountAuthorizationDetails,,,
,,,,DisassociateMembers,,,,,
,,,,StopMonitoringMembers,,,,,