turbot/tailpipe-mod-aws-cloudtrail-log-detections

AWS CloudTrail Log Detections Mod

Tailpipe is an open-source CLI tool that allows you to collect logs and query them with SQL.

AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.

The AWS CloudTrail Log Detections Mod contains pre-built dashboards and detections, which can be used to monitor and analyze activity across your AWS accounts.

Documentation

Getting Started

Install Powerpipe from the downloads page:

# MacOS
brew install turbot/tap/powerpipe
# Linux or Windows (WSL)
sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"

This mod also requires AWS CloudTrail logs to be collected using Tailpipe with the AWS plugin.

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections

Browsing Dashboards

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Benchmarks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161

Different output formats are also available; for more information, see Output Formats.
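To show what one of the benchmark's detections does under the hood, here is an added stand-alone example (not the mod's own code): it runs a detection query for CloudTrail logging being stopped or a trail deleted over a few constructed records. The column names approximate Tailpipe's aws_cloudtrail_log table and are assumptions, and the query runs on SQLite rather than Tailpipe's DuckDB engine.

```python
import json
import sqlite3

# Constructed sample CloudTrail records (no real account data). Column names
# approximate Tailpipe's aws_cloudtrail_log table and are an assumption.
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01T10:00:00Z", "event_source": "cloudtrail.amazonaws.com",
     "event_name": "DescribeTrails", "source_ip_address": "203.0.113.10",
     "user_identity": {"arn": "arn:aws:iam::111122223333:user/auditor"}, "request_parameters": None},
    {"event_time": "2024-05-01T10:05:00Z", "event_source": "cloudtrail.amazonaws.com",
     "event_name": "StopLogging", "source_ip_address": "198.51.100.7",
     "user_identity": {"arn": "arn:aws:iam::111122223333:user/ops"}, "request_parameters": {"name": "org-trail"}},
    {"event_time": "2024-05-01T10:06:00Z", "event_source": "cloudtrail.amazonaws.com",
     "event_name": "DeleteTrail", "source_ip_address": "198.51.100.7",
     "user_identity": {"arn": "arn:aws:iam::111122223333:user/ops"}, "request_parameters": {"name": "org-trail"}},
    {"event_time": "2024-05-01T10:07:00Z", "event_source": "ec2.amazonaws.com",
     "event_name": "DescribeInstances", "source_ip_address": "203.0.113.10",
     "user_identity": {"arn": "arn:aws:iam::111122223333:user/auditor"}, "request_parameters": None},
]

# Detection: CloudTrail logging stopped or a trail deleted (MITRE ATT&CK T1562.008,
# Impair Defenses: Disable Cloud Logs). Read-only calls such as DescribeTrails do not match.
DETECTION_SQL = """
SELECT event_time, event_name, actor, source_ip_address, trail_name
FROM aws_cloudtrail_log
WHERE event_source = 'cloudtrail.amazonaws.com'
  AND event_name IN ('StopLogging', 'DeleteTrail')
ORDER BY event_time
"""

def load_events(conn, events):
    """Flatten the JSON records into a table shaped like the one the detection queries."""
    conn.execute("""CREATE TABLE aws_cloudtrail_log (
        event_time TEXT, event_source TEXT, event_name TEXT,
        actor TEXT, source_ip_address TEXT, trail_name TEXT)""")
    rows = [(e["event_time"], e["event_source"], e["event_name"],
             e["user_identity"]["arn"], e["source_ip_address"],
             (e["request_parameters"] or {}).get("name")) for e in events]
    conn.executemany("INSERT INTO aws_cloudtrail_log VALUES (?,?,?,?,?,?)", rows)

def detect_cloudtrail_logging_disabled(events):
    """Run the detection over a list of CloudTrail records; return matching rows as dicts."""
    conn = sqlite3.connect(":memory:")
    load_events(conn, events)
    cols = ["event_time", "event_name", "actor", "source_ip_address", "trail_name"]
    return [dict(zip(cols, row)) for row in conn.execute(DETECTION_SQL)]

if __name__ == "__main__":
    for hit in detect_cloudtrail_logging_disabled(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

The two matching rows name the actor, source IP and trail, which is the context a responder needs to decide whether the change was an authorised maintenance action.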