JU

juansasoc/AWS-Threat-Hunting-Field-Guide

Field guide for threat hunting in AWS: workbooks, queries, and frameworks tailored for CloudTrail, GuardDuty, Detective, and real-world SOC investigations.

aws aws-cloudtrail aws-guardduty cloud cloud-forensics cloud-threat-hunting cybersecurity security-operations soc threat-hunting

AWS Threat Hunting — Field Guide

Hunts-first AWS detection-engineering field guide with ES|QL queries, Sigma scaffolds, and AI prompt templates.
Coverage: IAM, S3, CloudTrail/Config/KMS, VPC/Network, EC2/EBS, Lambda, EKS, DNS, CloudFront/API, Secrets, GuardDuty correlations.

Quick Start

Browse detections/ for copy/paste queries.
Use prompts/ to tune hunts for your schema.
Track readiness with checklists/hunt-readiness.md.

Portable Artifacts

ES|QL: esql/core/*
Sigma: sigma/core/*

See detections/ for hunts, prompts/ for LLM tuning, sigma/ and esql/ for portable artifacts.

On this page

Contributors

Other

Created October 31, 2025

Updated November 3, 2025