
Monitor CloudTrail logs with this Python Slack bot – who is using the AWS Console?


#! /usr/local/env python
# coding: utf-8
import asyncio
import glob
import gzip
import ipaddress
import json
import logging
import os
import socket
import sys
from pprint import pprint
from urllib.parse import urlencode
from urllib.parse import urljoin
import urllib.request as urlrequest

import boto
import pandas as pd
# Older pandas exposed this as pandas.io.json.json_normalize; the public
# top-level name works on every pandas release that is still supported.
from pandas import json_normalize
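class Slack():
    """Minimal client for posting messages to a Slack incoming webhook.

    The webhook URL is a bearer secret: anyone holding it can post to the
    channel as this bot. It is therefore read from the ``SLACK_WEBHOOK_URL``
    environment variable when ``url`` is not given, so it never has to be
    pasted into the script, and only ``https://`` URLs are accepted so the URL
    and the alert text are never sent in cleartext.
    """

    def __init__(self, url="", timeout=10.0):
        """Create a client for the webhook at ``url``.

        Args:
            url: Slack incoming-webhook URL. The empty string (the default)
                means "use the SLACK_WEBHOOK_URL environment variable".
            timeout: socket timeout in seconds for the POST, so an unreachable
                Slack endpoint cannot hang the whole log-processing run.

        Raises:
            ValueError: if no URL is available, or it does not use https.
        """
        url = url or os.environ.get("SLACK_WEBHOOK_URL", "")
        if not url:
            raise ValueError(
                "no Slack webhook URL given and SLACK_WEBHOOK_URL is not set")
        if not url.lower().startswith("https://"):
            raise ValueError("Slack webhook URL must use https://")
        self.url = url
        self.timeout = timeout
        # The default handler set includes HTTPSHandler, which (Python 3.4.3+)
        # verifies the server certificate against the system trust store; an
        # explicit HTTPHandler, as the original passed, adds nothing.
        self.opener = urlrequest.build_opener()

    def notify(self, **kwargs):
        """Send message to slack API.

        Keyword arguments become the webhook payload fields (``text``,
        ``channel``, ``username``, ``icon_emoji``, ...).

        Returns:
            The decoded response body.
        """
        return self.send(kwargs)

    def send(self, payload):
        """Send payload to slack API.

        ``payload`` is JSON-encoded and POSTed as the ``payload`` form field,
        the format incoming webhooks accept.

        Returns:
            The decoded response body.

        Raises:
            urllib.error.HTTPError / URLError: when the POST fails or times
                out, rather than returning an error body that looks like a
                successful post.
        """
        payload_json = json.dumps(payload)
        data = urlencode({"payload": payload_json}).encode("utf-8")
        req = urlrequest.Request(self.url, data=data, method="POST")
        # The response is a context manager; closing it releases the socket
        # even if decoding fails.
        with self.opener.open(req, timeout=self.timeout) as response:
            return response.read().decode("utf-8")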
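class CloudtrailAnalysis():
    """Look up security-relevant events in a ``json_normalize``d CloudTrail frame.

    ``df_data`` is expected to come from ``json_normalize(records)`` where
    ``records`` is a CloudTrail ``Records`` list, so nested keys appear as
    dotted column names such as ``userIdentity.userName``.
    """

    @staticmethod
    def check_value(file_name, df_data, value):
        """Return a summary of the first ``value`` event in ``df_data``, or None.

        Args:
            file_name: path of the log file the frame came from. Unused; kept
                so existing call sites keep working.
            df_data: DataFrame built with ``json_normalize`` from a CloudTrail
                ``Records`` list.
            value: CloudTrail ``eventName`` to look for, e.g. ``"ConsoleLogin"``.

        Returns:
            ``(eventName, eventTime, sourceIPAddress, userName)`` for the
            first matching record, with ``"noNameFound"`` when the record has
            no ``userIdentity.userName``. ``None`` when no record matches or
            the frame has no ``eventName`` column at all (an empty ``Records``
            list normalizes to a frame with no columns).

        NOTE(review): only the first match per file is returned, so several
        logins inside one delivery file collapse into a single alert. Callers
        that want every match should use ``check_values``.
        """
        matches = CloudtrailAnalysis.check_values(file_name, df_data, value)
        return matches[0] if matches else None

    @staticmethod
    def check_values(file_name, df_data, value):
        """Return one summary tuple per record whose ``eventName`` is ``value``.

        Same arguments and tuple layout as ``check_value``; returns ``[]``
        when nothing matches or the ``eventName`` column is absent.
        """
        if "eventName" not in df_data.columns:
            return []
        frame = df_data[df_data["eventName"] == value]
        results = []
        for _, row in frame.iterrows():
            # json_normalize fills NaN when only some records carry the key,
            # and Series.get returns None when no record carries it at all.
            name = row.get("userIdentity.userName")
            if name is None or pd.isna(name):
                name = "noNameFound"
            results.append(
                (value, row.get("eventTime"), row.get("sourceIPAddress"), name))
        return results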
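async def get_file_analyse_local_events(zipped, event, outgoing_message):
    """Scan one gzipped CloudTrail delivery file for ``event`` records.

    Args:
        zipped: path to a ``*.json.gz`` CloudTrail file.
        event: CloudTrail ``eventName`` to look for.
        outgoing_message: list the match summary is appended to (mutated in
            place; nothing is appended when there is no match).

    Returns:
        The ``CloudtrailAnalysis.check_value`` tuple for the first matching
        record, or ``None`` when the file holds no such event or cannot be
        read. Declared ``async`` to fit the existing callers; the file I/O
        itself is blocking.
    """
    try:
        with gzip.open(zipped, "rb") as f:
            # CloudTrail writes JSON; decode as UTF-8 rather than ASCII so a
            # record with a non-ASCII user agent or resource name does not
            # abort the whole run.
            d = json.loads(f.read().decode("utf-8"))
        records = d["Records"]
    except (OSError, ValueError, KeyError, TypeError) as exc:
        # An unreadable log is a visibility gap for a security monitor, so it
        # is reported explicitly instead of either crashing the batch or being
        # skipped silently.
        logging.warning("skipping %s: %s", zipped, exc)
        return None
    if not records:
        # An empty Records list normalizes to a frame without columns.
        return None
    df_data = json_normalize(records)
    # Evaluate once; the original called check_value three times per file.
    result = CloudtrailAnalysis.check_value(zipped, df_data, event)
    if result is not None:
        outgoing_message.append(result)
    return result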
async def main(unzipped: str, event: str, outgoing_message: list) -> None:
    """Process one log file for one event name.

    Thin wrapper that awaits ``get_file_analyse_local_events`` and discards
    its return value; matches are collected through ``outgoing_message``.
    Despite the parameter name, ``unzipped`` is the path of the gzipped
    ``*.json.gz`` file (the caller passes the glob result straight through).
    """
    await get_file_analyse_local_events(unzipped, event, outgoing_message)
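# Other events worth alerting on (CreateKeyPair, CheckMfa, PutUserPolicy,
# DeleteTrail, ...) can be enabled through CLOUDTRAIL_EVENTS below without
# editing the script.
def slack_escape(text):
    """Escape the characters Slack's message format treats as markup.

    The alert text is built from log-derived strings (user names, source IPs,
    event names); escaping ``&``, ``<`` and ``>`` keeps such strings from
    being rendered as links or mentions.
    """
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


if __name__ == "__main__":
    # Directory holding the CloudTrail delivery files. The original hard-coded
    # path stays as the default so existing setups keep working.
    log_dir = os.environ.get("CLOUDTRAIL_LOG_DIR", "/Users/bigsnarfdude/cloudtrail_logs")
    hdd_files = sorted(glob.glob(os.path.join(log_dir, "*.json.gz")))
    # Comma-separated eventName values to alert on.
    security_events = [
        e.strip()
        for e in os.environ.get("CLOUDTRAIL_EVENTS", "ConsoleLogin").split(",")
        if e.strip()
    ]
    # The webhook URL is a secret: it comes from the environment, never from
    # the source file. Fail before doing any work if it is missing.
    webhook_url = os.environ.get("SLACK_WEBHOOK_URL", "")
    if not webhook_url:
        sys.exit("SLACK_WEBHOOK_URL is not set; nowhere to post alerts")
    outgoing_message = []
    # A private loop instead of get_event_loop() (deprecated for this use in
    # newer Python); it is closed even if a file fails to parse.
    loop = asyncio.new_event_loop()
    try:
        for zipped in hdd_files:
            for event in security_events:
                loop.run_until_complete(main(zipped, event, outgoing_message))
    finally:
        loop.close()
    # One line per distinct (event, time, source IP, user). sorted() returns
    # the list; the original assigned list.sort()'s None return value.
    deduped = sorted(str(x) for x in set(outgoing_message))
    # An empty post is rejected by the webhook anyway; only post when there is
    # something to report.
    if deduped:
        post = "\n".join(slack_escape(line) for line in deduped)
        slack = Slack(url=webhook_url)
        slack.notify(text=post, channel="#testing", username="security-bot",
                     icon_emoji=":robot_face:")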


One response to “Monitor Cloudtrail logs with this Python Slackbot – Who is using AWS Console?

  1. Pingback: Security ChatBots | BigSnarf blog
