Investigating Incidents with SQL Queries
Filter millions of events down to the actions that matter.
Investigation as Querying
With CloudTrail and Flow Logs cataloged, an investigation becomes a series of SQL queries that filter billions of events down to the few that matter. The skill is knowing what to ask: who did what, from where, and when. This lesson covers the query patterns investigators rely on.
Finding Activity by a Principal
When a credential is suspected of being compromised, you query every action taken by that principal. Filtering CloudTrail on userIdentity.arn or on the access key ID reveals each API call it made, in order. This timeline of the attacker's actions is often the single most valuable output of an investigation.
-- Every API call made with the suspect access key, in chronological order.
SELECT eventtime, eventname, sourceipaddress
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAEXAMPLE'
ORDER BY eventtime;
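An added example, not from the course, that builds on the query above: instead of listing every call, it summarises what the suspect key did, from which source addresses, over what window, and separates read-only calls from state-changing ones. It assumes the same cloudtrail_logs table with the standard CloudTrail column names (eventtime as an ISO-8601 string, useridentity as a struct, errorcode); the key ID and the date range are placeholders.

```sql
-- Added example: activity summary for one suspected compromised access key.
-- Assumes the Athena table cloudtrail_logs with standard CloudTrail columns.
-- 'AKIAEXAMPLE' and the time window are placeholders, not values from the page.
WITH suspect AS (
  SELECT
    from_iso8601_timestamp(eventtime) AS ts,
    eventsource,
    eventname,
    sourceipaddress,
    errorcode,
    -- Describe*/List*/Get*/Head* calls are read-only reconnaissance;
    -- anything else changed state in the account and needs review first.
    NOT regexp_like(eventname, '^(Describe|List|Get|Head)') AS mutating
  FROM cloudtrail_logs
  WHERE useridentity.accesskeyid = 'AKIAEXAMPLE'
    -- Bound the scan to the incident window to limit data read (and cost).
    AND eventtime BETWEEN '2024-01-01T00:00:00Z' AND '2024-01-08T00:00:00Z'
)
SELECT
  eventsource,
  eventname,
  sourceipaddress,
  mutating,
  count(*)                        AS calls,
  -- Denied or failed calls (errorcode set) often show the key probing
  -- permissions it does not have; they are worth a look too.
  count_if(errorcode IS NOT NULL) AS failed_calls,
  min(ts)                         AS first_seen,
  max(ts)                         AS last_seen
FROM suspect
GROUP BY eventsource, eventname, sourceipaddress, mutating
-- State-changing calls first, then in the order they began.
ORDER BY mutating DESC, first_seen;
```

Each row answers "who did what, from where, and when" for one API/source pair; the first_seen column gives the timeline skeleton, and a source IP that only appears in the mutating rows is a strong lead.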