EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityAthenaSplunkOpenSearch

Cloud Forensic Tools: Amazon Athena, Splunk & OpenSearch Investigations

Cloud-scale forensics requires tools capable of querying billions of log events in minutes. Amazon Athena, Splunk, and OpenSearch each provide this capability with different trade-offs. This article covers practical query patterns for forensic investigation.

Ashish Revar3 July 202620 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

Amazon Athena CloudTrail Log Analysis

AWS documentation on querying CloudTrail logs with Athena, including table creation and sample queries.

AWS Security Lake and OCSF

OCSF schema documentation for AWS Security Lake cross-source forensic queries.

Splunk Add-On for AWS

Splunk add-on for ingesting CloudTrail, VPC Flow Logs, and GuardDuty findings.

OpenSearch Security Analytics

OpenSearch Security Analytics documentation for threat detection and forensic querying.

More articlesTest your knowledge

The Scale Challenge in Cloud Forensics

A single AWS account with CloudTrail enabled across all regions and services can generate 10–100 million log events per day. A multi-account organisation with CloudTrail, VPC Flow Logs, S3 data events, and Lambda logs generates orders of magnitude more. Manual log analysis is not feasible at this scale.

Forensic investigation tools must be capable of:

  • Querying petabyte-scale data in minutes
  • Correlating events across multiple log sources
  • Timeline reconstruction sorting events by timestamp across sources
  • Pattern matching to identify TTPs (Tactics, Techniques, and Procedures) from MITRE ATT&CK

Amazon Athena for Cloud Forensics

Amazon Athena is a serverless SQL query service that analyses data stored in S3. For CloudTrail logs delivered to S3, Athena can query the raw JSON files directly using partition projection for performance.

Setting Up Athena for CloudTrail Forensics

-- Create external table for CloudTrail logs
CREATE EXTERNAL TABLE cloudtrail_logs (
  eventversion     STRING,
  useridentity     STRUCT<
    type:           STRING,
    principalid:    STRING,
    arn:            STRING,
    accountid:      STRING,
    accesskeyid:    STRING,
    username:       STRING,
    sessioncontext: STRUCT<
      attributes: STRUCT<
        mfaauthenticated: STRING,
        creationdate:     STRING
      >
    >
  >,
  eventtime        STRING,
  eventsource      STRING,
  eventname        STRING,
  awsregion        STRING,
  sourceipaddress  STRING,
  useragent        STRING,
  errorcode        STRING,
  requestparameters STRING,
  responseelements  STRING,
  requestid        STRING,
  eventid          STRING,
  resources        ARRAY<STRUCT<ARN:STRING,accountId:STRING,type:STRING>>,
  eventtype        STRING,
  apiversion       STRING,
  recipientaccountid STRING
)
COMMENT 'CloudTrail table'
PARTITIONED BY (region STRING, year STRING, month STRING, day STRING)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://your-cloudtrail-bucket/AWSLogs/ACCOUNTID/CloudTrail/'
TBLPROPERTIES ('classification'='cloudtrail');

Forensic Query Patterns

1. All actions by a specific IAM access key (compromised key investigation):

SELECT eventtime, eventname, eventsource, awsregion, sourceipaddress
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAIOSFODNN7EXAMPLE'
  AND year = '2024' AND month = '07' AND day = '03'
ORDER BY eventtime ASC;

2. All S3 GetObject calls on a specific bucket (data exfiltration investigation):

SELECT eventtime,
       useridentity.arn,
       json_extract_scalar(requestparameters, '$.key') AS s3_key,
       sourceipaddress
FROM cloudtrail_logs
WHERE eventname = 'GetObject'
  AND eventsource = 's3.amazonaws.com'
  AND json_extract_scalar(requestparameters, '$.bucketName') = 'sensitive-data-bucket'
  AND year = '2024' AND month = '07'
ORDER BY eventtime ASC;

3. New IAM users created in the last 7 days (backdoor detection):

SELECT eventtime, useridentity.arn AS created_by,
       json_extract_scalar(requestparameters, '$.userName') AS new_user
FROM cloudtrail_logs
WHERE eventname = 'CreateUser'
  AND eventtime > to_iso8601(current_timestamp - interval '7' day)
ORDER BY eventtime DESC;

4. AssumeRole events to external accounts (lateral movement investigation):

SELECT eventtime,
       useridentity.arn AS caller,
       json_extract_scalar(requestparameters, '$.roleArn') AS assumed_role,
       sourceipaddress
FROM cloudtrail_logs
WHERE eventname = 'AssumeRole'
  AND json_extract_scalar(requestparameters, '$.roleArn')
      NOT LIKE '%:123456789012:%'   -- substitute your account ID
ORDER BY eventtime ASC;

Amazon OpenSearch for Real-Time Forensics

OpenSearch (formerly Elasticsearch, open-sourced by AWS) provides full-text search and real-time dashboards over log data. AWS OpenSearch Service is the managed version.

For forensic investigations, OpenSearch provides:

FeatureForensic Use
Kibana/OpenSearch DashboardsTimeline visualisations, IP frequency plots
AlertingReal-time alerts on forensic patterns as new logs arrive
Full-text searchFind specific error messages, usernames, IP addresses across all logs
Anomaly detectionML-based detection of unusual API call volumes or patterns
Cross-cluster searchQuery logs from multiple OpenSearch domains in one query

OpenSearch Query (DSL) for Forensic Investigation

{
  "query": {
    "bool": {
      "must": [
        {"term": {"eventName": "ConsoleLogin"}},
        {"term": {"responseElements.ConsoleLogin": "Failure"}}
      ],
      "filter": {
        "range": {"eventTime": {"gte": "now-1h"}}
      }
    }
  },
  "sort": [{"eventTime": "desc"}],
  "size": 100
}

Splunk for Cloud Forensics

Splunk's Search Processing Language (SPL) is widely used in enterprise SOC environments. The Splunk Add-On for AWS enables ingestion of CloudTrail, VPC Flow Logs, GuardDuty, and S3 access logs.

SPL query — detect CloudTrail disabled and re-enabled within 30 minutes:

index=cloudtrail eventName=StopLogging OR eventName=StartLogging
| stats list(eventName) as actions list(_time) as times by userArn
| where mvcount(actions) >= 2
| eval duration_minutes = (mvindex(times, -1) - mvindex(times, 0)) / 60
| where duration_minutes <= 30

This detects a pattern of "disable trail → do something → re-enable trail" that attackers use to hide their API calls.

Comparison: Athena vs OpenSearch vs Splunk

CriterionAthenaOpenSearchSplunk
Cost modelPay per query (TB scanned)Instance-based (EC2)Licence + ingestion volume
Data sourceS3 (files)OpenSearch index (ingested)Splunk index (ingested)
Query languageStandard SQLDSL / Lucene / PPLSPL (proprietary)
Real-time capabilityNear-real-time (log delivery lag)Real-time (seconds)Real-time
Historical analysisExcellent (full log history in S3)Limited by index retentionLimited by licence
Forensic use caseHistorical investigationReal-time detection + investigationReal-time + historical
Indian deploymentAWS ap-south-1 nativeAWS ap-south-1On-premises or BYOL cloud

For a pure forensic investigation (historical analysis of an already-completed incident), Athena against the raw S3 CloudTrail logs is the most cost-effective and comprehensive tool. For real-time threat hunting during an ongoing incident, OpenSearch or Splunk provides faster results.