
Upwind Now Supports CloudTrail Log Aggregation for More Accurate Detections
A security team at a large financial services company once spotted a troubling pattern: a low-privilege IAM role listed IAM users, created an inline policy, and then assumed a higher-privilege role. Each action looked routine on its own and slipped past their detection system, which analyzed events in isolation. Only later, during a manual review, did the team realize these actions formed a clear privilege escalation sequence – and that it had gone unaddressed for days.
This kind of visibility gap is common when relying solely on single-event detections. AWS CloudTrail provides detailed logs of AWS activity, but without the ability to connect related actions across time and resources, it’s easy to miss high-risk behavior.
That’s where Upwind helps. We’re introducing a new capability to the platform: AWS CloudTrail log aggregation. With this capability, Upwind analyzes patterns of activity across multiple events, allowing teams to identify suspicious behavior that would otherwise remain hidden in isolated logs.
In this blog, we’ll explain what AWS CloudTrail logs are, why detecting threats based on them is challenging, how Upwind solves this problem through aggregation, and the benefits this brings to security teams.
What Are AWS CloudTrail Logs?
AWS CloudTrail is a logging service that captures a detailed record of actions taken by users, roles, or services in an AWS environment. These include management operations such as creating resources, updating configurations, or modifying access controls. Each CloudTrail event contains key information: the identity of the actor, the action taken, the target resource, and the timestamp. This makes CloudTrail an essential source for security auditing and forensic investigations, and organizations rely on it to understand who did what, when, and where across their cloud infrastructure.
The Challenge with CloudTrail-Based Detections
Despite the depth of information CloudTrail provides, detecting threats using these logs remains difficult for most teams. This is primarily due to three limitations:
- Event-level isolation: Each CloudTrail log reflects a single action. Without broader context, it’s difficult to tell if that action is part of normal operations or something more suspicious.
- Lack of behavioral correlation: Malicious actors often spread their actions across time and services to avoid detection. A privilege escalation or data exfiltration attempt might involve several steps that appear unrelated when viewed individually.
- High noise levels: CloudTrail logs contain a large amount of routine activity. In environments with thousands of daily events, it’s hard to separate truly risky activity from normal operations.
The result is that many real threats either go undetected or are only discovered long after the fact, during manual log reviews or post-incident investigations.
The Upwind Solution: Log Aggregation for Pattern Detection
Upwind now supports AWS CloudTrail log aggregation, enabling the platform to correlate and analyze related activity across multiple events in real time. Instead of evaluating each log entry in isolation, Upwind tracks repeated or sequenced behavior by the same user or role across different resources. This makes it possible to identify patterns that indicate threats such as privilege escalation, misuse of access, or reconnaissance activity.
This enhancement introduces support for three detection types:
1. Binary Detection: Triggered by a single high-risk CloudTrail event, such as disabling logging or deleting a KMS key. This continues to support clear, standalone security violations.
2. Count-Based Detection: Triggered when a specific action is repeated multiple times. For example, if a role lists S3 buckets hundreds of times in a short window, this may indicate reconnaissance or automated enumeration.
3. Sequence-Based Detection: Triggered by a defined sequence of different actions that, together, suggest malicious intent. A common example might be listing IAM users, attaching a policy, and then assuming a new role.

Final Thoughts
CloudTrail is a powerful tool for understanding activity in AWS environments, but event-level logging alone isn’t enough to catch sophisticated threats. Without the ability to aggregate and correlate related actions, security teams are left with blind spots and delayed responses.
Upwind’s new CloudTrail log aggregation addresses this gap by enabling pattern-based detection across multiple events, leading to more reliable alerts, better context, and faster resolution.
See It in Action
Want to see how AWS CloudTrail log aggregation can improve detection in your environment? Book a personalized demo with our team to explore how Upwind can help your team detect threats earlier and respond faster.