Identity-first detection engineering for AWS IAM, nested access paths, and reviewable security context.
IdentityRiskGraph starts with realistic CloudTrail IAM events, detects risky identity control-plane changes, resolves nested access paths, and turns noisy IAM activity into reviewable risk context.
Real screenshots from the running app and terminal detector are stored in screenshots/ and cover the following views:

- Overview
- CloudTrail IAM Detections
- Risky Identities
- Detection Finding Detail
- User Investigation
- Identity Graph
- Terminal Detector Output
IAM and SOC teams often receive alerts that are technically accurate but operationally noisy. A policy attachment, group membership change, or console login may be normal in one context and risky in another.
This project shows how identity context can make detection engineering more useful: who the identity is, what role they have, how access was inherited, what device or IP was used, and whether recent changes explain the activity.
Many alerts stop at the event name:
- `AttachUserPolicy`
- `AddUserToGroup`
- `CreateAccessKey`
- `ConsoleLogin`
- `StopLogging`
Those event names matter, but they are not enough. The same event can mean different things depending on whether the target is a contractor, service account, global admin, dormant account, finance user, or inherited member of a privileged group.
IdentityRiskGraph asks:
Is this event weird for this identity, in this role, from this device, at this time, with this access path?
Risk scoring uses:
- user type and department
- account status and stale behavior
- direct and inherited roles
- nested group depth
- sensitive permissions
- device trust
- location anomalies
- recent role and group changes
- CloudTrail IAM control-plane findings
- MITRE ATT&CK-mapped detection severity
cloudtrail_detector.py parses raw CloudTrail-style JSON and prints readable IAM alerts for fast command-line review.
```bash
python cloudtrail_detector.py --file data/cloudtrail/sample_cloudtrail_iam_events.json
python cloudtrail_detector.py --engine yaml --file data/cloudtrail/suspicious_cloudtrail_events.json
```

The dashboard combines CloudTrail findings with simulated enterprise IAM context, permission resolution, risk context, graph visualization, exports, and analyst notes.

```bash
python -m streamlit run app.py
```

Skills demonstrated:

- Python data parsing
- CloudTrail IAM event analysis
- Detection engineering logic
- IAM risk modeling
- Nested group and permission resolution
- MITRE ATT&CK mapping
- Streamlit dashboard development
- Investigation workflow
- Explainable risk context
- Test coverage and documentation
Features:

- CloudTrail parser supporting single-event, list, and `Records[]` formats
- AWS IAM detections for risky control-plane activity
- Clean terminal alert output
- Streamlit dashboard with CloudTrail, identity risk, findings, graph, investigation, raw event, and export pages
- Simulated enterprise IAM data with users, groups, roles, devices, resources, events, and account changes
- Effective permission resolver for direct roles, inherited roles, nested groups, denies, and permission boundaries
- Rule-specific recommendations and MITRE mappings
- Detection-as-code foundation in `rules/cloudtrail_iam_rules.yaml`
- Optional YAML detection engine for simple CloudTrail IAM rule execution
- Splunk-friendly JSON export
- GitHub REST API adapter for public repository context and review notes
- Pytest suite and GitHub Actions CI
```mermaid
flowchart LR
    A[CloudTrail JSON] --> B[CloudTrail Parser]
    B --> C[AWS IAM Detections]
    C --> D[Terminal Alerts]
    C --> E[Normalized Findings]
    F[Simulated IAM Data] --> G[Permission Resolver]
    G --> H[Enterprise Detections]
    E --> I[Risk Engine]
    H --> I
    G --> J[Identity Graph]
    I --> K[Streamlit Dashboard]
    J --> K
    K --> L[CSV / JSON / Markdown / Splunk Export]
```
CloudTrail IAM:
- AdministratorAccess attached to user
- AdministratorAccess attached to group
- User added to privileged group
- Inline policy created for user or group
- Access key created for human-style user
- Console login from unusual IP
- CloudTrail `StopLogging` or `DeleteTrail`
- AssumeRole into sensitive role
- Policy version broadened with wildcard access
- Repeated IAM reconnaissance before privilege change
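As an added example (not the project's own code), here is the parser and two of the checks above in working form: it accepts the single-event, list, and `Records[]` input shapes, normalizes the fields the rules need, and flags an AdministratorAccess attachment and a `StopLogging`/`DeleteTrail` call. The sample events, the severity values, and the ATT&CK technique ids are this example's choices, not the project's mappings.

```python
import json
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def parse_cloudtrail(raw):
    """Accept a JSON string or object: one event, a list, or a {"Records": [...]} envelope."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(data, dict) and "Records" in data:
        records = data["Records"]
    elif isinstance(data, list):
        records = data
    elif isinstance(data, dict):
        records = [data]
    else:
        raise ValueError("unsupported CloudTrail input shape")
    return [normalize(r) for r in records]

def normalize(rec):
    """Flatten the fields the detections need; missing fields become None/'unknown', not KeyError."""
    ident = rec.get("userIdentity") or {}
    return {
        "time": rec.get("eventTime"),
        "event": rec.get("eventName"),
        "actor": ident.get("userName") or ident.get("arn") or "unknown",
        "source_ip": rec.get("sourceIPAddress"),
        "params": rec.get("requestParameters") or {},
    }

def detect(events):
    """Two of the rules listed above; ATT&CK ids are this example's choice, not the project's."""
    findings = []
    for e in events:
        if e["event"] == "AttachUserPolicy" and e["params"].get("policyArn") == ADMIN_POLICY_ARN:
            findings.append({"rule": "AdministratorAccess attached to user", "severity": "critical",
                             "attack": "T1098", "actor": e["actor"], "target": e["params"].get("userName")})
        elif e["event"] in ("StopLogging", "DeleteTrail"):
            findings.append({"rule": f"CloudTrail {e['event']}", "severity": "high",
                             "attack": "T1562.008", "actor": e["actor"], "target": e["params"].get("name")})
    return findings
# Constructed sample in the Records[] envelope shape (not real CloudTrail data).
SAMPLE = {"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-build", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.5"},
]}
```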
Enterprise IAM simulation:
- Toxic permission combinations
- Nested group privilege escalation
- Dormant account access
- Privileged access from untrusted device
- Impossible travel
- Role change followed by sensitive access
- Service account interactive login
- Contractor with privileged access
- Data exfiltration pattern
Risk scores are deterministic and explainable.
Bands:
- Low: 0-29
- Medium: 30-59
- High: 60-79
- Critical: 80-100
Every user has a factor breakdown showing what added points and why. Example factors include privilege level, inherited roles, nested group depth, sensitive permissions, stale status, device trust, and detection deltas.
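An added example (not the project's resolver or risk engine) showing how the permission resolver and the factor breakdown fit together: access inherited through nested groups, an explicit deny, a permission boundary that only caps, then a deterministic score placed into the bands above. The group data, point weights, and sensitive-action set are constructed for this illustration.

```python
SENSITIVE = {"iam:*", "s3:*", "kms:*"}   # assumed sensitive actions for this example
BANDS = [(80, "Critical"), (60, "High"), (30, "Medium"), (0, "Low")]  # bands from the README

# Constructed directory: group -> (parent groups whose actions members inherit, direct actions)
GROUPS = {
    "cloud-admins": ([], {"iam:*", "kms:*"}),
    "platform": (["cloud-admins"], {"s3:*"}),
    "engineers": (["platform"], {"ec2:Describe*"}),
}
USERS = {
    "carol": {"groups": ["cloud-admins"], "deny": {"kms:*"}, "boundary": None, "stale": False},
    "dave": {"groups": ["engineers"], "deny": set(), "boundary": {"ec2:Describe*", "s3:*"}, "stale": True},
}

def resolve(user):
    """Return (effective actions, deepest nesting level) for a user."""
    allowed, depth, seen = set(), 0, set()
    stack = [(g, 1) for g in USERS[user]["groups"]]
    while stack:
        group, level = stack.pop()
        if group in seen:                      # guard against group cycles
            continue
        seen.add(group)
        parents, actions = GROUPS[group]
        allowed |= actions
        depth = max(depth, level)
        stack.extend((p, level + 1) for p in parents)
    allowed -= USERS[user]["deny"]             # explicit deny beats any allow
    boundary = USERS[user]["boundary"]
    if boundary is not None:
        allowed &= boundary                    # a boundary caps access, never grants it
    return allowed, depth

def score(user):
    """Deterministic score with a factor list explaining every point added."""
    perms, depth = resolve(user)
    factors = []
    sensitive = sorted(perms & SENSITIVE)
    if sensitive:
        factors.append((f"sensitive permissions {sensitive}", 25 * len(sensitive)))
    if "iam:*" in perms:
        factors.append(("can modify IAM itself", 30))
    if depth > 1:
        factors.append((f"access inherited through {depth} nested group levels", 10 * depth))
    if USERS[user]["stale"]:
        factors.append(("stale account still holds access", 20))
    total = min(100, sum(points for _, points in factors))
    band = next(name for floor, name in BANDS if total >= floor)
    return {"user": user, "score": total, "band": band, "factors": factors}
```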
- Open CloudTrail IAM Detections.
- Review `AdministratorAccess Attached To User`.
- Note the actor, target identity, policy, source IP, and MITRE mapping.
- Open Risky Identities and find the target or related actor.
- Open User Investigation to review effective permissions, recent events, group paths, and detections.
- Use Identity Graph to inspect how access is inherited.
- Export findings as CSV, JSON, Markdown, or Splunk-friendly JSON.
For a presenter-friendly walkthrough, see docs/demo_walkthrough.md.
```text
IdentityRiskGraph/
  app.py
  cloudtrail_detector.py
  data/
    cloudtrail/
    users.json
    groups.json
    roles.json
    events.json
  docs/
  rules/
    cloudtrail_iam_rules.yaml
  screenshots/
  src/
    aws_iam_detections.py
    cloudtrail_parser.py
    detections.py
    permission_resolver.py
    risk_engine.py
    rule_loader.py
    splunk_export.py
  tests/
```
Install:

```bash
python -m pip install -r requirements.txt
```

Run tests:

```bash
python -m pytest -q
```

Run dashboard:

```bash
python -m streamlit run app.py
```

Run CloudTrail demo:

```bash
python cloudtrail_detector.py --file data/cloudtrail/sample_cloudtrail_iam_events.json
python cloudtrail_detector.py --file data/cloudtrail/suspicious_cloudtrail_events.json
python cloudtrail_detector.py --engine yaml --file data/cloudtrail/suspicious_cloudtrail_events.json
```

Fetch public GitHub repository context:

```bash
python -m src.github_repo_context srkyn/IdentityRiskGraph
```

This optional adapter reads public GitHub REST API metadata and prints review notes for repository visibility, maintenance state, topics, issue workflow, and licensing. See docs/github_api_integration.md.

Makefile shortcuts:

```bash
make install
make test
make run
make cloudtrail-demo
make github-context
```

The test suite covers:

- CloudTrail `Records[]` parsing
- normalized CloudTrail output
- AWS IAM detections
- YAML rule loading
- YAML rule execution against CloudTrail events
- Splunk export shape
- nested group resolution
- permission boundaries
- enterprise detection logic
- risk band and explainability output
- Expand YAML detection-as-code execution beyond the current rule foundation.
- Add ATT&CK Navigator layer export.
- Add Sigma-style export for IAM detections.
- Add AWS IAM Access Analyzer-style simulated import.
- Add GCP IAM policy import using the same inheritance model.
- Add Entra ID / Microsoft Graph simulated import.
- Add persisted analyst notes with SQLite.
- Add screenshots and a short demo GIF.
Python, Streamlit, CloudTrail, AWS IAM, identity security, detection engineering, SOC investigation workflows, MITRE ATT&CK, risk modeling, graph analysis, JSON/YAML parsing, pytest, GitHub Actions, and technical documentation.
All data is simulated. This project is defensive only. It does not collect credentials, use real API keys, connect to production tenants, or perform offensive exploitation.
For public reporting boundaries and safe sample-data guidance, see SECURITY.md.