| --- |
| language: |
| - en |
| license: llama3.1 |
| library_name: transformers |
| base_model: meta-llama/Llama-3.1-8B-Instruct |
| tags: |
| - aws |
| - cloud-security |
| - security-analysis |
| - wazuh |
| - threat-detection |
| - llama |
| - peft |
| - lora |
| - aws-security |
| - cloudtrail |
| - guardduty |
| - compliance |
| pipeline_tag: text-generation |
| widget: |
| - text: 'Analyze this AWS GuardDuty finding: UnauthorizedAccess:EC2/SSHBruteForce from IP 45.142.120.10' |
| example_title: "AWS GuardDuty Alert" |
| - text: 'Analyze CloudTrail event: AttachUserPolicy with AdministratorAccess by root user' |
| example_title: "AWS IAM Policy Change" |
| model-index: |
| - name: aws-security-analyst |
| results: |
| - task: |
| type: text-generation |
| name: AWS Security Analysis |
| metrics: |
| - type: loss |
| value: 0.03 |
| name: Training Loss |
| - type: eval_loss |
| value: 0.08 |
| name: Validation Loss |
| --- |
| |
| # aws-security-analyst |
|
|
| ## Model Details |
|
|
| - **Model Name:** aws-security-analyst |
| - **Base Model:** OpenNix base model(LLaMA 3.1 8B based) |
| - **License:** llama3.1 |
| - **Model Type:** Causal Language Model (Fine-tuned with LoRA for AWS Security) |
| - **Architecture:** 8B parameters |
| - **Specialization:** AWS Cloud Security Events Analysis |
|
|
| ## Model Description |
|
|
| LLaMA 3.1 8B Instruct model fine-tuned for AWS cloud security event analysis. |
|
|
| Analyzes events from 20+ AWS security sources including CloudTrail, GuardDuty, Security Hub, Macie, Inspector, Config, VPC Flow Logs, WAF, and more. |
|
|
| ### Key Features |
|
|
| - **20+ AWS Security Sources:** CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc. |
| - **MITRE ATT&CK Mapping:** 135 cloud techniques, 14 tactics |
| - **Compliance Framework Support:** 195 items (CIS, PCI-DSS, HIPAA, GDPR, FedRAMP, NIST) |
| - **Attack Scenario Detection:** 20 multi-step attack scenarios |
| - **Severity Mapping:** AWS native scales → Wazuh levels (0-15) |
| - **Advanced Analysis:** Threat assessment, incident response recommendations |
|
|
| ## Training Data |
|
|
| - **Total Samples:** 2000 |
| - **AWS Sources:** 20 (CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.) |
| - **Attack Scenarios:** 20 multi-step scenarios |
| - **MITRE Techniques:** 135 cloud techniques |
| - **Compliance Items:** 195 (CIS 62, PCI-DSS 49, HIPAA 35, GDPR 15, FedRAMP 3, NIST 31) |
|
|
| **Distribution:** |
| - GuardDuty Findings: 86 types |
| - CloudTrail Events: 74 types |
| - Security Hub Findings: CIS, PCI-DSS, HIPAA compliance |
| - VPC Flow Logs: 5 attack patterns |
|
|
| ## Capabilities |
|
|
| ### AWS Security Event Analysis |
|
|
| ```python |
| # Example usage |
| from transformers import AutoModelForCausalLM, AutoTokenizer |
| |
| model = AutoModelForCausalLM.from_pretrained("pyToshka/aws-security-analyst") |
| tokenizer = AutoTokenizer.from_pretrained("pyToshka/aws-security-analyst") |
| |
| # Analyze AWS GuardDuty finding |
| prompt = """Analyze this AWS security event: |
| Event Source: GuardDuty |
| Finding Type: UnauthorizedAccess:EC2/SSHBruteForce |
| Severity: 8.0 |
| Resource: EC2 instance i-1234567890abcdef0 |
| Source IP: 45.142.120.10 |
| |
| Provide: |
| 1. Threat assessment |
| 2. MITRE ATT&CK techniques |
| 3. Compliance impact |
| 4. Recommended actions |
| """ |
| |
| inputs = tokenizer(prompt, return_tensors="pt") |
| outputs = model.generate(**inputs, max_new_tokens=512) |
| response = tokenizer.decode(outputs[0]) |
| ``` |
|
|
| ### Supported AWS Sources |
|
|
| - CloudTrail API calls |
| - GuardDuty threat findings |
| - Security Hub compliance findings |
| - VPC Flow Logs network traffic |
| - WAF web application attacks |
| - Macie data sensitivity findings |
| - Inspector vulnerability findings |
| - Config compliance events |
| - IAM Access Analyzer findings |
| - Route 53 DNS queries |
| - RDS database logs |
| - EKS Kubernetes audit logs |
| - CloudWatch alarms |
| - EventBridge events |
| - AWS Budgets alerts |
| - Threat Intelligence IOCs |
|
|
| ## Use Cases |
|
|
| - AWS security event triage and analysis |
| - GuardDuty finding interpretation |
| - CloudTrail event investigation |
| - Compliance violation detection (CIS, PCI-DSS, HIPAA, GDPR) |
| - MITRE ATT&CK technique mapping |
| - Multi-source event correlation |
| - Attack scenario detection |
| - Incident response planning |
|
|
| ## Limitations |
|
|
| - Trained on synthetic AWS security events |
| - May require validation on real-world data |
| - Performance depends on input quality |
| - Best used as assistant tool, not replacement for human analysis |
|
|
| ## Citation |
|
|
| If you use this model in your research or application, please cite: |
|
|
| ```bibtex |
| @misc{{wazuh_aws_security_llama_aws_security_analyst, |
| title={{Wazuh AWS Security Analyst based on LLaMA 3.1 8B}}, |
| author={{pyToshka}}, |
| year={{2025}}, |
| publisher={{HuggingFace}}, |
| url={{https://huggingface.co/pyToshka/aws-security-analyst}} |
| }} |
| ``` |
|
|
| ## Acknowledgments |
|
|
| Built with: |
|
|
| - **Data:** AWS security documentation, MITRE ATT&CK Cloud Matrix, Wazuh Rules, and more |
| - **Training:** Wazuh, AWS |
|
|
| ## License |
|
|
| This model inherits the LLaMA 3.1 Community License from the base model. |
|
|
| ## Contact |
|
|
| Issues: Please open an issue on the repository |
|
|
| ## Disclaimer |
|
|
| This model is provided for research and educational purposes. Always validate outputs with human security expertise before taking action on security incidents. |
|
|
