# Vector search for SOC

### Initialize connection to elasticsearch.

In [2]:
from dotenv import load_dotenv
from elasticsearch import Elasticsearch
import os
from pandas import json_normalize
import pandas as pd
import json
from IPython.display import display


pd.set_option('display.max_colwidth', None)

load_dotenv()
cloud_id = os.getenv('cloud_id')
api_key = os.getenv('api_key')


client = Elasticsearch(
    cloud_id=cloud_id,
    api_key=api_key
)


### 1. Start by searching for suspicious access to the S3 bucket with secret file
    First we can see example of problem with approximate kNN search capturing results that go in the right direction but lack precision. Model used here is SecureBERT. After experimenting wiht it I switched to elasticsearch sparse vector model called ELSER.

In [16]:
query = "get object from s3 bucket name bsides-zagreb"

''' Some other query examples also tried 
    query = "bucket name bsides-zagreb data exfiltration to external IP address"
    query = "bucket bsides-zagreb data leak"
    query = "get data from s3 bucket named bsides-zagreb"
''' 


response = client.search(
    index=".ds-logs-aws.cloudtrail-default-2025.03.04-000014",
    size=20,
    query={
      "knn": {
        "field": "message_secure_bert_max_inp",
        "k": 20,
        "num_candidates": 10000,
        "query_vector_builder": {
          "text_embedding": {
            "model_id": "secure-bert",
            "model_text": f"{query}"
      }
    }
  }
},
)

results = []

for hit in response["hits"]["hits"]:
    
    event_original = json.loads(hit["_source"]["event"]["original"])
    event_original['score'] = hit["_score"]
    results.append(event_original)
        
df_all = pd.DataFrame(results)
df_cleaned= df_all[['score','eventTime','userIdentity', 'eventName', 'awsRegion', "sourceIPAddress", 'userAgent', 'requestParameters', 'resources']]

display(df_cleaned)


Unnamed: 0,score,eventTime,userIdentity,eventName,awsRegion,sourceIPAddress,userAgent,requestParameters,resources
0,3.863222,2025-02-25T09:17:32Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
1,3.858194,2025-02-25T09:17:32Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail/', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail/'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
2,3.854832,2025-02-25T09:17:02Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
3,3.852299,2025-02-25T17:43:43Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/ap-south-1/2025/02/25/538539780105_CloudTrail-Digest_ap-south-1_monitroing-events_eu-central-1_20250225T171226Z.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/ap-south-1/2025/02/25/538539780105_CloudTrail-Digest_ap-south-1_monitroing-events_eu-central-1_20250225T171226Z.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
4,3.85214,2025-02-25T19:43:42Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/ap-south-1/2025/02/25/538539780105_CloudTrail-Digest_ap-south-1_monitroing-events_eu-central-1_20250225T191226Z.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/ap-south-1/2025/02/25/538539780105_CloudTrail-Digest_ap-south-1_monitroing-events_eu-central-1_20250225T191226Z.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
5,3.851715,2025-02-26T11:14:02Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail/eu-central-1/2025/02/26/538539780105_CloudTrail_eu-central-1_20250226T1110Z_umtDl3Zo5tBNNWU6.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail/eu-central-1/2025/02/26/538539780105_CloudTrail_eu-central-1_20250226T1110Z_umtDl3Zo5tBNNWU6.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
6,3.851162,2025-02-26T10:45:44Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/ap-southeast-1/2025/02/26/538539780105_CloudTrail-Digest_ap-southeast-1_monitroing-events_eu-central-1_20250226T101226Z.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/ap-southeast-1/2025/02/26/538539780105_CloudTrail-Digest_ap-southeast-1_monitroing-events_eu-central-1_20250226T101226Z.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
7,3.851126,2025-02-25T16:44:45Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/ap-northeast-2/2025/02/25/538539780105_CloudTrail-Digest_ap-northeast-2_monitroing-events_eu-central-1_20250225T161226Z.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/ap-northeast-2/2025/02/25/538539780105_CloudTrail-Digest_ap-northeast-2_monitroing-events_eu-central-1_20250225T161226Z.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
8,3.850445,2025-02-25T15:43:46Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/ap-northeast-1/2025/02/25/538539780105_CloudTrail-Digest_ap-northeast-1_monitroing-events_eu-central-1_20250225T151226Z.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/ap-northeast-1/2025/02/25/538539780105_CloudTrail-Digest_ap-northeast-1_monitroing-events_eu-central-1_20250225T151226Z.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"
9,3.85022,2025-02-25T21:44:46Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE6C35PLXLV', 'arn': 'arn:aws:iam::538539780105:user/elastic-agent-cloudtrail', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AEZOIJ7U72', 'userName': 'elastic-agent-cloudtrail'}",GetObject,eu-central-1,10.0.0.57,[m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.10 md/GOOS#linux md/GOARCH#amd64 api/s3#1.60.1],"{'bucketName': 'cloudtrail-logs-131gfds', 'Host': 'cloudtrail-logs-131gfds.s3.eu-central-1.amazonaws.com', 'key': 'AWSLogs/538539780105/CloudTrail-Digest/ap-southeast-2/2025/02/25/538539780105_CloudTrail-Digest_ap-southeast-2_monitroing-events_eu-central-1_20250225T211226Z.json.gz', 'x-id': 'GetObject'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds/AWSLogs/538539780105/CloudTrail-Digest/ap-southeast-2/2025/02/25/538539780105_CloudTrail-Digest_ap-southeast-2_monitroing-events_eu-central-1_20250225T211226Z.json.gz'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::cloudtrail-logs-131gfds'}]"


#### Here we can see the same query with sparse vector search using Elastics ELSER model. We get exact results ranked at top so we will continue with sparse vector search.

In [18]:
query = "get object from s3 bucket name bsides-zagreb"

#query = "download object from s3 bucket from public IP" results in top 5

response = client.search(
    index=".ds-logs-aws.cloudtrail-default-2025.03.04-000016",
    size=5,
    query={
      "sparse_vector": {
        "field": "message_elser_v2",
         "inference_id": ".elser_model_2_linux-x86_64",
          "query": query

  }
},
)

results = []

for hit in response["hits"]["hits"]:
    
    event_original = json.loads(hit["_source"]["event"]["original"])
    event_original['score'] = hit["_score"]
    results.append(event_original)

df_all = pd.DataFrame(results)
df_cleaned= df_all[['score','eventTime','userIdentity', 'eventName', 'awsRegion', "sourceIPAddress", 'userAgent', 'requestParameters', 'resources']]


display(df_cleaned)

Unnamed: 0,score,eventTime,userIdentity,eventName,awsRegion,sourceIPAddress,userAgent,requestParameters,resources
0,20.75167,2025-03-03T15:16:30Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE7KVE2CM3O', 'arn': 'arn:aws:iam::538539780105:user/lambda_s3_user', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AESBKH7OGC', 'userName': 'lambda_s3_user'}",GetObject,eu-central-1,95.168.107.4,[aws-cli/1.36.17 md/Botocore#1.35.71 ua/2.0 os/linux#5.15.0-86-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.71],"{'bucketName': 'bsides-zagreb', 'Host': 'bsides-zagreb.s3.eu-central-1.amazonaws.com', 'key': 'super_secret_text_file.txt'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::bsides-zagreb/super_secret_text_file.txt'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::bsides-zagreb'}]"
1,20.28714,2025-03-03T15:16:30Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE7KVE2CM3O', 'arn': 'arn:aws:iam::538539780105:user/lambda_s3_user', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AESBKH7OGC', 'userName': 'lambda_s3_user'}",HeadObject,eu-central-1,95.168.107.4,[aws-cli/1.36.17 md/Botocore#1.35.71 ua/2.0 os/linux#5.15.0-86-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.71],"{'bucketName': 'bsides-zagreb', 'Host': 'bsides-zagreb.s3.eu-central-1.amazonaws.com', 'key': 'super_secret_text_file.txt'}","[{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::bsides-zagreb/super_secret_text_file.txt'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::bsides-zagreb'}]"
2,19.995228,2025-03-03T15:13:31Z,"{'type': 'IAMUser', 'principalId': 'AIDAX2Y3Y5AE7KVE2CM3O', 'arn': 'arn:aws:iam::538539780105:user/lambda_s3_user', 'accountId': '538539780105', 'accessKeyId': 'AKIAX2Y3Y5AESBKH7OGC', 'userName': 'lambda_s3_user'}",ListObjects,eu-central-1,95.168.107.4,[aws-cli/1.36.17 md/Botocore#1.35.71 ua/2.0 os/linux#5.15.0-86-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.71],"{'list-type': '2', 'bucketName': 'bsides-zagreb', 'encoding-type': 'url', 'prefix': '', 'delimiter': '/', 'Host': 'bsides-zagreb.s3.eu-central-1.amazonaws.com'}","[{'type': 'AWS::S3::Object', 'ARNPrefix': 'arn:aws:s3:::bsides-zagreb/'}, {'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::bsides-zagreb'}]"
3,19.560778,2025-03-03T13:27:42Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AERI7TIC4B', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",GetBucketObjectLockConfiguration,eu-central-1,95.168.107.4,"[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36]","{'bucketName': 'bsides-zagreb', 'object-lock': '', 'Host': 's3.eu-central-1.amazonaws.com'}","[{'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::bsides-zagreb'}]"
4,18.78233,2025-03-03T13:48:47Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE6TDYY4HN', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",GetBucketObjectLockConfiguration,eu-central-1,95.168.107.4,"[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36]","{'bucketName': 'bsides-zagreb', 'object-lock': '', 'Host': 's3.eu-central-1.amazonaws.com'}","[{'accountId': '538539780105', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::bsides-zagreb'}]"


### 2. See what else we can find related to before mentioned user **lambda_s3_user**
- By user name we can't really find connection to previous actions, this indicates that attacker escalated to this user.
- We still have IP address that commands came from. From username we can assume that is is somehow related to lambda functions so we can check the actions performed on any lambda function.
- Lambda functions can often leak hardcoded credentials in code or env variables.
- Here we can see some problems with getting high score results for get function query since the event name for it is actually GetFunction20150331v2.
- Listfunction api calls are executed via CLI using assumed role **S3_Lambda**

In [458]:
query = "listfunctions"

#query = "actions by user name lambda_s3_user from aws cli"


response = client.search(
    index=".ds-logs-aws.cloudtrail-default-2025.03.04-000016",
    size=15,
    query={
      "sparse_vector": {
        "field": "message_elser_v2",
         "inference_id": ".elser_model_2_linux-x86_64_ingest",
          "query": query

  }
},
)

results = []

for hit in response["hits"]["hits"]:
    
    event_original = json.loads(hit["_source"]["event"]["original"])
    event_original['score'] = hit["_score"]
    results.append(event_original)


df_all = pd.DataFrame(results)
df_cleaned = df_all[['score','eventTime','userIdentity', 'eventName', 'awsRegion', "sourceIPAddress", 'userAgent', 'requestParameters']]

pd.set_option('display.max_colwidth', None)

display(df_cleaned)

Unnamed: 0,score,eventTime,userIdentity,eventName,awsRegion,sourceIPAddress,userAgent,requestParameters
0,11.164793,2025-03-03T15:08:55Z,"{'type': 'AWSService', 'invokedBy': 'AWS Internal'}",GetFunctionConfiguration20150331v2,eu-central-1,AWS Internal,AWS Internal,"{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_retriever', 'qualifier': '$LATEST'}"
1,10.742123,2025-03-03T13:52:10Z,"{'type': 'AWSService', 'invokedBy': 'AWS Internal'}",GetFunctionConfiguration20150331v2,eu-central-1,AWS Internal,AWS Internal,"{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_data_retriever', 'qualifier': '$LATEST'}"
2,10.72697,2025-03-03T13:53:41Z,"{'type': 'AWSService', 'invokedBy': 'AWS Internal'}",GetFunctionConfiguration20150331v2,eu-central-1,AWS Internal,AWS Internal,"{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_data_retriever', 'qualifier': '$LATEST'}"
3,10.449755,2025-03-03T13:54:31Z,"{'type': 'AWSService', 'invokedBy': 'AWS Internal'}",GetFunctionConfiguration20150331v2,eu-central-1,AWS Internal,AWS Internal,"{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_retriever', 'qualifier': '$LATEST'}"
4,10.370233,2025-03-03T13:55:25Z,"{'type': 'AWSService', 'invokedBy': 'AWS Internal'}",GetFunctionConfiguration20150331v2,eu-central-1,AWS Internal,AWS Internal,"{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_retriever', 'qualifier': '$LATEST'}"
5,9.990437,2025-03-03T13:56:32Z,"{'type': 'AWSService', 'invokedBy': 'AWS Internal'}",GetFunctionConfiguration20150331v2,eu-central-1,AWS Internal,AWS Internal,"{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_retriever', 'qualifier': '$LATEST'}"
6,9.94055,2025-03-03T15:07:29Z,"{'type': 'AssumedRole', 'principalId': 'AROAX2Y3Y5AE6DTGFUMM5:i-0905d72baf3abed14', 'arn': 'arn:aws:sts::538539780105:assumed-role/S3_Lambda/i-0905d72baf3abed14', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE7E5AQW4F', 'sessionContext': {'sessionIssuer': {'type': 'Role', 'principalId': 'AROAX2Y3Y5AE6DTGFUMM5', 'arn': 'arn:aws:iam::538539780105:role/S3_Lambda', 'accountId': '538539780105', 'userName': 'S3_Lambda'}, 'attributes': {'creationDate': '2025-03-03T14:41:59Z', 'mfaAuthenticated': 'false'}, 'ec2RoleDelivery': '2.0'}}",ListFunctions20150331,eu-central-1,95.168.107.4,aws-cli/1.36.17 md/Botocore#1.35.71 ua/2.0 os/linux#5.15.0-86-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.71,
7,9.581711,2025-03-03T13:53:43Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE3LOFEY7L', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",GetFunction20150331v2,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_data_retriever'}
8,9.279804,2025-03-03T13:52:15Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE3LOFEY7L', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",GetFunction20150331v2,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",{'functionName': 'arn:aws:lambda:eu-central-1:538539780105:function:s3_data_retriever'}
9,9.200465,2025-03-03T13:54:31Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE3LOFEY7L', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",GetFunctionRecursionConfig,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",{'functionName': 's3_retriever'}


## 4. Investigate events related to instance i-0905d72baf3abed14
    From role ARN arn:aws:sts::538539780105:assumed-role/S3_Lambda/*i-0905d72baf3abed14* we can conclude that this was role attached to an EC2 instance with ID i-0905d72baf3abed14. Requests are coming from public IP and not directly from instance which leads us to assuming temporary credentials related to this EC2 instance have been stolen.

In [4]:
query = "instance metadata"


response = client.search(
    index="logs-aws.cloudtrail*",
    size=15,
    query={
      "sparse_vector": {
        "field": "message_elser_v2",
         "inference_id": ".elser_model_2_linux-x86_64_ingest",
          "query": query

  }
},
)

results = []

for hit in response["hits"]["hits"]:

    event = json.loads(hit["_source"]["event"]["original"])

        
    event["score"] = float(hit["_score"])
    results.append(event)

df_all = pd.DataFrame(results)
df_cleaned= df_all[['score','eventTime','userIdentity', 'eventName', 'awsRegion', "sourceIPAddress", 'userAgent', 'requestParameters']]

pd.set_option('display.max_colwidth', None)

display(df_cleaned)

Unnamed: 0,score,eventTime,userIdentity,eventName,awsRegion,sourceIPAddress,userAgent,requestParameters
0,8.260045,2025-03-03T13:02:47Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AETZBV3KQ3', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'pending'}, {'value': 'running'}, {'value': 'shutting-down'}, {'value': 'stopping'}, {'value': 'stopped'}]}}, {'name': 'vpc-id', 'valueSet': {'items': [{'value': 'vpc-02094c25ac0a1fa5b'}]}}]}}"
1,8.24274,2025-03-03T13:03:01Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AETZBV3KQ3', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'pending'}, {'value': 'running'}, {'value': 'shutting-down'}, {'value': 'stopping'}, {'value': 'stopped'}]}}, {'name': 'vpc-id', 'valueSet': {'items': [{'value': 'vpc-02094c25ac0a1fa5b'}]}}]}}"
2,8.188886,2025-03-03T11:02:41Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEWA6423XI', 'sessionContext': {'sessionIssuer': {}, 'webIdFederationData': {}, 'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",SendSSHPublicKey,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'instanceId': 'i-0905d72baf3abed14', 'instanceOSUser': 'ec2-user', 'sSHPublicKey': 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1LWlMvgrpq6nnYgL7EFYOwu+cDkisEZPEMLwerqSfb '}"
3,8.184713,2025-03-03T12:46:08Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEQPTQTSZJ', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'pending'}, {'value': 'running'}, {'value': 'shutting-down'}, {'value': 'stopping'}, {'value': 'stopped'}]}}, {'name': 'vpc-id', 'valueSet': {'items': [{'value': 'vpc-02094c25ac0a1fa5b'}]}}]}}"
4,8.175696,2025-03-03T13:00:15Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AETZBV3KQ3', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'pending'}, {'value': 'running'}, {'value': 'shutting-down'}, {'value': 'stopping'}, {'value': 'stopped'}]}}, {'name': 'vpc-id', 'valueSet': {'items': [{'value': 'vpc-02094c25ac0a1fa5b'}]}}]}}"
5,8.114229,2025-03-03T13:01:31Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AESX7XQOGC', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-id', 'valueSet': {'items': [{'value': 'i-0905d72baf3abed14'}]}}]}}"
6,8.106265,2025-03-03T09:48:50Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE52RL4LVH', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'running'}]}}]}}"
7,8.103455,2025-03-03T13:00:12Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AETZBV3KQ3', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'pending'}, {'value': 'running'}, {'value': 'shutting-down'}, {'value': 'stopping'}, {'value': 'stopped'}]}}, {'name': 'vpc-id', 'valueSet': {'items': [{'value': 'vpc-02094c25ac0a1fa5b'}]}}]}}"
8,8.095818,2025-03-03T08:17:25Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEZAGZGTGE', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",StartInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",{'instancesSet': {'items': [{'instanceId': 'i-0bc50e165a1466a00'}]}}
9,7.992964,2025-03-03T11:33:37Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE4TVWXVZS', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeInstances,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'maxResults': 1000, 'instancesSet': {}, 'filterSet': {'items': [{'name': 'instance-state-name', 'valueSet': {'items': [{'value': 'pending'}, {'value': 'running'}, {'value': 'shutting-down'}, {'value': 'stopping'}, {'value': 'stopped'}]}}, {'name': 'vpc-id', 'valueSet': {'items': [{'value': 'vpc-02094c25ac0a1fa5b'}]}}]}}"


## 5. Pivot to Application load balancer logs for more info

- Cloudtrail by itself doesn't log requests to instance metadata service
- We can connect API explitation attempts to the compromised instance
- From ALB logs we can confirm that attacker abused instance metadata service to obtain credentials to impersonate role S3_lambda.

In [12]:
query = "meta data iam S3_lambda"


response = client.search(
    index="logs-aws.elb_logs-default",
    size=15,
    query={
      "sparse_vector": {
        "field": "message_elser_v2",
         "inference_id": ".elser_model_2_linux-x86_64_ingest",
          "query": query
  }
},
)

for hit in response["hits"]["hits"]:
        
    print(f"Score:{hit['_score']}")
    print(f"Message: {hit['_source']['event']['original']}",end=f"\n\n{120*'-'}\n\n")
    

Score:9.403352
Message: http 2025-03-03T14:52:17.471449Z app/vuln-app-alb/72fb0c71304e1795 95.168.107.4:29916 10.0.0.78:9000 0.001 0.006 0.000 200 200 361 1817 "GET http://vuln-app-alb-404212911.eu-central-1.elb.amazonaws.com:8234/get?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2FS3_Lambda HTTP/1.1" "HTTPie/3.2.4" - - arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f "Root=1-67c5c221-5e9ceb4670872dca2cfc87fa" "-" "-" 0 2025-03-03T14:52:17.464000Z "forward" "-" "-" "10.0.0.78:9000" "200" "-" "-" TID_d29df88a9bdf6747aa8fdc8672cd8e73

------------------------------------------------------------------------------------------------------------------------

Score:4.930862
Message: http 2025-03-03T14:27:42.122817Z app/vuln-app-alb/72fb0c71304e1795 95.168.107.4:33746 10.0.0.78:9000 0.001 0.002 0.000 405 405 320 208 "GET http://vuln-app-alb-404212911.eu-central-1.elb.amazonaws.com:8234/put?url=http%3A%2F%2

### 6. Find more about the connection with specific instance by querying for target group
    If we can find event of target group creation and registration we can confirm that instance belongs to vulnerable target group and was the entry point for the attacker.

In [20]:
query = "target group vuln-app-targets i-0905d72baf3abed14"


response = client.search(
    index="logs-aws.cloudtrail*",
    size=15,
    query={
      "sparse_vector": {
        "field": "message_elser_v2",
         "inference_id": ".elser_model_2_linux-x86_64",
          "query": query

  }
},
)

results = []

for hit in response["hits"]["hits"]:

    event = json.loads(hit["_source"]["event"]["original"])

        
    event["score"] = float(hit["_score"])
    results.append(event)  

df_all = pd.DataFrame(results)
df_cleaned= df_all[['score','eventTime','userIdentity', 'eventName', 'awsRegion', "sourceIPAddress", 'userAgent', 'requestParameters']]


pd.set_option('display.max_colwidth', None)

display(df_cleaned)

Unnamed: 0,score,eventTime,userIdentity,eventName,awsRegion,sourceIPAddress,userAgent,requestParameters
0,18.524036,2025-03-03T07:56:13Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEWYXOCTBN', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",RegisterTargets,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'targets': [{'id': 'i-0905d72baf3abed14', 'port': 8000}]}"
1,18.34184,2025-03-03T12:52:55Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEZI24OWWS', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",ModifyListener,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'listenerArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:listener/app/vuln-app-alb/72fb0c71304e1795/98e36c045d78111c', 'port': 8234, 'protocol': 'HTTP', 'defaultActions': [{'type': 'forward', 'order': 1, 'forwardConfig': {'targetGroups': [{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'weight': 1}], 'targetGroupStickinessConfig': {'enabled': False, 'durationSeconds': 3600}}}]}"
2,18.207516,2025-03-03T11:33:36Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE3RJTLRG4', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",RegisterTargets,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'targets': [{'id': 'i-0905d72baf3abed14', 'port': 9000}]}"
3,18.010761,2025-03-03T12:56:24Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEVIVCRLH7', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",ModifyTargetGroup,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'healthCheckProtocol': 'HTTP', 'healthCheckPort': 'traffic-port', 'healthCheckPath': '/get', 'healthCheckIntervalSeconds': 30, 'healthCheckTimeoutSeconds': 10, 'healthyThresholdCount': 5, 'unhealthyThresholdCount': 2, 'matcher': {'httpCode': '422'}}"
4,17.95819,2025-03-03T12:59:21Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEVIVCRLH7', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",ModifyTargetGroup,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'healthCheckProtocol': 'HTTP', 'healthCheckPort': 'traffic-port', 'healthCheckPath': '/get', 'healthCheckIntervalSeconds': 30, 'healthCheckTimeoutSeconds': 10, 'healthyThresholdCount': 2, 'unhealthyThresholdCount': 2, 'matcher': {'httpCode': '422'}}"
5,17.755571,2025-03-03T07:53:14Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEWYXOCTBN', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",CreateTargetGroup,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'name': 'vuln-app-targets', 'protocol': 'HTTP', 'port': 8000, 'vpcId': 'vpc-02094c25ac0a1fa5b', 'healthCheckProtocol': 'HTTP', 'healthCheckPort': 'traffic-port', 'healthCheckPath': '/', 'healthCheckIntervalSeconds': 30, 'healthCheckTimeoutSeconds': 5, 'healthyThresholdCount': 5, 'unhealthyThresholdCount': 2, 'matcher': {'httpCode': '200'}, 'targetType': 'instance', 'protocolVersion': 'HTTP1', 'ipAddressType': 'ipv4'}"
6,17.286861,2025-03-03T12:57:36Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEZI24OWWS', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeTargetHealth,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f'}
7,17.25103,2025-03-03T12:59:42Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AEVIVCRLH7', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",ModifyTargetGroup,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'healthCheckProtocol': 'HTTP', 'healthCheckPort': 'traffic-port', 'healthCheckPath': '/get', 'healthCheckIntervalSeconds': 10, 'healthCheckTimeoutSeconds': 8, 'healthyThresholdCount': 2, 'unhealthyThresholdCount': 2, 'matcher': {'httpCode': '422'}}"
8,17.24084,2025-03-03T12:49:36Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AERUJIFQTM', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",DescribeTargetHealth,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'include': ['AnomalyDetection']}"
9,17.203327,2025-03-03T11:39:26Z,"{'type': 'Root', 'principalId': '538539780105', 'arn': 'arn:aws:iam::538539780105:root', 'accountId': '538539780105', 'accessKeyId': 'ASIAX2Y3Y5AE3RJTLRG4', 'sessionContext': {'attributes': {'creationDate': '2025-03-03T07:49:19Z', 'mfaAuthenticated': 'true'}}}",ModifyTargetGroup,eu-central-1,95.168.107.4,"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","{'targetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:538539780105:targetgroup/vuln-app-targets/28bc56e20e82ee3f', 'healthCheckProtocol': 'HTTP', 'healthCheckPort': 'traffic-port', 'healthCheckPath': '/fetch', 'healthCheckIntervalSeconds': 30, 'healthCheckTimeoutSeconds': 5, 'healthyThresholdCount': 5, 'unhealthyThresholdCount': 2, 'matcher': {'httpCode': '200'}}"
