# GIFTS M41 Splunk AWS CreateAccessKey Results

Last updated: `2026-05-24`

Status: `M41B public-data run completed; M41C conversion audit completed`

This note records the first non-synthetic labeled AWS attack-scenario run against `GIFTS`.

## Source

Selected scenario:

- Scenario ID: `splunk_aws_createaccesskey`
- Source page: <https://research.splunk.com/attack_data/cc9b263b-efc9-11eb-926b-550bf0943fbb/>
- Source catalog: `examples/public_log_sources_v1/aws_attack_scenario_candidates.json`
- Source path listed by Splunk: `/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json`
- Sourcetype listed by Splunk: `aws:cloudtrail`

Raw public data was downloaded outside Git:

```text
/tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/raw/
```

No raw logs were committed.

## Acquisition

The file was fetched from the GitHub media endpoint because the ordinary raw GitHub URL returned a Git LFS pointer instead of the dataset.

Media download URL:

```text
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json
```

Raw file:

```text
/tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/raw/aws_cloudtrail_events.json
```

Working JSONL copy:

```text
/tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/raw/aws_cloudtrail_events.jsonl
```

Observed source details:

| Item | Value |
| --- | --- |
| Raw bytes | `89943` |
| Raw records | `75` |
| Raw SHA-256 | `88c3aadd3cd9afc4db25fecd488b7eced3b1e0160f1f20592c043b327e853a8e` |
| Ordinary raw URL result | `130`-byte Git LFS pointer |
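The acquisition step above has two traps worth automating: a raw URL that silently hands back a Git LFS pointer, and a downloaded blob that is not the bytes the note recorded. The script below is an added example, not part of GIFTS or of Splunk's repository. It detects the pointer by its `version https://git-lfs.github.com/spec/v1` header, checks size, SHA-256 and record count against the values in the table, and writes the JSONL working copy the converter was run on. The record-container shapes it accepts (a JSON array, a `{"Records": [...]}` object, or one object per line) are assumptions about how the source file may be laid out; the sample records and the LFS pointer embedded below are constructed, with a placeholder digest in the pointer's `oid` line.

```python
"""Acquisition checks for a public CloudTrail dataset (added example, not GIFTS code)."""
import hashlib
import json
import sys
from pathlib import Path

LFS_POINTER_PREFIX = b"version https://git-lfs.github.com/spec/v1"

# Constructed stand-in for what the ordinary raw URL returned: a Git LFS pointer
# for the real 89943-byte file. The oid here is a placeholder, not the real digest.
# A pointer of this shape is exactly 130 bytes, which matches the observed result.
SAMPLE_LFS_POINTER = (
    b"version https://git-lfs.github.com/spec/v1\n"
    + b"oid sha256:" + b"0" * 64 + b"\n"
    + b"size 89943\n"
)

# Constructed CloudTrail-like records used only to exercise the functions below.
SAMPLE_RECORDS = [
    {"eventTime": "2021-07-27T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-07-27T10:01:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "sourceIPAddress": "203.0.113.10"},
]


def is_lfs_pointer(data: bytes) -> bool:
    """A Git LFS pointer is a tiny text file that opens with the spec version line."""
    return data.startswith(LFS_POINTER_PREFIX) and len(data) < 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_records(data: bytes) -> list:
    """Return the list of CloudTrail records regardless of container shape (assumed shapes)."""
    text = data.decode("utf-8")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # Not a single JSON document: treat it as line-delimited JSON.
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, list):
        return doc
    if isinstance(doc, dict) and isinstance(doc.get("Records"), list):
        return doc["Records"]
    raise ValueError("unrecognised CloudTrail container layout")


def verify_raw(data: bytes, expected_bytes: int, expected_sha256: str,
               expected_records: int) -> dict:
    """Compare a downloaded blob with the size, digest and record count recorded for the run."""
    if is_lfs_pointer(data):
        raise ValueError("downloaded a Git LFS pointer, not the dataset; "
                         "fetch from the media.githubusercontent.com URL instead")
    records = load_records(data)
    digest = sha256_hex(data)
    return {
        "bytes": len(data),
        "sha256": digest,
        "records": len(records),
        "matches": (len(data) == expected_bytes
                    and digest == expected_sha256
                    and len(records) == expected_records),
    }


def records_to_jsonl(records: list) -> str:
    """One compact JSON object per line, the form the converter consumed."""
    return "".join(json.dumps(rec, separators=(",", ":")) + "\n" for rec in records)


def write_jsonl(records: list, path) -> int:
    Path(path).write_text(records_to_jsonl(records), encoding="utf-8")
    return len(records)


if __name__ == "__main__":
    # Usage: python3 acquire_check.py <raw json> <jsonl output>
    raw = Path(sys.argv[1]).read_bytes()
    result = verify_raw(
        raw, 89943,
        "88c3aadd3cd9afc4db25fecd488b7eced3b1e0160f1f20592c043b327e853a8e", 75)
    print(result)
    if result["matches"]:
        print("wrote", write_jsonl(load_records(raw), sys.argv[2]), "lines")
```

Refusing to proceed on a pointer file is the important part: an LFS pointer is valid UTF-8 text, so a converter that tolerates malformed lines could otherwise produce an empty session file and a misleading "valid" result.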

## Commands

```bash
python3 -m gifts \
  --convert-cloudtrail-jsonl /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/raw/aws_cloudtrail_events.jsonl \
  --output /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/transformed/sessions.jsonl \
  --cloudtrail-conversion-audit-path /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/reports/conversion_audit.json \
  --cloudtrail-conversion-report-path /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/reports/conversion_audit.md

python3 -m gifts \
  --validate-session-file /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/transformed/sessions.jsonl

python3 -m gifts \
  --score-session-file /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/transformed/sessions.jsonl \
  --policy config/policies/balanced.yml \
  --findings-path /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/reports/findings.jsonl \
  --findings-csv /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/reports/findings.csv \
  --workflow-report-path /tmp/gifts-public-corpus/splunk-attack-data/aws_createaccesskey/reports/workflow_report.md
```

## Conversion Result

| Metric | Value |
| --- | --- |
| Raw records | `75` |
| Session records | `39` |
| Session-contract validation | `valid` |
| Transformed session SHA-256 | `be1e0776f2d1dfbd03d068cac3f2f5e84af59c3060c6d16923c9591d1e44e973` |
| Events preserved in session output | `68` |
| Events truncated by event cap | `7` |
| Sessions truncated by event cap | `1` |
| Missing/blackout events in output | `0` |

Important caveat:

The current CloudTrail conversion path caps events per session using the project-level `MAX_EVENTS` setting. This run preserved `68` events in session output from `75` raw records. That is acceptable for a first public-data validation run, but not enough for final benchmark claims.

M41C status: CloudTrail conversion audit/cap reporting was run for this dataset and confirms that one 17-event session was capped to 10 events.
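To make the cap arithmetic above concrete, here is an added example (not the GIFTS converter) that groups CloudTrail records into sessions, applies a per-session event cap, and emits the same audit counters this run reports: raw records, session records, events preserved, events truncated and sessions truncated. The session key (`userIdentity.arn` plus `sourceIPAddress`), the cap value of `10`, and the `service:EventName` action naming derived from `eventSource` are assumptions; the constructed sample reproduces the shape of this run, one 17-event session capped to 10 with 7 events lost.

```python
"""Per-session event cap audit for CloudTrail-derived sessions (added example, not GIFTS code)."""

MAX_EVENTS = 10  # assumed value of the project-level cap


def session_key(record: dict) -> tuple:
    """Group events by caller identity and source address (assumed session key)."""
    identity = record.get("userIdentity") or {}
    return (identity.get("arn", "unknown"), record.get("sourceIPAddress", "unknown"))


def action_name(record: dict) -> str:
    """'iam.amazonaws.com' + 'CreateAccessKey' -> 'iam:CreateAccessKey' (assumed mapping)."""
    service = (record.get("eventSource") or "").split(".")[0]
    return f"{service}:{record.get('eventName')}"


def sessionize(records: list, max_events: int = MAX_EVENTS) -> tuple:
    """Group records into sessions, apply the cap, return (sessions, audit).

    Events are kept in time order and everything past the cap is dropped; the
    audit exists to make that loss visible instead of silently shrinking the run.
    """
    grouped: dict = {}
    for rec in sorted(records, key=lambda r: r.get("eventTime", "")):
        grouped.setdefault(session_key(rec), []).append(rec)

    sessions = []
    truncated_events = 0
    truncated_sessions = 0
    for key, events in grouped.items():
        overflow = max(0, len(events) - max_events)
        if overflow:
            truncated_events += overflow
            truncated_sessions += 1
        kept = events[:max_events]
        sessions.append({
            "session_id": f"{key[0]}|{key[1]}",
            "events": [{"eventTime": e.get("eventTime"), "action": action_name(e)} for e in kept],
            "truncated": bool(overflow),
        })

    audit = {
        "raw_records": len(records),
        "session_records": len(sessions),
        "events_preserved": sum(len(s["events"]) for s in sessions),
        "events_truncated": truncated_events,
        "sessions_truncated": truncated_sessions,
    }
    # Every raw record is either preserved or counted as truncated; nothing vanishes.
    assert audit["events_preserved"] + audit["events_truncated"] == audit["raw_records"]
    return sessions, audit


def build_sample() -> list:
    """Constructed records: a 17-event CreateAccessKey burst from one principal,
    plus a 3-event and a 2-event session from other principals (22 records)."""
    records = []
    for i in range(17):
        records.append({
            "eventTime": f"2021-07-27T10:{i:02d}:00Z",
            "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/sample-a"},
        })
    for i in range(3):
        records.append({
            "eventTime": f"2021-07-27T11:0{i}:00Z",
            "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/sample-b"},
        })
    for i in range(2):
        records.append({
            "eventTime": f"2021-07-27T12:0{i}:00Z",
            "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
            "sourceIPAddress": "192.0.2.5",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/sample-c"},
        })
    return records


if __name__ == "__main__":
    _, audit = sessionize(build_sample())
    for name, value in audit.items():
        print(f"{name}: {value}")
```

Running it on the constructed sample yields 15 events preserved out of 22, 7 truncated, 1 session truncated, which is the same pattern as the real run (68 of 75, 7, 1). The point for the benchmark claim boundary is that the truncated events are the tail of the longest burst, precisely the part of an attack sequence a scorer most needs.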

## Scoring Result

Balanced policy result:

| Risk | Count |
| --- | ---: |
| critical | `14` |
| high | `20` |
| low | `5` |

Signal counts:

| Signal | Count |
| --- | ---: |
| external_or_tor_source | `39` |
| sensitive_actions | `34` |
| privilege_change_sequence | `34` |

Action counts in transformed output:

| Action | Count |
| --- | ---: |
| iam:CreateAccessKey | `60` |
| kms:CreateKey | `8` |

## Expected Versus Observed

Expected:

- `iam:CreateAccessKey` should trigger `sensitive_actions`;
- the scenario should meet at least a medium risk floor;
- GIFTS should not claim production accuracy from this public scenario.

Observed:

- `34` sessions had `sensitive_actions`;
- `34` sessions were high or critical;
- `5` sessions were low and mainly reflected external-source context without the same sensitive-action sequence;
- the scenario mapped cleanly through the existing CloudTrail converter once saved with a `.jsonl` working filename.
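The expected-versus-observed comparison above is what a labeled-scenario regression test would encode. The following is an added example, not a GIFTS module: it reads scorer findings, reproduces the risk and signal count tables, and checks two expectations drawn from this section, that a session containing `iam:CreateAccessKey` carries `sensitive_actions`, and that a session with `sensitive_actions` is scored at or above the medium floor. The findings record shape (`session_id`, `risk`, `signals`, `actions`) is an assumption about what `findings.jsonl` carries; the four embedded findings are constructed, and the last one is deliberately inconsistent so the check has something to report.

```python
"""Expected-signal regression check over scorer findings (added example, not GIFTS code)."""
import json

RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

EXPECTATIONS = {
    "trigger_action": "iam:CreateAccessKey",   # sessions with this action...
    "trigger_signal": "sensitive_actions",     # ...must carry this signal
    "risk_floor": "medium",                    # and signalled sessions must reach this
}

# Constructed findings lines (assumed schema). s-004 is an intentional regression:
# it performed the trigger action but carries no sensitive_actions signal.
SAMPLE_FINDINGS = "".join(json.dumps(f) + "\n" for f in [
    {"session_id": "s-001", "risk": "critical",
     "signals": ["external_or_tor_source", "sensitive_actions", "privilege_change_sequence"],
     "actions": ["iam:CreateAccessKey"]},
    {"session_id": "s-002", "risk": "high",
     "signals": ["external_or_tor_source", "sensitive_actions", "privilege_change_sequence"],
     "actions": ["iam:CreateAccessKey", "kms:CreateKey"]},
    {"session_id": "s-003", "risk": "low",
     "signals": ["external_or_tor_source"], "actions": ["kms:CreateKey"]},
    {"session_id": "s-004", "risk": "low",
     "signals": ["external_or_tor_source"], "actions": ["iam:CreateAccessKey"]},
])


def load_findings(jsonl_text: str) -> list:
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def summarize(findings: list) -> dict:
    """Rebuild the risk-count and signal-count tables from findings."""
    risk, signals = {}, {}
    for f in findings:
        risk[f["risk"]] = risk.get(f["risk"], 0) + 1
        for s in f.get("signals", []):
            signals[s] = signals.get(s, 0) + 1
    return {"risk": risk, "signals": signals}


def check_expectations(findings: list, exp: dict = EXPECTATIONS) -> list:
    """Return human-readable deviations from the expectations; empty means all met."""
    problems = []
    floor = RISK_ORDER[exp["risk_floor"]]
    for f in findings:
        has_trigger = exp["trigger_action"] in f.get("actions", [])
        has_signal = exp["trigger_signal"] in f.get("signals", [])
        if has_trigger and not has_signal:
            problems.append(f"{f['session_id']}: {exp['trigger_action']} without {exp['trigger_signal']}")
        if has_signal and RISK_ORDER[f["risk"]] < floor:
            problems.append(f"{f['session_id']}: {exp['trigger_signal']} scored {f['risk']}, "
                            f"below the {exp['risk_floor']} floor")
    if findings and max(RISK_ORDER[f["risk"]] for f in findings) < floor:
        problems.append("no session reached the scenario risk floor")
    return problems


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS)
    print(summarize(findings))
    for problem in check_expectations(findings) or ["all expectations met"]:
        print(problem)
```

Wiring `check_expectations` into CI against the real `findings.jsonl` turns the bullet list above into a regression gate: a converter or policy change that drops `sensitive_actions` from a `CreateAccessKey` session fails the run instead of quietly shifting the count tables.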

## Claim Boundary

This run supports:

- public AWS CloudTrail adapter validation;
- labeled attack-scenario regression planning;
- initial expected-signal comparison;
- SOC/export workflow confidence for non-synthetic AWS traces.

This run does not support:

- production false-positive claims;
- tenant-specific benign manifold calibration;
- full-fidelity benchmark claims until the session event cap is handled;
- proof that every `CreateAccessKey` event is malicious.
