{"attack_type": "normal", "blackout_count": 0, "event_count": 4, "events": [{"action": "sts:AssumeRole", "index": 0, "ip": "ip:corp", "principal_arn": "parn:arn:aws:iam::111122223333:role/dev_role", "principal_type": "ptype:AssumedRole", "region": "region:us-east-1", "resource": "res:arn:aws:iam::111122223333:role/dev_role", "source": "src:sts.amazonaws.com", "time_bin": "time:t00", "ua": "ua:awscli"}, {"action": "ecs:DescribeServices", "index": 1, "ip": "ip:corp", "principal_arn": "parn:arn:aws:iam::111122223333:role/dev_role", "principal_type": "ptype:AssumedRole", "region": "region:us-east-1", "resource": "res:arn:aws:ecs:us-east-1:111122223333:service/demo-service", "source": "src:ecs.amazonaws.com", "time_bin": "time:t01", "ua": "ua:awscli"}, {"action": "ecs:UpdateService", "index": 2, "ip": "ip:corp", "principal_arn": "parn:arn:aws:iam::111122223333:role/dev_role", "principal_type": "ptype:AssumedRole", "region": "region:us-east-1", "resource": "res:arn:aws:ecs:us-east-1:111122223333:service/demo-service", "source": "src:ecs.amazonaws.com", "time_bin": "time:t02", "ua": "ua:awscli"}, {"action": "s3:PutObject", "index": 3, "ip": "ip:corp", "principal_arn": "parn:arn:aws:iam::111122223333:role/dev_role", "principal_type": "ptype:AssumedRole", "region": "region:us-east-1", "resource": "res:arn:aws:s3:::identity-assurance-demo/output.json", "source": "src:s3.amazonaws.com", "time_bin": "time:t03", "ua": "ua:awscli"}], "identity_context": {"ip_categories": ["ip:corp"], "principals": ["parn:arn:aws:iam::111122223333:role/dev_role"], "regions": ["region:us-east-1"], "user_agents": ["ua:awscli"]}, "label": "normal", "observed_event_count": 4, "recommended_actions": ["Retain as baseline context unless correlated with another alert."], "risk_level": "low", "risk_score": 6, "schema_version": "gifts-workflow-finding-v1", "session_id": "session-normal-001", "signals": [{"description": "Session contains actions that often deserve identity-security review.", "evidence": ["[03] s3:PutObject"], "name": "sensitive_actions", "weight": 6}], "suspicious_actions": [{"action": "s3:PutObject", "index": 3, "reason": "Sensitive identity, logging, data, or infrastructure action.", "weight": 6}], "workflow_uses": ["SOC triage", "identity-control review", "incident reconstruction support", "red-team or tabletop evaluation"]} {"attack_type": "resource_hijack", "blackout_count": 3, "event_count": 5, "events": [{"action": "sts:AssumeRole", "index": 0, "ip": "ip:external", "principal_arn": "parn:arn:aws:sts::111122223333:assumed-role/suspicious-role/session", "principal_type": "ptype:AssumedRole", "region": "region:us-west-2", "resource": "res:arn:aws:iam::111122223333:role/suspicious-role", "source": "src:sts.amazonaws.com", "time_bin": "time:t00", "ua": "ua:sdk"}, {"action": "", "index": 1, "ip": "ip:", "principal_arn": "parn:", "principal_type": "ptype:", "region": "region:", "resource": "res:", "source": "src:", "time_bin": "time:", "ua": "ua:"}, {"action": "", "index": 2, "ip": "ip:", "principal_arn": "parn:", "principal_type": "ptype:", "region": "region:", "resource": "res:", "source": "src:", "time_bin": "time:", "ua": "ua:"}, {"action": "", "index": 3, "ip": "ip:", "principal_arn": "parn:", "principal_type": "ptype:", "region": "region:", "resource": "res:", "source": "src:", "time_bin": "time:", "ua": "ua:"}, {"action": "cloudwatch:PutMetricData", "index": 4, "ip": "ip:external", "principal_arn": "parn:arn:aws:sts::111122223333:assumed-role/suspicious-role/session", "principal_type": "ptype:AssumedRole", "region": "region:us-west-2", "resource": "res:arn:aws:cloudwatch:us-west-2:111122223333:metric/demo", "source": "src:monitoring.amazonaws.com", "time_bin": "time:t04", "ua": "ua:sdk"}], "identity_context": {"ip_categories": ["ip:external"], "principals": ["parn:arn:aws:sts::111122223333:assumed-role/suspicious-role/session"], "regions": ["region:us-west-2"], "user_agents": ["ua:sdk"]}, "label": "attack", "observed_event_count": 2, "recommended_actions": ["Open an identity-security triage item for this session.", "Review the principal, source IP category, user agent, and target resources.", "Check whether logging gaps, suppressed telemetry, or event-delivery delays explain the missing segment.", "Correlate the source network with VPN, geolocation, and known corporate egress paths."], "risk_level": "high", "risk_score": 62, "schema_version": "gifts-workflow-finding-v1", "session_id": "session-blackout-attack-001", "signals": [{"description": "Session contains intentionally missing or blacked-out event slots.", "evidence": ["missing_indices=[1, 2, 3]"], "name": "missing_or_blacked_out_events", "weight": 30}, {"description": "Principal naming suggests an unknown, suspicious, or stolen-token context in the example data.", "evidence": ["parn:arn:aws:sts::111122223333:assumed-role/suspicious-role/session"], "name": "suspicious_principal_label", "weight": 18}, {"description": "Session includes access from an external or Tor-like source category.", "evidence": ["ip:external"], "name": "external_or_tor_source", "weight": 14}], "suspicious_actions": [], "workflow_uses": ["SOC triage", "identity-control review", "incident reconstruction support", "red-team or tabletop evaluation"]}