# GIFTS Dry-Run Response Plan

- Source findings: `examples/aws_cloudtrail_identity_incident_demo/findings.jsonl`
- Generated at: `2026-05-24T02:09:04.998372Z`
- Mode: `dry_run`
- Requires analyst approval: `True`
- Minimum risk: `high`
- Planned sessions: `1`

## Guardrails

- No user, role, policy, token, network, or logging system was changed.
- No ticket, SIEM alert, SOAR case, or cloud-control API was called.
- All tasks are analyst-review recommendations only.

## Sessions

| Session | Risk | Signals | Tasks |
| --- | --- | --- | ---: |
| `aws-demo-unknown-access-key-002` | `critical` | external_or_tor_source, logging_control_action, multi_region_session, privilege_change_sequence, sensitive_actions, suspicious_principal_label, unknown_user_agent | 5 |

## Session `aws-demo-unknown-access-key-002`

- Risk: `critical`
- Attack type: `privilege_escalation`

Tasks:

- `Open analyst review`: Create a review item containing the GIFTS finding and normalized event sequence.
- `Correlate source network`: Check the source category against VPN, corporate egress, geolocation, and known allowlists.
- `Review privilege changes`: Compare privilege, access-key, or policy changes with approved change records.
- `Verify audit continuity`: Confirm whether CloudTrail, audit logs, or delivery pipelines remained continuous.
- `Review GIFTS recommendations`: Have an analyst approve, reject, or annotate each recommended action.
