# GIFTS Workflow Findings Report

- Source file: `examples/aws_cloudtrail_identity_incident_demo/sessions.jsonl`
- Sessions scored: `2`
- Policy: `balanced-gifts-fast-path-policy`
- Suppressions applied: `0`
- Risk mix: `critical=1`, `high=0`, `medium=0`, `low=1`

## Executive Summary

- Priority queue: `1` critical/high session(s) out of `2`.
- Most common top drivers: `sensitive_actions, logging_control_action, suspicious_principal_label`.
- Sessions with missing or blacked-out telemetry: `0`.
- Sessions with baseline matches: `0`.
- Sessions with policy suppressions applied: `0`.
- Use this report for analyst triage and review notes, not automatic enforcement.

## Triage Queue

| Session | Risk | Score | Access tier | Session type | Top signals | Recommended first action |
| --- | --- | ---: | --- | --- | --- | --- |
| `aws-demo-unknown-access-key-002` | `critical` | 100 | `tenant_admin` | `admin_console_session` | sensitive_actions, logging_control_action, suspicious_principal_label | Open an identity-security triage item for this session. |
| `aws-demo-release-bot-001` | `low` | 0 | `privileged_operator` | `assumed_role_session` | none | Retain as baseline context unless correlated with another alert. |

## Session `aws-demo-unknown-access-key-002`

- Risk: `critical` / `100`
- Label: `attack`
- Attack type: `privilege_escalation`
- Provider: `aws`
- Access tier: `tenant_admin`
- Session type: `admin_console_session`
- Events: `5` total, `0` missing or blacked out

Observed facts:
- Observed events: `5`
- Missing or blacked-out events: `0`
- Principals: `parn:arn:aws:iam::111122223333:user/unknown-user`
- IP categories: `ip:external`
- Regions: `region:ap-southeast-1, region:us-west-2`

Timeline:

| # | Action | Principal | IP | Region | Resource |
| ---: | --- | --- | --- | --- | --- |
| 0 | `sts:GetCallerIdentity` | `parn:arn:aws:iam::111122223333:user/unknown-user` | `ip:external` | `region:us-west-2` | `res:arn:aws:iam::111122223333:user/unknown-user` |
| 1 | `iam:CreateAccessKey` | `parn:arn:aws:iam::111122223333:user/unknown-user` | `ip:external` | `region:us-west-2` | `res:arn:aws:iam::111122223333:user/unknown-user` |
| 2 | `iam:AttachUserPolicy` | `parn:arn:aws:iam::111122223333:user/unknown-user` | `ip:external` | `region:us-west-2` | `res:arn:aws:iam::111122223333:policy/AdministratorAccess` |
| 3 | `cloudtrail:StopLogging` | `parn:arn:aws:iam::111122223333:user/unknown-user` | `ip:external` | `region:us-west-2` | `res:arn:aws:cloudtrail:us-west-2:111122223333:trail/org-trail` |
| 4 | `ec2:RunInstances` | `parn:arn:aws:iam::111122223333:user/unknown-user` | `ip:external` | `region:ap-southeast-1` | `res:arn:aws:ec2:ap-southeast-1:111122223333:instance/*` |

Signals:
- `sensitive_actions` (+35): Session contains actions that often deserve identity-security review. Evidence: [01] iam:CreateAccessKey; [02] iam:AttachUserPolicy; [03] cloudtrail:StopLogging; [04] ec2:RunInstances
- `logging_control_action` (+20): Session includes a logging-control action that can reduce audit visibility. Evidence: cloudtrail:StopLogging
- `suspicious_principal_label` (+18): Principal naming suggests an unknown, suspicious, or stolen-token context in the example data. Evidence: parn:arn:aws:iam::111122223333:user/unknown-user
- `privilege_change_sequence` (+18): Session includes privilege, access-key, or policy-change behavior. Evidence: iam:CreateAccessKey; iam:AttachUserPolicy
- `external_or_tor_source` (+14): Session includes access from an external or Tor-like source category. Evidence: ip:external
- `unknown_user_agent` (+8): Session contains an unknown user-agent bucket. Evidence: ua:unknown
- `multi_region_session` (+6): Session spans multiple regions. Evidence: region:ap-southeast-1; region:us-west-2

Scoring layers:
- `global_policy_signals`: score `100` (delta `+100`)
- `provider_context`: score `100` (delta `0`)
- `access_tier_context`: score `100` (delta `0`)
- `session_type_context`: score `100` (delta `0`)
- `baseline_context`: score `100` (delta `0`)
- `suppression_context`: score `100` (delta `0`)
- `final`: score `100` (delta `0`)

Recommended actions:
- Open an identity-security triage item for this session.
- Review the principal, source IP category, user agent, and target resources.
- Verify whether the privilege change was approved and revoke unexpected access changes.
- Correlate the source network with VPN, geolocation, and known corporate egress paths.
- Confirm CloudTrail or audit logging continuity for the affected account or tenant.

Next checks:
- Confirm whether the sensitive actions match an approved change, deployment, or access request.
- Compare the source IP category with VPN, SSO, device, and geolocation records.
- Review the principal's recent role, group, policy, token, and access-key changes.
- Verify audit logging continuity and confirm no trail, stream, or retention setting was weakened.
- Check whether the user agent maps to a known automation, SDK, scanner, or unmanaged tool.
- Resolve the principal owner and confirm whether the naming pattern is expected in this tenant.
- Check whether the regional spread is normal for this workload and time window.

Review fields:
- Status: `unreviewed`
- Disposition: `unknown`
- False-positive reason: `unset`

## Session `aws-demo-release-bot-001`

- Risk: `low` / `0`
- Label: `benign`
- Attack type: `approved_release_automation`
- Provider: `aws`
- Access tier: `privileged_operator`
- Session type: `assumed_role_session`
- Events: `3` total, `0` missing or blacked out

Observed facts:
- Observed events: `3`
- Missing or blacked-out events: `0`
- Principals: `parn:arn:aws:iam::111122223333:role/release-bot`
- IP categories: `ip:corp`
- Regions: `region:us-east-1`

Timeline:

| # | Action | Principal | IP | Region | Resource |
| ---: | --- | --- | --- | --- | --- |
| 0 | `sts:AssumeRole` | `parn:arn:aws:iam::111122223333:role/release-bot` | `ip:corp` | `region:us-east-1` | `res:arn:aws:iam::111122223333:role/release-bot` |
| 1 | `ecr:GetAuthorizationToken` | `parn:arn:aws:iam::111122223333:role/release-bot` | `ip:corp` | `region:us-east-1` | `res:arn:aws:ecr:us-east-1:111122223333:repository/api` |
| 2 | `ecs:UpdateService` | `parn:arn:aws:iam::111122223333:role/release-bot` | `ip:corp` | `region:us-east-1` | `res:arn:aws:ecs:us-east-1:111122223333:service/api` |

Signals:
- No elevated workflow signals found.

Scoring layers:
- `global_policy_signals`: score `0` (delta `0`)
- `provider_context`: score `0` (delta `0`)
- `access_tier_context`: score `0` (delta `0`)
- `session_type_context`: score `0` (delta `0`)
- `baseline_context`: score `0` (delta `0`)
- `suppression_context`: score `0` (delta `0`)
- `final`: score `0` (delta `0`)

Recommended actions:
- Retain as baseline context unless correlated with another alert.

Next checks:
- Retain as baseline context unless correlated with another alert, review outcome, or control gap.

Review fields:
- Status: `unreviewed`
- Disposition: `unknown`
- False-positive reason: `unset`

## Interpretation Guardrail

Findings are workflow-prioritization outputs. They help analysts decide what to review; they are not final forensic conclusions or production enforcement decisions.