Day 7: Oh, no. I'M SPEAKING IN CLOUDTRAIL!
Task 1 - What is the other activity made by the user glitch aside from the ListObject action?
- To find the other activities, I filtered the S3 events for that bucket and user with the following command:
jq -r '.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares" and .userIdentity.userName == "glitch") | .eventName' cloudtrail_log.json
Answer 👉 PutObject
Task 2 - What is the source IP related to the S3 bucket activities of the user glitch?
jq -r '.Records[] | select(.userIdentity.userName == "glitch") | .sourceIPAddress' cloudtrail_log.json
Answer 👉 53.94.201.69
Task 3 - Based on the eventSource field, what AWS service generates the ConsoleLogin event?
jq -r '.Records[] | select(.eventName == "ConsoleLogin") | .eventSource' cloudtrail_log.json
Answer 👉 signin.amazonaws.com
Task 4 - When did the anomalous user trigger the ConsoleLogin event?
jq -r '.Records[] | select(.eventName == "ConsoleLogin") | .userIdentity.userName +" " + .eventTime' cloudtrail_log.json
Answer 👉 2024-11-28T15:21:54Z
Task 5 - What was the name of the user that was created by the mcskidy user?
jq -r '.Records[] | select(.eventName == "CreateLoginProfile")' cloudtrail_log.json
Answer 👉 glitch
Task 6 - What type of access was assigned to the anomalous user?
jq -r '.Records[] | select(.eventName == "AttachUserPolicy")' cloudtrail_log.json
Answer 👉 AdministratorAccess
Task 7 - Which IP does Mayor Malware typically use to log into AWS?
jq -r '.Records[] | select(.userIdentity.userName=="mayor_malware") | .sourceIPAddress' cloudtrail_log.json
Answer 👉 53.94.201.69
Task 8 - What is McSkidy's actual IP address?
jq -r '.Records[] | select(.userIdentity.userName=="mcskidy") | .sourceIPAddress' cloudtrail_log.json
Answer 👉 31.210.15.79
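The per-task jq one-liners above each answer one question, but the actual finding is the correlation across them: the same source IP appears under mcskidy, glitch and mayor_malware, and mcskidy's "real" IP only stands out once you tally IPs per user instead of reading a raw list. The script below is an added example, not the room's material or the write-up author's commands, that does the Tasks 1 to 8 investigation in Python over a constructed CloudTrail-shaped sample. Assumptions: the sample records are made up to match the answers quoted above (only the ConsoleLogin timestamp 2024-11-28T15:21:54Z and the IPs, users and bucket name are taken from the write-up; the other timestamps and the ListObjects/CreateUser records are mine), and the "home IP" heuristic is a choice made here, not a CloudTrail feature.

```python
"""Added example: correlating CloudTrail records by user and source IP.
Not the room's or the write-up author's code; sample data is constructed."""
import json
from collections import Counter, defaultdict


def _rec(time, source, name, user, ip, params=None):
    # Minimal CloudTrail record carrying only the fields the jq filters select on.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "requestParameters": params}


# Constructed sample in the {"Records": [...]} export shape (assumption: made up
# to mirror the write-up's answers, not the room's real cloudtrail_log.json).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-11-27T09:02:11Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "31.210.15.79"),
    _rec("2024-11-27T09:05:40Z", "s3.amazonaws.com", "ListObjects", "mcskidy", "31.210.15.79",
         {"bucketName": "wareville-care4wares"}),
    _rec("2024-11-28T15:10:03Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "53.94.201.69"),
    _rec("2024-11-28T15:12:30Z", "iam.amazonaws.com", "CreateUser", "mcskidy", "53.94.201.69",
         {"userName": "glitch"}),
    _rec("2024-11-28T15:13:05Z", "iam.amazonaws.com", "CreateLoginProfile", "mcskidy", "53.94.201.69",
         {"userName": "glitch"}),
    _rec("2024-11-28T15:14:20Z", "iam.amazonaws.com", "AttachUserPolicy", "mcskidy", "53.94.201.69",
         {"userName": "glitch", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-11-28T15:21:54Z", "signin.amazonaws.com", "ConsoleLogin", "glitch", "53.94.201.69"),
    _rec("2024-11-28T15:25:10Z", "s3.amazonaws.com", "ListObjects", "glitch", "53.94.201.69",
         {"bucketName": "wareville-care4wares"}),
    _rec("2024-11-28T15:26:02Z", "s3.amazonaws.com", "PutObject", "glitch", "53.94.201.69",
         {"bucketName": "wareville-care4wares"}),
    _rec("2024-11-26T18:40:00Z", "signin.amazonaws.com", "ConsoleLogin", "mayor_malware", "53.94.201.69"),
]})

PRIV_EVENTS = {"CreateUser", "CreateLoginProfile", "AttachUserPolicy", "CreateAccessKey"}


def load_records(text):
    """Parse a CloudTrail export ({"Records": [...]}) into a list of dicts."""
    return json.loads(text)["Records"]


def user_of(rec):
    return rec.get("userIdentity", {}).get("userName")


def events_for(records, user, bucket=None):
    """Event names by one user; with bucket set, only S3 events on that bucket (Task 1)."""
    out = []
    for r in records:
        if user_of(r) != user:
            continue
        if bucket is not None:
            if r["eventSource"] != "s3.amazonaws.com":
                continue
            if (r.get("requestParameters") or {}).get("bucketName") != bucket:
                continue
        out.append(r["eventName"])
    return out


def console_logins(records):
    """(user, time, ip, eventSource) for every ConsoleLogin (Tasks 3 and 4)."""
    return [(user_of(r), r["eventTime"], r["sourceIPAddress"], r["eventSource"])
            for r in records if r["eventName"] == "ConsoleLogin"]


def source_ips(records, user):
    """Counter of source IPs for a user: a tally, not the raw list jq prints (Tasks 2, 7, 8)."""
    return Counter(r["sourceIPAddress"] for r in records if user_of(r) == user)


def shared_ips(records):
    """IPs seen under more than one user name: the pivot that ties the sessions together."""
    users = defaultdict(set)
    for r in records:
        users[r["sourceIPAddress"]].add(user_of(r))
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}


def home_ip(records, user):
    """Baseline IP heuristic (assumption, not a CloudTrail feature): most frequent IP,
    ignoring IPs that other users also come from whenever an unshared one exists."""
    counts = source_ips(records, user)
    own = {ip: n for ip, n in counts.items() if ip not in shared_ips(records)}
    return Counter(own or counts).most_common(1)[0][0]


def off_ip_events(records, user):
    """Everything a user did from somewhere other than their home IP."""
    home = home_ip(records, user)
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in records if user_of(r) == user and r["sourceIPAddress"] != home]


def privilege_chain(records):
    """IAM persistence/escalation events in time order: (time, actor, event, target, policy) (Tasks 5, 6)."""
    rows = []
    for r in records:
        if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in PRIV_EVENTS:
            p = r.get("requestParameters") or {}
            policy = p.get("policyArn", "").rsplit("/", 1)[-1] or None
            rows.append((r["eventTime"], user_of(r), r["eventName"], p.get("userName"), policy))
    return sorted(rows)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("glitch on bucket:", events_for(recs, "glitch", "wareville-care4wares"))
    print("console logins:", console_logins(recs))
    print("shared IPs:", shared_ips(recs))
    print("mcskidy home IP:", home_ip(recs, "mcskidy"), "off-home:", off_ip_events(recs, "mcskidy"))
    for row in privilege_chain(recs):
        print(*row)
```

Two things this shows that the one-liners do not: the Task 8 query lists mcskidy's events from both IPs, and in the sample the attacker's IP outnumbers the legitimate one, so "most common" alone would pick the wrong baseline; excluding IPs shared with other accounts is what makes 31.210.15.79 surface. In jq terms the same pivot is the Task 7/8 commands piped through sort | uniq -c, run once per user and compared side by side.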
Task 9 - What is the bank account number owned by Mayor Malware?
grep -i "mayor malware" rds.log
Answer 👉 2394 6912 7723 1294
Task 10 - Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!
No Answer Needed