Hello,
About Heartbreaker-Denouement (Sherlock), I’ve successfully answered all the questions but Question 11.
For some reason I can’t find the ARNs especially when using the opposite filter of Question 10.
Any idea what field I should be looking at (resources.ARN, responseElement.ARN…)?
Did you figure this one out? I am also stuck
Hi there, no sadly I haven’t. I’m stuck on 93% completion…
Dang!
OK, someone helped me out. Filter by IPs, filter out errors, filter for events with Describe, List, Get. Then filter out the ARN that is tied to the instance. Should be 2.
Thanks a lot!!! It worked like a charm.
Out of curiosity, how did you handle the thousands of log files? I developed a quick Python script to parse them into Elastic and Kibana.
No problem. I used free Splunk. First I had to run some Linux CLI stuff to get the JSON logs consolidated into one file.
Any tips on Tasks 8 and 13? I can only see one account ID, where else should I be looking?
Task 8:
So you have unveiled the username: xxxxxx-xxx
Now, filter on username and successful API calls.
A successful API call is a call for which neither errorCode nor errorMessage exists.
You should find two regions, which are from the same country.
Task 13:
We know that the attacker has created DB Snapshots.
And now, here we are, the attacker is finally going to exfiltrate the data.
That can’t be a coincidence, right?
Luckily, we can filter events on the eventName: xxxxxxDBSnapshotxxxxxxxxx.
Then, within the logs, we look for requestParameters.valuesxxxxx, and that’s the answer.
Good luck !
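A worked version of the filtering described in this post (Task 8 and Task 13) and in the Question 11 reply above (attacker IPs, successful calls only, Describe/List/Get events, drop the instance's own ARN), plus the "consolidate the json.gz files" step, as an added example that is not part of the thread, the Sherlock's material, or anyone's posted script. Every record, username, IP, ARN and account ID below is a constructed placeholder; only the CloudTrail field names (errorCode, errorMessage, awsRegion, sourceIPAddress, eventName, resources[].ARN, requestParameters, userIdentity) are real.

```python
"""Consolidate CloudTrail .json.gz files and apply the thread's filters.

Added example; all records and identifiers are constructed placeholders."""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path


def load_cloudtrail(directory):
    """Yield every record from all .json / .json.gz files under `directory`.

    Stands in for the 'consolidate into one file' CLI step: CloudTrail
    delivers one {"Records": [...]} document per (gzipped) file."""
    for path in sorted(Path(directory).rglob("*.json*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8") as fh:
            yield from json.load(fh).get("Records", [])


def is_successful(rec):
    """Task 8 definition: neither errorCode nor errorMessage is present."""
    return "errorCode" not in rec and "errorMessage" not in rec


def username_of(rec):
    """IAM user name, or the role session issuer for AssumedRole identities."""
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("userName") or issuer.get("userName")


def regions_for_user(records, username):
    """Task 8: regions in which `username` made successful calls, with counts."""
    return Counter(r["awsRegion"] for r in records
                   if is_successful(r) and username_of(r) == username)


def arns_enumerated_from(records, ips, exclude_arn):
    """Question 11 recipe: successful Describe/List/Get calls from `ips`,
    collecting resources[].ARN and dropping the instance's own ARN."""
    arns = set()
    for r in records:
        if r.get("sourceIPAddress") not in ips or not is_successful(r):
            continue
        if not r.get("eventName", "").startswith(("Describe", "List", "Get")):
            continue
        for res in r.get("resources", []):
            if res.get("ARN") and res["ARN"] != exclude_arn:
                arns.add(res["ARN"])
    return sorted(arns)


def snapshot_events(records, needle="DBSnapshot"):
    """Task 13: events whose eventName contains `needle`, paired with their
    requestParameters so the sharing target can be read off by hand."""
    return [(r["eventName"], r.get("requestParameters", {}))
            for r in records if needle in r.get("eventName", "")]


# Constructed placeholders (not Sherlock data): one attacker IP, one victim
# user, an EC2 instance ARN to exclude, and an RDS snapshot being shared.
INSTANCE_ARN = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc123def456"
_VICTIM = {"type": "IAMUser", "userName": "victim-user"}
SAMPLE_RECORDS = [
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _VICTIM, "resources": [{"ARN": INSTANCE_ARN}]},
    {"eventName": "GetUser", "awsRegion": "eu-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _VICTIM, "resources": [{"ARN": "arn:aws:iam::111122223333:user/victim-user"}]},
    {"eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _VICTIM, "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: s3:ListAllMyBuckets", "resources": []},
    {"eventName": "CreateDBSnapshot", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _VICTIM, "requestParameters": {"dBSnapshotIdentifier": "snap-1", "dBInstanceIdentifier": "db-1"}},
    {"eventName": "ModifyDBSnapshotAttribute", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _VICTIM, "requestParameters": {"dBSnapshotIdentifier": "snap-1", "attributeName": "restore"}},
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}, "resources": []},
]


def roundtrip_sample():
    """Write SAMPLE_RECORDS as a gzipped CloudTrail file and load it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "111122223333_CloudTrail_eu-west-1_sample.json.gz"
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            json.dump({"Records": SAMPLE_RECORDS}, fh)
        return list(load_cloudtrail(path.parent))


if __name__ == "__main__":
    recs = roundtrip_sample()
    print("Task 8 regions:", dict(regions_for_user(recs, "victim-user")))
    print("Q11 ARNs:", arns_enumerated_from(recs, {"203.0.113.10"}, INSTANCE_ARN))
    for name, params in snapshot_events(recs):
        print("Task 13:", name, params)
```

Point `load_cloudtrail` at the unpacked Sherlock directory instead of the temp dir and the same three functions run over the real records; the constructed sample exists only so the block runs offline. The successful-call check is the one the post gives (absence of both error fields), and `snapshot_events` deliberately returns the whole `requestParameters` rather than guessing the field name the post masks.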
For easy search through the many json.gz files, I suggest the techniques described here: Quick and Dirty CloudTrail Threat Hunting Log Analysis | by George Fekkas | Medium
Great article!! Thanks for sharing.