I am trying to create a detection of the AWS exploitation tool Pacu.py. It is to detect the use of the enumeration tool within Pacu.py, which executes the following AWS commands in less than a second:
First Event: 2022-05-19 10:02:25
Last Event: 2022-05-19 10:02:26
Each command generates a separate event so I was wondering if it is possible to create a search which detects these command executed from the same account within a 1 second timeframe? I am unsure how to specify a time window so if you could help, that would be greatly appreciated.
index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies" | table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command