RajChowdhury240/demn.md

Created September 8, 2025 14:02

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/RajChowdhury240/554ff696d961e8bde2f4b967c41c7126.js"></script>
Save RajChowdhury240/554ff696d961e8bde2f4b967c41c7126 to your computer and use it in GitHub Desktop.

Raw

index=* sourcetype=*
| rex field=_raw "(?<aws_access_key_id>(AKIA|ASIA)[0-9A-Z]{16})"
| rex field=_raw "(?<aws_secret_access_key>[A-Za-z0-9/+=]{40})"
| rex field=_raw "(?<aws_session_token>(?i)aws_session_token[\"'=:\s]+[A-Za-z0-9/+=]{80,})"
| where isnotnull(aws_access_key_id) OR isnotnull(aws_secret_access_key) OR isnotnull(aws_session_token)
| table _time host source aws_access_key_id aws_secret_access_key aws_session_token