How would you parse and correlate logs from CloudWatch, VPC Flow Logs, and application logs to trace an attacker's steps?