2_ds_amazon_aws_cloudtrail.md

April 15, 2026 · View on GitHub

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Cloud Data Protection	aws-bucket-create ↳amazon-awscloudtrail-json-bucket-create-awsapicall aws-bucket-policy ↳amazon-awscloudtrail-json-bucket-policy-modify-putbucketpolicy aws-bucket-policy-failed ↳amazon-awscloudtrail-json-bucket-policy-modify-putbucketpolicy aws-general-activity ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand aws-image-modify ↳amazon-awscloudtrail-json-image-modify-imageattribute aws-instance-creds-write ↳amazon-awscloudtrail-json-key-write-createkeypair aws-instance-login ↳amazon-awscloudtrail-json-endpoint-login-sendsshkey aws-instance-screenshot ↳amazon-awscloudtrail-json-app-activity-getscreenshot aws-policy-attach ↳amazon-awscloudtrail-json-user-policy-attach-success-attachuserpolicy ↳amazon-awscloudtrail-json-group-policy-attach-success-attachgrouppolicy ↳amazon-awscloudtrail-json-role-policy-attach-success-attachrolepolicy aws-policy-list ↳amazon-awscloudtrail-json-policy-list-success-rolepolicies ↳amazon-awscloudtrail-json-policy-list-success-grouppolicies ↳amazon-awscloudtrail-json-policy-list-success-listuserpolicies ↳amazon-awscloudtrail-json-policy-list-success-userpolicies ↳amazon-awscloudtrail-json-policy-list-success-listgrouppolicies ↳amazon-awscloudtrail-json-policy-list-success-listrolepolicies ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-policy-setversion ↳amazon-awscloudtrail-json-policy-modify-success-setpolicyversion aws-policy-write ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy ↳amazon-awscloudtrail-json-policy-modify-success-createpolicyversion ↳amazon-awscloudtrail-json-policy-create-success-putgrouppolicy ↳amazon-awscloudtrail-json-policy-create-success-putrolepolicy ↳amazon-awscloudtrail-json-policy-create-success-createpolicy ↳amazon-awscloudtrail-json-policy-create-success-putuserpolicy aws-role-assume ↳amazon-awscloudtrail-json-role-assume-renewrole ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-role-assumepolicy ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy aws-role-switch ↳amazon-awscloudtrail-json-role-assume-success-switchrole aws-role-write ↳amazon-awscloudtrail-json-role-create-success-createrole ↳amazon-awscloudtrail-json-role-create-success-createrole aws-snapshot-create ↳amazon-awscloudtrail-sk4-snapshot-create-success-sharedsnapshotvolumecreated ↳amazon-awscloudtrail-json-snapshot-create-awsapicall aws-snapshot-modify ↳amazon-awscloudtrail-json-snapshot-modify-awsapicall aws-storage-acl ↳amazon-awscloudtrail-json-bucket-permission-modify-putobjectacl ↳amazon-awscloudtrail-json-bucket-permission-modify-putbucketacl aws-storage-acl-failed ↳amazon-awscloudtrail-json-bucket-permission-modify-putobjectacl ↳amazon-awscloudtrail-json-bucket-permission-modify-putbucketacl aws-storage-list ↳amazon-awscloudtrail-json-bucket-list-success-listbucket ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-volume-attach ↳amazon-awscloudtrail-json-disk-attach-attachvolume aws-volume-create ↳amazon-awscloudtrail-json-disk-create-createvolume	T1074 - Data Staged T1113 - Screen Capture T1530 - Data from Cloud Storage Object T1580 - T1580 TA0001 - TA0001 TA0004 - TA0004 TA0007 - TA0007 TA0009 - TA0009	29 Rules 21 Models
Compromised Credentials	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin authentication-successful ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth ↳amazon-awscloudtrail-json-app-authentication-success-saml2response ↳amazon-awscloudtrail-json-app-authentication-success-userauth ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail ↳amazon-awscloudtrail-json-app-success-activityauthentication aws-bucket-cors ↳amazon-awscloudtrail-json-bucket-permission-modify-putbucketcors aws-bucket-cors-failed ↳amazon-awscloudtrail-json-bucket-permission-modify-putbucketcors aws-bucket-create ↳amazon-awscloudtrail-json-bucket-create-awsapicall aws-bucket-create-failed ↳amazon-awscloudtrail-json-bucket-create-awsapicall aws-bucket-policy ↳amazon-awscloudtrail-json-bucket-policy-modify-putbucketpolicy aws-bucket-policy-failed ↳amazon-awscloudtrail-json-bucket-policy-modify-putbucketpolicy aws-compute-list ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-compute-list-failed ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-function-write ↳amazon-awscloudtrail-json-function-write-updatefunction ↳amazon-awscloudtrail-json-function-write-updateconfiguration ↳amazon-awscloudtrail-json-function-write-createfunction aws-function-write-failed ↳amazon-awscloudtrail-json-function-write-updatefunction ↳amazon-awscloudtrail-json-function-write-updateconfiguration ↳amazon-awscloudtrail-json-function-write-createfunction aws-general-activity ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand aws-general-activity-failed ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand aws-identity-addtogroup ↳amazon-awscloudtrail-json-group-member-add-addusertogroup aws-identity-addtogroup-failed ↳amazon-awscloudtrail-json-group-member-add-addusertogroup aws-identity-creds-write ↳amazon-awscloudtrail-json-user-key-create-createaccesskey aws-identity-creds-write-failed ↳amazon-awscloudtrail-json-user-key-create-createaccesskey aws-identity-list ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-identity-list-failed ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-identity-loginprofile ↳amazon-awscloudtrail-json-app-activity-updateprofile ↳amazon-awscloudtrail-json-app-activity-loginprofile aws-identity-loginprofile-failed ↳amazon-awscloudtrail-json-app-activity-updateprofile ↳amazon-awscloudtrail-json-app-activity-loginprofile aws-identity-write ↳amazon-awscloudtrail-json-user-create-creategroup ↳amazon-awscloudtrail-json-user-create-awsapicall aws-identity-write-failed ↳amazon-awscloudtrail-json-user-create-creategroup ↳amazon-awscloudtrail-json-user-create-awsapicall aws-image-create ↳amazon-awscloudtrail-json-image-create-awsapicall aws-image-create-failed ↳amazon-awscloudtrail-json-image-create-awsapicall aws-image-modify ↳amazon-awscloudtrail-json-image-modify-imageattribute aws-image-modify-failed ↳amazon-awscloudtrail-json-image-modify-imageattribute aws-instance-command ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-instance-command-failed ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-instance-create ↳amazon-awscloudtrail-json-endpoint-create-runinstances aws-instance-create-failed ↳amazon-awscloudtrail-json-endpoint-create-runinstances aws-instance-creds-read ↳amazon-awscloudtrail-json-key-read-getpassword aws-instance-creds-read-failed ↳amazon-awscloudtrail-json-key-read-getpassword aws-instance-creds-write ↳amazon-awscloudtrail-json-key-write-createkeypair aws-instance-creds-write-failed ↳amazon-awscloudtrail-json-key-write-createkeypair aws-instance-login ↳amazon-awscloudtrail-json-endpoint-login-sendsshkey aws-instance-login-failed ↳amazon-awscloudtrail-json-endpoint-login-sendsshkey aws-instance-modify ↳amazon-awscloudtrail-json-endpoint-modify-instanceattribute aws-instance-screenshot ↳amazon-awscloudtrail-json-app-activity-getscreenshot aws-instance-screenshot-failed ↳amazon-awscloudtrail-json-app-activity-getscreenshot aws-policy-attach ↳amazon-awscloudtrail-json-user-policy-attach-success-attachuserpolicy ↳amazon-awscloudtrail-json-group-policy-attach-success-attachgrouppolicy ↳amazon-awscloudtrail-json-role-policy-attach-success-attachrolepolicy aws-policy-attach-failed ↳amazon-awscloudtrail-json-user-policy-attach-success-attachuserpolicy ↳amazon-awscloudtrail-json-group-policy-attach-success-attachgrouppolicy ↳amazon-awscloudtrail-json-role-policy-attach-success-attachrolepolicy aws-policy-list ↳amazon-awscloudtrail-json-policy-list-success-rolepolicies ↳amazon-awscloudtrail-json-policy-list-success-grouppolicies ↳amazon-awscloudtrail-json-policy-list-success-listuserpolicies ↳amazon-awscloudtrail-json-policy-list-success-userpolicies ↳amazon-awscloudtrail-json-policy-list-success-listgrouppolicies ↳amazon-awscloudtrail-json-policy-list-success-listrolepolicies ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-policy-list-failed ↳amazon-awscloudtrail-json-policy-list-success-rolepolicies ↳amazon-awscloudtrail-json-policy-list-success-grouppolicies ↳amazon-awscloudtrail-json-policy-list-success-listuserpolicies ↳amazon-awscloudtrail-json-policy-list-success-userpolicies ↳amazon-awscloudtrail-json-policy-list-success-listgrouppolicies ↳amazon-awscloudtrail-json-policy-list-success-listrolepolicies ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-policy-setversion ↳amazon-awscloudtrail-json-policy-modify-success-setpolicyversion aws-policy-setversion-failed ↳amazon-awscloudtrail-json-policy-modify-success-setpolicyversion ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-policy-write ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy ↳amazon-awscloudtrail-json-policy-modify-success-createpolicyversion ↳amazon-awscloudtrail-json-policy-create-success-putgrouppolicy ↳amazon-awscloudtrail-json-policy-create-success-putrolepolicy ↳amazon-awscloudtrail-json-policy-create-success-createpolicy ↳amazon-awscloudtrail-json-policy-create-success-putuserpolicy aws-policy-write-failed ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy ↳amazon-awscloudtrail-json-policy-modify-success-createpolicyversion ↳amazon-awscloudtrail-json-policy-create-success-putrolepolicy ↳amazon-awscloudtrail-json-policy-create-success-putgrouppolicy ↳amazon-awscloudtrail-json-policy-create-success-createpolicy ↳amazon-awscloudtrail-json-policy-create-success-putuserpolicy aws-role-assume ↳amazon-awscloudtrail-json-role-assume-renewrole ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-role-assume-failed ↳amazon-awscloudtrail-json-role-assume-renewrole ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-role-assumepolicy ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy aws-role-assumepolicy-failed ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy aws-role-switch ↳amazon-awscloudtrail-json-role-assume-success-switchrole aws-role-switch-failed ↳amazon-awscloudtrail-json-role-assume-success-switchrole aws-role-write ↳amazon-awscloudtrail-json-role-create-success-createrole ↳amazon-awscloudtrail-json-role-create-success-createrole aws-snapshot-create ↳amazon-awscloudtrail-sk4-snapshot-create-success-sharedsnapshotvolumecreated ↳amazon-awscloudtrail-json-snapshot-create-awsapicall aws-snapshot-create-failed ↳amazon-awscloudtrail-sk4-snapshot-create-success-sharedsnapshotvolumecreated ↳amazon-awscloudtrail-json-snapshot-create-awsapicall aws-snapshot-modify ↳amazon-awscloudtrail-json-snapshot-modify-awsapicall aws-snapshot-modify-failed ↳amazon-awscloudtrail-json-snapshot-modify-awsapicall aws-storage-acl ↳amazon-awscloudtrail-json-bucket-permission-modify-putobjectacl ↳amazon-awscloudtrail-json-bucket-permission-modify-putbucketacl aws-storage-acl-failed ↳amazon-awscloudtrail-json-bucket-permission-modify-putobjectacl ↳amazon-awscloudtrail-json-bucket-permission-modify-putbucketacl aws-storage-list ↳amazon-awscloudtrail-json-bucket-list-success-listbucket ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-storage-list-failed ↳amazon-awscloudtrail-json-bucket-list-success-listbucket ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-storageobject-copy ↳amazon-awscloudtrail-json-file-copy-copyobject aws-storageobject-copy-failed ↳amazon-awscloudtrail-json-file-copy-copyobject aws-storageobject-read ↳amazon-awscloudtrail-json-file-read-getobject aws-storageobject-write ↳amazon-awscloudtrail-json-file-write-putobject ↳amazon-awscloudtrail-json-file-write-success-putobject ↳amazon-awscloudtrail-json-file-write-success-objectcreated aws-storageobject-write-failed ↳amazon-awscloudtrail-json-file-write-putobject ↳amazon-awscloudtrail-json-file-write-success-putobject aws-volume-attach ↳amazon-awscloudtrail-json-disk-attach-attachvolume aws-volume-attach-failed ↳amazon-awscloudtrail-json-disk-attach-attachvolume aws-volume-create ↳amazon-awscloudtrail-json-disk-create-createvolume aws-volume-create-failed ↳amazon-awscloudtrail-json-disk-create-createvolume aws-volume-modify ↳amazon-awscloudtrail-json-disk-modify-modifyvolume aws-volume-modify-failed ↳amazon-awscloudtrail-json-disk-modify-modifyvolume database-query ↳amazon-awscloudtrail-json-database-query-success-querydb failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories T1535 - Unused/Unsupported Cloud Regions	67 Rules 40 Models
Data Access	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin database-query ↳amazon-awscloudtrail-json-database-query-success-querydb failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1213 - Data from Information Repositories	38 Rules 21 Models
Data Leak	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall	T1114 - Email Collection T1114.003 - Email Collection: Email Forwarding Rule	3 Rules
Lateral Movement	app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin authentication-successful ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth ↳amazon-awscloudtrail-json-app-authentication-success-saml2response ↳amazon-awscloudtrail-json-app-authentication-success-userauth ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail ↳amazon-awscloudtrail-json-app-success-activityauthentication failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Malware	app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin authentication-successful ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth ↳amazon-awscloudtrail-json-app-authentication-success-saml2response ↳amazon-awscloudtrail-json-app-authentication-success-userauth ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail ↳amazon-awscloudtrail-json-app-success-activityauthentication aws-general-activity ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand aws-image-create ↳amazon-awscloudtrail-json-image-create-awsapicall aws-instance-command ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-sendcommand ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-instance-modify ↳amazon-awscloudtrail-json-endpoint-modify-instanceattribute aws-storageobject-write ↳amazon-awscloudtrail-json-file-write-putobject ↳amazon-awscloudtrail-json-file-write-success-putobject ↳amazon-awscloudtrail-json-file-write-success-objectcreated	T1037 - Boot or Logon Initialization Scripts T1078 - Valid Accounts T1204 - User Execution T1204.002 - T1204.002 T1204.003 - T1204.003 TA0002 - TA0002	7 Rules 4 Models
Privilege Abuse	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall app-activity-failed ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-fail-errorget app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin aws-identity-addtogroup ↳amazon-awscloudtrail-json-group-member-add-addusertogroup aws-identity-creds-write ↳amazon-awscloudtrail-json-user-key-create-createaccesskey aws-identity-list ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-identity-loginprofile ↳amazon-awscloudtrail-json-app-activity-updateprofile ↳amazon-awscloudtrail-json-app-activity-loginprofile aws-identity-write ↳amazon-awscloudtrail-json-user-create-creategroup ↳amazon-awscloudtrail-json-user-create-awsapicall aws-identity-write-failed ↳amazon-awscloudtrail-json-user-create-creategroup ↳amazon-awscloudtrail-json-user-create-awsapicall failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1087 - Account Discovery T1087.004 - T1087.004 T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions TA0003 - TA0003 TA0004 - TA0004	11 Rules 7 Models
Privilege Escalation	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall aws-instance-creds-read ↳amazon-awscloudtrail-json-key-read-getpassword aws-policy-attach ↳amazon-awscloudtrail-json-user-policy-attach-success-attachuserpolicy ↳amazon-awscloudtrail-json-group-policy-attach-success-attachgrouppolicy ↳amazon-awscloudtrail-json-role-policy-attach-success-attachrolepolicy aws-policy-write ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy ↳amazon-awscloudtrail-json-policy-modify-success-createpolicyversion ↳amazon-awscloudtrail-json-policy-create-success-putgrouppolicy ↳amazon-awscloudtrail-json-policy-create-success-putrolepolicy ↳amazon-awscloudtrail-json-policy-create-success-createpolicy ↳amazon-awscloudtrail-json-policy-create-success-putuserpolicy aws-role-assume ↳amazon-awscloudtrail-json-role-assume-renewrole ↳amazon-awscloudtrail-json-role-assume-success-assumerole aws-role-assumepolicy ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-policy-modify-success-updateassumerolepolicy aws-role-switch ↳amazon-awscloudtrail-json-role-assume-success-switchrole	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions TA0004 - TA0004	9 Rules 6 Models
Privileged Activity	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall app-activity-failed ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-fail-errorget app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts	2 Rules 1 Models
Ransomware	app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin authentication-successful ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth ↳amazon-awscloudtrail-json-app-authentication-success-saml2response ↳amazon-awscloudtrail-json-app-authentication-success-userauth ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail ↳amazon-awscloudtrail-json-app-success-activityauthentication failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts	2 Rules