Vendor: Amazon

April 15, 2026 · View on GitHub

Product: AWS CloudTrail

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
138	78	29	79	43

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin authentication-successful ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth ↳amazon-awscloudtrail-json-app-authentication-success-saml2response ↳amazon-awscloudtrail-json-app-authentication-success-userauth ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail ↳amazon-awscloudtrail-json-app-success-activityauthentication failed-app-login ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1133 - External Remote Services	15 Rules 4 Models
Account Manipulation	app-activity ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-json-app-activity-headobject ↳amazon-awscloudtrail-json-app-activity-success-userinfo ↳amazon-awscloudtrail-json-app-success-awsserviceevent ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest ↳amazon-awscloudtrail-json-app-activity-success-getanalysis ↳amazon-awscloudtrail-sk4-app-activity-success-redshift ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted ↳amazon-awscloudtrail-json-app-activity-success-cloudtrailapicall ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsconsoleaction ↳amazon-awscloudtrail-json-app-activity-success-createlogstream ↳amazon-awscloudtrail-json-app-activity-awsapicall	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Cryptomining	aws-instance-create ↳amazon-awscloudtrail-json-endpoint-create-runinstances	T1074 - Data Staged T1496 - Resource Hijacking	1 Rules 1 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Valid Accounts: Cloud Accounts Exploit Public Fasing Application	User Execution	Boot or Logon Initialization Scripts External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Boot or Logon Initialization Scripts Valid Accounts	Valid Accounts Unused/Unsupported Cloud Regions		Account Discovery		Screen Capture Data from Information Repositories Email Collection Data from Cloud Storage Object Data Staged Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Proxy		Resource Hijacking