AWS CloudTrail Management Events
AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/cloud-aws-cloudtrail/generator.yml \
--id cloudtrail \
--live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| AssumeRole | Assume an IAM role (STS) | ~33% | authentication |
| DescribeInstances | List/describe EC2 instances | ~15% | host |
| GetCallerIdentity | Retrieve caller identity (STS) | ~9% | authentication |
| ConsoleLogin | AWS Management Console sign-in | ~6% | authentication |
| DescribeSecurityGroups | List/describe security groups | ~7% | network |
| RunInstances | Launch new EC2 instances | ~2% | host |
| CreateUser | Create a new IAM user | <1% | iam |
| AttachRolePolicy | Attach managed policy to role | <1% | iam |
Realism Features
- Jinja2 macros eliminate boilerplate across 22 templates
- 4 identity types — AssumedRole (65%), IAMUser (20%), AWSService (12%), Root (0.5%)
- Shared state correlations — AssumeRole generates temp credentials reused by subsequent API calls
- Error injection (~4%) — 20 realistic error scenarios mapped to specific API operations
- Console login flow with MFA tracking and ~5% login failure rate
- Multi-account environment — 3 AWS accounts (production, staging, development)
- 10 IAM users across 7 departments, 12 IAM roles with distinct trust services
Sample Output
{
"@timestamp": "2026-03-04T14:22:31+00:00",
"cloud": {
"account": { "id": "123456789012", "name": "acme-production" },
"provider": "aws",
"region": "us-east-1"
},
"event": {
"action": "AssumeRole",
"category": ["authentication"],
"dataset": "aws.cloudtrail",
"kind": "event",
"module": "aws",
"outcome": "success"
},
"user": {
"name": "michael.chen",
"id": "AIDAEXAMPLE3MCHEN001"
},
"aws": {
"cloudtrail": {
"event_source": "sts.amazonaws.com",
"event_name": "AssumeRole",
"event_type": "AwsApiCall",
"user_identity": {
"type": "IAMUser",
"arn": "arn:aws:iam::123456789012:user/michael.chen"
}
}
}
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_id | a1b2c3d4-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
| event_version | 1.09 | CloudTrail event version |
| error_rate | 4 | Error injection rate (percentage, 0-100) |
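Consuming the ECS layout shown in the sample output, the following added triage example (written for this page, not code from the content pack) flags Root activity, successful IAM privilege changes, and repeated console login failures so the generated stream can be used to exercise detections. The sample events, user names, the `mk` helper and the failure threshold are constructed assumptions, not generator output.

```python
from collections import Counter

def mk(ts, name, identity, user, outcome):
    """Build one constructed event in the ECS layout of the sample output above."""
    return {"@timestamp": ts,
            "event": {"action": name, "outcome": outcome},
            "user": {"name": user},
            "aws": {"cloudtrail": {"event_name": name,
                                   "user_identity": {"type": identity}}}}

# Constructed batch mirroring the generator's event mix (not real generator output).
SAMPLE_EVENTS = [
    mk("2026-03-04T14:22:31+00:00", "AssumeRole", "IAMUser", "michael.chen", "success"),
    mk("2026-03-04T14:23:02+00:00", "DescribeInstances", "AssumedRole", "michael.chen", "success"),
    mk("2026-03-04T14:25:10+00:00", "CreateUser", "Root", "root", "success"),
    mk("2026-03-04T14:25:11+00:00", "AttachRolePolicy", "IAMUser", "priya.nair", "failure"),
    mk("2026-03-04T14:30:00+00:00", "ConsoleLogin", "IAMUser", "sam.ortiz", "failure"),
    mk("2026-03-04T14:30:40+00:00", "ConsoleLogin", "IAMUser", "sam.ortiz", "failure"),
    mk("2026-03-04T14:31:15+00:00", "ConsoleLogin", "IAMUser", "sam.ortiz", "failure"),
    mk("2026-03-04T14:32:00+00:00", "ConsoleLogin", "IAMUser", "dana.wu", "failure"),
]

# IAM operations from this generator's event table that change who can do what.
PRIVILEGE_CHANGES = {"CreateUser", "AttachRolePolicy"}

def triage(event):
    """Return finding labels for one event; an empty list means routine activity."""
    ct = event.get("aws", {}).get("cloudtrail", {})
    name = ct.get("event_name")
    identity = ct.get("user_identity", {}).get("type")
    outcome = event.get("event", {}).get("outcome")
    findings = []
    if identity == "Root":
        findings.append("root-activity")          # any Root use deserves review
    if name in PRIVILEGE_CHANGES and outcome == "success":
        findings.append("iam-privilege-change")   # failed attempts are excluded here
    if name == "ConsoleLogin" and outcome == "failure":
        findings.append("console-login-failure")
    return findings

def triage_batch(events, failure_threshold=3):
    """Per-event findings plus users whose console failures reach the threshold."""
    per_event = [(e["user"]["name"], triage(e)) for e in events]
    failures = Counter(u for u, f in per_event if "console-login-failure" in f)
    repeated = {u for u, n in failures.items() if n >= failure_threshold}
    return per_event, repeated

if __name__ == "__main__":
    per_event, repeated = triage_batch(SAMPLE_EVENTS)
    for user, findings in per_event:
        if findings:
            print(user, findings)
    print("repeated console failures:", sorted(repeated))
```

Against the constructed batch this reports the Root CreateUser as both root-activity and iam-privilege-change, ignores the failed AttachRolePolicy, and flags sam.ortiz for three console login failures.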
Related Generators
AWS GuardDuty Findings
AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.
AWS VPC Flow Logs
AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.
Azure Activity Log
Azure Monitor Activity Log — control plane operations across VMs, storage, networking, and RBAC. Covers all 7 log categories: Administrative, Security, Service Health, Alert, Autoscale, Policy, and Recommendation.