AWS CloudTrail telemetry sources

AWS records control-plane and data-plane activity in CloudTrail, which identifies each observable action by an (eventSource, eventName) pair rather than by a numbered event ID. The catalog models each eventSource (an AWS service endpoint such as iam.amazonaws.com) as a synthetic AWS-<service> provider, and each eventName (an API action such as CreateUser) as an event. These pages are kept separate from the Windows event catalog.

Services

The admitted services and eventNames are corpus-demand-gated: each entry is either referenced by at least one ingested detection rule or drawn from a curated seed of high-value data events. See the cross-vendor AWS coverage matrix for which rules cover which API calls.

The CloudTrail event model

Each CloudTrail record carries a common envelope: eventSource (the service that received the call), eventName (the API action), eventType (the category, e.g. AwsApiCall or AwsConsoleSignIn), userIdentity (the calling IAM entity), sourceIPAddress, awsRegion, and action-specific requestParameters / responseElements. A detection keys on the (eventSource, eventName) pair to identify the action, then on the envelope and parameters to score it.

Source: AWS: CloudTrail record contents reference.

Management events and data events

CloudTrail distinguishes management events (control-plane operations such as CreateUser or AuthorizeSecurityGroupIngress, logged by default) from data events (high-volume data-plane operations such as S3 GetObject, Lambda Invoke, or KMS Decrypt, logged only when the trail is explicitly configured for them). The catalog includes high-value data events because detection rules cover them; their pages note that capturing them requires non-default trail configuration.

Source: AWS: logging management and data events.

eventSource and eventName naming

The provider name derives from the actual CloudTrail eventSource, not the IAM service prefix: CloudWatch API calls are logged under monitoring.amazonaws.com (provider AWS-monitoring), and all console sign-in events log under signin.amazonaws.com (provider AWS-signin) regardless of the target service. A handful of eventNames diverge from their IAM action name: s3:ListAllMyBuckets appears as eventName ListBuckets, and lambda:InvokeFunction appears as Invoke. The catalog stores the actual CloudTrail eventName.

Source: AWS Service Authorization Reference.
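The event-model and naming sections above describe how a detection keys on the (eventSource, eventName) pair and how the catalog derives its AWS-<service> provider names. The following is an added example, not catalog code: it parses a constructed CloudTrail log file, derives provider names from eventSource, and evaluates rules keyed on the actual CloudTrail eventName (so a rule written against the IAM action name ListAllMyBuckets would never fire). The rule names, account ID, IP addresses and the responseElements.ConsoleLogin field are assumptions for illustration.

```python
import json
from dataclasses import dataclass
from typing import Callable, List

# Constructed trail file (abbreviated envelopes, not a real capture); account ID and IPs are placeholders.
SAMPLE_TRAIL = """{"Records": [
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "eventType": "AwsApiCall",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
  "awsRegion": "us-east-1", "requestParameters": {"userName": "svc-backup"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "eventType": "AwsApiCall",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Audit/s1"},
  "sourceIPAddress": "203.0.113.9", "awsRegion": "us-east-1"},
 {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.42",
  "awsRegion": "us-east-1", "responseElements": {"ConsoleLogin": "Failure"}}
]}"""

@dataclass
class Rule:
    name: str
    event_source: str   # the CloudTrail eventSource host, e.g. iam.amazonaws.com
    event_name: str     # the CloudTrail eventName (ListBuckets), not the IAM action (s3:ListAllMyBuckets)
    # scoring check over the envelope and parameters; by default the (eventSource, eventName) pair alone fires
    score: Callable[[dict], bool] = lambda record: True

RULES = [
    Rule("iam-user-created", "iam.amazonaws.com", "CreateUser"),
    Rule("s3-bucket-enumeration", "s3.amazonaws.com", "ListBuckets"),
    # responseElements.ConsoleLogin carries "Success"/"Failure" for console sign-ins (assumed field)
    Rule("console-login-failure", "signin.amazonaws.com", "ConsoleLogin",
         lambda r: r.get("responseElements", {}).get("ConsoleLogin") == "Failure"),
]

def provider_for(event_source: str) -> str:
    """Derive the catalog's synthetic AWS-<service> provider name from the eventSource host."""
    return "AWS-" + event_source.split(".", 1)[0]

def load_records(trail_json: str) -> List[dict]:
    """Parse a CloudTrail log file, whose top-level object holds the records under "Records"."""
    return json.loads(trail_json)["Records"]

def evaluate(records, rules):
    """Identify each record by its (eventSource, eventName) pair, then apply the rule's scoring check."""
    hits = []
    for record in records:
        key = (record["eventSource"], record["eventName"])
        for rule in rules:
            if (rule.event_source, rule.event_name) == key and rule.score(record):
                hits.append((rule.name, provider_for(record["eventSource"]), record["eventName"]))
    return hits
```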