Skip to content

TheCloud.Events

The cloud security
event catalog

261 audit events across AWS, Azure, and GCP, mapped to MITRE ATT&CK — what each one means, how adversaries use it, and how to read it in the log.

aws 143 azure 79 gcp 39 12 tactics

cloudtrail event of the day
{
  "eventSource": "lambda.amazonaws.com",
  "eventName": "AddPermission20150331v2",
  "userIdentity": { "type": "IAMUser", "userName": "draco" },
  "sourceIPAddress": "203.0.113.66"
}
  1. 01 Initial Access 9
  2. 02 Execution 24
  3. 03 Persistence 77
  4. 04 Privilege Escalation 63
  5. 05 Stealth 17
  6. 06 Defense Impairment 96
  7. 07 Credential Access 33
  8. 08 Discovery 16
  9. 09 Lateral Movement 25
  10. 10 Collection 24
  11. 11 Exfiltration 24
  12. 12 Impact 35