feat(demo): add synthetic CloudTrail IAM investigation

README.md

@@ -19,17 +19,19 @@ Latest milestone: [v0.6.0 — fourth demo and config-change investigation](https
 - [ai-assisted-detection-demo](demos/ai-assisted-detection-demo/README.md)
 - [rule-evaluation-and-dedup-demo](demos/rule-evaluation-and-dedup-demo/README.md)
 - [config-change-investigation-demo](demos/config-change-investigation-demo/README.md)
+- [cloud-iam-change-investigation-demo](demos/cloud-iam-change-investigation-demo/README.md)
 
 | Demo | Input | Deterministic core | LLM role | Main artifacts | Guardrails / non-goals |
 | --- | --- | --- | --- | --- | --- |
 | [telemetry-window-demo](#telemetry-window-demo) | JSONL / CSV events | Windows<br>Features<br>Alert thresholds | None | `features.csv`<br>`alerts.csv`<br>`summary.json`<br>3 PNG plots | Local demo only<br>No realtime<br>No case management |
 | [ai-assisted-detection-demo](demos/ai-assisted-detection-demo/README.md) | JSONL auth / web / process | Normalize<br>Rules<br>Grouping<br>ATT&CK mapping | JSON-only case drafting | `rule_hits.json`<br>`case_bundles.json`<br>`case_summaries.json`<br>`case_report.md`<br>`audit_traces.jsonl` | Human verification required<br>No autonomous response<br>No final verdict |
 | [rule-evaluation-and-dedup-demo](demos/rule-evaluation-and-dedup-demo/README.md) | JSON raw rule hits | Scope resolution<br>Cooldown grouping<br>Suppression reasoning | None | `rule_hits_before_dedup.json`<br>`rule_hits_after_dedup.json`<br>`dedup_explanations.json`<br>`dedup_report.md` | No realtime<br>No dashboard<br>No AI stage |
 | [config-change-investigation-demo](demos/config-change-investigation-demo/README.md) | JSONL config changes<br>Policy denials<br>Follow-on events | Normalize<br>Risky-change rules<br>Bounded correlation | None | `change_events_normalized.json`<br>`investigation_hits.json`<br>`investigation_summary.json`<br>`investigation_report.md` | No realtime<br>No dashboard<br>No AI stage |
+| [cloud-iam-change-investigation-demo](demos/cloud-iam-change-investigation-demo/README.md) | Synthetic CloudTrail-like JSONL | Validate<br>IAM rules<br>Bounded correlation<br>ATT&CK mapping | None | `normalized_cloudtrail_events.json`<br>`investigation_signals.json`<br>`investigation_summary.json`<br>`investigation_report.md` | Synthetic only<br>No live AWS<br>No final verdict |
 
 ## What This Repo Is
 
-`telemetry-lab` is a small portfolio repository for constrained detection workflows. It is not a SIEM, dashboard, or monitoring platform; it is organized as four local, file-based demos that are reproducible from committed sample data and intentionally scoped for public review rather than production use.
+`telemetry-lab` is a small portfolio repository for constrained detection workflows. It is not a SIEM, dashboard, or monitoring platform; it is organized as five local, file-based demos that are reproducible from committed sample data and intentionally scoped for public review rather than production use.
 
 ### telemetry-window-demo
 
@@ -46,6 +48,10 @@ Latest milestone: [v0.6.0 — fourth demo and config-change investigation](https
 ### config-change-investigation-demo
 
 `config-change-investigation-demo` follows risky configuration changes into bounded follow-on evidence such as policy denials and service signals. It stays deterministic, file-based, and review-oriented, with no added AI stage.
+
+### cloud-iam-change-investigation-demo
+
+`cloud-iam-change-investigation-demo` uses synthetic CloudTrail-like events to review IAM changes, failed console logins, CloudTrail logging changes, and security group ingress changes with bounded deterministic rules. It has no live AWS account, no real account ID, no production detection claim, and no final incident verdict.
 
 ## Quick Run
 
@@ -62,6 +68,7 @@ Other demo entrypoints:
 - `python -m telemetry_window_demo.cli run-ai-demo`
 - `python -m telemetry_window_demo.cli run-rule-dedup-demo`
 - `python -m telemetry_window_demo.cli run-config-change-demo`
+- `python -m telemetry_window_demo.cli run-cloud-iam-change-demo`
 
 Useful inspection commands:
 
@@ -99,7 +106,8 @@ For a quick coherence pass across the demos:
 1. Run `python -m telemetry_window_demo.cli run --config configs/default.yaml` and confirm `data/processed/summary.json` reports `41` events, `24` windows, and `12` alerts.
 2. Run `python -m telemetry_window_demo.cli run-rule-dedup-demo` and confirm `demos/rule-evaluation-and-dedup-demo/artifacts/dedup_report.md` shows `10` raw hits reduced to `6` retained alerts with `4` suppressions.
 3. Run `python -m telemetry_window_demo.cli run-config-change-demo` and confirm `demos/config-change-investigation-demo/artifacts/investigation_report.md` shows `4` normalized changes, `3` risky changes, and `3` investigations.
-4. Run `python -m telemetry_window_demo.cli run-ai-demo` and confirm `demos/ai-assisted-detection-demo/artifacts/case_report.md` shows `3` deterministic cases with human verification and no final incident verdict.
+4. Run `python -m telemetry_window_demo.cli run-cloud-iam-change-demo` and confirm `demos/cloud-iam-change-investigation-demo/artifacts/investigation_report.md` shows `14` CloudTrail-like events and `5` investigation signals.
+5. Run `python -m telemetry_window_demo.cli run-ai-demo` and confirm `demos/ai-assisted-detection-demo/artifacts/case_report.md` shows `3` deterministic cases with human verification and no final incident verdict.
 
 ## Demo Variants
 
@@ -150,6 +158,7 @@ Cooldown behavior:
 
 - [`demos/rule-evaluation-and-dedup-demo/README.md`](demos/rule-evaluation-and-dedup-demo/README.md) explains the third demo and links its committed before/after dedup artifacts
 - [`demos/config-change-investigation-demo/README.md`](demos/config-change-investigation-demo/README.md) explains the config-change investigation demo and its committed artifacts
+- [`demos/cloud-iam-change-investigation-demo/README.md`](demos/cloud-iam-change-investigation-demo/README.md) explains the synthetic CloudTrail-like IAM investigation demo and its committed artifacts
 - [`docs/README.md`](docs/README.md) indexes current reviewer docs, supporting design notes, and historical release evidence
 - [`docs/reviewer-pack.md`](docs/reviewer-pack.md) is the top-level no-guessing reviewer pack and artifact naming contract
 - [`docs/reviewer-brief.md`](docs/reviewer-brief.md) gives the short problem, value, evidence, and boundary summary
@@ -164,11 +173,11 @@ Cooldown behavior:
 
 ## v0.7 / v1.0 Direction
 
-- stabilize the four-demo matrix and avoid broad platform expansion
+- stabilize the five-demo matrix and avoid broad platform expansion
 - freeze reviewer-visible artifact names unless a rename is intentionally coordinated across docs, tests, and sample outputs
 - use [`docs/reviewer-pack.md`](docs/reviewer-pack.md) and [`docs/architecture.md`](docs/architecture.md) as the consolidation entrypoints
 - use the [`v1 readiness gate`](docs/reviewer-pack.md#v1-readiness-gate) before treating the repo as consolidated
-- add at most one more demo before v1-style consolidation
+- avoid additional demo expansion before v1-style consolidation
 
 ## Scope
 

demos/cloud-iam-change-investigation-demo/README.md

@@ -0,0 +1,108 @@
+# Cloud IAM Change Investigation Demo
+
+This demo is part of `telemetry-lab` and stays intentionally small, local, and reviewer-friendly.
+
+It uses synthetic CloudTrail-like events to show bounded investigation logic around IAM and nearby cloud-control-plane changes. It does not connect to AWS and does not produce a final incident verdict.
+
+## Purpose
+
+The goal is to make one compact CloudTrail-style investigation path legible from committed sample data.
+
+The demo starts from one JSONL file, then:
+
+- validates a CloudTrail-like event skeleton
+- normalizes events into deterministic internal records
+- applies five bounded investigation rules
+- attaches a small ATT&CK mapping set for reviewer orientation
+- writes machine-readable summaries and a short reviewer-facing report
+
+## Quick Start
+
+From the repository root:
+
+```bash
+python -m pip install -e .
+python -m telemetry_window_demo.cli run-cloud-iam-change-demo
+```
+
+Generated artifacts are written to `demos/cloud-iam-change-investigation-demo/artifacts/`.
+
+## Demo Input
+
+- events: `data/raw/synthetic_cloudtrail_like_events.jsonl`
+- investigation config: `config/investigation.yaml`
+
+Every input record includes this CloudTrail-like skeleton:
+
+- `eventTime`
+- `userIdentity`
+- `eventSource`
+- `eventName`
+- `awsRegion`
+- `sourceIPAddress`
+- `userAgent`
+- `errorCode`
+- `requestParameters`
+- `responseElements`
+- `eventID`
+
+AWS CloudTrail documentation describes event record contents for who made a request, the service and action, request parameters, response data, errors, source IP, user agent, Region, time, and event ID. This demo uses a synthetic subset of that shape for local review only.
+
+Reference:
+
+- [AWS CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html)
+
+## Rules
+
+The deterministic rules are:
+
+- failed console login burst
+- new access key creation after failed logins
+- policy attachment after unusual source IP
+- CloudTrail logging disabled near IAM change
+- security group ingress opened after identity change
+
+## ATT&CK Mapping
+
+The config intentionally keeps the mapping set small:
+
+- [Valid Accounts: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/)
+- [Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)
+- [Account Manipulation: Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001/)
+- [Disable or Modify Cloud Log](https://attack.mitre.org/techniques/T1685/002/)
+- [Modify Cloud Compute Infrastructure](https://attack.mitre.org/techniques/T1578/)
+
+These mappings are reviewer context, not a verdict.
+
+## Expected Artifacts
+
+- `artifacts/normalized_cloudtrail_events.json`
+- `artifacts/investigation_signals.json`
+- `artifacts/investigation_summary.json`
+- `artifacts/investigation_report.md`
+
+## Expected Run Summary
+
+The bundled sample run should report:
+
+- `14` normalized CloudTrail-like events
+- `5` evaluated investigation rules
+- `5` investigation signals
+- `5` ATT&CK mapping entries
+
+## Reviewer Walkthrough
+
+1. Open `synthetic_cloudtrail_like_events.jsonl` and verify the CloudTrail-like fields are synthetic placeholders.
+2. Open `normalized_cloudtrail_events.json` and confirm the sample was normalized without adding external context.
+3. Open `investigation_signals.json` and inspect which event IDs each bounded rule attached.
+4. Open `investigation_summary.json` and confirm the boundaries remain explicit.
+5. Open `investigation_report.md` and verify the report stays reviewer-facing, not incident-final.
+
+## Boundaries
+
+- synthetic CloudTrail-like events only
+- no live AWS account
+- no real account ID
+- no production detection claim
+- no final incident verdict
+- no SIEM, dashboard, alert routing, case-management, realtime ingestion, or autonomous response

demos/cloud-iam-change-investigation-demo/artifacts/investigation_report.md

@@ -0,0 +1,71 @@
+# Cloud IAM Change Investigation Demo Report
+
+This deterministic demo reviews synthetic CloudTrail-like events for bounded IAM and cloud-control-plane signals.
+It uses no live AWS account, no real account IDs, no realtime ingestion, and no final incident verdict.
+
+## Run Summary
+
+- source_type: synthetic CloudTrail-like JSONL
+- normalized_events: 14
+- investigation_signals: 5
+- attack_mapping_count: 5
+
+## Signals
+
+### CTI-001 - failed console login burst
+
+- Severity: medium
+- Actor: USER_A
+- Primary event: evt-cti-003
+- Evidence event IDs: evt-cti-001, evt-cti-002, evt-cti-003
+- ATT&CK mapping: Brute Force: Password Spraying, Valid Accounts: Cloud Accounts
+- Bounded reason: 3 failed ConsoleLogin events for USER_A fell inside a 5 minute window.
+- Scope: synthetic reviewer signal only; no production claim or final verdict
+
+### CTI-002 - new access key creation after failed logins
+
+- Severity: high
+- Actor: USER_A
+- Primary event: evt-cti-005
+- Evidence event IDs: evt-cti-001, evt-cti-002, evt-cti-003, evt-cti-005
+- ATT&CK mapping: Account Manipulation: Additional Cloud Credentials, Valid Accounts: Cloud Accounts
+- Bounded reason: CreateAccessKey for USER_A occurred after 3 failed console login event(s) inside 15 minutes.
+- Scope: synthetic reviewer signal only; no production claim or final verdict
+
+### CTI-003 - policy attachment after unusual source IP
+
+- Severity: high
+- Actor: USER_A
+- Primary event: evt-cti-006
+- Evidence event IDs: evt-cti-006
+- ATT&CK mapping: Valid Accounts: Cloud Accounts
+- Bounded reason: AttachUserPolicy came from 203.0.113.45, which is not in the demo's expected source IP list.
+- Scope: synthetic reviewer signal only; no production claim or final verdict
+
+### CTI-004 - CloudTrail logging disabled near IAM change
+
+- Severity: critical
+- Actor: USER_A
+- Primary event: evt-cti-007
+- Evidence event IDs: evt-cti-005, evt-cti-006, evt-cti-007
+- ATT&CK mapping: Disable or Modify Cloud Log, Valid Accounts: Cloud Accounts
+- Bounded reason: StopLogging occurred within 10 minutes of 2 IAM change event(s).
+- Scope: synthetic reviewer signal only; no production claim or final verdict
+
+### CTI-005 - security group ingress opened after identity change
+
+- Severity: high
+- Actor: USER_A
+- Primary event: evt-cti-008
+- Evidence event IDs: evt-cti-005, evt-cti-006, evt-cti-008
+- ATT&CK mapping: Modify Cloud Compute Infrastructure, Valid Accounts: Cloud Accounts
+- Bounded reason: AuthorizeSecurityGroupIngress opened a world-routable range after 2 IAM change event(s) inside 15 minutes.
+- Scope: synthetic reviewer signal only; no production claim or final verdict
+
+## Boundaries
+
+- Synthetic CloudTrail-like events only
+- No live AWS account
+- No real account ID
+- No production detection claim
+- No final incident verdict