

# CloudTrail record contents for aggregated events
<a name="cloudtrail-event-reference-aggregated-events"></a>

AWS CloudTrail aggregated event records include fields that are different from other CloudTrail events in their JSON payload. Aggregated events contain the following fields:

**`eventVersion`**  
The version of the aggregated event.  
**Since:** 1.0  
**Optional:** False

**`accountId`**  
The account ID that received this event.  
**Since:** 1.0  
**Optional:** False

**`eventId`**  
A GUID generated by CloudTrail to uniquely identify each aggregated event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database.  
**Since:** 1.0  
**Optional:** False

**`eventCategory`**  
Identifies the category of the event. For aggregated events, this value is always `Aggregated`. Use this field for filtering when you query events by category.  
**Since:** 1.0  
**Optional:** False

**`eventType`**  
Identifies the type of aggregated event. For aggregated events, this value is `AwsAggregatedEvent`.  
**Since:** 1.0  
**Optional:** False

**`awsRegion`**  
The AWS Region of the atomic CloudTrail events that were aggregated into this record, such as `ap-northeast-1`. This is typically the Region where the service API calls were made.  
**Since:** 1.0  
**Optional:** False

**`eventSource`**  
The AWS service for which the underlying events were recorded.  
**Since:** 1.0  
**Optional:** False

**`timeWindow`**  
The time interval over which atomic CloudTrail events were aggregated into this aggregated event record. The `timeWindow` field contains details such as window start time, window end time and window size.  
**Since:** 1.0  
**Optional:** False    
**`windowStart`**  
The start of the aggregation window, inclusive, in Universal Time (UTC), represented in ISO-8601 format.  
**Since:** 1.0  
**Optional:** False  
**`windowEnd`**  
The end of the aggregation window, exclusive, in UTC, represented in ISO-8601 format.  
**Since:** 1.0  
**Optional:** False  
**`windowSize`**  
The duration of the aggregation window. The difference `windowEnd − windowStart` should correspond to `windowSize`. The `windowSize` is represented in ISO-8601 format.  
**Since:** 1.0  
**Optional:** False

**`summary`**  
An aggregation summary for the underlying atomic events, grouped by a primary dimension (for example, `eventName`, `resourceARN` or `userIdentity`) and optionally broken down by additional dimensions (for example, `userAgent`, `sourceIpAddress`, `errorCodes`).  
**Since:** 1.0  
**Optional:** False  
The summary contains the following fields:    
**`primaryDimension`**  
The primary aggregation dimension for this `AwsAggregatedEvent`. This is the main view of the aggregated data. For instance, in the `API_ACTIVITY` aggregation template, the primary dimension is `eventName`; in the `RESOURCE_ACCESS` template, it is `resourceARN`; and in the `USER_ACTIONS` template, it is `userIdentity`.  
**Since:** 1.0  
**Optional:** False  
**`details`**  
Additional dimensions that provide more detail about aggregated atomic events. Each Detail object may provide an additional view of the same underlying events, such as `eventName`, `resourceARN`, `userIdentity`, `userAgent` and `sourceIpAddress` depending on the aggregation template.  
**Since:** 1.0  
**Optional:** False  
Each detail provides the following information:    
**`dimension`**  
The name of the dimension used to group the aggregated events. Common values include:  
+ `eventName`
+ `resourceARN`
+ `userIdentity`
+ `userAgent`
+ `sourceIpAddress`
**Since:** 1.0  
**Optional:** False  
**`statistics`**  
A list of statistics for this dimension, where each entry represents one bucket (for example, one event name or one resource ARN) and its aggregated value.  
**Since:** 1.0  
**Optional:** False  
Each entry in statistics contains the following information:    
**`name`**  
The bucket identifier or key for this statistic within the associated dimension.  
**`value`**  
The aggregated numeric value for the specified name in the given dimension.  
**`aggregationType`**  
The type of aggregation applied to compute `statistics.value` for this dimension. Allowed values:  
+ `Count` – Number of events.
**Since:** 1.0  
**Optional:** False

**`addendum`**  
Carries metadata about delayed delivery or updates to an existing AggregatedEvent.  
**Since:** 1.0  
**Optional:** False    
**`reason`**  
The reason why an `AwsAggregatedEvent` was delayed, updated, or otherwise supplemented. Common values can include (non-exhaustive):  
+ `DELIVERY_DELAY` – Delivery of aggregated data was delayed (for example, network issues or high volume).
+ `UPDATED_DATA` – Aggregated data was recomputed or corrected.
+ `SERVICE_OUTAGE` – Underlying service outage affected event availability.
**Since:** 1.0  
**Optional:** True

## Example aggregated event
<a name="example-aggregated-event"></a>

The following is an example of a CloudTrail aggregated event (`AwsAggregatedEvent`). In this example, CloudTrail aggregates `PutAuditEvents` calls to `cloudtrail-data.amazonaws.com` over a five-minute time window in the `us-east-1` Region. The summary block shows the primary aggregation dimension (`eventName`) and that 30 `PutAuditEvents` calls occurred during the time window. The details entries further break down those calls by `resourceARN`, `userIdentity`, `userAgent`, and `sourceIpAddress` to show how activity is distributed across resources, principals, and clients.

```
{
    "eventVersion": "1.0",
    "accountId": "111122223333",
    "eventId": "4da798a8-1db6-4d17-8b51-4c33df06b56d",
    "eventCategory": "Aggregated",
    "eventType": "AwsAggregatedEvent",
    "awsRegion": "us-east-1",
    "eventSource": "cloudtrail-data.amazonaws.com",
    "timeWindow":  
    {  
        "windowStart": "2025-10-30 23:45:00",  
        "windowEnd": "2025-10-30 23:50:00",  
        "windowSize": "PT5M"  
    },  
    "summary":  
    {  
        "primaryDimension":  
        {  
            "dimension": "eventName",  
            "statistics":  
            [  
                {  
                    "name": "PutAuditEvents",  
                    "value": 30  
                }  
            ],  
            "aggregationType": "Count"  
        },  
        "details":  
        [  
            {  
                "dimension": "resourceARN",  
                "statistics":  
                [  
                    {  
                        "name": "arn:aws:cloudtrail:us-east-1:111122223333:channel/1234abcd-12ab-34cd-56ef-1234567890ab",  
                        "value": 20  
                    },  
                    {  
                        "name": "arn:aws:cloudtrail:us-east-1:111122223333:channel/6789abcd-12ab-34cd-56ef-6789012345ab",  
                        "value": 10  
                    }  
                ],  
                "aggregationType": "Count"  
            },  
            {  
                "dimension": "userIdentity",  
                "statistics":  
                [  
                    {  
                        "name": "AWSAccount:111122223333",  
                        "value": 20  
                    },  
                    {  
                        "name": "AWSService:AWS Internal",  
                        "value": 10  
                    }  
                ],  
                "aggregationType": "Count"  
            },  
            {  
                "dimension": "userAgent",  
                "statistics":  
                [  
                    {  
                        "name": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",  
                        "value": 20  
                    },  
                    {
                        "name": "AWS Internal",
                        "value": 10
                    }  
                ],  
                "aggregationType": "Count"  
            },  
            {  
                "dimension": "sourceIpAddress",  
                "statistics":  
                [  
                    {  
                        "name": "1.2.3.4",  
                        "value": 20  
                    },  
                    {  
                        "name": "AWS Internal",  
                        "value": 10  
                    }  
                ],  
                "aggregationType": "Count"  
            }  
        ]  
    }  
}
```
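
The following Python sketch is an added example, not part of the AWS documentation. It checks one aggregated record for internal consistency before it is used in detection or reporting: that `windowEnd − windowStart` equals `windowSize`, and that each `details` breakdown sums to the primary dimension's total. The second check is an assumption drawn from the sample record, not a documented guarantee; the function names and the trimmed `SAMPLE` record are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the example record above, trimmed to two detail dimensions.
SAMPLE = {
    "eventCategory": "Aggregated", "eventType": "AwsAggregatedEvent",
    "timeWindow": {"windowStart": "2025-10-30 23:45:00",
                   "windowEnd": "2025-10-30 23:50:00", "windowSize": "PT5M"},
    "summary": {
        "primaryDimension": {"dimension": "eventName", "aggregationType": "Count",
            "statistics": [{"name": "PutAuditEvents", "value": 30}]},
        "details": [
            {"dimension": "userIdentity", "aggregationType": "Count",
             "statistics": [{"name": "AWSAccount:111122223333", "value": 20},
                            {"name": "AWSService:AWS Internal", "value": 10}]},
            {"dimension": "sourceIpAddress", "aggregationType": "Count",
             "statistics": [{"name": "1.2.3.4", "value": 20},
                            {"name": "AWS Internal", "value": 10}]},
        ],
    },
}

def parse_duration(text):
    """Parse the day/time subset of ISO-8601 durations, e.g. PT5M, PT1H, P1D."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_ts(text):
    # The sample separates date and time with a space; "T" and a trailing "Z" also parse.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_record(rec):
    """Return a list of consistency problems found in one aggregated record."""
    if (rec.get("eventCategory"), rec.get("eventType")) != ("Aggregated", "AwsAggregatedEvent"):
        return ["not an aggregated event"]
    problems = []
    tw = rec["timeWindow"]
    span = parse_ts(tw["windowEnd"]) - parse_ts(tw["windowStart"])
    if span != parse_duration(tw["windowSize"]):
        problems.append("windowSize does not match windowEnd - windowStart")
    total = sum(s["value"] for s in rec["summary"]["primaryDimension"]["statistics"])
    for detail in rec["summary"]["details"]:
        got = sum(s["value"] for s in detail["statistics"])
        if got != total:  # assumption: every Count breakdown covers the same events
            problems.append(f"{detail['dimension']} sums to {got}, expected {total}")
    return problems
```

An empty list from `check_record(SAMPLE)` means the record passed both checks; a record carrying an `addendum` may legitimately differ from an earlier copy with the same window and should be compared rather than rejected.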