Quick Start

Generate your first telemetry events in under 5 minutes.

This guide walks you through running your first Tracemill scenario — an AWS CloudTrail brute-force simulation.

Prerequisites

Run the Built-in Example

Tracemill ships with example scenarios. Run the AWS brute-force scenario:

tracemill run examples/aws-brute-force.yaml

This generates a sequence of CloudTrail ConsoleLogin events simulating a credential-stuffing attack — failed attempts followed by a successful login from the same source IP.

Events are written to stdout in JSONL format. Each line is a self-contained JSON object with envelope fields (tracemill_type, tracemill_timestamp, tracemill_seq) plus the event payload.
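A consumer for this output, as an added example that is not part of Tracemill: it reads JSONL lines and flags a successful ConsoleLogin preceded by repeated failures from the same source IP. The sample lines are constructed; the placement of the CloudTrail payload fields (eventName, sourceIPAddress, responseElements) at the top level beside the envelope fields and the tracemill_type value are assumptions, and find_bruteforce_success is a hypothetical helper name.

```python
import json
from collections import defaultdict

# Constructed sample lines, not real Tracemill output. Assumptions: the CloudTrail
# payload fields sit at the top level next to the envelope fields, and the
# tracemill_type value shown is a placeholder.
SAMPLE_JSONL = "\n".join(
    json.dumps({
        "tracemill_type": "PLACEHOLDER_TYPE",
        "tracemill_timestamp": f"2024-01-01T00:00:{seq:02d}Z",
        "tracemill_seq": seq,
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    })
    for seq, (ip, outcome) in enumerate([
        ("198.51.100.7", "Failure"), ("198.51.100.7", "Failure"),
        ("203.0.113.9", "Failure"), ("198.51.100.7", "Failure"),
        ("203.0.113.9", "Success"), ("198.51.100.7", "Success"),
    ], start=1)
) + "\nnot-json\n"


def find_bruteforce_success(lines, min_failures=3):
    """Return (ip, failures, seq) for each success preceded by at least
    min_failures failed ConsoleLogin events from the same source IP."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if isinstance(ev, dict) and ev.get("eventName") == "ConsoleLogin":
            events.append(ev)
    events.sort(key=lambda e: e.get("tracemill_seq", 0))  # emission order

    failures = defaultdict(int)
    alerts = []
    for ev in events:
        ip = ev.get("sourceIPAddress")
        outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures[ip] += 1
        elif outcome == "Success":
            if failures[ip] >= min_failures:
                alerts.append((ip, failures[ip], ev.get("tracemill_seq")))
            failures[ip] = 0  # a success resets the count for this IP
    return alerts
```

To check real output, pass sys.stdin to the function in place of the sample lines and adjust the field lookups if the payload is nested differently.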

What Just Happened?

The scenario file defines:

  1. State variables — resolved once per run (source IP, user identity, session ID)
  2. Steps — an ordered sequence of event emissions, each referencing an event type
  3. Expressions (gen.ipv4(), gen.uuid(), ref.source_ip) — dynamically generating realistic values while maintaining correlation across steps

Next Steps

  • Scenarios — understand the scenario model in depth
  • Jobs — orchestrate multiple scenarios with shared pools
  • Expressions — the ExprStr grammar for dynamic values