
Summary
Detects AWS Lambda event source mapping creation by monitoring CloudTrail for successful CreateEventSourceMapping actions. A mapping attaches an event source (SQS, Kinesis or DynamoDB streams, MSK or self-managed Kafka, or Amazon MQ) to a Lambda function so the function is invoked automatically as new records arrive. While legitimate deployments often create mappings, adversaries with lambda:CreateEventSourceMapping permissions can abuse this to establish durable, stealthy persistence and potential data exfiltration by funneling records into attacker-controlled code. The rule targets successful CloudTrail events with data_stream.dataset: aws.cloudtrail, event.provider: lambda.amazonaws.com, and event.action: CreateEventSourceMapping*, and outcome:
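The following Python is an added example, not the rule's own implementation or any vendor code: it re-creates the summary's field matching (dataset, provider, wildcard action, outcome) over ECS-normalised CloudTrail records and then pulls the fields an analyst needs to triage a hit. It assumes records are flat dicts keyed by ECS field name, that the raw CloudTrail responseElements are kept as a JSON string under a field named `aws.cloudtrail.response_elements`, and that the `functionArn`, `eventSourceArn` and `uuid` keys in that response are present; the cross-account flag is an added triage heuristic, not part of the rule, and every sample record is constructed.

```python
"""Added example: re-implements the rule's field matching over ECS-normalised
CloudTrail records and summarises each hit for triage.

Assumptions (not from the rule page): records are flat dicts keyed by ECS field
name; the raw CloudTrail responseElements are kept as a JSON string under
"aws.cloudtrail.response_elements"; all sample records below are constructed.
"""
import fnmatch
import json

# Field/value pairs from the rule summary. The trailing "*" is a wildcard
# because CloudTrail appends an API-version suffix to Lambda eventNames.
RULE = {
    "data_stream.dataset": "aws.cloudtrail",
    "event.provider": "lambda.amazonaws.com",
    "event.action": "CreateEventSourceMapping*",
    "event.outcome": "success",
}


def matches_rule(record):
    """True when every rule field is present and matches its (wildcard) pattern."""
    return all(
        fnmatch.fnmatchcase(str(record.get(field, "")), pattern)
        for field, pattern in RULE.items()
    )


def account_from_arn(arn):
    """Return the account id segment of an ARN, or "" if the ARN is malformed."""
    parts = arn.split(":")  # arn:partition:service:region:account:resource...
    return parts[4] if len(parts) >= 6 else ""


def triage(record):
    """Pull who created the mapping, which function it feeds, and from what source.

    The cross_account flag is an added heuristic (assumption, not the rule):
    a queue or stream owned by a different account than the function means the
    records leave the account that owns them, which deserves a closer look.
    """
    resp = json.loads(record.get("aws.cloudtrail.response_elements") or "{}")
    function_arn = resp.get("functionArn", "")
    source_arn = resp.get("eventSourceArn", "")
    fn_acct, src_acct = account_from_arn(function_arn), account_from_arn(source_arn)
    return {
        "time": record.get("@timestamp"),
        "actor": record.get("user.name"),
        "source_ip": record.get("source.ip"),
        "function_arn": function_arn,
        "event_source_arn": source_arn,
        "mapping_uuid": resp.get("uuid"),
        "cross_account": bool(fn_acct and src_acct and fn_acct != src_acct),
    }


def run_rule(records):
    """Apply the rule to a batch of records and return one triage row per hit."""
    return [triage(r) for r in records if matches_rule(r)]


def _record(action, outcome, user, resp=None, provider="lambda.amazonaws.com"):
    """Build a constructed ECS-style CloudTrail record for the examples below."""
    return {
        "@timestamp": "2024-01-01T00:00:00Z",  # constructed
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "user.name": user,
        "source.ip": "198.51.100.7",  # constructed (documentation range)
        "aws.cloudtrail.response_elements": json.dumps(resp) if resp else None,
    }


FUNCTION = "arn:aws:lambda:us-east-1:111122223333:function:orders-worker"  # constructed
SAMPLE_RECORDS = [
    # 1: routine deployment, same-account SQS source -> hit, not cross-account
    _record("CreateEventSourceMapping20150331", "success", "deploy-role",
            {"functionArn": FUNCTION, "uuid": "aaaa-1111",
             "eventSourceArn": "arn:aws:sqs:us-east-1:111122223333:orders-queue"}),
    # 2: mapping from a stream in another account -> hit, cross-account flagged
    _record("CreateEventSourceMapping20150331", "success", "contractor-temp",
            {"functionArn": FUNCTION, "uuid": "bbbb-2222",
             "eventSourceArn": "arn:aws:kinesis:us-east-1:999999999999:stream/exports"}),
    # 3: denied attempt -> outcome is failure, rule does not fire
    _record("CreateEventSourceMapping20150331", "failure", "contractor-temp"),
    # 4: update, not create -> wildcard prefix does not match
    _record("UpdateEventSourceMapping20150331", "success", "deploy-role",
            {"functionArn": FUNCTION, "uuid": "aaaa-1111",
             "eventSourceArn": "arn:aws:sqs:us-east-1:111122223333:orders-queue"}),
    # 5: different provider entirely
    _record("CreateQueue", "success", "deploy-role", provider="sqs.amazonaws.com"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(hit)
```

Running the block prints two triage rows: the routine deployment and the contractor's mapping from an external account. The denied attempt, the update call and the SQS control-plane event are filtered out, which is the behaviour the summary's field list implies; in a real pipeline the `cross_account` column is only a prioritisation aid, since cross-account SQS and Kinesis sources are also a normal pattern in multi-account deployments.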
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1546
- T1648
- T1578
- T1578.005
Created: 2026-06-18