Lacework
Kate_M
Community Manager
Article Id 334457
Description

'HIDDEN_DUE_TO_SECURITY_REASONS' appears as the user name in a Lacework event when an AWS Console sign-in failed because the user name supplied was incorrect. CloudTrail itself masks the user name in that case, as described in the AWS CloudTrail userIdentity element reference linked at the end of this article; Lacework reports the value it receives from the CloudTrail record.

Scope
Solution

The following CloudTrail record, taken from the AWS 'Log events with CloudTrail' documentation, shows a console sign-in failure caused by an incorrect user name.


{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "eventTime": "2015-03-31T22:20:42Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "192.0.2.101",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "errorMessage": "No username found in supplied account",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "a7654656-0417-45c6-9386-ea8231385051",
    "eventType": "AwsConsoleSignin",
    "recipientAccountId": "123456789012"
}


In this raw CloudTrail record, the userName field itself carries the value 'HIDDEN_DUE_TO_SECURITY_REASONS', and the errorMessage field reads 'No username found in supplied account'. Note that the record has an errorMessage but no errorCode field at all.

Because 'HIDDEN_DUE_TO_SECURITY_REASONS' is the userName present in the CloudTrail event as delivered by AWS, the corresponding Lacework event shows the same value; Lacework does not substitute or redact it.

In some scenarios, such as a failed attempt to log in to the AWS Console with an incorrect user name, the CloudTrail event has no errorCode field (so the error code shows as null) and the user name is 'HIDDEN_DUE_TO_SECURITY_REASONS'. This is seen more often in 'AWS Console Login' alerts than in 'API Failed with Error' alerts, but the cause is the same in both: an attempt to sign in to the AWS console was unsuccessful, and the alert should be triaged as a failed console login.
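As an added example (it is not part of the original article and is not Lacework product code), the following Python reads a CloudTrail log file, picks out ConsoleLogin events, and applies the interpretation above: a masked user name with an errorMessage but no errorCode is a failed sign-in caused by an incorrect user name, while a failure with a real user name is a credential failure for an existing user. It also tallies failed sign-ins per source IP, masked or not, since the masked records are the ones a triage query on user name would otherwise miss. The sample log is constructed: the first record mirrors the event quoted above, and the other two are assumed shapes for a wrong-password failure and a successful MFA sign-in.

```python
"""Classify CloudTrail ConsoleLogin records, including the masked-user-name case."""
import json
from collections import Counter

MASKED_USER = "HIDDEN_DUE_TO_SECURITY_REASONS"

# Constructed sample log (not from the original article). Record 1 mirrors the
# masked-user-name failure quoted above; records 2 and 3 are assumed shapes for
# a wrong-password failure and a successful MFA sign-in, trimmed to the fields
# the classifier reads.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "accessKeyId": "", "userName": MASKED_USER},
        "eventTime": "2015-03-31T22:20:42Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-2",
        "sourceIPAddress": "192.0.2.101",
        "errorMessage": "No username found in supplied account",
        "requestParameters": None,
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
        "eventID": "a7654656-0417-45c6-9386-ea8231385051",
        "eventType": "AwsConsoleSignin",
        "recipientAccountId": "123456789012",
    },
    {   # assumed: existing user name, wrong password
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "eventTime": "2015-03-31T22:21:10Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "192.0.2.101",
        "errorMessage": "Failed authentication",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
        "eventID": "00000000-0000-4000-8000-000000000002",
        "eventType": "AwsConsoleSignin",
    },
    {   # assumed: successful sign-in with MFA from a different address
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "eventTime": "2015-03-31T22:25:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "Yes"},
        "eventID": "00000000-0000-4000-8000-000000000003",
        "eventType": "AwsConsoleSignin",
    },
]})


def classify_console_login(record):
    """Summarise one CloudTrail record; return None for anything but ConsoleLogin."""
    if (record.get("eventSource") != "signin.amazonaws.com"
            or record.get("eventName") != "ConsoleLogin"):
        return None
    user = (record.get("userIdentity") or {}).get("userName")
    result = (record.get("responseElements") or {}).get("ConsoleLogin")
    masked = user == MASKED_USER
    if result == "Success":
        cause = None
    elif masked:
        # CloudTrail hides the user name when the failure was an incorrect user
        # name; the record carries an errorMessage but no errorCode field.
        cause = "incorrect user name (masked by CloudTrail)"
    else:
        cause = "authentication failure for an existing user name"
    return {
        "eventID": record.get("eventID"),
        "outcome": {"Success": "success", "Failure": "failure"}.get(result, "unknown"),
        "user_name": user,
        "user_name_masked": masked,
        "error_code": record.get("errorCode"),   # absent -> None, as in the quoted event
        "error_message": record.get("errorMessage"),
        "likely_cause": cause,
        "source_ip": record.get("sourceIPAddress"),
        "mfa_used": (record.get("additionalEventData") or {}).get("MFAUsed"),
    }


def summarize_log(log_text):
    """Classify every ConsoleLogin record in a CloudTrail log file (JSON text)."""
    records = json.loads(log_text).get("Records", [])
    return [s for s in map(classify_console_login, records) if s]


def failed_logins_by_source_ip(log_text):
    """Count failed console sign-ins per source IP, masked user names included."""
    counts = Counter()
    for summary in summarize_log(log_text):
        if summary["outcome"] == "failure":
            counts[summary["source_ip"]] += 1
    return counts


if __name__ == "__main__":
    for s in summarize_log(SAMPLE_LOG):
        print(s["eventID"], s["outcome"], s["user_name"], s["error_code"], s["likely_cause"])
    print(dict(failed_logins_by_source_ip(SAMPLE_LOG)))
```

The classifier keys on the responseElements.ConsoleLogin value rather than on errorCode, precisely because the masked-user-name record has no errorCode; counting by source IP instead of by user name keeps the masked attempts visible alongside the ones that name a real user.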


https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity....