AWS CloudTrail

About

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

Visibility into your AWS account activity is a key aspect of security and operational best practices. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account. Optionally, you can enable AWS CloudTrail Insights on a trail to help you identify and respond to unusual activity.

You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of trails you create, and control how users view CloudTrail events.

Product Details

Vendor URL: AWS CloudTrail

Product Type: Log Aggregator

Product Tier: Tier II

Integration Method: Custom

Integration URL: AWS Cloudtrail - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: 90%

Data Label: AWS_CLOUDTRAIL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
additionalEventData.LoginTo target.url
additionalEventData.MFAUsed extensions.auth.auth_details
additionalEventData.SamlProviderArn security_result.about.user_management_chain.userid
awsAccountId principal.cloud.project.id
awsRegion principal.location.name
configRuleInputParameters.BlockPublicAcls target.resource.attribute.labels
configRuleInputParameters.BlockPublicPolicy target.resource.attribute.labels
configRuleInputParameters.IgnorePublicAcls target.resource.attribute.labels
configRuleInputParameters.RestrictPublicBuckets target.resource.attribute.labels
digestS3Bucket principal.cloud.project.parent
digestS3Object principal.cloud.project.product_object_id
errorCode security_result.rule_id
errorMessage security_result.description
eventCategory security_result.category_details
eventID metadata.product_log_id
eventName metadata.product_event_type
eventName security_result.summary
eventSource target.application
eventType additional.eventType
eventType metadata.description
insightDetails.eventName metadata.product_event_type
insightDetails.eventSource target.application
insightDetails.insightContext.attributions.0.insight.0.value principal.user.userid
insightDetails.insightContext.attributions.1.insight.0.value network.http.user_agent
insightDetails.insightContext.attributions.2.insight.0.value security_result.rule_id
insightDetails.insightType additional.insightType
logfile.hashValue src.file.sha256
logfile.newestEventTim
logfile.s3Bucket target.file.full_path
logfile.s3Object src.file.full_path
puserId principal.user.userid
readOnly additional.readOnly
recipientAccountId target.resource.attribute.labels
requestID target.resource.attribute.labels
requestParameters about.labels
requestParameters.attributeType additional.createVolumePermission_attributeType
requestParameters.attributeType additional.launchPermission_attributeType
requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicAcls target.resource.attribute.labels
requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.BlockPublicPolicy target.resource.attribute.labels
requestParameters.CreateAccessPointRequest.PublicAccessBlockConfiguration.RestrictPublicBuckets target.resource.attribute.labels
requestParameters.createVolumePermission.add.items.0.userId additional.createVolumePermission_userId
requestParameters.destinationCidrBlock target.labels
requestParameters.encryptionAlgorithm security_result.detection_fields.labels.encryptionAlgorithm
requestParameters.granteePrincipal principal.hostname
requestParameters.groupName src.group.group_display_name
requestParameters.groupName target.group.group_display_name
requestParameters.imagesSet.items.0.imageId additional.imagesSet
requestParameters.launchPermission.add.items.0.userId additional.launchPermission_userId
requestParameters.layerDigest src.file.sha256
requestParameters.name.0 security_result.about.application
requestParameters.names.0 security_result.about.application
requestParameters.newGroupName target.group.group_display_name
requestParameters.newUserName target.user.user_display_name
requestParameters.outputS3BucketName src.file.full_path
requestParameters.policyArn target.resource.attribute.labels
requestParameters.policyDocument target.resource.attribute.roles.description
requestParameters.PublicAccessBlockConfiguration.BlockPublicAcls target.resource.attribute.labels
requestParameters.PublicAccessBlockConfiguration.BlockPublicPolicy target.resource.attribute.labels
requestParameters.PublicAccessBlockConfiguration.IgnorePublicAcls target.resource.attribute.labels
requestParameters.PublicAccessBlockConfiguration.RestrictPublicBuckets target.resource.attribute.labels
requestParameters.registryId target.resource.id
requestParameters.repositoryName target.resource.name
requestParameters.roleArn target.resource.id
requestParameters.roleName target.resource.attribute.roles.name
requestParameters.roleName target.user.role_name
requestParameters.roleSessionName target.resource.name
requestParameters.s3BucketName target.file.full_path
requestParameters.securityGroupRuleIds.items.0.securityGroupRuleId security_result.rule_id
requestParameters.userName src.user.user_display_name
requestParameters.userName src.user.userid
resources.accountId about.resource.id
resources.accountId target.resource.id
resources.ARN about.resource.name
resources.ARN target.resource.name
resources.type about.resource.type
resources.type target.resource.type
responseElements.assumedRoleUser.arn security_result.about.resource.id
responseElements.assumedRoleUser.assumedRoleId security_result.about.resource.name
responseElements.command.outputS3BucketName target.file.full_path
responseElements.group.arn target.group.product_object_id
responseElements.group.groupName target.group.group_display_name
responseElements.image.imageId.imageDigest src.file.sha256
responseElements.image.imageManifestMediaType src.file.mime_type
responseElements.keyMetadata.encryptionAlgorithms security_result.detection_fields.labels.encryptionAlgorithm
responseElements.securityGroupRuleSet.items.0.cidrIpv4 principal.labels
responseElements.securityGroupRuleSet.items.0.fromPort principal.port
responseElements.securityGroupRuleSet.items.0.groupId security_result.rule_labels
responseElements.securityGroupRuleSet.items.0.ipProtocol network.ip_protocol
responseElements.securityGroupRuleSet.items.0.isEgress network.direction
responseElements.securityGroupRuleSet.items.0.securityGroupRuleId security_result.rule_id
responseElements.securityGroupRuleSet.items.0.toPort target.port
responseElements.user.arn target.user.userid
responseElements.user.userName target.user.user_display_name
responseParameters about.labels
sourceIPAddress principal.ip
tlsDetails.cipherSuite network.tls.cipher
tlsDetails.tlsVersion network.tls.version
userAgent network.http.user_agent
userIdentity.accessKeyId additional.accessKeyId
userIdentity.accountId principal.user.group_identifiers
userIdentity.arn principal.user.employee_id
userIdentity.arn principal.user.labels
userIdentity.arn principal.user.userid
userIdentity.arn target.user.userid
userIdentity.invokedBy principal.user.userid
userIdentity.principalId principal.user.product_object_id
userIdentity.sessionContext.attributes.mfaAuthenticated principal.user.labels
userIdentity.sessionContext.sessionIssuer.arn security_result.about.user.userid
userIdentity.sessionContext.sessionIssuer.userName principal.user.user_display_name
userIdentity.type principal.resource.type
userIdentity.userName principal.user.user_display_name
userIdentity.userName target.user.user_display_name

Product Event Types

For some products only certain event types are supported. The supported AWS CloudTrail event types and their UDM event classifications are listed below.

eventType UDM Event Classification
all others GENERIC_EVENT
AuthorizeSecurityGroupEgress RESOURCE_PERMISSIONS_CHANGE
AuthorizeSecurityGroupIngress RESOURCE_PERMISSIONS_CHANGE
AwsCloudTrailInsight GROUP_MODIFICATION
ChangePassword USER_CHANGE_PASSWORD
ConsoleLogin USER_LOGIN
CreateGrant USER_RESOURCE_CREATION
CreateGroup GROUP_CREATION
CreateKey USER_RESOURCE_CREATION
CreateLogGroup GROUP_CREATION
CreateUser USER_CREATION
Decrypt USER_RESOURCE_ACCESS
DeleteGroup GROUP_DELETION
DeleteUser USER_DELETION
DescribeInstances USER_RESOURCE_ACCESS
DescribeInstanceStatus USER_RESOURCE_ACCESS
DescribeKey USER_RESOURCE_ACCESS
DescribeReservedCacheNodes USER_RESOURCE_ACCESS
DescribeReservedDBInstances USER_RESOURCE_ACCESS
DescribeReservedElasticsearchInstances USER_RESOURCE_ACCESS
DescribeReservedInstances USER_RESOURCE_ACCESS
DescribeReservedNodes USER_RESOURCE_ACCESS
DescribeRouteTables USER_RESOURCE_ACCESS
DescribeTags USER_RESOURCE_ACCESS
Encrypt USER_RESOURCE_ACCESS
ExitRole USER_CHANGE_PERMISSIONS
GetSecretValue USER_RESOURCE_ACCESS
ListAttachedRolePolicies USER_RESOURCE_ACCESS
ListBuckets USER_RESOURCE_ACCESS
ListDomainNames USER_RESOURCE_ACCESS
ListObjects USER_RESOURCE_ACCESS
ListRolePolicies USER_RESOURCE_ACCESS
RemoveUserFromGroup GROUP_MODIFICATION
RenewRole USER_CHANGE_PERMISSIONS
RevokeSecurityGroupEgress RESOURCE_PERMISSIONS_CHANGE
RevokeSecurityGroupIngress RESOURCE_PERMISSIONS_CHANGE
SwitchRole USER_CHANGE_PERMISSIONS
UpdateAssumeRolePolicy RESOURCE_PERMISSIONS_CHANGE
UpdateGroup GROUP_MODIFICATION
UpdateUser USER_UNCATEGORIZED

Log Sample

{"awsRegion":"cloud-region","eventCategory":"Management","eventID":"c9q9134","eventName":"DescribeTrails","eventSource":"cloudtrail.domain.com","eventTime":"2022-05-10T13:36:55Z","eventType":"AwsApiCall","eventVersion":"1.08","managementEvent":true,"readOnly":true,"recipientAccountId":"account123","requestID":"a125938","requestParameters":{"includeShadowTrails":true},"responseElements":null,"sourceIPAddress":"securityhub.domain.com","userAgent":"securityhub.domain.com","userIdentity":{"accessKeyId":"access123","accountId":"account123","arn":"arn:aws:sts::account123:assumed-role/AWSServiceRoleForSecurityHub/securityhub","invokedBy":"securityhub.domain.com","principalId":"id14059:securityhub","sessionContext":{"attributes":{"creationDate":"2022-05-10T13:36:55Z","mfaAuthenticated":"false"},"sessionIssuer":{"accountId":"account123","arn":"arn:aws:iam::account123:role/aws-service-role/securityhub.domain.com/AWSServiceRoleForSecurityHub","principalId":"id14059","type":"Role","userName":"AWSServiceRoleForSecurityHub"},"webIdFederationData":{}},"type":"AssumedRole"}}

Sample Parsing

metadata.product_log_id = "c9q9134"
metadata.event_timestamp = "2022-05-10T13:36:55Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "AMAZON"
metadata.product_name = "AWS_CLOUDTRAIL"
metadata.product_event_type = "DescribeTrails"
metadata.description = "AwsApiCall"
metadata.ingested_timestamp = "2022-05-10T13:54:36.170896Z"
additional.access_key_id = "access123"
additional.Event Type = "AwsApiCall"
principal.hostname = "securityhub.domain.com"
principal.user.userid = "arn:aws:sts::account123:assumed-role/AWSServiceRoleForSecurityHub/securityhub"
principal.user.user_display_name = "AWSServiceRoleForSecurityHub"
principal.user.product_object_id = "id14059:securityhub"
principal.user.attribute.labels.key = "readOnly"
principal.user.attribute.labels.value = "true"
principal.user.attribute.labels.key = "mfaAuthenticated"
principal.user.attribute.labels.value = "false"
principal.user.attribute.labels.key = "ARN"
principal.user.attribute.labels.value = "arn:aws:sts::account123:assumed-role/AWSServiceRoleForSecurityHub/securityhub"
principal.user.group_identifiers = "account123"
principal.location.name = "cloud-region"
principal.resource.type = "AssumedRole"
principal.asset.hostname = "securityhub.domain.com"
principal.asset.attribute.cloud.environment = "AMAZON_WEB_SERVICES"
target.application = "cloudtrail.domain.com"
target.resource.attribute.labels.key = "Request ID"
target.resource.attribute.labels.value = "a125938"
target.resource.attribute.labels.key = "Recipient Account Id"
target.resource.attribute.labels.value = "account123"
security_result.about.user.userid = "arn:aws:iam::account123:role/aws-service-role/securityhub.domain.com/AWSServiceRoleForSecurityHub"
security_result.category_details = "Management"
security_result.action = "ALLOW"
network.http.user_agent = "securityhub.domain.com"
extensions.auth.mechanism = "REMOTE"
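The field table, the event-type table and the sample parsing above describe one normalization; the script below is an added example (not the Cyderes parser or any AWS code) that applies a subset of those mappings to the page's own log sample and to a second, constructed record. Names such as get_path, classify_event and normalize are hypothetical. Two details are assumptions, not statements from the page: the classification dictionary carries only a few rows of the event-type table, and security_result.action is set to BLOCK when the record carries an errorCode (the page only shows ALLOW for a successful call). The sourceIPAddress branch shows why the sample ends up with principal.hostname rather than principal.ip: AWS service principals put a DNS name in that field.

```python
import ipaddress
import json

# Constructed input: the record from the "Log Sample" section (placeholder account
# and ids exactly as on the page), embedded so the normalizer runs offline.
SAMPLE_LOG = (
    '{"awsRegion":"cloud-region","eventCategory":"Management","eventID":"c9q9134",'
    '"eventName":"DescribeTrails","eventSource":"cloudtrail.domain.com",'
    '"eventTime":"2022-05-10T13:36:55Z","eventType":"AwsApiCall","eventVersion":"1.08",'
    '"managementEvent":true,"readOnly":true,"recipientAccountId":"account123",'
    '"requestID":"a125938","requestParameters":{"includeShadowTrails":true},'
    '"responseElements":null,"sourceIPAddress":"securityhub.domain.com",'
    '"userAgent":"securityhub.domain.com","userIdentity":{"accessKeyId":"access123",'
    '"accountId":"account123","arn":"arn:aws:sts::account123:assumed-role/AWSServiceRoleForSecurityHub/securityhub",'
    '"invokedBy":"securityhub.domain.com","principalId":"id14059:securityhub",'
    '"sessionContext":{"attributes":{"creationDate":"2022-05-10T13:36:55Z","mfaAuthenticated":"false"},'
    '"sessionIssuer":{"accountId":"account123","arn":"arn:aws:iam::account123:role/aws-service-role/securityhub.domain.com/AWSServiceRoleForSecurityHub",'
    '"principalId":"id14059","type":"Role","userName":"AWSServiceRoleForSecurityHub"},'
    '"webIdFederationData":{}},"type":"AssumedRole"}}'
)

# Constructed second record (not from the page): a refused secret read by an IAM
# user from a real IP, to exercise the errorCode and principal.ip branches.
DENIED_LOG = (
    '{"awsRegion":"cloud-region","eventCategory":"Management","eventID":"evt-0002",'
    '"eventName":"GetSecretValue","eventSource":"secretsmanager.domain.com",'
    '"eventTime":"2022-05-10T14:02:11Z","eventType":"AwsApiCall","readOnly":true,'
    '"recipientAccountId":"account123","requestID":"req-0002","errorCode":"AccessDenied",'
    '"errorMessage":"not authorized to perform: secretsmanager:GetSecretValue",'
    '"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.0","userIdentity":{"type":"IAMUser",'
    '"principalId":"id-user1","arn":"arn:aws:iam::account123:user/alice",'
    '"accountId":"account123","userName":"alice"}}'
)

# Subset of the "Product Event Types" table; anything else is GENERIC_EVENT.
EVENT_CLASSIFICATION = {
    "AuthorizeSecurityGroupIngress": "RESOURCE_PERMISSIONS_CHANGE",
    "ConsoleLogin": "USER_LOGIN",
    "CreateUser": "USER_CREATION",
    "DeleteUser": "USER_DELETION",
    "GetSecretValue": "USER_RESOURCE_ACCESS",
    "UpdateAssumeRolePolicy": "RESOURCE_PERMISSIONS_CHANGE",
}

# (log field path, UDM field) pairs taken from the field table above.
FIELD_MAP = [
    ("eventID", "metadata.product_log_id"),
    ("eventTime", "metadata.event_timestamp"),
    ("eventName", "metadata.product_event_type"),
    ("eventType", "metadata.description"),
    ("awsRegion", "principal.location.name"),
    ("eventSource", "target.application"),
    ("eventCategory", "security_result.category_details"),
    ("userAgent", "network.http.user_agent"),
    ("errorCode", "security_result.rule_id"),
    ("errorMessage", "security_result.description"),
    ("userIdentity.arn", "principal.user.userid"),
    ("userIdentity.principalId", "principal.user.product_object_id"),
    ("userIdentity.accountId", "principal.user.group_identifiers"),
    ("userIdentity.type", "principal.resource.type"),
    ("userIdentity.userName", "principal.user.user_display_name"),
    ("userIdentity.sessionContext.sessionIssuer.userName", "principal.user.user_display_name"),
    ("userIdentity.sessionContext.sessionIssuer.arn", "security_result.about.user.userid"),
]

# (log field path, UDM label list, label key) as rendered in the sample parsing.
LABEL_MAP = [
    ("readOnly", "principal.user.attribute.labels", "readOnly"),
    ("userIdentity.sessionContext.attributes.mfaAuthenticated", "principal.user.attribute.labels", "mfaAuthenticated"),
    ("userIdentity.arn", "principal.user.attribute.labels", "ARN"),
    ("requestID", "target.resource.attribute.labels", "Request ID"),
    ("recipientAccountId", "target.resource.attribute.labels", "Recipient Account Id"),
]


def get_path(obj, path):
    """Walk a dotted path like 'userIdentity.sessionContext.sessionIssuer.arn';
    numeric segments index lists. Returns None if any segment is missing."""
    cur = obj
    for seg in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(seg)
        elif isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        else:
            return None
        if cur is None:
            return None
    return cur


def as_udm_scalar(value):
    # The sample parsing renders JSON booleans as the strings "true"/"false".
    return json.dumps(value) if isinstance(value, bool) else value


def classify_event(record):
    return EVENT_CLASSIFICATION.get(record.get("eventName"), "GENERIC_EVENT")


def normalize(raw_line):
    """Map one CloudTrail JSON line to a flat dict of UDM field -> value."""
    record = json.loads(raw_line)
    udm = {
        "metadata.vendor_name": "AMAZON",
        "metadata.product_name": "AWS_CLOUDTRAIL",
        "metadata.event_type": classify_event(record),
    }
    for src, dst in FIELD_MAP:
        value = get_path(record, src)
        if value is not None:
            udm[dst] = as_udm_scalar(value)
    # sourceIPAddress is an IP for ordinary callers but a DNS name for AWS service
    # principals; the sample parsing keeps the latter as principal.hostname.
    source = record.get("sourceIPAddress")
    if source:
        try:
            ipaddress.ip_address(source)
            udm["principal.ip"] = source
        except ValueError:
            udm["principal.hostname"] = source
    # Assumption (not stated on the page): an errorCode means the call was refused.
    udm["security_result.action"] = "BLOCK" if "errorCode" in record else "ALLOW"
    for src, dst, key in LABEL_MAP:
        value = get_path(record, src)
        if value is not None:
            udm.setdefault(dst, []).append({"key": key, "value": as_udm_scalar(value)})
    return udm


if __name__ == "__main__":
    for line in (SAMPLE_LOG, DENIED_LOG):
        for field, value in normalize(line).items():
            print(f"{field} = {value!r}")
        print()
```

Running it prints the sample record's fields in the same shape as the "Sample Parsing" section (GENERIC_EVENT, principal.hostname, three principal labels, two target labels, ALLOW), followed by the constructed denied record, which lands in USER_RESOURCE_ACCESS with principal.ip, security_result.rule_id = "AccessDenied" and the assumed BLOCK action.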

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon