AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services (source: AWS CloudTrail Overview).
The following table lists the data source offered by this integration.
||Cloudtrail events are analyzed in detail|
||CloudTrail logs activities from all AWS Services|
As a prerequisite you need an existing CloudTrail trail and configure it to record activities from services that you want to monitor.
In the AWS console, navigate to:
Services > CloudTrail > Trails. From there, enable the events that you want to record:
- Management events: provide visibility into management operations that are performed on resources in your AWS account.
- Insights events: help AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events. Insights events are logged when CloudTrail detects unusual write management API activity in your account.
- Data events: provide visibility into the resource operations performed on or within a resource.
Activate the logging on the trail through the switch button (On/Off) located on the top right hand corner of the trail page.
Create the intake
Go to the intake page and create a new intake from the format
Set up the module configuration with the AWS Access Key, the secret key and the region name. Set up the trigger configuration with the name of the S3 Bucket, hosting the CloudTrail logs, and a prefix to the CloudTrail objects (e.g
At the end of the playbook, set up the action
Push events to intake with a SEKOIA.IO API key and the intake key, from the intake previously created.
Start the playbook and enjoy your events.