Enhance your cloud security visibility with the updated AWS CloudTrail app

For organizations operating in the cloud, visibility is everything. You need a reliable source of truth to answer “who did what, when, and where,” whether you’re investigating a security incident, chasing compliance goals, or monitoring operational activity.

Enter the Sumo Logic CloudTrail App, your go-to solution for transforming raw AWS CloudTrail logs into meaningful, actionable insights.

With an important CloudTrail schema update on July 14, 2025, there’s no better time to make sure you’re getting maximum value from this powerful integration.

What is the Sumo Logic CloudTrail app?

AWS CloudTrail records every API call across your AWS infrastructure, spanning the console, SDKs, CLI, and even service-to-service activity. In their raw form, these logs can be dense and overwhelming.

The CloudTrail App in Sumo Logic simplifies this complexity by:

• Ingesting CloudTrail logs and enriching them with field extraction rules.
• Surfacing insights through pre-built dashboards for login activity, access attempts, configuration changes, and more.
• Flagging anomalies using detection rules tied to IAM activity, credential usage, and cross-region behavior.
• Benchmarking your environment against peer activity using Global Intelligence for CloudTrail SecOps.

The result? Real-time visibility and context-rich security monitoring that turns raw audit logs into high-confidence answers.

Note: These are Classic apps (V1), and reinstalling them will create a new folder in your Content Library with updated dashboards.

What changed in AWS CloudTrail on July 14, 2025?

To better support the IAM Identity Center (formerly AWS SSO), AWS is restructuring how certain identity-related fields appear in CloudTrail logs. These changes improve clarity and consistency but also require updates to how the logs are parsed and visualized.

Key schema changes

Without updates to the parsing logic and dashboard queries, these changes will break visibility into user activity starting July 14.

Steps to take due to the July 14, 2025 update

To maintain continuity and ensure your dashboards, alerts, and queries remain accurate, Sumo Logic has released updated versions of the affected apps with support for the new schema. Just follow the steps below to get started.

1. If you’re using any of the following apps, reinstall them from the App Catalog:

• Amazon CloudTrail – Cloud Security Monitoring & Analytics
• AWS CloudTrail
• CIS AWS Foundations Benchmark
• PCI Compliance for AWS CloudTrail
• Threat Intel for AWS
• Cloud Infrastructure Security for AWS

2. Review and update custom content:

• Use the new schema paths to update any search queries, dashboard panels, scheduled reports, or alerts that reference `userName`, `principalId`, `userId`, etc.
• Remove any logic dependent on `principalId`, which will no longer be available.

3. Test and validate changes:

• Run your updated dashboards side-by-side with current versions to verify alignment.
• Confirm data continuity.

Note: Cloud SIEM customers do not need to make changes—parser logic has already been updated by Sumo Logic behind the scenes.

Why this matters

This update is a great opportunity to enhance your cloud security and monitoring capabilities with richer insights.

By updating your CloudTrail app, you can:

• Modernize your AWS log ingestion strategy.
• Leverage improved user identity fidelity from IAM Identity Center logs.
• Stay fully aligned with AWS’s evolving event model.

Final thoughts

CloudTrail is a cornerstone of any observability or security strategy in AWS, and with this upcoming change, Sumo Logic customers have a clear path to stay ahead.

By reinstalling the updated apps and adjusting custom logic, you’ll not only maintain visibility but enhance it, ensuring your teams have the context they need to move with confidence in the cloud.

Curious to learn more about this update? Check out our AWS CloudTrail Updates release notes.  

Read the AWS Security Blog to understand the ins and outs of this update, directly from AWS.