---
id: aws-cloudtrail
title: Amazon CloudTrail - Cloud Security Monitoring and Analytics
sidebar_label: Amazon CloudTrail
description: Introduction to Amazon CloudTrail - Cloud Security Monitoring and Analytics.
slug: /help/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/
canonical: https://www.sumologic.com/help/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

This set of CloudTrail monitoring and analytics dashboards provides one dashboard for the most critical analytics. Think of this bundle of dashboards as a good starting place to see trends and outliers on specific aspects of your CloudTrail data, including access monitoring, login activity, system monitoring, privileged activity, and threat intelligence.

## Collecting logs for the AWS CloudTrail app

This section has instructions for configuring log collection for the AWS CloudTrail app. If you intend to use the AWS CloudTrail app in multiple environments, see [Configure the AWS CloudTrail App in Multiple Environments](/docs/integrations/amazon-aws/cloudtrail/#configuring-the-aws-cloudtrail-app-in-multiple-environments).

To configure an AWS CloudTrail Source, perform these steps:

1. [Configure CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_started_top_level.html) in your AWS account.
2. Confirm that logs are being delivered to the Amazon S3 bucket.
3. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source) to Sumo Logic.
4. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket.
   * Generate the Role-Based Access CloudFormation template in Sumo Logic and download the template.
   * Create the CloudFormation stack in the AWS Management Console using the template.
   * Copy the Role ARN from the Outputs tab and paste it in the Role ARN field of the Sumo Logic CloudTrail Source created in step 3. For more information, see [Configuring your AWS source with CloudFormation](/docs/send-data/hosted-collectors/amazon-aws/configure-your-aws-source-cloudformation).
5. [Enable Sumo to track AWS Admin activity](/docs/integrations/amazon-aws/cloudtrail/#enable-sumo-logic-to-track-aws-admin-activity). This step is optional, but if you skip it, the administrator activity panels in the **AWS CloudTrail - User Monitoring** dashboard won't be populated.
6. Install the Sumo Logic App for AWS CloudTrail.

Once you begin uploading data, your daily data usage will increase. It's a good idea to check the **Account** page to make sure that you have enough quota to accommodate the additional data in your account. If you need additional quota, you can upgrade your account at any time.

### Sample log messages

```json
{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJ6IGVQ4XQZQDAYEOA",
    "arn": "arn:aws:iam::956882708938:user/Olaf",
    "accountId": "956882708938",
    "userName": "system"
  },
  "eventTime": "2017-09-27T20:00:10Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "65.98.119.36",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Failure"
  },
  "additionalEventData": {
    "MobileVersion": "No",
    "LoginTo": "https://console.aws.amazon.com/console/home?state\u003dhashArgs%23\u0026isauthcode\u003dtrue",
    "MFAUsed": "No"
  },
  "eventID": "f36c1d07-73cf-4ab8-84b1-04c93ac2aaeb"
}
```

```sumo title="Field Extraction Template"
| parse "\"sourceIPAddress\":\"*\"" as source_ipaddress
| parse "\"eventName\":\"*\"" as event_name
| parse "\"eventSource\":\"*\"" as event_source
| parse "\"awsRegion\":\"*\"" as aws_Region
| parse "\"userName\":\"*\"" as user
```

### Sample queries

```sumo title="Created and Deleted Network and Security Events"
_sourceCategory=AWS_EAGLE (*Security* OR *Network*)
| parse "\"userName\":\"*\"" as user
| parse "\"eventName\":\"*\"" as event
| parse regex field=event "^(?<event_type>[A-Z][a-z]+?)[A-Z]"
| where (event matches "*Security*" OR event matches "*Network*") and event_type in ("Create","Delete")
| count by event
| sort _count
```

In some cases, your query results may show `"HIDDEN_DUE_TO_SECURITY_REASONS"` as the value of the `userName` field. That's because AWS does not log the user name that was entered when a sign-in failure is caused by an incorrect user name.

## Installing the AWS CloudTrail app

Now that you have set up collection, install the Amazon CloudTrail - Cloud Security Monitoring and Analytics app to use the preconfigured searches and dashboards that provide insight into your data.

import AppInstallV2 from '../../reuse/apps/app-install-v2.md';

## Viewing AWS CloudTrail dashboards

import ViewDashboards from '../../reuse/apps/view-dashboards.md';

### Security Analytics - Access Monitoring

**Description:** See the details of security group activities and all AWS activities divided into read-only and non-read-only.

**Use Case:** Provides analysis of group activity events, including revoking and authorizing access, creating and deleting groups, and other events.

### Security Analytics - Login Activity

**Description:** See the details of login activity successes and failures for API, console, and the root account.

**Use Case:** Provides analysis of login activity. For API access, analysis is provided with trending failed API calls and a detailed table of the recent reasons for failure. Additionally, a stacked bar chart compares overall failed API calls broken down by account. For console and root activity, successes and failures are broken down with trending and a detailed table in each case.
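As an added example that is not part of the Sumo Logic app or this page, the `Created and Deleted Network and Security Events` sample query from the Sample queries section above is reimplemented in Python over constructed CloudTrail JSON lines, so the `event_type` extraction and the two filtering stages can be checked offline; the sample lines and user names are constructed, not real data.

```python
import re
from collections import Counter

# The "parse" anchor for eventName from the field extraction template above, as an unanchored regex.
EVENT_RE = re.compile(r'"eventName":"([^"]*)"')
# Same pattern as the sample query: the leading capitalized verb of the API name.
EVENT_TYPE_RE = re.compile(r"^([A-Z][a-z]+?)[A-Z]")

# Constructed CloudTrail JSON lines in the shape of the sample log above; not real data.
SAMPLE_LINES = [
    '{"userIdentity":{"userName":"olaf"},"eventName":"CreateSecurityGroup","eventSource":"ec2.amazonaws.com"}',
    '{"userIdentity":{"userName":"olaf"},"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com"}',
    '{"userIdentity":{"userName":"deploy"},"eventName":"DeleteNetworkAcl","eventSource":"ec2.amazonaws.com"}',
    '{"userIdentity":{"userName":"deploy"},"eventName":"CreateSecurityGroup","eventSource":"ec2.amazonaws.com"}',
    '{"userIdentity":{"userName":"audit"},"eventName":"DescribeSecurityGroups","eventSource":"ec2.amazonaws.com"}',
    '{"userIdentity":{"userName":"ci"},"eventName":"RunInstances","eventSource":"ec2.amazonaws.com"}',
    # Failed sign-in with an unknown user name: AWS masks the name, as noted under the sample query.
    '{"userIdentity":{"userName":"HIDDEN_DUE_TO_SECURITY_REASONS"},"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com"}',
]

def event_type(event):
    """CreateSecurityGroup -> Create; None when the name has no leading capitalized verb."""
    m = EVENT_TYPE_RE.match(event)
    return m.group(1) if m else None

def created_deleted_network_security(lines):
    """Python equivalent of the sample query: count Create*/Delete* events whose name
    mentions Security or Network, highest count first (Sumo sorts descending by default)."""
    counts = Counter()
    for raw in lines:
        # (*Security* OR *Network*) keyword filter on the raw message; Sumo keyword search is
        # case-insensitive, so the masked sign-in line passes here and is dropped only by the
        # event-name check below.
        lowered = raw.lower()
        if "security" not in lowered and "network" not in lowered:
            continue
        m = EVENT_RE.search(raw)
        if not m:
            continue
        event = m.group(1)
        if ("Security" in event or "Network" in event) and event_type(event) in ("Create", "Delete"):
            counts[event] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for event, n in created_deleted_network_security(SAMPLE_LINES):
        print(f"{n:>5}  {event}")
```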
### Security Monitoring - Account and System Monitoring

**Description:** See the details of identity and access management for users, roles, access keys, and other aspects of identity.

**Use Case:** Provides analysis of IAM activity: created and deleted users, a summary of IAM events, and created and deleted roles. An additional set of panels looks into password management, user changes in groups, and other events.

### Security Monitoring - Overview

**Description:** Monitoring overview providing one dashboard for the most critical analytics.

**Use Case:** Provides a summary of the dashboards in one location. A good starting place to see trends and outliers before digging into the individual analytic dashboards that provide more detail.

### AWS CloudTrail - Security Analytics - Privileged Activity

**Description:** Provides analytics on events that require elevated privileges.

**Use Case:** Provides top events, trending, and outliers on configuration changes, security group events, and security policy changes.

### AWS CloudTrail - Security Analytics - Threat Intelligence

**Description:** Review this dashboard for details on potential threats and IOCs for AWS CloudTrail.

**Use Case:** Provides analysis of Threats Associated with CloudTrail Events, Threats By Actor, Threats by Events and IP, Threats by Events and Result, Threats by Geo Location, and Threats Over Time by Result.

### Security Analytics - Data Exfiltration and Exposure

**Description:** Dashboard analyzing API-level data access, publicly exposed resource creation, and cross-account access patterns to detect data exfiltration attempts.
**Use Case:** Provides analysis of data exposure risks, including publicly exposed resources over time, secret accesses via Secrets Manager, KMS decrypt and SSM decryption activity, and sensitive access outliers, to help identify potential data exfiltration.

### Security Analytics - Suspicious Indicators

**Description:** This dashboard tracks ransomware signals such as KMS key deletions, backup/snapshot removals, and S3 data protection downgrades.

**Use Case:** Provides visibility into ransomware and destructive activity indicators, including KMS key deletions and disables over time, backup deletion events, S3 data protection configuration changes, and detailed tables of impacted resources.

## Create monitors for the AWS CloudTrail app

import CreateMonitors from '../../reuse/apps/create-monitors.md';

### AWS CloudTrail alerts

| Name | Description | Alert Condition | Recover Condition |
|:--|:--|:--|:--|
| `CloudTrail Logging Stopped or Deleted` | This alert is triggered when CloudTrail logging is stopped or a trail is deleted. `Note: Please change the _sourceCategory to match your collector's source category instead of using the default value.` | Count > 0 | Count <= 0 |
| `GuardDuty Disabled` | This alert is triggered when GuardDuty is disabled or a member account is disassociated from its master account. `Note: Please change the _sourceCategory to match your collector's source category instead of using the default value.` | Count > 0 | Count <= 0 |
| `Root Account Used` | This alert is triggered when the AWS root account is used to perform an action. `Note: Please change the _sourceCategory to match your collector's source category instead of using the default value.` | Count > 0 | Count <= 0 |

## Upgrade/Downgrade the AWS CloudTrail app (Optional)

import AppUpdate from '../../reuse/apps/app-update.md';

## Uninstalling the AWS CloudTrail app (Optional)

import AppUninstall from '../../reuse/apps/app-uninstall.md';
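As an added example that is not part of the app or this page, the following Python applies the three alert definitions from the AWS CloudTrail alerts table above to constructed CloudTrail records and reports the `Count > 0` / `Count <= 0` state of each. The API names in `ALERT_RULES` are my assumptions: the table describes the conditions without naming the calls.

```python
from collections import Counter

# Event names are my assumptions; the alerts table names no API calls. They are the
# CloudTrail and GuardDuty calls whose success matches each alert's description.
ALERT_RULES = [
    # (alert name, predicate on one record, count only calls that succeeded)
    ("CloudTrail Logging Stopped or Deleted",
     lambda e: e.get("eventName") in {"StopLogging", "DeleteTrail"}, True),
    ("GuardDuty Disabled",
     lambda e: e.get("eventName") in {"DeleteDetector", "DisassociateFromMasterAccount"}, True),
    ("Root Account Used",
     lambda e: e.get("userIdentity", {}).get("type") == "Root", False),
]

# Constructed CloudTrail records (not real data), reduced to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "audit"}},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    # CloudTrail adds errorCode to failed calls: this attempt did not stop logging, so it is not counted.
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "ci"}, "errorCode": "AccessDenied"},
    {"eventName": "DisassociateFromMasterAccount", "userIdentity": {"type": "AssumedRole"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
]

def evaluate_alerts(events):
    """Count matching records per alert and apply the table's conditions:
    Count > 0 triggers the alert, Count <= 0 recovers it."""
    counts = Counter()
    for e in events:
        succeeded = "errorCode" not in e
        for name, matches, need_success in ALERT_RULES:
            if matches(e) and (succeeded or not need_success):
                counts[name] += 1
    return {name: {"count": counts[name], "triggered": counts[name] > 0} for name, _, _ in ALERT_RULES}

if __name__ == "__main__":
    for name, state in evaluate_alerts(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if state['triggered'] else 'ok   '}  {state['count']}  {name}")
```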