Collect AWS CloudTrail Logs on an AWS Sensor

Amazon Web Services (AWS) CloudTrail provides a complete audit log of all actions taken through the AWS API, whether from the web user interface (UI), the AWS Command Line Interface (CLI), or an AWS software development kit (SDK). Ongoing monitoring of this log gives you visibility into end-user and automated actions in your environment, which helps you quickly detect abuse cases and security incidents, such as a user attempting changes to an AWS account that are inconsistent with their privileges.

USM Anywhere automatically detects AWS CloudTrail and retrieves your AWS CloudTrail logs across all regions within a single AWS account. USM Anywhere also provides you the credentials to securely access your AWS CloudTrail logs. When a new trail is detected, a new log collection job is automatically created and enabled to capture the logs in that trail. Similarly, if a trail is deleted, the existing job that was created for it is automatically deleted.

As the AWS Sensor collects this raw log data, USM Anywhere uses its AWS CloudTrail data source to normalize the data and generate meaningful events. Depending on the size of and activity in your AWS account, this log collection can produce a very large number of events. See Managing Collected CloudTrail Event Logs for a list of possible CloudTrail events. Similarly, if your AWS environment uses AWS Organizations, you can create a trail that logs all events for every AWS account assigned to the organization.

Note: If you choose not to enable AWS CloudTrail, USM Anywhere processes all stored logs at initial startup. See the Amazon documentation for information about enabling AWS CloudTrail. After that initial processing, log collection jobs run every five minutes to ensure that logs are captured and can generate meaningful events in a timely manner.

Note: Sometimes the CloudTrail events in USM Anywhere display a different username from the one in the raw log. This is because CloudTrail records several types of user identity, one of which is AssumedRole. When the user identity type is AssumedRole, the credential is temporary and the username shown in the raw log is not the actual username. See the Amazon documentation for more information.
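The following is an added example, not part of the USM Anywhere documentation or product code, showing what the normalization step and the AssumedRole note above mean in practice. Given CloudTrail records, it resolves the acting identity from the userIdentity element: for IAMUser the userName field is the real user, whereas for AssumedRole the ARN ends in assumed-role/<RoleName>/<SessionName>, the session name is what appears as the "user" in the raw log, and the role that was actually assumed is reported under sessionContext.sessionIssuer. The field names follow AWS's documented CloudTrail record format; the sample records, account id, names and principal ids are constructed placeholders.

```python
import json

# Constructed sample CloudTrail log (not from the page). Account id, user, role
# and principal ids are placeholders; the field layout follows AWS's documented
# CloudTrail record format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEID",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "userName": "alice"}},
    {"eventTime": "2024-01-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLEID:bob-session",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/bob-session",
                      "accountId": "123456789012",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "principalId": "AROAEXAMPLEID",
                          "arn": "arn:aws:iam::123456789012:role/AdminRole",
                          "accountId": "123456789012", "userName": "AdminRole"}}}},
    {"eventTime": "2024-01-01T12:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"}},
]})


def resolve_identity(user_identity):
    """Return a normalized view of who performed a CloudTrail action.

    raw_user is the name as it appears in the raw record; display is the
    name a reviewer should see. For AssumedRole the session name is chosen
    by whoever called AssumeRole, so the assumed role is reported alongside it.
    """
    itype = user_identity.get("type", "Unknown")
    arn = user_identity.get("arn", "")
    who = {"type": itype, "raw_user": None, "role": None, "session": None, "display": None}

    if itype == "IAMUser":
        who["raw_user"] = who["display"] = user_identity.get("userName")
    elif itype == "AssumedRole":
        # Resource part of arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>
        parts = arn.split(":", 5)[-1].split("/")
        if len(parts) == 3 and parts[0] == "assumed-role":
            who["role"], who["session"] = parts[1], parts[2]
        issuer = (user_identity.get("sessionContext") or {}).get("sessionIssuer") or {}
        # The issuer's userName is the role name; prefer it when present.
        who["role"] = issuer.get("userName", who["role"])
        who["raw_user"] = who["session"]
        who["display"] = f"{who['role']}/{who['session']}"
    elif itype == "Root":
        who["raw_user"] = who["display"] = "root"
    elif itype == "AWSService":
        # Calls made by an AWS service on the account's behalf.
        who["raw_user"] = who["display"] = user_identity.get("invokedBy")
    else:
        who["raw_user"] = who["display"] = user_identity.get("principalId")
    return who


def normalize_records(log_text):
    """Parse a CloudTrail log file body and return one flat event per record."""
    events = []
    for rec in json.loads(log_text).get("Records", []):
        who = resolve_identity(rec.get("userIdentity") or {})
        events.append({"time": rec.get("eventTime"), "region": rec.get("awsRegion"),
                       "source": rec.get("eventSource"), "action": rec.get("eventName"),
                       **who})
    return events


if __name__ == "__main__":
    for ev in normalize_records(SAMPLE_LOG):
        print(f"{ev['time']} {ev['region']:<10} {ev['action']:<20} "
              f"{ev['type']:<12} raw={ev['raw_user']} display={ev['display']}")
```

Running the block prints one line per record; the second line shows the raw username bob-session next to AdminRole/bob-session, which is the difference the note above describes. Session names are attacker-controllable strings, so when reviewing AssumedRole events key on the role ARN and account id rather than on the session name alone.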

To enable AWS CloudTrail for your AWS Sensor

  1. Go to Settings > Scheduler.
  2. Search for CloudTrail in the Job Scheduler Filter By field.
  3. In the row for the CloudTrail job, click the icon to enable the AWS CloudTrail jobs.

    This turns the icon green.

    (Screenshot: Job Scheduler main page)

(Video: how to configure AWS to capture CloudTrail logs and where USM Anywhere displays CloudTrail events.)