Managing Collected CloudTrail Event Logs

Amazon Web Services (AWS) CloudTrail produces log data for numerous AWS services. Depending on the size and activity of your AWS account, the AWS CloudTrail log collection in USM Anywhere can produce an excessive number of events. Many of these events reflect normal activity, and you will most likely want to create suppression rules so that they are not generated in the future. For other event types that are important and require attention, you may want to generate alarms (notification of an event or sequence of events that require attention or investigation) or send notifications (communication of an important event, typically through an email message or other desktop display; in USM Anywhere, notifications are typically triggered by notification rules or directly from alarms).

During normalization, USM Anywhere populates the event name from the logged CloudTrail action (the eventName field of the CloudTrail record, for example ConsoleLogin or StopLogging). You can therefore use the Event Name field to specify a match condition for the events you want to manage with a rule.

Use the Event Name field to match a logged CloudTrail action

Important: The order of the conditions matters. USM Anywhere evaluates rule conditions in a fixed order, reading them from left to right, so if your rule includes the packet_type and plugin_device fields, these must always be the first conditions in the rule.

For more information about creating rules, see Orchestration Rules.
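The following is an added illustration, not USM Anywhere code, of the two points above: the event name is copied from CloudTrail's eventName field during normalization, and a rule is an ordered list of conditions evaluated left to right with packet_type and plugin_device first. The CloudTrail records are constructed and abbreviated, the packet_type and plugin_device values are assumed labels, and the rule names, operators and actions (suppress, alarm, notify) are hypothetical stand-ins for the product's own rule types.

```python
import json

# Constructed CloudTrail delivery file (abbreviated records; real records carry more fields).
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "inventory-bot"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "userIdentity": {"type": "AWSService"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# Fields that, when present, must lead the condition list (the ordering note above).
PRIORITY_FIELDS = ("packet_type", "plugin_device")


def normalize(record):
    """Flatten one CloudTrail record into the fields a rule can match on.

    event_name is copied straight from CloudTrail's eventName, which is how the
    Event Name field ends up holding the logged action. The packet_type and
    plugin_device values are assumed labels for this illustration.
    """
    return {
        "packet_type": "log",
        "plugin_device": "AWS CloudTrail",
        "event_name": record["eventName"],
        "event_source": record.get("eventSource", ""),
        "user_name": record.get("userIdentity", {}).get("userName", ""),
    }


def condition_order_ok(conditions):
    """True if every packet_type / plugin_device condition precedes all other fields."""
    seen_other = False
    for field, _op, _value in conditions:
        if field in PRIORITY_FIELDS:
            if seen_other:
                return False
        else:
            seen_other = True
    return True


class Rule:
    """An ordered list of (field, operator, value) conditions plus an action."""

    def __init__(self, name, action, conditions):
        if not condition_order_ok(conditions):
            raise ValueError(f"{name}: packet_type/plugin_device must come first")
        self.name, self.action, self.conditions = name, action, conditions

    def matches(self, event):
        # Conditions are evaluated left to right; the first one that fails ends the check.
        for field, op, value in self.conditions:
            actual = event.get(field)
            if op == "equals":
                ok = actual == value
            elif op == "startswith":
                ok = str(actual).startswith(value)
            elif op == "in":
                ok = actual in value
            else:
                raise ValueError(f"unknown operator {op!r}")
            if not ok:
                return False
        return True


RULES = [
    # Suppress read-only inventory calls that flood the event stream.
    Rule("suppress-describe-calls", "suppress", [
        ("packet_type", "equals", "log"),
        ("plugin_device", "equals", "AWS CloudTrail"),
        ("event_name", "startswith", "Describe"),
    ]),
    # Alarm when someone turns off or removes the audit trail itself.
    Rule("alarm-cloudtrail-tampering", "alarm", [
        ("packet_type", "equals", "log"),
        ("plugin_device", "equals", "AWS CloudTrail"),
        ("event_name", "in", {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ]),
    # Notify when new long-lived credentials are created.
    Rule("notify-new-access-key", "notify", [
        ("packet_type", "equals", "log"),
        ("plugin_device", "equals", "AWS CloudTrail"),
        ("event_name", "equals", "CreateAccessKey"),
    ]),
]


def process_records(raw_json, rules=RULES):
    """Return {event_name: disposition}; the first matching rule wins, else the event is stored."""
    dispositions = {}
    for record in json.loads(raw_json)["Records"]:
        event = normalize(record)
        disposition = "store"
        for rule in rules:
            if rule.matches(event):
                disposition = rule.action
                break
        dispositions[event["event_name"]] = disposition
    return dispositions


if __name__ == "__main__":
    for name, disposition in process_records(SAMPLE_CLOUDTRAIL_JSON).items():
        print(f"{name:20s} -> {disposition}")
```

Two things to take from the example when writing real rules. First, because evaluation stops at the first failing condition, putting packet_type and plugin_device first cheaply excludes every non-CloudTrail event before the event name is even compared. Second, a blanket suppression such as "event name starts with Describe" also hides the enumeration calls an attacker makes while mapping an account, so narrow suppression rules with a further condition (for example the user or source that generates the routine noise) rather than suppressing an entire action family.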

CloudTrail Event Names by Type