Amazon CloudTrail - Cloud Security Monitoring and Analytics
This set of CloudTrail monitoring and analytics dashboards provide one dashboard for the most critical analytics. Think of this bundle of dashboards as a good starting place to see trends and outliers on specific aspects of your CloudTrail data -- including access monitoring, login activity, system monitoring, privileged activity, and threat intelligence.
Collecting Logs for the AWS CloudTrail PCI Compliance App
This section has instructions for configuring log collection for the AWS CloudTrail app.
If you intend to use the AWS CloudTrail app in multiple environments, see Configure the AWS CloudTrail App in Multiple Environments.
To configure an AWS CloudTrail Source, perform these steps:
- Configure CloudTrail in your AWS account.
- Confirm that logs are being delivered to the Amazon S3 bucket.
- Add an AWS CloudTrail Source to Sumo Logic.
- Grant Sumo Logic access to an Amazon S3 bucket.
- Generate the Role-Based Access CloudFormation template in Sumo Logic and download the template.
- Create the CloudFormation stack in AWS Management Console using the template.
- Copy the Role ARN from the Outputs tab and paste it in the Role ARN field in Sumo Logic CloudTrail Source created in step 3. For more information, see Configuring your AWS source with CloudFormation.
- Enable Sumo to track AWS Admin activity. This step is optional, but if you don't do it, the administrator activity panels in the AWS CloudTrail - User Monitoring dashboard won't be populated.
- Install the Sumo Logic App for AWS CloudTrail.
Once you begin uploading data, your daily data usage will increase. It's a good idea to check the Account page to make sure that you have enough quota to accommodate additional data in your account. If you need additional quota, you can upgrade your account at any time.
Sample Log Message
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
| parse "\"sourceIPAddress\":\"*\"" as source_ipaddress
| parse "\"eventName\":\"*\"" as event_name
| parse "\"eventSource\":\"*\"" as event_source
| parse "\"awsRegion\":\"*\"" as aws_Region
| parse "\"userName\":\"*\"" as user
_sourceCategory=AWS_EAGLE (*Security* OR *Network*)
| parse "\"userName\":\"*\"" as user
| parse "\"eventName\":\"*\"" as event
| parse regex field=event "^(?<event_type>[A-Z][a-z]+?)[A-Z]"
| where (event matches "*Security*" OR event matches "*Network*") and event_type in ("Create","Delete")
| count by event
| sort _count
In some cases, your query results may show
"HIDDEN_DUE_TO_SECURITY_REASONS" as the value of the
userName field. That's because AWS does not log the user name that was entered when a sign-in failure is caused by an incorrect user name.
Installing the PCI Compliance AWS CloudTrail App
Now that you have set up collection, install the Amazon CloudTrail - Cloud Security Monitoring and Analytics app to use the preconfigured searches and Dashboards that provide insight into your data.
To install the app:
Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.
- From the App Catalog, search for and select the app.
- Select the version of the service you're using and click Add to Library. Version selection is applicable only to a few apps currently. For more information, see the Install the Apps from the Library.
- To install the app, complete the following fields.
- App Name. You can retain the existing name, or enter a name of your choice for the app.
- Data Source. Select either of these options for the data source.
- Choose Source Category, and select a source category from the list.
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (
- Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.
Viewing AWS CloudTrail Dashboards
The Cloud Security Monitoring & Analytics for AWS CloudTrail App provides dashboards that you can modify for your specific security operational needs.
- Access Monitoring
- Login Activity
- Account and System Monitoring
- Privileged Activity
- Threat Intelligence
Security Analytics - Access Monitoring
Description: See the details of security group activities and all AWS activities divided by read only and non read only.
Use Case: Provides analysis of group activity events including revoking and authorizing access, creating and deleting groups, and other events.
Security Analytics - Login Activity
Description: See the details of login activity successes and failures for API, console, and the root account.
Use Case: Provides analysis of login activity. For API access analysis is provided with trending failed API calls and a detailed table of the recent reasons for failure. Additionally a stacked bar chart shows the comparison of overall failed API calls broken down by account. For console and root activity success and failure are broken down with trending and a detailed table provided in each case.
Security Monitoring - Account and System Monitoring
Description: See the details of identity and access management for users, roles, access keys and other aspects of identity.
Use Case: Provides analysis of IAM activity. Analysis of created and deleted users as well as a summary of IAM events. Created and deleted roles are evidenced. An additional set of analysis looks into password management, user changes in groups and other events.
Security Monitoring - Overview
Description: Monitoring overview providing one dashboard for the most critical analytics.
Use Case: Provides summary of the dashboards in one location. A good starting place to see trends and outliers before digging into the individual analytic dashboards that will provide more detail.
AWS CloudTrail - Security Analytics - Privileged Activity
Description: Provides analytics on events that require elevated privileges.
Use Case: Provides top events, trending and outliers on configuration changes, security group events, and security policy changes.
AWS CloudTrail - Security Analytics - Threat Intelligence
Description: Review this dashboard for details on potential threats and IOCs for AWS CloudTrail.
Use Case: Provides analysis on Threats Associated with CloudTrail Events, Threats By Actor, Threats by Events and I.P, Threats by Events and Result, Threats by Geo Location, Threats Over Time by Result.