AWS CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
Connect AWS CloudTrail with Devo SOAR
Navigate to Automations > Integrations.
Search for AWS CloudTrail.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Region: Enter a valid Region. Example: us-west-1.
API key: The API key used to connect to AWS CloudTrail.
Secret Key: The secret key for CloudTrail.
After you've entered all the details, click Connect.
Actions for AWS CloudTrail
Lookup Events
Looks up management events captured by CloudTrail.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Max Events | The number of events to return. Possible values are 1 through 50000 (default is 1000). | Optional |
Attribute Key | The attribute key to look up. | Optional |
Attribute Value | The attribute value to look up. | Optional |
Action Timeout | Timeout in seconds (default is 360 seconds). | Optional |
Output
A JSON object containing the event details.
```json
{
"CloudTrailEvent": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIXOY7ENQC3XZWEUO6:ed7eab45-8886-4294-afa2-10bca651\",\"arn\":\"arn:aws:sts::827505017847:assumed-role/obsrvbl_role/ed7eab45-8886-4294-afa2-10bca651\",\"accountId\":\"827505017847\",\"accessKeyId\":\"ASIA4BKZEQP37B6GUG6L\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIXOY7ENQC3XZWEUO6\",\"arn\":\"arn:aws:iam::827505017847:role/obsrvbl_role\",\"accountId\":\"827505017847\",\"userName\":\"obsrvbl_role\"},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2021-01-19T12:42:12Z\"}}},\"eventTime\":\"2021-01-19T12:42:27Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"LookupEvents\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"52.54.41.7\",\"userAgent\":\"Boto3/1.16.0 Python/3.6.9 Linux/4.15.0-1060-aws Botocore/1.19.0\",\"errorCode\":\"ThrottlingException\",\"errorMessage\":\"Rate exceeded\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"304b7f68-e5e7-4244-b37c-9d6ed003985f\",\"eventID\":\"89c7cc6e-0938-433e-8502-8aa4a4c2858c\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"eventCategory\":\"Management\",\"recipientAccountId\":\"827505017847\"}",
"EventId": "89c7cc6e-0938-433e-8502-8aa4a4c2858c",
"EventName": "LookupEvents",
"EventSource": "cloudtrail.amazonaws.com",
"EventTime": "2021-01-19 12:42:27+00:00",
"Resources": [],
"Username": "ed7eab45-8886-4294-afa2-10bca651",
"error": null,
"has_error": false
}
```
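The output above hides a detail that trips up playbook authors: the CloudTrailEvent field is itself a JSON document serialised as a string inside the JSON record, so it has to be decoded a second time before fields such as mfaAuthenticated or errorCode can be used in a condition. The following is an added example, not part of the Devo SOAR integration, that validates the Lookup Events inputs from the table above (Max Events range 1 to 50000, Attribute Key and Attribute Value supplied together) and then flattens and triages one result record. It assumes the action's Attribute Key and Attribute Value map onto the LookupAttributes parameter of the CloudTrail LookupEvents API, whose accepted key names are listed in the set below; the sample record is constructed to match the shape of the output above, with placeholder account, key and IP values.

```python
import json

# Attribute keys accepted by the CloudTrail LookupEvents API.
# Assumption: the action's "Attribute Key"/"Attribute Value" inputs are
# passed through to the API's LookupAttributes parameter.
VALID_ATTRIBUTE_KEYS = {
    "EventId", "EventName", "ReadOnly", "Username",
    "ResourceType", "ResourceName", "EventSource", "AccessKeyId",
}


def build_lookup_filter(max_events=1000, attribute_key=None, attribute_value=None):
    """Validate the action inputs and return a LookupEvents-style filter dict."""
    if not 1 <= max_events <= 50000:
        raise ValueError("Max Events must be between 1 and 50000")
    # A key without a value (or vice versa) cannot be sent to the API.
    if (attribute_key is None) != (attribute_value is None):
        raise ValueError("Attribute Key and Attribute Value must be supplied together")
    lookup = {"MaxEvents": max_events, "LookupAttributes": []}
    if attribute_key is not None:
        if attribute_key not in VALID_ATTRIBUTE_KEYS:
            raise ValueError(f"unsupported Attribute Key: {attribute_key}")
        lookup["LookupAttributes"].append(
            {"AttributeKey": attribute_key, "AttributeValue": attribute_value}
        )
    return lookup


def parse_event(record):
    """Flatten one Lookup Events result record into the fields a playbook needs.

    CloudTrailEvent is a JSON string embedded in the JSON record, so it is
    decoded here with a second json.loads() call.
    """
    detail = json.loads(record["CloudTrailEvent"])
    identity = detail.get("userIdentity", {})
    session = identity.get("sessionContext", {})
    return {
        "event_id": record.get("EventId"),
        "event_name": detail.get("eventName"),
        "event_source": detail.get("eventSource"),
        "source_ip": detail.get("sourceIPAddress"),
        "identity_type": identity.get("type"),
        "role_name": session.get("sessionIssuer", {}).get("userName"),
        # CloudTrail records this flag as the string "true"/"false", not a boolean.
        "mfa_authenticated": session.get("attributes", {}).get("mfaAuthenticated") == "true",
        "read_only": bool(detail.get("readOnly")),
        "error_code": detail.get("errorCode"),
    }


def triage(parsed):
    """Return defender-oriented observations about one parsed event."""
    findings = []
    if parsed["error_code"]:
        findings.append(f"API call failed: {parsed['error_code']}")
    if parsed["identity_type"] == "AssumedRole" and not parsed["mfa_authenticated"]:
        findings.append("assumed-role session without MFA")
    if not parsed["read_only"]:
        findings.append("write (non-read-only) management event")
    return findings


# Constructed sample shaped like the action's output; account id, key id,
# IP address and ids are placeholders, not values from any real account.
SAMPLE_RECORD = {
    "CloudTrailEvent": json.dumps({
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:example-session",
            "arn": "arn:aws:sts::123456789012:assumed-role/example_role/example-session",
            "accountId": "123456789012",
            "accessKeyId": "ASIAEXAMPLEKEYID",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "example_role"},
                "attributes": {"mfaAuthenticated": "false",
                               "creationDate": "2021-01-19T12:42:12Z"},
            },
        },
        "eventTime": "2021-01-19T12:42:27Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "LookupEvents",
        "awsRegion": "us-east-2",
        "sourceIPAddress": "192.0.2.10",
        "errorCode": "ThrottlingException",
        "errorMessage": "Rate exceeded",
        "readOnly": True,
        "eventType": "AwsApiCall",
        "managementEvent": True,
    }),
    "EventId": "00000000-0000-0000-0000-000000000001",
    "EventName": "LookupEvents",
    "EventSource": "cloudtrail.amazonaws.com",
    "EventTime": "2021-01-19 12:42:27+00:00",
    "Resources": [],
    "Username": "example-session",
    "error": None,
    "has_error": False,
}


if __name__ == "__main__":
    print(build_lookup_filter(500, "EventName", "LookupEvents"))
    parsed = parse_event(SAMPLE_RECORD)
    for finding in triage(parsed):
        print(f"{parsed['event_id']}: {finding}")
```

For the sample record the triage reports the ThrottlingException and the missing MFA on the assumed-role session, but not a write operation, because readOnly is true; a playbook would typically branch on exactly these flattened fields rather than on the raw CloudTrailEvent string.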
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
v1.0.11
- Added documentation link in the automation library.