
AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

Connect AWS CloudTrail with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for AWS CloudTrail.

  3. Click Details, then the + icon. Enter the required information in the following fields.

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Leave it enabled; disabling it lets a man-in-the-middle read the access key and secret key sent with every request.

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • Region: Enter a valid AWS Region code. Example: us-west-1. Lookup Events queries the CloudTrail event history of this Region only.

     • API key: The AWS access key ID of the IAM principal the integration will use. Scope that principal to the cloudtrail:LookupEvents permission; the only action on this page, Lookup Events, needs nothing more.

     • Secret Key: The AWS secret access key that pairs with the access key ID above.

  4. After you've entered all the details, click Connect.

Actions for AWS CloudTrail

Lookup Events

Looks up management events captured by CloudTrail. The lookup runs against the event history of the connection's Region, which CloudTrail retains for the past 90 days.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to run the action.

Max Events (Optional): The number of events to return. Possible values are 1 through 50000 (default is 1000).

Attribute Key (Optional): The lookup attribute to filter on. CloudTrail accepts one of EventId, EventName, ReadOnly, Username, ResourceType, ResourceName, EventSource or AccessKeyId, and only one key/value pair per lookup. Set Attribute Value together with it.

Attribute Value (Optional): The value the chosen Attribute Key must match, for example an IAM user name for Username or ConsoleLogin for EventName.

Action Timeout (Optional): Timeout in seconds (default is 360 seconds).

Output

One JSON object per matching event. The CloudTrailEvent field holds the full CloudTrail record as a JSON-encoded string, so decode it before reading fields such as userIdentity, errorCode or readOnly; the remaining fields are the summary CloudTrail returns alongside the record. The example below is a LookupEvents call that was itself throttled (errorCode ThrottlingException, "Rate exceeded"), which is what you will see when a playbook exceeds CloudTrail's limit of two LookupEvents requests per second per account per Region.

{
  "CloudTrailEvent": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIXOY7ENQC3XZWEUO6:ed7eab45-8886-4294-afa2-10bca651\",\"arn\":\"arn:aws:sts::827505017847:assumed-role/obsrvbl_role/ed7eab45-8886-4294-afa2-10bca651\",\"accountId\":\"827505017847\",\"accessKeyId\":\"ASIA4BKZEQP37B6GUG6L\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIXOY7ENQC3XZWEUO6\",\"arn\":\"arn:aws:iam::827505017847:role/obsrvbl_role\",\"accountId\":\"827505017847\",\"userName\":\"obsrvbl_role\"},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2021-01-19T12:42:12Z\"}}},\"eventTime\":\"2021-01-19T12:42:27Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"LookupEvents\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"52.54.41.7\",\"userAgent\":\"Boto3/1.16.0 Python/3.6.9 Linux/4.15.0-1060-aws Botocore/1.19.0\",\"errorCode\":\"ThrottlingException\",\"errorMessage\":\"Rate exceeded\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"304b7f68-e5e7-4244-b37c-9d6ed003985f\",\"eventID\":\"89c7cc6e-0938-433e-8502-8aa4a4c2858c\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"eventCategory\":\"Management\",\"recipientAccountId\":\"827505017847\"}",
  "EventId": "89c7cc6e-0938-433e-8502-8aa4a4c2858c",
  "EventName": "LookupEvents",
  "EventSource": "cloudtrail.amazonaws.com",
  "EventTime": "2021-01-19 12:42:27+00:00",
  "Resources": [],
  "Username": "ed7eab45-8886-4294-afa2-10bca651",
  "error": null,
  "has_error": false
}
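The following added example is not the integration's own code; it shows what the Lookup Events action has to do with the inputs and output described above: validate the Attribute Key / Attribute Value pair against the keys CloudTrail accepts, page with NextToken because the API returns at most 50 events per call while Max Events allows up to 50000, and decode the JSON-encoded CloudTrailEvent string into the fields a playbook branches on. The AWS calls are replaced by an offline stand-in (fake_lookup_events) fed with constructed records that use documentation account IDs and IP ranges; the function and field names are this example's own, not Devo SOAR's.

```python
import json

# Lookup attribute keys CloudTrail LookupEvents accepts; the API takes at most
# one AttributeKey/AttributeValue pair per request.
LOOKUP_ATTRIBUTE_KEYS = {"EventId", "EventName", "ReadOnly", "Username",
                         "ResourceType", "ResourceName", "EventSource", "AccessKeyId"}
PAGE_SIZE_CAP = 50  # LookupEvents MaxResults is limited to 50 per API call


def build_lookup_request(attribute_key=None, attribute_value=None,
                         page_size=PAGE_SIZE_CAP, next_token=None):
    """Turn the action's Attribute Key / Attribute Value inputs into LookupEvents
    request parameters, rejecting unsupported or half-specified filters up front."""
    if (attribute_key is None) != (attribute_value is None):
        raise ValueError("Attribute Key and Attribute Value must be set together")
    if attribute_key is not None and attribute_key not in LOOKUP_ATTRIBUTE_KEYS:
        raise ValueError(f"unsupported lookup attribute key: {attribute_key}")
    params = {"MaxResults": max(1, min(page_size, PAGE_SIZE_CAP))}
    if attribute_key is not None:
        params["LookupAttributes"] = [{"AttributeKey": attribute_key,
                                       "AttributeValue": attribute_value}]
    if next_token:
        params["NextToken"] = next_token
    return params


def collect_events(call_api, max_events, **lookup):
    """Follow NextToken until max_events (the action's Max Events input) are
    collected or CloudTrail has no more. call_api takes the request dict and
    returns a response shaped like boto3's cloudtrail.lookup_events."""
    events, token = [], None
    while len(events) < max_events:
        response = call_api(build_lookup_request(
            page_size=max_events - len(events), next_token=token, **lookup))
        events.extend(response.get("Events", []))
        token = response.get("NextToken")
        if not token:
            break
    return events[:max_events]


def parse_event(event):
    """Decode the JSON-encoded CloudTrailEvent string and pull out the fields a
    triage playbook normally branches on."""
    raw = json.loads(event["CloudTrailEvent"])
    identity = raw.get("userIdentity", {})
    session = identity.get("sessionContext", {})
    return {
        "event_id": raw["eventID"],
        "event_name": raw["eventName"],
        "region": raw["awsRegion"],
        "source_ip": raw.get("sourceIPAddress"),
        "identity_type": identity.get("type"),
        "identity_arn": identity.get("arn"),
        "issuer_arn": session.get("sessionIssuer", {}).get("arn"),
        "mfa_authenticated": session.get("attributes", {}).get("mfaAuthenticated") == "true",
        "read_only": raw.get("readOnly"),
        "error_code": raw.get("errorCode"),
    }


def _record(name, read_only, error):
    """Constructed CloudTrail record (documentation account ID and IP, not real
    activity) in the same shape as the example output above."""
    return json.dumps({
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/example_role/session1",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/example_role"},
                "attributes": {"mfaAuthenticated": "false"}}},
        "eventSource": "cloudtrail.amazonaws.com", "eventName": name,
        "awsRegion": "us-east-2", "sourceIPAddress": "198.51.100.7",
        "errorCode": error, "eventID": f"id-{name.lower()}", "readOnly": read_only,
    })


# Two constructed pages: the first mirrors the throttled LookupEvents record
# shown above, the second adds a write event and carries no NextToken.
SAMPLE_PAGES = {
    None: {"Events": [{"EventId": "id-lookupevents", "EventName": "LookupEvents",
                       "CloudTrailEvent": _record("LookupEvents", True, "ThrottlingException")}],
           "NextToken": "page-2"},
    "page-2": {"Events": [{"EventId": "id-deletetrail", "EventName": "DeleteTrail",
                           "CloudTrailEvent": _record("DeleteTrail", False, None)}]},
}


def fake_lookup_events(request):
    """Offline stand-in for boto3's cloudtrail.lookup_events, keyed on NextToken;
    it does not apply LookupAttributes, so every page comes back unfiltered."""
    return SAMPLE_PAGES[request.get("NextToken")]


def run_lookup(max_events, attribute_key=None, attribute_value=None):
    """The action end to end: page through results, then decode each record."""
    events = collect_events(fake_lookup_events, max_events,
                            attribute_key=attribute_key, attribute_value=attribute_value)
    return [parse_event(e) for e in events]
```

Against real AWS, pass a bound `boto3.client("cloudtrail").lookup_events` as `call_api` (unpacking the dict with `**`) and keep the call rate under two per second per Region, or the response will contain exactly the ThrottlingException record shown above. The decoded `mfa_authenticated` and `read_only` flags are the two fields most worth gating a playbook on: an AssumedRole session without MFA performing a non-read-only action such as DeleteTrail deserves a different branch from a throttled read.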

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.0.11 - Added documentation link in the automation library.