Sumo Logic

Global Intelligence for AWS CloudTrail

The Global Intelligence for AWS CloudTrail App enables you to detect potentially malicious configuration changes in your AWS account by comparing the AWS CloudTrail events in your account against a cohort of other AWS customers. The set of CloudTrail events the App monitors is curated from AWS penetration tests and operational best practices.

The App dashboards enable you to determine the following:

  • How your attack surface compares to your peers 
  • MITRE ATT&CK tactics that are evident in your organization compared to your peers. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • Resources that are impacted 
  • An action plan to improve security posture in your AWS infrastructure

The current scope of this application covers the following AWS services and the associated resource types it counts:

  1. Amazon EC2: compute instances, security groups, route tables and Amazon Machine Images (AMIs)
  2. Amazon S3: buckets
  3. Amazon RDS: database instances and DB security groups
  4. Amazon Redshift: database clusters and parameter groups
  5. AWS Lambda: functions
  6. AWS IAM: IAM users, roles and groups
  7. AWS CloudTrail: trails

Log Types

The Global Intelligence for AWS CloudTrail App uses AWS CloudTrail logs as its only log source.
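As an added illustration of the two points above (the in-scope resource types, and CloudTrail as the only log type), the following Python is not Sumo Logic's code. It reads a CloudTrail log file in its native shape (a JSON object with a Records array), counts successful, non-read-only API calls that create each in-scope resource type, and compares those counts with the median of a peer cohort. The eventName values are the API names CloudTrail records, but the mapping to resource types, the sample records and the cohort figures are all constructed for this example; the App's actual curation logic and cohort data are not published on this page.

```python
"""Tally CloudTrail write events for the resource types the App scopes, then
compare the account's counts with a peer cohort. Added example, not Sumo Logic's
implementation; sample records and cohort figures are constructed."""
import json
import re
from collections import Counter
from statistics import median

# (eventSource, eventName) -> resource type from the App's scope list.
# eventName values are CloudTrail API names; the grouping is our own assumption.
SCOPE = {
    ("ec2.amazonaws.com", "RunInstances"): "EC2 instance",
    ("ec2.amazonaws.com", "CreateSecurityGroup"): "EC2 security group",
    ("ec2.amazonaws.com", "CreateRouteTable"): "EC2 route table",
    ("ec2.amazonaws.com", "CreateImage"): "Amazon Machine Image",
    ("s3.amazonaws.com", "CreateBucket"): "S3 bucket",
    ("rds.amazonaws.com", "CreateDBInstance"): "RDS DB instance",
    ("rds.amazonaws.com", "CreateDBSecurityGroup"): "RDS DB security group",
    ("redshift.amazonaws.com", "CreateCluster"): "Redshift cluster",
    ("redshift.amazonaws.com", "CreateClusterParameterGroup"): "Redshift parameter group",
    ("lambda.amazonaws.com", "CreateFunction"): "Lambda function",
    ("iam.amazonaws.com", "CreateUser"): "IAM user",
    ("iam.amazonaws.com", "CreateRole"): "IAM role",
    ("iam.amazonaws.com", "CreateGroup"): "IAM group",
    ("cloudtrail.amazonaws.com", "CreateTrail"): "CloudTrail trail",
}


def normalize_event_name(name):
    """Strip the 8-digit API-version suffix some services append
    (CloudTrail records Lambda's CreateFunction as CreateFunction20150331)."""
    return re.sub(r"\d{8}$", "", name)


def load_records(cloudtrail_json):
    """A CloudTrail log file is a JSON object whose 'Records' array holds the events."""
    return json.loads(cloudtrail_json)["Records"]


def count_in_scope(records):
    """Count successful, non-read-only calls that create an in-scope resource."""
    counts = Counter()
    for r in records:
        if r.get("readOnly", False):
            continue  # Describe*/List*/Get* calls change no configuration
        if r.get("errorCode"):
            continue  # e.g. AccessDenied: nothing was created (still worth alerting on, but not inventory)
        key = (r["eventSource"], normalize_event_name(r["eventName"]))
        if key in SCOPE:
            counts[SCOPE[key]] += 1
    return counts


def compare_to_cohort(mine, cohort):
    """Return {resource type: (my count, cohort median)} for every in-scope type."""
    result = {}
    for rtype in dict.fromkeys(SCOPE.values()):  # ordered, de-duplicated
        peer = median(c.get(rtype, 0) for c in cohort)
        result[rtype] = (mine.get(rtype, 0), peer)
    return result


def _rec(source, name, **extra):
    """Build a minimal constructed CloudTrail record with the fields used above."""
    base = {"eventVersion": "1.08", "eventTime": "2023-01-01T00:00:00Z",
            "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "userName": "deployer"}}
    base.update(extra)
    return base


# Constructed log file: two instance launches, one security group, a read-only
# call, a denied IAM user creation, a Lambda function and a new trail.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("ec2.amazonaws.com", "RunInstances"),
    _rec("ec2.amazonaws.com", "RunInstances"),
    _rec("ec2.amazonaws.com", "CreateSecurityGroup"),
    _rec("ec2.amazonaws.com", "DescribeInstances", readOnly=True),
    _rec("iam.amazonaws.com", "CreateUser", errorCode="AccessDenied"),
    _rec("lambda.amazonaws.com", "CreateFunction20150331"),
    _rec("cloudtrail.amazonaws.com", "CreateTrail"),
]})

# Constructed per-account counts for three hypothetical peer accounts.
COHORT = [Counter({"EC2 instance": 1, "EC2 security group": 2}),
          Counter({"EC2 instance": 3, "Lambda function": 4, "CloudTrail trail": 1}),
          Counter({"EC2 instance": 1, "IAM user": 2, "CloudTrail trail": 1})]


def run():
    return compare_to_cohort(count_in_scope(load_records(SAMPLE_LOG)), COHORT)


if __name__ == "__main__":
    for rtype, (mine, peer) in run().items():
        flag = "ABOVE PEERS" if mine > peer else ""
        print(f"{rtype:28s} mine={mine:<3} cohort_median={peer:<5} {flag}")
```

Two details matter when you adapt this to real trails: read-only events are excluded via the record's readOnly flag rather than by name matching, and failed calls (errorCode present) are left out of the inventory count because they created nothing, although a burst of denied CreateUser or CreateTrail calls is exactly the kind of event a detection rule should keep.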