Collect Logs for the GI for AWS CloudTrail SecOps App

Availability

This feature is available in the following account plans.

Collection process overview

The following illustration is a graphical representation of the process for collecting logs from AWS CloudTrail and delivering them to Sumo Logic.

Configuring log collection

To configure log collection for Global Intelligence for AWS CloudTrail, follow the steps described here.

Sample log message

{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDAJK3NPEULWEXAMPLE","arn":"arn:aws:iam::224064EXAMPLE:user/username","accountId":"2240example0808","userName":"Pamelia@example.com"},"eventTime":"2020-01-11 00:42:12+0000","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-example","sourceIPAddress":"10.10.10.10","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"LoginTo":"https://us-example.console.aws.amazon...sauthcode=true","MobileVersion":"No","MFAUsed":"Yes"},"eventID":"8fd88195-8576-example-8330cb492604","eventType":"AwsConsoleSignIn","recipientAccountId":"22406424example0808"}

Query example

The following sample query is from the Unique AWS Resource Types panel of Dashboard 01: Attack Surface Benchmark.

_sourceCategory=Labs/AWS/CloudTrail/Analytics 

| json "eventSource", "errorCode" nodrop 

| where isBlank(errorCode) 

| count_distinct(eventSource) as count 

| "ResourcesCount_Service" as benchmarkname 

| fillmissing values("ResourcesCount_Service") in benchmarkname 

| toInt(count) as count

| infer _category=cloudtrail _model=benchmark

| first(count) as MyCompany, first(lower_limit) as cohort_low, first(median) as cohort_median, first(upper_limit) as cohort_high by benchmarkname