To navigate to the AWS CloudTrail page, select Resources > Cloud > AWS CloudTrail in the Lacework Console.
To populate the AWS data viewed in this page, you must configure an integration with at least one AWS account. For more information, see Lacework for AWS.
Lacework provides visibility into your account security through the continued monitoring and analysis of CloudTrail. This CloudTrail page provides graphs and panels that summarize the CloudTrail data that is collected during this monitoring and analysis.
Use the account drop-down to limit the results displayed in the dashboard to a single specific AWS account or for all AWS accounts integrated with Lacework. The account drop-down is located in the top middle of the panel and defaults to All Accounts.
At the top of the panel, you can specify global filters that apply to all the data displayed in the CloudTrail page, for example, you can report activity within the last 2 hours only. This functionality is useful when attempting to pinpoint a specific date range and the activities that occurred during that time frame.
If no events are listed in the timeline, consider increasing the size of the date range as described below.
To set a date/time range to report on, add a filter using one of the following methods:
Click the start date and select the calendar icon. Repeat for the end date.
Open the Date Range drop-down by selecting the down arrow next to the clock icon, and select an option.
Verify the start and end times are correct for your date/time range and change them if required, for example, if you select Last 7 days from the Date Range drop-down at 3 PM on March 21 2019, the following date/time ranges are reported: Mar 14, 2019 12 AM to Mar 21, 2019 12 AM. Note the end time is 12 AM. If you want to view all events for today, change the end time to 3 PM.
Specify a time for the start and end dates by selecting the clock icon.
In addition to filtering by date range, you can filter on optional parameters.
To filter on these parameters:
To add filters using these parameters, click in the field next to the funnel.
Select a parameter type such as Region.
Select a filter Operator.
- Select includes if the value of the parameter in the CloudTrail logs must match the value or regular expression specified in the condition, for example, specify Region includes us- if you want the filter to return data generated from all us regions, such as us-west-1, us-east-1, us-east-2 etc.
- Select excludes if the value of the parameter in the CloudTrail logs should not match the value or regular expression specified in the condition, for example, specify Region excludes us-west-1 if you do not want the filter to return data generated in that region.
- Enter a value or regular expression to compare against. Do not enter quotes, the Lacework Console adds the quotes when you enter return. You can specify the * wildcard to match one or more characters.
- You can optionally add multiple filter checks. In addition, you can filter on date/time ranges as described above.
In the tables under the Timeline, some column values allow you to add a filter by selecting the adjacent funnel icon as shown here:
A new filter is added and visible at the top of the page.
The following visual graphs are displayed on the left:
- Unique UserNames
- Unique APIs
- Unique Accounts
- Unique Regions
- Unique Services
- Unique Errors
All data, including these graphs, correlates with the date range and parameters set in the global filter. Each graph can be refreshed for updated data or expanded to view full screen. Hover over a specific point in time on one graph simultaneously pinpoints the data to that date on the other graphs.
To the right of the visual graphs is the Timeline panel. The Timeline panel displays a timeline of events that match the date/time filter and any specified optional parameter filters set at the top of the page. Because only CloudTrail events are assessed in this page, the only applicable event category tile for the timeline is Cloud Activity. This timeline can assist you in locating and identifying the specific date/time when a non-compliance resource may have taken effect.
The Timeline panel displays counts of matching events grouped by severity. To optionally filter events by severities, click one or more severity tiles, for example, if only the Critical tile is selected, only critical events are listed. A selected tile has a blue background. Note that filtering by severity only affects the events listed in the timeline and has no effect on the other tables in this page.
To view more details about an event in the timeline, click the Expand event details down arrow.
For a complete history of the event, click the Open Event Dossier icon located to the left of the Expand event details.
In the Polygraph panel, you can visualize your data in a streamlined way that can help identify any misconfigurations or events that both should and should not be occurring. For CloudTrail, the Polygraph displays API behavior in the following order from left to right:
AWS Account > Region > CallType > User/Role > Region > AWS Service > Action > Resource
The logs listed in the CloudTrail Logs panel are similar to the logs you would see in the AWS Console (AWS > CloudTrail), however, in the Lacework Console you can search and utilize filters to identify and analyze actions within your AWS account(s).
For some values in this panel, you can click the funnel icon to add a filter, for example, click the funnel next to a service to create a filter to only show data from a specific service. The new filter appears at the top of the panel. You can use multiple filters, including includes and excludes, to isolate what you really want to view and inspect.
The User Details panel displays a list of CloudTrail user information in reference to User Name, Region, Account Number, Account Alias, Caller Account, City, State, and Country. This panel is useful when you need to audit or assess user activity. In this panel, you can view details such as what account and region a user engaged in an activity, as well as information such as whether or not MFA is enabled on a particular account.
The User Events panel displays Service, User Name, Event, Alert Count, and Event Count information. This panel is useful when looking into specific users or IAM service account roles to see what particular alert and events are being generated and how many (count).
API Error Events
The API Error Events panel displays Service, Error Code, User, API, and Error Count information. This panel can be helpful when attempting to isolate what API calls are being made to your AWS account(s), the associated errors that are occurring, and how many, for example, sort on the Error Count column in descending order to view a list of the API errors occurring within your AWS account. This can potentially raise visibility into service account roles and the errors they are generating that may need to be investigated and assessed.