To navigate to the AWS CloudTrail page, select AWS > CloudTrail in the Lacework Console.
To populate the AWS data viewed in this page, you must configure an integration with at least one AWS account. For more information, see Lacework for AWS.
Lacework provides visibility into your account security through the continued monitoring and analysis of CloudTrail. This CloudTrail page provides graphs and panels that summarize the CloudTrail data that is collected during this monitoring and analysis.
Use the account drop-down to limit the results displayed in the dashboard to a single specific AWS account or for all AWS accounts integrated with Lacework. The account drop-down is located in the top middle of the panel and defaults to All Accounts.
At the top of the panel, you can specify global filters that apply to all the data displayed in the CloudTrail page, for example, you can only report only activity within the last 2 days. This functionality is useful when attempting to pinpoint a specific date range and the activities that occurred within your account(s) at that time frame.
If no events are listed in the timeline, consider increasing the size of the date range as described below.
To set a date/time range to report on, add a filter using one of the following methods:
- Click the start date and select the calendar icon. Repeat for the end date.
- Open the DATE RANGE drop-down by selecting the down arrow next to the clock icon, and select an option.
Verify the start and end times are correct for your date/time range and change them if required, for example, if you select Last 7 days from the DATE RANGE drop-down at 3 PM on March 21 2019, the following date/time ranges are reported: Mar 14, 2019 12 AM to Mar 21, 2019 12 AM. Note the end time is 12 AM but if you want to view all the events for today, change the end time to 3 PM.
Specify a time for the start and end dates, by selecting the clock icon.
Besides filtering by date range, you can also filter on the parameters: API, Caller Account, Event ID, Region, Service, Source IP, and User.
To filter on these parameters:
- To add filters using these parameters, click in the field next to the funnel.
- Select a parameter type such as Region.
- Select a filter OPERATOR.
Select includes if the value of the parameter in the CloudTrail logs must match the value or regular expression specified in the condition, for example, specify Region includes us-* if you want the filter to return data generated from all us regions, such as us-west-1, us-east-1, us-east-2 etc.
Select excludes if the value of the parameter in the CloudTrail logs should not match the value or regular expression specified in the condition, for example, specify Region excludes us-west-1 if you do not want the filter to return data generated in the us-west-
- Enter a value or regular expression to compare against. Do not enter quotes, the Lacework adds the quotes when you enter return. You can specify the * wildcard to match one or more characters.
- You can optionally add multiple filter checks. In addition, you can filter on date/time ranges as described above.
You can also add a filter by selecting the funnel icon next to an API, Event, Region, Service and User Name in all the tables under Timeline as shown here:
A new filter is added and visible at the top of the page.
The following visual graphs are displayed on the left:
- Unique UserNames
- Unique APIs
- Unique Accounts
- Unique Regions
- Unique Services
- Unique Errors
All data, including these graphs will correlate with the date range and parameters set in the global filter. Each graph can be refreshed for updated data or expanded to view full screen. Hover over a specific point in time on one graph simultaneously pinpoints the data to that date on the other graphs.
To the right of the visual graphs is the Timeline panel. The Timeline panel displays a timeline of AWS CloudTrail events that match the date/time filter and any specified optional parameter filters set at the top of the page. Because only CloudTrail events are being assessed in this page, the only applicable event category tile for the timeline is CLOUD ACTIVITY. This timeline can assist you in locating and identifying the specific date/time in which a non-compliance resource may have taken effect.
The Timeline panel displays counts of matching events grouped by severity. To optionally filter events by severities, click one or more severity tiles, for example, if only the Critical tile is selected, only critical events are listed. A selected tile has a blue background. Note that filtering by severity only affects the events listed in the timeline and has no effect on the other tables in this page.
To view more details about an event in the timeline, click the Expand event details down arrow.
For a complete history of the event, click the Open Event Dossier icon located to the left of the Expand event details.
In the Polygraph panel, you can visualize your data in a streamlined way which can help identify any misconfigurations or events that both should and should not be occurring. For CloudTrail, the Polygraph displays API behavior, in the following order from left to right:
AWS Account > Region > CallType > User/Role > Region > AWS Service > Action > Resource
The CloudTrail logs listed in the CloudTrail panel are similar to the logs you would see in the AWS Console (AWS > CloudTrail), however, in the Lacework console you can search and utilize filters to identify and analyze actions within your AWS account(s).
For many of the values in the CloudTrail Logs panel, you can click the funnel icon to add a filter, for example, click the funnel next to us-east-1 to create a region filter to only show data from the us-east-1 region. The new filter appears at the top of the panel. Multiple filters including both includes as well as excludes can be utilized to isolate what you really want to view and inspect.
CloudTrail User Details
The CloudTrail User Details panel displays a list of CloudTrail user information in reference to User Name, Region, Account Number, Account Alias, Caller Account, City, State, and Country. This panel is useful when you need to audit or assess user activity. In this panel, you can view details such as what account and region a user engaged in activity, as well as information such as whether or not MFA is enabled on a particular account.
The User Events panel displays Service, User Name, Event, Alert Count, and Event Count information. This panel is useful when looking into specific users or IAM service account roles to see what particular alert and events are being generated and how many (count).
API Error Information
The API Error Information panel displays Service, Error Code, User, API, and Error Count information. This panel can be helpful when attempting to isolate what API calls are being made to your AWS account(s), the associated errors that are occurring, and how many, for example, sort on the Error Count column in descending order to view a list of the API errors occurring within your AWS account. This can potentially raise visibility into service account roles and the errors they are generating that may need to be investigated and assessed.