AWS CloudTrail Page
Lacework provides visibility into your account security through the continued monitoring and analysis of CloudTrail. This CloudTrail page provides graphs and panels that summarize the CloudTrail data that is collected during this monitoring and analysis. Lacework ingests management events only; see Log Types for more information.
Select Resources > Cloud > AWS CloudTrail in the Lacework Console to display the AWS CloudTrail page.
To populate the AWS data viewed in this page, you must configure an integration with at least one AWS account. For more information, see Integrate Lacework with AWS.
Use the account filter to limit the results to a single specific AWS account or all AWS accounts integrated with Lacework.
Use the following methods to further refine the data displayed on the CloudTrail page.
- Use the search bar or filters at the top of the page to filter by specific fields, operators, and values. You can specify the * wildcard to match one or more characters. Additionally, some tables' column values let you add a filter by selecting the adjacent funnel icon.
- To remove an active filter, click its filter and then click Reset or x. To remove all filters, click Reset, which is next to the filters.
To change the time range, use the horizontal arrows to move to another period, select a different period, or select Custom.
Only information found during the specified date range is reported. For example, if a specific behavior occurred 9 days ago and the specified range is the latest week, this behavior is not listed.
The following visual graphs are displayed on the left:
- Unique UserNames
- Unique APIs
- Unique Accounts
- Unique Regions
- Unique Services
- Unique Errors
All data, including these graphs, correlates with the date range and parameters set in the global filter.
All CloudTrail alerts are shown broken out by severity.
In the Polygraph panel, you can visualize your data in a streamlined way that can help identify any misconfigurations or events that both should and should not be occurring. For CloudTrail, the Polygraph displays API behavior in the following order from left to right:
AWS Account > Region > CallType > User/Role > Region > AWS Service > Action > Resource
The logs listed in the CloudTrail Logs panel are similar to the logs you would see in the AWS Console (AWS > CloudTrail). In the Lacework Console, however, you can search and apply filters to identify and analyze actions within your AWS account(s).
For some values in this panel, you can click the funnel icon to add a filter. For example, click the funnel next to a service to create a filter that shows only data from that service. The new filter appears at the top of the panel. You can combine multiple filters, including includes and excludes, to isolate exactly what you want to view and inspect.
The User Details panel displays CloudTrail user information: User Name, Region, Account Number, Account Alias, Caller Account, City, State, and Country. This panel is useful when you need to audit or assess user activity. Here you can see the account and region in which a user performed an activity, as well as details such as whether MFA is enabled on a particular account.
The User Events panel displays Service, User Name, Event, Alert Count, and Event Count information. This panel is useful when investigating specific users or IAM service account roles to see which alerts and events they are generating and how many.
API Error Events
The API Error Events panel displays Service, Error Code, User, API, and Error Count information. This panel can help you isolate which API calls are being made to your AWS account(s), the associated errors that are occurring, and how many. For example, sort the Error Count column in descending order to view the API errors occurring most frequently within your AWS account. This can raise visibility into service account roles and the errors they are generating that may need to be investigated and assessed.
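As an added example (not Lacework's code), the following Python rebuilds that Service / Error Code / User / API / Error Count table from raw CloudTrail records: it keeps management events only, as described above, names the caller from userIdentity, and counts failed calls per service, error code, user and API. The records are constructed in CloudTrail's JSON record format with placeholder account IDs and ARNs.

```python
import json
from collections import Counter

# Constructed sample: four management events (three failures) plus one S3 data event,
# which the summary must ignore because only management events are ingested.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "managementEvent": True, "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy", "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "managementEvent": True, "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-43"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "222222222222", "managementEvent": True,
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "managementEvent": False, "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def management_events(raw_json):
    """Parse a CloudTrail log file and keep management events only (data events are dropped)."""
    return [r for r in json.loads(raw_json)["Records"] if r.get("managementEvent", True)]


def caller(record):
    """Name the caller: the IAM user name, or for an assumed role the role name from the ARN."""
    ident = record["userIdentity"]
    if "userName" in ident:
        return ident["userName"]
    # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> ROLE (sessions of one role roll up)
    return ident["arn"].split("/")[1]


def api_error_events(records):
    """Return rows of (service, error code, user, API, error count), highest count first."""
    counts = Counter(
        (r["eventSource"].split(".")[0], r["errorCode"], caller(r), r["eventName"])
        for r in records if "errorCode" in r)
    return [key + (n,) for key, n in counts.most_common()]


if __name__ == "__main__":
    for row in api_error_events(management_events(SAMPLE_LOG)):
        print(*row)
```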
AWS Anomaly Alerting
AWS anomaly-based alerting generates alerts when there are behavioral changes. For the list of AWS alerts, see Alert Types.