AWS CloudTrail

Integration version: 5.0

The AWS CloudTrail integration solves the following use cases:

  1. Ingest findings into Google Security Operations SOAR for investigation.
  2. Ingest insights for active actions.

Prerequisites

This integration requires configuring the read-only access policy. For more details about the policy, see Granting custom permissions for CloudTrail users on the AWS documentation website.

Integrate AWS CloudTrail with Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration inputs

To configure the integration, use the following parameters:

Parameters
AWS Access Key ID Required

AWS Access Key ID to use in integration.

AWS Secret Key Required

AWS Secret Key to use in integration.

AWS Default Region Required

AWS default region to use in integration, such as us-west-2.

Actions

You can run any integration action either automatically in a playbook or manually from the Case View.

Ping

Test connectivity to AWS CloudTrail.

Entities

This action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result N/A
Script result Available
Script result
Script result name Value
is_success True/False
Case wall

The action provides the following output messages:

Output message Message description
Successfully connected to the AWS CloudTrail server with the provided connection parameters! Action succeeded.
Failed to connect to the AWS CloudTrail server! Error is ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Connectors

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

AWS CloudTrail - Insights Connector

Pull insights from AWS CloudTrail.

Connector inputs

To configure the connector, use the following parameters:

Parameters
Product Field Name Required

Input the source field name to retrieve the Product Field name.

Default value is Product Name.

Event Field Name Required

Enter the source field name to retrieve the Event Field name.

Default value is CloudTrailEvent_insightDetails_insightType.

Environment Field Name Optional

Name of the field where the environment name is stored.

If the environment field isn't found, the default environment is used.

Default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field.

The default value .* catches all and returns the value unchanged.

The parameter lets you manipulate the environment field using the regular expression logic.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Required

Timeout limit for the python process running the current script.

Default value is 180 seconds.

AWS Access Key ID Required

AWS Access Key ID to use in integration.

AWS Secret Key Required

AWS Secret Key to use in integration.

AWS Default Region Required

AWS default region to use in integration, such as us-west-2.

Alert Severity Required

Severity of the Google Security Operations SOAR Alerts created based on the insights.

Possible values are:
  • Informational
  • Low
  • Medium
  • High
  • Critical
Default value is Medium.
Fetch Max Hours Backwards Optional

Number of hours before now to retrieve incidents from.

Default value is 1 hour.

Max Insights To Fetch Optional

Number of incidents to process per one connector iteration.

Max value is 50.

Default value is 50.

Use whitelist as a blacklist Required

If checked, the dynamic list is used as a blocklist.

Unchecked by default.

Verify SSL Required

If checked, verifies that the SSL certificate for the connection to the AWS CloudTrail server is valid.

Unchecked by default.

Proxy Server Address Optional

Address of the proxy server to use.

Proxy Username Optional

Proxy username to authenticate with.

Proxy Password Optional

Proxy password to authenticate with.

Connector rules

The connector supports proxy.