Integrate AWS CloudTrail with Google SecOps

This document explains how to integrate AWS CloudTrail with Google Security Operations (Google SecOps).

Integration version: 5.0

Prerequisites

This integration requires you to configure the read-only access policy. For more information about the policy, see Granting custom permissions for CloudTrail users on the AWS documentation website.

Integration inputs

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

To configure the integration, use the following parameters:

Parameters
AWS Access Key ID

Required.

AWS Access Key ID to use in integration.

AWS Secret Key

Required.

AWS Secret Key to use in integration.

AWS Default Region

Required.

AWS default region to use in integration, such as us-west-2.

Actions

You can run any integration action either automatically in a playbook or manually from the Case View.

Ping

Test connectivity to AWS CloudTrail.

Entities

This action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type        Availability
Case wall attachment      N/A
Case wall link            N/A
Case wall table           N/A
Enrichment table          N/A
JSON result               N/A
Script result             Available

Script result

Script result name        Value
is_success                True/False

Case wall

The action provides the following output messages:

Output message: Successfully connected to the AWS CloudTrail server with the provided connection parameters!
Message description: Action succeeded.

Output message: Failed to connect to the AWS CloudTrail server! Error is ERROR_REASON
Message description: Action failed. Check connection to the server, input parameters, or credentials.

Connectors

For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).

AWS CloudTrail - Insights Connector

Pull insights from AWS CloudTrail.

Connector inputs

To configure the connector, use the following parameters:

Parameters
Product Field Name

Required.

Event Field Name

Required.

The name of the field that determines the event name (subtype).

Default value is CloudTrailEvent_insightDetails_insightType.

Environment Field Name

Optional.

The name of the field where the environment name is stored.

If the environment field is missing, the connector uses the default value.

Environment Regex Pattern

Optional.

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the raw Environment Field Name value unchanged.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds)

Required.

The timeout limit, in seconds, for the Python process that runs the current script.

Default value is 180 seconds.

AWS Access Key ID

Required.

AWS Access Key ID to use in integration.

AWS Secret Key

Required.

AWS Secret Key to use in integration.

AWS Default Region

Required.

AWS default region to use in integration, such as us-west-2.

Alert Severity

Required.

Severity level of the Google SecOps alerts created based on the insights.

Possible values are:
  • Informational
  • Low
  • Medium
  • High
  • Critical
Default value is Medium.

Fetch Max Hours Backwards

Optional.

The number of hours before the first connector iteration to retrieve the insights.

This parameter applies to the initial connector iteration after you enable the connector for the first time, and serves as the fallback value when the stored connector timestamp has expired.

Default value is 1 hour.
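The following is an added example, not part of this document or the Google SecOps connector code, showing how the Event Field Name, Environment Regex Pattern and Fetch Max Hours Backwards parameters above act on a record: it flattens a constructed CloudTrail insight record into underscore-joined keys (so the default `CloudTrailEvent_insightDetails_insightType` resolves), applies the environment regex with the documented default-environment fallback, and derives the lookup start time. The flattening scheme, the default environment name, the epoch-seconds timestamps and the "expired timestamp" rule are assumptions made for the example.

```python
import json
import re

# Constructed sample shaped like one CloudTrail LookupEvents record with
# EventCategory='insight'; the API returns CloudTrailEvent as a JSON string.
SAMPLE_EVENT = {
    "EventName": "ConsoleLogin",
    "CloudTrailEvent": json.dumps({
        "awsRegion": "us-west-2",
        "insightDetails": {"insightType": "ApiCallRateInsight", "state": "Start"},
    }),
}
DEFAULT_ENVIRONMENT = "Default Environment"  # assumed name of the fallback environment
HOUR = 3600  # timestamps below are Unix epoch seconds (assumption)


def flatten(obj, prefix=""):
    # Join nested keys with underscores so the default Event Field Name
    # CloudTrailEvent_insightDetails_insightType resolves against the record.
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if key == "CloudTrailEvent" and isinstance(value, str):
            value = json.loads(value)  # decode the embedded JSON document first
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat


def resolve_environment(flat_event, field_name, pattern, default=DEFAULT_ENVIRONMENT):
    # Empty pattern or missing value -> default environment; otherwise the first
    # regex match (assumption: a pattern that matches nothing also falls back).
    value = flat_event.get(field_name)
    if not pattern or value is None:
        return default
    match = re.search(pattern, str(value))
    return match.group(0) if match else default


def lookup_window_start(last_timestamp, max_hours_backwards, now):
    # No saved timestamp (first iteration) or, by assumption here, a saved
    # timestamp older than the window -> now minus Fetch Max Hours Backwards.
    fallback = now - max_hours_backwards * HOUR
    if last_timestamp is None or last_timestamp < fallback:
        return fallback
    return last_timestamp
```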

Max Insights To Fetch

Optional.

The number of insights to process in one connector iteration.

Max value is 50.

Default value is 50.

Use whitelist as a blacklist

Required.

If selected, the dynamic list is used as a blocklist.

Unchecked by default.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to the AWS CloudTrail server.

Not selected by default.

Proxy Server Address

Optional.

Address of the proxy server to use.

Proxy Username

Optional.

Proxy username to authenticate with.

Proxy Password

Optional.

Proxy password to authenticate with.

Connector rules

The connector supports proxies.
