Skip to main content

AWS - CloudTrail

This Integration is part of the AWS - CloudTrail Pack.#

Amazon Web Services CloudTrail. This integration was integrated and tested with version 1.0.11 of AWS - CloudTrail.

Configure AWS - CloudTrail in Cortex#

ParameterRequired
AWS Default RegionFalse
Role ArnFalse
Role Session NameFalse
Role Session DurationFalse
Access KeyFalse
Secret KeyFalse
Access KeyFalse
Secret KeyFalse
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-cloudtrail-create-trail#


Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket. A maximum of five trails can exist in a region, irrespective of the region in which they were created.

Base Command#

aws-cloudtrail-create-trail

Input#

Argument NameDescriptionRequired
nameSpecifies the name of the trail.Required
s3BucketNameSpecifies the name of the Amazon S3 bucket designated for publishing log files.Required
s3KeyPrefixSpecifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.Optional
snsTopicNameSpecifies the name of the Amazon SNS topic defined for notification of log file delivery.Optional
includeGlobalServiceEventsSpecifies whether the trail is publishing events from global services such as IAM to the log files. Possible values are: True, False.Optional
isMultiRegionTrailSpecifies whether the trail is created in the current region or in all regions. The default is false. Possible values are: True, False.Optional
enableLogFileValidationSpecifies whether log file integrity validation is enabled. The default is false. Possible values are: True, False.Optional
cloudWatchLogsLogGroupArnSpecifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs will be delivered. Not required unless you specify CloudWatchLogsRoleArn.Optional
cloudWatchLogsRoleArnSpecifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.Optional
kmsKeyIdSpecifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.CloudTrail.Trails.NamestringSpecifies the name of the trail.
AWS.CloudTrail.Trails.S3BucketNamestringSpecifies the name of the Amazon S3 bucket designated for publishing log files.
AWS.CloudTrail.Trails.IncludeGlobalServiceEventsbooleanSpecifies whether the trail is publishing events from global services such as IAM to the log files.
AWS.CloudTrail.Trails.IsMultiRegionTrailbooleanSpecifies whether the trail exists in one region or in all regions.
AWS.CloudTrail.Trails.TrailARNstringSpecifies the ARN of the trail that was created.
AWS.CloudTrail.Trails.LogFileValidationEnabledbooleanSpecifies whether log file integrity validation is enabled.
AWS.CloudTrail.Trails.SnsTopicARNstringSpecifies the ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
AWS.CloudTrail.Trails.S3KeyPrefixstringpecifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
AWS.CloudTrail.Trails.CloudWatchLogsLogGroupArnstringSpecifies the Amazon Resource Name (ARN) of the log group to which CloudTrail logs will be delivered.
AWS.CloudTrail.Trails.CloudWatchLogsRoleArnstringSpecifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
AWS.CloudTrail.Trails.KmsKeyIdstringSpecifies the KMS key ID that encrypts the logs delivered by CloudTrail.
AWS.CloudTrail.Trails.HomeRegionstringThe region in which the trail was created.

aws-cloudtrail-delete-trail#


Deletes a trail. This operation must be called from the region in which the trail was created. DeleteTrail cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.

Base Command#

aws-cloudtrail-delete-trail

Input#

Argument NameDescriptionRequired
nameSpecifies the name or the CloudTrail ARN of the trail to be deleted. The format of a trail ARN is: arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail.Required

Context Output#

There is no context output for this command.

aws-cloudtrail-describe-trails#


Retrieves settings for the trail associated with the current region for your account.

Base Command#

aws-cloudtrail-describe-trails

Input#

Argument NameDescriptionRequired
trailNameListSpecifies a list of trail names, trail ARNs, or both, of the trails to describe. If an empty list is specified, information for the trail in the current region is returned.Optional
includeShadowTrailsSpecifies whether to include shadow trails in the response. A shadow trail is the replication in a region of a trail that was created in a different region. The default is true. Possible values are: True, False.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.CloudTrail.Trails.NamestringName of the trail set by calling CreateTrail.
AWS.CloudTrail.Trails.S3BucketNamestringName of the Amazon S3 bucket into which CloudTrail delivers your trail files.
AWS.CloudTrail.Trails.S3KeyPrefixstringSpecifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
AWS.CloudTrail.Trails.SnsTopicARNstringSpecifies the ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
AWS.CloudTrail.Trails.IncludeGlobalServiceEventsbooleanSet to True to include AWS API calls from AWS global services such as IAM. Otherwise, False.
AWS.CloudTrail.Trails.IsMultiRegionTrailbooleanSpecifies whether the trail belongs only to one region or exists in all regions.
AWS.CloudTrail.Trails.HomeRegionstringThe region in which the trail was created.
AWS.CloudTrail.Trails.TrailARNstringSpecifies the ARN of the trail.
AWS.CloudTrail.Trails.LogFileValidationEnabledbooleanSpecifies whether log file validation is enabled.
AWS.CloudTrail.Trails.CloudWatchLogsLogGroupArnstringSpecifies an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs will be delivered.
AWS.CloudTrail.Trails.CloudWatchLogsRoleArnstringSpecifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
AWS.CloudTrail.KmsKeyIdstringSpecifies the KMS key ID that encrypts the logs delivered by CloudTrail.
AWS.CloudTrail.HasCustomEventSelectorsbooleanSpecifies if the trail has custom event selectors.

aws-cloudtrail-update-trail#


Updates the settings that specify delivery of log files. Changes to a trail do not require stopping the CloudTrail service.

Base Command#

aws-cloudtrail-update-trail

Input#

Argument NameDescriptionRequired
nameSpecifies the name of the trail or trail ARN.Required
s3BucketNameSpecifies the name of the Amazon S3 bucket designated for publishing log files.Optional
s3KeyPrefixSpecifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.Optional
snsTopicNameSpecifies the name of the Amazon SNS topic defined for notification of log file delivery.Optional
includeGlobalServiceEventsSpecifies whether the trail is publishing events from global services such as IAM to the log files.Optional
isMultiRegionTrailSpecifies whether the trail applies only to the current region or to all regions. The default is false. If the trail exists only in the current region and this value is set to true, shadow trails (replications of the trail) will be created in the other regions. If the trail exists in all regions and this value is set to false, the trail will remain in the region where it was created, and its shadow trails in other regions will be deleted.Optional
enableLogFileValidationSpecifies whether log file validation is enabled. The default is false.Optional
cloudWatchLogsLogGroupArnSpecifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs will be delivered. Not required unless you specify CloudWatchLogsRoleArn.Optional
cloudWatchLogsRoleArnSpecifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.Optional
kmsKeyIdSpecifies the KMS key ID to use to encrypt the logs delivered by CloudTrail.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.CloudTrail.Trails.NamestringSpecifies the name of the trail.
AWS.CloudTrail.Trails.S3BucketNamestringSpecifies the name of the Amazon S3 bucket designated for publishing log files.
AWS.CloudTrail.Trails.IncludeGlobalServiceEventsbooleanSpecifies whether the trail is publishing events from global services such as IAM to the log files.
AWS.CloudTrail.Trails.IsMultiRegionTrailbooleanSpecifies whether the trail exists in one region or in all regions.
AWS.CloudTrail.Trails.TrailARNstringSpecifies the ARN of the trail that was created.
AWS.CloudTrail.Trails.LogFileValidationEnabledbooleanSpecifies whether log file integrity validation is enabled.
AWS.CloudTrail.Trails.SnsTopicARNstringSpecifies the ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
AWS.CloudTrail.Trails.S3KeyPrefixstringpecifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
AWS.CloudTrail.Trails.CloudWatchLogsLogGroupArnstringSpecifies the Amazon Resource Name (ARN) of the log group to which CloudTrail logs will be delivered.
AWS.CloudTrail.Trails.CloudWatchLogsRoleArnstringSpecifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
AWS.CloudTrail.Trails.KmsKeyIdstringSpecifies the KMS key ID that encrypts the logs delivered by CloudTrail.
AWS.CloudTrail.Trails.HomeRegionstringThe region in which the trail was created.

aws-cloudtrail-start-logging#


Starts the recording of AWS API calls and log file delivery for a trail. For a trail that is enabled in all regions, this operation must be called from the region in which the trail was created. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.

Base Command#

aws-cloudtrail-start-logging

Input#

Argument NameDescriptionRequired
nameSpecifies the name or the CloudTrail ARN of the trail for which CloudTrail logs AWS API calls.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

aws-cloudtrail-stop-logging#


Suspends the recording of AWS API calls and log file delivery for the specified trail. Under most circumstances, there is no need to use this action. You can update a trail without stopping it first. This action is the only way to stop recording. For a trail enabled in all regions, this operation must be called from the region in which the trail was created, or an InvalidHomeRegionException will occur. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail enabled in all regions.

Base Command#

aws-cloudtrail-stop-logging

Input#

Argument NameDescriptionRequired
nameSpecifies the name or the CloudTrail ARN of the trail for which CloudTrail logs AWS API calls.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

aws-cloudtrail-lookup-events#


Looks up API activity events captured by CloudTrail that create, update, or delete resources in your account. Events for a region can be looked up for the times in which you had CloudTrail turned on in that region during the last seven days.

Base Command#

aws-cloudtrail-lookup-events

Input#

Argument NameDescriptionRequired
attributeKeySpecifies an attribute on which to filter the events returned. Possible values are: AccessKeyId, EventId, EventName, Username, ResourceType, ResourceName, EventSource, ReadOnly.Required
attributeValueSpecifies a value for the specified AttributeKey.Required
startTimeSpecifies that only events that occur after or at the specified time are returned.Optional
endTimeSpecifies that only events that occur before or at the specified time are returned.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.CloudTrail.Events.EventIdstringThe CloudTrail ID of the event returned.
AWS.CloudTrail.Events.EventNamestringThe name of the event returned.
AWS.CloudTrail.Events.EventTimedateThe date and time of the event returned.
AWS.CloudTrail.Events.EventSourcestringThe AWS service that the request was made to.
AWS.CloudTrail.Events.UsernamestringA user name or role name of the requester that called the API in the event returned.
AWS.CloudTrail.Events.ResourceNamestringThe type of a resource referenced by the event returned. When the resource type cannot be determined, null is returned. Some examples of resource types are: Instance for EC2, Trail for CloudTrail, DBInstance for RDS, and AccessKey for IAM.
AWS.CloudTrail.Events.ResourceTypestringThe name of the resource referenced by the event returned. These are user-created names whose values will depend on the environment. For example, the resource name might be "auto-scaling-test-group" for an Auto Scaling Group or "i-1234567" for an EC2 Instance.
AWS.CloudTrail.Events.CloudTrailEventstringA JSON string that contains a representation of the event returned.

aws-cloudtrail-get-trail-status#


Returns a JSON-formatted list of information about the specified trail. Fields include information on delivery errors, Amazon SNS and Amazon S3 errors, and start and stop logging times for each trail.

Base Command#

aws-cloudtrail-get-trail-status

Input#

Argument NameDescriptionRequired
trailNameListSpecifies the names of multiple trails.Optional
regionSpecifies the region of the trail.Required
roleArnThe The Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional
nameSpecifies the name of the trail.Required

Context Output#

PathTypeDescription
AWS.CloudTrail.TrailStatus.IsLoggingbooleanWhether the CloudTrail trail is currently logging Amazon Web Services API calls.
AWS.CloudTrail.TrailStatus.LatestDeliveryErrorstringDisplays any Amazon S3 error that CloudTrail encountered when attempting to deliver log files to the designated bucket.
AWS.CloudTrail.TrailStatus.LatestNotificationErrorstringDisplays any Amazon SNS error that CloudTrail encountered when attempting to send a notification.
AWS.CloudTrail.TrailStatus.LatestDeliveryTimedateSpecifies the date and time that CloudTrail last delivered log files to an account’s Amazon S3 bucket.
AWS.CloudTrail.TrailStatus.LatestNotificationTimedateSpecifies the date and time of the most recent Amazon SNS notification that CloudTrail has written a new log file to an account’s Amazon S3 bucket.
AWS.CloudTrail.TrailStatus.StartLoggingTimedateSpecifies the most recent date and time when CloudTrail started recording API calls for an Amazon Web Services account.
AWS.CloudTrail.TrailStatus.StopLoggingTimedateSpecifies the most recent date and time when CloudTrail stopped recording API calls for an Amazon Web Services account.
AWS.CloudTrail.TrailStatus.LatestCloudWatchLogsDeliveryErrorstringDisplays any CloudWatch Logs error that CloudTrail encountered when attempting to deliver logs to CloudWatch Logs.
AWS.CloudTrail.TrailStatus.LatestCloudWatchLogsDeliveryTimedateDisplays the most recent date and time when CloudTrail delivered logs to CloudWatch Logs.
AWS.CloudTrail.TrailStatus.LatestDigestDeliveryTimedateSpecifies the date and time that CloudTrail last delivered a digest file to an account’s Amazon S3 bucket.
AWS.CloudTrail.TrailStatus.LatestDigestDeliveryErrorstringDisplays any Amazon S3 error that CloudTrail encountered when attempting to deliver a digest file to the designated bucket.