AlienVault® USM Anywhere™

Managing Collected CloudTrail Event Logs

Depending on the size and activity of your AWS account, CloudTrail log collection can produce an excessive number of events. Some of these events reflect normal activity, and you will most likely want to create suppression rules to eliminate them in the future. For other event types that are important and require attention, you may want to generate USM Anywhere alarms (an alarm provides notification of an event or sequence of events that require attention or investigation) or send notifications (a notification is communication of an important event, typically through an email message or other desktop display; in USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms).

CloudTrail produces log data for numerous AWS cloud services. As the AWS sensor collects this raw log data, USM Anywhere uses its CloudTrail plugin to normalize the data (normalization is the translation of log file entries received from disparate types of monitored assets into the standardized framework of event types and sub-types) and generate meaningful events. During the normalization process, it uses the logged action to populate the name for the event. You can use the Event Name field to specify a match condition for the events you want to manage using a rule.

Use the Event Name field to match a logged CloudTrail action

Important: The order of the conditions is significant because USM Anywhere follows a specific order when it evaluates the rule conditions, reading them from left to right. If your rule includes the packet_type and/or plugin_device fields, these should always occur first in the order.

For more information about creating rules, see Orchestration Rules.
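The following is an added illustration, not USM Anywhere code: it mimics the normalization step described above (the logged CloudTrail action becomes the event name), evaluates rule conditions left to right, and lints that packet_type and plugin_device come first. The event field names, the rule layout, the "suppress" and "alarm" actions, and the sample record are all assumptions constructed for this example.

```python
# Added illustration (not USM Anywhere code): normalise a CloudTrail record as the
# page describes (logged action -> event name), then evaluate ordered rule
# conditions. Field names, rule layout and actions are assumptions.
import json

# Constructed CloudTrail record, trimmed to the fields used here.
SAMPLE_RECORD = json.dumps({"eventSource": "iam.amazonaws.com",
                            "eventName": "DeleteUser", "awsRegion": "us-east-1",
                            "userIdentity": {"type": "IAMUser", "userName": "alice"}})

def normalize(raw: str) -> dict:
    """Mimic the plugin step: eventName populates the event name field."""
    rec = json.loads(raw)
    return {"packet_type": "log",               # assumed value
            "plugin_device": "AWS CloudTrail",  # assumed value
            "event_name": rec["eventName"],
            "user": rec.get("userIdentity", {}).get("userName", "")}

# Conditions are (field, value) pairs evaluated left to right; packet_type and
# plugin_device come first, as the documentation requires.
RULES = [
    {"name": "suppress-describe", "action": "suppress",
     "conditions": [("packet_type", "log"), ("plugin_device", "AWS CloudTrail"),
                    ("event_name", "DescribeInstances")]},
    {"name": "alarm-iam-delete", "action": "alarm",
     "conditions": [("packet_type", "log"), ("plugin_device", "AWS CloudTrail"),
                    ("event_name", "DeleteUser")]},
]
PRIORITY_FIELDS = {"packet_type", "plugin_device"}

def well_ordered(conditions) -> bool:
    """Lint a rule: packet_type/plugin_device must precede any other field."""
    fields = [f for f, _ in conditions]
    prio = [i for i, f in enumerate(fields) if f in PRIORITY_FIELDS]
    others = [i for i, f in enumerate(fields) if f not in PRIORITY_FIELDS]
    return not prio or not others or max(prio) < min(others)

def matches(event: dict, conditions) -> bool:
    """Left-to-right evaluation; the first failing condition stops the rule."""
    return all(event.get(f) == v for f, v in conditions)

def evaluate(event: dict, rules=RULES):
    """Return the action of the first well-ordered rule that matches, else None."""
    for rule in rules:
        if well_ordered(rule["conditions"]) and matches(event, rule["conditions"]):
            return rule["action"]
    return None
```

Running `evaluate(normalize(SAMPLE_RECORD))` yields "alarm" for the constructed DeleteUser record, while a DescribeInstances record would hit the suppression rule instead.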

CloudTrail Event Names by Type