AlienVault® USM Anywhere™

Collecting AWS CloudTrail Logs

Amazon Web Services (AWS) CloudTrail provides a complete audit log for all actions taken with the Amazon API, either through the web user interface (UI), the AWS command line interface (CLIASCII text-based interface to an operating system or device, that allows execution of commands to perform operations such as administration, configuration, or other maintenance operations.), or an AWS software development kit (SDK). Ongoing monitoring of this log gives you visibility of end-user and automated actions in your environment. This helps you quickly detect abuse cases and security incidents, such as a user trying to make changes to an AWS account that are inconsistent with their privileges.

USM Anywhere automatically detects AWS CloudTrail, and retrieves your AWS CloudTrail logs across all regions within a single AWS account. USM Anywhere also provides you the credentials to securely access your AWS CloudTrail logs.

As the AWS sensor collects this raw log data, USM Anywhere uses its AWS CloudTrail plugin to normalizeNormalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. the data and generate meaningful events. Depending on the size and activity in your AWS account, this log collection can produce an excessive number of events. See Managing Collected CloudTrail Event Logs for a list of possible CloudTrail events.

Important: USM Anywhere does not currently support the AWS Organizations feature, so AT&T Cybersecurity advises against using organization trails at this time.

Note: If you choose not to enable AWS CloudTrail, USM Anywhere processes all stored logs at initial startup. See the Amazon documentation for information about enabling AWS CloudTrail.