AWS CloudTrail
Integration version: 3.0
The AWS CloudTrail integration solves the following use cases:
- Ingest findings into Google Security Operations SOAR for investigation.
- Ingest insights for active actions.
Prerequisites
This integration requires configuring the read-only access policy. For more details about the policy, see Granting custom permissions for CloudTrail users on the AWS documentation website.
Integrate AWS CloudTrail with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
| Parameters | |
|---|---|
AWS Access Key ID |
Required AWS Access Key ID to use in integration. |
AWS Secret Key |
Required AWS Secret Key to use in integration. |
AWS Default Region |
Required AWS default region to use in integration, such as
|
Actions
You can run any integration action either automatically in a playbook or manually from the Case View.
Ping
Test connectivity to AWS CloudTrail.
Entities
This action doesn't run on entities.
Action inputs
N/A
Action outputs
| Action output type | |
|---|---|
| Case wall attachment | N/A |
| Case wall link | N/A |
| Case wall table | N/A |
| Enrichment table | N/A |
| JSON result | N/A |
| Script result | Available |
Script result
| Script result name | Value |
|---|---|
| is_success | True/False |
Case wall
The action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the AWS CloudTrail server with the
provided connection parameters! |
Action succeeded. |
Failed to connect to the AWS CloudTrail server! Error is
ERROR_REASON |
Action failed. Check connection to the server, input parameters, or credentials. |
Connectors
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
AWS CloudTrail - Insights Connector
Pull insights from AWS CloudTrail.
Connector inputs
To configure the connector, use the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required
Input the source field name to retrieve the Default value is |
Event Field Name |
Required
Enter the source field name to retrieve the Default value is |
Environment Field Name |
Optional
Name of the field where the environment name is stored. If the environment field isn't found, the default environment is used. Default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
The default value The parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) |
Required Timeout limit for the python process running the current script. Default value is 180 seconds. |
AWS Access Key ID |
Required
AWS Access Key ID to use in integration. |
AWS Secret Key |
Required
AWS Secret Key to use in integration. |
AWS Default Region |
Required
AWS default region to use in integration, such as |
Alert Severity |
Required
Severity of the Google Security Operations SOAR Alerts created based on the insights. Possible values are:
Medium.
|
Fetch Max Hours Backwards |
Optional
Number of hours before now to retrieve incidents from. Default value is 1 hour. |
Max Insights To Fetch |
Optional
Number of incidents to process per one connector iteration. Max value is 50. Default value is 50. |
Use whitelist as a blacklist |
Required
If checked, the dynamic list is used as a blocklist. Unchecked by default. |
Verify SSL |
Required
If checked, verifies that the SSL certificate for the connection to the AWS CloudTrail server is valid. Unchecked by default. |
Proxy Server Address |
Optional
Address of the proxy server to use. |
Proxy Username |
Optional
Proxy username to authenticate with. |
Proxy Password |
Optional
Proxy password to authenticate with. |
Connector rules
The connector supports proxy.