AWSCloudTrailLog

Overview

AWS CloudTrail records the actions taken by an IAM user, role, or AWS service as events. These include actions taken in the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs.

CloudTrail is enabled on an AWS account when the account is created: the last 90 days of management events can be viewed in Event history without further configuration. Delivering events to an S3 bucket or a CloudWatch Logs log group, and recording data events (for example S3 object-level or Lambda invocation activity), requires a trail configured for those event types. When activity occurs in the account it is recorded as a CloudTrail event, which identifies who or what took which action, which resources were acted upon, when the event occurred, and other details of the activity.

Each action corresponds to a request to an AWS service. For example, updating the shard count of a stream in the Kinesis console issues an UpdateShardCount request to the Kinesis service; CloudTrail records this as an event with eventType AwsApiCall and eventName UpdateShardCount.

Collection

Collection runs through three AWS components, all of which must be in place before Snare Central receives any data.

CloudTrail: a trail is configured to publish the events that match its settings (management and/or data events, selected regions) to an Amazon CloudWatch Logs log group. Events the trail does not record never reach the stream, so the trail settings define what this table can contain.

CloudWatch Logs: a subscription filter on that log group delivers the published events to an Amazon Kinesis Data Stream. An empty filter pattern forwards every event. Each Kinesis record carries a gzip-compressed JSON envelope holding one or more log events, and the message of each log event is one CloudTrail record as shown in the sample below.

Snare Central: periodically calls the AWS Kinesis API to pull the records stored in the Kinesis Data Stream and loads them into this table.
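The following is an added example, not Snare Central's own collector code, showing what a consumer on the Kinesis side has to do with each record: gunzip the CloudWatch Logs envelope, drop the CONTROL_MESSAGE records that CloudWatch Logs sends when the subscription is created, and unpack each logEvents[].message into a CloudTrail record together with the CloudWatch Logs timestamp (which becomes CWLDATETIME below). The log group, stream, filter and event id values in the sample record are constructed; the CloudTrail record inside it is the ConsoleLogin event from this page, trimmed. The read_stream function illustrates one boto3 polling pass and is not executed here.

```python
import base64
import gzip
import json
from datetime import datetime, timezone

# Constructed sample: the ConsoleLogin record shown on this page, trimmed to
# the fields this example touches. Real records carry the full document.
SAMPLE_EVENT = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::848848848848:user/alice",
                     "accountId": "848848848848", "userName": "alice"},
    "eventTime": "2023-03-30T12:27:48Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "112.202.112.111",
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MFAUsed": "No"},
    "eventType": "AwsConsoleSignIn",
}


def build_sample_record(message_type: str = "DATA_MESSAGE") -> bytes:
    """Build a Kinesis record payload the way a CloudWatch Logs subscription
    filter produces it: a gzip-compressed JSON envelope whose logEvents[].message
    strings are CloudTrail records. Log group, stream, filter and id values
    are constructed for this example."""
    envelope = {
        "messageType": message_type,
        "owner": "848848848848",
        "logGroup": "sample",
        "logStream": "848848848848_CloudTrail_us-east-2",
        "subscriptionFilters": ["cloudtrail-to-kinesis"],
        # timestamp is milliseconds since the epoch; here one second after eventTime
        "logEvents": [] if message_type != "DATA_MESSAGE" else [
            {"id": "37416830925400190000000000000000000000000000000000000001",
             "timestamp": 1680179269000,
             "message": json.dumps(SAMPLE_EVENT)}
        ],
    }
    return gzip.compress(json.dumps(envelope).encode("utf-8"))


def decode_subscription_record(data) -> dict:
    """Decode one record's Data field. boto3 get_records() returns the raw
    bytes; the AWS CLI prints the same field base64-encoded, so a str is
    base64-decoded first."""
    if isinstance(data, str):
        data = base64.b64decode(data)
    return json.loads(gzip.decompress(data).decode("utf-8"))


def extract_cloudtrail_events(data) -> list:
    """Return [(cwl_datetime, cloudtrail_record), ...] for one Kinesis record.

    CONTROL_MESSAGE records are sent when the subscription filter is created
    to check the destination; they carry no CloudTrail records and are dropped.
    """
    envelope = decode_subscription_record(data)
    if envelope.get("messageType") != "DATA_MESSAGE":
        return []
    events = []
    for log_event in envelope["logEvents"]:
        cwl_dt = datetime.fromtimestamp(log_event["timestamp"] / 1000, tz=timezone.utc)
        events.append((cwl_dt, json.loads(log_event["message"])))
    return events


def read_stream(kinesis_client, stream_name: str, shard_id: str, limit: int = 100) -> list:
    """One polling pass over a shard (assumes kinesis_client = boto3.client('kinesis');
    not run here). A real collector persists NextShardIterator between passes
    instead of restarting from TRIM_HORIZON."""
    iterator = kinesis_client.get_shard_iterator(
        StreamName=stream_name, ShardId=shard_id, ShardIteratorType="TRIM_HORIZON"
    )["ShardIterator"]
    batch = kinesis_client.get_records(ShardIterator=iterator, Limit=limit)
    events = []
    for record in batch["Records"]:
        events.extend(extract_cloudtrail_events(record["Data"]))
    return events


if __name__ == "__main__":
    for cwl_dt, event in extract_cloudtrail_events(build_sample_record()):
        print(cwl_dt.isoformat(), event["eventTime"], event["eventName"],
              event["userIdentity"]["userName"])
```

Two timestamps come out of each record: the CloudWatch Logs timestamp from the envelope and eventTime from the CloudTrail record itself. They differ by delivery latency, so queries about when something happened should use eventTime (DATETIME), while CWLDATETIME and COLLECTIONDATETIME are useful for measuring pipeline lag or spotting a stalled subscription.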

 

Sample Log Event

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "LCWMAIDA4R57123456789",
    "arn": "arn:aws:iam::848848848848:user/alice",
    "accountId": "848848848848",
    "userName": "alice"
  },
  "eventTime": "2023-03-30T12:27:48Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "112.202.112.111",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "LoginTo": "https://us-east-2.console.aws.amazon.com/cloudwatch/home?region=us-east-2&state=hashArgs%23logsV2%3Alog-groups%2Flog-group%2Fsample%2423subscription-filters&isauthcode=true",
    "MobileVersion": "No",
    "MFAUsed": "No"
  },
  "eventID": "395be77f-42ec-40be-8d8c-9d032fc480a3",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn",
  "managementEvent": true,
  "recipientAccountId": "848848848848",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "us-east-2.signin.aws.amazon.com"
  }
}
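The sample above is a successful console sign-in by an IAM user with MFAUsed "No", which is exactly the kind of record a detection should raise. The following is an added example, not part of this page or of Snare Central, of detection logic over AwsConsoleSignIn records: it flags successful sign-ins without MFA for IAM users and root, flags any root sign-in, and counts failed sign-ins per source address. The first sample event is the record from this page, trimmed; the root sign-in and the three failures are constructed for the example, with RFC 5737 documentation addresses.

```python
from collections import Counter

# Constructed samples, trimmed to the fields the checks read. The first is the
# ConsoleLogin record shown on this page; the rest are constructed variations.
SAMPLE_EVENTS = [
    {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::848848848848:user/alice",
                         "userName": "alice"},
        "eventTime": "2023-03-30T12:27:48Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "112.202.112.111",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
        "eventType": "AwsConsoleSignIn",
    },
    {
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::848848848848:root",
                         "accountId": "848848848848"},
        "eventTime": "2023-03-30T13:02:11Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "Yes"},
        "eventType": "AwsConsoleSignIn",
    },
] + [
    {
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "eventTime": f"2023-03-30T13:10:{sec:02d}Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "errorMessage": "Failed authentication",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
        "eventType": "AwsConsoleSignIn",
    }
    for sec in (5, 19, 41)
]


def console_login_findings(event: dict) -> list:
    """Findings for one record; empty for anything that is not a console sign-in."""
    if event.get("eventType") != "AwsConsoleSignIn" or event.get("eventName") != "ConsoleLogin":
        return []
    outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
    identity = event.get("userIdentity") or {}
    mfa = (event.get("additionalEventData") or {}).get("MFAUsed")
    findings = []
    if outcome == "Failure":
        findings.append("failed console login")
        return findings
    if outcome != "Success":
        return findings
    if identity.get("type") == "Root":
        findings.append("root console login")
    # MFAUsed reflects MFA at the AWS sign-in page only. For federated or
    # AssumedRole sign-ins the identity provider enforces MFA and "No" is
    # expected, so the check is limited to IAM users and root.
    if mfa == "No" and identity.get("type") in ("IAMUser", "Root"):
        findings.append("successful console login without MFA")
    return findings


def failed_logins_by_source(events: list, threshold: int) -> dict:
    """Source addresses with at least `threshold` failed console sign-ins."""
    counts = Counter(
        e.get("sourceIPAddress")
        for e in events
        if "failed console login" in console_login_findings(e)
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def run(events: list) -> list:
    """(eventTime, principal, finding) for every finding in a batch."""
    out = []
    for e in events:
        identity = e.get("userIdentity") or {}
        who = identity.get("arn") or identity.get("userName")
        for finding in console_login_findings(e):
            out.append((e["eventTime"], who, finding))
    return out


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(*row)
    print(failed_logins_by_source(SAMPLE_EVENTS, 3))
```

Failure records carry responseElements.ConsoleLogin "Failure" and an errorMessage; when the supplied user name does not exist, CloudTrail masks userName, so the per-source count is a better brute-force signal than a per-user one.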

 

Table Fields

Field

Description

DATE

eventTime - Extracted date from eventTime in YYYY-MM-DD format.

This is the date the request was completed.

TIME

eventTime - Extracted time from eventTime in HH:MM:SS format.

This is the time the request was completed.

SYSTEM

eventSource - The service that the request was made to. This name is typically the short form of the service name, without spaces, followed by .amazonaws.com.

For example: AWS CloudFormation is cloudformation.amazonaws.com, Amazon EC2 is ec2.amazonaws.com, Amazon Simple Workflow Service is swf.amazonaws.com, and console sign-in events come from signin.amazonaws.com.

TABLE

AWSCloudTrailLog

COLLECTIONDATETIME

Snare Central’s local date and time of the actual log collection from AWS Kinesis Data Stream in RFC3339Nano format

CWLDATETIME

The timestamp that CloudWatch Logs attached to the log event when it was delivered to the log group (the timestamp field of the subscription record, in milliseconds since the epoch), converted to RFC3339Nano format. This is normally a little later than DATETIME.

DATETIME

eventTime - The timestamp of the actual event log in RFC3339Nano format

AWSREGION

awsRegion - The AWS region that the request was made to e.g. us-east-2

EVENTCATEGORY

eventCategory - The event category, as used in LookupEvents calls:
For management events, the value is Management
For data events, the value is Data
For Insights events, the value is Insight

EVENTID

eventID - GUID generated by CloudTrail to uniquely identify each event.

EVENTNAME

eventName - The requested action that triggered the event.

EVENTTYPE

eventType - Identifies the type of event that generated the event record. This is one of the following values:

AwsApiCall – An API was called.
AwsServiceEvent – The service generated an event related to your trail, e.g. when another account made a call with a resource that you own.
AwsConsoleAction – An action was taken in the console that was not an API call.
AwsConsoleSignIn – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.
AwsCloudTrailInsight – If Insights events are enabled for the trail, CloudTrail generates Insights events when CloudTrail detects unusual operational activity such as spikes in resource provisioning or bursts of AWS Identity and Access Management (IAM) actions.

RECIPIENTACCOUNTID

recipientAccountId - Represents the account ID that received this event.

The recipient account ID may differ from the accountId in the userIdentity element; this occurs with cross-account resource access, e.g. when a principal in one account calls an API on a resource owned by another.

REQUESTID

requestID - The value that identifies the request. The service being called generates this value.

REQUESTPARAMETERS

requestParameters - The parameters, if any, that were sent with the request.

This field has a maximum size of 100 KB; content exceeding that limit is truncated.

RESPONSEELEMENTS

responseElements - The response elements for actions that make changes, e.g. create, update, or delete actions.

If an action does not change state, e.g. a request to get or list objects, this element is omitted. This field has a maximum size of 100 KB; content exceeding that limit is truncated.

SRCADDR

sourceIPAddress - The IP address that the request was made from.

For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server.

For services in AWS, only the DNS name is displayed.

USERAGENT

userAgent - The agent through which the request was made.

This field has a maximum size of 1 KB; content exceeding that limit is truncated.

USERACCESSKEYID

accessKeyId - The access key ID that was used to sign the request.

If the request was made with temporary security credentials, this is the access key ID of the temporary credentials.

USERAID

accountId - The account that owns the entity that granted permissions for the request.

If the request was made with temporary security credentials, this is the account that owns the IAM user or role used to obtain credentials.

USERARN

arn - The Amazon Resource Name (ARN) of the principal that made the call.

USERNAME

userName - The friendly name of the identity that made the call.

USERPID

principalId - A unique identifier for the entity that made the call.

For requests made with temporary security credentials, this value includes the session name that is passed to the AssumeRole, AssumeRoleWithWebIdentity, or GetFederationToken API call.

USERTYPE

type - The type of the identity.

SNAREDATAMAP

All fields in the log that are not mapped to one of the columns above (for example additionalEventData, tlsDetails, errorCode, errorMessage, and the sessionContext inside userIdentity) are pushed into the SNAREDATAMAP.
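The following is an added example, not Snare Central's own code, of the column mapping described in this table: it splits eventTime into DATE, TIME and DATETIME, maps the named top-level and userIdentity fields to their columns, and collects everything else into SNAREDATAMAP. It is run over the ConsoleLogin record from this page (trimmed) and over a constructed UpdateShardCount call made with temporary AssumedRole credentials, to show the principalId "role-id:session-name" form and the sessionContext ending up in the data map. Account, role, access key and request identifiers in the second record are placeholders, and the CWL and collection timestamps are supplied by the caller.

```python
import json

# Constructed samples: the ConsoleLogin record shown on this page (trimmed), and a
# constructed UpdateShardCount call made with temporary (AssumedRole) credentials.
# Account, role, key and request identifiers are placeholders.
CONSOLE_LOGIN = {
    "eventVersion": "1.08",
    "userIdentity": {"type": "IAMUser", "principalId": "LCWMAIDA4R57123456789",
                     "arn": "arn:aws:iam::848848848848:user/alice",
                     "accountId": "848848848848", "userName": "alice"},
    "eventTime": "2023-03-30T12:27:48Z", "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin", "awsRegion": "us-east-2",
    "sourceIPAddress": "112.202.112.111", "userAgent": "Mozilla/5.0",
    "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
    "eventID": "395be77f-42ec-40be-8d8c-9d032fc480a3", "readOnly": False,
    "eventType": "AwsConsoleSignIn", "managementEvent": True,
    "recipientAccountId": "848848848848", "eventCategory": "Management",
    "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"},
}
ASSUMED_ROLE_CALL = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        # principalId for temporary credentials is "<role id>:<session name>"
        "principalId": "AROAEXAMPLE123456789:deploy-session",
        "arn": "arn:aws:sts::848848848848:assumed-role/Deployer/deploy-session",
        "accountId": "848848848848", "accessKeyId": "ASIAEXAMPLEKEY1234567",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "principalId": "AROAEXAMPLE123456789",
                              "arn": "arn:aws:iam::848848848848:role/Deployer",
                              "accountId": "848848848848", "userName": "Deployer"},
            "attributes": {"creationDate": "2023-03-30T12:20:00Z", "mfaAuthenticated": "false"},
        },
    },
    "eventTime": "2023-03-30T12:31:07Z", "eventSource": "kinesis.amazonaws.com",
    "eventName": "UpdateShardCount", "awsRegion": "us-east-2",
    "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.6",
    "requestParameters": {"streamName": "cloudtrail-stream", "targetShardCount": 2,
                          "scalingType": "UNIFORM_SCALING"},
    "responseElements": {"streamName": "cloudtrail-stream", "currentShardCount": 1,
                         "targetShardCount": 2},
    "requestID": "c1d2e3f4-0000-4000-8000-000000000001",
    "eventID": "9a8b7c6d-0000-4000-8000-000000000002",
    "readOnly": False, "eventType": "AwsApiCall", "managementEvent": True,
    "recipientAccountId": "848848848848", "eventCategory": "Management",
}

# Top-level record keys that have a named column; everything else is unclassified.
TOP_LEVEL_COLUMNS = {
    "eventSource": "SYSTEM", "awsRegion": "AWSREGION", "eventCategory": "EVENTCATEGORY",
    "eventID": "EVENTID", "eventName": "EVENTNAME", "eventType": "EVENTTYPE",
    "recipientAccountId": "RECIPIENTACCOUNTID", "requestID": "REQUESTID",
    "requestParameters": "REQUESTPARAMETERS", "responseElements": "RESPONSEELEMENTS",
    "sourceIPAddress": "SRCADDR", "userAgent": "USERAGENT",
}
# userIdentity keys that have a named column; sessionContext etc. are unclassified.
USER_IDENTITY_COLUMNS = {
    "accessKeyId": "USERACCESSKEYID", "accountId": "USERAID", "arn": "USERARN",
    "userName": "USERNAME", "principalId": "USERPID", "type": "USERTYPE",
}


def to_table_row(event: dict, cwl_datetime: str, collection_datetime: str) -> dict:
    """Flatten one CloudTrail record into the column names of this table.
    cwl_datetime and collection_datetime come from the collector, not the record."""
    row = {"TABLE": "AWSCloudTrailLog", "COLLECTIONDATETIME": collection_datetime,
           "CWLDATETIME": cwl_datetime, "DATETIME": event.get("eventTime")}
    unclassified = {}
    if row["DATETIME"]:
        # eventTime is ISO 8601 UTC, e.g. 2023-03-30T12:27:48Z -> DATE and TIME
        date_part, _, time_part = row["DATETIME"].partition("T")
        row["DATE"], row["TIME"] = date_part, time_part[:8]
    for key, value in event.items():
        if key == "eventTime":
            continue
        if key == "userIdentity":
            for ikey, ivalue in (value or {}).items():
                if ikey in USER_IDENTITY_COLUMNS:
                    row[USER_IDENTITY_COLUMNS[ikey]] = ivalue
                else:
                    unclassified.setdefault("userIdentity", {})[ikey] = ivalue
        elif key in TOP_LEVEL_COLUMNS:
            row[TOP_LEVEL_COLUMNS[key]] = value
        else:
            unclassified[key] = value
    row["SNAREDATAMAP"] = unclassified
    return row


if __name__ == "__main__":
    for ev in (CONSOLE_LOGIN, ASSUMED_ROLE_CALL):
        print(json.dumps(to_table_row(ev, "2023-03-30T12:27:49Z",
                                      "2023-03-30T12:28:01.123456789Z"), indent=2))
```

For the AssumedRole record, USERNAME is absent and USERARN is the STS assumed-role ARN; the role that issued the credentials and whether MFA was used to assume it are only visible in SNAREDATAMAP under userIdentity.sessionContext, which is where investigations of temporary-credential activity need to look.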

 

Notes

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html