Cloud Trail
Overview
Cloud Trail ingests and normalizes AWS CloudTrail logs in Logpoint. Once ingested, you can use built-in dashboards, reports, and alerts to explore and analyze the data. This gives you clear visibility into user activity, resource changes, IAM modifications, network configurations, and other security events.
The integration includes:
CloudTrailLogParser to extract key fields from raw CloudTrail logs.
CloudTrailCompiledNormalizer to convert the parsed CloudTrail logs into a standardized format for consistent analysis across Logpoint.
LP_CloudTrail dashboard, which provides a graphical and interactive overview of AWS activities, highlighting patterns including failed logins, root user activity, MFA usage, and changes to EC2 instances or network configurations. It allows you to quickly spot unusual behavior, monitor compliance, and track operational changes over time.
LP_CloudTrail report that lets you generate time-bound summaries and trend analyses, offering detailed insights into authentication events, API usage, and resource changes. With customizable time periods and export options, you can share findings or use them for audits and incident investigations.
Alert packages that notify you about critical security and operational events, including unauthorized access attempts, policy changes, or suspicious activity. They enable faster incident response and help you maintain compliance with internal or regulatory security requirements.
Supported Events
AWS CloudTrail versions: All currently supported versions, including multi-region trails.
CloudTrail log types:
Authentication events: Console sign-ins, API calls, MFA usage
API usage: Successful and failed calls across AWS services
Resource changes: EC2, VPC, S3, IAM, and other service modifications
IAM modifications: Policy changes, role creation/deletion, group modifications
Network and security activities: Security group modifications, VPC creation/deletion, network configuration changes
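To make the categories above concrete, the following added example (not Logpoint's parser or normalizer code) tags raw CloudTrail records with the event types this page lists. The records are constructed samples, and the tag names and prefix lists are assumptions chosen for illustration.

```python
# Constructed CloudTrail records: field names are CloudTrail's, values are invented.
SAMPLE = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole"}},
]

# Assumed prefix lists for this example; extend them to match your environment.
NETWORK_PREFIXES = ("AuthorizeSecurityGroup", "RevokeSecurityGroup",
                    "CreateSecurityGroup", "DeleteSecurityGroup", "CreateVpc", "DeleteVpc")
IAM_CHANGE_PREFIXES = ("Create", "Delete", "Attach", "Detach", "Put", "Update", "Add", "Remove")

def classify(rec):
    """Return the set of category tags that apply to one CloudTrail record."""
    tags = set()
    name, source = rec.get("eventName", ""), rec.get("eventSource", "")
    identity = rec.get("userIdentity") or {}
    if identity.get("type") == "Root":
        tags.add("root_activity")
    if name == "ConsoleLogin":
        # responseElements may be null in real records, hence the "or {}".
        result = (rec.get("responseElements") or {}).get("ConsoleLogin")
        tags.add("failed_login" if result == "Failure" else "console_login")
        if result == "Success" and (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            tags.add("login_without_mfa")
    if rec.get("errorCode"):
        tags.add("failed_api_call")
    if source == "iam.amazonaws.com" and name.startswith(IAM_CHANGE_PREFIXES):
        tags.add("iam_modification")
    if source == "ec2.amazonaws.com" and name.startswith(NETWORK_PREFIXES):
        tags.add("network_change")
    return tags

def summarize(records):
    """Count records per tag, the kind of aggregate a dashboard widget shows."""
    counts = {}
    for rec in records:
        for tag in classify(rec):
            counts[tag] = counts.get(tag, 0) + 1
    return counts
```

Federated sign-ins can report MFAUsed as "No" even when the identity provider enforced MFA, so review login_without_mfa hits against the sign-in method before alerting on them.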