Explore and Analyze AWS CloudTrail Events
After Logpoint ingests your CloudTrail logs:
Use Search to access and examine events.
View events in real time through Dashboards.
Set up Reports to summarize and track events over time.
Configure Alerts to get notified of critical or suspicious activity.
Refer to Log Reference for log samples, field mappings, and labels; these describe how raw CloudTrail fields are normalized into the field names (for example event, error, identity_type) that the queries and alerts below rely on.
Search
Use the following queries to explore common CloudTrail events and analyze AWS activity in Logpoint.
Scenario | Search Query
All CloudTrail logs | col_type = cloudtrail
Failed console logins | norm_id=CloudTrail responseelements_consolelogin=Failure
Root user activities | norm_id=CloudTrail identity_type=Root -caller_user event_type != AwsServiceEvent
API activity without MFA | norm_id=CloudTrail mfa_authenticated != true
Authorization failures | norm_id=CloudTrail (error="UnauthorizedOperation" or error="AccessDenied")
Console logins without MFA | norm_id=CloudTrail event=ConsoleLogin additionaleventdata_mfaused=No
IAM policy changes | norm_id=CloudTrail (event=DeleteGroupPolicy or event=PutGroupPolicy or event=CreatePolicy)
EC2 instance changes | norm_id=CloudTrail (event=RunInstances or event=RebootInstances or event=StartInstances or event=StopInstances)
Network changes | norm_id=CloudTrail (event=CreateVpc or event=DeleteVpc or event=ModifyVpcAttribute)
Dashboards
LP_CloudTrail Dashboard
The LP_CloudTrail dashboard provides real-time insights into AWS activity across your environment, showing patterns in user access, authentication attempts, API usage, and instance lifecycle events. It helps you detect unusual behavior, monitor compliance, and track resource changes. Geographic and source-based analyses highlight where activity originates, and trend visualizations make anomalies easier to spot. The dashboard consolidates key metrics for security monitoring and operational oversight, helping you make faster, informed decisions.
Adding the CloudTrail Dashboard
Navigate to Settings >> Knowledge Base >> Dashboard.
Select VENDOR DASHBOARD from the dropdown.
Click the Use icon under Actions.
Click Choose Repos.
Select the repository configured for CloudTrail logs and click Done.
In Ask Repos, select the dashboard and click Ok.
The dashboard will appear under Dashboards. You can view details about each widget by clicking the Info icon.
Important: The “Top 10 Countries in Cloud Activities” widget requires GEOIP to be installed in Logpoint, as it relies on the geoip process command.
Reports
LP_CloudTrail Report
The LP_CloudTrail report provides time-bound summaries of CloudTrail events, graphical visualizations of activity patterns, and trend analysis over selected periods. It helps users track console sign-ins, API calls, and access attempts, making it easier to detect failed logins, unusual activity, or potential security issues. Customizable time ranges and export options allow users to generate reports in PDF or HTML for further analysis or sharing.
Generating CloudTrail Reports
1. Access Report Templates
1.1. Go to Reports >> Reports Templates.
1.2. Select VENDOR REPORT TEMPLATES from the dropdown.
1.3. Click the action icon for CloudTrail.
2. Run Report
2.1. Click the Run This Report icon.
2.2. Configure report parameters:
2.2.1. Repos: Select the CloudTrail log repositories.
2.2.2. Time Zone: Set the appropriate timezone.
2.2.3. Time Range: Define the analysis period.
2.2.4. Export Type: Choose PDF or HTML format.
2.2.5. Email: Specify recipients.
3. Access Generated Reports
3.1. View report generation status under Report Jobs.
3.2. Download completed reports from Inbox in PDF or HTML format.
Alerts
Authentication & Access Alerts
Alert Name | Trigger | Query
LP_Console Sign In Without MFA | Console sign-in without multi-factor authentication | norm_id=CloudTrail event=ConsoleLogin additionaleventdata_mfaused=No
LP_AWSCloudTrail Failed Login | Failed login attempts | norm_id=CloudTrail responseelements_consolelogin=Failure user=*
LP_CloudTrail Root Credentials Used | Root account credential usage | norm_id=CloudTrail identity_type=Root -caller_user event_type != AwsServiceEvent user=*
LP_CloudTrail API Without MFA | API calls without multi-factor authentication | norm_id=CloudTrail mfa_authenticated != true user=*
Infrastructure Change Alerts
Alert Name | Trigger | Query
LP_Amazon EC2 Instance Changes | EC2 instance lifecycle operations | norm_id=CloudTrail (event=RunInstances or event=RebootInstances or event=StartInstances or event=StopInstances or event=TerminateInstances)
LP_Amazon Virtual Private Cloud Changes | VPC configuration modifications | norm_id=CloudTrail (event=CreateVpc or event=DeleteVpc or event=ModifyVpcAttribute or event=AcceptVpcPeeringConnection...)
LP_CloudTrail Network ACL Changes | Network ACL configuration changes | norm_id=CloudTrail (event=CreateNetworkAcl or event=CreateNetworkAclEntry or event=DeleteNetworkAcl...)
Security & Compliance Alerts
Alert Name | Trigger | Query
LP_CloudTrail Authorization Failures | Unauthorized API calls | norm_id=CloudTrail (error="*UnauthorizedOperation" or error="AccessDenied*") user=*
LP_CloudTrail IAM Policy Changes | IAM policy modifications | norm_id=CloudTrail (event=DeleteGroupPolicy or event=PutGroupPolicy or event=CreatePolicy...)
LP_AWSCloudTrail Amazon S3 Bucket Activity | Critical S3 bucket operations | norm_id=CloudTrail event_source="s3.amazonaws.com" (event=PutBucketAcl or event=PutBucketPolicy...)
Reconnaissance Detection Alerts
Alert Name | ATT&CK | Query
LP_AWS Cloudtrail Reconnaissance - Host Info | T1592, T1592.002 | norm_id=CloudTrail event in ["ListAttachedUserPolicies","GetPolicy","GetBucketAcl"] -source_address in HOMENET
LP_AWS Cloudtrail Reconnaissance - Network Info | T1592 | norm_id=CloudTrail event in ["DescribeNetworkInterfaces"] -source_address in HOMENET
LP_AWS Cloudtrail Reconnaissance - User Info | T1589, T1589.001 | norm_id=CloudTrail event in ["ListAccountAliases","GetAccountPasswordPolicy","GetAccountSummary"...] -source_address in HOMENET
Persistence Detection Alerts
Alert Name | ATT&CK | Query
LP_AWS Cloudtrail - IAM User Creation | T1136, T1136.003 | norm_id=CloudTrail event="CreateUser" identity_type=IAMUser -source_address in HOMENET
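The queries in the Search table and the Alerts tables above are easier to reason about when you see them applied to raw CloudTrail records. The script below is an added example, not Logpoint code or part of this integration: it maps CloudTrail JSON paths onto the normalized field names the queries use (event, error, identity_type, user, source_address, mfa_authenticated and so on), then evaluates a selection of the page's conditions over a few constructed records. The field mapping is an assumption drawn from the CloudTrail record format and must be checked against the Log Reference; HOMENET is stood in for by a constructed CIDR list; caller_user is not mapped, so the -caller_user clause is satisfied by its absence, and the root rule follows the Search table's form (without user=*), since a root identity carries no userName.

```python
"""Run the page's CloudTrail search and alert conditions over raw CloudTrail records."""
import fnmatch
import ipaddress

# Constructed sample records (not real data), shaped like CloudTrail JSON.
SAMPLE_EVENTS = [
    {   # 0: console sign-in that succeeded without MFA
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"}},
    {   # 1: failed console sign-in
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "Yes"}},
    {   # 2: API call made directly with root credentials (no userName on root)
        "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
        "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root"}},
    {   # 3: MFA-authenticated user denied on an S3 ACL read from outside HOMENET
        "eventName": "GetBucketAcl", "eventSource": "s3.amazonaws.com",
        "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "errorCode": "AccessDenied"},
    {   # 4: IAM user created from inside HOMENET
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
        "eventType": "AwsApiCall", "sourceIPAddress": "10.0.0.5",
        "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

# Assumed mapping from the page's normalized field names to CloudTrail JSON paths.
FIELD_PATHS = {
    "event": ("eventName",),
    "event_source": ("eventSource",),
    "event_type": ("eventType",),
    "error": ("errorCode",),
    "identity_type": ("userIdentity", "type"),
    "user": ("userIdentity", "userName"),
    "source_address": ("sourceIPAddress",),
    "responseelements_consolelogin": ("responseElements", "ConsoleLogin"),
    "additionaleventdata_mfaused": ("additionalEventData", "MFAUsed"),
    "mfa_authenticated": ("userIdentity", "sessionContext", "attributes", "mfaAuthenticated"),
}

HOMENET = [ipaddress.ip_network("10.0.0.0/8")]  # constructed stand-in for the Logpoint list


def normalise(record):
    """Flatten one raw record into {normalized_field: value}; absent paths are left out."""
    norm = {}
    for field, path in FIELD_PATHS.items():
        node = record
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None:
            norm[field] = str(node)
    return norm


def in_homenet(address):
    """True when the address parses and falls inside any HOMENET range."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in HOMENET)


def error_matches(error, patterns):
    """Wildcard match as in the alert query: "*UnauthorizedOperation" also hits "Client.UnauthorizedOperation"."""
    return any(fnmatch.fnmatchcase(error, p) for p in patterns)


# Each rule mirrors one query from the page: "field=*" becomes "field in e",
# "-field" becomes "field not in e", and "!=" also matches when the field is absent.
RULES = {
    "LP_Console Sign In Without MFA": lambda e: (
        e.get("event") == "ConsoleLogin" and e.get("additionaleventdata_mfaused") == "No"),
    "LP_AWSCloudTrail Failed Login": lambda e: (
        e.get("responseelements_consolelogin") == "Failure" and "user" in e),
    "LP_CloudTrail Root Credentials Used": lambda e: (
        e.get("identity_type") == "Root" and "caller_user" not in e
        and e.get("event_type") != "AwsServiceEvent"),
    "LP_CloudTrail API Without MFA": lambda e: (
        e.get("mfa_authenticated") != "true" and "user" in e),
    "LP_CloudTrail Authorization Failures": lambda e: (
        error_matches(e.get("error", ""), ("*UnauthorizedOperation", "AccessDenied*"))
        and "user" in e),
    "LP_AWS Cloudtrail Reconnaissance - Host Info": lambda e: (
        e.get("event") in ("ListAttachedUserPolicies", "GetPolicy", "GetBucketAcl")
        and not in_homenet(e.get("source_address", ""))),
    "LP_AWS Cloudtrail - IAM User Creation": lambda e: (
        e.get("event") == "CreateUser" and e.get("identity_type") == "IAMUser"
        and not in_homenet(e.get("source_address", ""))),
}


def evaluate(records, rules=RULES):
    """Return {rule_name: [indexes of the records that matched]}."""
    hits = {name: [] for name in rules}
    for idx, record in enumerate(records):
        norm = normalise(record)
        for name, condition in rules.items():
            if condition(norm):
                hits[name].append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {idxs}")
```

Two things the run makes visible. The API-without-MFA rule fires on the two console sign-ins and on the CreateUser call because mfa_authenticated != true is also satisfied when the field is absent, so expect noise from any event whose session context carries no mfaAuthenticated attribute and tune accordingly. The IAM user creation from 10.0.0.5 produces no hit, which is exactly the -source_address in HOMENET exclusion doing its job; an IAM user created from an unlisted address would have fired.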