aws-cloudtrail Configuration

Parser for cloudtrail logs with type aws-cloudtrail.

As cloudtrail logs that are sent to s3 are stored in a json array object called Records, you may want to use the transform feature of crowdsec with the following configuration: map(JsonExtractSlice(evt.Line.Raw, "Records"), ToJsonString(#)).

Example of acquis.yaml using s3 s3notifications through sqs:

source: s3
polling_method: sqs
sqs_name: <sqs_queue>
sqs_format: s3notification 
polling_interval: 30
aws_region: eu-west-1
transform: map(JsonExtractSlice(evt.Line.Raw, "Records"), ToJsonString(#))
max_buffer_size: 10000000
use_time_machine: true
labels:
  type: aws-cloudtrail

A direct acquisition method is supported using s3 by directly listing new object in the bucket. In case of high cloudtrail traffic, this is discouraged, because it will require some significant compute resources.

Cloudtrail logs are arriving every few minutes, thus, we can't use the real time feature of crowdsec. That's the reason we are suggesting to use the time machine feature, to take into account the time when they occurred and not when they are sent to CrowdSec.

Please have a look at the documentation https://docs.crowdsec.net/docs/next/data_sources/s3

Cloudtrail logs can be sent to kinesis as well, and crowdsec supports such a source for cloudtrail logs:

source: kinesis
stream_name: cloutrail_stream
aws_region: eu-west-1
from_subscription: true
labels:
  type: aws-cloudtrail

1onsuccess: next_stage

2#debug: true

3filter: "evt.Parsed.program == 'aws-cloudtrail'"

4name: crowdsecurity/aws-cloudtrail

5description: "Parse AWS Cloudtrail logs"

6statics:

7 - parsed: cloudtrail_parsed

8 expression: UnmarshalJSON(evt.Line.Raw, evt.Unmarshaled, 'cloudtrail')

9 - target: evt.StrTime

10 expression: evt.Unmarshaled.cloudtrail.eventTime

11 - meta: user_type

12 expression: evt.Unmarshaled.cloudtrail.userIdentity.type

13 # see : https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md#nil-coalescing

14 - meta: user_arn

15 expression: |

16 evt.Unmarshaled.cloudtrail.userIdentity?.arn ?? evt.Unmarshaled.cloudtrail.userIdentity.userName

17 - meta: event_name

18 expression: evt.Unmarshaled.cloudtrail.eventName

19 - meta: event_source

20 expression: evt.Unmarshaled.cloudtrail.eventSource

21 - meta: region

22 expression: evt.Unmarshaled.cloudtrail.awsRegion

23 - meta: source_ip

24 expression: |

25 IsIP(evt.Unmarshaled.cloudtrail.sourceIPAddress) ? evt.Unmarshaled.cloudtrail.sourceIPAddress : ""

26 - meta: user_agent

27 expression: evt.Unmarshaled.cloudtrail.userAgent

28 - meta: error_code

29 expression: evt.Unmarshaled.cloudtrail.errorCode

30 - meta: event_id

31 expression: evt.Unmarshaled.cloudtrail.eventID

32 - meta: account_id

33 expression: evt.Unmarshaled.cloudtrail.userIdentity.accountId

34 - meta: log_type

35 value: aws-cloudtrail

Hub configuration

« aws-cloudtrail »
v0.4 by crowdsecurity
Log parser

Hub configuration

« aws-cloudtrail »v0.4 by crowdsecurityLog parser

« aws-cloudtrail »
v0.4 by crowdsecurity
Log parser