
Quick Start Observability for Cloudtrail

Cloudtrail

Coralogix Extension For Cloudtrail Includes:

Dashboards - 3

Gain instantaneous visualization of all your Cloudtrail data.

Cloudtrail - ops
Cloudtrail - sec
Cloudtrail - s3

Alerts - 15

Stay on top of Cloudtrail key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Ratio of S3 errors to S3 requests over 20% over 6 hours

Cloudtrail extension pack

Ratio of failed AWS console logins due to authentication to overall logins > 30% in 10 minutes

Cloudtrail extension pack
Monitoring failed console logins may decrease the lead time to detect an attempt to brute-force a credential, and may provide an indicator, such as a source IP, that can be used in other event correlation.

Ratio of failed AWS console logins to overall logins > 10% in 30 minutes

Cloudtrail extension pack

VPC change detected

Cloudtrail extension pack
It is possible to have more than one VPC within an account, and it is also possible to create a peering connection between two VPCs so that network traffic routes between them. Monitoring changes to VPCs helps ensure that all VPC traffic flows as expected.

Route table changes detected

Cloudtrail extension pack
Routing tables are used to route network traffic between subnets and to network gateways. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

Changes to network gateways detected

Cloudtrail extension pack
Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path.

Changes to Network Access Control Lists detected

Cloudtrail extension pack
Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed.

IAM policy changes

Cloudtrail extension pack
Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

Console Login with no MFA

Cloudtrail extension pack
Monitoring for single-factor console logins increases visibility into accounts that are not protected by MFA, which is against company policy. This alert is disabled by default. To reduce noise and fine-tune the alert, exclude your SAML provider in the query; for instance, append to the alert query: NOT additionalEventData.SamlProviderArn:"arn:aws:iam::123412341234:saml-provider/gsuite-coralogix.com"
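As an added illustration, not Coralogix's own alert query or code, the following shows the two login checks above as detection logic run over constructed CloudTrail records: the single-factor console login check with the SAML provider exclusion, and the failed-login ratio the threshold alerts above are built on. The record fields follow the CloudTrail ConsoleLogin event format (MFAUsed, SamlProviderArn, responseElements.ConsoleLogin, errorMessage), and the SAML provider ARN is the placeholder value quoted in the alert description.

```python
# Constructed sample CloudTrail records (not real account data). The SAML
# provider ARN is the placeholder value quoted in the alert description.
SAML_PROVIDER_ARN = "arn:aws:iam::123412341234:saml-provider/gsuite-coralogix.com"

SAMPLE_RECORDS = [
    # IAM user password login with MFA: compliant
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # IAM user password login without MFA: should alert
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # SAML-federated login: MFA is enforced by the IdP, so excluded by ARN
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole"},
     "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": SAML_PROVIDER_ARN},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Failed password login: feeds the failed-login ratio, not the MFA alert
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    # Unrelated API call that every filter below must ignore
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "alice"}},
]


def single_factor_logins(records, excluded_saml_arns=frozenset()):
    """Successful ConsoleLogin events without MFA, minus excluded SAML providers."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        extra = rec.get("additionalEventData", {})
        if extra.get("MFAUsed") == "Yes":
            continue
        if extra.get("SamlProviderArn") in excluded_saml_arns:
            continue  # the NOT SamlProviderArn:"..." clause from the alert query
        hits.append(rec)
    return hits


def failed_login_ratio(records):
    """Share of ConsoleLogin events that failed authentication (0.0 if none)."""
    logins = [r for r in records if r.get("eventName") == "ConsoleLogin"]
    failed = [r for r in logins if r.get("errorMessage") == "Failed authentication"]
    return len(failed) / len(logins) if logins else 0.0
```

Without the SAML exclusion the federated login is reported too, which is the noise the alert description tells you to filter out.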

Admin privileges granted

Cloudtrail extension pack
SecOps is alerted when admin privileges are granted; the security organization needs to verify that the operation is legitimate.

New Admin added

Cloudtrail extension pack
Triggers when a new admin has been added to the environment, so that the addition can be verified as legitimate.

Attempt to Create DB with the property "publicly accessible"

Cloudtrail extension pack
It is against security policies to create a "publicly accessible" DB.

Access logging disabled or changed on S3 for Cloudtrail buckets

Cloudtrail extension pack

Disabled or scheduled deletion of customer-created CMKs

Cloudtrail extension pack
Data encrypted with disabled or deleted keys will no longer be accessible.

Cloudtrail config changes

Cloudtrail extension pack
Monitoring changes to CloudTrail's configuration will help ensure sustained visibility into activities performed in the AWS account.

Integration

Learn more about Coralogix's out-of-the-box integration with Cloudtrail in our documentation.
