Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Observability for Cloudtrail

Cloudtrail icon

Out-of-the-Box Observability For Cloudtrail Includes:

Dashboards - 3

Gain instantaneous visualization of all your Cloudtrail data.

Cloudtrail - ops
Cloudtrail - ops
Cloudtrail - sec
Cloudtrail - sec
Cloudtrail - s3
Cloudtrail - s3

Alerts - 15

Stay on top of Cloudtrail key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Ratio of S3 errors to S3 requests over 20% over 6 hours

Cloudtrail extension pack

Ratio of failed aws console login due to authentication to overall logins > 30% in 10 minutes

Cloudtrail extension pack Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation

Ratio of failed aws console logins to overall logins > 10% in 30 minutes

Cloudtrail extension pack

VPC change detected

Cloudtrail extension pack It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. Monitoring changes to VPCs helps ensure that all VPC traffic flows as expected

Route table changes detected

Cloudtrail extension pack Routing tables are used to route network traffic between subnets and to network gateways. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.

Changes to network gateways detected

Cloudtrail extension pack Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path

Changes to Network Access Control Lists detected

Cloudtrail extension pack Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed

IAM policy changes

Cloudtrail extension pack Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

Consol Login with no MFA

Cloudtrail extension pack Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA which is against company policy This alert is disabled by default. You should exclude in the query your SAML provider for preventing noise and finetuning, for instance, concatenate to the alert query: NOT additionalEventData.SamlProviderArn:"arn:aws:iam::123412341234:saml-provider/gsuite-coralogix.com"

Admin privileges granted

Cloudtrail extension pack SecOps will be alerted when admin privileges are granted. The security org needs to make sure that it is a legitimate operation.

New Admin added

Cloudtrail extension pack Triggers when a new admin has been added to the environment to verify legitimacy

Attempt to Create DB with the property "publicly accessible"

Cloudtrail extension pack It is against security policies to create "publicly accessible" DB

Access logging disabled or chanaged on S3 for Cloudtrail buckets

Cloudtrail extension pack

Disabled or scheduled deletion of customer created CMKs

Cloudtrail extension pack Data encrypted with disabled or deleted keys will no longer be accessible.

Cloudtrail config changes

Cloudtrail extension pack Monitoring changes to CloudTrails configuration will help ensure sustained visibility to activities performed in the AWS account


Learn more about Coralogix's out-of-the-box integration with Cloudtrail in our documentation.

Read More
Schedule Demo