Integrate AWS CloudTrail with Google SecOps
This document explains how to integrate AWS CloudTrail with Google Security Operations (Google SecOps).
Integration version: 5.0
Prerequisites
This integration requires a read-only access policy on the IAM principal whose access key you provide. For more information about the policy, see Granting custom permissions for CloudTrail users on the AWS documentation website.
Integration inputs
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
To configure the integration, use the following parameters:
AWS Access Key ID
Required.
AWS Access Key ID to use in integration.
AWS Secret Key
Required.
AWS Secret Key to use in integration.
AWS Default Region
Required.
AWS default region to use in integration, such as us-west-2.
Actions
You can run any integration action either automatically in a playbook or manually from the Case View.
Ping
Test connectivity to AWS CloudTrail.
Entities
This action doesn't run on entities.
Action inputs
N/A
Action outputs
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the AWS CloudTrail server with the provided connection parameters! | Action succeeded. |
Failed to connect to the AWS CloudTrail server! Error is ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
AWS CloudTrail - Insights Connector
Pull insights from AWS CloudTrail.
Connector inputs
To configure the connector, use the following parameters:
Product Field Name
Required.
Event Field Name
Required.
The name of the field that determines the event name (subtype).
Default value is CloudTrailEvent_insightDetails_insightType.
Environment Field Name
Optional.
The name of the field where the environment name is stored.
If the environment field is missing, the connector uses the default value.
Environment Regex Pattern
Optional.
A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using regular expression logic.
Use the default value .* to retrieve the raw Environment Field Name value unchanged.
If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds)
Required.
The timeout limit, in seconds, for the Python process that runs the current script.
Default value is 180 seconds.
AWS Access Key ID
Required.
AWS Access Key ID to use in integration.
AWS Secret Key
Required.
AWS Secret Key to use in integration.
AWS Default Region
Required.
AWS default region to use in integration, such as us-west-2.
Alert Severity
Required.
Severity level of the Google SecOps alerts created based on the insights.
Possible values are:
- Informational
- Low
- Medium
- High
- Critical
Default value is Medium.
Fetch Max Hours Backwards
Optional.
The number of hours before the first connector iteration from which to retrieve insights.
This parameter applies to the initial connector iteration after you enable the connector for the first time, and serves as the fallback value when the saved connector timestamp has expired.
Default value is 1 hour.
Max Insights To Fetch
Optional.
The number of insights to process in one connector iteration.
Maximum value is 50.
Default value is 50.
Use whitelist as a blacklist
Required.
If selected, the dynamic list is used as a blocklist instead of an allowlist.
Not selected by default.
Verify SSL
Required.
If selected, the integration validates the SSL certificate when connecting to the AWS CloudTrail server.
Not selected by default.
Proxy Server Address
Optional.
Address of the proxy server to use.
Proxy Username
Optional.
Proxy username to authenticate with.
Proxy Password
Optional.
Proxy password to authenticate with.
Connector rules
The connector supports proxy.
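The following is an added example, not the integration's own code, that shows how the connector parameters above fit together: how Fetch Max Hours Backwards and Max Insights To Fetch become a time window and a page size, how the default Event Field Name CloudTrailEvent_insightDetails_insightType is obtained, and how the dynamic list and Alert Severity shape the resulting alerts. It assumes that insights are retrieved with the CloudTrail LookupEvents API (boto3 cloudtrail.lookup_events with EventCategory="insight", which is what caps the page size at 50) and that Google SecOps names fields by flattening the raw CloudTrailEvent JSON with underscores; both are inferred from the parameter defaults, not stated by the page. The sample records are constructed and contain no real account data; the API call itself is not made, so the example runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Allowed values of the Alert Severity connector parameter.
SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")


def _record(event_id, minute, source, api, insight_type):
    """Build one constructed record shaped like an entry of the "Events" list
    that boto3 cloudtrail.lookup_events returns. CloudTrailEvent is a JSON
    string, as in the real API. IDs, times and account context are made up."""
    return {
        "EventId": event_id,
        "EventName": "Insight",
        "EventTime": datetime(2024, 5, 1, 12, minute, tzinfo=timezone.utc),
        "CloudTrailEvent": json.dumps({
            "eventType": "AwsCloudTrailInsight",
            "eventCategory": "Insight",
            "awsRegion": "us-west-2",
            "insightDetails": {"state": "Start", "eventSource": source,
                               "eventName": api, "insightType": insight_type},
        }),
    }


# Constructed sample input: one API call rate insight and one API error rate insight.
SAMPLE_RECORDS = [
    _record("00000000-0000-4000-8000-000000000001", 0, "iam.amazonaws.com", "CreateUser", "ApiCallRateInsight"),
    _record("00000000-0000-4000-8000-000000000002", 5, "sts.amazonaws.com", "AssumeRole", "ApiErrorRateInsight"),
]


def lookup_kwargs(hours_backwards=1, max_insights=50, now=None):
    """Keyword arguments for boto3 cloudtrail.lookup_events, derived from the
    Fetch Max Hours Backwards and Max Insights To Fetch parameters (assumed
    retrieval path). LookupEvents caps MaxResults at 50, hence the check."""
    if not 1 <= max_insights <= 50:
        raise ValueError("Max Insights To Fetch must be between 1 and 50")
    now = now or datetime.now(timezone.utc)
    return {
        "EventCategory": "insight",  # Insights events, not management events
        "StartTime": now - timedelta(hours=hours_backwards),
        "EndTime": now,
        "MaxResults": max_insights,
    }


def flatten(obj, prefix="", sep="_"):
    """Flatten nested dicts and lists into one level, joining path parts with
    sep, so insightDetails.insightType becomes insightDetails_insightType."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix: obj}
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}{sep}{key}" if prefix else str(key), sep))
    return flat


def flatten_record(record):
    """Parse the CloudTrailEvent JSON string, then flatten the whole record.
    The result carries the key CloudTrailEvent_insightDetails_insightType."""
    parsed = dict(record)
    parsed["CloudTrailEvent"] = json.loads(parsed["CloudTrailEvent"])
    return flatten(parsed)


def build_alerts(records, event_field="CloudTrailEvent_insightDetails_insightType",
                 dynamic_list=(), use_as_blocklist=False, severity="Medium"):
    """Turn insight records into alert dicts, applying the Event Field Name,
    the dynamic list (allowlist, or blocklist when use_as_blocklist is set)
    and the Alert Severity parameter."""
    if severity not in SEVERITIES:
        raise ValueError(f"Alert Severity must be one of {SEVERITIES}")
    alerts = []
    for record in records:
        flat = flatten_record(record)
        event_type = flat.get(event_field)
        if dynamic_list:
            listed = event_type in dynamic_list
            # Allowlist drops unlisted types; blocklist drops listed ones.
            if listed == use_as_blocklist:
                continue
        alerts.append({
            "id": flat["EventId"],
            "event_type": event_type,
            "severity": severity,
            "source": flat.get("CloudTrailEvent_insightDetails_eventSource"),
            "api": flat.get("CloudTrailEvent_insightDetails_eventName"),
            "fields": flat,
        })
    return alerts
```

Pass the dictionary from lookup_kwargs as `client.lookup_events(**lookup_kwargs(...))` and feed the returned "Events" list to build_alerts; in a real connector you would also persist the newest EventTime as the timestamp for the next iteration and honour NextToken when more than one page is available.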