AWS CloudTrail
AWS CloudTrail is cloud audit log data that describes activity across your AWS accounts. This is one of the most valuable data sources for running detections in AWS. This guide walks through how to set up AWS CloudTrail as a log source in Scanner Collect, so that logs can be ingested from S3, normalized, and indexed for search and detection.
Step 1: Create a New Source
Navigate to the Collect tab in the Scanner UI.
Click Create New Source.
Click Select a Source Type.
In the AWS category, select AWS: CloudTrail.
You’ll see that:
Ingest Method is set to AWS S3
Destination is set to Scanner
Click Next.
Step 2: Configure the Source
Set a Display Name, such as my-org-cloudtrail.
Leave File Type as CloudTrailJson.
Leave Compression as Gzip.
Click Next.
Step 3: Set the Origin (S3 Bucket)
Select the S3 bucket where your CloudTrail logs are stored.
(Optional) Enter a Bucket Prefix if logs are stored under a specific key path (e.g., AWSLogs/your-account-id/CloudTrail/).
Keep the File Regex as the default, which helps Scanner filter out non-CloudTrail objects.
Click Next.
Step 4: Set the Destination
Choose the Scanner index where CloudTrail logs should be stored for search and detection.
Leave the Source Label set to aws:cloudtrail.
Click Next.
Step 5: Transform and Enrich
Keep the default enrichment settings:
Normalize to ECS - AWS CloudTrail
Parse JSON Columns (automatically parses stringified JSON if present)
(Optional) Add additional transformation or enrichment steps if desired.
Click Next.
Step 6: Timestamp Extraction
Leave the default Timestamp Field as eventTime.
Click Next.
Step 7: Review and Create
Review your configuration.
(Optional) Use the preview feature to confirm how Scanner will match S3 keys and parse your log files.
When everything looks correct, click Create Source.
Once created, Scanner will begin monitoring your S3 bucket for new CloudTrail logs, index them into your selected destination, and make them available for search and detection.
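As an added illustration (not Scanner's own code), the following Python mirrors what the preview in Step 7 lets you confirm: which S3 keys are treated as CloudTrail objects, how a Gzip-compressed CloudTrailJson object is unpacked into its Records, how stringified JSON columns are decoded, and how eventTime becomes the event timestamp. The key regex is an assumption based on the object layout AWS documents, not Scanner's default File Regex, and the sample object and keys are constructed.

```python
import gzip
import json
import re
from datetime import datetime, timezone

# Illustrative key filter (an assumption, not Scanner's default File Regex). It follows the
# CloudTrail object layout AWS documents and rejects the CloudTrail-Digest objects that land
# in the same bucket under the same AWSLogs/<account>/ prefix.
CLOUDTRAIL_KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/"
    r"(?P=account)_CloudTrail_(?P=region)_\d{8}T\d{4}Z_\w+\.json\.gz$"
)

def key_matches(key: str) -> bool:
    """True if the S3 key looks like a CloudTrail log object worth ingesting."""
    return CLOUDTRAIL_KEY_RE.match(key) is not None

def parse_json_columns(record: dict) -> dict:
    """Mimic 'Parse JSON Columns': decode top-level string values that hold JSON."""
    out = dict(record)
    for field, value in record.items():
        if isinstance(value, str) and value[:1] in ("{", "["):
            try:
                out[field] = json.loads(value)
            except json.JSONDecodeError:
                pass  # not JSON after all; keep the raw string
    return out

def load_cloudtrail_object(gz_bytes: bytes) -> list:
    """CloudTrailJson + Gzip: one compressed JSON document with a top-level 'Records' array."""
    doc = json.loads(gzip.decompress(gz_bytes))
    events = []
    for rec in doc.get("Records", []):
        rec = parse_json_columns(rec)
        # eventTime is the timestamp field chosen in Step 6; CloudTrail writes it as ISO-8601 UTC.
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        rec["@timestamp"] = ts.replace(tzinfo=timezone.utc)
        events.append(rec)
    return events

# Constructed sample object (not real account data): two records, the second carrying a
# stringified requestParameters value so parse_json_columns() has something to decode.
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "requestParameters": None},
    {"eventTime": "2024-05-01T12:05:30Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com",
     "requestParameters": "{\"userName\": \"example-user\"}"},
]}).encode())
```

Run key_matches() against a log key and a digest key from the same prefix, then load_cloudtrail_object(SAMPLE_OBJECT), to see one object accepted, one rejected, and the second record's requestParameters come back as a dict.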