Threat Detection based on CloudTrail

Every action taken in your infrastructure resources results in a registry in AWS CloudTrail. This includes all AWS account activity, actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history is extremely useful for detecting unwanted or unexpected activity involving your AWS resources, however, it’s quite noisy.

Sysdig Secure for cloud analyzes every CloudTrail entry in real time against a flexible set of security rules based on open source Falco language. This allows you to detect threats and raise notifications so you can address security threats as quickly as possible.

Sysdig Secure Event Feed

When you enable a security policy for CloudTrail, any detection triggered on its rules will appear on your Sysdig dashboard’s event feed, integrated with all the security events processed by the platform, as a single source of truth for all security incidents.

Cloud security events on Sysdig event feed

Events include details about the detection, resources affected, region, AWS account, the user that issued the command, source IP address, and compliance tags associated with the rule.

Cloud security event details

Falco rules for CloudTrail

CloudTrail library includes a very rich set of Falco rules out of the box. These were created taking into consideration several security standards and best practice references, including:

You can visit the bundled rules section for the complete list of Falco rules available out of the box.

Falco rules library in Sysdig dashboard

You can also easily modify or create new Falco rules using the integrated editor in your Sysdig dashboard.

Using the Falco language reference that is easy to understand and has an active open source community, creation of this rules is not complicated.

Falco rules editor in Sysdig dashboard

Visit the AWS Workshop for hands-on training

For more information and hands-on training on this and other features of Sysdig Secure for cloud, visit the official AWS Workshop at:

Continue to next sections

Want to learn about policies and test detecting an event?

Visit the Using policies and triggering events section.

Do you want to check the full list of bundled CloudTrail Falco rues?

Visit the Rules bundled section.

Do you want to set up integration with AWS Security Hub?

Visit the AWS Security Hub integration section

Ready to learn more about all of the security capabilities?

Visit the Threat Detection based on CloudTrail section.
Visit the Cloud Security Posture Management and Compliance section.
Visit the ECR Image Registry Scanning section.
Visit the Fargate Image Scanning section.

Please visit any of the following sections for more information: