Threat Detection based on CloudTrail
Every action taken on your infrastructure resources results in a record in AWS CloudTrail. This includes all AWS account activity: actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history is extremely useful for detecting unwanted or unexpected activity involving your AWS resources; however, it is quite noisy.
Sysdig Secure for cloud analyzes every CloudTrail entry in real time against a flexible set of security rules written in the open source Falco language. This allows you to detect threats and raise notifications so you can address them as quickly as possible.
Sysdig Secure Event Feed
When you enable a security policy for CloudTrail, any detection triggered on its rules will appear on your Sysdig dashboard’s event feed, integrated with all the security events processed by the platform, as a single source of truth for all security incidents.
Events include details about the detection, resources affected, region, AWS account, the user that issued the command, source IP address, and compliance tags associated with the rule.
Falco rules for CloudTrail
The CloudTrail library includes a very rich set of Falco rules out of the box. These were created taking into consideration several security standards and best-practice references, including:
- NIST 800-53
- PCI DSS
- SOC 2
- CIS AWS
- AWS Foundational Security Best Practices
You can visit the bundled rules section for the complete list of Falco rules available out of the box.
You can also easily modify or create new Falco rules using the integrated editor in your Sysdig dashboard.
Because the Falco language reference is easy to understand and backed by an active open source community, creating these rules is not complicated.
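As an added illustration (not code from Sysdig or the Falco project), the Python below applies two checks of the kind the bundled rules express to a few constructed CloudTrail records: a successful StopLogging or DeleteTrail call, and a console login that CloudTrail reports as completed without MFA. The rule names, priorities and sample values are assumptions made for this example.

```python
import json

# Constructed sample CloudTrail records (not real account data); only the
# fields the two checks consult are present, real records carry many more.
SAMPLE_EVENTS = [
    '{"eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",'
    ' "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {"name": "org-trail"}}',
    '{"eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",'
    ' "errorCode": "AccessDeniedException", "userIdentity": {"type": "IAMUser", "userName": "carol"}}',
    '{"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",'
    ' "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}',
    '{"eventName": "ConsoleLogin", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.8",'
    ' "userIdentity": {"type": "IAMUser", "userName": "dave"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}',
    '{"eventName": "DescribeTrails", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",'
    ' "userIdentity": {"type": "IAMUser", "userName": "alice"}}',
]

def logging_disabled(event):
    # A successful StopLogging or DeleteTrail call. A record that carries
    # errorCode is a failed attempt: logging did not actually stop.
    return event.get("eventName") in ("StopLogging", "DeleteTrail") and "errorCode" not in event

def console_login_without_mfa(event):
    # Successful console login for which CloudTrail reports MFAUsed = "No".
    return (event.get("eventName") == "ConsoleLogin" and "errorCode" not in event
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")

# (rule name, priority, condition): the same three ingredients a Falco rule carries.
RULES = [
    ("CloudTrail Logging Disabled", "CRITICAL", logging_disabled),
    ("Console Login Without MFA", "CRITICAL", console_login_without_mfa),
]

def evaluate(lines):
    """Run every rule over each JSON record; return one finding per match."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for name, priority, condition in RULES:
            if condition(event):
                findings.append({"rule": name, "priority": priority,
                                 "user": event.get("userIdentity", {}).get("userName"),
                                 "region": event.get("awsRegion"),
                                 "source_ip": event.get("sourceIPAddress")})
    return findings
```

Of the five constructed records only the first and third produce findings; the denied StopLogging, the MFA-backed login and the read-only DescribeTrails call are the noise the rules filter out.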
Visit the AWS Workshop for hands-on training
For more information and hands-on training on this and other features of Sysdig Secure for cloud, visit the official AWS Workshop at: