It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda XDR
Overview Documentation Materials

Integrating AWS Cloudtrail with XDR Dashboard

  • Last updated on

The steps below outline integration between AWS CloudTrail and XDR Monitoring. AWS CloudTrail service helps monitor governances, compliance, and operational and risk auditing of AWS accounts. Customers who are looking to monitor their AWS environment should follow the implementation instructions listed below to enable XDR to monitor their AWS environment in real time.

To integrate AWS Cloudtrail

  1. If your Trail isn't set up, follow this link to set up a trail within cloudtrail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.htm
  2. Ensure the trail is logging to a S3 Bucket. If you edit the trail, you can see the name of the bucket it's writing log files to. Take note of the S3 Bucket Name:

    1.png
  3. Set up an SQS Queue and use this template for its access policy:
    Replace with the ARN of the SQS queue you just made
    Replace with the name of the S3 Bucket that your CloudTrail is writing logs to
    Afterwards hit save and then take note of the URL of the SQS Queue
    {
        "Version": "2012-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
           {
               "Sid": "__owner_statement",
               "Effect": "Allow",
               "Principal": "*",
               "Action": "SQS:*",
               "Resource": "<SQS-queue-ARN>",
               "Condition": {
                    "ArnLike": {
                        "aws:SourceArn": "arn:aws:s3:*:*:<bucket-name>"
                    }
               }
           }
       ]
    }

    2.png
  4. Navigate to the S3 Bucket that your cloudtrail is writing logs to.
    Click Properties > Scroll down to Event Notifications and click Create event notification.
    Type a name for the event name.
    In Event Types, select everything to monitor all Cloudtrail updates.
    For the Destination, enter the SQS queue you made.

    3.png
  5. For XDR to receive AWS SQS messages, an access key id and secret access key will need to be generated. A user permissioned in IAM with a role only allowed to read access from SQS queues:
  6. Once completed, provide XDR the following information -