How To Search AWS CloudTrail Logs

If you're looking for an easy CloudTrail log analysis explainer, look no further. In this blog we'll show you where your CloudTrail logs are stored, how to search and analyze logs with JQ, and how to use Gigasheet to search your AWS CloudTrail logs without any coding or configuration.

On-premise infrastructure is slowly hitting a dead-break as cloud adoption continues. AWS, GCP, and Azure are at the forefront of this change. However, as organizations continue to make this move; one thing which still persists is the security of their cloud infrastructure.

Luckily, these three services do a tremendous job at logging user activity in the cloud. In this article, I’m going to focus on Amazon Web Services and the logs it generates for security analysts to review. In a later series, we might explore other cloud platforms as well.

With that said, let’s first discuss the service AWS uses to log user activities - CloudTrail.

What is AWS CloudTrail?

AWS CloudTrail is a service released by AWS to perform governance, risk management, and compliance (GRC) checks on the cloud. CloudTrail is enabled on all AWS accounts by default  to ensure operational security. The service logs all actions performed on the cloud as ‘events’.

CloudTrail can log all actions taken by:

• Users
• Roles
• AWS Services

These actions can further be taken on any one of these following modes of accessing cloud infrastructure on AWS:

• Management Console (the web)
• Command-line Interface (AWSCLI)
• AWS SDK (development kits)
• APIs

If you’re an incident responder performing root-cause analysis, CloudTrail logs can quickly help pinpoint the initial point of intrusion. By picking up a trail of abnormal API calls, you can quickly uncover compromised users or rogue insiders. These logs can be particularly helpful to threat hunters as well. By looking for known patterns of API calls, you can quickly identify suspicious activity and take swift action.

Interested in a more detailed overview of how CloudTrail works? Give this a read. Let’s switch our focus to accessing CloudTrail logs now.

View our other AWS articles:

• How to Analyze AWS VPC Flow Logs
• Incident Response in the AWS Cloud
• AWS Account Takeover via Log4shell

Where are AWS CloudTrail logs stored?

By default, CloudTrail is enabled for all AWS accounts and continues to log activities made through the management console, command-line interface, and SDKs. Head over to CloudTrail, open up the Event History tab and it’s going to pull up all activity on your AWS account from the last 90 days.

Event History in AWS CloudTrail

However, a trail still needs to be created if you wish to record events beyond 90-days worth of logs. Here’s an excellent article by Amazon itself on how to create trails on AWS CloudTrail.

Now that you’ve configured a trail, it’s time to access your CloudTrail logs. Head over to S3 and find the bucket configured against your trail. CloudTrail logs are nested under the bucket in the following order of folders:

• Bucket name and prefix of the trail (e.g. ‘cloudsecurity’)
• AWSLogs
• AccountID
• CloudTrail
• Region
• Year
• Month
• Day
• Logfile (.gzip archive)

CloudTrail Logs in S3

Once you’re at the end of the trail, you’ll see a gun-zipped log file with the filename conforming to the format;

{ACCOUNT_ID}_CloudTrail_{REGION}_{DATETIME}_{UNIQUESTRING}.json.gz.

Let’s download it and analyze CloudTrail logs with Gigasheet and JQ.

Analyzing CloudTrail Logs with JQ

CloudTrail log files store events in the JSON format. To easily view and perform analysis on JSON log files, we can use Gigasheet (more on that later), or more powerful command-line utilities like JQ. JQ is a lightweight command-line processor for JSON files using which we can view, modify, and transform our data as needed.

Looking for an easier method, with no-coding or install? Skip ahead

Here, I’ll be using the FLAWS2 dataset released by Scott Piper of Summit Route. You can access the exercises released by Scott and download the logs from the S3 service. Start by decompressing the recently acquired log files. Once done, you’ll have a few JSON files. Let’s run a simple JQ query to see what data is returned by the processor:

jq . *json

JQ works on the concept of filters which take an input and produce a JSON output. Here, the ‘.’ is the simplest filter available to JQ called the ‘identity filter’. This simply takes in a JSON-formatted string and pretty-prints the output to standard output (without modification).

CloudTrail logs are a collection of events which are stored in the parent ‘Records’ array. Let’s use JQ to process the ‘Records’ array and filter on the first record to see what fields are available in a single log.

jq ‘.Records[0]’ *.json

Here, we get the first record from the Records array. This log contains several key pointers to show what the user was attempting to do along with quick identifiers to hunt for a compromise. userName field states the name of the user on the AWS cloud which was used to perform the suspicious API calls (which in this case is a CreateVPC call). We also get the SourceIPAddress which can be used as a sound indicator of compromise (if it isn’t the typical IP address used by the same reported user).

What if you want to filter on the SourceIPAddress and see what other events are logged by the same IP? First, let’s view all IP addresses logged by CloudTrail:

jq ‘.Records | .sourceIPAddress’ *.json

Now that we have all reported IP addresses, let’s hunt for the activity from the IP address: 104.102.221.250.

jq '.Records[] | select(.sourceIPAddress="104.102.221.250")'  *.json

Whew, that’s a lot of logs. You can now see what activities were performed by the user behind the IP address and other analytics as well e.g. whether the username is the same or if the attacker has access to more users.

JQ is fairly easy to use. However, you still have to be a command-line kung fu to master the usage of JQ. With the added pressure of an incident, using tools on the command-line becomes a bit hectic. What’s the solution? Gigasheet!

Analyzing CloudTrail Logs with Gigasheet

Gigasheet requires zero configuration to get started with the analysis of CloudTrail logs. Not only can you avoid the configuration steps, you won’t be installing tools, dependencies, or have to remember long commands to process the JSON files. It’s all a click away (and it's free).

Sign Up For Gigasheet - Free

Let’s get started by ingesting our logs on Gigasheet. Once logged in, you should be at the Your Files page where you can import your logs. Simply click ‘Upload’ and upload your logs by either:

• Specifying the S3 bucket link where the CloudTrail logs are stored
• Uploading the logs from the local file system

Uploading Logs to Gigasheet

If you’ve noticed, you don’t have to decompress the logs as Gigasheet will take care of it for you. Neither from the S3 bucket, nor from your local system.

Once uploaded, your file should be processed in no time. Again, no input is required from your end. Click the recently uploaded file as soon as the status changes to processed. Here’s how the logs look on Gigasheet’s grid view:

Default View on Gigasheet

Now, let’s start with the same set of analysis we previously performed via JQ. The output’s already pretty-printed for us here. To view the first record, click the first row and press the Rows button on the right of your window to open the detailed view.

Detailed View of Row

Now, let’s use the Group the events together using the SourceIPAddress field. Open the Columns view from the right of your window and drag the SourceIPAddress column to the Row Groups section at the bottom. That’s it.

Grouping Data

You can also apply a filter to select the IP address. Head over to the Filters tab and select the SourceIPAddress column and specify the IP address you’d like to filter it against. Reducing noise becomes important as the data scales to over hundreds of logs.

Applying Filters on Gigasheet

Using Gigasheet, you can also perform enrichment on known bad indicators. Say you’re suspicious of the IP address, 104.102.221.250, and want to quickly check if others have scanned the IP on platforms like VirusTotal before. You can do so while being in Gigasheet’s own grid view!

Select the Enrichment tab from the top icon bar. Change the column to which you want to apply the enrichment to and specify the VirusTotal or Recorded Future's API key (you can acquire them from the platforms respectively). Click “Enrich Data” and you should have new columns with data enrichments from the platforms. See how just a few clicks can save you minutes worth of work.

What’s Next?

That’s it for our first article on analyzing CloudTrail logs with Gigasheet. In the next article, we’ll take a more detailed overview of the compromise covered by the FLAWS2 dataset and see how Gigasheet can be used for analysis of Cloud logs.

Do you frequently analyze CloudTrail logs to hunt for indicators of compromise? You’ve seen how Gigasheet can help you parse, process, and analyze logs from CloudTrail in an instant. It requires zero configuration and can be used for powerful analytics from the get-go.

Sign up for Gigasheet and upload your log files to get started for free today!