AWS CloudTrail
LAST UPDATED: DECEMBER 12, 2025
Overview
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
D3 SOAR provides REST operations to work with AWS CloudTrail.
For example, you can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.
AWS CloudTrail is available for use in:
Known Limitations
Your AWS account has default quotas (formerly referred to as limits) for each AWS service. The following table describes the quotas within CloudTrail. None of the CloudTrail quotas are adjustable.
Resource | Default Limit | Comments |
Trails per region | 5 | This limit cannot be increased. |
Get, describe, and list APIs | 10 transactions per second (TPS) | The maximum number of operation requests you can make per second without being throttled. The LookupEvents API is not included in this category. This limit cannot be increased. |
LookupEvents API | 2 transactions per second (TPS) | The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased. |
All other APIs | 1 transaction per second (TPS) | The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased. |
Event data stores in CloudTrail Lake | 5 per region | This limit cannot be increased. |
Event selectors | 5 per trail | This limit cannot be increased. |
Advanced event selectors | 500 conditions across all advanced event selectors | If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. Unless a trail logs data events on all resources, such as all S3 buckets or all Lambda functions, a trail is limited to 250 data resources. Data resources can be distributed across event selectors, but the overall total cannot exceed 250. This limit cannot be increased. |
Data resources in event selectors | 250 across all event selectors in a trail | If you choose to limit data events by using event selectors or advanced event selectors, the total number of data resources cannot exceed 250 across all event selectors in a trail. The limit of a number of resources on an individual event selector is configurable up to 250. This upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors. Examples: A trail with 5 event selectors, each configured with 50 data resources, is allowed. (5*50=250) A trail with 5 event selectors, 3 of which are configured with 50 data resources, 1 of which is configured with 99 data resources, and 1 of which is configured with 1 data resource, is also allowed. ((3*50)+1+99=250) A trail configured with 5 event selectors, all of which are configured with 100 data resources, is not allowed. (5*100=500) This limit cannot be increased. The limit does not apply if you choose to log data events on all resources, such as all S3 buckets or all Lambda functions. |
Event size | All event versions: events over 256 KB cannot be sent to CloudWatch Logs. Event version 1.05 and newer: total event size limit of 256 KB. | Amazon CloudWatch Logs and Amazon CloudWatch Events each allow a maximum event size of 256 KB. CloudTrail does not send events over 256 KB to CloudWatch Logs or CloudWatch Events. Starting with event version 1.05, events have a maximum size of 256 KB. This is to help prevent exploitation by malicious actors and allow events to be consumed by other AWS services, such as CloudWatch Logs and CloudWatch Events. |
CloudTrail file size sent to Amazon S3 | 50 MB ZIP file, after compression | For both management and data events, CloudTrail sends events to S3 in a maximum of 50 MB (compressed) ZIP files. If enabled on the trail, log delivery notifications are sent by Amazon SNS after CloudTrail sends ZIP files to S3. |
Refer to Quotas in AWS CloudTrail for detailed information.
Connection
Gather the following information to connect D3 SOAR to AWS CloudTrail.
Parameter | Description | Example |
Server URL | The AWS domain level server URL. | https://cloudtrail.<region_name>.amazonaws.com |
Access Key | The access key used for authentication. | ***** |
Access Secret | The secret key used for authentication. | ***** |
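Added example (not D3 SOAR or AWS code) showing how these three parameters are consumed: a CloudTrail call is a POST to the regional Server URL, signed with AWS Signature Version 4 using the access key and secret, with the operation named in the X-Amz-Target header. The key pair and the fixed DEMO_TIME are constructed values; the X-Amz-Target prefix is the CloudTrail JSON 1.1 protocol target. The region is taken from the Server URL because the signature's credential scope must name the same region as the endpoint, so a wrong <region_name> fails at signing rather than with an empty trail list.

```python
"""Sign a CloudTrail REST (JSON 1.1) request with AWS Signature Version 4
using only the standard library. Added example for this page, not D3 SOAR
code; the key pair and DEMO_TIME used below are constructed values."""
import datetime
import hashlib
import hmac
import json
from urllib.parse import urlparse

SERVICE = "cloudtrail"
# CloudTrail selects the operation through the X-Amz-Target header.
TARGET_PREFIX = "com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101."
# Constructed, fixed timestamp so the signature is repeatable for the demo.
DEMO_TIME = datetime.datetime(2025, 12, 12, 0, 0, 0)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def region_from_url(server_url: str) -> str:
    """Take the signing region from https://cloudtrail.<region>.amazonaws.com.
    AWS rejects a request whose credential scope names a different region."""
    host = urlparse(server_url).hostname or ""
    parts = host.split(".")
    if len(parts) != 4 or parts[0] != SERVICE or parts[2:] != ["amazonaws", "com"]:
        raise ValueError(f"not a regional CloudTrail endpoint: {server_url}")
    return parts[1]


def sign_request(server_url, access_key, secret_key, operation, payload, when=None):
    """Return (headers, body) for a signed POST invoking `operation`,
    e.g. 'ListTrails' with payload {} or 'GetTrailStatus' with {'Name': ...}."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    region = region_from_url(server_url)
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")

    headers = {                      # lowercase names: SigV4 canonical form
        "content-type": "application/x-amz-json-1.1",
        "host": urlparse(server_url).hostname,
        "x-amz-date": amz_date,
        "x-amz-target": TARGET_PREFIX + operation,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # method, path, empty query string, headers, signed header list, body hash
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(body)])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         _sha256_hex(canonical_request.encode("utf-8"))])

    # Key derivation chain: the secret itself never goes on the wire.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, body


if __name__ == "__main__":
    hdrs, body = sign_request("https://cloudtrail.us-east-1.amazonaws.com",
                              "AKIAIOSFODNN7EXAMPLE",
                              "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                              "ListTrails", {}, DEMO_TIME)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

To send the request, pass the returned headers and body to any HTTP client as a POST to the Server URL; the x-amz-date must be within a few minutes of the server clock, so sign immediately before sending rather than caching the headers.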
Permission Requirements
Each endpoint in the AWS CloudTrail API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Service | Access level (Actions) |
Create Trails | CloudTrail | CreateTrail |
Delete Trails | CloudTrail | DeleteTrail |
Describe Trails | CloudTrail | DescribeTrails |
Get Event Selectors | CloudTrail | GetEventSelectors |
Get Insight Selectors | CloudTrail | GetInsightSelectors |
Get Trails | CloudTrail | GetTrail |
Get Trail Status | CloudTrail | GetTrailStatus |
List Tags | CloudTrail | ListTags |
List Trails | CloudTrail | ListTrails |
Lookup Events | CloudTrail | LookupEvents |
Put Event Selectors | CloudTrail | PutEventSelectors |
Put Insight Selectors | CloudTrail | PutInsightSelectors |
Remove Tags | CloudTrail | RemoveTags |
Start Logging | CloudTrail | StartLogging |
Stop Logging | CloudTrail | StopLogging |
Update Trails | CloudTrail | UpdateTrail |
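The following added example, which is not D3 SOAR code, turns the table above into a policy document and checks an arbitrary policy against it. It splits the actions into a read-only statement and a mutating one, so a connection used only for Lookup Events and trail inspection can be given a user without Stop Logging or Delete Trails rights, and it reports Allow actions that reach outside cloudtrail:*. The Sid values and the shape of the policy built by build_policy are this example's own choices, not a D3 requirement.

```python
"""Check that an IAM policy document grants every CloudTrail action the
D3 SOAR integration commands need, and nothing outside cloudtrail:*.
Added example for this page, not D3 SOAR or AWS code; the policy it
builds is one least-privilege layout, with Sids chosen here."""
import fnmatch
import json

# Actions from the Permission Requirements table, grouped so that a
# read-only connection can be granted only the first set.
READ_ACTIONS = [
    "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors",
    "cloudtrail:GetInsightSelectors", "cloudtrail:GetTrail",
    "cloudtrail:GetTrailStatus", "cloudtrail:ListTags",
    "cloudtrail:ListTrails", "cloudtrail:LookupEvents",
]
WRITE_ACTIONS = [
    "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors", "cloudtrail:PutInsightSelectors",
    "cloudtrail:RemoveTags", "cloudtrail:StartLogging",
    "cloudtrail:StopLogging", "cloudtrail:UpdateTrail",
]


def build_policy(include_write: bool = True) -> dict:
    """Return a policy document for the integration user; drop the write
    statement when the connection only needs to read and look up events."""
    statements = [{"Sid": "D3CloudTrailRead", "Effect": "Allow",
                   "Action": READ_ACTIONS, "Resource": "*"}]
    if include_write:
        statements.append({"Sid": "D3CloudTrailWrite", "Effect": "Allow",
                           "Action": WRITE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def allowed_actions(policy: dict) -> list:
    """Flatten the Action entries of every Allow statement (IAM permits a
    single statement object or a list, and a string or a list of actions)."""
    out = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow" or "Action" not in s:
            continue
        acts = s["Action"]
        out.extend([acts] if isinstance(acts, str) else acts)
    return out


def missing_actions(policy: dict, required: list) -> list:
    """Required actions that no Allow action matches. IAM action matching
    is case-insensitive and accepts * wildcards such as cloudtrail:Get*."""
    granted = [a.lower() for a in allowed_actions(policy)]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]


def overly_broad(policy: dict) -> list:
    """Allow actions that grant something outside the cloudtrail service."""
    return [a for a in allowed_actions(policy)
            if not a.lower().startswith("cloudtrail:")]


if __name__ == "__main__":
    doc = build_policy(include_write=False)
    print(json.dumps(doc, indent=2))
    print("missing for the full command set:",
          missing_actions(doc, READ_ACTIONS + WRITE_ACTIONS))
```

Paste the printed document into the Create Policy JSON editor, or run missing_actions against a policy exported from IAM to confirm a 401/AccessDenied on a command is a missing action rather than a bad key.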
Configuring AWS CloudTrail to Work with D3 SOAR
If your login user is ready to use (no policy configuration is needed), please follow the steps below to get your access key and secret key.
If you want to configure an account with limited API access, please follow Creating Policy > Creating User > Access Key and Secret Key to get the keys.
Sign in to the AWS console with your account credentials.
Click the account icon at the top right corner, then click Security Credentials.
On the My security credentials page, under the AWS IAM credentials tab, click Create access key to create a new Access Key and Secret Key.
READER NOTE
If you do not have permission to read or create an access key, please ask your administrator for help.
Copy the Access key ID and the Secret access key to use to connect with D3 SOAR.
READER NOTE
The secret access key can only be viewed or downloaded at this time. It is recommended that you promptly download the .csv file and securely store it for future reference. If you lose or forget your secret key, you will not be able to recover it. If you have lost your secret key, you will need to create a new access key and deactivate the old key. You can have a maximum of two access keys (active or inactive) at a time.
Creating Policy
Click on Services, which will expand the navigation menu. Then select IAM.
Select Access management, which will open a menu where you can select Policies. Then, click the Create Policy button.
In the Select a service section, click Service and choose a service. Refer to Permission Requirements for the service to select (CloudTrail). Then click Next.
In the Actions allowed section, use the search box to find each action. For example, search for ListTrails and tick the checkbox underneath it. Refer to Permission Requirements for the necessary Access level (Actions); multiple actions can be granted in the same policy. Then click Next.
Type a name in the text box under Policy name. Click Create policy.
Creating User
Locate the Users tab.
Type a user name into the User details field, then click Next.
Select your desired permissions under Permissions options. It is suggested to link directly to your created policy by selecting Attach policies directly. Please refer to Creating Policy for more detailed information. Then click Next.
Review the details you have entered, and click Create user.
Access Key and Secret Key
Find the user you have created, and click on your user to access the details.
Under the Security credentials tab, click on Create access key.
Create an access key and save the details. Click Done after saving these credentials.
READER NOTE
The secret access key can only be viewed or downloaded at this time. It is recommended that you promptly download the .csv file and securely store it for future reference. If you lose or forget your secret key, you will not be able to recover it. If you have lost your secret key, you will need to create a new access key and deactivate the old key. You can have a maximum of two access keys (active or inactive) at a time.
Configuring D3 SOAR to Work with AWS CloudTrail
Log in to D3 SOAR.
Find the AWS CloudTrail integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type AWS CloudTrail in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to AWS CloudTrail.

Connection Name: The desired name for the connection.
Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): The description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: The checkbox that enables the connection to be used when selected.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL. The default value is https://cloudtrail.<region_name>.amazonaws.com. Replace <region_name> with the home region of the trails you want to manage, since the trail commands only see trails created in the region of the connection.
2. Input the Access Key obtained in step 3 of Access Key and Secret Key.
3. Input the Access Secret (the secret access key) obtained in step 3 of Access Key and Secret Key.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Test the connection.
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
AWS CloudTrail includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the AWS CloudTrail API, refer to the AWS CloudTrail API reference.
READER NOTE
Certain permissions are required for each command. Refer to the Permission Requirements and Configuring AWS CloudTrail to Work with D3 SOAR for details.
Create Trails
Creates trails that define the settings for delivering log data to an Amazon S3 bucket.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The names of the trails to create, one trail per name. Each value must be between 3 and 128 characters and contain only ASCII letters (a–z, A–Z), numbers (0–9), periods (.), underscores (_), or dashes (-). Each value must start and end with a letter or number. | JSON |
S3 Bucket Name | Required | The name of the Amazon S3 bucket for publishing log files. By default, S3 buckets and objects are private, so the bucket policy must allow CloudTrail to write log files before the trail can be created; an organization trail needs the additional organization statements in that policy. A missing or wrong policy produces the "Incorrect S3 bucket policy" error shown under Error Handling. Refer to Amazon S3 bucket policy for CloudTrail for details. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Trails failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Incorrect S3 bucket policy is detected for bucket: xxx. |
Error Sample Data Create Trails failed. Status Code: 400. Message: Incorrect S3 bucket policy is detected for bucket: xxx. |
Delete Trails
Deletes specified trails. The operation must be executed from the region in which the trails were created.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The names or CloudTrail ARNs of the trails to delete. Trail Names can be obtained using the List Trails command. Trails can be deleted only from the region in which they were created, which is their home region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Trails failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data Delete Trails failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Describe Trails
Retrieves settings for one or more trails associated with the current account region.
READER NOTE
Trail Names is an optional parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Optional | The trails to describe. The values can be trail names or ARNs. Trail Names can be obtained using the List Trails command. By default, settings for all trails in the current region will be returned. Do not include shadow trail names, as a shadow trail replicates a trail that was created in a different region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Describe Trails failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data Describe Trails failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Get Event Selectors
Describes the event selector settings configured for specified trails.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trail names or trail ARNs used to retrieve event selectors. Trail Names can be obtained using the List Trails command. Event selectors can be retrieved only from the region in which the trails were created, which is their home region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Event Selectors failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data Get Event Selectors failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Get Insight Selectors
Describes the insight event selector settings configured for specified trails.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trail names or trail ARNs used to retrieve insight selectors. Trail Names can be obtained using the List Trails command. Insight selectors can be retrieved only from the region in which the trails were created, which is their home region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Insight Selectors failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data Get Insight Selectors failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Get Trails
Retrieves settings for specified trails associated with the current account region.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trails to retrieve. The values can be trail names or ARNs. Trail Names can be obtained using the List Trails command. Do not include shadow trail names, as a shadow trail replicates a trail that was created in a different region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Trails failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data Get Trails failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Get Trail Status
Returns status information for specified trails. The response includes details about delivery errors, Amazon SNS and Amazon S3 errors, and logging start and stop times. Trail status is retrieved from a single region. Retrieving status from all regions requires running the command for each region.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trails for which to retrieve status. The values can be trail names or ARNs. Trail Names can be obtained using the List Trails command. Status is returned only for the region of the connection. Do not include shadow trail names, as a shadow trail replicates a trail that was created in a different region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Trail Status failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data Get Trail Status failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
List Tags
Lists the tags associated with specified trails in the current region.
READER NOTE
Trail ARNs is a required parameter to run this command.
Run the List Trails command to obtain Trail ARNs. Trail ARNs can be found in the raw data at $.Trails[*].TrailARN.
Input
Input Parameter | Required/Optional | Description | Example |
Trail ARNs | Required | The trail ARNs whose tags will be listed. Trail ARNs can be obtained using the List Trails command. Up to a maximum of 20 ARNs can be listed. Tags can be retrieved only from the region in which the trails were created, which is their home region. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The ARN lll is invalid. |
Error Sample Data List Tags failed. Status Code: 400. Message: The ARN lll is invalid. |
List Trails
Returns all trails in the current region. The list will include any associated shadow trails in other regions.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Trails failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: N/A. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: N/A |
Error Sample Data List Trails failed. Status Code: N/A. Message: N/A |
Lookup Events
Looks up management events and CloudTrail Insights events recorded by CloudTrail in the region of the connection. Lookup covers events from the last 90 days, and the LookupEvents API is throttled at 2 transactions per second (refer to Known Limitations), so schedule this command accordingly.
Input
Input Parameter | Required/Optional | Description | Example |
Attribute Key | Optional | The key of the lookup attribute. Valid keys are AccessKeyId, EventId, EventName, EventSource, ReadOnly, ResourceName, ResourceType, and Username. An EventId value must be a valid UUID. | EventId |
Attribute Value | Optional | The value of the lookup attribute. | ***** |
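Added example, not D3 SOAR code, of what a playbook might do with the output of this command: it validates the lookup attribute before the call (the keys listed are the ones the LookupEvents API accepts, and EventId must be a UUID, which is the 400 shown under Error Handling), then parses the CloudTrailEvent JSON string embedded in each returned event and flags calls that stop, delete or narrow trail logging, keeping refused attempts as lower-severity findings. SAMPLE_RESPONSE, its user names and its trail name are constructed.

```python
"""Triage Lookup Events output for calls that reduce what CloudTrail records.
Added example, not D3 SOAR code. SAMPLE_RESPONSE is constructed to match the
shape of the CloudTrail LookupEvents response, in which each Event carries
its full record as a JSON string in the CloudTrailEvent field."""
import json
import uuid

# Attribute keys the LookupEvents API accepts; any other key is a 400.
LOOKUP_ATTRIBUTE_KEYS = {"AccessKeyId", "EventId", "EventName", "EventSource",
                         "ReadOnly", "ResourceName", "ResourceType", "Username"}

# CloudTrail management calls that stop, remove or narrow logging.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                 "PutEventSelectors", "PutInsightSelectors"}


def lookup_attribute(key, value):
    """Build the LookupAttributes entry, rejecting inputs the service refuses."""
    if key not in LOOKUP_ATTRIBUTE_KEYS:
        raise ValueError(f"unsupported AttributeKey {key!r}")
    if key == "EventId":
        uuid.UUID(value)     # ValueError here is the 'must be a valid UUID' case
    return {"AttributeKey": key, "AttributeValue": value}


def _event(name, user, params, error=None):
    """One constructed LookupEvents Event with its embedded CloudTrail record."""
    record = {"eventVersion": "1.08", "eventSource": "cloudtrail.amazonaws.com",
              "eventName": name,
              "userIdentity": {"type": "IAMUser", "userName": user},
              "requestParameters": params}
    if error:
        record["errorCode"] = error
    return {"EventId": str(uuid.uuid4()), "EventName": name, "Username": user,
            "EventSource": "cloudtrail.amazonaws.com",
            "CloudTrailEvent": json.dumps(record)}


SAMPLE_RESPONSE = {"Events": [          # constructed sample data
    _event("DescribeTrails", "alice", {}),
    _event("StopLogging", "mallory", {"name": "org-trail"}),
    _event("DeleteTrail", "mallory", {"name": "org-trail"}, error="AccessDenied"),
    _event("PutEventSelectors", "mallory", {
        "trailName": "org-trail",
        "eventSelectors": [{"ReadWriteType": "ReadOnly",
                            "IncludeManagementEvents": False}]}),
]}


def _narrowing(selectors):
    """Describe how a PutEventSelectors call shrinks coverage, if it does."""
    notes = []
    for s in selectors or []:
        if s.get("IncludeManagementEvents") is False:
            notes.append("management events disabled")
        if s.get("ReadWriteType") in ("ReadOnly", "WriteOnly"):
            notes.append(f"only {s['ReadWriteType']} management events")
    return notes


def find_tampering(response):
    """Return one finding per tamper call. Refused attempts (errorCode set)
    are kept at medium severity: a principal probing the trail controls is
    itself worth an alert."""
    findings = []
    for ev in response.get("Events", []):
        rec = json.loads(ev["CloudTrailEvent"])
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in TAMPER_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        denied = "errorCode" in rec
        findings.append({
            "event": rec["eventName"],
            "trail": params.get("name") or params.get("trailName"),
            "user": rec.get("userIdentity", {}).get("userName"),
            "denied": denied,
            "severity": "medium" if denied else "high",
            "detail": _narrowing(params.get("eventSelectors")),
        })
    return findings


if __name__ == "__main__":
    print(lookup_attribute("EventName", "StopLogging"))
    for finding in find_tampering(SAMPLE_RESPONSE):
        print(finding)
```

A scheduled run with EventSource set to cloudtrail.amazonaws.com keeps the query within the 2 TPS quota while still returning every trail-control call in the region; pair it with Get Trail Status to confirm whether logging actually stopped.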
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Lookup Events failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: EventId must be a valid UUID. |
Error Sample Data Lookup Events failed. Status Code: 400. Message: EventId must be a valid UUID. |
Put Event Selectors
Configures event selectors for specified trails. Event selectors control which management and data events CloudTrail logs. By default, trails without configured event selectors log all read and write management events and no data events. Each event selector can include up to 250 data resources, and the total number of data resources across all event selectors in a trail cannot exceed 250.
READER NOTE
Trail Names is an optional parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name, and the corresponding ARNs at $.Trails[*].TrailARN.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Optional | The trail names or CloudTrail ARNs for which to configure event selectors. Trail Names can be obtained using the List Trails command. Event selectors can be configured only from the region in which the trails were created, which is their home region. | JSON |
Read Write Type | Optional | The management event types to log, corresponding to the CloudTrail ReadWriteType values ReadOnly, WriteOnly, and All (read and write). By default, the value is set to Read And Write. | All |
Include Management Events | Optional | The option to include management events for the specified trails. When True, management events will be logged for the specified trails. By default, the value is set to True. | True |
Data Events S3 | Optional | The Amazon S3 bucket ARNs or partial ARN prefixes for which data events will be logged. | JSON |
Data Events Lambda | Optional | The AWS Lambda function ARNs for which data events will be logged. Lambda ARNs must be exact and do not support pattern matching. | JSON |
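The Put Event Selectors inputs above map onto the request body of the AWS PutEventSelectors API, and the limits in the description (250 data resources per trail, exact Lambda ARNs) are enforced server-side only after the call has been made. The following Python is an added example, not D3 SOAR or AWS code: it assembles that request body from the same inputs the command takes and checks the page's limits before anything is sent. The ReadWriteType values are the API's own (ReadOnly, WriteOnly, All), with the page's "Read And Write" default corresponding to All; the ARNs in the usage block are constructed sample values.

```python
"""Build and validate a CloudTrail PutEventSelectors request body offline.

Added example (not D3 SOAR or AWS code). Enforces the limits this page
states before a request is sent: at most 5 event selectors per trail and
at most 250 data resources in total, unless the trail logs data events on
all S3 buckets or all Lambda functions. Lambda ARNs must be exact, so
wildcards are rejected. No AWS call is made.
"""
import json

MAX_EVENT_SELECTORS_PER_TRAIL = 5     # Known Limitations: event selectors per trail
MAX_DATA_RESOURCES_PER_TRAIL = 250    # Put Event Selectors description
READ_WRITE_TYPES = ("ReadOnly", "WriteOnly", "All")   # API enum values

# Resource types and the "all resources" values the API uses for data events
S3_TYPE, ALL_S3 = "AWS::S3::Object", "arn:aws:s3"
LAMBDA_TYPE, ALL_LAMBDA = "AWS::Lambda::Function", "arn:aws:lambda"


def _check_s3(arn):
    # Either every bucket (arn:aws:s3) or a bucket ARN / object prefix
    if arn != ALL_S3 and not arn.startswith("arn:aws:s3:::"):
        raise ValueError(f"not an S3 bucket ARN or prefix: {arn}")


def _check_lambda(arn):
    # Either every function (arn:aws:lambda) or one exact function ARN
    if arn == ALL_LAMBDA:
        return
    if not arn.startswith("arn:aws:lambda:"):
        raise ValueError(f"not a Lambda function ARN: {arn}")
    if any(ch in arn for ch in "*?"):
        raise ValueError(f"Lambda ARNs do not support pattern matching: {arn}")


def build_event_selector(read_write_type="All", include_management_events=True,
                         s3_arns=(), lambda_arns=()):
    """Return one EventSelector dict in the shape the API accepts."""
    if read_write_type not in READ_WRITE_TYPES:
        raise ValueError(f"ReadWriteType must be one of {READ_WRITE_TYPES}")
    for arn in s3_arns:
        _check_s3(arn)
    for arn in lambda_arns:
        _check_lambda(arn)
    data_resources = []
    if s3_arns:
        data_resources.append({"Type": S3_TYPE, "Values": list(s3_arns)})
    if lambda_arns:
        data_resources.append({"Type": LAMBDA_TYPE, "Values": list(lambda_arns)})
    return {"ReadWriteType": read_write_type,
            "IncludeManagementEvents": bool(include_management_events),
            "DataResources": data_resources}


def count_data_resources(selectors):
    """Number of individual resource values across all selectors."""
    return sum(len(dr["Values"]) for sel in selectors for dr in sel["DataResources"])


def logs_all_resources(selectors):
    """True when any selector logs data events for all buckets or all functions."""
    return any(v in (ALL_S3, ALL_LAMBDA)
               for sel in selectors for dr in sel["DataResources"] for v in dr["Values"])


def build_put_event_selectors_request(trail_name, selectors):
    """Assemble the request body, enforcing the per-trail limits first."""
    if len(selectors) > MAX_EVENT_SELECTORS_PER_TRAIL:
        raise ValueError(f"a trail allows at most {MAX_EVENT_SELECTORS_PER_TRAIL} event selectors")
    total = count_data_resources(selectors)
    if total > MAX_DATA_RESOURCES_PER_TRAIL and not logs_all_resources(selectors):
        raise ValueError(f"{total} data resources exceed the limit of {MAX_DATA_RESOURCES_PER_TRAIL}")
    return {"TrailName": trail_name, "EventSelectors": list(selectors)}


if __name__ == "__main__":
    # Constructed sample input: one S3 prefix, one exact Lambda ARN
    selector = build_event_selector(
        read_write_type="All",
        s3_arns=["arn:aws:s3:::audit-logs/", "arn:aws:s3:::finance-data/reports/"],
        lambda_arns=["arn:aws:lambda:us-east-1:123456789012:function:payments"])
    request = build_put_event_selectors_request("management-trail", [selector])
    print(json.dumps(request, indent=2))
```

The check for "all resources" matters because a selector that already logs every bucket or every function is not subject to the 250-resource limit, so a validator that counted blindly would reject configurations the service accepts.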
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Put Event Selectors failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data | Put Event Selectors failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Put Insight Selectors
Configures insight selectors for specified trails. CloudTrail Insights can be enabled only for trails that log management events. Insights detect unusual activity based on a seven-day baseline.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].TrailARN.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trail names or trail ARNs for which to configure insight selectors. Trail Names can be obtained using the List Trails command. Insight selectors can be configured only from the region in which the trails were created, which is their home region. | JSON |
Insight Type | Optional | The type of insight. | ApiCallRateInsight |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Put Insight Selectors failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data | Put Insight Selectors failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Remove Tags
Removes specified tags from a trail.
READER NOTE
Trail ARN and Tag Key are required parameters to run this command.
Run the List Trails command to obtain the Trail ARN. Trail ARNs can be found in the raw data at $.Trails[*].TrailARN.
Run the List Tags command to obtain the Tag Key. Tag Keys can be found in the raw data at $.ResourceTagList[*].TagsList[*].Key.
Input
Input Parameter | Required/Optional | Description | Example |
Trail ARN | Required | The ARN of the trail from which tags will be removed. Trail ARN can be obtained using the List Trails command. Tags can be removed only from the region in which the trail was created, which is its home region. | JSON |
Tag Key | Required | The tag keys to remove from the trail. Tag Keys can be obtained using the List Tags command. If a specified tag key does not exist on the trail, no error will be returned. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The ARN lll is invalid. |
Error Sample Data | Remove Tags failed. Status Code: 400. Message: The ARN lll is invalid. |
Start Logging
Starts recording AWS API calls and delivering log files for specified trails. For trails enabled in all regions, the operation must be invoked from the home region in which the trail was created. The operation cannot be performed on shadow trails replicated in other regions.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trail names or CloudTrail ARNs for which logging will be started. Trail Names can be obtained using the List Trails command. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Start Logging failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data | Start Logging failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Stop Logging
Suspends recording AWS API calls and log file delivery for specified trails. Trails usually do not need to be stopped to apply updates. This operation is the only way to pause logging. For trails enabled in all regions, the operation must be called from the home region in which the trail was created and cannot be performed on shadow trails in other regions.
READER NOTE
Trail Names is a required parameter to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trail names or CloudTrail ARNs for which logging will be stopped. Trail Names can be obtained using the List Trails command. | JSON |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Stop Logging failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data | Stop Logging failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |
Update Trails
Updates log file delivery settings for specified trails. Updating trails does not require stopping CloudTrail. The operation must be called from the region in which the trails were created.
READER NOTE
Trail Names and S3 Bucket Name are required parameters to run this command.
Run the List Trails command to obtain the Trail Names. Trail Names can be found in the raw data at $.Trails[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
Trail Names | Required | The trail names or ARNs of the trails to update. Trail Names can be obtained using the List Trails command. | JSON |
S3 Bucket Name | Required | The name of the Amazon S3 bucket designated for publishing log files. By default, S3 buckets and objects are private. Receiving log files for an organization trail requires updating the bucket policy. Refer to Amazon S3 bucket policy for CloudTrail for details. | ***** |
Include Global Service Events | Optional | The option to publish events from global services (e.g., IAM) to the log files. When True, events from global services are included in the log files. By default, the value is set to True. | True |
Apply Trail to All Regions | Optional | The option to apply the trail to the current region only or to all regions. When True, the trail applies to all regions. By default, the value is set to False. | True |
Organization Trail | Optional | The option to apply the trail to all accounts in the organization. When True, the trail applies to all accounts in the organization. By default, the value is set to False. Creating an organization trail requires the DescribeOrganization, ListAWSServiceAccessForOrganization, GetRole, and CreateServiceLinkedRole permissions. | False |
Enable Log File Validation | Optional | The option to enable log file integrity validation. When True, log file integrity validation is enabled. By default, the value is set to False. | True |
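The Stop Logging, Put Event Selectors and Update Trails commands above each change what a trail records, so a defender wants those calls visible in the trail itself, whoever makes them. The following Python is an added example, not part of the D3 SOAR integration: it scans CloudTrail records for the three coverage-reducing calls (StopLogging, PutEventSelectors that exclude management events, UpdateTrail that turns log file validation off) and reports the caller and whether the call succeeded or was denied. The records are constructed sample data; the top-level field names follow the CloudTrail record format, and the camel-cased parameter names inside requestParameters are an assumption about how the API parameters appear in records.

```python
"""Flag CloudTrail API calls that reduce trail coverage, from raw records.

Added example (not D3 SOAR code). Scans CloudTrail records for the
logging-impairing operations this page exposes as commands and reports
who made each call and its outcome. SAMPLE_RECORDS is constructed data;
requestParameters key casing is assumed.
"""
import json

CLOUDTRAIL_SOURCE = "cloudtrail.amazonaws.com"
ACCOUNT = "123456789012"   # placeholder account id used in the constructed records

SAMPLE_RECORDS = [  # constructed sample data, one CloudTrail record per dict
    {"eventSource": CLOUDTRAIL_SOURCE, "eventName": "StopLogging",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventSource": CLOUDTRAIL_SOURCE, "eventName": "UpdateTrail",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"name": "management-trail",
                           "enableLogFileValidation": False}},
    {"eventSource": CLOUDTRAIL_SOURCE, "eventName": "UpdateTrail",   # benign: validation on
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/ops"},
     "requestParameters": {"name": "management-trail",
                           "enableLogFileValidation": True}},
    {"eventSource": CLOUDTRAIL_SOURCE, "eventName": "PutEventSelectors",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/carol"},
     "requestParameters": {"trailName": "management-trail",
                           "eventSelectors": [{"readWriteType": "All",
                                               "includeManagementEvents": False}]}},
    {"eventSource": CLOUDTRAIL_SOURCE, "eventName": "StartLogging",    # benign
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventSource": CLOUDTRAIL_SOURCE, "eventName": "StopLogging",     # attempted, denied
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dave"},
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",      # unrelated service
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"bucketName": "logs"}},
]


def classify(record):
    """Return a finding string for a logging-impairing call, else None."""
    if record.get("eventSource") != CLOUDTRAIL_SOURCE:
        return None
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    trail = params.get("name") or params.get("trailName") or "?"
    if name == "StopLogging":
        return f"logging stopped on trail {trail}"
    if name == "UpdateTrail" and params.get("enableLogFileValidation") is False:
        return f"log file validation disabled on trail {trail}"
    if name == "PutEventSelectors":
        # PutEventSelectors replaces the whole selector set, so management
        # events are lost only when no remaining selector keeps them.
        selectors = params.get("eventSelectors") or []
        if selectors and all(s.get("includeManagementEvents") is False for s in selectors):
            return f"management events excluded on trail {trail}"
    return None


def scan(records):
    """Return (actor, finding, outcome) tuples for every flagged record.

    Denied attempts are kept: a failed StopLogging is still worth a look."""
    findings = []
    for rec in records:
        finding = classify(rec)
        if finding is None:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        outcome = "denied:" + rec["errorCode"] if rec.get("errorCode") else "succeeded"
        findings.append((actor, finding, outcome))
    return findings


def scan_jsonl(lines):
    """scan() over JSON-lines text, e.g. one record per line from a log export."""
    return scan(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for actor, finding, outcome in scan(SAMPLE_RECORDS):
        print(f"{outcome:20} {actor:45} {finding}")
```

Each of these calls is also exactly what the corresponding D3 SOAR command issues, so in an environment where the SOAR connection's role is the expected caller, the actor ARN in a finding is the first thing to compare against that role.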
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Trails failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS CloudTrail portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unknown trail: *** for the user: ***. |
Error Sample Data | Update Trails failed. Status Code: 400. Message: Unknown trail: *** for the user: ***. |