CloudTrail

Send change data from CloudTrail to suggest potential root cause for BigPanda incidents.

Supported Versions    Type    Authentication Type
SaaS                  API     User API Key

CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. Use this integration to track Shadow Changes from your AWS account in BigPanda.

The integration works as follows. You configure an S3 event notification on the bucket that holds your CloudTrail events so that every new object is announced to a BigPanda-owned SNS topic (see Add S3 Event Notification below), from which the message reaches BigPanda's SQS queue. When a message arrives, BigPanda assumes an IAM role that you create in your account (limited to s3:GetObject on that bucket and protected by an External ID) and retrieves the new CloudTrail file from S3. It then parses the file for CloudTrail events, filters out the events that do not represent actual changes, and normalizes the remainder into Changes that BigPanda can correlate with alerts.

Key Features

  • Notifies BigPanda of CloudTrail events, capturing Shadow Changes in your AWS account.
  • Intelligently correlates changes in AWS with high-level incidents in BigPanda to expedite the Root Cause Analysis (RCA) process and reduce Mean Time To Repair (MTTR).
  • Automatically identifies which CloudTrail events correspond to actual changes in your environment.

Data Models

BigPanda converts and organizes the change data from CloudTrail into tags.

Standard CloudTrail Event Properties

The Event fields below populate the Changes tags.

Property              Change Tag                                    Attributes
eventID               identifier                                    Generates the ticket_url tag.
eventTime             start / end
eventName             summary
awsRegion & eventID   ticket_url                                    Hyperlink for the identifier tag.
userIdentity          user_name, user_type, user_arn                The userIdentity object is normalized to generate the user information tags.
requestParameters     rp_{{object_key}}                             This event property is an object. Each key is translated into a Change tag with the prefix rp_.
resources             resources{{array position}}_{{object_key}}    This event property can be an array of objects. The Change tag is always resources + position in the array + _ + key.
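The mapping in the table, carried through on a CloudTrail log file as an added example. This is not BigPanda's code: the page does not publish how BigPanda decides which events are "actual changes", so the filter below uses CloudTrail's own readOnly flag with an eventName-prefix fallback (an assumption), the ticket_url link format is assumed (the page only says it is built from awsRegion and eventID), and the user_name fallback for assumed roles is assumed. The sample records are constructed.

```python
"""Parse a CloudTrail log file from S3 and normalize its change events into BigPanda-style tags."""
import gzip
import json

# Constructed sample of what a trail writes to S3: gzipped JSON with a "Records" array.
# One mutating API call (a change) and one read-only call (not a change). Values are made up.
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventID": "11111111-2222-3333-4444-555555555555",
            "eventTime": "2023-05-01T12:00:00Z",
            "eventName": "ModifyInstanceAttribute",
            "awsRegion": "us-east-1",
            "readOnly": False,
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {"instanceId": "i-0123456789abcdef0",
                                  "instanceType": {"value": "t3.large"}},
            "resources": [{"ARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
                           "type": "AWS::EC2::Instance"}],
        },
        {
            "eventID": "66666666-7777-8888-9999-000000000000",
            "eventTime": "2023-05-01T12:00:05Z",
            "eventName": "DescribeInstances",
            "awsRegion": "us-east-1",
            "readOnly": True,
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci-run-42",
                             "sessionContext": {"sessionIssuer": {"userName": "Deploy"}}},
            "requestParameters": {"instancesSet": {"items": []}},
        },
    ]
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def build_sample_file() -> bytes:
    """Gzip the constructed records the way a CloudTrail object in S3 is stored."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def is_change(record: dict) -> bool:
    """Keep only mutating calls. CloudTrail's readOnly flag is authoritative when present;
    the eventName-prefix fallback is an assumption for records that lack the flag."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record.get("eventName", "").startswith(READ_ONLY_PREFIXES)


def user_tags(identity: dict) -> dict:
    """userIdentity -> user_name / user_type / user_arn. IAM users carry userName directly;
    for assumed roles fall back to the session issuer's name, then the ARN's last segment (assumed)."""
    name = (identity.get("userName")
            or identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
            or identity.get("arn", "").rsplit("/", 1)[-1])
    return {"user_name": name, "user_type": identity.get("type"), "user_arn": identity.get("arn")}


def normalize(record: dict) -> dict:
    """Map one record to the Change tags listed in the table above."""
    region, event_id = record["awsRegion"], record["eventID"]
    tags = {
        "identifier": event_id,
        "start": record["eventTime"],
        "end": record["eventTime"],
        "summary": record["eventName"],
        # Assumed link format; the page only says the URL is built from awsRegion and eventID.
        "ticket_url": f"https://{region}.console.aws.amazon.com/cloudtrail/home?region={region}#/events/{event_id}",
    }
    tags.update(user_tags(record.get("userIdentity", {})))
    # requestParameters is an object (or null): every top-level key becomes rp_<key>.
    for key, value in (record.get("requestParameters") or {}).items():
        tags[f"rp_{key}"] = value if isinstance(value, str) else json.dumps(value, sort_keys=True)
    # resources is an array of objects: resources<position>_<key>.
    for pos, resource in enumerate(record.get("resources") or []):
        for key, value in resource.items():
            tags[f"resources{pos}_{key}"] = value
    return tags


def parse_cloudtrail_file(data: bytes) -> list:
    """Decompress an S3 object body, drop read-only events, and normalize the rest."""
    records = json.loads(gzip.decompress(data))["Records"]
    return [normalize(r) for r in records if is_change(r)]


if __name__ == "__main__":
    for change in parse_cloudtrail_file(build_sample_file()):
        print(json.dumps(change, indent=2))
```

Running it prints one Change (the ModifyInstanceAttribute call); the DescribeInstances record is dropped because readOnly is true. Nested requestParameters values are serialized as JSON strings here; the page does not say how BigPanda flattens them.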

Install the Integration

Before You Start

  • Obtain permission to create IAM roles and modify S3 event notifications in your AWS account.
  • Ensure one or more CloudTrail trails are configured and saving events to S3.
  • Create and save a BigPanda API Key.
  • Create a Changes CloudTrail integration and save the app key.

Create a BigPanda API Key

  1. Follow the API Keys Management instructions on generating an API Key.
  2. Note the API Key for use later in the setup.

Create an App Key

Create an app key in BigPanda.

👍

Integration Specific

You'll need a separate app key for each integrated system.

App Key Configuration in BigPanda


Create an AWS IAM Role for BigPanda

  1. In your AWS account, begin the creation of a new IAM role

  2. For Type of Trusted Entity select Another AWS Account and provide BigPanda's account ID: 103749124141

  3. Select the checkbox for Require external ID and provide a long, random string (for example 32 or more characters from a secure random generator) as the External ID, noting the value for use later in these instructions. Treat it as a secret: the External ID is what stops another party who knows your role ARN from having BigPanda assume your role on their behalf (the confused-deputy problem)

  4. Ensure the Require MFA box is NOT checked. BigPanda assumes the role programmatically and cannot present an MFA code, so a role that requires MFA cannot be used by the integration

  5. Click the Next button to move on to permissions

  6. Click the Create Policy button to create a new IAM policy for this role, a new browser tab should open

  7. In the JSON tab copy and paste the policy below, replacing BUCKET_NAME_HERE with the name of the S3 bucket that holds your CloudTrail events. The policy grants only s3:GetObject (no list, write or delete rights), but on every object in the bucket; if the bucket also holds other data, narrow the Resource to the trail's own prefix (the AWSLogs/<YOUR_AWS_ACCOUNT_NUMBER>/CloudTrail/ path used for the event notification below)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowBigPandaGetObject",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
        }
      ]
    }
    
  8. Click Review Policy and name your policy, then click Create Policy

  9. Once the policy is created, return to the role creation tab, click the refresh button, then search for and select your new policy

  10. Proceed to the Review step of role creation and name your role, then click Create Role

  11. Locate your new role and note down its ARN

If the trail encrypts its log files with SSE-KMS, the role also needs kms:Decrypt on that key; the s3:GetObject policy above is not sufficient on its own.

For more information please view the AWS IAM documentation.
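The two policy documents produced by the steps above, plus a check a reviewer can run before handing the role ARN to BigPanda, as an added example (not BigPanda's or AWS's code). BigPanda's account ID is the one given in step 2; the narrowed Resource in permission_policy and the lint in trust_policy_findings are this editor's additions and not part of the page's procedure.

```python
"""Build and lint the IAM role that BigPanda assumes to read CloudTrail objects."""
import json
import secrets

BIGPANDA_ACCOUNT_ID = "103749124141"  # the account ID given in the role steps above


def new_external_id() -> str:
    """A fresh random External ID (step 3). Treat it like a secret: it is what prevents
    another BigPanda customer from pointing BigPanda at your role (confused deputy)."""
    return secrets.token_urlsafe(32)


def trust_policy(external_id: str) -> dict:
    """What the console produces for steps 2-4: only BigPanda's account may assume the role,
    only when it presents the External ID, and with no MFA condition (a service cannot satisfy one)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{BIGPANDA_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permission_policy(bucket: str, account_id: str, cloudtrail_prefix_only: bool = True) -> dict:
    """Step 7's policy. With cloudtrail_prefix_only the Resource is narrowed from the whole bucket
    to the trail's own prefix, which is all BigPanda reads (our tightening, not the page's text)."""
    resource = (f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/CloudTrail/*"
                if cloudtrail_prefix_only else f"arn:aws:s3:::{bucket}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowBigPandaGetObject",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": resource,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list:
    """Return the problems a reviewer would flag in the role's AssumeRole trust statements."""
    findings = []
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", principal) if isinstance(principal, dict) else principal)
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could attempt AssumeRole")
            elif BIGPANDA_ACCOUNT_ID not in str(p):
                findings.append(f"unexpected principal {p}")
        condition = st.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("missing sts:ExternalId condition (confused-deputy exposure)")
        elif len(str(external_id)) < 16:
            findings.append("External ID is short; use a long random value")
        if str(condition.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            findings.append("MFA required: BigPanda assumes the role programmatically and cannot present MFA")
    return findings


if __name__ == "__main__":
    ext = new_external_id()
    print(json.dumps(trust_policy(ext), indent=2))
    print(json.dumps(permission_policy("my-cloudtrail-bucket", "123456789012"), indent=2))
    print(trust_policy_findings(trust_policy(ext)))  # []
```

Pass the JSON that the console shows on the role's Trust relationships tab to trust_policy_findings after creating the role; an empty list means the trust statement matches steps 2-4. The check does not cover the permission side or the bucket policy.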

Subscribe to the Integration

  1. Construct JSON body with required properties

    {
      "apiKey": "*API Key Created Earlier*",
      "appKey": "<your app key>",
      "bucket_name": "S3_BUCKET_NAME",
      "bucket_region": "S3_BUCKET_REGION",
      "iam_role_arn": "CREATED_ROLE_ARN",
      "iam_role_external_id": "CREATED_EXTERNAL_ID"
    }
    
  2. POST to the following CloudTrail API: https://integrations.bigpanda.io/cloudtrail/changes/subscribe

    // example POST cURL command
    curl -X POST \
      https://integrations.bigpanda.io/cloudtrail/changes/subscribe \
      -H 'Content-Type: application/json' \
      -d '{
      "apiKey": "*API Key Created Earlier*",
      "appKey": "<your app key>",
      "bucket_name": "BUCKET_NAME",
      "bucket_region": "S3_BUCKET_REGION",
      "iam_role_arn": "CREATED_ROLE_ARN",
      "iam_role_external_id": "CREATED_EXTERNAL_ID"
    }'
    

Add S3 Event Notification

  1. Open the Properties tab of your S3 bucket and go to the advanced settings

  2. Select the Events widget and click on add Notification

  3. Add Name

  4. Select All object create events option for Events

  5. Add the following under path (prefix): AWSLogs/<YOUR_AWS_ACCOUNT_NUMBER>/CloudTrail/

    Note: BigPanda does not need the CloudTrail Digest logs pushed to its queue. S3 matches the prefix as a plain string with no path semantics, so keep the trailing slash: without it the prefix also matches the CloudTrail-Digest (and CloudTrail-Insight) folders, whose objects would then trigger notifications as well

  6. Select SNS topic for Destination

  7. Under Specify SNS topic, select Enter SNS topic ARN

  8. Add BigPanda’s SNS Topic ARN: arn:aws:sns:<S3_BUCKET_REGION>:103749124141:int-cloudtrail-prod-us-east-1

For more information please view our documentation here.
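The notification from steps 3-8 expressed as the document that S3's PutBucketNotificationConfiguration accepts, with a check of which object keys would actually fire it, as an added example (not BigPanda's code). The topic ARN and account ID are the page's; the configuration Id and the sample object keys are constructed. It demonstrates the prefix caveat from step 5: a prefix without the trailing slash also matches the digest and insight folders.

```python
"""Emit the bucket notification configured above and check which keys would trigger it."""
import json

BIGPANDA_ACCOUNT_ID = "103749124141"


def bigpanda_topic_arn(bucket_region: str) -> str:
    """The SNS topic ARN from step 8 with the bucket's region substituted."""
    return f"arn:aws:sns:{bucket_region}:{BIGPANDA_ACCOUNT_ID}:int-cloudtrail-prod-us-east-1"


def notification_configuration(account_id: str, bucket_region: str) -> dict:
    """Steps 3-8 as a NotificationConfiguration document. The trailing slash on the
    prefix is deliberate: it excludes the CloudTrail-Digest and CloudTrail-Insight folders."""
    return {
        "TopicConfigurations": [{
            "Id": "bigpanda-cloudtrail-changes",  # assumed name for step 3
            "TopicArn": bigpanda_topic_arn(bucket_region),
            "Events": ["s3:ObjectCreated:*"],  # "All object create events" in step 4
            "Filter": {"Key": {"FilterRules": [
                {"Name": "prefix", "Value": f"AWSLogs/{account_id}/CloudTrail/"},
            ]}},
        }]
    }


def would_notify(config: dict, key: str) -> bool:
    """S3 evaluates a prefix rule as a plain string prefix of the object key (and a suffix
    rule as a plain string suffix); there is no directory-aware matching."""
    for tc in config["TopicConfigurations"]:
        rules = tc.get("Filter", {}).get("Key", {}).get("FilterRules", [])
        if all(
            key.startswith(r["Value"]) if r["Name"] == "prefix" else key.endswith(r["Value"])
            for r in rules
        ):
            return True
    return False


def keys_that_notify(config: dict, keys) -> list:
    return [k for k in keys if would_notify(config, k)]


# Constructed object keys of the kinds written under a trail's AWSLogs/<account>/ prefix,
# plus an unrelated AWS Config key sharing the same top-level folder.
SAMPLE_KEYS = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2023/05/01/123456789012_CloudTrail_us-east-1_20230501T1200Z_abc.json.gz",
    "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2023/05/01/123456789012_CloudTrail-Digest_us-east-1_20230501T1200Z.json.gz",
    "AWSLogs/123456789012/CloudTrail-Insight/us-east-1/2023/05/01/123456789012_CloudTrail-Insight_us-east-1_20230501T1200Z_x.json.gz",
    "AWSLogs/123456789012/Config/us-east-1/2023/5/1/ConfigSnapshot/snap.json.gz",
]


if __name__ == "__main__":
    cfg = notification_configuration("123456789012", "us-east-1")
    print(json.dumps(cfg, indent=2))
    print(keys_that_notify(cfg, SAMPLE_KEYS))  # only the CloudTrail/ key
```

With the trailing slash only the CloudTrail log key fires; if you drop the slash from the prefix value, the digest and insight keys fire too, which is the situation the note in step 5 warns about.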

Delete the Integration

Deleting an integration requires that you remove the integration in both the integrated system and BigPanda. We recommend that you first uninstall the integration on the integrated system to prevent traffic from being sent and rejected by BigPanda, since the app key will not exist once you delete the integration in BigPanda.

❗️

Caution During Replacement

When replacing an existing integration with a new tool or system, we recommend configuring the new integration first to ensure no data is lost.

Deactivate Inbound Integration

If you want to stop sending data to BigPanda but don’t want to delete your integration, you can temporarily deactivate it.

To deactivate an inbound integration:

  1. In BigPanda, navigate to the Integrations tab and select the desired integration from the list. This will open integration details on the right side of the window.
  2. At the top of the integration details, click the Active/Inactive toggle next to the application name to change the status of the integration.

In the integrations list, inactive integrations will be marked with a gray bar.

Removing the Integration

Take the following steps to remove the integration on the AWS side:

  1. Delete the S3 Event Notification on the desired Bucket
  2. Delete the IAM Role and Permissions associated to this integration
  3. Unsubscribe from the integration with the following cURL command

    // example DELETE cURL command
    curl -X DELETE \
      https://integrations.bigpanda.io/cloudtrail/changes/subscribe \
      -H 'Content-Type: application/json' \
      -d '{
      "apiKey": "*API Key Created Earlier*",
      "bucket_name": "BUCKET_NAME"
    }'

Stop Sending Data from BigPanda

In BigPanda, disable any settings that send data to the integrated system. This includes modifying or removing AutoShare rules or Environments that are tied to the integration.

Delete the Integration in BigPanda

Take the following steps to delete the integration from BigPanda:

  1. In BigPanda, navigate to the Integrations tab and select the desired integration from the list.
  2. In the integration details on the right of the page, click the trash icon, then confirm you want to delete the integration. The integration will be removed immediately.

❗️

Data Removal

This procedure does not remove any data from the integrated system.