CloudTrail
Send change data from CloudTrail to suggest potential root cause for BigPanda incidents.
Supported Versions | Type | Authentication Type |
---|---|---|
SaaS | API | User API Key |
CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. Use this integration to track Shadow Changes from your AWS account in BigPanda.
The CloudTrail integration works as follows: an S3 bucket holding CloudTrail logs is configured with an SQS event notification that sends a message to a BigPanda-owned queue for every new object. When BigPanda's SQS queue receives a message, BigPanda retrieves the new CloudTrail file from S3 using an IAM role provided by the customer, parses the file for CloudTrail events, filters out the events that do not represent actual changes, and finally normalizes the remaining events and makes them available in BigPanda as changes for correlation with alerts.
Key Features
- Notifies BigPanda of CloudTrail events, capturing Shadow Changes in your AWS account.
- Intelligently correlates changes in AWS with high-level incidents in BigPanda to expedite the Root Cause Analysis (RCA) process and reduce Mean Time To Repair (MTTR).
- Automatically identifies which CloudTrail events correspond to actual changes in your environment.
Data Models
BigPanda converts and organizes the change data from CloudTrail into tags.
Standard CloudTrail Event Properties
The Event fields below populate the Changes tags.
Property | Change Tag | Attributes |
---|---|---|
eventID | identifier | Generates the ticket_url tag. |
eventTime | start / end | |
eventName | summary | |
awsRegion & eventID | ticket_url | Hyperlink for the identifier tag |
userIdentity | user_name, user_type, and user_arn | The userIdentity object is normalized to generate the user information tags. |
requestParameters | rp_{{object_key}} | This event property is an object. Its keys are translated into Change tags with the prefix rp_. |
resources | resources{{array position}}_{{object_key}} | This event property can be an array of objects. The Change tag is always resources + the position in the array + the object key. |
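As an added illustration of the tag mapping in the table above (this is not BigPanda's own parser), the following Python turns one constructed CloudTrail record into the Change tags the table describes. The console URL shape used for ticket_url, the JSON serialization of nested requestParameters values, and the sessionIssuer lookup for assumed roles are assumptions; the page only states which event properties feed which tags.

```python
import json

# Constructed sample CloudTrail record; ids, account number and ARNs are placeholders.
SAMPLE_RECORD = {
    "eventID": "00000000-0000-0000-0000-000000000000",
    "eventTime": "2024-01-01T00:00:00Z",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                     "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0",
                          "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22}]}},
    "resources": [{"ARN": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
                   "type": "AWS::EC2::SecurityGroup"}],
}

def _scalar(value):
    """Tags hold flat values; nested objects are serialized to JSON (assumption)."""
    if isinstance(value, (str, int, float, bool)) or value is None:
        return value
    return json.dumps(value, sort_keys=True)

def normalize_event(record: dict) -> dict:
    """Map one CloudTrail record onto Change tags following the property table."""
    region, event_id = record["awsRegion"], record["eventID"]
    tags = {
        "identifier": event_id,
        "start": record["eventTime"],
        "end": record["eventTime"],
        "summary": record["eventName"],
        # Assumed console URL shape; the page only says the link is built from awsRegion and eventID.
        "ticket_url": f"https://{region}.console.aws.amazon.com/cloudtrail/home"
                      f"?region={region}#/events/{event_id}",
    }
    ident = record.get("userIdentity", {})
    tags["user_type"] = ident.get("type")
    tags["user_arn"] = ident.get("arn")
    # Assumed normalization: IAM users carry userName directly; assumed roles expose
    # the role name under sessionContext.sessionIssuer.
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    tags["user_name"] = ident.get("userName") or issuer.get("userName")
    # requestParameters keys become rp_<key>; resources become resources<position>_<key>.
    for key, value in (record.get("requestParameters") or {}).items():
        tags[f"rp_{key}"] = _scalar(value)
    for pos, resource in enumerate(record.get("resources") or []):
        for key, value in resource.items():
            tags[f"resources{pos}_{key}"] = _scalar(value)
    return tags
```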
Install the Integration
Administrators can install the integration by following the on-screen instructions in BigPanda.
Before You Start
- Obtain permission to create IAM roles and modify S3 event notifications in your AWS account.
- Ensure one or more CloudTrail trails are configured and saving events to S3.
- Create and save a BigPanda API Key.
- Create a Changes CloudTrail integration and save the app key.
Uninstall the Integration
Deleting an integration requires changes to both the integrated system and BigPanda. You must uninstall the integration on the integrated system and then delete the integration from BigPanda.
When replacing an existing integration with a new tool or system, we recommend configuring the new integration first to ensure no data is lost.
Stop Sending Data to BigPanda
On the integrated system, disable any settings that send data to BigPanda.
Manually resolve any open alerts sent from the integration to remove the associated incidents from your incident feed. These incidents will not automatically resolve without an ok status from the original sending integration.
Delete the Integration from BigPanda
- In BigPanda, navigate to the Integrations tab and select the desired integration from the list.
- In the integration details on the right, click Delete Integration. A support message opens, pre-populated with a request to delete the selected integration.
- Press Enter to send the request.
- The BigPanda support team will remove the integration from the UI.
This procedure does not remove any data from BigPanda or the integrated system. As needed, remove data from each system before deleting the integration.