CloudTrail FAQ & Troubleshooting Guide

This document answers some frequently asked questions (FAQs) about the Threat Stack CloudTrail Monitoring feature and provides basic troubleshooting suggestions.

IMPORTANT: Access to CloudTrail information depends on the specific Threat Stack Plan that you use. If you use the Audit or Audit + Monitor Plan, you can easily view CloudTrail alert details on the ALERTS page. However, you do not have access to the EVENTS page.

Frequently Asked Questions

How do I know if CloudTrail Monitoring works?

When Threat Stack connects properly with CloudTrail, you can view events and alert details on either the ALERTS page or the EVENTS page.

  • If you have the Audit Plan or Audit + Monitor Plan, you can view CloudTrail alert details on the ALERTS page.
  • If you have the Audit + Investigate Plan, you can view CloudTrail events on the EVENTS page by searching for event_type="CloudTrail".

[Figure: CloudTrail alert details on the ALERTS page]

What if I don't see CloudTrail alert details on the ALERTS page?

If you don't see an alert, wait 10 minutes. If no alerts display after 10 minutes, you can test CloudTrail alerts by triggering an event yourself. Example event: log in to the AWS console.

If the event you trigger displays in CloudTrail but not in Threat Stack, see the troubleshooting suggestions below.

What does the clock icon (Status column on the SETTINGS page) mean?

The clock icon indicates that Threat Stack is attempting to connect to AWS. This connection can take 10 minutes or more. Leave the SETTINGS page and navigate back after 10+ minutes. You will then see either a green checkmark icon or an error icon, indicating the success or failure of the connection attempt.

[Figure: AWS profile status icons on the SETTINGS page]

What if I see a green checkmark icon but I don't see CloudTrail events or alert details?

Threat Stack can connect to your AWS account but cannot retrieve any data.

IMPORTANT: If you have the Audit or the Audit + Monitor feature package, you can only view CloudTrail alert details on the ALERTS page.

Troubleshooting suggestions and best practices:

  • Ensure that no other application can read messages off this queue. If another application receives and acknowledges (deletes) messages from the same queue, it interferes with Threat Stack's ability to read them.

  • Confirm that the message ticker shows at least one message in the SQS Queue
    1. Navigate to the SQS service in the AWS Console
    2. Choose the appropriate queue
    3. Review the Messages Available field

What if I can see one or more messages in the Messages Available field?

  • Confirm that your Queue Name matches what you entered in Threat Stack
    • In Amazon, you can find your Queue Name in the SQS service area of the AWS Console
    • In Threat Stack, you can find the Queue Name on the Edit AWS Profile popup
      1. Navigate to the SETTINGS page
      2. Select the Integrations button
      3. In the AWS Profiles section, select the Edit icon
      4. On the Edit AWS Profile popup, confirm that the SQS Source field displays the correct Queue Name

[Figure: SQS Source field on the Edit AWS Profile popup]

  • Confirm that the region selected on the Threat Stack Edit AWS Profile popup matches the region in the SQS ARN
    • In Amazon, on the AWS Console, open the Queue details and check the ARN or URL fields
    • In Threat Stack, you can find the region on the Edit AWS Profile popup
      1. Navigate to the SETTINGS page
      2. Select the Integrations button
      3. In the AWS Profiles section, select the Edit icon
      4. On the Edit AWS Profile popup, verify the region in the Select Region field

[Figure: Select Region field on the Edit AWS Profile popup]

  • In Amazon, check the policy on the 3rd Party Cross-Account IAM role to confirm that it gives Threat Stack permission to read the queue

What if the Messages Available field shows 0 messages?

Best practice: redo the integration using the CloudFormation template.

Troubleshooting suggestions:

  • Confirm that the Queue subscribes to the proper SNS topic
    1. Navigate to the SNS service in the AWS Console
    2. Confirm that the SNS topic displays the SQS Queue as a subscription endpoint
  • Confirm that CloudTrail delivers logs properly and sends notifications using the SNS topic
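The checks above (Queue Name, region, read permission, SNS subscription, CloudTrail notification topic, messages available) can be run as a script instead of clicking through the console. The following is an added example, not Threat Stack's own code or tooling: it takes the JSON that the AWS CLI returns from `aws sqs get-queue-attributes --attribute-names All`, `aws sns list-subscriptions-by-topic` and `aws cloudtrail describe-trails`, and compares it against the values entered on the Edit AWS Profile popup. All ARNs, account IDs, queue and topic names below are constructed placeholders, and the PROFILE dictionary stands in for what the popup shows.

```python
import json

# Constructed values mirroring the fields on the Threat Stack Edit AWS Profile popup
# (SQS Source, Select Region) and the ARN column of the AWS Profiles section.
PROFILE = {
    "sqs_source": "threatstack-cloudtrail-queue",
    "region": "us-east-1",
    "role_arn": "arn:aws:iam::111122223333:role/ThreatStackCrossAccountRole",  # placeholder account ID
}

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:threatstack-cloudtrail-queue"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:threatstack-cloudtrail-topic"

# Constructed queue policy: SNS may deliver into the queue, and only the cross-account
# role that Threat Stack assumes may consume from it.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": QUEUE_ARN,
            "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": PROFILE["role_arn"]},
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": QUEUE_ARN,
        },
    ],
}

# Constructed CLI output in the shape of `aws sqs get-queue-attributes --attribute-names All`.
QUEUE_ATTRIBUTES = {"Attributes": {
    "QueueArn": QUEUE_ARN,
    "ApproximateNumberOfMessages": "3",
    "Policy": json.dumps(QUEUE_POLICY),
}}

# Constructed output in the shape of `aws sns list-subscriptions-by-topic`.
SNS_SUBSCRIPTIONS = {"Subscriptions": [
    {"Protocol": "sqs", "Endpoint": QUEUE_ARN, "TopicArn": TOPIC_ARN},
]}

# Constructed output in the shape of `aws cloudtrail describe-trails`.
TRAILS = {"trailList": [
    {"Name": "management-events", "S3BucketName": "example-cloudtrail-logs",
     "SnsTopicARN": TOPIC_ARN, "IsMultiRegionTrail": True},
]}


def as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_region(arn):
    """Region is the fourth colon-separated field of an ARN (empty for global services)."""
    return arn.split(":")[3]


def role_can_consume(policy_json, role_arn):
    """True if an Allow statement in the queue policy grants sqs:ReceiveMessage to role_arn."""
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = as_list(stmt.get("Action", []))
        if (stmt.get("Effect") == "Allow" and role_arn in principals
                and any(a in ("sqs:ReceiveMessage", "sqs:*", "*") for a in actions)):
            return True
    return False


def check_pipeline(profile, queue_attrs, subscriptions, trails):
    """Run the page's checks in order and return findings; an empty list means all passed."""
    findings = []
    attrs = queue_attrs["Attributes"]
    queue_arn = attrs["QueueArn"]

    # Queue Name and region entered in Threat Stack must match the queue's ARN.
    if queue_arn.rsplit(":", 1)[-1] != profile["sqs_source"]:
        findings.append(f"SQS Source '{profile['sqs_source']}' does not match queue name in {queue_arn}")
    if arn_region(queue_arn) != profile["region"]:
        findings.append(f"profile region {profile['region']} does not match queue region {arn_region(queue_arn)}")

    # The cross-account role must be allowed to read the queue.
    if not role_can_consume(attrs.get("Policy", "{}"), profile["role_arn"]):
        findings.append("queue policy does not allow the cross-account role to receive messages")

    # The queue must be a subscription endpoint of a topic that a trail publishes to.
    topics = {s["TopicArn"] for s in subscriptions["Subscriptions"]
              if s["Protocol"] == "sqs" and s["Endpoint"] == queue_arn}
    if not topics:
        findings.append("queue is not a subscription endpoint of any SNS topic")
    elif not any(t.get("SnsTopicARN") in topics for t in trails["trailList"]):
        findings.append("no CloudTrail trail sends notifications to the topic the queue subscribes to")

    # Finally, messages should actually be arriving.
    if int(attrs.get("ApproximateNumberOfMessages", "0")) < 1:
        findings.append("0 messages available: check SNS subscription and CloudTrail delivery, "
                        "or another consumer may be draining the queue")
    return findings


if __name__ == "__main__":
    for finding in check_pipeline(PROFILE, QUEUE_ATTRIBUTES, SNS_SUBSCRIPTIONS, TRAILS) or ["all checks passed"]:
        print(finding)
```

To use it against a real account, replace the constructed dictionaries with the parsed output of the three CLI commands named above; the checks run in the same order as the page, so the first finding printed is the first thing to fix. Note that ApproximateNumberOfMessages is only approximate and drops to 0 as soon as a healthy consumer drains the queue, so a 0 with everything else passing is not by itself a fault.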

What if I see the error icon?

Threat Stack cannot connect to this AWS Account.

Troubleshooting suggestions and best practices:

  • Confirm the Role ARNs match in Threat Stack and Amazon
    • In Threat Stack, you can find the Role ARN on the AWS Profiles section
      1. Navigate to the SETTINGS page
      2. Select the Integrations button
      3. In the AWS Profiles section, locate the ARN column and verify the Role ARN

[Figure: ARN column in the AWS Profiles section]

    • In Amazon, locate the 3rd Party Cross-Account IAM role and verify the Role ARN
  • Confirm the External IDs match in Threat Stack and Amazon
    • In Threat Stack, you can find the External ID in the AWS Profiles section
      1. Navigate to the SETTINGS page
      2. Select the Integrations button
      3. In the AWS Profiles section, locate the External ID column and verify the External ID

[Figure: External ID column in the AWS Profiles section]

    • In Amazon, locate the 3rd Party Cross-Account IAM role and verify the External ID in its trust policy
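The Role ARN and External ID checks can also be automated against the output of `aws iam get-role`. The following is an added example, not Threat Stack's own code: it compares the ARN and External ID shown in the Threat Stack AWS Profiles section with the role's ARN and the sts:ExternalId condition in its trust policy. The account IDs, role name and External ID are constructed placeholders, and the vendor account in the trust policy Principal is a placeholder, not Threat Stack's real account.

```python
import json
import urllib.parse

# Constructed values as shown in the ARN and External ID columns of the Threat Stack
# AWS Profiles section; the account ID and External ID are placeholders.
PROFILE = {
    "role_arn": "arn:aws:iam::111122223333:role/ThreatStackCrossAccountRole",
    "external_id": "example-external-id-0000",
}

# Constructed output in the shape of `aws iam get-role --role-name ThreatStackCrossAccountRole`.
# The Principal account (999999999999) is a placeholder for the vendor's account.
GET_ROLE_OUTPUT = {"Role": {
    "RoleName": "ThreatStackCrossAccountRole",
    "Arn": PROFILE["role_arn"],
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": PROFILE["external_id"]}},
        }],
    },
}}


def as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_trust_policy(document):
    """The CLI returns the trust policy as JSON; the raw IAM API returns it URL-encoded."""
    if isinstance(document, str):
        return json.loads(urllib.parse.unquote(document))
    return document


def required_external_ids(trust_policy):
    """Collect every sts:ExternalId that an Allow sts:AssumeRole statement requires."""
    ids = []
    for stmt in as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids.extend(as_list(equals.get("sts:ExternalId", [])))
    return ids


def check_role(profile, get_role_output):
    """Return findings for the Role ARN and External ID checks; an empty list means both match."""
    findings = []
    role = get_role_output["Role"]
    if role["Arn"] != profile["role_arn"]:
        findings.append(f"Role ARN in Threat Stack ({profile['role_arn']}) does not match AWS ({role['Arn']})")
    ext_ids = required_external_ids(load_trust_policy(role["AssumeRolePolicyDocument"]))
    if not ext_ids:
        findings.append("trust policy allows sts:AssumeRole without an sts:ExternalId condition")
    elif profile["external_id"] not in ext_ids:
        findings.append("External ID in Threat Stack does not match the sts:ExternalId condition in AWS")
    return findings


if __name__ == "__main__":
    for finding in check_role(PROFILE, GET_ROLE_OUTPUT) or ["Role ARN and External ID match"]:
        print(finding)
```

A trust policy that allows sts:AssumeRole with no sts:ExternalId condition is reported as a finding rather than a pass: the External ID is what ties the cross-account role to this specific Threat Stack profile, and a role that can be assumed without it would still fail the page's "External IDs match" check even though the connection might succeed.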