CloudTrail FAQ & Troubleshooting Guide

This document answers frequently asked questions (FAQs) about the Threat Stack CloudTrail Monitoring feature and gives basic troubleshooting suggestions for when CloudTrail data does not appear.

Important

Access to CloudTrail information will vary based on the Threat Stack Plan you purchased.

Frequently Asked Questions

How do I know if CloudTrail Monitoring works?

When Threat Stack connects properly with CloudTrail, you can view events and alert details on either the Alerts or Events page.

  • The example below shows a view of CloudTrail alerts.
  • Alternatively, you can view CloudTrail events on the Events page by entering event_type = “cloudtrail” into the search field.

CloudTrail_alerts_tab.png


What if I don't see CloudTrail alert details on the Alerts page?

If you don't see an alert, wait 10 minutes. If no alerts display after 10 minutes, test CloudTrail alerting by triggering an event yourself, for example by signing in to the AWS Management Console (CloudTrail records this as a ConsoleLogin event).

  • If the event you trigger appears in CloudTrail but not in the Threat Stack Cloud Security PlatformⓇ (CSP), see the troubleshooting suggestions below.

What does the clock icon (Status column on the Settings page in the CSP) mean?

The clock (clock_icon_only.png) icon indicates that Threat Stack is attempting to connect to Amazon Web Services (AWS). This connection can take up to 10 minutes. Navigate away from the Settings page and return after 10 minutes. You will then see either a green checkmark (Green_checkmark_icon.png) icon or an error (red_bang_icon.png) icon, indicating the success or failure of the connection attempt.

AWS_profile_status.png

Note

Your EC2 Agent correlation status is displayed in the Threat Stack Cloud Security PlatformⓇ. Threat Stack does not currently display the connection status for CloudTrail.

What if I see a green checkmark (Green_checkmark_icon.png) icon but I don't see CloudTrail events or alert details?

If you experience this issue, it indicates Threat Stack can connect to your AWS account but cannot display data.

Important

Your feature plan will determine whether CloudTrail alert details are displayed on the Alerts page.

Please review the following troubleshooting suggestions and best practices:

  • Ensure no other application consumes messages from this queue.
    • Once any consumer receives and deletes (acknowledges) a message, it is gone from the queue. A second application reading the same queue therefore starves Threat Stack of the CloudTrail notifications it needs.
  • Confirm the queue shows at least one message available.
    1. Navigate to the SQS service in the AWS Console.
    2. Choose the appropriate queue.
    3. Review the Messages Available field.

What if I can see one or more messages in the Messages Available field?
  • Confirm your Queue Name matches what you entered in Threat Stack.
    1. Navigate to the Settings page.
    2. Select the Integrations tab.
    3. In the AWS Integrations module, select the Edit (edit_icon.png) icon.
    4. Within the Edit AWS Integration screen, confirm the SQS Source field displays the correct Queue Name.
      • Within AWS, you can find your Queue Name in the SQS Service area within the AWS Console.
      • Within Threat Stack, you can find the Queue Name on the Edit AWS Integration screen.


        SQS_source_TS.png

  • Confirm the region selected in the Edit AWS Integration screen matches the region in the SQS ARN.
    1. Navigate to the Settings page.
    2. Select the Integrations tab.
    3. In the AWS Integrations module, select the Edit (edit_icon.png) icon.
    4. Within the Edit AWS Integration screen, verify the region in the Select Regions field.
      • Within the AWS Console, open the Queue details and check the ARN or URL fields.
      • Within Threat Stack, you can find the region on the Edit AWS Integration screen.


        Select_regions_TS.png

  • In AWS, review the permissions policy attached to the third-party cross-account IAM role and confirm it lets Threat Stack read the queue (at minimum, permission to receive messages from the queue and to delete them once they have been processed).

What if I can't see any (0) messages in the Messages Available field?

Note

Best practice: Redo the integration using the CloudFormation template.

Please review the following troubleshooting suggestions:

  • Confirm the queue subscribes to the proper SNS topic.
    1. Navigate to the SNS service in the AWS Console and open the topic.
    2. Confirm the topic lists the SQS queue as a subscription endpoint (protocol SQS, endpoint set to the queue's ARN).
    3. Confirm the queue's access policy allows the SNS service to send messages to it. A subscription whose queue policy does not permit delivery produces no messages.
  • Confirm CloudTrail delivers logs properly and sends notifications using the SNS topic: in the CloudTrail console, open the trail and check that logging is on, that the SNS topic is configured for the trail, and that the trail reports no delivery or notification errors.

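
The checks in the two sections above (queue name, region, message count, SNS subscription, queue access policy, trail logging state) can be scripted so they run the same way every time. The following is an added example written for this guide, not Threat Stack code or part of the CloudFormation template. It works on dictionaries shaped like the boto3 responses they stand in for (sqs.get_queue_attributes()["Attributes"], sns.list_subscriptions_by_topic()["Subscriptions"], cloudtrail.get_trail()["Trail"], cloudtrail.get_trail_status()); the sample values are constructed, every ARN and account ID is a placeholder, and the ts_config dict is an assumed stand-in for the SQS Source and Select Regions fields on the Edit AWS Integration screen. In real use you would fetch the responses with boto3 and pass them in unchanged.

```python
"""Offline versions of the queue / topic / trail checks in this guide.

The dicts mirror the boto3 responses they stand in for; the sample values
are constructed and every ARN is a placeholder.
"""
import json


def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def queue_arn_parts(queue_arn):
    """Split arn:aws:sqs:<region>:<account>:<name> into (region, name)."""
    parts = queue_arn.split(":")
    return parts[3], parts[5]


def sns_may_send(policy_json, topic_arn):
    """True if the queue access policy lets SNS deliver from topic_arn.

    A subscription alone is not enough: the queue policy must allow
    SQS:SendMessage to the SNS service (or "*"), optionally scoped by
    aws:SourceArn to the topic.
    """
    if not policy_json:
        return False
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action"))]
        if not any(a in ("sqs:sendmessage", "sqs:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        accounts = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal != "*" and "sns.amazonaws.com" not in services and "*" not in accounts:
            continue
        source = st.get("Condition", {}).get("ArnEquals", {}).get("aws:SourceArn")
        if source is None or topic_arn in as_list(source):
            return True
    return False


def check_cloudtrail_pipeline(ts_config, queue_attrs, subscriptions, trail, trail_status):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    queue_arn = queue_attrs["QueueArn"]
    region, name = queue_arn_parts(queue_arn)
    if name != ts_config["sqs_source"]:
        findings.append(f"SQS Source '{ts_config['sqs_source']}' does not match queue name '{name}'")
    if region not in ts_config["regions"]:
        findings.append(f"queue region {region} is not among the selected regions {ts_config['regions']}")
    if int(queue_attrs.get("ApproximateNumberOfMessages", "0")) == 0:
        findings.append("0 messages available: check the SNS subscription, queue policy and trail delivery")
    topic_arn = trail.get("SnsTopicARN")
    if not topic_arn:
        findings.append("trail has no SNS topic configured")
    if not any(s.get("Protocol") == "sqs" and s.get("Endpoint") == queue_arn
               and s.get("TopicArn") == topic_arn for s in subscriptions):
        findings.append("queue is not a subscription endpoint of the trail's SNS topic")
    if not sns_may_send(queue_attrs.get("Policy"), topic_arn):
        findings.append("queue access policy does not allow SNS to send messages to the queue")
    if not trail_status.get("IsLogging"):
        findings.append("trail is not logging")
    for key in ("LatestDeliveryError", "LatestNotificationError"):
        if trail_status.get(key):
            findings.append(f"{key}: {trail_status[key]}")
    return findings


# Constructed sample data (placeholder account ID and names).
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:threatstack-cloudtrail"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:threatstack-cloudtrail"
TS_CONFIG = {"sqs_source": "threatstack-cloudtrail", "regions": ["us-east-1"]}  # assumed shape
QUEUE_ATTRS = {
    "QueueArn": QUEUE_ARN,
    "ApproximateNumberOfMessages": "3",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "SQS:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }]}),
}
SUBSCRIPTIONS = [{"Protocol": "sqs", "Endpoint": QUEUE_ARN, "TopicArn": TOPIC_ARN}]
TRAIL = {"Name": "management-events", "SnsTopicARN": TOPIC_ARN}
TRAIL_STATUS = {"IsLogging": True, "LatestDeliveryError": ""}


def healthy_findings():
    return check_cloudtrail_pipeline(TS_CONFIG, QUEUE_ATTRS, SUBSCRIPTIONS, TRAIL, TRAIL_STATUS)


def misconfigured_findings():
    """Same queue, but the wrong region is selected in Threat Stack and the queue is empty."""
    attrs = dict(QUEUE_ATTRS, ApproximateNumberOfMessages="0")
    return check_cloudtrail_pipeline(dict(TS_CONFIG, regions=["us-west-2"]), attrs,
                                     SUBSCRIPTIONS, TRAIL, TRAIL_STATUS)


if __name__ == "__main__":
    print("healthy:", healthy_findings() or "all checks passed")
    print("misconfigured:", misconfigured_findings())
```

The queue-policy check is the one most often skipped by hand: the SNS console shows a subscription as confirmed even when the queue's access policy never allowed SNS to deliver, and the symptom is exactly the "0 messages available" case above.
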
What if I see the error (red_bang_icon.png) icon?

If you experience this issue, it indicates Threat Stack cannot connect to your AWS Account.

Please review the following troubleshooting suggestions and best practices:

  • Confirm the Role ARN entries match in Threat Stack and AWS.
    1. Navigate to the Settings page.
    2. Select the Integrations tab.
    3. In the AWS Integrations module, locate the ARN column and verify the Role ARN value.
      • Within Threat Stack, you can find the Role ARN in the AWS Integrations module.


        ARN_column.png

      • Within AWS, open the IAM console, locate the third-party cross-account role, and compare its Role ARN with the value in Threat Stack.
  • Confirm the External ID entries match in Threat Stack and AWS.
    1. Navigate to the Settings page.
    2. Select the Integrations tab.
    3. In the AWS Integrations module, locate the External ID column and verify the External ID.
      • Within Threat Stack, you can find the External ID in the AWS Integrations module.


        Ext_ID_column.png

      • Within AWS, open the same cross-account role, view its trust policy (Trust relationships), and compare the sts:ExternalId condition value with the External ID in Threat Stack. The trust policy should require an External ID; a statement that allows AssumeRole without one lets any caller that knows the Role ARN assume it.
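
The Role ARN and External ID comparison above, together with the "can Threat Stack read the queue" check from the green-checkmark section, can also be scripted against the role as IAM returns it. The following is an added example for this guide, not Threat Stack code. It takes a role shaped like iam.get_role()["Role"] (boto3 already decodes AssumeRolePolicyDocument into a dict), a list of policy documents shaped like the PolicyDocument of the role's inline or attached policies, and a ts_integration dict that is an assumed stand-in for the ARN and External ID columns of the AWS Integrations module. All account IDs, ARNs and the External ID are placeholders; the principal account 111111111111 is not Threat Stack's. The required-action set is the minimum needed to receive and acknowledge messages, not necessarily the full set the CloudFormation template grants.

```python
"""Offline checks on the cross-account IAM role Threat Stack assumes.

All ARNs, account IDs and the External ID are constructed placeholders.
"""
from fnmatch import fnmatch

# Minimum actions needed to receive messages and acknowledge (delete) them;
# the set granted by the vendor's CloudFormation template may be larger.
REQUIRED_SQS_ACTIONS = ("sqs:receivemessage", "sqs:deletemessage")


def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def external_ids_required(trust_policy):
    """External IDs demanded by Allow/AssumeRole statements.

    None in the result marks a statement that allows AssumeRole with no
    sts:ExternalId condition at all.
    """
    ids = set()
    for st in trust_policy.get("Statement", []):
        actions = [a.lower() for a in as_list(st.get("Action"))]
        if st.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            ids.add(None)
        else:
            ids.update(as_list(ext))
    return ids


def action_allowed(policy_docs, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn` (wildcards honoured)."""
    for doc in policy_docs:
        for st in doc.get("Statement", []):
            if st.get("Effect") != "Allow":
                continue
            actions = [a.lower() for a in as_list(st.get("Action"))]
            if not any(fnmatch(action, pattern) for pattern in actions):
                continue
            if any(fnmatch(resource_arn, r) for r in as_list(st.get("Resource"))):
                return True
    return False


def check_cross_account_role(ts_integration, role, policy_docs, queue_arn):
    """Return a list of findings; an empty list means the role checks out."""
    findings = []
    if role["Arn"] != ts_integration["role_arn"]:
        findings.append(f"Role ARN mismatch: Threat Stack has {ts_integration['role_arn']}, AWS has {role['Arn']}")
    ids = external_ids_required(role["AssumeRolePolicyDocument"])
    if ts_integration["external_id"] not in ids:
        findings.append("External ID in Threat Stack does not match any sts:ExternalId in the trust policy")
    if None in ids:
        findings.append("trust policy allows sts:AssumeRole without an sts:ExternalId condition (confused-deputy risk)")
    for action in REQUIRED_SQS_ACTIONS:
        if not action_allowed(policy_docs, action, queue_arn):
            findings.append(f"role lacks {action} on {queue_arn}")
    return findings


# Constructed sample data; account 111111111111 is a placeholder for the vendor account.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:threatstack-cloudtrail"
TS_INTEGRATION = {  # assumed stand-in for the ARN and External ID columns
    "role_arn": "arn:aws:iam::123456789012:role/ThreatStackCloudTrailRole",
    "external_id": "ts-example-external-id",
}
ROLE = {
    "Arn": "arn:aws:iam::123456789012:role/ThreatStackCloudTrailRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "ts-example-external-id"}},
    }]},
}
POLICY_DOCS = [{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
    "Resource": QUEUE_ARN,
}]}]


def healthy_findings():
    return check_cross_account_role(TS_INTEGRATION, ROLE, POLICY_DOCS, QUEUE_ARN)


def stale_external_id_findings():
    """The role was recreated but the External ID in Threat Stack was never updated."""
    stale = dict(TS_INTEGRATION, external_id="ts-old-external-id")
    return check_cross_account_role(stale, ROLE, POLICY_DOCS, QUEUE_ARN)


def no_external_id_findings():
    """Trust policy hand-edited to drop the Condition block entirely."""
    st = dict(ROLE["AssumeRolePolicyDocument"]["Statement"][0])
    st.pop("Condition")
    role = dict(ROLE, AssumeRolePolicyDocument={"Version": "2012-10-17", "Statement": [st]})
    return check_cross_account_role(TS_INTEGRATION, role, POLICY_DOCS, QUEUE_ARN)
```

A role that fails only the External ID check shows the error icon in the CSP, since the AssumeRole call is refused; a role that passes because the condition was removed altogether connects, but is also assumable by anyone who learns the Role ARN, which is why the check reports that case separately.
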