Test the AWS CloudTrail integration for XDR for Cloud

Procedure

1. Sign in to the AWS account you want to use to test Cloud Detections for AWS CloudTrail.
2. Configure your CloudTrail settings.
   For full steps, see Configure AWS CloudTrail settings.
3. Add your AWS account to Trend Vision One cloud accounts app.
   Follow the steps in Connect an AWS account using CloudFormation and enable the following features and permissions:

   • Core Features
   • Cloud Detections for AWS CloudTrail
   • Cloud Response for AWS

   Note If you want to test integration with Control Tower, see Connect an AWS account with CloudTrail and Control Tower.

4. After your account successfully connects, use XDR Data Explorer to verify data is being sent.
5. Use one of the following demo models to trigger a Workbench alert.

   Important Make sure to use an IAM user in AWS when using a demo model to enable testing the Revoke Access Permission response task.

   • Demo: Model - AWS Bedrock Successful Guardrail Deletion Detected
   • Demo: Model - AWS Bedrock Model Invocation Logs Successful Deletion Detected
   • Demo: Model - AWS IAM Login MFA Deactivated for a User
   • Demo: Model - AWS EC2 EBS Snapshot Shared Publicly or to an External Account
   • Demo: Model - AWS IAM Administrator Access Policy Attached to a Role
6. Test response capabilities with the Revoke Access Permission task.