Connecting AWS CloudTrail

Analyze your AWS CloudTrail logs and receive alerts about abnormal activity through integration with your connected Trend Micro Vision One environment.

Important:

This is a “Pre-release” feature and is not considered an official release. Please review the Pre-release Disclaimer before using the feature.

  1. Copy the enrollment token used in the Trend Micro Cloud One console to identify your Trend Micro Vision One console.
    1. In the Trend Micro Vision One console, go to Point Product Connection > Product Connector.
    2. Click Connect.
    3. Select Trend Micro Cloud One.
    4. Click the Click to generate the enrollment token link.
    5. Copy the enrollment token.
  2. Use the enrollment token to integrate your Trend Micro Cloud One environment with Trend Micro Vision One.
    1. Open your Trend Micro Cloud One console and click Integrations at the bottom of the screen.
    2. Click Trend Micro Vision One™ on the navigation bar.
    3. In the Enrollment Token section, click Register enrollment token.
    4. Paste the enrollment token and click Register.
    5. In the Connection Status list, verify that the Status of AWS CloudTrail is "Connected".
  3. In the Trend Micro Vision One console, enable the connections to your Trend Micro Cloud One services.
    1. Go to Point Product Connection > Product Connector.
    2. Click Trend Micro Cloud One.
    3. Verify that the AWS CloudTrail service is enabled.
    4. Click Save.
  4. Connect an AWS account to Trend Micro Cloud One in order to provide read-only access to your AWS CloudTrail data.
    Important:

    The following AWS instructions and screen captures were valid as of November 15, 2022. For further help, check your AWS documentation.

    1. Open your Trend Micro Cloud One console and click Integrations at the bottom of the screen.
    2. Click Cloud Accounts on the navigation bar and ensure that you are viewing the AWS tab.
    3. Click New.
    4. Open a new browser window and sign in to your AWS account.
    5. Back in the Connect AWS Account screen, select your AWS region and click Launch Stack to open the AWS management console in a new browser tab to run the IAM role creation template.
    6. In the Quick create stack screen, scroll down to the Capabilities section.
    7. Select I acknowledge that AWS CloudFormation might create IAM resources.
    8. Click Create stack.
  5. To connect CloudTrail to Trend Micro Cloud One, launch the CloudFormation template to your AWS account.
    1. Open your Trend Micro Cloud One console and click Integrations at the bottom of the screen.
    2. Click Cloud Accounts on the navigation bar and ensure that you are viewing the AWS tab.
    3. Click the AWS account that you want to use to manage the CloudTrail integration.
    4. Click Enable next to AWS CloudTrail integration to open the AWS CloudTrail Integration panel.
    5. Open a new browser window and sign in to the AWS account.
    6. Back in the AWS CloudTrail Integration panel, select the AWS region used in the CloudFormation template.
    7. Automatically launch the CloudFormation template into your AWS account by clicking Launch Stack.

      Your browser automatically opens a new tab and displays the Quick create stack screen for your AWS account.

    8. Specify the name of an existing bucket that you want to use for forwarding to Trend Micro Cloud One in the ExistingCloudtrailBucketName field in the Parameters section.
      Warning:

      For customers with a preexisting CloudTrail instance, specify an existing CloudTrail bucket resource or a new bucket will be created for you, which may incur additional AWS costs.

      For new customers without preexisting CloudTrail buckets, the first bucket is included without charge and you should leave this field empty.

    9. Acknowledge all access rights in the Capabilities and transforms section.
    10. Click Create stack.

    After creating the stack, allow at least 15 minutes for the data collection to begin.

  6. Verify that the CloudTrail data collection is working by searching for data in the Search app.
    1. In the Trend Micro Vision One console, go to XDR Threat Investigation > Search.
    2. Change the Search Method to Cloud Activity Data.
    3. Perform a quick search to locate CloudTrail data.

      For example, type the following search string and click Search:

      productCode:sct

    After verifying that the CloudTrail data collection is working, you can start receiving alerts on any CloudTrail events that trigger a detection model in the Workbench app (XDR Threat Investigation > Workbench).
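The following is an added example, not Trend Micro's code, showing how the bucket decision in step 5.8 and the capability acknowledgement in step 5.9 can be made from the AWS CLI/boto3 side instead of the Quick create stack screen: it reads the account's existing trails (constructed sample output of `describe-trails`), fills ExistingCloudtrailBucketName only when a trail already exists, and builds the create-stack request. The template URL, stack name, and the assumption that all three IAM/transform capabilities are required are placeholders or assumptions; boto3 is only touched in the `__main__` block, so the decision logic runs offline.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output for an account
# that already has a multi-region trail writing to a bucket (not real data).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "mgmt-events", "S3BucketName": "example-cloudtrail-logs-123456789012",
         "HomeRegion": "us-east-1", "IsMultiRegionTrail": True}
    ]
})


def existing_cloudtrail_bucket(describe_trails_json: str) -> str:
    """Return the S3 bucket of an existing trail, or '' if the account has none.

    Prefers a multi-region trail (it already holds all management events);
    otherwise takes the first trail that has a bucket.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    with_bucket = [t for t in trails if t.get("S3BucketName")]
    if not with_bucket:
        return ""  # new customer: leave the parameter empty, first bucket is free
    multi = [t for t in with_bucket if t.get("IsMultiRegionTrail")]
    return (multi or with_bucket)[0]["S3BucketName"]


def build_create_stack_request(describe_trails_json: str, template_url: str,
                               stack_name: str = "TrendMicroCloudOneCloudTrail") -> dict:
    """Build the boto3 create_stack() arguments the Launch Stack button would submit.

    ExistingCloudtrailBucketName is set when a trail already exists so the
    template reuses that bucket instead of creating a second, billable one.
    The capability list is an assumption covering the 'Capabilities and
    transforms' acknowledgement (IAM resources plus a possible transform).
    """
    bucket = existing_cloudtrail_bucket(describe_trails_json)
    return {
        "StackName": stack_name,
        "TemplateURL": template_url,  # placeholder: copy from the Cloud One panel
        "Parameters": [{"ParameterKey": "ExistingCloudtrailBucketName",
                        "ParameterValue": bucket}],
        "Capabilities": ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM",
                         "CAPABILITY_AUTO_EXPAND"],
    }


if __name__ == "__main__":
    import boto3  # only needed when actually querying/launching in an account
    trails = json.dumps(boto3.client("cloudtrail").describe_trails())
    req = build_create_stack_request(trails, "https://TEMPLATE-URL-PLACEHOLDER")
    print(json.dumps(req, indent=2))  # review, then create_stack(**req)
```

Run it with credentials for the AWS account chosen in step 5.3; the printed request is what to review before creating the stack, after which the 15-minute wait from step 5 still applies.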