AWS CloudTrail integration script
You must have the Public Cloud integrations license pack to use this feature.
To integrate AWS CloudTrail logs with Sophos Central, you download a customized script and run it using AWS CLI or AWS CloudShell.
The script uses the following variables.
| Variable | Description | Value |
|---|---|---|
MANAGE_ACCOUNT_TOKEN | Access token used to add or delete requests. | Randomly generated for customer. |
SEND_DATA_TOKEN | Access token used to send data. | Randomly generated for customer. |
EXTERNAL_ID | External ID for trust relationship between Sophos AWS account and SophosCloudtrailRole role created by Sophos in customer environment. | Randomly generated for customer. |
SETUP_TYPE | Specifies whether customer is using AWS Organizations or an ordinary account. | ORGANIZATION or ACCOUNT |
CLOUDTRAIL_S3_RETENTION | How long data in CloudTrail S3 bucket is kept. | Default is 365 days. |
AWS_DEFAULT_REGION | Default region for creation and use of AWS resources. | Variable only used if you don't select a region. |
BASE_URL | URL of appliance. Data from the customer's environment is pushed to this location. | https://http-collector.cloudstation.eu-west-1.dev.hydra.sophos.com. |
USE_EXISTING_TRAIL_SETUP | Use existing trail bucket setup or create a new one. | Variable only used if option selected. It is then set to true. |
CLOUDTRAIL_BUCKET_NAME | Name of S3 bucket if an existing setup is used. | Variable only used if USE_EXISTING_TRAIL_SETUP=true. |
CLOUDTRAIL_BUCKET_FOLDER | Name of S3 bucket folder if an existing setup is used. | Variable only used if USE_EXISTING_TRAIL_SETUP=true. |
CLOUDTRAIL_SNS_TOPIC | Name of SNS topic if an existing setup is used. | Variable only used if USE_EXISTING_TRAIL_SETUP=true. |
TARGET_ACCOUNT | Account ID of Sophos account that reads the CloudTrail S3 bucket. Used to set up trust relationship. | Value created by Sophos. |