AWS CloudTrail integration script

To integrate AWS CloudTrail logs with Sophos Central, you download a customized script and run it using AWS CLI or AWS CloudShell.

The script uses the following variables.

| Variable | Description | Value |
| --- | --- | --- |
| MANAGE_ACCOUNT_TOKEN | Access token used to add or delete requests. | Randomly generated for customer. |
| SEND_DATA_TOKEN | Access token used to send data. | Randomly generated for customer. |
| EXTERNAL_ID | External ID for trust relationship between Sophos AWS account and SophosCloudtrailRole role created by Sophos in customer environment. | Randomly generated for customer. |
| SETUP_TYPE | Specifies whether customer is using AWS Organizations or an ordinary account. | ORGANIZATION or ACCOUNT |
| CLOUDTRAIL_S3_RETENTION | How long data in CloudTrail S3 bucket is kept. | Default is 365 days. |
| AWS_DEFAULT_REGION | Default region for creation and use of AWS resources. | Variable only used if you don't select a region. |
| BASE_URL | URL of data collector. Data from the customer's environment is pushed to this location. | https://http-collector.cloudstation.eu-west-1.dev.hydra.sophos.com. |
| USE_EXISTING_TRAIL_SETUP | Use existing trail bucket setup or create a new one. | Variable only used if option selected. It is then set to true. |
| CLOUDTRAIL_BUCKET_NAME | Name of S3 bucket if an existing setup is used. | Variable only used if USE_EXISTING_TRAIL_SETUP=true. |
| CLOUDTRAIL_BUCKET_FOLDER | Name of S3 bucket folder if an existing setup is used. | Variable only used if USE_EXISTING_TRAIL_SETUP=true. |
| CLOUDTRAIL_SNS_TOPIC | Name of SNS topic if an existing setup is used. | Variable only used if USE_EXISTING_TRAIL_SETUP=true. |
| TARGET_ACCOUNT | Account ID of Sophos account that reads the CloudTrail S3 bucket. Used to set up trust relationship. | Value created by Sophos. |
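
The EXTERNAL_ID and TARGET_ACCOUNT rows describe a cross-account trust relationship, so a useful check after running the script is that the role's trust policy allows only that account and requires that external ID. The following is an added example, not part of the Sophos script: the function name, the sample account ID, the sample external ID and the policy shape (the standard IAM `sts:AssumeRole` pattern with an `sts:ExternalId` condition) are assumptions.

```python
# Constructed sample values, not real Sophos identifiers.
TARGET_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"

def as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, target_account, external_id):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    allowed = {target_account, f"arn:aws:iam::{target_account}:root"}
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not limited to AWS accounts")
            continue
        for who in as_list(principal["AWS"]):
            if who not in allowed:
                findings.append(f"statement {i}: unexpected principal {who}")
        # Condition keys are case-insensitive in IAM, so compare in lower case.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for key, vals in equals.items() if key.lower() == "sts:externalid"
               for v in as_list(vals)]
        if ids != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings

# Constructed policy: one trusted account, external ID required.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

# Constructed policy: a second account is trusted and no external ID is required.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                          "arn:aws:iam::444455556666:root"]}}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_trust_policy(doc, TARGET_ACCOUNT, EXTERNAL_ID) or "OK")
```

To audit a deployed role, pass in the document returned by `aws iam get-role --role-name SophosCloudtrailRole --query Role.AssumeRolePolicyDocument` together with the TARGET_ACCOUNT and EXTERNAL_ID values from your copy of the script.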