CloudTrail

The CloudTrail source requires that you've done the following:

Created an s3 bucket that cloudtrail streams to.
Provide RunReveal with access to a role
Set up an event notification from your s3 bucket receiving CloudTrail logs that notifies RunReveal.

This source supports two different kinds of setups.

Cloudformation Setup

If you don't yet have a trail setup, you'll need to either set up an Organization trail, or a non-organization trail. If you'd like RunReveal to create the trail, and fully set-up the the event notification, and access to the bucket, you can use these cloudformation templates.

RunReveal can help with this setup process using these two Cloudformation templates.

Organization Trail (opens in a new tab) (this will fail if you've not created an organization).
Non-organization Trail (opens in a new tab)

Once the cloudformation runs successfully, provide RunReveal with the name of the bucket, ensure the Role ARN is blank, and click "Connect".

Manual Setup

Consult the docs on setting up a role and how to provide RunReveal with access to that role on the S3 Sources page.

Event Notifications

Ensure that your event notifications are being forwarded to this sns topic in your region.

arn:aws:sns:<REGION>:253602268883:runreveal_cloudtrail

Dashboard setup

Create a CloudTrail source in the dashboard, and provide RunReveal with your bucket-name, IAM role name, and IAM external ID.

Alb Logs Guardduty