THE DFIR BLOG
Cloud Security

CloudTrail

4/29/2023

What are CloudTrail logs?
CloudTrail is the audit log of API calls made in an AWS account, whether they come from the console, the CLI, an SDK or another AWS service. Event history is enabled by default with no setup and keeps 90 days of management events. Each log entry is one event. CloudTrail only records API activity; it is not a replacement for AV, EDR, MDR or XDR tooling. For instance, CloudTrail will log the API call that launched, stopped or modified an EC2 instance, or a call made against it by another AWS service, but it will not log what happens inside the instance's operating system. All CloudTrail timestamps are in UTC.

Default log retention time?
90 days in the CloudTrail Event history, at no charge. To keep logs longer, create a trail that delivers them to an S3 bucket (and optionally to CloudWatch Logs), or forward them to your SIEM; S3 storage is billed normally.

What can you do with CloudTrail?
A lot, as far as incident investigation is concerned. Two common questions it answers:
 - What actions did a given user take over a specific time period?
 - What is the source IP address for a particular activity?

Can you collect CloudTrail logs from all of your AWS accounts and regions into one centralized bucket?
Yes. Create a multi-region trail in the management account and make it an organization trail; it then delivers events from every account and region in the organization to the single S3 bucket you name when creating the trail. The bucket policy must let cloudtrail.amazonaws.com write under the AWSLogs/<organization id>/ prefix as well as the management account's own prefix, otherwise delivery from member accounts fails silently.
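An added example (not code from the original post) of the bucket policy an organization trail needs, plus a check that an existing policy grants it. The bucket name, account ID, organization ID and trail ARN are placeholders. The shape follows the CloudTrail bucket policy AWS documents: s3:GetBucketAcl on the bucket, s3:PutObject under AWSLogs/<management account>/ and AWSLogs/<organization id>/, the bucket-owner-full-control ACL condition, and an aws:SourceArn pin (recommended so that only your trail, not a trail in someone else's account, can write into the bucket):

```python
import json

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def org_trail_bucket_policy(bucket, mgmt_account_id, org_id, trail_arn):
    """Build the bucket policy an organization trail needs.

    All four identifiers are placeholders supplied by the caller; the
    statement layout mirrors the AWS-documented CloudTrail bucket policy.
    """
    def write_stmt(sid, prefix):
        return {
            "Sid": sid, "Effect": "Allow", "Principal": CLOUDTRAIL_PRINCIPAL,
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{prefix}/*",
            "Condition": {"StringEquals": {
                # CloudTrail must hand the object to the bucket owner...
                "s3:x-amz-acl": "bucket-owner-full-control",
                # ...and only this trail may write here (confused-deputy guard).
                "aws:SourceArn": trail_arn,
            }},
        }

    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": CLOUDTRAIL_PRINCIPAL, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        write_stmt("AWSCloudTrailWrite", mgmt_account_id),          # management account
        write_stmt("AWSCloudTrailOrganizationWrite", org_id),       # every member account
    ]}


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trail_bucket_policy(policy, bucket, org_id):
    """Return a list of problems; an empty list means member-account delivery will work."""
    problems = []
    org_prefix = f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*"
    acl_ok = org_write_ok = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal") != CLOUDTRAIL_PRINCIPAL:
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                problems.append(f"{st.get('Sid')}: PutObject lacks the bucket-owner-full-control ACL condition")
            if "aws:SourceArn" not in cond:
                problems.append(f"{st.get('Sid')}: PutObject not pinned to a trail ARN (any account's trail could write here)")
            if org_prefix in resources:
                org_write_ok = True
    if not acl_ok:
        problems.append("no s3:GetBucketAcl grant for cloudtrail.amazonaws.com on the bucket")
    if not org_write_ok:
        problems.append(f"no s3:PutObject grant on AWSLogs/{org_id}/* (member-account logs will fail delivery)")
    return problems


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own before applying with put-bucket-policy.
    policy = org_trail_bucket_policy(
        "org-cloudtrail-logs", "111111111111", "o-exampleorgid",
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail")
    print(json.dumps(policy, indent=2))
    print("problems:", check_trail_bucket_policy(policy, "org-cloudtrail-logs", "o-exampleorgid"))
```

Run the check against the policy you already have on the bucket (aws s3api get-bucket-policy) before switching a trail to organization mode; a missing organization prefix is the usual reason member-account events never appear.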

Detection Rules:
Disabled AWS CloudTrail logging: alert on StopLogging, DeleteTrail and UpdateTrail events with eventSource cloudtrail.amazonaws.com. An attacker who turns the trail off first is blinding the very log you are investigating with, so these calls warrant an alert regardless of which principal made them.

Splunk Queries:
Summarize non-read-only API calls per principal. The index name depends on your ingestion; Describe*, List* and Get* are dropped as read-only noise, so what remains is the activity that changed something:
index=aws-cloudtrail
| search NOT eventName IN ("Describe*", "List*", "Get*")
| stats count values(eventName) by userIdentity.arn userIdentity.type userIdentity.accountId
| sort -count
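The two investigation questions above, the Splunk summary and the disabled-logging detection rule, carried out over a handful of constructed CloudTrail records (an added example in Python, not code from the original post; the account ID, ARNs and IP addresses are placeholders). It reads the {"Records": [...]} shape CloudTrail delivers to S3, filters read-only calls the way the Splunk query does, and flags StopLogging, DeleteTrail and UpdateTrail:

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]});
# the account ID, ARNs and IPs are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-04-29T10:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-04-29T10:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-04-29T10:15:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-04-29T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "lambda.amazonaws.com",   # service-originated call, no readOnly field
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/app"}},
]})

READ_ONLY_PREFIXES = ("Describe", "List", "Get")
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def load_records(log_text):
    """Parse a CloudTrail log file: one JSON object holding a Records array."""
    return json.loads(log_text)["Records"]


def parse_utc(ts):
    """CloudTrail eventTime is always UTC ('2023-04-29T10:01:12Z'); keep the tzinfo explicit."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_read_only(rec):
    """Prefer the record's readOnly flag; fall back to the name prefix the Splunk query uses."""
    if "readOnly" in rec:
        return bool(rec["readOnly"])
    return rec["eventName"].startswith(READ_ONLY_PREFIXES)


def actions_by_user(records, arn, start, end):
    """Question 1: what did this principal do between start and end (UTC timestamps)?"""
    lo, hi = parse_utc(start), parse_utc(end)
    return [(rec["eventTime"], rec["eventName"], rec["sourceIPAddress"])
            for rec in records
            if rec["userIdentity"].get("arn") == arn and lo <= parse_utc(rec["eventTime"]) <= hi]


def source_ips_for(records, event_name):
    """Question 2: where did calls to this API come from?"""
    return sorted({rec["sourceIPAddress"] for rec in records if rec["eventName"] == event_name})


def write_activity_by_principal(records):
    """Equivalent of the Splunk stats: non-read-only event names per (arn, type, accountId)."""
    summary = defaultdict(set)
    for rec in records:
        if is_read_only(rec):
            continue
        ident = rec["userIdentity"]
        summary[(ident.get("arn"), ident.get("type"), ident.get("accountId"))].add(rec["eventName"])
    return dict(summary)


def detect_logging_disabled(records):
    """Detection rule: CloudTrail API calls that stop, delete or reconfigure a trail."""
    return [{"time": rec["eventTime"], "event": rec["eventName"],
             "actor": rec["userIdentity"].get("arn"), "source_ip": rec["sourceIPAddress"]}
            for rec in records
            if rec["eventSource"] == "cloudtrail.amazonaws.com"
            and rec["eventName"] in LOGGING_TAMPER_EVENTS]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    alice = "arn:aws:iam::123456789012:user/alice"
    print(actions_by_user(recs, alice, "2023-04-29T10:00:00Z", "2023-04-29T11:00:00Z"))
    print(source_ips_for(recs, "StopLogging"))
    print(write_activity_by_principal(recs))
    print(detect_logging_disabled(recs))
```

Note the fallback in is_read_only: older records and some service-originated events carry no readOnly field, which is why the prefix filter from the Splunk query is still worth keeping alongside it. Pass a real log file's contents to load_records to run the same questions over exported trail data.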
