SumoLogic · jpipkin1 · Jun 16, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025
diff --git a/blog-service/2025-06-17-apps.md b/blog-service/2025-06-17-apps.md
@@ -0,0 +1,70 @@
+---
+title: AWS CloudTrail (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - aws-cloudtrail
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+AWS is streamlining [CloudTrail](https://aws.amazon.com/cloudtrail/) events for [IAM Identity Center](https://aws.amazon.com/iam/identity-center/) by keeping only the essential fields needed for workflows like audit and incident response. These changes make it easier to identify users in IAM Identity Center CloudTrail events, based on customer feedback. They also improve the ability to match users between IAM Identity Center and external directories like Okta Universal Directory or Microsoft Active Directory. These updates do not impact CloudTrail events from other AWS services.
+
+To learn more, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/).
+
+### Impact and required actions for Sumo Logic users following AWS CloudTrail updates
+
+#### Overview of required updates
+
+AWS is updating CloudTrail events for IAM Identity Center, affecting how user identity data is structured. So, if you are using the updated fields in your Cloud SIEM content or across the Sumo Logic platform, you need to update any saved queries, dashboards, or detection rules to reflect these changes and ensure continued functionality.
+
+**Key updates**:
+- Sumo Logic-provided apps must be manually reinstalled to incorporate the updated event field mappings.
+- Cloud SIEM parsers have already been automatically updated and require no customer intervention.
+
+#### Action plan for Sumo Logic users
+
+**Step 1: Reinstall relevant Sumo Logic apps**
+
+To reinstall the apps, follow the steps below:
+
+1. Navigate to the **App Catalog**.
+1. Search for the relevant app.
+
+    If you're using any of the following apps that consume CloudTrail data, you must reinstall them:
+    - Amazon CloudTrail – Cloud Security Monitoring and Analytics
+    - AWS CloudTrail
+    - CIS AWS Foundations Benchmark
+    - PCI Compliance for AWS CloudTrail
+    - Threat Intel for AWS
+    - Cloud Infrastructure Security for AWS
+    :::info
+    These are v1 apps, and reinstalling them will create a new folder in your Content Library with updated dashboards that reflect the field structure changes.
+    :::
+3. Install to deploy updated content under a new folder.
+
+**Step 2: Update custom saved searches and dashboards**
+
+If you’ve created custom content based on CloudTrail fields, manual updates will be necessary to accommodate the new schema.
+
+**Field mapping changes**
+| Fields | New Location |
+|:--|:--|
+| `UserName` | Added under `additionalEventData` |
+| `principalId` | Removed |
+| `userId`<br/>`identityStoreArn`<br/>`credentialId` | Added under `userIdentity` |
+
+For more information on field changes, see [AWS Security Blog](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=How%20to%20prepare%20your%20workflows%20for%20the%20upcoming%20changes%20to%20IAM%20Identity%20Center%20user%20identification%20in%20CloudTrail)
+
+#### Timeline for implementation
+
+AWS plans to implement these changes on [July 14, 2025](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=Effective%20July%2014%2C%202025).
+
+Sumo Logic apps are backward-compatible, so you can safely reinstall updated apps before the AWS changes go live.
+
+For any custom content outside of Sumo Logic’s managed apps or parsers, ensure your changes are backward compatible and deploy updates before July 14, 2025.
+
+#### Consequences of not updating
+
+Failure to update your apps, saved searches, or dashboards will result in user-related fields not being parsed correctly. Consequently, visualizations and panels relying on those fields will appear empty or display inaccurate data.