AWS GuardDuty is useful to detect twelve potential threats shown below. It monitors the security of your AWS environment by analyzing and processing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. This app for Amazon GuardDuty provides insights into the activities in your AWS account based on the findings from Amazon GuardDuty. The App includes preconfigured dashboards that allow you to detect unexpected and potentially malicious activities in your AWS account by providing details on threats by severity, VPC, IP, account ID, region, and resource type.
In this lab you will install the Amazon GuardDuty app. You will monitor the dashboards and investigate your highest count threats. Use our clickable links right from the dashboards, and instantly be routed to your AWS EC2 environment for rapid remediation efforts.
Install the AWS GuardDuty app
- The best way to see your ingested AWS environment is to install our Sumo Logic AWS GuardDuty app. Sumo Logic apps deliver out-of-the-box dashboards, saved searches, and field extraction for popular data sources. With an app, you can start exploring your data source within minutes. To view the AWS GuardDuty data from your source, let's install the AWS GuardDuty app. Click App Catalog in the left navigation panel.
- Enter GuardDuty in the search field, and press Return to show the matching apps
- Double-click Amazon GuardDuty to open its app page, and click Add to Library.
- The dialog box that opens includes options to choose the folder where you install the app and to select a category for your data source.
- Let's keep the folder as the default (Personal). You have the ability to alter the name of App, but let's name it Amazon GuardDuty<your intials ##> ending with your intials and any 2 numbers. This App name will be necessary to reference in the Using Sumo Logic Tutorial later, so by adding your intials you will be able to find the app you installed.
- For the log data source, select Source Categories, and select the source category Labs/AWS/GuardDuty_V8. This is how you map your Amazon GuardDuty data to the out-of-the-box Amazon GuardDuty app.
- Click Add to Library to confirm your selections and add the app to the library.
Investigate your findings
- Now that the app is created, let’s see what is happening. Click Personal on the left navigation panel or on the Library page, and double-click the Amazon GuardDuty<your intials>## folder.
- Notice that the app includes predefined dashboards.
- Let’s open two dashboards. In the left navigation pane, scroll down to the Amazon GuardDuty - Overview dashboard and double-click. The dashboard opens to show panels that are already created for you. Then scroll down to the Amazon GuardDuty - Details dashboard and double-click. First let's look at the Amazaon GuardDuty - Overview dashboard, click on it's tab. This dashboard allows you to gain rapid insights into the severity and frequency of GuardDuty findings for effective remediation efforts. Scroll to the Threats by ThreatPurpose, ResourceType, ThreatName panel. We can see Recon as our largest count in the last 24 hours. Click Show in Search icon to open the underlying query.
- You want to investigate your highest recon account activity. To detect this, add accountid to the count line as below and rerun the query.
| count as count by ThreatPurpose,ResourceType,ThreatName,accountid
- The results may look like this.
- Left of the highest count on the top line, copy the accountid. Highlight the account id and right mouse click.
- GuardDuty findings and raw log data can easily be filtered by metadata tags for more granular search and detailed analysis. Search metadata tags include User ID, Region, VPC, subnet, instance ID, ports, IPs, Principle ID, Access Key ID, etc. Now we will filter by and account the number copied above. At the top right corner of any panel, click on the blue filter icon, . Paste the copied account number.
- You will see all the dashboard panel pivot to display the information for that accountid. This is a useful technique of using the dashboard filters already provided for quick analysis on a particular aspect. Try hovering over the data in the Severity and AccountID panel below to observe the effect.
- Now click on the open tab for the other dashboard, Amazon GuardDuty - Details. In closer examination, this dashboard gives us the various ways to monitor the threats. In the Threat Details Summary Table you can examine your highest count threats. Simply click on the blue finding link and instantly be routed to your AWS EC2 environment for rapid remediation efforts.
In this training environment we don't have an AWS linked so it will take you to an AWS login page.
Quiz (True or False?)
The AWS GuardDuty app monitors threat findings that may be instantly routed to my AWS instances.
The dashboard and panel filter turns green if enabled.
I can modify a panel query to extract additional information.
Congratulations! You’ve completed these tasks:
Installed AWS GuardDuty app.
Filtered on accountID at the dashboard level.
Modified a panels query to obtain information.
Learned where to link to AWS for further investigation of any threat findings.