
Collect Logs for Amazon GuardDuty

This page has instructions for collecting logs for the Amazon GuardDuty app.

Collection overview

  1. Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated.
  2. A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo CloudWatchEventFunction Lambda function.
  3. The Lambda function sends the events to an HTTP source on a Sumo hosted collector.

This configuration is defined in an AWS Serverless Application Model (SAM) specification published in the AWS Serverless Application Repository. You don't need to manually create the necessary AWS resources; deploying the application creates the CloudWatch Events rule, the Lambda function and its execution role for you, as described in Step 2 below. As with any third-party application deployed into your account, review the IAM permissions it requests before you approve the deployment.

Step 1: Configure an HTTP source

  1. In Sumo Logic, configure a Hosted Collector.
  2. In Sumo Logic, configure an HTTP Source.  When you configure the source, in the Advanced Options for Logs section of the page:
    1. Specify Format as yyyy-MM-dd'T'HH:mm:ss.SSS'Z' 
    2. Specify Timestamp locator as .*"updatedAt":"(.*)".*
       Note: the `(.*)` capture is greedy, so if findings arrive as single-line JSON it will capture everything up to the last `"` on the line; the sample finding below also shows `updatedAt` ending in `+0000` rather than `Z`. Confirm both the Format string and the locator against the events that actually reach the source, and tighten the locator (for example `"updatedAt":"([^"]*)"`) if timestamps are not being parsed.
      timestamp-format.png

Step 2: Deploy Sumo GuardDuty events processor

In this step, you deploy the events processor. This will create the AWS resources described in Collection overview.

  1. Go to https://serverlessrepo.aws.amazon.com/applications.
  2. Search for “sumologic-guardduty-events-processor”. The Serverless Application Repository is a public catalog, so confirm that the application is published by Sumo Logic before deploying it; similarly named applications from other publishers may exist.
    repo.png
  3. When the page for the Sumo app appears, click Deploy.
    deploy.png
  4. In the Configure application parameters panel, paste the URL for the HTTP source you created above. Treat this URL as a secret: anyone who obtains it can post data to your source. Do not commit it to version control, and be aware that it is stored in the deployed Lambda function's configuration, where any principal allowed to read that configuration can see it.
    app-params.png
  5. Click Deploy.

Configure optional environment variables

  1. Go to the AWS Lambda console.
  2. Search for the "aws-serverless-repository-CloudWatchEventFunction-<suffix>" function and click it.
  3. Scroll down to the Environment variables section.
    lambda6.png

    You can set any of the following optional variables:
    • ENCODING (Optional). Encoding to use when decoding CloudWatch log events. Default is utf-8.
    • SOURCE_CATEGORY_OVERRIDE (Optional). Override _sourceCategory value configured for the HTTP source.
    • SOURCE_HOST_OVERRIDE (Optional). Override _sourceHost value configured for the HTTP source.
    • SOURCE_NAME_OVERRIDE (Optional). Override _sourceName value configured for the HTTP source.

Sample log message


{
   "schemaVersion":"2.0",
   "accountId":"012345678910",
   "region":"us-east-1",
   "partition":"aws",
   "id":"38af75470eced5f1c6e4ee9895961baa",
   "arn":"arn:aws:guardduty:us-east-1:012345678910:detector/aaaf7420746be13be119afd94e417684/finding/38af75470eced5f1c6e4ee9895961baa",
   "type":"Recon:EC2/PortProbeUnprotectedPort",
   "resource":{
      "resourceType":"Instance",
      "instanceDetails":{
         "imageId":"ami-06db9a11",
         "instanceId":"i-0d6c314027f74dc82",
         "instanceType":"m4.xlarge",
         "launchTime":1481719450000,
         "platform":null,
         "productCodes":[


         ],
         "iamInstanceProfile":{
            "arn":"arn:aws:iam::012345678910:instance-profile/nodes.k8s.travellogic.info",
            "id":"AIPAJQDPNZCGEVVUZ4FEW"
         },
         "networkInterfaces":[
            {
               "ipv6Addresses":[


               ],
               "privateDnsName":"ip-172-20-45-123.ec2.internal",
               "privateIpAddress":"172.20.45.123",
               "privateIpAddresses":[
                  {
                     "privateDnsName":"ip-172-20-45-123.ec2.internal",
                     "privateIpAddress":"172.20.45.123"
                  }
               ],
               "subnetId":"subnet-1637825f",
               "vpcId":"vpc-c9c4f0ae",
               "securityGroups":[
                  {
                     "groupName":"nodes.k8s.travellogic.info",
                     "groupId":"sg-67e3bb1d"
                  }
               ],
               "publicDnsName":"ec2-54-89-171-133.compute-1.amazonaws.com",
               "publicIp":"54.89.171.133"
            }
         ],
         "tags":[
            {
               "key":"KubernetesCluster",
               "value":"k8s.travellogic.info"
            },
            {
               "key":"Name",
               "value":"nodes.k8s.travellogic.info"
            },
            {
               "key":"k8s.io/role/node",
               "value":"1"
            },
            {
               "key":"aws:autoscaling:groupName",
               "value":"nodes.k8s.travellogic.info"
            }
         ],
         "instanceState":"running",
         "availabilityZone":"us-east-1a"
      }
   },
   "service":{
      "serviceName":"guardduty",
      "detectorId":"aaaf7420746be13be119afd94e417684",
      "action":{
         "actionType":"NETWORK_CONNECTION",
         "networkConnectionAction":{
            "connectionDirection":"INBOUND",
            "remoteIpDetails":{
               "ipAddressV4":"180.70.170.34",
               "organization":{
                  "asn":9318,
                  "asnOrg":"SK Broadband Co Ltd",
                  "isp":"SK Broadband",
                  "org":"SK Broadband"
               },
               "country":{
                  "countryCode":"KR",
                  "countryName":"South Korea"
               },
               "city":{
                  "cityName":"Uijeongbu-si"
               },
               "geoLocation":{
                  "lat":37.7415,
                  "lon":127.0474
               }
            },
            "remotePortDetails":{
               "port":59740,
               "portName":"Unknown"
            },
            "localPortDetails":{
               "port":22,
               "portName":"SSH"
            },
            "protocol":"TCP",
            "blocked":false
         }
      },
      "resourceRole":"TARGET",
      "additionalInfo":{
         "additionalPorts":[
            22
         ]
      },
      "eventFirstSeen":"2017-11-01T21:31:05.542+0000",
      "eventLastSeen":"2017-11-01T21:31:05.542+0000",
      "archived":false,
      "count":743
   },
   "severity":2,
   "createdAt":"2017-11-01T21:31:05.542+0000",
   "updatedAt":"2017-11-01T21:31:05.542+0000",
   "title":"Unprotected port in EC2 Instance i-0d6c314027f74dc82 is being probed.",
   "description":"EC2 Instance i-0d6c314027f74dc82 has an unprotected port 22 which is being probed by a known malicious host with IP address 180.70.170.34."
}

Query Sample

Threat details

// Threat details: one row per finding title / account / resource type / remote IP,
// with a deep link to the affected EC2 instance where one is present.
// Scope to the HTTP source's category (adjust if SOURCE_CATEGORY_OVERRIDE was set on the Lambda).
_sourceCategory=aws/guardduty
// Top-level finding fields; nodrop keeps events that are missing any of them.
| json field=_raw "accountId", "region", "partition", "id", "arn", "type","service.serviceName","service.detectorId","service.action","severity","title","description" nodrop
| json field=_raw "resource.resourceType" as resourceType nodrop
// Connection details live under service.action (the % prefix is needed for the dotted field name).
| json field=%service.action "networkConnectionAction.remoteIpDetails.ipAddressV4" as ip nodrop
| json field=%service.action "networkConnectionAction.localPortDetails.port" as localPort nodrop
// NOTE(review): these string patterns expect a space after the colon ("vpcId": "..."); the sample
// finding on this page has no space, so confirm against the events actually delivered.
// groupId / groupName capture only the first security group in the event.
| parse "\"vpcId\": \"*\"" as vpcId, "\"subnetId\": \"*\"" as subnetId,"\"groupId\": \"*\"" as securityGroupId,"\"tags\": [*]" as tags,"\"groupName\": \"*\"" as securityGroupName nodrop
| json field=_raw "resource.instanceDetails.instanceId" as instanceid nodrop
// NOTE(review): only the exact values 2, 5 and 8 are relabelled; any other severity value passes
// through unchanged as a number. GuardDuty documents severity as a decimal range, so range
// comparisons (e.g. severity < 4, < 7) are probably what is intended here -- confirm.
| if(severity=2, "Low", if(severity=5, "Medium", if(severity=8, "High",severity))) as severity
// EC2 console link for the affected instance; empty string when the finding has no instance.
| if(!isNull(instanceid),concat ("https://",region,".console.aws.amazon.com/ec2/v2/home?region=",region,"#Instances:search=",instanceid),"") as link
// Geolocation and organisation enrichment of the remote IP.
| json field=%service.action "networkConnectionAction.remoteIpDetails.geoLocation.lon" as longitude nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.geoLocation.lat" as latitude nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.organization.asnOrg" as asnOrg nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.organization.org" as organization nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.organization.isp" as isp nodrop
// Aggregate; localPort, vpcId, subnetId, tags and the geo fields are extracted but not part of the grouping.
| count as count by title, accountId, resourceType, organization, isp, ip, link
| sort count