
Configure Log Collection and Install the Amazon GuardDuty Benchmark App

Availability: Trial and Enterprise.

This page explains the log collection process, and provides instructions for configuring log collection and installing the Amazon GuardDuty Benchmark App.

Process overview

Sumo Logic provides an application built to the AWS Serverless Application Model (SAM) specification and published in the AWS Serverless Application Repository. This SAM deployment:

  1. Creates a Lambda function and its associated components.
  2. Creates a Hosted Collector and an HTTP Source in Sumo Logic.
  3. Installs the Sumo Logic GuardDuty Benchmark App.

After completing this process, logs are ingested into Sumo Logic in the following way:

  1. Amazon GuardDuty emits CloudWatch Events when new findings, or new occurrences of existing findings, are generated.
  2. A CloudWatch Events rule matches the GuardDuty finding events and sends them to the Sumo CloudWatchEventFunction Lambda function.
  3. The Lambda function sends the events to an HTTP Source on a Sumo Logic Hosted Collector.
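The Lambda step of that pipeline, written out as an added illustration (not the code of the Sumo Logic SAM application): it checks that the incoming CloudWatch event really is a GuardDuty Finding, extracts the finding from `detail`, and posts it as one JSON line to the HTTP Source. The environment variable name SUMO_HTTP_SOURCE_URL and the `post` hook are assumptions made for this example.

```python
import json
import os
import urllib.request

# CloudWatch Events pattern that selects GuardDuty findings; this is the kind of
# rule the SAM deployment creates, reproduced here only for illustration.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def extract_finding(event):
    """Return the GuardDuty finding carried in a CloudWatch event, or None.

    The rule should already filter on source and detail-type, but the function
    re-checks so that a misconfigured rule cannot push arbitrary events into
    the security source category."""
    if event.get("source") != "aws.guardduty":
        return None
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail")
    return detail if isinstance(detail, dict) else None


def _http_post(url, body, headers):
    # Real sender: HTTP POST to the Sumo Logic HTTP Source endpoint.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def forward_finding(finding, url, post=_http_post):
    """Send one finding as a single newline-terminated JSON line.

    One finding per line keeps the `json field=_raw` queries on the page
    working, since each line becomes one Sumo Logic message."""
    body = (json.dumps(finding, separators=(",", ":")) + "\n").encode()
    headers = {"Content-Type": "application/json"}
    return post(url, body, headers)


def lambda_handler(event, context):
    finding = extract_finding(event)
    if finding is None:
        return {"forwarded": False}
    # The HTTP Source URL is an unauthenticated ingest endpoint: keep it in the
    # Lambda environment (assumed variable name), never in the function code.
    url = os.environ["SUMO_HTTP_SOURCE_URL"]
    return {"forwarded": True, "status": forward_finding(finding, url)}
```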

(Figure: GuardDuty Benchmark collection overview)

Configure collection and deploy the App

This section shows you how to generate an access key and access ID for log collection, and then how to deploy the Amazon GuardDuty Benchmark App.

Step 1: Generate an Access Key and Access ID

In this step, you generate an access key and access ID from the Sumo Logic console.

To generate an access key and access ID, do the following:

  1. Follow the instructions in the Sumo Logic Access Key document.
  2. Copy both values; you will need them to deploy the Sumo Logic GuardDuty Benchmark SAM App.

(Figure: Access Keys dialog)

Step 2: Deploy the Sumo Logic GuardDuty Benchmark SAM App

In this step, you deploy the SAM application, which creates the AWS resources described in the process overview.

To deploy the Sumo Logic GuardDuty Benchmark SAM App, do the following:

  1. Go to https://serverlessrepo.aws.amazon.com/applications.
  2. Search for sumologic-guardduty-benchmark and click the app link when it appears.

(Figure: Serverless Application Repository search results)

  3. When the page for the Sumo app appears, click Deploy.

(Figure: application page with the Deploy button)

  4. In the Configure application parameters panel, enter the following parameters:

    1. Access ID (Required): Sumo Logic Access ID generated in Step 1.

    2. Access Key (Required): Sumo Logic Access Key generated in Step 1.

    3. Deployment Name (Required): Deployment name (environment name in lower case, as described in the docs).

    4. Collector Name: Enter the name of the Hosted Collector that will be created in Sumo Logic.

    5. Source Name: Enter the name of the HTTP Source that will be created within the collector.

    6. Source Category Name: Enter the name of the Source Category that will be used when writing search queries.

(Figure: Configure application parameters panel)

  5. Click Deploy.
  6. When the deployment is successful, click View CloudFormation Stack.

(Figure: deployment status)

  7. In the Outputs section, copy the app folder name and use it to search your Personal folder in the Sumo Logic console.

(Figure: CloudFormation stack Outputs section)

Sample log message

{
   "schemaVersion":"2.0",
   "accountId":"012345678910",
   "region":"us-east-1",
   "partition":"aws",
   "id":"38af75470eced5f1c6e4ee9895961baa",
   "arn":"arn:aws:guardduty:us-east-1:012345678910:detector/aaaf7420746be13be119afd94e417684/finding/38af75470eced5f1c6e4ee9895961baa",
   "type":"Recon:EC2/PortProbeUnprotectedPort",
   "resource":{
      "resourceType":"Instance",
      "instanceDetails":{
         "imageId":"ami-06db9a11",
         "instanceId":"i-0d6c314027f74dc82",
         "instanceType":"m4.xlarge",
         "launchTime":1481719450000,
         "platform":null,
         "productCodes":[],
         "iamInstanceProfile":{
            "arn":"arn:aws:iam::012345678910:instance-profile/nodes.k8s.travellogic.info",
            "id":"AIPAJQDPNZCGEVVUZ4FEW"
         },
         "networkInterfaces":[
            {
               "ipv6Addresses":[],
               "privateDnsName":"ip-172-20-45-123.ec2.internal",
               "privateIpAddress":"172.20.45.123",
               "privateIpAddresses":[
                  {
                     "privateDnsName":"ip-172-20-45-123.ec2.internal",
                     "privateIpAddress":"172.20.45.123"
                  }
               ],
               "subnetId":"subnet-1637825f",
               "vpcId":"vpc-c9c4f0ae",
               "securityGroups":[
                  {
                     "groupName":"nodes.k8s.travellogic.info",
                     "groupId":"sg-67e3bb1d"
                  }
               ],
               "publicDnsName":"ec2-54-89-171-133.compute-1.amazonaws.com",
               "publicIp":"54.89.171.133"
            }
         ],
         "tags":[
            {
               "key":"KubernetesCluster",
               "value":"k8s.travellogic.info"
            },
            {
               "key":"Name",
               "value":"nodes.k8s.travellogic.info"
            },
            {
               "key":"k8s.io/role/node",
               "value":"1"
            },
            {
               "key":"aws:autoscaling:groupName",
               "value":"nodes.k8s.travellogic.info"
            }
         ],
         "instanceState":"running",
         "availabilityZone":"us-east-1a"
      }
   },
   "service":{
      "serviceName":"guardduty",
      "detectorId":"aaaf7420746be13be119afd94e417684",
      "action":{
         "actionType":"NETWORK_CONNECTION",
         "networkConnectionAction":{
            "connectionDirection":"INBOUND",
            "remoteIpDetails":{
               "ipAddressV4":"180.70.170.34",
               "organization":{
                  "asn":9318,
                  "asnOrg":"SK Broadband Co Ltd",
                  "isp":"SK Broadband",
                  "org":"SK Broadband"
               },
               "country":{
                  "countryCode":"KR",
                  "countryName":"South Korea"
               },
               "city":{
                  "cityName":"Uijeongbu-si"
               },
               "geoLocation":{
                  "lat":37.7415,
                  "lon":127.0474
               }
            },
            "remotePortDetails":{
               "port":59740,
               "portName":"Unknown"
            },
            "localPortDetails":{
               "port":22,
               "portName":"SSH"
            },
            "protocol":"TCP",
            "blocked":false
         }
      },
      "resourceRole":"TARGET",
      "additionalInfo":{
         "additionalPorts":[
            22
         ]
      },
      "eventFirstSeen":"2017-11-01T21:31:05.542+0000",
      "eventLastSeen":"2017-11-01T21:31:05.542+0000",
      "archived":false,
      "count":743
   },
   "severity":2,
   "createdAt":"2017-11-01T21:31:05.542+0000",
   "updatedAt":"2017-11-01T21:31:05.542+0000",
   "title":"Unprotected port in EC2 Instance i-0d6c314027f74dc82 is being probed.",
   "description":"EC2 Instance i-0d6c314027f74dc82 has an unprotected port 22 which is being probed by a known malicious host with IP address 180.70.170.34."
}

Query sample

The following query is from the Threats by Region panel of the Amazon GuardDuty - Threat Details dashboard:

_sourceCategory=*guardduty*
| json field=_raw "accountId", "region", "partition", "id", "arn", "type","service.serviceName","service.detectorId","service.action","severity","title","description" nodrop
| parse field=type "*:*/*" as ThreatPurpose,ResourceType,ThreatName
| json field=%service.action "networkConnectionAction.localPortDetails.port" as localPort nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.ipAddressV4" as ip nodrop
| parse "\"vpcId\":\"*\"" as vpcId, "\"subnetId\":\"*\"" as subnetId,"\"groupId\":\"*\"" as securityGroupId,"\"tags\":[*]" as tags,"\"groupName\":\"*\"" as securityGroupName nodrop
| if(severity=0, "Info",if(severity=2, "Low", if(severity=5, "Medium", if(severity=8, "High",if(severity=9.5, "Critical",severity))))) as severity
| timeslice 15m
| count by _timeslice, region
| transpose row _timeslice column region
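The same field extraction and aggregation carried out in Python over a constructed finding shaped like the sample log message above; this is an added example, not code from Sumo Logic. It mirrors the query's `parse field=type "*:*/*"`, the nested `if()` severity mapping, the `json` extractions from `service.action`, and `timeslice 15m | count by _timeslice, region`, with the assumption that the finding's `createdAt` stands in for the message time the query slices on.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed, abbreviated finding in the shape of the sample log message.
SAMPLE_FINDING = json.dumps({
    "accountId": "012345678910", "region": "us-east-1",
    "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
    "createdAt": "2017-11-01T21:31:05.542+0000",
    "service": {"action": {"networkConnectionAction": {
        "localPortDetails": {"port": 22},
        "remoteIpDetails": {"ipAddressV4": "180.70.170.34"}}}},
})

# Same numeric-to-label mapping as the nested if() in the query.
SEVERITY_LABELS = {0: "Info", 2: "Low", 5: "Medium", 8: "High", 9.5: "Critical"}
# parse field=type "*:*/*" as ThreatPurpose,ResourceType,ThreatName
TYPE_RE = re.compile(r"^([^:]*):([^/]*)/(.*)$")


def severity_label(sev):
    # Unmapped values pass through unchanged, as the query's final else does.
    return SEVERITY_LABELS.get(sev, sev)


def timeslice(created_at, minutes=15):
    # Floor the timestamp to the start of its bucket, like `timeslice 15m`.
    dt = datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%S.%f%z")
    floored = dt.replace(minute=dt.minute - dt.minute % minutes, second=0, microsecond=0)
    return floored.isoformat()


def parse_finding(raw):
    f = json.loads(raw)
    m = TYPE_RE.match(f.get("type", ""))
    action = f.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    return {
        "region": f.get("region"),
        "ThreatPurpose": m.group(1) if m else None,
        "ResourceType": m.group(2) if m else None,
        "ThreatName": m.group(3) if m else None,
        "localPort": action.get("localPortDetails", {}).get("port"),
        "ip": action.get("remoteIpDetails", {}).get("ipAddressV4"),
        "severity": severity_label(f.get("severity")),
        "_timeslice": timeslice(f["createdAt"]),
    }


def threats_by_region(raw_findings):
    # count by _timeslice, region
    return Counter((p["_timeslice"], p["region"]) for p in map(parse_finding, raw_findings))
```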