
Install the Amazon Route 53 Resolver Security App and View the Dashboards

Learn about the dashboards in the Amazon Route 53 Resolver Security app.

This page provides instructions on how to install the Amazon Route 53 Resolver Security app, and examples of each of its dashboards. The app's pre-configured searches and dashboards provide easy-to-access visual insights into your data.

Install the app

Locate and install the app from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. In the App Catalog, search for and select the app.
  2. Click Add to Library.
  3. To install the app, complete the following fields.
     1. App Name. You can retain the existing name, or enter a name of your choice for the app.
     2. Data Source. Select either of these options for the data source.
        • Choose Source Category, and select a source category from the list.
        • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).
     3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
  4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. It's important to note that each panel fills only with data that matches its query's time range and that was received after the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.

Query Logging Overview 

The Query Logging Overview Dashboard provides insights into DNS activities such as DNS queries by location, VPC and instance ID. Additional security information is provided, including blocked and alerted DNS queries from the Route 53 DNS Resolver Firewall, and Threat Intel matches from Sumo Logic's CrowdStrike integration.

Use this dashboard to:

  • Identify unusual DNS activity or changes in DNS activity patterns.
  • Identify possible malicious or anomalous behavior by reviewing high-entropy domains and the most and least queried domains.
  • Analyze DNS requests violating your Route 53 DNS Resolver Firewall policies.
  • Review Threat Intel matches.

[Image: Amazon Route 53 Resolver Security - Query Logging Overview dashboard]

Panels include:

  • IPv4 Resolution by Geo Location
  • Top 10 Queried Domains
  • Least 10 Queried Domains
  • DNS Queries Over 24H by Type and VPC-ID
  • DNS Queries by Instance ID and Source Address
  • Top 50 Highest Entropy Domains
  • Total Hits from Threat Intel Source
  • Threats Over Time
  • Threat Outlier
  • Anomalies within Alerted DNS Queries
  • Anomalies within Blocked DNS Queries
  • Alerted DNS Queries by Instance ID Over Time
  • Top 10 Alerted Domains
  • Top 10 Blocked Domains
  • Blocked DNS Queries by Instance ID Over Time

Resolver DNS Firewall

The Resolver DNS Firewall Dashboard provides monitoring and insights into DNS Firewall activity.

Use this Dashboard to:

  • Analyze blocked and alerted DNS queries by domain, instance ID, rule group ID, and domain list ID
  • Help identify possible DNS exfiltration attempts
  • Identify communications to known bad domains

[Image: Amazon Route 53 Resolver Security - Resolver DNS Firewall dashboard]

Panels include:

  • Alerted Queries IPv4 Resolution by GeoLocation
  • Alerted DNS Queries by Rule Group ID & Domain List ID
  • Alerted Queries by Instance ID and Source Address
  • Anomalies within Alerted DNS Queries
  • Alerted DNS Queries by Instance ID Over Time
  • Top 10 Alerted Domains
  • Blocked DNS Queries by Rule Group ID & Domain List ID
  • Blocked Queries by Instance ID and Source Address
  • Anomalies within Blocked DNS Queries
  • Blocked DNS Queries by Instance ID Over Time
  • Top 10 Blocked Domains

Security Detail Dashboard

The Security Detail Dashboard provides insights into DNS activities such as the number of DNS requests and data throughput by VPC and instance ID. The dashboard also provides a detailed drill-down per request, displaying information such as the request, request type, ASN number, ASN organization name, and DNS Resolver Firewall actions.

Use this Dashboard to identify:

  • Possible data exfiltration over DNS
  • Communication to possible DGA domains
  • Beaconing behavior
  • Potential Network Footprinting/Discovery Activity
  • Communication to known Malicious Domains using Threat Intelligence

[Image: Amazon Route 53 Resolver Security - Security Details dashboard]

Panels include:

  • DNS Queries Over 24H by Type and VPC-ID
  • DNS Queries by Instance ID and Source Address
  • Bytes Sent Over DNS Requests by Instance ID
  • Bytes Sent Over DNS Requests by VPC
  • Top 50 Highest Entropy Domains
  • Top 50 Domains by Query Length and InstanceID
  • DNS Queries by Instance ID and Source Address
  • Resolver Query Logs Detail
  • Reverse DNS Query to Non-Existent Domain by Query Name & Instance ID
  • Reverse DNS Query to Non-Existent Domain by Query Name
  • Reverse DNS Query to Non-Existent Domain by Instance ID
  • Successful Reverse DNS Query by Query Name & Instance ID
  • Successful Reverse DNS Query by Instance ID
  • Successful Reverse DNS Query by Query Name
  • Total Hits from Threat Intel Source
  • Threats Over Time
  • Threat Outlier
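The Query Logging Overview, Resolver DNS Firewall and Security Detail dashboards above all derive their signals from the same Route 53 Resolver query log records: label entropy and query-name length for DGA and DNS-exfiltration hunting, PTR lookups that return NXDOMAIN for network footprinting, and the firewall action, rule group and domain list fields for blocked and alerted queries. The following script is an added example, not part of this page or the Sumo Logic app, that reproduces those three computations in plain Python over constructed sample records. The record field names (query_name, query_type, rcode, srcaddr, srcids.instance, vpc_id, firewall_rule_action, firewall_rule_group_id, firewall_domain_list_id) are an assumption drawn from the Route 53 Resolver query log JSON format, and every instance, VPC and rule-group ID in the sample is invented; the entropy and length thresholds are illustrative starting points, not values the app uses.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample records, one JSON object per line, shaped like Route 53
# Resolver query log events. Field names are an assumption about that format
# (check them against your own log stream); all IDs and addresses are invented.
SAMPLE_LOGS = """
{"vpc_id":"vpc-0aaa","query_name":"www.example.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaa"}}
{"vpc_id":"vpc-0aaa","query_name":"g4q7zkx2v9mlpr3t8hn6bsj1wydc5fu0.badexample.test.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.11","srcids":{"instance":"i-0bbb"}}
{"vpc_id":"vpc-0aaa","query_name":"3f1a9c0b7e2d4f8a6c5b1e0d9a3f7c2b4e6d8a0c1f3e5b7d.exfil.test.","query_type":"TXT","rcode":"NOERROR","srcaddr":"10.0.1.11","srcids":{"instance":"i-0bbb"}}
{"vpc_id":"vpc-0aaa","query_name":"10.1.0.10.in-addr.arpa.","query_type":"PTR","rcode":"NXDOMAIN","srcaddr":"10.0.1.12","srcids":{"instance":"i-0ccc"}}
{"vpc_id":"vpc-0aaa","query_name":"11.1.0.10.in-addr.arpa.","query_type":"PTR","rcode":"NXDOMAIN","srcaddr":"10.0.1.12","srcids":{"instance":"i-0ccc"}}
{"vpc_id":"vpc-0aaa","query_name":"10.1.0.10.in-addr.arpa.","query_type":"PTR","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaa"}}
{"vpc_id":"vpc-0aaa","query_name":"blocked.badexample.test.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.11","srcids":{"instance":"i-0bbb"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-EXAMPLE1","firewall_domain_list_id":"rslvr-fdl-EXAMPLE1"}
{"vpc_id":"vpc-0aaa","query_name":"alerted.badexample.test.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaa"},"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-EXAMPLE1","firewall_domain_list_id":"rslvr-fdl-EXAMPLE2"}
"""


def parse_logs(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def leftmost_label(query_name):
    """The leftmost DNS label, where DGA and exfiltration payloads usually sit."""
    return query_name.rstrip(".").split(".")[0]


def score_query_names(records, entropy_threshold=4.0, length_threshold=50):
    """Flag names whose leftmost label is high-entropy or whose full name is long.

    Thresholds are illustrative (assumption); tune them on your own baseline.
    """
    results = []
    for rec in records:
        name = rec["query_name"].rstrip(".")
        ent = shannon_entropy(leftmost_label(name))
        reasons = []
        if ent >= entropy_threshold:
            reasons.append("high_entropy")
        if len(name) >= length_threshold:
            reasons.append("long_name")
        results.append({
            "query_name": name,
            "instance": rec.get("srcids", {}).get("instance"),
            "entropy": round(ent, 3),
            "length": len(name),
            "reasons": reasons,
        })
    return results


def reverse_dns_by_instance(records):
    """Count PTR lookups per instance, split into NXDOMAIN and successful answers.

    A burst of NXDOMAIN PTR lookups from one instance is the footprinting
    pattern the Security Detail dashboard's reverse-DNS panels surface.
    """
    out = defaultdict(lambda: {"nxdomain": 0, "success": 0})
    for rec in records:
        if rec.get("query_type") != "PTR" or not rec["query_name"].endswith("in-addr.arpa."):
            continue
        inst = rec.get("srcids", {}).get("instance", "unknown")
        key = "nxdomain" if rec.get("rcode") == "NXDOMAIN" else "success"
        out[inst][key] += 1
    return dict(out)


def firewall_actions(records):
    """Count BLOCK/ALERT decisions keyed by (action, rule group ID, domain list ID)."""
    counts = Counter()
    for rec in records:
        action = rec.get("firewall_rule_action")
        if action in ("BLOCK", "ALERT"):
            counts[(action, rec.get("firewall_rule_group_id"),
                    rec.get("firewall_domain_list_id"))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for row in sorted(score_query_names(recs), key=lambda r: -r["entropy"]):
        if row["reasons"]:
            print("suspicious:", row)
    print("reverse DNS by instance:", reverse_dns_by_instance(recs))
    for key, n in firewall_actions(recs).items():
        print("firewall:", key, n)
```

Entropy is measured on the leftmost label rather than the whole name because a long, legitimate hostname such as a CDN host can score higher overall than a short random label; the full name length is checked separately since exfiltration tools pad the name regardless of which label carries the payload. On the sample above the 32-character label with all-distinct characters scores exactly 5.0 bits, the 48-character hex label is caught by length alone, and instance i-0ccc stands out with two NXDOMAIN PTR lookups and no successful ones.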

Threat Intel Dashboard

The Threat Intel Dashboard provides details of AWS DNS Resolver queries that match known malicious IP addresses and domains in the built-in CrowdStrike threat intelligence data. This enables real-time security analytics to help detect threats in your environment and protect against cyber attacks.

[Image: Amazon Route 53 Resolver Security - Threat Intel dashboard]

Panels include:

  • Threat Count
  • Threat by Malicious Confidence
  • Threat by Actor
  • Threats by Instance ID
  • Threats Over Time
  • Threats Over Time by Instance ID
  • Threat Table
  • Malicious URIs
  • Malicious IPs