This page provides instructions for installing the GI CloudTrail App, along with descriptions and examples of each of the dashboards.
- This application relies on 45 Scheduled Searches that Save to 2 different Indexes and 1 Lookup Table. As a result, they will consume the related quotas for your account.
- Global Intelligence baselines are computed by aggregating data for a given customer across all source categories defined for AWS CloudTrail. As a result, to enable meaningful comparison, the app must be given all source categories associated with AWS CloudTrail in your Sumo Logic account. Follow the instructions on the Custom Data Filters page to set up your app with custom data filters, specifying multiple source categories for AWS CloudTrail.
- This app relies on scheduled searches that save to an index in order to update AWS CloudTrail events periodically. When you first install the app, these searches will take 24 hours to accumulate sufficient data for meaningful comparisons over a 24 hour duration. As a result, it is important that you wait for at least 24 hours after the app installation before using the insights from the app dashboards.
- Initially when the app is installed, the dashboards will have empty panels until the scheduled searches have run and the indices are populated.
- This app does not support filters.
- Do not modify the 24 hour time range in the dashboards as the benchmark data and comparisons are based on a prior 24 hour comparison only.
- Do not modify the schedule and time range of the scheduled searches.
- Do not modify the lookups in the dashboard search queries.
- The panel “Summary of Notable Events and Recommended Actions” on the dashboard “04 Action Plan” will not work until the scheduled search “Event Priority computation” populates the required lookup.
- The "infer" operator is not intended for direct customer use - modifying the queries will result in unexpected / incorrect results.
- For links to the CloudTrail events in the Action Plan dashboard watchlists to work, please make sure to set your Sumo Logic Region Code by clicking on the dashboard filter icon.
The infer operator is not intended for use outside of Sumo Logic Global Intelligence apps.
Installing the App
Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.
To install the app, do the following:
- From the App Catalog, search for and select the app.
- To install the app, click Add to Library and complete the following fields.
- App Name. You can retain the existing name, or enter a name of your choice for the app.
- Data Source. Select either of these options for the data source.
- Choose Source Category, and select a source category from the list.
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).
- Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
This section provides descriptions and examples of the Global Intelligence for AWS CloudTrail App dashboards.
GI CloudTrail - 01 Attack Surface Benchmark
GI CloudTrail - 01 Attack Surface Benchmark dashboard provides insights into the volume, variety, and velocity of the AWS infrastructure that are correlated with greater breach risks. The number of distinct AWS services in use measures variety, the number of distinct AWS resources measures volume, and the number of CloudTrail events measures velocity. The volume dimension only counts resources from the 7 services listed below, while the variety dimension includes all services referenced in your AWS CloudTrail data. These factors are also used to cohort customers into peer groups. Configuration changes are baselined by peer group so that a company's configuration changes, and their related breach risks, can be compared against its peers.
Use this dashboard to understand how your company compares to peers with respect to the following:
- Variety: Number of distinct services in use among EC2, S3, KMS, IAM, Lambda, Redshift and RDS
- Volume: Number of unique AWS resources within each service
- Velocity: The number of create, update, or delete events across all resources within the company
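The three dimensions above can be derived directly from raw CloudTrail records. The following is an added example, not a query or code from the Global Intelligence app; it computes variety, volume and velocity over a handful of constructed CloudTrail records in Python. The event-name verb list used to decide what counts as a create, update or delete event, and the requestParameters keys used to identify a resource, are assumptions for illustration; the app's own scheduled searches are not shown on this page.

```python
"""Derive the attack-surface dimensions (variety, volume, velocity)
from AWS CloudTrail records. Added example; not the app's own logic."""
import json
from collections import defaultdict

# The seven services the dashboard's volume dimension counts (from the page).
TRACKED_SERVICES = {"ec2", "s3", "kms", "iam", "lambda", "redshift", "rds"}

# Assumption: an event is a create/update/delete (configuration change) when
# its eventName starts with one of these API verbs.
CHANGE_PREFIXES = ("Create", "Put", "Update", "Modify", "Delete", "Remove",
                   "Attach", "Detach", "Authorize", "Revoke")

# Assumption: these requestParameters keys name the resource an event touches.
RESOURCE_KEYS = ("bucketName", "instanceId", "functionName", "userName",
                 "roleName", "dBInstanceIdentifier", "clusterIdentifier",
                 "keyId", "groupId")


def service_of(record):
    """eventSource is e.g. 'ec2.amazonaws.com'; the service is its first label."""
    return record.get("eventSource", "").split(".")[0]


def resource_ids(record):
    """Collect resource identifiers: ARNs from the 'resources' list when
    CloudTrail supplies them, otherwise well-known requestParameters keys."""
    ids = {r["ARN"] for r in record.get("resources", []) if r.get("ARN")}
    params = record.get("requestParameters") or {}
    for key in RESOURCE_KEYS:
        if key in params:
            ids.add(f"{service_of(record)}:{params[key]}")
    return ids


def is_change_event(record):
    return record.get("eventName", "").startswith(CHANGE_PREFIXES)


def attack_surface(records):
    """Return variety (distinct tracked services), volume (unique resources
    per tracked service) and velocity (count of change events)."""
    services_seen = set()
    resources = defaultdict(set)
    velocity = 0
    for rec in records:
        svc = service_of(rec)
        if svc:
            services_seen.add(svc)
        if svc in TRACKED_SERVICES:
            resources[svc] |= resource_ids(rec)
        if is_change_event(rec):
            velocity += 1
    return {
        "variety": len(services_seen & TRACKED_SERVICES),
        "services_seen": sorted(services_seen),
        "volume": {svc: len(ids) for svc, ids in sorted(resources.items())},
        "volume_total": sum(len(ids) for ids in resources.values()),
        "velocity": velocity,
    }


# Constructed sample: one CloudTrail record per line (JSON Lines), trimmed to
# the fields this example reads. Account id and names are placeholders.
SAMPLE_JSONL = """
{"eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","requestParameters":{"groupId":"sg-0123"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","requestParameters":{}}
{"eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy","requestParameters":{"bucketName":"example-bucket"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","requestParameters":{"bucketName":"example-bucket"}}
{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","requestParameters":{"userName":"svc-deploy"}}
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","requestParameters":{"userName":"svc-deploy"}}
{"eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode20150331v2","requestParameters":{"functionName":"ingest"}}
{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","resources":[{"ARN":"arn:aws:iam::123456789012:role/Admin"}]}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_JSONL.strip().splitlines()]

if __name__ == "__main__":
    print(json.dumps(attack_surface(SAMPLE_RECORDS), indent=2))
```

Note how read-only calls (DescribeInstances, GetObject) add nothing to velocity, a second event on the same bucket or user does not inflate volume, and the sts call shows up in services_seen but not in variety because the page's variety count is restricted to the seven tracked services. A real baseline needs all CloudTrail source categories fed to the app, which is why the caveat about custom data filters above matters: a missing source category silently lowers every one of these counts.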
GI CloudTrail - 02 Tactics and Techniques: My Company v. Peers
GI CloudTrail - 02 Tactics and Techniques: My Company v. Peers dashboard uses ATT&CK to organize tactics implied by AWS CloudTrail events that appear in your infrastructure and shows the comparison to other AWS customers in your peer group. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Use this dashboard to:
- Understand how attack tactics & techniques in my company differ from peers.
- Analyze findings organized by the following ATT&CK tactics:
- Credential Access
- Defense Evasion
- Initial Access
- Lateral Movement
- Privilege Escalation
GI CloudTrail - 03 Tactics by Resource Type: My Company v. Peers
GI CloudTrail - 03 Tactics by Resource Type: My Company v. Peers dashboard utilizes ATT&CK tactics implied by AWS CloudTrail events and maps them to the resources they impact. It also presents data for comparing your company's impacted resources against those of your peers.
Use this dashboard to:
- Understand tactics and techniques for my company versus peers.
- Analyze results organized by the following AWS services:
- Amazon EC2: count of compute instances, security groups, route tables and Amazon Machine Images
- Amazon S3: count of buckets
- Amazon RDS: count of database instances, DB security groups
- Amazon Redshift: count of database clusters and parameter groups
- AWS Lambda: count of function names
- AWS IAM: count of IAM users, roles and groups
- AWS CloudTrail: counts of trail instances
- S3 Tactics
GI CloudTrail - 04 Action Plan
GI CloudTrail - 04 Action Plan dashboard identifies the affected resources for every notable event. This data then enables you to create a proactive action plan for your environment.
Use this dashboard to:
- Create an action plan from the findings of Global Intelligence for AWS CloudTrail.
- Implement and then review the progress of the plan.