
Configure Log Collection and Install the GI GuardDuty App

Availability

This feature is available in the following account plans.

Account Type   Account Level
CloudFlex      Trial, Enterprise
Credits        Trial, Enterprise Suite, Enterprise Security

This page explains the log collection process and provides instructions for configuring log collection and installing the GI GuardDuty App.

Process overview

Sumo Logic provides a SAM application that follows the AWS Serverless Application Model (SAM) specification and is published in the AWS Serverless Application Repository. Deploying this SAM application:

  1. Creates a Lambda function and its associated components.
  2. Creates a hosted collector and an HTTP Source in Sumo Logic.
  3. Installs the Sumo Logic GI GuardDuty App.

After completing this process, logs are ingested into Sumo Logic in the following way:

  1. Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated.
  2. A CloudWatch Events rule routes the GuardDuty finding events to the Sumo CloudWatchEventFunction Lambda function.
  3. The Lambda function sends the events to an HTTP source on a Sumo Logic hosted collector.

[Image: AGD_BM_Collection_Overview.png]
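To make step 3 of the overview concrete, here is an added Python example of the kind of forwarding a Lambda function does between a CloudWatch Events rule and a Sumo Logic HTTP Source. It is not the Sumo Logic CloudWatchEventFunction that the SAM app deploys. The envelope fields it checks (source, detail-type, detail) are the ones CloudWatch Events uses for GuardDuty findings; the SUMO_ENDPOINT environment variable, the placeholder endpoint URL and the fake_opener stand-in are assumptions made for this example, and the sample event is constructed from a subset of the page's sample finding.

```python
import json
import os
import urllib.request

# Added example: a minimal CloudWatch Events -> Sumo Logic HTTP Source forwarder.
# This is NOT the Sumo Logic CloudWatchEventFunction deployed by the SAM app;
# it only illustrates step 3 of the process overview.

# Assumption: the HTTP Source URL is supplied through this environment variable.
# The URL is a write credential for the source, so it must never be logged or echoed.
SUMO_ENDPOINT_ENV = "SUMO_ENDPOINT"

# Envelope values CloudWatch Events uses for GuardDuty findings.
GUARDDUTY_SOURCE = "aws.guardduty"
GUARDDUTY_DETAIL_TYPE = "GuardDuty Finding"

# Constructed sample event; `detail` is a trimmed copy of the page's sample finding.
SAMPLE_EVENT = {
    "version": "0",
    "source": GUARDDUTY_SOURCE,
    "detail-type": GUARDDUTY_DETAIL_TYPE,
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "656575676767",
        "region": "us-east-1",
        "id": "1cb6b9059fa3c8cbb682a9a2501bfb13",
        "type": "Trojan:EC2/BlackholeTraffic",
        "severity": 5,
    },
}


def extract_finding(event):
    """Return the finding carried in event["detail"], or None if the event is not a
    GuardDuty finding. Rejecting other event types means a rule that is scoped too
    widely cannot push unrelated CloudWatch events into the source."""
    if event.get("source") != GUARDDUTY_SOURCE:
        return None
    if event.get("detail-type") != GUARDDUTY_DETAIL_TYPE:
        return None
    detail = event.get("detail")
    if not isinstance(detail, dict) or "type" not in detail:
        return None
    return detail


def post_to_sumo(body, endpoint, opener=urllib.request.urlopen):
    """POST one JSON document to the HTTP Source and return the HTTP status code."""
    request = urllib.request.Request(
        endpoint,
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(request, timeout=10) as response:
        return response.status


def lambda_handler(event, context=None, endpoint=None, opener=urllib.request.urlopen):
    """Lambda entry point. `endpoint` and `opener` default to the environment
    variable and a real HTTPS call; the offline demo below overrides both."""
    endpoint = endpoint or os.environ.get(SUMO_ENDPOINT_ENV)
    if not endpoint:
        raise RuntimeError(f"{SUMO_ENDPOINT_ENV} is not set")
    finding = extract_finding(event)
    if finding is None:
        return {"forwarded": False, "reason": "not a GuardDuty finding"}
    body = json.dumps(finding, separators=(",", ":"))
    status = post_to_sumo(body, endpoint, opener)
    # Report the finding id only; never the endpoint URL or the full body.
    return {"forwarded": True, "status": status, "finding_id": finding.get("id")}


# Offline stand-in for urllib.request.urlopen so the example runs without network.
FAKE_SENT = []


class _FakeResponse:
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(request, timeout=10):
    FAKE_SENT.append(request.data.decode("utf-8"))
    return _FakeResponse()


if __name__ == "__main__":
    result = lambda_handler(
        SAMPLE_EVENT,
        endpoint="https://endpoint.example/receiver/v1/http/PLACEHOLDER",  # placeholder, not a real source URL
        opener=fake_opener,
    )
    print(result)
```

Only the `detail` object is forwarded, because that is the document the dashboards query (accountId, type, severity and so on); the CloudWatch envelope would otherwise nest every field one level deeper than the queries on this page expect.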

Configure collection and deploy the App

This section shows you how to generate an access key and access ID for log collection, and then how to deploy the Amazon GuardDuty Benchmark App.

Step 1: Generate an Access Key and Access ID

In this step, you generate an access key and access ID from the Sumo Logic console.

To generate an access key and access ID, do the following:

  1. Follow the instructions as described in this Sumo Logic Access Key document.
  2. Copy down both values; you'll need them to deploy the Sumo Logic GuardDuty Benchmark SAM App.

[Image: AGD_BM_Access_Keys_dialog.png]

Step 2: Deploy the Sumo Logic GI GuardDuty SAM App

In this step, you deploy the SAM application, which creates the AWS resources described in the process overview.

To deploy the Sumo Logic GuardDuty Benchmark SAM App, do the following:

  1. Go to https://serverlessrepo.aws.amazon.com/applications.
  2. Search for sumologic-guardduty-benchmark and click the app link when it appears.

[Image: AGD_BM_Deploy_Benchmark_App_dialog.png]

  3. When the page for the Sumo app appears, click Deploy.

[Image: AGD_BM_Deploy_App_dialog.png]

  4. In the Configure application parameters panel, enter the following parameters:
    1. Access ID (required): the Sumo Logic Access ID generated in Step 1.
    2. Access Key (required): the Sumo Logic Access Key generated in Step 1.
    3. Deployment Name (required): a deployment name (an environment name in lower case, as per the docs).
    4. Collector Name: the name of the Hosted Collector that will be created in Sumo Logic.
    5. Source Name: the name of the HTTP Source that will be created within the collector.
    6. Source Category Name: the name of the Source Category that you will use when writing search queries.

[Image: AGD_BM_App-Settings_dialog.png]

  5. Click Deploy.
  6. When the deployment is successful, click View CloudFormation Stack.

[Image: AGD_BM_Deployment-status_dialog.png]

  7. In the Outputs section, copy the app folder name and use it to search your personal folder in the Sumo Logic console.

[Image: AGD_BM_Outputs_dialog.png]

Sample log message

{
  "schemaVersion": "2.0",
  "accountId": "656575676767",
  "region": "us-east-1",
  "partition": "aws",
  "id": "1cb6b9059fa3c8cbb682a9a2501bfb13",
  "arn": "arn:aws:guardduty:us-east-1:656575676767:detector/46554yhtu78yuhh5676777787hy06767/finding/1cb6b9059fa3c8cbb682a9a2501bfb13",
  "type": "Trojan:EC2/BlackholeTraffic",
  "resource": {
    "resourceType": "Instance",
    "instanceDetails": {
      "instanceId": "i-99999999",
      "instanceType": "m3.xlarge",
      "launchTime": "2016-08-02T02:05:06Z",
      "platform": null,
      "productCodes": [
        {
          "productCodeId": "GeneratedFindingProductCodeId",
          "productCodeType": "GeneratedFindingProductCodeType"
        }
      ],
      "iamInstanceProfile": {
        "arn": "GeneratedFindingInstanceProfileArn",
        "id": "GeneratedFindingInstanceProfileId"
      },
      "networkInterfaces": [
        {
          "networkInterfaceId": "eni-bfcffe88",
          "privateIpAddresses": [
            {
              "privateDnsName": "GeneratedFindingPrivateName",
              "privateIpAddress": "10.0.0.1"
            }
          ],
          "subnetId": "GeneratedFindingSubnetId",
          "vpcId": "GeneratedFindingVPCId",
          "privateDnsName": "GeneratedFindingPrivateDnsName",
          "securityGroups": [
            {
              "groupName": "GeneratedFindingSecurityGroupName",
              "groupId": "GeneratedFindingSecurityId"
            }
          ],
          "publicIp": "198.51.100.0",
          "ipv6Addresses": [],
          "publicDnsName": "GeneratedFindingPublicDNSName",
          "privateIpAddress": "10.0.0.1"
        }
      ],
      "tags": [
        {
          "value": "GeneratedFindingInstaceValue1",
          "key": "GeneratedFindingInstaceTag1"
        },
        {
          "value": "GeneratedFindingInstaceTagValue2",
          "key": "GeneratedFindingInstaceTag2"
        }
      ]
    }
  }
}
Query sample

The following query is from the threat score trend line in the GI GuardDuty: Your Company v. Global Baseline dashboard.

_sourceCategory=GIS/test/guardduty
| json "accountId", "arn", "type","service.detectorId","service.action","severity","title","description","region" nodrop
| json "type", "severity"
| parse field=type "*:*/*" as threatpurpose, resource, threatname
| toInt(severity) as severity
| count by resource, threatname, severity
| infer _category=guardduty _model=trendline n=7
| (100.0 - (round(score * 10000) / 100)) as score
// Convert to time chart
| _timestamp as _timeslice
| fields - _timestamp
| max(score) as score by _timeslice
| sort by _timeslice asc
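As an added Python illustration of what the `json`, `parse`, `toInt` and `count by` stages of the query above do (this is not part of the Sumo Logic app or of the original page): the same `*:*/*` split is applied to GuardDuty finding types and the rows are aggregated the same way. GuardDuty finding types follow the form ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, which is why the split yields the threat purpose, the affected resource type and the remaining threat name. The findings list is constructed; the `infer` stage is a Sumo Logic model and is not reproduced, only the final score conversion is. The regular expression approximates the glob parse and is an assumption of this example.

```python
import re
from collections import Counter

# Constructed findings carrying only the fields the query reads (not page data).
# Types follow ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact;
# the last entry is deliberately malformed to show what the parse stage drops.
SAMPLE_FINDINGS = [
    {"accountId": "656575676767", "region": "us-east-1", "type": "Trojan:EC2/BlackholeTraffic", "severity": 5.0},
    {"accountId": "656575676767", "region": "us-east-1", "type": "Trojan:EC2/BlackholeTraffic", "severity": 5.0},
    {"accountId": "656575676767", "region": "us-west-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0},
    {"accountId": "656575676767", "region": "us-east-1", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0},
    {"accountId": "656575676767", "region": "us-east-1", "type": "malformed-type", "severity": 5.0},
]

# Approximation (assumed for this example) of the glob pattern "*:*/*":
# first wildcard up to the colon, second up to the slash, third takes the rest.
TYPE_PATTERN = re.compile(r"^([^:]+):([^/]+)/(.+)$")


def parse_finding_type(finding_type):
    """Mirror of `parse field=type "*:*/*" as threatpurpose, resource, threatname`.
    Returns (threatpurpose, resource, threatname), or None when the type does not
    match; a Sumo `parse` without `nodrop` drops such rows."""
    match = TYPE_PATTERN.match(finding_type)
    if match is None:
        return None
    return match.groups()


def count_by_resource_threat_severity(findings):
    """Mirror of `toInt(severity) as severity | count by resource, threatname, severity`.
    Returns {(resource, threatname, severity_int): count}."""
    counts = Counter()
    for finding in findings:
        parsed = parse_finding_type(finding.get("type", ""))
        if parsed is None:
            continue  # row dropped by the parse stage
        _threatpurpose, resource, threatname = parsed
        counts[(resource, threatname, int(finding["severity"]))] += 1
    return dict(counts)


def to_percent_score(score):
    """Mirror of `(100.0 - (round(score * 10000) / 100)) as score`: turns the
    0..1 model output into a 0..100 figure with two decimals, inverted so that
    a higher value means a worse threat score on the trend line."""
    return 100.0 - (round(score * 10000) / 100)


if __name__ == "__main__":
    for key, count in sorted(count_by_resource_threat_severity(SAMPLE_FINDINGS).items()):
        print(key, count)
    print(to_percent_score(0.25))
```

The second `json "type", "severity"` line in the query re-extracts two fields the first `json` already produced; it is harmless, but it is the `nodrop` on the first line that keeps findings missing any of the listed fields in the result set, which matters if a dashboard should also count findings with an unusual shape.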