
Collect Logs for Amazon GuardDuty

Steps to collect logs for Amazon GuardDuty.


Add a Hosted Collector and HTTP Source

  1. In Sumo Logic, configure a Hosted Collector.
  2. In Sumo Logic, configure an HTTP Source.

Sumo Logic provides a Lambda function for use with Amazon Web Services (AWS). It collects AWS Lambda logs from CloudWatch Logs and extracts and adds a RequestId field to each log line to make correlation easier.

To add an Amazon Lambda function:

  1. Sign into the AWS Management Console.
  2. Click Lambda in the Compute section.
  3. On the AWS Lambda page, click Create a Function.
  4. On the Blueprints page, select Author from Scratch.
  5. In the Basic information section:
    • Name. Enter a name for the function.
    • Role. Choose one of the following options:
      • Choose an existing role. If you have any appropriate roles, you can select one.
      • Create new role from template(s). If you select this option, you can continue without choosing any policy templates—it will create a role with basic Lambda execution privileges by default.
    • Role Name. Enter a name for the role.
    • Policy templates. If you selected Create new role from template(s) above, you can leave this blank.
    Click Create Function.
  6. For the Function Code, use the code from this GitHub link.
  7. On the Environment Variables page, create an environment variable named SUMO_ENDPOINT. Set the value of the variable to the URL of the HTTP source to which your logs will be sent.
    In addition, you can set any of the following optional variables:
    • ENCODING (Optional). Encoding to use when decoding CloudWatch log events. Default is utf-8.
    • SOURCE_CATEGORY_OVERRIDE (Optional). Override _sourceCategory value configured for the HTTP source.
    • SOURCE_HOST_OVERRIDE (Optional). Override _sourceHost value configured for the HTTP source.
    • SOURCE_NAME_OVERRIDE (Optional). Override _sourceName value configured for the HTTP source.

Create a CloudWatch Events Rule and Target for GuardDuty

This procedure provides the steps to create a rule that enables CloudWatch to send events for all findings that GuardDuty generates, and to add the above AWS Lambda function as a target for the rule.

To create a rule and target:

  1. To create a rule that enables CloudWatch to send events for all findings that GuardDuty generates, run the following CloudWatch CLI command: 

    aws events put-rule --name Test --event-pattern '{"source":["aws.guardduty"]}' 


  2. To attach the Lambda function that you created in the previous section as a target for the rule that you created in step 1, run the following CloudWatch CLI command: 

    aws events put-targets --rule Test --targets Id=1,Arn=arn:aws:lambda:us-east-1:111122223333:function:CWEFindingPublisherTest


    Here, use the ARN of the AWS Lambda function that you created in the previous section.

  3. To add the permissions required to invoke the target, run the following Lambda CLI command:

    aws lambda add-permission --function-name CWEFindingPublisherTest --statement-id 1 --action 'lambda:InvokeFunction' --principal events.amazonaws.com

    Here, use the name of the function that you created in the previous section in place of CWEFindingPublisherTest. To limit which rule may invoke the function, you can also pass --source-arn with the ARN of the rule created in step 1.

Sample Log Message


{
   "schemaVersion":"2.0",
   "accountId":"012345678910",
   "region":"us-east-1",
   "partition":"aws",
   "id":"38af75470eced5f1c6e4ee9895961baa",
   "arn":"arn:aws:guardduty:us-east-1:012345678910:detector/aaaf7420746be13be119afd94e417684/finding/38af75470eced5f1c6e4ee9895961baa",
   "type":"Recon:EC2/PortProbeUnprotectedPort",
   "resource":{
      "resourceType":"Instance",
      "instanceDetails":{
         "imageId":"ami-06db9a11",
         "instanceId":"i-0d6c314027f74dc82",
         "instanceType":"m4.xlarge",
         "launchTime":1481719450000,
         "platform":null,
         "productCodes":[],
         "iamInstanceProfile":{
            "arn":"arn:aws:iam::012345678910:instance-profile/nodes.k8s.travellogic.info",
            "id":"AIPAJQDPNZCGEVVUZ4FEW"
         },
         "networkInterfaces":[
            {
               "ipv6Addresses":[],
               "privateDnsName":"ip-172-20-45-123.ec2.internal",
               "privateIpAddress":"172.20.45.123",
               "privateIpAddresses":[
                  {
                     "privateDnsName":"ip-172-20-45-123.ec2.internal",
                     "privateIpAddress":"172.20.45.123"
                  }
               ],
               "subnetId":"subnet-1637825f",
               "vpcId":"vpc-c9c4f0ae",
               "securityGroups":[
                  {
                     "groupName":"nodes.k8s.travellogic.info",
                     "groupId":"sg-67e3bb1d"
                  }
               ],
               "publicDnsName":"ec2-54-89-171-133.compute-1.amazonaws.com",
               "publicIp":"54.89.171.133"
            }
         ],
         "tags":[
            {
               "key":"KubernetesCluster",
               "value":"k8s.travellogic.info"
            },
            {
               "key":"Name",
               "value":"nodes.k8s.travellogic.info"
            },
            {
               "key":"k8s.io/role/node",
               "value":"1"
            },
            {
               "key":"aws:autoscaling:groupName",
               "value":"nodes.k8s.travellogic.info"
            }
         ],
         "instanceState":"running",
         "availabilityZone":"us-east-1a"
      }
   },
   "service":{
      "serviceName":"guardduty",
      "detectorId":"aaaf7420746be13be119afd94e417684",
      "action":{
         "actionType":"NETWORK_CONNECTION",
         "networkConnectionAction":{
            "connectionDirection":"INBOUND",
            "remoteIpDetails":{
               "ipAddressV4":"180.70.170.34",
               "organization":{
                  "asn":9318,
                  "asnOrg":"SK Broadband Co Ltd",
                  "isp":"SK Broadband",
                  "org":"SK Broadband"
               },
               "country":{
                  "countryCode":"KR",
                  "countryName":"South Korea"
               },
               "city":{
                  "cityName":"Uijeongbu-si"
               },
               "geoLocation":{
                  "lat":37.7415,
                  "lon":127.0474
               }
            },
            "remotePortDetails":{
               "port":59740,
               "portName":"Unknown"
            },
            "localPortDetails":{
               "port":22,
               "portName":"SSH"
            },
            "protocol":"TCP",
            "blocked":false
         }
      },
      "resourceRole":"TARGET",
      "additionalInfo":{
         "additionalPorts":[
            22
         ]
      },
      "eventFirstSeen":"2017-11-01T21:31:05.542+0000",
      "eventLastSeen":"2017-11-01T21:31:05.542+0000",
      "archived":false,
      "count":743
   },
   "severity":2,
   "createdAt":"2017-11-01T21:31:05.542+0000",
   "updatedAt":"2017-11-01T21:31:05.542+0000",
   "title":"Unprotected port in EC2 Instance i-0d6c314027f74dc82 is being probed.",
   "description":"EC2 Instance i-0d6c314027f74dc82 has an unprotected port 22 which is being probed by a known malicious host with IP address 180.70.170.34."
}

Query Sample

Threat details

_sourceCategory=aws/guardduty
| json field=_raw "accountId", "region", "partition", "id", "arn", "type","service.serviceName","service.detectorId","service.action","severity","title","description" nodrop
| json field=_raw "resource.resourceType" as resourceType nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.ipAddressV4" as ip nodrop
| json field=%service.action "networkConnectionAction.localPortDetails.port" as localPort nodrop
| parse "\"vpcId\": \"*\"" as vpcId, "\"subnetId\": \"*\"" as subnetId,"\"groupId\": \"*\"" as securityGroupId,"\"tags\": [*]" as tags,"\"groupName\": \"*\"" as securityGroupName nodrop
| json field=_raw "resource.instanceDetails.instanceId" as instanceid nodrop
| if(severity=2, "Low", if(severity=5, "Medium", if(severity=8, "High",severity))) as severity
| if(!isNull(instanceid),concat ("https://",region,".console.aws.amazon.com/ec2/v2/home?region=",region,"#Instances:search=",instanceid),"") as link
| json field=%service.action "networkConnectionAction.remoteIpDetails.geoLocation.lon" as longitude nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.geoLocation.lat" as latitude nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.organization.asnOrg" as asnOrg nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.organization.org" as organization nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.organization.isp" as isp nodrop
| count as count by title, accountId, resourceType, organization, isp, ip, link
| sort count
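The extraction the query above performs, as an added Python example that is not part of the Sumo Logic page or of Sumo's Lambda function: it pulls the same fields out of a raw finding, builds the same EC2 console link, and labels severity. It goes beyond the query in one respect: the query's if() chain labels only the exact values 2, 5 and 8, whereas this example uses GuardDuty's severity bands (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9), so a finding with severity 4.5 is labelled Medium instead of passing through as a bare number. The embedded sample finding is constructed from the page's sample log message.

```python
import json

# Constructed sample with the shape of the page's GuardDuty finding,
# trimmed to the fields the query uses (illustrative values only).
SAMPLE_FINDING = json.dumps({
    "accountId": "012345678910", "region": "us-east-1", "severity": 2,
    "title": "Unprotected port in EC2 Instance i-0d6c314027f74dc82 is being probed.",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0d6c314027f74dc82"}},
    "service": {"action": {"networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": "180.70.170.34", "organization": {"org": "SK Broadband"}},
        "localPortDetails": {"port": 22}}}},
})

def severity_label(severity: float) -> str:
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9; others unchanged."""
    for label, low, high in (("Low", 1.0, 4.0), ("Medium", 4.0, 7.0), ("High", 7.0, 9.0)):
        if low <= severity < high:
            return label
    return str(severity)

def console_link(region: str, instance_id) -> str:
    """Same EC2 console URL the query builds with concat(); empty without an instance."""
    if not instance_id:
        return ""
    return (f"https://{region}.console.aws.amazon.com/ec2/v2/home"
            f"?region={region}#Instances:search={instance_id}")

def dig(obj, path: str):
    """Walk a dotted JSON path; a missing key yields None (like the query's nodrop)."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def summarize_finding(raw: str) -> dict:
    """Extract the fields the 'Threat details' query groups by from one raw finding."""
    f = json.loads(raw)
    net = "service.action.networkConnectionAction."
    return {
        "title": f.get("title"), "accountId": f.get("accountId"),
        "severity": severity_label(f.get("severity", 0)),
        "resourceType": dig(f, "resource.resourceType"),
        "ip": dig(f, net + "remoteIpDetails.ipAddressV4"),
        "localPort": dig(f, net + "localPortDetails.port"),
        "organization": dig(f, net + "remoteIpDetails.organization.org"),
        "link": console_link(f.get("region", ""), dig(f, "resource.instanceDetails.instanceId")),
    }
```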