Sumo Logic

Install the Amazon GuardDuty App and view the Dashboards

Install the Sumo Logic App

Now that you have set up collection for Amazon GuardDuty, install the Sumo Logic App to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage.

To install the app:

  1. Select App Catalog, search for and select the app, and click Add to Library. 
  2. Click Preview Dashboards if you'd like to see a preview of the dashboards included with the app before installing.
  3. In the Install Application dialog box, select the installation path (the default is the Personal folder in the library), or click New Folder to add a new folder.
  4. Select either of these options for the log data source.
  • Choose Select from Existing Source Categories, and select the Source Category from list.
  • Choose Enter a Custom Data Filter and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).
  5. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.

Panels start to fill automatically, but each panel only shows data that matches its query and that was received after the panel was created. Results are therefore not available immediately; after some time you will see full graphs and maps.

Dashboards

Amazon GuardDuty - Overview

See the overview of GuardDuty threats including the severity, threat purpose, resource type, threat name, account ID, and region.

Overview.png

GuardDuty Threat Map. See the count of threats on a world map in the last 24 hours.

High Severity Threats Table. See the details of high severity threats in the last 24 hours including the time, account ID, region, resource type, description, and link, displayed in a table.

Severity Trend. See the trend of the various severity levels in the last 24 hours on an area chart.

Threats by ThreatPurpose, ResourceType, ThreatName. See the details of threats in the last 24 hours including the threat purpose, resource type, threat name, and count displayed in a table.

Threats by IP. See the count of threats by IP addresses in the last 24 hours on a pie chart.

Severity and AccountID. See the count of severity levels in the last 24 hours by Account ID on a bar chart.

Severity and Region. See the count of severity levels in the last 24 hours by region on a bar chart.

Severity and ResourceType. See the count of severity levels in the last 24 hours by resource type on a bar chart.

Amazon GuardDuty - CloudTrail Details

See the details of GuardDuty CloudTrail threats including the count, title, the trend, and action type.

CloudTrailDetails.png

CloudTrail Threats. See the count of CloudTrail threats in the last 24 hours.

CloudTrail Threats by Title Trend. See the count of CloudTrail threats by title in the last 24 hours on a pie chart.

CloudTrail Threats by Title Trend. See the trend of CloudTrail threats by title in the last 24 hours on a column chart.

CloudTrail Threats by Title Trend. See the details of CloudTrail threats by title in the last 24 hours including the threat purpose, resource type, threat name, access key ID, user name, and count, displayed in a table.

CloudTrail Threats by Title, ActionType. See the details of CloudTrail threats in the last 24 hours including the account ID, region, title, access key ID, principal ID, action type, severity, and count, displayed in a table.

Amazon GuardDuty - Details

See the GuardDuty threat details including the count, account-region trend, threat purpose, severity, resource type, and security group.

Details.png

Outliers - All Threats. See the outliers in all threats in the last 24 hours on a line chart.

Threat Count by Account-Region Trend. See the trend of the count of threats by account-region in the last 24 hours on a column chart.

Threat Details Summary Table. See the details of threats in the last 24 hours including the title, account ID, resource type, organization, ISP, IP, link, and count, displayed in a table.

Threats by ThreatPurpose, Severity. See the count of threats in the last 24 hours by the severity and purpose on a bar chart.

Threats by ResourceType. See the count and percentage of threats in the last 24 hours by resource type on a pie chart.

Severity by LocalPort. See the count of severity by local port in the last 24 hours on a bar chart.

Threats by SecurityGroup. See the count and percentage of threats in the last 24 hours by security group on a pie chart.

Amazon GuardDuty - VPCs, Subnets, Security Group Details

See the details of GuardDuty threats by VPC, security group, and subnet ID.

VPCsSubnetsSecurityGroupDetails.png

Threat Type by VPC. See the count of threat type by VPC in the last 24 hours displayed on a bar chart.

Threats by SecurityGroup. See the count of threats by security group in the last 24 hours displayed on a pie chart.

Severity Count by SubnetID. See the count of severity in the last 24 hours by Subnet ID on a bar chart.

VPC, Subnet, and Security Group Threat Table. See the details of severity in the last 24 hours including the account ID, severity, region, VPC ID, subnet ID, security group name and ID, threat purpose, resource type, threat name, and count, displayed in a table.
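The panels on the Overview, CloudTrail Details, Details and VPC/Subnet/Security Group dashboards above all group on fields taken from the GuardDuty finding document: the numeric severity is bucketed into a band, the finding type string `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName...` is split into ThreatPurpose, ResourceType and ThreatName, and the remote IP, CloudTrail caller (access key, principal, user name) and VPC/subnet/security-group IDs come from the `service.action` and `resource` subtrees. The following Python is an added example, not part of the Sumo Logic app or its dashboard queries, showing how those dimensions are derived from raw findings and how the dashboard counts are computed. The severity bands follow the ranges GuardDuty documents (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0); that the app's panels use exactly those cut-offs is an assumption. The sample findings, account IDs, IPs and resource IDs are constructed placeholders trimmed to the fields the code uses.

```python
"""Flatten Amazon GuardDuty findings into the dimensions the dashboards group on
(severity band, ThreatPurpose/ResourceType/ThreatName, account, region, remote IP,
CloudTrail caller, VPC/subnet/security group, local port) and aggregate them.
Added example; the findings below are constructed, not real."""
from collections import Counter

# Severity bands as documented by GuardDuty: Low 1.0-3.9, Medium 4.0-6.9,
# High 7.0-8.9, Critical 9.0-10.0. Assumption: the app's severity panels use the same bands.
def severity_label(score):
    score = float(score)
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def parse_finding_type(finding_type):
    """Split a GuardDuty type 'ThreatPurpose:ResourceTypeAffected/ThreatFamilyName...'
    into (ThreatPurpose, ResourceType, ThreatName); everything after '/' is the name."""
    purpose, _, rest = finding_type.partition(":")
    resource_type, _, threat_name = rest.partition("/")
    return purpose, resource_type, threat_name

def flatten(f):
    """Pull the dashboard dimensions out of one finding document."""
    purpose, rtype, tname = parse_finding_type(f["type"])
    res = f.get("resource", {})
    action = f.get("service", {}).get("action", {})
    # The remote IP sits under networkConnectionAction or awsApiCallAction depending on
    # actionType; DNS_REQUEST and PORT_PROBE findings nest it differently and yield None here.
    detail = action.get("networkConnectionAction") or action.get("awsApiCallAction") or {}
    ip = detail.get("remoteIpDetails", {})
    nic = (res.get("instanceDetails", {}).get("networkInterfaces") or [{}])[0]
    key = res.get("accessKeyDetails", {})
    return {
        "accountId": f["accountId"], "region": f["region"], "title": f.get("title"),
        "severity": severity_label(f["severity"]),
        "threatPurpose": purpose, "resourceType": rtype, "threatName": tname,
        "actionType": action.get("actionType"),
        "remoteIp": ip.get("ipAddressV4"), "isp": ip.get("organization", {}).get("isp"),
        "localPort": detail.get("localPortDetails", {}).get("port"),
        "accessKeyId": key.get("accessKeyId"), "principalId": key.get("principalId"),
        "userName": key.get("userName"),
        "vpcId": nic.get("vpcId"), "subnetId": nic.get("subnetId"),
        "securityGroups": [g["groupId"] for g in nic.get("securityGroups", [])],
    }

def summarise(findings):
    """Compute the counts behind the Overview, CloudTrail Details, Details and VPC panels."""
    rows = [flatten(f) for f in findings]
    return {
        "high_severity": [r for r in rows if r["severity"] in ("High", "Critical")],
        "severity_by_account": Counter((r["accountId"], r["severity"]) for r in rows),
        "severity_by_region": Counter((r["region"], r["severity"]) for r in rows),
        "by_purpose_resource_name": Counter(
            (r["threatPurpose"], r["resourceType"], r["threatName"]) for r in rows),
        "by_ip": Counter(r["remoteIp"] for r in rows if r["remoteIp"]),
        "cloudtrail": [r for r in rows if r["actionType"] == "AWS_API_CALL"],
        "severity_by_local_port": Counter(
            (r["localPort"], r["severity"]) for r in rows if r["localPort"]),
        "by_security_group": Counter(g for r in rows for g in r["securityGroups"]),
    }

# Constructed sample findings (trimmed to the fields used above); account IDs,
# IPs and resource IDs are placeholders, not real data.
SAMPLE_FINDINGS = [
    {"accountId": "111122223333", "region": "us-east-1", "severity": 5.0,
     "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "title": "198.51.100.23 is performing SSH brute force attacks against i-0abc.",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"vpcId": "vpc-0a1b", "subnetId": "subnet-0c2d",
          "securityGroups": [{"groupId": "sg-0e3f", "groupName": "web-ssh"}]}]}},
     "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
         "localPortDetails": {"port": 22, "portName": "SSH"},
         "remoteIpDetails": {"ipAddressV4": "198.51.100.23", "organization": {"isp": "ExampleISP"}}}}}},
    {"accountId": "111122223333", "region": "us-east-1", "severity": 8.0,
     "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "title": "i-0abc is querying a domain name associated with a known C&C server.",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"vpcId": "vpc-0a1b", "subnetId": "subnet-0c2d",
          "securityGroups": [{"groupId": "sg-0e3f", "groupName": "web-ssh"}]}]}},
     "service": {"action": {"actionType": "DNS_REQUEST", "dnsRequestAction": {"domain": "bad.example"}}}},
    {"accountId": "444455556666", "region": "us-west-2", "severity": 8.0,
     "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "title": "Credentials created exclusively for i-0abc were used from an external IP address.",
     "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
         "accessKeyId": "ASIAEXAMPLEKEY", "principalId": "AROAEXAMPLEROLE:i-0abc",
         "userName": "i-0abc", "userType": "AssumedRole"}},
     "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
         "api": "GetCallerIdentity", "serviceName": "sts.amazonaws.com",
         "remoteIpDetails": {"ipAddressV4": "198.51.100.23", "organization": {"isp": "ExampleISP"}}}}}},
    {"accountId": "444455556666", "region": "us-west-2", "severity": 2.0,
     "type": "Recon:IAMUser/MaliciousIPCaller",
     "title": "API DescribeInstances was invoked from a known malicious IP address.",
     "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
         "accessKeyId": "AKIAEXAMPLEKEY", "principalId": "AIDAEXAMPLEUSER",
         "userName": "alice", "userType": "IAMUser"}},
     "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
         "api": "DescribeInstances", "serviceName": "ec2.amazonaws.com",
         "remoteIpDetails": {"ipAddressV4": "203.0.113.7", "organization": {"isp": "OtherISP"}}}}}},
]

if __name__ == "__main__":
    for name, value in summarise(SAMPLE_FINDINGS).items():
        print(name, [(r["accountId"], r["title"]) for r in value] if isinstance(value, list) else value)
```

Running the block on the four constructed findings gives two high-severity rows, two findings from 198.51.100.23 (one EC2 brute force and one exfiltrated-credential API call, which is why the Threats by IP panel is worth correlating with the CloudTrail Details table), and both EC2 findings attributed to the same security group. Findings whose `actionType` is DNS_REQUEST or PORT_PROBE carry no remote IP in this flattening, so they are absent from the by-IP count but still appear in the severity and security-group panels.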