Skip to main content

AWS GuardDuty - Cloud SIEM

This section has instructions for collecting AWS GuardDuty log messages and sending them to Sumo Logic to be ingested by CSE.

Step 1: Configure collection

In this step, you configure an HTTP Source to collect AWS GuardDuty log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure an HTTP Source below. Otherwise, create a new collector as described in Configure a Hosted Collector below, and then create the HTTP Source on the collector.

Configure a Hosted Collector

  1. In the Sumo Logic platform, select Manage Data > Collection > Collection.
  2. Click Add Collector.
  3. Click Hosted Collector.
  4. The Add Hosted Collector popup appears.
    Add hosted collector
  5. Name. Provide a Name for the collector.
  6. Description. (Optional)
  7. Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory
  8. Fields
    1. If you are planning that all the sources you add to this collector will forward log messages to CSE, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to CSE.
    2. If all sources in this collector will be AWS VPC Flow sources, add an additional field with key _parser and value /Parsers/System/AWS/GuardDuty.
  9. Click Save.
note

It’s also possible to configure individual sources to forward to CSE, as described in the following section.

Configure an HTTP Source

  1. In Sumo Logic, select Manage Data > Collection > Collection
  2. Navigate to the Hosted Collector where you want to create the source.
  3. On the Collectors page, click Add Source next to a Hosted Collector.
  4. Select HTTP Logs & Metrics
  5. The page refreshes.
    HTTP logs and metrics
  6. Name. Enter a name for the source. 
  7. Description. (Optional) 
  8. Source Host. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called _sourceHost.
  9. Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory.
  10. SIEM Processing. Click the checkbox to configure the source to forward log messages to CSE.
  11. Fields. If you are not parsing all sources in the hosted collector with the same parser, +Add Field named _parser with value /Parsers/System/AWS/GuardDuty.
  12. Advanced Options for Logs.
    1. Specify Format as yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
    2. Specify Timestamp locator as *.*"updatedAt":"(.*)".**
      Timestamp format
  13. Click Save.
  14. Make a note of the HTTP Source URL that is displayed. You’ll supply it in Step 2 below.

Step 2: Deploy Sumo Logic GuardDuty events processor

In this step, you deploy the events processor. This will create the AWS resources described in the Collection overview section of the Collect Logs for the Amazon GuardDuty App topic.

  1. Go to https://serverlessrepo.aws.amazon.com/application.
  2. Search for “sumologic-guardduty-events-processor”.
    AWS repo
  3. When the page for the Sumo app appears, click Deploy.
    AWS deploy
  4. In  the Configure application parameters popup, paste the URL for the HTTP source you created above.
    Configure app parameters
  5. Click Deploy.

Step 3: Configure optional environment variables

  1. Go to the AWS Lambda console.
  2. Search for the "aws-serverless-repository-CloudWatchEventFunction-\<suffix>" function and click it.
  3. Scroll down to the Environment variables section.
    Environment variables You can set any of the following optional variables:
    • ENCODING (Optional). Encoding to use when decoding CloudWatch log events. Default is utf-8.
    • SOURCE_CATEGORY_OVERRIDE (Optional). Override the _sourceCategory value configured for the HTTP source.
    • SOURCE_HOST_OVERRIDE (Optional). Override the _sourceHost value configured for the HTTP source.
    • SOURCE_NAME_OVERRIDE (Optional). Override the _sourceName value configured for the HTTP source.

Step 4: Verify ingestion

In this step, you verify that your logs are successfully making it into CSE. 

  1. Click the gear icon at the top of the CSE UI, and select Log Mappings under Incoming Data.
    Log Mapping link
  2. On the Log Mappings page search for "GuardDuty" and check under Record Volume.
    GuardDuty record volume
  3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for GuardDuty security records..
    GuardDuty search
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.