
Cloud Infrastructure Security for AWS


Cloud Infrastructure Security for AWS provides a unified view of threats, misconfigurations, and suspicious activity in your AWS infrastructure, spanning multiple AWS accounts and regions. The solution leverages native AWS tools and telemetry to accelerate cloud security outcomes.

Key features of the solution include:

  • Risk overview. See a summary of all resources that pose risks, and get an action plan for addressing the most important areas of concern.
  • Active threats. See threats in resources and AWS API calls.
  • Security control failures. See misconfigurations in your environment that may leave you vulnerable to attackers.
  • Suspicious activity. See activity identified by anomaly detection across users, web interactions, networks, and Identity and Access Management (IAM).

Entities presented in the dashboards are normalized from log sources into AWS Elastic Common Schema (ECS), to provide seamless pivots between dashboards during threat investigations.

Use Sumo Logic’s monitoring to receive alerts from the solution. To see monitors for the solution, go to Manage Data > Monitoring and open the Cloud Infrastructure Security for AWS folder.

Note
  • After initial installation, data collection may be delayed.
  • If you have already installed the Amazon Security Quickstart, collectors may be duplicated to collect from the same sources. To prevent this, use the existing source category for collection.


Log types

Cloud Infrastructure Security for AWS utilizes the following log types:

Sample log messages

{
"eventVersion":"1.01",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDA4XQZKIVURYEOA",
"arn":"arn:aws:iam::95619384238:user/Olaf",
"accountId":"95238468",
"userName":"system"
},
"eventTime":"2017-09-27T20:00:10Z",
"eventSource":"signin.amazonaws.com",
"eventName":"ConsoleLogin",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
"requestParameters":null,
"responseElements":{
"ConsoleLogin":"Failure"
},
"additionalEventData":{
"MobileVersion":"No",
"LoginTo":"https://console.aws.amazon.com/console/home?state\u003dhashArgs%23\u0026isauthcode\u003dtrue",
"MFAUsed":"No"
},
"eventID":"f36c1d07-73cf-4ab8-84b1-04c93ad3aaeb"
}

Sample queries

Failed Console Logins
_sourceCategory=Labs/AWS/CloudTrail ("ConsoleLogin" and "Failed authentication")
| json "eventName","sourceIPAddress","userIdentity.userName","userIdentity.principalId","responseElements.ConsoleLogin","additionalEventData.MFAUsed" ,"eventSource","awsRegion","eventType","eventCategory","userIdentity.type","eventTime","requestParameters.AccessControlPolicy.AccessControlList.Grant[*].Permission","errorCode","userIdentity.accountId","errorMessage" as event.action,server.ip,user.name,user_principal, login_result,mfa_used,event_source,cloud.region,event_type,event_category,user_identity_type,event_time,permission,error_code,cloud.account.id,error_message nodrop
| if(isEmpty(user.name), if(isEmpty(user_principal),"NA",user_principal), user.name) as user.name
// global filters
| where if ("*" = "*", true,user.name matches "*") AND if ("*" = "*", true, cloud.region matches "*") AND if ("*" = "*", true, cloud.account.id matches "*") AND if ("*" = "*", true, server.ip matches "*")
| where (event.action matches "ConsoleLogin" and error_message matches "Failed authentication")
// z-score calculation
| timeslice 3h
| count as eventCount by user.name, event.action, event_source, cloud.account.id, cloud.region, _timeslice
| sort + _timeslice
| rollingstd eventCount as eventCount_std by user.name, event.action, event_source, cloud.account.id, cloud.region
| smooth eventCount as eventCount_mean by user.name, event.action, event_source, cloud.account.id, cloud.region
| eventCount_std + 0.1 as eventCount_std
| (eventCount - eventCount_mean) / eventCount_std as zscore
| sort + _timeslice
| max(zscore) as max_zscore by user.name, event.action, event_source, cloud.account.id, cloud.region
| round(max_zscore, 2) as max_zscore
| where max_zscore > "1"
| sort - max_zscore
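
The z-score steps of the query above, re-implemented in Python as an added example (not Sumo Logic's code) so the scoring can be checked by hand on a small data set. It assumes a trailing window of 10 slices and a population standard deviation for `smooth` and `rollingstd`, and it omits the constant `event.action` from the grouping key; the events and the `make_events` helper are constructed for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

SLICE_SECONDS = 3 * 3600  # | timeslice 3h
WINDOW = 10               # assumed trailing window for smooth / rollingstd
STD_OFFSET = 0.1          # | eventCount_std + 0.1 (avoids division by zero)
THRESHOLD = 1.0           # | where max_zscore > 1


def failed_login_key(raw):
    """Return (user, event source, account, region) for a failed ConsoleLogin, else None."""
    ev = json.loads(raw)
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("errorMessage") != "Failed authentication":
        return None
    ident = ev.get("userIdentity") or {}
    # Same fallback as the query: userName, then principalId, then "NA".
    user = ident.get("userName") or ident.get("principalId") or "NA"
    return (user, ev.get("eventSource"), ident.get("accountId"), ev.get("awsRegion"))


def slice_start(event_time):
    """Epoch second at which the 3-hour slice containing event_time begins (UTC)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % SLICE_SECONDS


def max_zscores(raw_events):
    """Highest z-score per key, over the slices in which that key has events."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in raw_events:
        key = failed_login_key(raw)
        if key is not None:
            counts[key][slice_start(json.loads(raw)["eventTime"])] += 1
    result = {}
    for key, per_slice in counts.items():
        series = [per_slice[s] for s in sorted(per_slice)]  # | sort + _timeslice
        best = float("-inf")
        for i, count in enumerate(series):
            window = series[max(0, i - WINDOW + 1): i + 1]
            z = (count - mean(window)) / (pstdev(window) + STD_OFFSET)
            best = max(best, z)
        result[key] = round(best, 2)
    return result


def suspicious(raw_events):
    """Keys whose maximum z-score exceeds the threshold, highest first."""
    hits = {k: z for k, z in max_zscores(raw_events).items() if z > THRESHOLD}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))


def make_events(user, hour, n=1):
    """Constructed CloudTrail-style records for the demo (not real data)."""
    rec = {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
           "awsRegion": "us-east-1", "eventTime": f"2017-09-27T{hour:02d}:10:00Z",
           "errorMessage": "Failed authentication",
           "userIdentity": {"type": "IAMUser", "userName": user,
                            "accountId": "111111111111"}}
    return [json.dumps(rec)] * n


# Five quiet slices (one failure each per user), then alice fails 12 times in the sixth.
SAMPLE = [e for h in range(0, 15, 3) for u in ("alice", "bob") for e in make_events(u, h)]
SAMPLE += make_events("alice", 15, 12) + make_events("bob", 15)

if __name__ == "__main__":
    for key, z in suspicious(SAMPLE).items():
        print(key, z)
```

Because only slices that contain events are counted, a user's quiet periods do not lower the baseline; a steady one-failure-per-slice pattern scores 0, while the burst stands out.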

Collecting logs for Cloud Infrastructure Security for AWS

Cloud Infrastructure Security for AWS collects logs from different AWS sources to produce data in the dashboards. When you install the solution, data will be collected from sources, including:

Install Cloud Infrastructure Security for AWS

Before you deploy

This section describes prerequisites and guidelines for deploying Sumo Logic’s Cloud Infrastructure Security for AWS solution. 

Prerequisites

  • AWS data. You must have access to data from the following AWS products, since Cloud Infrastructure Security for AWS uses data from these sources in its dashboards:
  • Sumo Logic console. Make sure you can access the Sumo Logic console as a user associated with a Sumo Logic role that has the required role capabilities.
  • Role capabilities. Make sure you have a Sumo Logic role that has the following role capabilities:
    • Data Management
      • View Collectors
      • Manage Collectors
      • Manage Content
    • Security
      • Create access keys
    • Alerting
      • View Monitors
      • Manage Monitors
  • Sumo Logic Access ID and Key. When you deploy the solution, you’ll need to supply a Sumo Logic Access ID and Access Key, which enable you to use Sumo Logic APIs. Make sure you have the role capabilities listed above before generating the Access ID and Key.
  • AWS credentials. To deploy the solution, you will need to log in to the AWS Console. For the CloudFormation template deployment, your AWS role must have the permissions described by this JSON file. As necessary, you may add JSON text to an existing or a new policy associated with an AWS IAM role, as described in the AWS documentation.
  • Monitors. The Cloud Infrastructure Security for AWS solution comes with pre-packaged alerts in the form of Sumo Logic Monitors. To learn more about their capabilities, visit the Monitors page.

AWS regions supported

You can deploy Cloud Infrastructure Security for AWS to a single AWS account and region or to multiple accounts and regions. Typically you would first deploy the solution to a single AWS account and region, kick the tires, and then expand the deployment.

The Sumo Logic Cloud Infrastructure Security solution supports the following AWS regions:

  • Asia Pacific (Hong Kong)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Seoul)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)
  • Canada (Central)
  • Europe (Frankfurt)
  • Europe (Stockholm)
  • Europe (Ireland)
  • Europe (London)
  • Europe (Paris)
  • Middle East (Bahrain)
  • South America (São Paulo)
  • US East (N. Virginia)
  • US East (Ohio)
  • US West (N. California)
  • US West (Oregon)

Deployment considerations  

When you deploy the solution, consider the following.

Do you already have the required sources? 

When you deploy, you are given the option to create the Sumo Logic sources that the solution applications rely upon. If you have already configured those sources, you do not have to create new ones. You can just provide the URLs of the relevant Sumo Logic sources as part of the configuration.

Note

If you use existing sources rather than create new ones, it is not necessary to modify the existing metadata and source categories associated with the sources. The metadata that the solution depends on will be added to the sources at deployment time. 

Bucket considerations

In the sections of the CloudFormation template that relate to creating Sumo Logic sources, you can specify an existing S3 bucket to store the logs that the source collects. If you don’t supply a bucket name, the template will create a new one. We recommend you use an existing bucket if possible. 

Install from the App Catalog

You can install Cloud Infrastructure Security for AWS from the App Catalog to use the pre-configured dashboards that provide visibility into your environment for real-time analysis of usage.

  1. From the App Catalog, search for and select Cloud Infrastructure Security for AWS.
  2. Click Install App.
  3. In the Deploy Cloud Infrastructure for AWS screen, perform the following steps:
    1. Select Region. Select the AWS region where you want to deploy the solution.

       Info: This step is critical. If you do not select the correct region, you will deploy the solution in the wrong region.

    2. Deploy AWS. Click the Deploy AWS Security button.
  4. Sign in to the AWS Console.
  5. In Quick Create Stack, fill out the fields to create the stack from the CloudFormation template.
    1. In Stack Name, enter a name for the stack. The stack name can include letters (A-Z and a-z), numbers (0-9), and dashes (-).

    2. Scroll down to the Parameters section.

    3. In 1. Sumo Logic Configuration, fill out the following:

      • Sumo Logic deployment location. Choose the geographic location of the deployment: au, ca, de, eu, jp, us2, us1, in, or fed.
      • Sumo Logic access ID. Enter the Sumo Logic console access ID, which you received when you created the access key.
      • Sumo Logic access key. Enter your Sumo Logic access key. Retrieve this from your Sumo Logic account.
      • Sumo Logic organization ID. Enter your Sumo Logic organization ID, which you can find in the Sumo Logic console, under Account.
      • Delete Sumo Logic resources when stack is deleted. Choose false if you do not want to remove the collector and sources when the stack is deleted.
    4. In 2. AWS Organization configuration, fill out the following:

      • Security-tooling account ID. Enter your security-tooling account ID. This is used to set up the AWS CloudWatch, Lambda, Kinesis, S3 bucket, and SNS topic for collecting AWS GuardDuty, Security Hub, WAF, and Network Firewall data.
      • Log-archiving account ID. Enter your log-archiving account ID. This is used to set up an S3 bucket and SNS topic for collecting the AWS CloudTrail data.
      • Security-tooling and log-archiving account Region. Enter your security-tooling and log-archiving account Region if it's different from the default.
      • AWS Organization root ID. Enter the ID for your organization root. This string must be r- followed by 4 to 32 lowercase letters or digits.

      You can find the values in the Organizational structure section of your AWS accounts page. Sign in to the AWS console, click on your profile in the top-right corner, and select Organization. For more information about organizations, see AWS documentation.

    5. In 3. AWS Service configuration, fill out the following:

      • Publish AWS GuardDuty data to Sumo. Ensure AWS GuardDuty Service is enabled.
      • Publish AWS CloudTrail data to Sumo. Ensure AWS CloudTrail Service is enabled.
      • Publish AWS Security Hub data to Sumo. Ensure AWS Security Hub Service is enabled.
      • Publish AWS WAF data to Sumo. Ensure AWS WAF Service is enabled.
      • Publish AWS Network Firewall data to Sumo. Ensure AWS Network Firewall Service is enabled.
    6. For GuardDuty configuration:

      • Under 4.1 GuardDuty service configuration, for GuardDuty Regions enter regions from which GuardDuty Data should be sent.
      • Under 4.2 GuardDuty Sumo log source configuration, in Create Sumo Logic HTTP logs source, select Yes if you do not already have an HTTP logs source to collect GuardDuty logs. Select No if you already have a source.
      • Sumo Logic HTTP logs source category name. If you selected No above in the field for creating a logs source, provide an existing source category name for the GuardDuty logs.
    7. For CloudTrail configuration:

      • Under 5.1 CloudTrail service configuration, in CloudTrail Regions, enter regions from which CloudTrail Data should be sent. On the AWS side, configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account, and use that S3 bucket in 5.3 CloudTrail S3 bucket configuration.
      • Under 5.2 CloudTrail Sumo log source configuration, under Create Sumo Logic S3 logs source for CloudTrail, select Yes if you do not already have a Sumo Logic S3 log source to collect CloudTrail logs. Select No if you already have a source.
      • Path expression for logs. The path expression must match the folder structure for CloudTrail logs (for example, AWSLogs/*/CloudTrail/*).
      • Sumo Logic CloudTrail logs source category name. If you selected No in the preceding field for creating an S3 log source, provide the name of an existing Sumo Logic source category that's collecting CloudTrail logs. (Note that the path provided is a placeholder only. If you already have a CloudTrail source, enter it here.)
      • Under 5.3 CloudTrail S3 bucket configuration, in Create an S3 bucket for CloudTrail logs, select Yes if you do not already have an S3 bucket for CloudTrail logs. Select No if you already have a bucket. (We recommend you use an existing bucket if possible.)
      • Name of existing S3 bucket that contains the CloudTrail logs. If you selected No in the preceding field for creating an S3 bucket, provide the name of an existing S3 bucket that contains CloudTrail logs. The existing bucket must be in the same AWS Region as the log-archiving account.
      • Delivery bucket prefix. Enter the log delivery S3 bucket prefix.
    8. For Security Hub configuration:

      • Under 6.1 Security Hub Service Configuration, in Security Hub Regions, enter regions from which Security Hub data should be sent.
      • Under 6.2 Security Hub Sumo Log Source configuration, in Create Sumo Logic HTTP logs source, select Yes if you do not already have a Sumo Logic HTTP logs source to collect Security Hub logs. Select No if you already have a logs source.
      • Sumo Logic HTTP logs source category name. If you selected No in the preceding field for creating a logs source, provide an existing source category name for the Security Hub logs.
    9. For firewall configuration:

      • Under 7.1 AWS Firewall Manager Policy Regions Configuration, in AWS WAF Policy Regions, enter regions from which AWS WAF data should be sent. On the AWS side, configure Network Firewall to deliver log files from multiple Regions to a single S3 bucket for a single account, and use that S3 bucket in section 7.4 Firewall Manager - S3 Bucket Configuration.
      • AWS Network Firewall Policy Regions. Enter regions from which AWS Network Firewall data should be sent.
      • Under 7.2 Firewall Manager Details - Kinesis Firehose Delivery Stream Source WAF Configuration, in Create a Kinesis Firehose Delivery Stream Source for WAF, select Yes if you do not already have a Kinesis Delivery Stream Source for WAF. Select No if you already have a source. Configure WAF in each region to send logs to a Kinesis Data Firehose destination, and from there, use the same Sumo Logic Kinesis HTTP URL in the Firehose configuration to send logs to Sumo Logic.
      • Sumo Logic AWS Kinesis Firehose Logs WAF Source Category Name. Enter the name of a source category from Sumo Logic if it already exists. To create a new source category, use the default name provided.
      • Amazon Kinesis Data Firehose delivery stream name. Enter the Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivery stream name.
      • Under 7.3 Firewall Manager Details - S3 Source Network Firewall Configuration, in Create Sumo Logic Amazon S3 Logs Source for Network Firewall, select Yes if you do not already have a Sumo Logic Amazon S3 Log Source with the provided bucket name. Select No if you already have a source.
      • Sumo Logic Amazon S3 Logs Source Category Name for Network Firewall. Enter the name of a source category from Sumo Logic if it already exists. To create a new source category, use the default name provided.
      • Under 7.4 Firewall Manager - S3 Bucket Configuration, in Create AWS S3 Bucket, select Yes if you do not already have an S3 bucket in AWS S3. Select No to use an existing S3 bucket from AWS S3 which has Network Firewall Logs. (If the S3 bucket is created by the Cloud Infrastructure Security solution, then make sure on the AWS side that it's a central bucket for Network Firewall for all regions.)
      • Network Firewall Delivery Bucket Prefix. Enter the Network Firewall Log Delivery S3 bucket prefix.
      • Name of existing S3 Bucket which contains the Network Firewall Logs. If you selected No in the preceding field for creating an S3 bucket, provide an existing S3 Bucket name which contains Network Firewall Logs.
    10. Under Permissions, in IAM role - optional, choose the IAM role for CloudFormation to use for all operations performed on the stack. The role must have permissions to set up the necessary Lambdas, S3 buckets, Kinesis streams, and other objects needed in the CloudFormation template, as well as access to the appropriate logs. If your AWS role does not have the necessary permissions, see the AWS documentation for information on configuring a policy to provide permissions.

    11. Under Capabilities and transforms, select the acknowledgement boxes.

    12. Click Create Stack. The stack is created, and the solution is installed.

  6. Click Start Using Sumo.
  7. Select an option to start using the solution.

Troubleshoot installation

Installation of Cloud Infrastructure Security for AWS uses an AWS CloudFormation template. While deploying using the template, you may receive error messages such as CREATE_FAILED status or ROLLBACK_COMPLETE status for various reasons. This section provides information on how to troubleshoot such AWS CloudFormation installation failures.

Determine the cause of a CloudFormation installation failure

This section walks you through the process of troubleshooting an AWS CloudFormation installation failure.

To debug an AWS CloudFormation installation failure, do the following:

  1. After the stack rollback is complete and the status is ROLLBACK_COMPLETE, go to the parent stack. In the parent stack, look for the first failure as shown in the following example. The failure can be a direct reason or can point to a nested stack.
  2. Look for direct reasons for the failure that are available in the parent stack, as shown in the following example.
  3. To find indirect reasons for the failure, go to the nested stack mentioned in the status reason, as shown in the following example. Take note of the resources mentioned in the reason.
  4. Select the deleted option to find the nested stacks, as shown in the following example.
  5. Go to the nested stack and look for the resource mentioned in the previous step to identify the reason, as shown in the following example.

Optimize CloudTrail log ingest

By default, the Cloud Infrastructure Security for AWS solution collects AWS CloudTrail logs for all AWS services. To reduce ingestion volume, you can define processing rules that limit log collection to only the logs that are relevant to dashboards provided by the solution.

Define the processing rules for the Sumo Logic AWS CloudTrail Source that was created when you ran the CloudFormation template.

For instructions, see Create a Processing Rule. Create the following rules, selecting Include messages that match as the rule type, using these regular expressions:

.*\"eventSource\":\"elasticloadbalancing\.amazonaws\.com\".*
.*\"eventSource\":\"dynamodb\.amazonaws\.com\".*
.*\"eventSource\":\"ec2\.amazonaws\.com\".*
.*\"eventSource\":\"rds\.amazonaws\.com\".*
.*\"eventSource\":\"lambda\.amazonaws\.com\".*
.*\"eventSource\":\"apigateway\.amazonaws\.com\".*
.*\"eventSource\":\"ecs\.amazonaws\.com\".*
.*\"eventSource\":\"elasticache\.amazonaws\.com\".*
.*\"eventSource\":\"sns\.amazonaws\.com\".*
.*\"eventSource\":\"sqs\.amazonaws\.com\".*
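
A dry run of these include rules, as an added example (not Sumo Logic's code): it applies the ten expressions to constructed CloudTrail records to report which event sources would stop being ingested, and it flags any rule whose key casing differs from CloudTrail's `eventSource`. It assumes that include rules are ORed and matched case-sensitively against the whole message, which is how `re.fullmatch` is used here; the `record` helper and the sample events are constructed.

```python
import json
import re
from collections import Counter

SERVICES = ["elasticloadbalancing", "dynamodb", "ec2", "rds", "lambda",
            "apigateway", "ecs", "elasticache", "sns", "sqs"]
# The ten include expressions, written with CloudTrail's camelCase key.
INCLUDE_RULES = [r'.*\"eventSource\":\"%s\.amazonaws\.com\".*' % s for s in SERVICES]


def kept(raw, rules=INCLUDE_RULES):
    """True if at least one include rule matches the whole message."""
    return any(re.fullmatch(rule, raw, flags=re.DOTALL) for rule in rules)


def dropped_sources(raw_events, rules=INCLUDE_RULES):
    """Count, per eventSource, the messages that no include rule would keep."""
    dropped = Counter()
    for raw in raw_events:
        if not kept(raw, rules):
            dropped[json.loads(raw).get("eventSource", "unknown")] += 1
    return dict(dropped)


def miscased_rules(rules, key="eventSource"):
    """Rules that quote the key with different letter case and so never match it."""
    bad = []
    for rule in rules:
        for found in re.findall(r'\\"(\w+)\\":', rule):
            if found.lower() == key.lower() and found != key:
                bad.append(rule)
    return bad


def record(source, name):
    """Constructed CloudTrail record with no spaces after colons, as in the sample log."""
    return json.dumps({"eventVersion": "1.01", "eventSource": source,
                       "eventName": name, "awsRegion": "us-east-1"},
                      separators=(",", ":"))


# Constructed sample: two sources on the include list, two that are not.
SAMPLE = [record("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"),
          record("sns.amazonaws.com", "Subscribe"),
          record("signin.amazonaws.com", "ConsoleLogin"),
          record("s3.amazonaws.com", "PutBucketAcl")]

if __name__ == "__main__":
    print("would be dropped:", dropped_sources(SAMPLE))
    print("miscased rules:", miscased_rules(INCLUDE_RULES))
```

Run it against a sample of your own CloudTrail records before saving the rules, and compare the dropped sources with the events your dashboards and monitors query.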

Common errors

Below are some common errors that can occur while using the CloudFormation template. 

Error: The API rate limit for this user has been exceeded.
  • Description: This error indicates that AWS CloudFormation execution has exceeded the API rate limit set on the Sumo Logic side. It can occur if you install the AWS CloudFormation template in multiple regions or accounts using the same Access Key and Access ID.
  • Resolution: Do not install the AWS CloudFormation template in multiple regions or accounts with the same Access Key and Access ID.

Error: S3 Bucket already exists.
  • Description: The error can occur if:
    • An S3 bucket with the same name exists in S3, or
    • The S3 bucket is not present in S3 but is referenced by some other AWS CloudFormation stack which created it.
  • Resolution:
    • Remove the S3 bucket from S3 or select “No” in the AWS CloudFormation template for S3 bucket creation.
    • Remove the AWS CloudFormation stack which references the S3 bucket.

Error: The S3 bucket you tried to delete is not empty.
  • Description: The error can occur when deleting the stack with a non-empty S3 bucket.
  • Resolution: Delete the S3 bucket manually if you do not need the bucket or its content in the future.

Roll back the Cloud Infrastructure Security for AWS Solution

When you roll back the solution, all the resources that were created with the AWS CloudFormation stack are deleted. The resources deleted with a rollback include dashboards, collectors, sources, S3 buckets, Lambda functions, IAM roles, bucket policy, SNS topic, and SNS subscriptions. 

Rolling back the solution deletes the main AWS CloudFormation stack, including the nested stack and associated Sumo Logic and AWS resources. The following rollback guidelines apply:

  • Sumo Logic resources are deleted based on the “Delete Sumo Logic Resources when the stack is deleted” flag provided during the AWS CloudFormation configuration. These resources include dashboards, collectors, and sources.
  • AWS resources are deleted by default, regardless of the flag provided. These resources include S3 buckets, Lambda functions, IAM roles, bucket policy, SNS topic, and SNS subscription.

To uninstall the Cloud Infrastructure Security solution:

  1. Log in to your AWS account and go to CloudFormation.
  2. Select the main stack you want to delete.
  3. Select Delete.

Cloud Infrastructure Security for AWS dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times.
  • If required, configure the refresh interval rate for a dashboard or panel by clicking the drop-down arrow next to the refresh icon.
  • Click the funnel icon in the dashboard top menu bar to filter the dashboard with template variables.

Risk Overview dashboard

The Risk Overview dashboard provides a summary of all resources that pose risks in a single dashboard that rolls up the findings from other dashboards. It also shows AWS API events by time, and has an Action Plan panel so you can access resources that need attention.

You can also use this dashboard to show details of a single resource. See View resource risk details below.


View resource risk details

You can click a resource on any dashboard to view details about its risk in the Risk Overview dashboard:

  1. Click a resource in a dashboard. A summary of that resource’s data appears in a panel.
  2. In the panel under Linked Dashboards, select Risk Overview.
  3. The selected resource’s data appears in the Risk Overview dashboard, broken down by the types of data collected. This lets you see at a glance all the different risks presented by the resource. Note at the top of the dashboard that the filters specify the resource.

Active threats dashboards

The Active Threats dashboards show data on threats that require attention. Review these dashboards to see threats identified in AWS APIs, resources, and storage.

Active Threats: AWS APIs

The Active Threats: AWS APIs dashboard shows threats identified from AWS APIs by correlating them with threat intelligence data. It shows threat count and trend, and threats by resource, actor, events, and geo location.


Active Threats: AWS Resources

The Active Threats: AWS Resources dashboard shows threats identified in AWS resources such as EC2 and IAMUser as reported by Amazon GuardDuty. It shows findings by resource, trend, resource type, category, and country. This dashboard has an Action Plan panel so you can access suggested resources that need attention through the AWS console.


Security Control Failures dashboard

The Security Control Failures dashboard shows resources that need to be addressed because they are vulnerable as reported by AWS Security Hub. It shows findings by resource, trend, type, and category. By default, the compliance_status filter at the top of the dashboard is set to FAILED to show resources that fail compliance. Set the risk.calculated_level filter to high or critical to see the most important failures.


Suspicious Activity dashboards

The Suspicious Activity dashboards show data on events identified by anomaly detection that indicate out-of-the-ordinary patterns that may require attention. Review these dashboards to see activity identified in configurations, Identity and Access Management (IAM), networks, users, and on the Web. They prioritize activity by z-score threshold, labeled risk.calculated_level, which measures how unusual the activity is.

Suspicious Config and IAM Activity

The Suspicious Config and IAM Activity dashboard shows suspicious changes for configurations and Identity and Access Management (IAM). It shows suspicious changes in IAM policies, security groups, VPCs, network ACLs, route tables, gateways, S3 bucket permissions, deletion of CMK, and configurations.


Suspicious Network Activity

The Suspicious Network Activity dashboard shows suspicious activity on networks. It shows suspicious blocked source-destination pairs, suspicious traffic, trends for blocked activity and traffic, and geo locations for suspicious blocked destinations and traffic.


Suspicious User Activity

The Suspicious User Activity dashboard shows suspicious activity that users perform in the cloud. It shows failed console logins, console logins without MFA, console logins from risky geo locations, root account logins, unauthorized AWS API requests, and impossible travel events.

To see all events a particular user has been involved with, click a user on a panel (a honeycomb cell), and then on the resulting panel under Linked Dashboards click Risk Overview. For details, see View resource risk details.


Suspicious Web Activity

The Suspicious Web Activity dashboard shows suspicious activity on the Web. It shows suspicious blocked requests, including by trend and geo location.


To most efficiently use the solution to address security concerns, we recommend the following workflow:

  1. Look at the Risk Overview dashboard to get an overall picture of the security posture of your environment. Pivot or browse to other dashboards to see details in each area.
  2. Look at activity displayed in the Active Threats dashboards to find issues that need immediate attention.
  3. View the Security Control Failures dashboard to find areas that are identified as failing to meet compliance requirements, and therefore possibly pose a security risk.
  4. Review the Suspicious Activity dashboards to uncover suspicious activity that may need investigation.
  5. Pivot into the Risk Overview dashboard for specific resources that have issues to see any related activity. Review the action plan presented at the bottom of the dashboard to work through the items identified as needing attention.

Copyright © 2024 by Sumo Logic, Inc.