File: docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ To ingest AWS GuardDuty data into Cloud SIEM:
11
11
1.[Configure an HTTP source for GuardDuty](/docs/integrations/amazon-aws/guardduty/#step-1-configure-an-http-source) on a collector. When you configure the source, do the following:
12
12
1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM.
13
13
1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/AWS/GuardDuty*. This ensures that the GuardDuty logs are parsed and normalized into structured records in Cloud SIEM.
14
-
1.[Deploy the Sumo Logic GuardDuty events processor](/docs/integrations/amazon-aws/guardduty/#step-2-deploy-sumo-guardduty-events-processor).
14
+
1.[Deploy the Sumo Logic GuardDuty events processor](/docs/integrations/amazon-aws/guardduty/#step-2-deploy-sumo-logic-guardduty-events-processor).
15
15
1. To verify that your logs are successfully making it into Cloud SIEM:
16
16
1.[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
17
17
1. On the **Log Mappings** tab search for "GuardDuty" and check the **Records** columns.
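Review bot: Verify that the corrected anchor `#step-2-deploy-sumo-logic-guardduty-events-processor` actually resolves on /docs/integrations/amazon-aws/guardduty/ after this same commit lands, because that page is being split into "Method 1" and "Method 2" sections that each reuse "Step 1"/"Step 2" headings; if the Lambda-based "Step 2: Deploy Sumo Logic GuardDuty events processor" heading becomes the second "Step 2" on the page, the generated slug may pick up an auto-suffix (e.g. `-1`) and this link will silently point at the EventBridge step instead. A quick check of the rendered heading ids on the target page before merging avoids the link breaking again.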
This configuration is defined in a [AWS Serverless Application Model (SAM) specification](https://docs.aws.amazon.com/lambda/latest/dg/serverless_app.html) published in the [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/). You do not need to manually create the necessary AWS resources. You simply deploy the configuration, as described in Step 2 below.
186
+
### Method 1: Collecting Amazon GuardDuty logs using EventBridge
187
+
188
+
This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution.
189
+
190
+
#### Step 1: Create an HTTP source in Sumo Logic
191
+
192
+
To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source).
193
+
194
+
#### Step 2: Configure EventBridge API destination
195
+
196
+
Follow the steps below to configure the EventBridge API destination:
197
+
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
198
+
1. In the navigation bar, click **API destinations**.
199
+
1. Click **Create destination**.
200
+
1. Enter a name for the API Destination.
201
+
1. Provide the HTTP Source URL from Sumo Logic.
202
+
1. Click **Create a new connection** to create a connection for the API destination.
203
+
1. Provide a connection name.
204
+
1. Keep the API Type as **Public**.
205
+
1. Select **Basic (Username/Password)** in the **Authorization type**.
206
+
1. Add any value of your choice for **Username** and **Password**.
207
+
208
+
#### Step 3: Create the EventBridge rule
188
209
210
+
Follow the steps below to create the EventBridge rule:
211
+
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
212
+
1. In the navigation bar, click **Rules**.
213
+
1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.
214
+
1. Select **All Events** in Event Type.
215
+
1. Under **Select targets**, choose **EventBridge API destination**.
216
+
1. Select the API Destination created in Step 2.
217
+
1. Select **Create a new role for this specific resource** in the **Execution role**.
This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.
223
+
224
+
- Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated.
225
+
- A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo `CloudWatchEventFunction` Lambda function.
226
+
- The Lambda function sends the events to an HTTP source on a Sumo Logic hosted collector.
227
+
228
+
This configuration is defined in a [AWS Serverless Application Model (SAM) specification](https://docs.aws.amazon.com/lambda/latest/dg/serverless_app.html) published in the [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/). You do not need to manually create the necessary AWS resources. You simply deploy the configuration, as described in Step 2 below.
229
+
230
+
#### Step 1: Configure an HTTP source
191
231
192
232
1. In Sumo Logic, configure a [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector).
193
233
2. In Sumo Logic, configure an [HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics). When you configure the source:
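Review bot: In the new "Step 3: Create the EventBridge rule" on the GuardDuty page, the rule's event source is set to **Security Hub** ("select **Security Hub** as the AWS service"), yet the page collects Amazon GuardDuty findings; unless the intent is to forward GuardDuty findings only after Security Hub has aggregated them, the rule should select GuardDuty as the service, otherwise the HTTP source receives either no GuardDuty events or every Security Hub finding from every integrated product. The identical step list also appears on the Inspector page in this commit, so this looks copy-pasted; either correct the service here or state that Security Hub integration is a prerequisite for Method 1. Three smaller points: the sentence "This configuration is defined in a AWS Serverless Application Model (SAM) specification ... as described in Step 2 below." now appears twice (once above the Method 1 heading and again under Method 2) and should read "an AWS"; the console link is hard-coded to `region=us-east-1`, and since EventBridge rules and API destinations are regional the text should tell the reader to create them in the region where the findings are generated; and "Add any value of your choice for **Username** and **Password**" should explain that these Basic credentials are not what protects the endpoint, so the HTTP Source URL pasted into the API destination is the secret that grants write access to the collector and must be handled as one.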
@@ -198,8 +238,7 @@ This configuration is defined in a [AWS Serverless Application Model (SAM) speci
198
238
199
239
When you configure the HTTP Source, make a note of the HTTP Source Address URL. You will need it in the next step.
In this step, you deploy the events processor. This will create the AWS resources described in [Collection overview](#collecting-logs-for-the-amazon-guardduty-app).
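Review bot: The header `@@ -198,8 +238,7 @@` records a net deletion of one line, but the rendered diff shows only unchanged context ("make a note of the HTTP Source Address URL" and "In this step, you deploy the events processor ..."); please confirm which line was dropped, and confirm that the `#collecting-logs-for-the-amazon-guardduty-app` anchor in the retained sentence still resolves now that the overview text it points to has been split across the Method 1 and Method 2 sections.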
File: docs/integrations/amazon-aws/inspector.md
Lines changed: 48 additions & 9 deletions
@@ -16,18 +16,55 @@ For information about integrating Amazon Inspector with Security Hub, see [Integ
16
16
17
17
## Collecting findings for the Amazon Inspector app
18
18
19
-
Sumo Logic provides a serverless solution for creating a CloudWatch events rule and a Lambda function (SecurityHubCollector) to extract findings from AWS Security Hub.
19
+
You can collect Security Hub logs using three methods:
20
20
21
-
Findings from AWS services (AWS Security Hub) are delivered to CloudWatch Events as events in near real time. The Lambda function parses those events and sends them to an S3 bucket. Sumo Logic then collects the findings data using an S3 bucket source on a Sumo Logic hosted collector. The Lambda function setup is defined using Serverless Application Model (SAM) specifications and is published in AWS Serverless Application Repository.
21
+
-[Method 1: Collecting Security Hub logs using EventBridge](#method-1-collecting-security-hub-logs-using-eventbridge)
-[Method 2: Collect Security Hub logs using Amazon S3 source](#method-2-collect-security-hub-logs-using-amazon-s3-source)
27
+
This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution.
27
28
28
-
You do not have to manually create the AWS resources. Simply deploy the solution, as described in the [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector) for HTTP endpoint and [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector-1) for Amazon S3 source.
29
+
#### Step 1: Create an HTTP source in Sumo Logic
30
+
31
+
To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source).
32
+
33
+
#### Step 2: Configure EventBridge API destination
34
+
35
+
Follow the steps below to configure the EventBridge API destination:
36
+
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
37
+
1. In the navigation bar, click **API destinations**.
38
+
1. Click **Create destination**.
39
+
1. Enter a name for the API Destination.
40
+
1. Provide the HTTP Source URL from Sumo Logic.
41
+
1. Click **Create a new connection** to create a connection for the API destination.
42
+
1. Provide a connection name.
43
+
1. Keep the API Type as **Public**.
44
+
1. Select **Basic (Username/Password)** in the **Authorization type**.
45
+
1. Add any value of your choice for **Username** and **Password**.
46
+
47
+
#### Step 3: Create the EventBridge rule
48
+
49
+
Follow the steps below to create the EventBridge rule:
50
+
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
51
+
1. In the navigation bar, click **Rules**.
52
+
1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.
53
+
1. Select **All Events** in Event Type.
54
+
1. Under **Select targets**, choose **EventBridge API destination**.
55
+
1. Select the API Destination created in Step 2.
56
+
1. Select **Create a new role for this specific resource** in the **Execution role**.
This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.
62
+
63
+
Sumo Logic provides a serverless solution for creating a CloudWatch events rule and a Lambda function (SecurityHubCollector) to extract findings from AWS Security Hub.
64
+
65
+
Findings from AWS services (AWS Security Hub) are delivered to CloudWatch Events as events in near real time. The Lambda function parses those events and sends them to an S3 bucket. Sumo Logic then collects the findings data using an S3 bucket source on a Sumo Logic hosted collector. The Lambda function setup is defined using Serverless Application Model (SAM) specifications and is published in AWS Serverless Application Repository.
66
+
67
+
You do not have to manually create the AWS resources. Simply deploy the solution, as described in the [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector) for HTTP endpoint and [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector-1) for Amazon S3 source.
31
68
32
69
#### Step 1: Add a hosted collector and Sumo Logic HTTP source
33
70
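Review bot: The new intro line "You can collect Security Hub logs using three methods:" is followed by only two entries (Method 1: EventBridge; Method 2: Amazon S3 source), so the count is wrong. In the added "Simply deploy the solution, as described in ..." sentence, both links carry the identical text "Step 2: Deploy an AWS Security Hub app collector" and differ only by an auto-generated `-1` anchor suffix; give the two Step 2 headings method-specific titles so the anchors are stable and the link text tells the reader which path it belongs to. As on the GuardDuty page, the added "Add any value of your choice for **Username** and **Password**" step should make clear that the Sumo Logic HTTP Source URL entered on the API destination is the credential that matters and must be kept out of shared documents and screenshots, and the hard-coded `region=us-east-1` console link should be accompanied by a note that the rule and destination must live in the region where Security Hub findings are produced.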
@@ -57,7 +94,9 @@ To deploy an AWS Security Hub app collector:
57
94
5. In the **AWS Lambda > Functions > Application Settings** panel, enter the endpoint **HTTP endpoint** of the source that you configured.
58
95
6. Scroll to the bottom of the window and click **Deploy**.
This method uses a Lambda function to process findings, store them in an S3 bucket, and retrieve them through Sumo Logic's S3 Source. It is ideal for scenarios that require data archiving.
61
100
62
101
#### Step 1: Add a hosted collector and Amazon S3 source
63
102
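Review bot: "Step 1: Add a hosted collector and Amazon S3 source" under Method 2 repeats the "Step 1"/"Step 2" numbering that Method 1 already uses on the same page, which is exactly what forces the fragile `-1` anchor suffix used by the intro links; renaming the method-specific steps here would let those links drop the suffix. Since this section is being re-titled anyway, the retained step 5 text "enter the endpoint **HTTP endpoint** of the source that you configured" should lose the duplicated word ("enter the **HTTP endpoint** of the source that you configured").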
@@ -187,4 +226,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
187
226
188
227
import AppUninstall from '../../reuse/apps/app-uninstall.md';