18 changes: 10 additions & 8 deletions docs/integrations/amazon-aws/guardduty.md
Expand Up @@ -178,12 +178,14 @@ _sourceCategory=aws/guardduty

## Collecting logs for the Amazon GuardDuty app

You can collect the Amazon GuardDuty logs using two methods:
You can collect the Amazon GuardDuty logs using the following methods and send them to Sumo Logic via an HTTP endpoint:

- [Method 1: Collecting Amazon GuardDuty logs using EventBridge](#method-1-collecting-amazon-guardduty-logs-using-eventbridge)
- [Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint](#method-2-collecting-amazon-guardduty-logs-using-sumo-logic-http-endpoint)
- [Method 1: GuardDuty > EventBridge > Sumo Logic via HTTP](#method-1-guardduty--eventbridge--sumo-logic-via-http-preferred)
- [Method 2: GuardDuty > Lambda Function > Sumo Logic via HTTP](#method-2-guardduty--lambda-function--sumo-logic-via-http-alternative)

### Method 1: Collecting Amazon GuardDuty logs using EventBridge
For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process.

### Method 1: GuardDuty > EventBridge > Sumo Logic via HTTP (Preferred)

This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution.

Expand All @@ -194,7 +196,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs
#### Step 2: Configure EventBridge API destination

Follow the steps below to configure the EventBridge API destination:
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
1. In the navigation bar, click **API destinations**.
1. Click **Create destination**.
1. Enter a name for the API Destination.
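Review bot: the new link target `https://aws.amazon.com/eventbridge/` is the EventBridge product page, not the console, so step 1 ("Sign in to your Amazon EventBridge Console") now sends the reader to a marketing page. If the goal was to drop the hard-coded `us-east-1` region from the old link, a console URL without a region, such as `https://console.aws.amazon.com/events/`, keeps the step actionable. The same replacement appears in the other Step 2/Step 3 hunks of this PR.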
Expand All @@ -208,7 +210,7 @@ Follow the steps below to configure the EventBridge API destination:
#### Step 3: Create the EventBridge rule

Follow the steps below to create the EventBridge rule:
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
1. In the navigation bar, click **Rules**.
1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.
1. Select **All Events** in Event Type.
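Review bot: the unchanged step "select **Security Hub** as the AWS service" now sits under a heading named `GuardDuty > EventBridge > Sumo Logic`, which implies GuardDuty itself is the event source of the rule. If the intent is to match GuardDuty findings as republished by Security Hub, the method description should say so (GuardDuty > Security Hub > EventBridge) so readers know the Security Hub integration is a prerequisite; if not, the service selected here should be GuardDuty. The console-URL comment from Step 2 applies to step 1 here as well.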
Expand All @@ -217,9 +219,9 @@ Follow the steps below to create the EventBridge rule:
1. Select **Create a new role for this specific resource** in the **Execution role**.
1. Click **Create** to activate the rule.

### Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint
### Method 2: GuardDuty > Lambda Function > Sumo Logic via HTTP (Alternative)

This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.
This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic via an HTTP endpoint. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.

- Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated.
- A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo `CloudWatchEventFunction` Lambda function.
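Review bot: the renamed heading `GuardDuty > Lambda Function > Sumo Logic via HTTP` omits the hop that the bullets still describe, a "CloudWatch events rule" that routes findings to the `CloudWatchEventFunction` Lambda, so the heading and the flow it introduces do not match; "CloudWatch events" is also the older name for the service that Method 1 calls EventBridge. Suggest naming the chain `GuardDuty > EventBridge > Lambda Function > Sumo Logic via HTTP` and wording the bullet as "An EventBridge (formerly CloudWatch Events) rule ...".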
136 changes: 70 additions & 66 deletions docs/integrations/amazon-aws/inspector.md
Expand Up @@ -14,15 +14,75 @@ Amazon Inspector is an automated vulnerability management service that continual
For information about integrating Amazon Inspector with Security Hub, see [Integration with AWS Security Hub](https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html) in Amazon help.
:::

## Collecting findings for the Amazon Inspector app
## Log types

You can collect Security Hub logs using three methods:
### Sample log messages

```json title="AWS Security Hub log"
{
"SchemaVersion": "2018-10-08",
"ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default",
"AwsAccountId": "123456789012",
"Id": "test_finding_123456",
"GeneratorId": "TestDetector",
"Types": [
"Software and Configuration Checks/Vulnerabilities/CVE"
],
"CreatedAt": "2018-11- 06T13:22:13.933Z",
"UpdatedAt": "2018-11-07T14:22:13.933Z",
"Severity": {
"Product": 10,
"Normalized": 30
},
"Title": "Unprotected port 22 found on instance i-01234567890abcefb",
"Description": "Test finding was found on instance i- 01234567890afbcefa",
"Resources": [
{
"Type": "AwsEc2::Instance",
"Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa"
}
],
"SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them",
"Process": {
"Name": "My Process",
"Path": "/Process/Path"
},
"RecordState": "ACTIVE",
"Note": {
"Text": "User1 will address this finding",
"UpdatedBy": "User1",
"UpdatedAt": "2018-11-03T13:22:13.933Z"
}
}
```

### Sample queries

```sql title="Findings by resource type and severity query"
(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub")
| json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources",
"Severity.Normalized", "SourceUrl",
"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at,
updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop
| parse regex field=finding_types "\"(?<finding_type>.*?)\"" multi
| parse regex field=resources "\"Type\":\"(?<resource_type>.*?)\"" multi
| parse regex field=resources "\"Id\":\"(?<resource_id>.*?)\"" multi
| parse regex field=product_arn "product/(?<finding_provider>.*?)$"
| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75),
max(severity_normalized) by resource_type
```

## Collecting logs for the Amazon Inspector app

You can collect the Amazon Inspector logs using the following methods:

- [Method 1: Collecting Security Hub logs using EventBridge](#method-1-collecting-security-hub-logs-using-eventbridge)
- [Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint](#method-2-collect-security-hub-logs-using-sumo-logic-http-endpoint)
-[Method 3: Collect Security Hub logs using Amazon S3 source](#method-3-collect-security-hub-logs-using-amazon-s3-source)
- [Method 1: Inspector > EventBridge > Sumo Logic via HTTP](#method-1-inspector--eventbridge--sumo-logic-via-http-preferred)
- [Method 2: Inspector > Lambda Function > Sumo Logic via HTTP](#method-2-inspector--eventbridge--sumo-logic-via-http-alternative)
- [Method 3: Inspector > Lambda Function > Amazon S3 > Sumo Logic via S3 Source](#method-3-inspector--lambda-function--amazon-s3--sumo-logic-via-s3-source-alternative)

### Method 1: Collecting Security Hub logs using EventBridge
For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process.

### Method 1: Inspector > EventBridge > Sumo Logic via HTTP (Preferred)

This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution.

Expand All @@ -33,7 +93,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs
#### Step 2: Configure EventBridge API destination

Follow the steps below to configure the EventBridge API destination:
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
1. In the navigation bar, click **API destinations**.
1. Click **Create destination**.
1. Enter a name for the API Destination.
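Review bot: same issue as the guardduty.md Step 2 hunk: `https://aws.amazon.com/eventbridge/` is the product page, not the console that step 1 tells the reader to sign in to; use a console URL without a hard-coded region instead.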
Expand All @@ -47,7 +107,7 @@ Follow the steps below to configure the EventBridge API destination:
#### Step 3: Create the EventBridge rule

Follow the steps below to create the EventBridge rule:
1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
1. In the navigation bar, click **Rules**.
1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.
1. Select **All Events** in Event Type.
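Review bot: selecting Security Hub as the AWS service is consistent with the admonition at the top of this file (Inspector findings reach Sumo Logic through the Security Hub integration), but the new heading `Inspector > EventBridge > Sumo Logic` hides that hop; stating in the Method 1 intro that the rule matches Inspector findings published to Security Hub, and that the integration linked at the top of the file must be in place first, would save readers a silent-rule debugging session. The console-URL comment from Step 2 applies to step 1 here too.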
Expand All @@ -56,7 +116,7 @@ Follow the steps below to create the EventBridge rule:
1. Select **Create a new role for this specific resource** in the **Execution role**.
1. Click **Create** to activate the rule.

### Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint
### Method 2: Inspector > EventBridge > Sumo Logic via HTTP (Alternative)

This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.

Expand Down Expand Up @@ -94,7 +154,7 @@ To deploy an AWS Security Hub app collector:
5. In the **AWS Lambda > Functions > Application Settings** panel, enter the endpoint **HTTP endpoint** of the source that you configured.
6. Scroll to the bottom of the window and click **Deploy**.

### Method 3: Collect Security Hub logs using Amazon S3 source
### Method 3: Inspector > Lambda Function > Amazon S3 > Sumo Logic via S3 Source (Alternative)

This method uses a Lambda function to process findings, store them in an S3 bucket, and retrieve them through Sumo Logic's S3 Source. It is ideal for scenarios that require data archiving.

Expand Down Expand Up @@ -127,62 +187,6 @@ To deploy an AWS Security Hub app collector:
5. In the **AWS Lambda > Functions > Application Settings** panel, enter the name of the **S3SourceBucketName** for the bucket you configured (when you defined the S3 source).
6. Scroll to the bottom of the window and click **Deploy**.

### Sample log messages

```json title="AWS Security Hub log"
{
"SchemaVersion": "2018-10-08",
"ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default",
"AwsAccountId": "123456789012",
"Id": "test_finding_123456",
"GeneratorId": "TestDetector",
"Types": [
"Software and Configuration Checks/Vulnerabilities/CVE"
],
"CreatedAt": "2018-11- 06T13:22:13.933Z",
"UpdatedAt": "2018-11-07T14:22:13.933Z",
"Severity": {
"Product": 10,
"Normalized": 30
},
"Title": "Unprotected port 22 found on instance i-01234567890abcefb",
"Description": "Test finding was found on instance i- 01234567890afbcefa",
"Resources": [
{
"Type": "AwsEc2::Instance",
"Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa"
}
],
"SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them",
"Process": {
"Name": "My Process",
"Path": "/Process/Path"
},
"RecordState": "ACTIVE",
"Note": {
"Text": "User1 will address this finding",
"UpdatedBy": "User1",
"UpdatedAt": "2018-11-03T13:22:13.933Z"
}
}
```

### Sample queries

```sql title="Findings by resource type and severity query"
(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub")
| json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources",
"Severity.Normalized", "SourceUrl",
"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at,
updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop
| parse regex field=finding_types "\"(?<finding_type>.*?)\"" multi
| parse regex field=resources "\"Type\":\"(?<resource_type>.*?)\"" multi
| parse regex field=resources "\"Id\":\"(?<resource_id>.*?)\"" multi
| parse regex field=product_arn "product/(?<finding_provider>.*?)$"
| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75),
max(severity_normalized) by resource_type
```

## Installing the Amazon Inspector app

Once you've set up ingestion of findings from AWS Security Hub, you can install the Sumo Logic app for Amazon Inspector and use the pre-configured searches and dashboards.
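Review bot: the removed sample block is moved verbatim into the new `## Log types` section, and it carries over values with stray spaces inside them (`us-west- 2`, `2018-11- 06T13:22:13.933Z`, `i- 01234567890afbcefa`, `us-west-2: 123456789012:instance:i- 01234567890abcefa`) that are not valid regions, timestamps, instance IDs or ARNs and will mislead anyone who pastes the sample to try the query; since the block is being touched anyway, remove the spaces in the added copy.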