Sumo Logic
Integration version: 16.0
Configure Sumo Logic integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Ping
Description
Test connectivity to Sumo Logic.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
Search
Description
Run a query and get the search results from Sumo Logic.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Query | String | N/A | Sumo Logic query to run. Example: _collector=* |
Delete Search Job | Checkbox | Un-Checked | If checked, delete the jobs after a search is completed. |
Since | String | N/A | Start date of the search, ISO-8601 or unixtime. Example: 1970-01-01T00:00:00. Default: 1 (unixtime). |
To | String | N/A | End date of the search, ISO-8601 or unixtime. Example: 1970-01-01T00:00:00. Default: now (current utc unixtime). |
Limit | String | N/A | Number of results to return. Example: 10. Default: 25. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
results | N/A | N/A |
JSON Result
[
  {
    "_messageid": "-9223372036854773772",
    "_messagetime": "1359407049529",
    "_blockid": "-9223372036854775674",
    "_sourcecategory": "service",
    "_format": "plain:atp:o:0:l:29:p:yyyy-MM-dd HH:mm:ss,SSS ZZZZ",
    "_sourcename": "/Users/christian/Development/sumo/ops/assemblies/latest/service-20.1-SNAPSHOT/logs/service.log",
    "_source": "service",
    "_receipttime": "1359407051885",
    "_collectorid": "1579",
    "_sourceid": "1640",
    "_raw": "2013-01-28 13:04:09,529 -0800 INFO [module=SERVICE] [logger=com.netflix.config.sources.DynamoDbConfigurationSource] [thread=pollingConfigurationSource] Successfully polled Dynamo for a new configuration based on table:raychaser-chiapetProperties",
    "_size": "246",
    "_collector": "local",
    "_messagecount": "2035",
    "_sourcehost": "Chiapet.local"
  }
]
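The Search action's Since and To parameters accept either ISO-8601 or unixtime strings, with documented defaults of 1 and now, while the messages in the JSON Result carry their timestamps as epoch milliseconds in string form. The following Python is an added example, not code from the Sumo Logic integration itself: it shows how such parameter values can be normalised to epoch seconds before a search is issued and how the result timestamps can be made readable. Treating a timezone-less ISO-8601 value as UTC is an assumption of this example, and SAMPLE_MESSAGE is a constructed record trimmed from the JSON Result shape shown above.

```python
"""Helpers around the Sumo Logic Search action parameters and results.

Added example, not part of the integration's own code.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Documented defaults for the Search action: Since -> 1 (unixtime), To -> now.
SINCE_DEFAULT = 1


def to_epoch_seconds(value: Optional[str], default: Optional[int] = None) -> int:
    """Return epoch seconds for a Since/To parameter.

    Accepts a unixtime string ("1700000000"), an ISO-8601 string
    ("1970-01-01T00:00:00" or "2024-01-01T00:00:00+02:00"), or None/"" which
    falls back to `default` (None meaning the current UTC time).
    Naive ISO-8601 values are treated as UTC (assumption made for this example).
    """
    if value is None or value.strip() == "":
        if default is None:
            return int(datetime.now(timezone.utc).timestamp())
        return default
    text = value.strip()
    if text.isdigit():
        return int(text)
    # datetime.fromisoformat accepts a trailing "Z" only from Python 3.11 on.
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def parse_limit(value: Optional[str], default: int = 25) -> int:
    """Limit arrives as a string; fall back to the documented default of 25
    and reject values that cannot be a result count."""
    if value is None or value.strip() == "":
        return default
    limit = int(value)
    if limit <= 0:
        raise ValueError("Limit must be a positive integer")
    return limit


def normalize_message(message: dict) -> dict:
    """Add ISO-8601 UTC copies of the millisecond epoch fields of a message.

    Integer arithmetic keeps the millisecond part exact instead of going
    through a float timestamp.
    """
    out = dict(message)
    for field in ("_messagetime", "_receipttime"):
        if field in out:
            millis = int(out[field])
            stamp = datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
            stamp += timedelta(milliseconds=millis % 1000)
            out[field + "_iso"] = stamp.isoformat(timespec="milliseconds")
    return out


# Constructed sample, trimmed from the JSON Result shape shown on this page.
SAMPLE_MESSAGE = {
    "_messageid": "-9223372036854773772",
    "_messagetime": "1359407049529",
    "_receipttime": "1359407051885",
    "_sourcecategory": "service",
    "_raw": "2013-01-28 13:04:09,529 -0800 INFO [module=SERVICE] ...",
}

if __name__ == "__main__":
    print(to_epoch_seconds("1970-01-01T00:00:00"))   # 0
    print(to_epoch_seconds(None, SINCE_DEFAULT))       # 1
    print(parse_limit(None))                           # 25
    print(normalize_message(SAMPLE_MESSAGE)["_messagetime_iso"])
```

The normalised `_messagetime_iso` for the sample (2013-01-28T21:04:09.529+00:00) agrees with the `-0800` local time written into `_raw`, which is a quick way to confirm that the millisecond fields are being interpreted correctly.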
Connectors
Sumo Logic Connector
Description
Sumo Logic Connector.
Configure Sumo Logic Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter | Type | Default Value | Description |
---|---|---|---|
DeviceProductField | String | device_product | The field name used to determine the device product. Example: _type |
EventClassId | String | name | The field name used to determine the event name (sub-type). Example: _source_match_event_id |
PythonProcessTimeout | String | 60 | The timeout limit (in seconds) for the Python process running the current script. |
API Root | String | null | The Sumo Logic API root, for example: https://api.{region}.sumologic.com |
Access ID | String | null | Sumo Logic access ID. |
Access Key | Password | null | Sumo Logic access key. |
Verify SSL | Checkbox | FALSE | Whether to verify the SSL certificate of the connection to Sumo Logic. |
Alert Name Field | String | null | The name of the field where the alert name is located (flat field path). Example: _sourcecategory |
Timestamp Field | String | null | The name of the field where the timestamp is located (flat field path). Example: _receipttime |
Environment Field | String | null | The name of the field where the environment is located (flat field path). Example: _collector |
Indexes | String | null | Indexes to pull alerts from. |
Alerts Count Limit | Integer | 10 | Max count of alerts to pull in one cycle. Example: 20 |
Max Days Backwards | Integer | 1 | Max number of days to fetch alerts since. Example: 3 |
Proxy Server Address | String | null | The address of the proxy server to use. |
Proxy Username | String | null | The proxy username to authenticate with. |
Proxy Password | Password | null | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports proxy.
Dynamic/whitelist rule support
The connector runs a single search job for each query added as a rule. If both indexes and queries are supplied, the queries take priority over the connector's 'Indexes' parameter.