Sumo Logic
The Dropzone AI Platform integrates with Sumo Logic, a cloud-based machine data analytics product. Integrating Sumo Logic with Dropzone allows Dropzone to automatically investigate security alerts using the log data already stored in Sumo Logic.
Create an API Key
The Sumo Logic integration authenticates with a Sumo Logic access key, which consists of an Access ID and an Access Key pair.
To obtain an access key, do the following:
Log in to Sumo Logic as an administrator at your deployment's URL, e.g. https://service.sumologic.com (or a regional URL such as https://service.us2.sumologic.com)
In the bottom left-hand corner of the Sumo Logic homepage, click Administration > Security, then open the Access Keys tab

Click "Add Access Key"

Name the Access Key something memorable, such as Dropzone AI, then click "Save". The key inherits the role capabilities of the user who creates it, so create it from a dedicated service account that can search only the data Dropzone needs to investigate, rather than from a personal administrator account

Copy the Access ID and Access Key shown; the Access Key is displayed only once and cannot be retrieved later. You will enter these values in the Dropzone UI, where they are called "Access ID" and "Access Key" respectively. Then click "Done"

Enable Sumo Logic
To enable the Alert Source integration, you'll need the following information:
Access ID
The "Access ID" value you copied earlier
Access Key
The "Access Key" value you copied earlier
API Hostname
Your Sumo Logic API hostname, e.g. api.us2.sumologic.com. It must belong to the same Sumo Logic deployment as the UI hostname below
Sumo Logic UI Hostname
Your Sumo Logic UI hostname, e.g. service.us2.sumologic.com
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left-hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search Sumo Logic, then click "Configure"

Under the Alert Source header, input your Access ID, Access Key, API Hostname, and Sumo Logic UI Hostname

In the "Sumo Logic Alert Search Queries" section, input one or more Sumo Logic search queries that select the alerts Dropzone should investigate. Click "Add Item", then input the query details
For example, if your Microsoft Defender alerts are sent to a source category named msgraph-security, you would add the following query:
_sourceCategory=msgraph-security

If you use Sumo Logic's Cloud SIEM, check the box labeled "Enabled" in the Cloud SIEM section, then select the severity levels you wish Dropzone to investigate
If you wish to exclude incident statuses from investigation, click "Add Item" under "Excluded Statuses" and input each status by name

In the Data Tiers section, select which Sumo Logic data tiers Dropzone is allowed to search. By default, only the Continuous tier is searched

Input your desired poll interval (how often Dropzone queries Sumo Logic for new alerts) and lookback (how far back in time each poll searches)

Click "Test & Save" to finish
If you have any errors or questions, engage your Dropzone AI support representative.