# Sumo Logic

The Dropzone AI Platform integrates with [Sumo Logic](https://www.sumologic.com/), a cloud-based machine data analytics product. Integrating Sumo Logic with Dropzone allows Dropzone to automatically investigate security incidents using the data held in Sumo Logic.

## Create an API Key

The Sumo Logic integration requires an API key to be enabled.

To obtain an API Key, do the following:

* Log in to Sumo Logic as an administrator at the appropriate URL, e.g. <http://service.sumologic.com>
* In the bottom left-hand corner of the Sumo Logic homepage, click Administration > Security

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-549f02bd67f5c2e9f2d9a5903ed3e3b58529c06a%2Fsumo-logic-api-1.png?alt=media" alt=""><figcaption><p>Navigate to Administration</p></figcaption></figure>

* Click "Add Access Key"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-376a2fe9982089bf0037493f46411e51a579ca5d%2Fsumo-logic-api-2.png?alt=media" alt=""><figcaption><p>Add access key</p></figcaption></figure>

* Name the Access Key something memorable, such as Dropzone AI, then click "Save"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-454c1649b4561bf48b4a1aef184cbeb6c06cee05%2Fsumo-logic-api-3.png?alt=media" alt=""><figcaption><p>Name and Save API</p></figcaption></figure>

* Copy the Access ID and Access Key shown for use later in the Dropzone UI, where they are called "Access ID" and "Access Key" respectively, then click "Done"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f07cced94430f06655f0f5d459ce0573eb456518%2Fsumo-logic-api-4.png?alt=media" alt=""><figcaption><p>Copy API Key and Secret</p></figcaption></figure>

## Enable Sumo Logic

To enable the Alert Source integration, you'll need the following information:

| Dropzone Field         | Source                                                   |
| ---------------------- | -------------------------------------------------------- |
| Access ID              | The "Access ID" value you copied earlier                 |
| Access Key             | The "Access Key" value you copied earlier                |
| API Hostname           | Your Sumo Logic API hostname, e.g. api.us2.sumologic.com |
| Sumo Logic UI Hostname | Your Sumo Logic UI hostname, e.g. service.us2.sumologic.com |

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https://*mycompany*.dropzone.app
* In the bottom left-hand corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search for Sumo Logic, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-185eae6a232e0721ac46706b49162934efdf9dea%2Fapp_system_integrations_available_sumologic.png?alt=media" alt=""><figcaption><p>The Sumo Logic Tile</p></figcaption></figure>

* Under the Alert Source header, input your Access ID, Access Key, API Hostname, and Sumo Logic UI Hostname (the values listed in the table above)

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-fb4e1c0cb56de58cd99f4f53c11511bb53d2bc54%2Fapp_system_integrations_available_sumologic_alert_config.png?alt=media" alt=""><figcaption><p>The Sumo Logic alert source configuration (pt 1)</p></figcaption></figure>

* In the "Sumo Logic Alert Search Queries" section, you must input [Sumo Logic-specific search query terms](https://help.sumologic.com/docs/search/get-started-with-search/build-search/search-syntax-overview/) to select alerts to investigate. To do so, click "Add Item," then input the query details
  * For example, if your MS Defender alerts are sent to a source category named msgraph-security, you would add the following query: `_sourceCategory=msgraph-security`

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-c973724294a9d5b6dec6c0cdd5a5380b3c9a794f%2Fapp_system_integrations_available_sumologic_alert_config_1.png?alt=media" alt=""><figcaption><p>The Sumo Logic Alert Source Configuration (pt 2)</p></figcaption></figure>

* If you wish to enable Sumo Logic's Cloud SIEM, check the box labeled "Enabled" in the Cloud SIEM section, then select the severity levels you wish Dropzone to investigate
* If you wish to exclude [incident statuses](https://help.sumologic.com/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/#3-insights-by-status) from investigation, click "Add Item" under "Excluded Statuses" and input each status by name
* If you wish to exclude any alerts that may be generated by [Prelude Security](https://www.preludesecurity.com/platform/security-control-validation) attack simulations, check the box labeled "Exclude Prelude Security Alerts"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-2f048fb1d447b3996deb90f8a28a634cc100a611%2Fapp_system_integrations_available_sumologic_alert_config_2.png?alt=media" alt=""><figcaption><p>The Sumo Logic Alert Source Configuration (pt 3)</p></figcaption></figure>

* In the "Alert Title Filtering" section, you may choose to include or exclude alerts from investigation based on their title. To do so, select "include" or "exclude" from the dropdown, then click "Add Item" and input a Python regex pattern to match alert titles. Continue clicking "Add Item" to add further patterns until done

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-2a04f7a02fe558697c75a69bc9de308d4e518e41%2Fapp_system_integrations_available_sumologic_alert_config_5.png?alt=media" alt=""><figcaption><p>The Sumo Logic Alert Source Configuration (pt 4)</p></figcaption></figure>

* In the Data Tiers section, select which Sumo Logic [data tiers](https://help.sumologic.com/docs/manage/partitions/data-tiers/) you want Dropzone to be able to investigate. By default, only the Continuous tier is used

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f88884dbb7bc313a5e6fe2c62f9947e385991031%2Fapp_system_integrations_available_sumologic_alert_config_4.png?alt=media" alt=""><figcaption><p>The Sumo Logic Alert Source Configuration (pt 5)</p></figcaption></figure>

* Input your desired poll interval and lookback

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-2eea10002fa65adf35eeaee35f631bd2c99fb7ec%2Fapp_system_integrations_available_sumologic_alert_config_3.png?alt=media" alt=""><figcaption><p>The Sumo Logic Alert Source Configuration (pt 6)</p></figcaption></figure>

* Click "Test & Save" to finish
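As an added example, not Dropzone's or Sumo Logic's code, the following Python models how the Cloud SIEM severity, "Excluded Statuses" and "Alert Title Filtering" settings above combine to select alerts, so a candidate filter set can be sanity-checked over sample alerts before "Test & Save". The `FilterConfig` fields, the sample alerts and the unanchored `re.search` matching are assumptions, since the page does not state how Dropzone evaluates the patterns.

```python
import re
from dataclasses import dataclass, field


@dataclass
class FilterConfig:
    """Hypothetical model of the Alert Source settings; field names are assumptions."""
    severities: set = field(default_factory=set)         # Cloud SIEM severities to investigate
    excluded_statuses: set = field(default_factory=set)  # "Excluded Statuses", by name
    title_mode: str = "exclude"                          # "Alert Title Filtering" dropdown: include/exclude
    title_patterns: list = field(default_factory=list)   # Python regex patterns added via "Add Item"


def invalid_patterns(patterns):
    """Return the patterns Python's re module rejects, so a typo is caught before saving."""
    bad = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error:
            bad.append(p)
    return bad


def title_matches(title, patterns):
    # Assumption: an unanchored search; anchor a pattern with ^ and $ for a full-title match.
    return any(re.search(p, title) for p in patterns)


def select_alerts(alerts, cfg):
    """Return (ids to investigate, {dropped id: reason}) under cfg."""
    chosen, dropped = [], {}
    for a in alerts:
        if a["severity"] not in cfg.severities:
            dropped[a["id"]] = "severity"
        elif a["status"] in cfg.excluded_statuses:
            dropped[a["id"]] = "status"
        elif cfg.title_mode == "exclude" and title_matches(a["title"], cfg.title_patterns):
            dropped[a["id"]] = "title"
        elif cfg.title_mode == "include" and not title_matches(a["title"], cfg.title_patterns):
            dropped[a["id"]] = "title"
        else:
            chosen.append(a["id"])
    return chosen, dropped


SAMPLE_ALERTS = [  # constructed sample insights, not real Sumo Logic data
    {"id": "A1", "severity": "HIGH",   "status": "New",    "title": "Credential Access: Password Spray"},
    {"id": "A2", "severity": "LOW",    "status": "New",    "title": "Initial Access: Phishing Link Clicked"},
    {"id": "A3", "severity": "HIGH",   "status": "Closed", "title": "Lateral Movement: Pass the Hash"},
    {"id": "A4", "severity": "MEDIUM", "status": "New",    "title": "TEST - Scheduled Tabletop Exercise"},
]

# Candidate configuration: investigate HIGH/MEDIUM, skip closed insights, drop titles starting "TEST"
CONFIG = FilterConfig(severities={"HIGH", "MEDIUM"}, excluded_statuses={"Closed"},
                      title_mode="exclude", title_patterns=[r"^TEST\b"])
```

Running `select_alerts(SAMPLE_ALERTS, CONFIG)` keeps only A1 and reports why each other alert was dropped, which is the view to check before switching the dropdown to "include", where an empty pattern list drops everything.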

If you have any errors or questions, engage your Dropzone AI support representative.
