Sumo Logic

The Dropzone AI Platform integrates with Sumo Logic, a cloud based machine data analytics product. Integrating Sumo Logic with Dropzone allows Dropzone to automatically investigate security incidents using the data within Sumo Logic.

Create an API Key

Sumo Logic requires an API key to enable.

To obtain an API Key, do the following:

• Log in as an administrator to the Sumo Logic at the appropriate URL, e.g. http://service.sumologic.com

• In the bottom left hand corner of the Sumo Logic homepage, click on Administration > Security

• Click "Add Access Key"

• Name the Access Key something memorable, such as Dropzone AI, then click "Save"

• Copy the Access ID and Access Key shown for use later in the Dropzone UI where they are called "Access ID" and "Access Key" respectively, then click "Done"

Enable Sumo Logic

To enable the Data Source integration, you'll need the following information:

To enable the Data Source integration, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

• In the bottom left hand corner, navigate to Settings > Integrations

• Click "Available"

• In the Search bar, search Sumo Logic, then click "Configure"

• Under the Data Source header, input your Access ID, Access Key, and API Hostname

• If you wish, you may exclude specific data source categories from Dropzone investigations. To do so, in the "Ignored Source Categories" section, click "Add Item." Then input the source categories you wish for Dropzone to ignore

• Under "Lookup Tables," you may input specific Sumo Logic lookup tables to provide added contextual information in Dropzone's analysis. See the "Configure Lookup Tables for Enhanced Enrichment" section of this documentation for further information

• In the "Data Tiers" section, select which Sumo Logic data tiers you want Dropzone to be able to investigate. By default, only the Continuous tier is utilized

• Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Configure Lookup Tables for Enhanced Enrichment

Dropzone can leverage your existing Sumo Logic lookup tables to enhance security investigations with contextual organizational data. This enrichment helps Dropzone to better understand whether activity is legitimate or suspicious.

Five types of lookup tables are supported for enrichment: IP addresses, user emails, domains, devices (id, hostname or ip), and file hashes.

Configure Lookup Tables in Dropzone

To configure lookup tables in your Sumo Logic Data Source integration, you'll need the following information:

To obtain your Lookup Table Path, do the following:

• In your Sumo Logic instance, navigate to the Library

• Navigate to your lookup table location

• Right-click on your desired lookup table and select "Copy Path"

To configure lookup tables in your Sumo Logic Data Source integration, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

• In the bottom left hand corner, navigate to Settings > Integrations

• Click "Connected"

• In the Search bar, search Sumo Logic, then click on it

• Scroll down to the "Lookup Tables" section

• Click "Add Item"

• For each lookup table you wish to include, input their Path, Type, and Primary Key Field, then click "Add Item"

• Click "Test & Save" to finish

During security investigations, Dropzone will automatically query your configured lookup tables to enrich entities it encounters to provide contextual information.

If you have any errors or questions, engage your Dropzone AI support representative.