Sumo Logic

The Dropzone AI Platform integrates with Sumo Logic, a cloud-based machine data analytics product. Integrating Sumo Logic with Dropzone allows Dropzone to automatically investigate security incidents using the data held in Sumo Logic.

Create an API Key

The Sumo Logic integration requires an API key (a Sumo Logic Access ID and Access Key pair) to enable.

To obtain an API Key, do the following:

  • Log in to Sumo Logic as an administrator at the appropriate URL, e.g. http://service.sumologic.com

  • In the bottom left-hand corner of the Sumo Logic homepage, click Administration > Security

Navigate to Administration
  • Click "Add Access Key"

Add access key
  • Name the Access Key something memorable, such as Dropzone AI, then click "Save"

Name and Save API
  • Copy the Access ID and Access Key shown; you will enter them later in the Dropzone UI, where they are called "Access ID" and "Access Key" respectively. Then click "Done"

Copy API Key and Secret

Enable the Dropzone Data Source Integration

You'll need the following information:

Dropzone Field            Source
Access ID                 The "Access ID" value you copied earlier
Access Key                The "Access Key" value you copied earlier
API Hostname              Your Sumo Logic API hostname, e.g. api.us2.sumologic.com
Sumo Logic UI Hostname    Your Sumo Logic UI hostname, e.g. service.us2.sumologic.com

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left-hand corner, click Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search Sumo Logic, then click "Configure"

The Sumo Logic Tile
  • Under the Data Source header, input your Access ID, Access Key, and API Hostname

The Sumo Logic data source configuration (pt 1)
  • Optionally, exclude specific source categories from Dropzone investigations: in the "Ignored Source Categories" section, click "Add Item", then input each source category you want Dropzone to ignore

  • Under "Lookup Tables," you may input specific Sumo Logic lookup tables to provide added contextual information in Dropzone's analysis. See the "Configure Lookup Tables for Enhanced Enrichment" section of this documentation for further information

The Sumo Logic data source configuration (pt 2)
  • In the "Data Tiers" section, select which Sumo Logic data tiers you want Dropzone to be able to investigate. By default, only the Continuous tier is utilized

The Sumo Logic data source configuration (pt 3)
  • Click "Test & Save" to finish

If you have any errors, engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Sumo Logic.

You'll need the following information:

Dropzone Field            Source
Access ID                 The "Access ID" value you copied earlier
Access Key                The "Access Key" value you copied earlier
API Hostname              Your Sumo Logic API hostname, e.g. api.us2.sumologic.com
Sumo Logic UI Hostname    Your Sumo Logic UI hostname, e.g. service.us2.sumologic.com

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left-hand corner, click Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search Sumo Logic, then click "Configure"

The Sumo Logic Tile
  • Under the Alert Source header, input your Access ID, Access Key, API Hostname, and Sumo Logic UI Hostname

The Sumo Logic alert source configuration (pt 1)
  • In the "Sumo Logic Alert Search Queries" section, you must input Sumo Logic search query terms that select the alerts to investigate. To do so, click "Add Item", then input the query details

    • For example, if your MS Defender alerts are sent to a source category named msgraph-security, you would add the following query: _sourceCategory=msgraph-security

The Sumo Logic Alert Source Configuration (pt 2)
  • If you wish to enable Sumo Logic's Cloud SIEM, check the box labeled "Enabled" in the Cloud SIEM section. Then select the severity levels you want Dropzone to investigate alerts for. If you wish to exclude incident statuses from investigation, click "Add Item" under "Excluded Statuses" and input each status by name

The Sumo Logic Alert Source Configuration (pt 3)
  • In the Data Tiers section, select which Sumo Logic data tiers you wish for Dropzone to be able to investigate. By default, only the Continuous tier is utilized

The Sumo Logic alert source configuration (pt 4)
  • Input your desired poll interval and lookback

The Sumo Logic alert source configuration (pt 5)
  • Click "Test & Save" to finish

If you have any errors or questions, engage your Dropzone AI support representative.

Configure Lookup Tables for Enhanced Enrichment

Dropzone can leverage your existing Sumo Logic lookup tables to enhance security investigations with contextual organizational data. This enrichment helps Dropzone to better understand whether activity is legitimate or suspicious.

Five types of lookup tables are supported for enrichment: IP addresses, user emails, domains, devices (ID, hostname, or IP), and file hashes.

Configure Lookup Tables in Dropzone

To configure lookup tables in your Sumo Logic Data Source integration, you'll need the following information:

Dropzone Field            Source
Path                      The lookup table path in Sumo Logic (see below for how to locate it)
Type                      The type of data the lookup table contains
Primary Key Field         The field name used for lookups

To obtain your Lookup Table Path, do the following:

  • In your Sumo Logic instance, navigate to the Library

  • Navigate to your lookup table location

  • Right-click on your desired lookup table and select "Copy Path"

Copy Path from Sumo Logic Library for Lookup Tables

To configure lookup tables in your Sumo Logic Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left-hand corner, click Settings > Integrations

Integrations Dropdown
  • Click "Connected"

Click Available
  • In the Search bar, search Sumo Logic, then click on it

Click on Sumo Logic
  • Scroll down to the "Lookup Tables" section

  • Click "Add Item"

  • For each lookup table you wish to include, input its Path, Type, and Primary Key Field

Sumo Logic Integration Configuration with Lookup Tables
  • Click "Test & Save" to finish

During security investigations, Dropzone automatically queries your configured lookup tables to enrich the entities it encounters with contextual information.
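The values collected above (Access ID, Access Key, API Hostname, UI Hostname and each lookup table Path) can be checked against Sumo Logic before you click "Test & Save". The script below is an added illustration, not Dropzone's or Sumo Logic's own code; it assumes the public Sumo Logic API conventions (HTTP Basic auth with accessId:accessKey, the /api/v1/collectors and /api/v2/content/path endpoints, and "Lookups" as the content item type for lookup tables), and the hostnames and library path in the main block are placeholders.

```python
"""Pre-flight check of the Sumo Logic values entered into Dropzone (added example)."""
import base64
import json
import re
import urllib.parse
import urllib.request

# api.<deployment>.sumologic.com / service.<deployment>.sumologic.com;
# the original US deployment carries no label (e.g. service.sumologic.com).
HOST_RE = re.compile(r"^(api|service)\.(?:([a-z0-9-]+)\.)?sumologic\.com$")


def deployment(hostname: str) -> str:
    """Deployment label of a Sumo Logic API or UI hostname, e.g. "us2" ("" for US1)."""
    m = HOST_RE.match(hostname.strip().lower())
    if not m:
        raise ValueError(f"not a Sumo Logic api/service hostname: {hostname!r}")
    return m.group(2) or ""


def hostnames_match(api_hostname: str, ui_hostname: str) -> bool:
    """API Hostname and Sumo Logic UI Hostname must name the same deployment."""
    return deployment(api_hostname) == deployment(ui_hostname)


def auth_header(access_id: str, access_key: str) -> str:
    """Sumo Logic API calls authenticate with HTTP Basic auth, accessId:accessKey."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return f"Basic {token}"


def api_get(api_hostname: str, access_id: str, access_key: str, path: str, **query):
    """GET an API path over TLS; a wrong key raises HTTPError 401, a bad path 404."""
    url = f"https://{api_hostname}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, headers={"Authorization": auth_header(access_id, access_key)})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def preflight(api_hostname, ui_hostname, access_id, access_key, lookup_paths):
    """Hostnames agree, the key authenticates, and each "Copy Path" value is a lookup table."""
    if not hostnames_match(api_hostname, ui_hostname):
        raise RuntimeError("API and UI hostnames point at different Sumo Logic deployments")
    api_get(api_hostname, access_id, access_key, "/api/v1/collectors", limit=1)
    for path in lookup_paths:
        item = api_get(api_hostname, access_id, access_key, "/api/v2/content/path", path=path)
        if item.get("itemType") != "Lookups":  # assumed item type for lookup tables
            raise RuntimeError(f"{path} is {item.get('itemType')}, not a lookup table")
    return True


if __name__ == "__main__":  # placeholder values; replace with your own before running
    preflight("api.us2.sumologic.com", "service.us2.sumologic.com", "ACCESS_ID_PLACEHOLDER",
              "ACCESS_KEY_PLACEHOLDER", ["/Library/Users/you@example.com/known_hosts"])
```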

If you have any errors or questions, engage your Dropzone AI support representative.
