Sumo Logic
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Sumo Logic.
The Dropzone AI Platform integrates with Sumo Logic, a cloud based machine data analytics product. Integrating Sumo Logic with Dropzone allows Dropzone to automatically investigate security incidents using the data within Sumo Logic.
Create an API Key
Sumo Logic requires an API key to enable.
To obtain an API Key, do the following:
Login as an administrator to the Sumo Logic at the appropriate URL, e.g. http://service.sumologic.com
In the bottom left hand corner of the Sumo Logic homepage, click on Administration > Security
Click "Add Access Key"
Name the Access Key something memorable, such as Dropzone AI, then click "Save"
Copy the Access ID and Access Key shown for use later in the Dropzone UI where they are called "Access ID" and "Access Key" respectively, then click "Done"
Enable the Dropzone Data Source Integration
Access ID
The "Access ID" value you copied earlier
Access Key
The "Access Key" value you copied earlier
API Hostname
Your Sumo Logic API hostname, e.g. api.us2.sumologic.com
Sumo Logic UI Hostname
Your Sumo Logic Hostname, e.g. service.us2.sumologic.com
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations
Click "Available"
In the Search bar, search Sumo Logic, then click "Configure"
Under the Data Source header, input your Access ID, Access Key, and API Hostname
If you wish, you may exclude specific data source categories from Dropzone investigations. To do so, in the "Ignored Source Categories" section, click "Add Item." Then input the source categories you wish for Dropzone to ignore
Under "Lookup Tables," you may input specific Sumo Logic lookup tables to provide added contextual information in Dropzone's analysis. See the "Configure Lookup Tables for Enhanced Enrichment" section of this documentation for further information
In the "Data Tiers" section, select which Sumo Logic data tiers you want Dropzone to be able to investigate. By default, only the Continuous tier is utilized
Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
Enable the Dropzone Alert Source Integration
In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Sumo Logic.
You'll need the following information:
Access ID
The "Access ID" value you copied earlier
Access Key
The "Access Key" value you copied earlier
API Hostname
Your Sumo Logic API hostname, e.g. api.us2.sumologic.com
Sumo Logic UI Hostname
Your Sumo Logic Hostname, e.g. service.us2.sumologic.com
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations
Click "Available"
In the Search bar, search Sumo Logic, then click "Configure"
Under the Alert Source header, input your Access ID, Access Key, API Domain, and Sumo Logic Hostname
In the "Sumo Logic Alert Search Queries" section, you must input Sumo Logic-specific search query terms to select alerts to investigate. To do so, click "Add Item," then input the query details
For example, if your MS Defender alerts are sent to a source category named msgraph-security, you would add the following query:
_sourceCategory=msgraph-security
If you wish to enable Sumo Logic's Cloud SIEM, check the box labeled "Enabled" in the Cloud SIEM section. Then select the severity levels you want Dropzone to investigate alerts for. If you wish to exclude incident statuses from investigation, click "Add Item" under "Excluded Statuses" and input each status by name
In the Data Tiers section, select which Sumo Logic data tiers you wish for Dropzone to be able to investigate. By default, only the Continuous tier is utilized
Input your desired poll interval and lookback
Click "Test & Save" to finish
If you have any errors or questions, engage your Dropzone AI support representative.
Configure Lookup Tables for Enhanced Enrichment
Dropzone can leverage your existing Sumo Logic lookup tables to enhance security investigations with contextual organizational data. This enrichment helps Dropzone to better understand whether activity is legitimate or suspicious.
Five types of lookup tables are supported for enrichment: IP addresses, user emails, domains, devices (id, hostname or ip), and file hashes.
Configure Lookup Tables in Dropzone
To configure lookup tables in your Sumo Logic Data Source integration, you'll need the following information:
Path
The Lookup Table Path in Sumo Logic - see below for instructions on how to locate it
Type
The type of data the Lookup Table contains
Primary Key Field
The field name used for lookups
To obtain your Lookup Table Path, do the following:
In your Sumo Logic instance, navigate to the Library
Navigate to your lookup table location
Right-click on your desired lookup table and select "Copy Path"
To configure lookup tables in your Sumo Logic Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations
Click "Connected"
In the Search bar, search Sumo Logic, then click on it
Scroll down to the "Lookup Tables" section
Click "Add Item"
For each lookup table you wish to include, input their Path, Type, and Primary Key Field
Click "Test & Save" to finish
During security investigations, Dropzone will automatically query your configured lookup tables to enrich entities it encounters to provide contextual information.
If you have any errors or questions, engage your Dropzone AI support representative.
Last updated
Was this helpful?