Sumo Logic

This is a combined document for enabling the Sumo Logit AI Data Source and Alert Source.

The Dropzone AI Platform integrates with Sumo Logic, a cloud based machine data analytics product. Integrating Sumo Logic with Dropzone allows Dropzone to automatically investigate security incidents using the data within Sumo Logic.

Create an API Key

Sumo Logic requires an API key to enable.

To obtain an API Key, do the following:

  • Login as an administrator to the Sumo Logic at the appropriate URL, e.g. http://service.sumologic.com

  • In the bottom left hand corner of the Sumo Logic homepage, click on Administration > Security

  • Click "Add Access Key"

  • Name the Access Key something memorable, such as Dropzone AI, then click "Save"

  • Copy the Access ID and Access Key shown for use later in the Dropzone UI where they are called "Access ID" and "Access Key" respectively, then click "Done"

Enable the Dropzone Data Source Integration

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Data Sources" in the top left corner

  • In the SIEM section, find the Sumo Logic tile and click "Connect"

  • Input the API key and API Secret

  • Under "Ignored Source Categories" section, you may click "Add Item" and input source categories to ignore. Dropzone will not query source categories in the "Ignored Source Categories" section

  • Click "Test & Save"

If you have any errors engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

In addition to data source integration, Dropzone can be configured to monitor and investigate specific incident types from Sumo Logic.

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Alert Sources"

  • In the SIEM section, find the Sumo Logic tile and click "Connect"

  • Input the Access ID and Access Key

  • Under "Sumo Logic Alert Search Queries", you may click "Add Item" and input Sumo Logic-specific search query terms to select alerts to investigate

    • For example, if your MS Defender alerts are sent to a source category named msgraph-security, you would add the following query: _sourceCategory=msgraph-security

  • Click "Test & Save"

If you have any errors or questions, engage your Dropzone AI support representative.

Last updated