Sumo Logic provides best-in-class cloud monitoring, log management, Cloud SIEM tools, and real-time insights for web and SaaS-based apps.
This document provides information about the Sumo Logic connector, which facilitates automated interactions with a Sumo Logic server using FortiSOAR™ playbooks. Add the Sumo Logic connector as a step in FortiSOAR™ playbooks and perform automated operations with Sumo Logic.
Connector Version: 1.1.0
Authored By: SpryIQ.Co
Certified: No
The following enhancements have been made to the Sumo Logic connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
```shell
yum install cyops-connector-sumo-logic
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Sumo Logic connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Sumo Logic API server to which you will connect and perform automated operations. |
| Access ID | ID required to access the Sumo Logic API. |
| Access Key | Key to access the Sumo Logic API. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is selected, i.e., set to true. |
You can use the following automated operations in playbooks and also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Search Job | Creates a search job in Sumo Logic based on the specified query, time range, and other input parameters that you have specified. | create_search_job Investigation |
| Get Search Job Status | Retrieves the current status of a search job from Sumo Logic based on the search job ID and pagination parameters you have specified. | get_search_job_status Investigation |
| Get Messages Founded by Search Job | Retrieves messages found by a search job from Sumo Logic based on the search job ID and pagination parameters you have specified. | get_messages_founded_by_search_job Investigation |
| Get Records Founded by Search Job | Retrieves records found by a search job from Sumo Logic based on the search job ID and pagination parameters you have specified. | get_records_founded_by_search_job Investigation |
| Delete Search Job | Deletes a search job from Sumo Logic based on the search job ID you have specified. | delete_search_job Investigation |
| Get the List of All Insights | Retrieves a list of insights from the Sumo Logic server. NOTE: This API does not return more than 10,000 Signals for a given query, even when split over many pages. To retrieve all Signals, use the | get_list_of_all_insights Investigation |
| Get Details By Insights ID | Retrieves details of an insight from Sumo Logic based on the insight ID that you have specified. NOTE: This API does not return more than 10,000 Signals for a given query, even when split over many pages. To retrieve all Signals, use the | get_details_by_insights_id Investigation |
| Get the List of Insights By Query | Retrieves a list of insights from Sumo Logic based on the query, pagination, and other input parameters that you have specified. NOTE: This API does not return more than 10,000 Signals for a given query, even when split over many pages. To retrieve all Signals, use the | get_list_of_insights_by_query Investigation |
Input parameters for the Create Search Job operation:

| Parameter | Description |
|---|---|
| Query | Specify the query with which you want to create and execute a search job in Sumo Logic. NOTE: You must add this query in a valid JSON format. |
| From | Specify the start date and time from which the search in Sumo Logic begins. The date must be in the YYYY-MM-DDTHH:mm:ss format. |
| To | Specify the end date and time at which the search in Sumo Logic ends. The date must be in the YYYY-MM-DDTHH:mm:ss format. |
| Time Zone | Select the timezone in which you want to run the search in Sumo Logic. |
The output contains the following populated JSON schema:

```json
{
  "id": "",
  "link": {
    "rel": "",
    "href": ""
  }
}
```
Input parameters for the Get Search Job Status operation:

| Parameter | Description |
|---|---|
| Search Job ID | Specify the ID of the search job whose status you want to retrieve from Sumo Logic. |
The output contains the following populated JSON schema:

```json
{
  "state": "",
  "histogramBuckets": [
    {
      "startTimestamp": "",
      "length": "",
      "count": ""
    }
  ],
  "messageCount": "",
  "recordCount": "",
  "pendingWarnings": [],
  "pendingErrors": [],
  "usageDetails": ""
}
```
Input parameters for the Get Messages Founded by Search Job operation:

| Parameter | Description |
|---|---|
| Search Job ID | Specify the ID of the search job whose messages you want to retrieve from Sumo Logic. |
| Offset | Specify the number of messages to skip when retrieving results. This parameter is useful if you want a subset of the results, for example the messages starting from the 10th message. By default, this is set to 0. |
| Limit | Specify the maximum number of messages, per page, that this operation should return. |
The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "messages": [
    {
      "map": {
        "_collector": "",
        "eventtime": "",
        "type": "",
        "eventsource": "",
        "_messageid": "",
        "_size": "",
        "accountid": "",
        "category_string": "",
        "event_type": "",
        "action": "",
        "awsaccountid": "",
        "eventversion": "",
        "groupid": "",
        "_sourceid": "",
        "cidr_block": "",
        "requestid": "",
        "_source": "",
        "eventtype": "",
        "from_port": "",
        "eventid": "",
        "_raw": "",
        "_collectorid": "",
        "useragent": "",
        "_sourcehost": "",
        "eventname": "",
        "accesskeyid": "",
        "egress": "",
        "computer": "",
        "logon_id": "",
        "msg_summary": "",
        "account_name": "",
        "_format": "",
        "arn": "",
        "_blockid": "",
        "sourceipaddress": "",
        "account_domain": "",
        "_messagetime": "",
        "to_port": "",
        "_messagecount": "",
        "principalid": "",
        "recipientaccountid": "",
        "_sourcename": "",
        "event_id": "",
        "_view": "",
        "_receipttime": "",
        "_sourcecategory": "",
        "category": "",
        "responseelements": "",
        "awsregion": "",
        "username": ""
      }
    }
  ]
}
```
Input parameters for the Get Records Founded by Search Job operation:

| Parameter | Description |
|---|---|
| Search Job ID | Specify the ID of the search job whose records you want to retrieve from Sumo Logic. |
| Offset | Specify the number of records to skip when retrieving results. This parameter is useful if you want a subset of the results, for example the records starting from the 10th record. By default, this is set to 0. |
| Limit | Specify the maximum number of records, per page, that this operation should return. |
The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "records": [
    {
      "map": {
        "_count": "",
        "_sourcecategory": ""
      }
    }
  ]
}
```
Input parameters for the Delete Search Job operation:

| Parameter | Description |
|---|---|
| Search Job ID | Specify the ID of the search job that you want to delete from Sumo Logic. |
The output contains the following populated JSON schema:

```json
{
  "id": ""
}
```
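The search job operations (Create Search Job, Get Search Job Status, Get Messages Founded by Search Job, Delete Search Job) form one asynchronous procedure: create the job, poll its status until it is done gathering, page through the results with Offset and Limit, then delete the job. The following Python client is an added example, not part of the connector or this document; it assumes the Sumo Logic Search Job API v1 paths and status codes (`/api/v1/search/jobs`, 202 on create, 200 on delete, HTTP Basic auth with Access ID and Access Key) and replaces a live server with a constructed fake transport, so the class, function names and sample messages are all assumptions made here.

```python
import base64
import json

class SumoSearchClient:
    def __init__(self, server_url, access_id, access_key, transport):
        self.base = server_url.rstrip("/") + "/api/v1/search/jobs"  # Search Job API v1 path
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()  # HTTP Basic: Access ID:Access Key
        self.headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
        self.transport = transport  # callable(method, url, headers, body) -> (status, dict); use requests for real
    def create_search_job(self, query, start, end, time_zone="UTC"):
        body = json.dumps({"query": query, "from": start, "to": end, "timeZone": time_zone})
        status, data = self.transport("POST", self.base, self.headers, body)
        if status != 202:  # the job is accepted asynchronously; the reply carries only its id and link
            raise RuntimeError(f"search job not accepted: HTTP {status}")
        return data["id"]
    def wait_until_done(self, job_id, max_polls=60):
        for _ in range(max_polls):  # poll Get Search Job Status until the job stops gathering
            _, data = self.transport("GET", f"{self.base}/{job_id}", self.headers, None)
            if data["state"] == "DONE GATHERING RESULTS":
                return data
            if data["state"] in ("CANCELLED", "FORCE PAUSED"):  # terminal states: do not spin until timeout
                raise RuntimeError(f"search job ended in state {data['state']}")
        raise TimeoutError("search job still gathering after max_polls status checks")
    def iter_messages(self, job_id, page_size=100):
        offset, page = 0, [None]  # page with offset/limit until an empty page comes back
        while page:
            url = f"{self.base}/{job_id}/messages?offset={offset}&limit={page_size}"
            page = self.transport("GET", url, self.headers, None)[1].get("messages", [])
            yield from (m["map"] for m in page)
            offset += len(page)
    def delete_search_job(self, job_id):
        return self.transport("DELETE", f"{self.base}/{job_id}", self.headers, None)[0] == 200

# Constructed stand-in for a Sumo Logic server: three sample messages, first status poll still gathering.
SAMPLE = [{"map": {"_messageid": str(i), "eventname": "ConsoleLogin"}} for i in range(1, 4)]
_polls = {"n": 0}
def fake_transport(method, url, headers, body):
    if method == "POST":
        json.loads(body)  # the request body must be valid JSON, as the connector's Query note requires
        return 202, {"id": "JOB1", "link": {"rel": "self", "href": url + "/JOB1"}}
    if method == "DELETE":
        return 200, {"id": "JOB1"}
    if "/messages?" in url:
        off, lim = (int(p.split("=")[1]) for p in url.split("?", 1)[1].split("&"))
        return 200, {"fields": [], "messages": SAMPLE[off:off + lim]}
    _polls["n"] += 1
    return 200, {"state": "GATHERING RESULTS" if _polls["n"] < 2 else "DONE GATHERING RESULTS",
                 "messageCount": len(SAMPLE), "recordCount": 0}

def run_search(client, query, start, end):
    job_id = client.create_search_job(query, start, end)
    try:
        client.wait_until_done(job_id)
        return list(client.iter_messages(job_id, page_size=2))
    finally:
        client.delete_search_job(job_id)  # always release the job, even when a step above fails
```

The page size of 2 forces three pages (2, 1, then empty) so the offset loop is exercised; in a playbook the same structure maps onto the four connector steps with Limit as the page size.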
The Get the List of All Insights operation takes no input parameters.
The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "records": [
    {
      "map": {
        "_count": "",
        "_sourcecategory": ""
      }
    }
  ]
}
```
Input parameters for the Get Details By Insights ID operation:

| Parameter | Description |
|---|---|
| Insights ID | Specify the ID of the insight whose details you want to retrieve from Sumo Logic. |
The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "records": [
    {
      "map": {
        "_count": "",
        "_sourcecategory": ""
      }
    }
  ]
}
```
Input parameters for the Get the List of Insights By Query operation:

| Parameter | Description |
|---|---|
| Query | Specify the query with which you want to search insights in Sumo Logic. |
| Offset | Specify the number of insights to skip when retrieving results. This parameter is useful if you want a subset of the results, for example the insights starting from the 10th insight. By default, this is set to 0. |
| Limit | Specify the maximum number of insights, per page, that this operation should return. |
| Record Summary Fields | Specify the record summary fields to include in the results. |
The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "records": [
    {
      "map": {
        "_count": "",
        "_sourcecategory": ""
      }
    }
  ]
}
```
The Sample - Sumo Logic - 1.1.0 playbook collection comes bundled with the Sumo Logic connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sumo Logic connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.