Sumo Logic is a cloud-based log management and analytics service that leverages machine-generated big data to deliver real-time IT insights.
This document provides information about the Sumo Logic connector, which facilitates automated interactions with a Sumo Logic server using FortiSOAR™ playbooks. Add the Sumo Logic connector as a step in FortiSOAR™ playbooks to perform automated operations such as creating a search job on Sumo Logic and retrieving the current status of a search job.
Connector Version: 1.1.1
Authored By: Community
Certified: No
The following enhancements have been made in the Sumo Logic connector in version 1.1.1:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

```shell
yum install cyops-connector-sumo-logic
```
For the procedure to configure a connector, click here.
In FortiSOAR, on the Connectors page, click the Sumo Logic connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Sumo Logic API server to which you will connect and perform automated operations. |
| Access ID | ID required to access the Sumo Logic API. |
| Access Key | Key to access the Sumo Logic API. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Keep this enabled outside test environments: with verification disabled, the Access ID and Access Key are sent to whichever host answers for the Server URL. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Create Search Job | Creates a search job based on the specified query and time range in Sumo Logic. | create_search_job Investigation |
| Get Search Job Status | Retrieves the current status of a search job from Sumo Logic based on the search job ID you have specified. | get_status Investigation |
| Get Messages Found by Search Job | Retrieves messages found by a search job from Sumo Logic based on the search job ID, offset, and limit you have specified. | create_search_job Investigation |
| Get Records Found by Search Job | Retrieves records found by a search job from Sumo Logic based on the search job ID, offset, and limit you have specified. | create_search_job Investigation |
| Delete Search Job | Deletes a search job from Sumo Logic based on the search job ID you have specified. | create_search_job Investigation |
Input parameters for the Create Search Job operation:

| Parameter | Description |
|---|---|
| Query | Query with which you want to create and execute a search job in Sumo Logic. Note: You must add this query in a valid JSON format. |
| From | Start date and time from which you want to start the search in Sumo Logic. The date must be in the YYYY-MM-DDTHH:mm:ss format. |
| To | End date and time at which you want to end the search in Sumo Logic. The date must be in the YYYY-MM-DDTHH:mm:ss format. |
| Time Zone | Time zone in which you want to run the search in Sumo Logic. |

The output contains the following populated JSON schema:

```json
{
  "id": "",
  "link": {
    "rel": "",
    "href": ""
  }
}
```
Input parameters for the Get Search Job Status operation:

| Parameter | Description |
|---|---|
| Search Job ID | ID of the search job whose status you want to retrieve from Sumo Logic. |

The output contains the following populated JSON schema:

```json
{
  "state": "",
  "histogramBuckets": [
    {
      "startTimestamp": "",
      "length": "",
      "count": ""
    }
  ],
  "messageCount": "",
  "recordCount": "",
  "pendingWarnings": [],
  "pendingErrors": [],
  "usageDetails": ""
}
```
Input parameters for the Get Messages Found by Search Job operation:

| Parameter | Description |
|---|---|
| Search Job ID | ID of the search job whose messages you want to retrieve from Sumo Logic. |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of messages, say messages starting from the 10th message. By default, this is set to 0. |
| Limit | Maximum number of messages, per page, that this operation should return. |

The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "messages": [
    {
      "map": {
        "_collector": "",
        "eventtime": "",
        "type": "",
        "eventsource": "",
        "_messageid": "",
        "_size": "",
        "accountid": "",
        "category_string": "",
        "event_type": "",
        "action": "",
        "awsaccountid": "",
        "eventversion": "",
        "groupid": "",
        "_sourceid": "",
        "cidr_block": "",
        "requestid": "",
        "_source": "",
        "eventtype": "",
        "from_port": "",
        "eventid": "",
        "_raw": "",
        "_collectorid": "",
        "useragent": "",
        "_sourcehost": "",
        "eventname": "",
        "accesskeyid": "",
        "egress": "",
        "computer": "",
        "logon_id": "",
        "msg_summary": "",
        "account_name": "",
        "_format": "",
        "arn": "",
        "_blockid": "",
        "sourceipaddress": "",
        "account_domain": "",
        "_messagetime": "",
        "to_port": "",
        "_messagecount": "",
        "principalid": "",
        "recipientaccountid": "",
        "_sourcename": "",
        "event_id": "",
        "_view": "",
        "_receipttime": "",
        "_sourcecategory": "",
        "category": "",
        "responseelements": "",
        "awsregion": "",
        "username": ""
      }
    }
  ]
}
```
Input parameters for the Get Records Found by Search Job operation:

| Parameter | Description |
|---|---|
| Search Job ID | ID of the search job whose records you want to retrieve from Sumo Logic. |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say records starting from the 10th record. By default, this is set to 0. |
| Limit | Maximum number of records, per page, that this operation should return. |

The output contains the following populated JSON schema:

```json
{
  "fields": [
    {
      "name": "",
      "fieldType": "",
      "keyField": ""
    }
  ],
  "records": [
    {
      "map": {
        "_count": "",
        "_sourcecategory": ""
      }
    }
  ]
}
```
Input parameters for the Delete Search Job operation:

| Parameter | Description |
|---|---|
| Search Job ID | ID of the search job that you want to delete from Sumo Logic. |

The output contains the following populated JSON schema:

```json
{
  "id": ""
}
```
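The five operations above chain into one workflow: create a search job, poll its status until it is done, page through the results with offset and limit, and delete the job. The following Python is an added example, not code from the connector or from this page; it assumes the Sumo Logic Search Job API paths and the "DONE GATHERING RESULTS" state string (neither is stated on the page) and replaces the real server with a constructed in-memory stand-in so it runs offline.

```python
from typing import Callable, List
from urllib.parse import parse_qsl, urlparse

JOBS = "/api/v1/search/jobs"  # assumed Search Job API path (not on the page)
DONE = "DONE GATHERING RESULTS"  # assumed terminal job state (not on the page)

def wait_for_job(send: Callable[..., dict], job_id: str, max_polls: int = 10) -> dict:
    """Poll Get Search Job Status until the job finishes; fail loudly on errors or a hang."""
    for _ in range(max_polls):
        status = send("GET", f"{JOBS}/{job_id}", {})
        if status["pendingErrors"]:
            raise RuntimeError(f"job {job_id} reported errors: {status['pendingErrors']}")
        if status["state"] == DONE:
            return status
    raise TimeoutError(f"job {job_id} not done after {max_polls} polls")

def fetch_all_messages(send: Callable[..., dict], job_id: str, total: int, limit: int) -> List[dict]:
    out: List[dict] = []
    while len(out) < total:  # offset = items read so far; stop once messageCount is reached
        page = send("GET", f"{JOBS}/{job_id}/messages?offset={len(out)}&limit={limit}", {})
        batch = [m["map"] for m in page["messages"]]
        if not batch:  # server returned fewer than messageCount promised: stop, do not spin
            break
        out.extend(batch)
    return out

def run_search(send: Callable[..., dict], query: str, frm: str, to: str, tz: str, limit: int = 2) -> List[dict]:
    """Create Search Job -> poll status -> page messages -> Delete Search Job (always, via finally)."""
    job_id = send("POST", JOBS, {"query": query, "from": frm, "to": to, "timeZone": tz})["id"]
    try:
        status = wait_for_job(send, job_id)
        return fetch_all_messages(send, job_id, int(status["messageCount"]), limit)
    finally:
        send("DELETE", f"{JOBS}/{job_id}", {})

def fake_sumo(messages: List[dict]) -> Callable[..., dict]:
    states = iter(["GATHERING RESULTS"])  # constructed server: first poll gathering, then done
    def send(method: str, path: str, body: dict) -> dict:
        if method in ("POST", "DELETE"):
            return {"id": "JOB1", "link": {"rel": "self", "href": f"{JOBS}/JOB1"}}
        if "/messages" in path:
            q = {k: int(v) for k, v in parse_qsl(urlparse(path).query)}
            return {"fields": [], "messages": [{"map": m} for m in messages[q["offset"]:q["offset"] + q["limit"]]]}
        return {"state": next(states, DONE), "messageCount": len(messages), "pendingErrors": [], "pendingWarnings": []}
    return send

SAMPLE = [{"_messageid": str(i), "sourceipaddress": f"10.0.0.{i}"} for i in range(1, 4)]  # constructed sample
def demo() -> List[dict]:
    return run_search(fake_sumo(SAMPLE), "_sourceCategory=aws/cloudtrail", "2024-01-01T00:00:00", "2024-01-01T01:00:00", "UTC")
```

With limit=2 the demo fetches the three sample messages in two pages and deletes the job even if polling raises.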
The Sample - Sumo Logic - 1.1.1 playbook collection comes bundled with the Sumo Logic connector. This collection contains playbook steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sumo Logic connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.