SumoLogic SIEM Integration Setup
SumoLogic SIEM is a cloud-based security platform that detects threats in real time by analyzing event and incident log data from all of your security tools. miniOrange provides enterprises and their applications with secure access to SumoLogic, and its audit events (SSO, SLO, MFA and admin actions) can be forwarded to SumoLogic SIEM. This guide walks you through the configuration.
Get Free Installation Help
miniOrange offers free help through a consultation call with our System Engineers to install or set up the SumoLogic SIEM SSO solution in your environment, with a 30-day free trial.
To book a slot, send us an email at idpsupport@xecurify.com and we'll help you in no time.
Create HTTP Collector Endpoint
To configure an HTTP Logs and Metrics Source:
- Open the Collection page. Classic UI: in the main SumoLogic menu, select Manage Data > Collection > Collection. New UI: in the SumoLogic top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Select HTTP Logs & Metrics.
- Enter a Name to display for the Source in the Sumo web application. Description is optional. Note the Name you choose: the filter queries below select events with _source set to that name.
- Under Message Processing, enable Multiline Processing.
- Click Save to save the Source.
- Copy the endpoint by clicking the Show URL link.
Note: You need to provide this URL to the miniOrange representative to enable logging. Treat the URL as a secret: it embeds the token that authorizes writes to this Source, so anyone who obtains it can inject events into your SIEM. Share it over a secure channel, keep it out of tickets, chat logs and repositories, and if it leaks, regenerate the URL for the Source in SumoLogic and share the new one.
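Before handing the endpoint over, it is worth confirming that the Source accepts a posted event and that the URL is never echoed in full into logs or tickets. The script below is an added example, not miniOrange or SumoLogic code. It assumes the Source URL is supplied in an environment variable named SUMO_HTTP_SOURCE_URL (an assumed name), that the endpoint follows the usual /receiver/v1/http/<token> layout, and that X-Sumo-Name and X-Sumo-Category are the optional metadata headers the HTTP Source accepts; the test event is constructed and is not a real miniOrange audit record.

```python
"""Smoke-test a SumoLogic HTTP Source endpoint and keep its URL out of logs.

Added example, not miniOrange or SumoLogic code. The environment variable
name, the URL layout and the event shape are assumptions, not the vendor's.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timezone

# Assumed layout of an HTTP Source URL: https://<host>/receiver/v1/http/<token>
_TOKEN_RE = re.compile(r"(/receiver/v1/http/)[^/?#\s]+")


def redact_source_url(url: str) -> str:
    """Mask the token segment so the URL can be printed or ticketed safely."""
    return _TOKEN_RE.sub(r"\1<redacted>", url)


def looks_like_source_url(url: str) -> bool:
    """Reject obviously wrong values (plain http, missing token) before sending."""
    return url.startswith("https://") and _TOKEN_RE.search(url) is not None


def make_test_event(identifier: str) -> dict:
    """Constructed audit-shaped event (assumed shape, not a real miniOrange record).

    It uses auditType ADMIN_AUDIT so it shows up in the Admin Audits query below
    after posting, which confirms both ingestion and the field names end to end.
    """
    return {
        "audit": {
            "auditType": "ADMIN_AUDIT",
            "eventType": "SIEM Connectivity Test",
            "status": "SUCCESS",
            # yyyy-MM-dd'T'HH:mm:ss.SSSXXX, the format the MFA/password-reset queries parse
            "createdDttm": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "target": {"identifier": identifier},
        }
    }


def build_body(event: dict) -> bytes:
    """Pretty-print one event per request so Multiline Processing sees one record."""
    return json.dumps(event, indent=2).encode("utf-8")


def post_event(url: str, body: bytes, timeout: float = 10.0) -> int:
    """POST one event; returns the HTTP status (200 means the Source accepted it)."""
    if not looks_like_source_url(url):
        # Never put the raw URL in an exception message either
        raise ValueError(f"not an HTTPS Source URL: {redact_source_url(url)}")
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "X-Sumo-Name": "miniorange-siem-smoke-test",
            "X-Sumo-Category": "miniorange/audit",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    source_url = os.environ["SUMO_HTTP_SOURCE_URL"]  # assumed variable name
    print("posting to", redact_source_url(source_url))
    status = post_event(source_url, build_body(make_test_event("siem-test@example.com")))
    print("HTTP status", status)
```

After a 200 response, run the Admin Audits query further down with your Source name; the constructed event should appear as one row with EventType "SIEM Connectivity Test". Keeping the URL in an environment variable (or a secrets manager) rather than in the script itself is deliberate: the URL is the credential.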
Filter Query for SSO Audits
In each of the queries below, replace ##name_of_your_source## with the Name you gave the HTTP Source; _source matches events by that name.
_source=##name_of_your_source##
| where audit.auditType = "SSO_AUDIT"
| applicationname as AppName
| enduseremail as Identifier
| loginstatus as Status
| appType as AppType
| formatDate(appLoginDttm, "dd/MM/yyyy HH:mm:ss") as Time
| count by Identifier, AppName, AppType, Status, Time
| fields -_count
Filter Query for SLO Audits
_source=##name_of_your_source##
| where audit.auditType = "SLO_AUDIT"
| applicationname as AppName
| enduseremail as Identifier
| loginstatus as Status
| appType as AppType
| formatDate(appLogoutDttm, "dd/MM/yyyy HH:mm:ss") as Time
| count by Identifier, AppName, AppType, Status, Time
| fields -_count
Filter Query for MFA Audits
_source=##name_of_your_source##
| where audit.audittype = "MFA_AUDIT"
| audit.target.identifier as Identifier
| audit.status as Status
| parseDate(audit.createdDttm, "yyyy-MM-dd'T'HH:mm:ss.SSSXXX") as Time
| formatDate(Time,"dd/MM/yyyy HH:mm:ss") as FormattedTime
| count by Identifier, Status, FormattedTime
| fields -_count
Filter Query for Admin Audits
_source=##name_of_your_source##
| where audit.auditType = "ADMIN_AUDIT"
| audit.status as Status
| audit.target.identifier as Identifier
| audit.eventType as EventType
| count by Identifier, EventType, Status
| fields -_count
Filter Query for Password Reset Audits
_source=##name_of_your_source##
| where audit.audittype = "ADMIN_AUDIT"
| where audit.eventtype = "Password Reset"
| audit.target.identifier as Identifier
| auditValue as AuditMessage
| audit.status as Status
| parseDate(audit.createdDttm, "yyyy-MM-dd'T'HH:mm:ss.SSSXXX") as temptime
| formatDate(temptime,"dd/MM/yyyy HH:mm:ss") as FormattedTime
| count by Identifier, AuditMessage, Status, FormattedTime
| fields -_count
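The MFA, Admin and Password Reset queries above share one pattern: filter on audit.auditType (and optionally audit.eventType), pull a few audit.* fields, reformat createdDttm, and use count by followed by fields -_count to collapse duplicates into distinct rows. The script below replays that pattern in Python over constructed sample events so you can check, before anything reaches SumoLogic, that the events you emit carry the fields the queries reference. It is an added example, not miniOrange or SumoLogic code; the nested event shape (an "audit" object with auditType, status, eventType, createdDttm and target.identifier, plus a top-level auditValue) is assumed from the field names the queries use, the sample events are constructed, and the SSO/SLO queries are left out because their appLoginDttm/appLogoutDttm fields are formatted without parsing, so their type is not known from the page.

```python
"""Replay of the audit.* filter queries against constructed sample events.

Added example, not miniOrange or SumoLogic code. Event shape is assumed from
the field names in the queries; the records below are constructed test data.
"""
from datetime import datetime

# Constructed sample events (assumed shape, not real audit records).
# The first event is duplicated to show the count-by / fields -_count dedup.
SAMPLE_EVENTS = [
    {"audit": {"auditType": "MFA_AUDIT", "status": "SUCCESS",
               "createdDttm": "2024-03-01T09:15:42.123+00:00",
               "target": {"identifier": "alice@example.com"}}},
    {"audit": {"auditType": "MFA_AUDIT", "status": "SUCCESS",
               "createdDttm": "2024-03-01T09:15:42.123+00:00",
               "target": {"identifier": "alice@example.com"}}},
    {"audit": {"auditType": "MFA_AUDIT", "status": "FAILED",
               "createdDttm": "2024-03-01T09:16:05.001+05:30",
               "target": {"identifier": "bob@example.com"}}},
    {"audit": {"auditType": "ADMIN_AUDIT", "status": "SUCCESS",
               "eventType": "Password Reset",
               "createdDttm": "2024-03-01T10:00:00.000Z",
               "target": {"identifier": "carol@example.com"}},
     "auditValue": "Password reset initiated by admin"},
    {"audit": {"auditType": "ADMIN_AUDIT", "status": "SUCCESS",
               "eventType": "User Created",
               "createdDttm": "2024-03-01T10:05:00.000Z",
               "target": {"identifier": "dave@example.com"}}},
]

# Output column -> dotted source field, mirroring the `| field as Alias` lines.
MFA_COLUMNS = {"Identifier": "audit.target.identifier",
               "Status": "audit.status",
               "FormattedTime": "audit.createdDttm"}
ADMIN_COLUMNS = {"Identifier": "audit.target.identifier",
                 "EventType": "audit.eventType",
                 "Status": "audit.status"}
PASSWORD_RESET_COLUMNS = {"Identifier": "audit.target.identifier",
                          "AuditMessage": "auditValue",
                          "Status": "audit.status",
                          "FormattedTime": "audit.createdDttm"}


def get_path(event, dotted, default=None):
    """Resolve a dotted field name such as audit.target.identifier."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def format_time(iso_ts):
    """parseDate(..., "yyyy-MM-dd'T'HH:mm:ss.SSSXXX") then formatDate(..., "dd/MM/yyyy HH:mm:ss").

    XXX accepts 'Z' or +hh:mm; fromisoformat only accepts 'Z' from Python 3.11,
    so it is normalised. The offset is kept as written (no timezone conversion),
    whereas Sumo's formatDate renders in the search's configured time zone.
    """
    ts = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return ts.strftime("%d/%m/%Y %H:%M:%S")


def audit_rows(events, audit_type, columns, event_type=None):
    """Mirror of: where audit.auditType = X [| where audit.eventType = Y]
    | <fields> as <aliases> | count by <aliases> | fields -_count

    Returns the distinct rows as dicts keyed by the output column names.
    """
    rows = set()
    for e in events:
        if get_path(e, "audit.auditType") != audit_type:
            continue
        if event_type is not None and get_path(e, "audit.eventType") != event_type:
            continue
        vals = []
        for field in columns.values():
            v = get_path(e, field)
            if field == "audit.createdDttm" and v is not None:
                v = format_time(v)
            vals.append(v)
        rows.add(tuple(vals))  # count by ... | fields -_count == distinct rows
    ordered = sorted(rows, key=lambda r: [str(v) for v in r])
    return [dict(zip(columns, r)) for r in ordered]


if __name__ == "__main__":
    for r in audit_rows(SAMPLE_EVENTS, "MFA_AUDIT", MFA_COLUMNS):
        print("MFA", r)
    for r in audit_rows(SAMPLE_EVENTS, "ADMIN_AUDIT", PASSWORD_RESET_COLUMNS,
                        event_type="Password Reset"):
        print("PWRESET", r)
```

A missing field comes back as None in the row rather than raising, which is the same effect as Sumo silently producing an empty column; if you see None for Identifier or Status in your own events, the emitter is not sending the field name the query expects.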