SumoLogic SIEM Integration Setup


SumoLogic SIEM is a cloud-based security solution that detects threats in real time and analyzes event and incident log data from all of your security tools. miniOrange provides secure access to and full control of SumoLogic for enterprises and applications. This guide walks you through configuring the SumoLogic integration.


Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to set up the SIEM integration with your SumoLogic instance in your environment, with a 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.



1. Configure HTTP Collector Endpoint

  • Classic UI: In the main SumoLogic menu, select Manage Data > Collection > Collection. New UI: In the SumoLogic top menu, select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
  • In the Collectors page, click Add Source next to a Hosted Collector.
  • Select HTTP Logs & Metrics.
  • Enter a Name to display for the Source in the Sumo web application. Description is optional.
  • Make sure to set Message Processing as Multiline Processing.
  • Hit Save to save your Collector.
  • Copy the endpoint by clicking on the Show URL link.

2. Configure SUMO Logic API Endpoint in miniOrange

  • Login into miniOrange Admin Console.
  • Go to SIEM Management and click on Configure button.
  • Select Sumo Logic SIEM tool and click on next.
  • Provide the name for the SIEM tool.
  • Enter the Endpoint URL copied from step 1.
  • Click Save to save the Sumo Logic SIEM configuration.
  • Click the Activate toggle button in order to activate the SIEM tool.

    Note:

    Superadmin can also activate the SIEM tool for customers using the Manage Activation options. Admin can either activate the SIEM tool for all customers using the Activate For All Customers option, or activate it for individual customers using the Manage Activation option available under the Actions menu (click the 3 dots).
    Please follow this guide to know more.



  • Select Activate For All Customers:
    • Superadmin can toggle Activate For All Customers to enable the SIEM tool for all tenants in one action.

  • Select Manage Activation:
    • Superadmin can use Manage Activation to selectively enable the SIEM tool for individual customer accounts.

3. Sample Search Filters

1. Filter Query for MFA Audits

            
    // replace ##name_of_your_source## with the Name given to the HTTP source in step 1
    _source=##name_of_your_source##
    | where audit.auditType = "MFA_AUDIT"
    | audit.target.identifier as Identifier
    | audit.status as Status
    | fromMillis(audit.createdDttm) as Time
    | formatDate(Time,"dd/MM/yyyy HH:mm:ss") as FormattedTime
    | count by Identifier, Status, FormattedTime
    | fields -_count
            
          

2. Filter Query for Admin Audits

            
    _source=##name_of_your_source##
    | where audit.auditType = "ADMIN_AUDIT"
    | audit.status as Status
    | audit.target.identifier as Identifier
    | audit.eventType as EventType
    | count by Identifier, EventType, Status
    | fields -_count
            
          

3. Filter Query for Password Reset Audits

            
    _source=##name_of_your_source##
    | where audit.auditType = "ADMIN_AUDIT"
    | where audit.eventType = "Password Reset"
    | audit.target.identifier as Identifier
    | auditValue as AuditMessage
    | audit.status as Status
    | fromMillis(audit.createdDttm) as temptime
    | formatDate(temptime,"dd/MM/yyyy HH:mm:ss") as FormattedTime
    | count by Identifier, AuditMessage, Status, FormattedTime
    | fields -_count
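To see what the HTTP source in step 1 and the filters above expect, here is an added Python example (not miniOrange's or Sumo Logic's code) that builds a few constructed audit events using the field names the three queries rely on, posts them as newline-delimited JSON to the HTTP Source URL copied in step 1, and previews locally which rows the "Filter Query for MFA Audits" would return for them. The sample values, the newline-delimited payload format and the UTC time formatting are assumptions; only the field names come from the queries on this page.

```python
"""Build miniOrange-style audit events, post them to a Sumo Logic HTTP Logs
source, and preview locally what the MFA_AUDIT filter query would return.
Added example, not miniOrange or Sumo Logic code."""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample events. The field names (audit.auditType,
# audit.target.identifier, audit.status, audit.createdDttm, audit.eventType,
# auditValue) are the ones the page's queries use; the values are made up.
SAMPLE_EVENTS = [
    {"audit": {"auditType": "MFA_AUDIT", "status": "SUCCESS",
               "createdDttm": 1700000000000,
               "target": {"identifier": "alice@example.com"}}},
    {"audit": {"auditType": "MFA_AUDIT", "status": "FAILED",
               "createdDttm": 1700000060000,
               "target": {"identifier": "bob@example.com"}}},
    # exact duplicate of the first event: "count by ... | fields -_count"
    # collapses it into a single row
    {"audit": {"auditType": "MFA_AUDIT", "status": "SUCCESS",
               "createdDttm": 1700000000000,
               "target": {"identifier": "alice@example.com"}}},
    {"audit": {"auditType": "ADMIN_AUDIT", "status": "SUCCESS",
               "eventType": "Password Reset",
               "createdDttm": 1700000120000,
               "target": {"identifier": "carol@example.com"}},
     "auditValue": "Password reset by admin"},
]


def build_payload(events):
    """Serialize events as newline-delimited JSON, one event per line
    (assumed here as the message boundary the HTTP source will split on)."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


def post_to_http_source(endpoint_url, payload):
    """POST the payload to the HTTP Source URL copied in step 1.
    The URL embeds a per-source token, so handle it like a credential."""
    req = urllib.request.Request(
        endpoint_url, data=payload.encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status  # 200 means the collector accepted the payload


def format_time(millis):
    """Mirror fromMillis() + formatDate(..., "dd/MM/yyyy HH:mm:ss").
    Assumes UTC; Sumo Logic formats in the searching user's time zone."""
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc) \
        .strftime("%d/%m/%Y %H:%M:%S")


def mfa_audit_rows(events):
    """Local preview of the MFA Audits filter: keep MFA_AUDIT events, project
    Identifier / Status / FormattedTime, and return the distinct rows
    (what "count by ... | fields -_count" yields) in first-seen order."""
    rows = []
    for e in events:
        audit = e.get("audit", {})
        if audit.get("auditType") != "MFA_AUDIT":
            continue
        row = (audit.get("target", {}).get("identifier"),
               audit.get("status"),
               format_time(audit["createdDttm"]))
        if row not in rows:
            rows.append(row)
    return rows


if __name__ == "__main__":
    import sys
    for row in mfa_audit_rows(SAMPLE_EVENTS):
        print(row)
    # pass the HTTP Source URL as the only argument to actually ship the events
    if len(sys.argv) > 1:
        print(post_to_http_source(sys.argv[1], build_payload(SAMPLE_EVENTS)))
```

Run it without arguments to see the two distinct MFA rows the query would produce; run it with the Show URL value from step 1 to send the sample events and confirm that `_source=##name_of_your_source##` finds them. Because anyone holding that URL can write into your collector, store it in a secrets manager rather than in scripts or tickets, and rotate the source if it leaks.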
            
          

