Sumo Logic 2.0.0
App Vendor: Sumo Logic
App Category: Analytics & SIEM
Connector Version: 2.2.2
API Version: 1.0.0
About App
The Sumo Logic app allows security teams to integrate with the Sumo Logic enterprise application to create and retrieve search jobs and to manage lookup tables.
The Sumo Logic app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
|---|---|
Create a Search Job | This action creates a search job. |
Create Lookup Table | This action creates a new lookup table by providing a schema and specifying its configuration. |
Delete Lookup Table Row | This action deletes a row from the lookup table. |
Get Lookup Table Contents | This action retrieves the lookup table contents for the given identifier. |
Get Status of a Search Job | This action retrieves the status of a search job. |
Insert or Update Lookup Table Row | This action inserts or updates a row of a lookup table with the given identifier. |
List Search Records | This action retrieves the records for the given job ID. |
Generic Action | This is a generic action used to make requests to any Sumo Logic endpoint. |
Configuration Parameters
The following configuration parameters are required for the Sumo Logic app to communicate with the Sumo Logic enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Access ID | Enter the access ID to authenticate the API requests. Example: QWxhZGRpbjpPcGVuU2VzYW1l | Text | Required | |
Access Token | Enter the access token associated with the specified access ID. | Password | Required | |
Base URL | Enter the base URL of the regional API endpoint for your Sumo Logic deployment. The region code is part of the host name for every deployment except us1. Example: https://api.us2.sumologic.com/api/ for the us2 region. | Text | Required | Allowed format is https://api.<region>.sumologic.com/api/ for the au, ca, de, eu, fed, in, jp, and us2 regions, and https://api.sumologic.com/api/ for us1. |
API Version | Enter the API version to specify which Sumo Logic API version the app uses for requests. Example: v2 | Text | Optional | Default value: v1 |
Verify | Choose whether to verify the Sumo Logic server's SSL/TLS certificate when making requests. It is recommended to set this option to yes. Setting it to no disables certificate validation, so the app accepts any certificate and the connection can be intercepted. | Boolean | Optional | By default, verification is not enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds requests will wait to connect to Sumo Logic and read the response. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Action: Create a Search Job
This action creates a search job in Sumo Logic to run a log search query for a specified time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the search expression that defines the data to retrieve. The value is sent as a JSON string, so escape it per RFC 8259 (double quotes inside the query become \"). Example: count _sourceCategory | Text | Required | |
From Time | Enter the start time for the search range in ISO 8601 format (YYYY-MM-DDTHH:mm:ss) or milliseconds since epoch. Example: 2017-07-16T00:00:00 | Text | Required | |
Auto Parsing Mode | Choose whether Sumo Logic auto-parses JSON fields in the matching logs (AutoParse) or leaves parsing to the query (Manual). | Text | Optional | Allowed values: AutoParse, Manual Default value: Manual |
Until Time | Enter the end time for the search range in ISO 8601 format (YYYY-MM-DDTHH:mm:ss) or milliseconds since epoch. Example: 2017-07-26T00:00:00 | Text | Required | |
Time Zone | Enter the time zone code applied to From Time and Until Time when they are given in ISO 8601 format rather than milliseconds since epoch. Example: IST | Text | Required | |
Search by Receipt Time | Choose True to run the search against the time Sumo Logic received each message instead of the message's own timestamp. Example: True | Boolean | Optional | Allowed values: True, False Default value: False |
Example Request
[
{
"query": "count _sourceCategory",
"time_from": "2017-07-16T00:00:00",
"time_until": "2017-07-26T00:00:00",
"timezone": "IST"
}
]
Action: Create Lookup Table
This action creates a new lookup table by defining its schema and configuration.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Description | Enter the description of the lookup table to define its purpose. Example: Contains approved domain names used for allowlist validation | Text | Required | |
Fields | Enter the list of fields (name and type) that make up the lookup table schema. Example: $JSON[{"fieldName": "fieldname1","fieldType": "boolean"}] | List | Required | |
Primary Keys | Enter the names of the fields that together form the primary key of the lookup table. Each name must also appear in Fields. Example: $LIST[fieldname1, fieldname2, fieldname3] | List | Required | |
Parent Folder ID | Enter the parent folder identifier where the lookup table will be created in the Sumo Logic Library. Example: 0000000001c41EE4 | Text | Required | |
Name | Enter the name of the lookup table. Example: Allowed Domains | Text | Required | |
Time to Live | Enter the time in minutes for each entry to remain in the table before expiring. | Integer | Optional | Default Value: 0 (no automatic expiration) Allowed range: 0 to 525600 |
Size Limit Action | Enter the action to take when the table reaches its size limit: StopIncomingMessages discards further updates, DeleteOldData evicts the oldest rows to make room. | Text | Optional | Default value: StopIncomingMessages Allowed values: StopIncomingMessages, DeleteOldData |
Example Request
[
{
"description":"Example Description",
"fields":[
{"fieldName":"fieldname1","fieldType":"boolean"},
{"fieldName":"fieldname2","fieldType":"string"},
{"fieldName":"fieldname3","fieldType":"string"}
],
"primaryKeys":[
"fieldname1",
"fieldname2",
"fieldname3"
],
"parentFolderId":"0000000001c41EE4",
"name":"Field Table",
"ttl":30,
"sizeLimitAction":"StopIncomingMessages"
}
]
Action: Delete Lookup Table Row
This action deletes a row from the lookup table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup Table ID | Enter the unique identifier of the lookup table from which the row will be deleted. Example: 0000000001c41EE4 | Text | Required | |
Primary Keys | Enter every primary key column of the table with its value; together they identify the single row to delete. Example: $JSON[{"columnName": "user_id","columnValue": "user1"}] | List | Required | |
Example Request
[
{
"id":"0000000001c41EE4",
"primaryKeys":[
{
"columnName":"user_id",
"columnValue":"user1"
}
]
}
]
Action: Generic Action
This is a generic action used to make requests to any Sumo Logic API endpoint that the other actions do not cover.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Endpoint | Enter the Sumo Logic API endpoint path to send the request to. Example: /v1/lookupTables/0000000001c41EE4 | Text | Required | |
Method | Enter the HTTP method to make the request. Example: GET | Text | Required | Allowed values: POST, GET, PUT, DELETE, PATCH |
JSON Payload | Enter the payload in JSON format. Example: $JSON[{"description": "sample_description","name": "test_1"}] | Any | Optional | |
Query Params | Enter the query parameters in JSON format. Example: $JSON[{"offset": 0,"limit": 10}] | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key value | Optional | Allowed keys: payload_data, custom_output, download, filename, files, retry_wait, retry_count, and response_type. |
Example Request
[
{
"endpoint":"/v1/search/jobs/37589506F194FC80/records",
"http_method":"GET",
"query_params":{
"offset":0,
"limit":10
}
}
]
Action: Get Lookup Table Contents
This action retrieves the contents of a lookup table using the specified identifier.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup Table ID | Enter the identifier of the lookup table to retrieve its contents. Example: 0000000001c41EE4 | Text | Required | |
Example Request
[
{
"id":"0000000001c41ee4"
}
]
Action: Insert or Update Lookup Table Row
This action inserts a new row or updates an existing row in a Sumo Logic lookup table. If the specified primary key does not exist, a new row is created.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Lookup Table ID | Enter the unique identifier of the lookup table where the row will be inserted or updated. Example: 0000000001c41EE4 | Text | Required | |
Fields | Enter every column of the row with its value. The primary key columns select the row; the remaining columns are written to it. Example: $JSON[{"columnName": "user_id","columnValue": "user1"}] | List | Required | |
Example Request
[
{
"id":"0000000001c41ee4",
"changes":[
{
"columnName":"user_id",
"columnValue":"user1"
}
]
}
]
Action: List Search Records
This action retrieves the records found or produced for the given job ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Search Job ID | Enter the search job ID to retrieve records for a specific search job. Example: 37589506F194FC80 | Text | Required | |
Offset | Enter the value from where you want the record to start. Example: 4 | Integer | Optional | Default value: 0 |
Limit | Enter the maximum number of search records to return starting from the offset. Example: 10 | Integer | Optional | Default value: 1 Allowed range: 1 to 10,000 |
Example Request
[
{
"id":"37589506F194FC80",
"offset":4,
"limit":10
}
]
Action: Get Status of a Search Job
This action retrieves the current status of a search job using the specified search job ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Search Job ID | Enter the unique identifier of the search job to check its current status. Example: 37589506F194FC80 | Text | Required | You can retrieve the Search Job ID using the action Create a Search Job. |
Interval Time | Enter the time in seconds to wait between polling requests. Example: 30 | Integer | Optional | Default value: 25 |
Retry Count | Enter the number of polling attempts to retrieve the search job status before stopping. Example: 4 | Integer | Optional | Default value: 5 Maximum Allowed Value: 100 |
Example Request
[
{
"search_job_id":"37589506F194FC80",
"interval":30,
"retry_count":4
}
]
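The three search actions above (Create a Search Job, Get Status of a Search Job, List Search Records) are steps of one workflow against the Sumo Logic Search Job API. The following is an added example, not code from the connector or from Sumo Logic, that shows the workflow end to end in Python: HTTP Basic authentication with the Access ID and Access Token, a check of the Base URL format, polling with the interval and retry count of the Get Status action, paging through records with offset and limit, and deleting the job afterwards. The client class, `run_search`, the `FakeSumoSession` replay (its constructed rows, the job state strings it returns and the `<token>` placeholder) are all assumptions of this example; a `requests.Session()` can be passed in place of the fake for a live deployment.

```python
"""Sumo Logic Search Job workflow: create job -> poll status -> page records -> delete job."""
import base64
import json
import re
import time
from types import SimpleNamespace

# Hosts listed under the Base URL parameter; us1 is the only deployment without a region code.
_BASE_URL_RE = re.compile(r"^https://api(\.(au|ca|de|eu|fed|in|jp|us2))?\.sumologic\.com/api/$")

class SumoSearchClient:
    """`session` is any object with a requests.Session-style .request(method, url, **kw)."""
    def __init__(self, base_url, access_id, access_key, session, verify=True, timeout=15):
        if not _BASE_URL_RE.match(base_url):
            raise ValueError(f"not a regional Sumo Logic API endpoint: {base_url!r}")
        self.base = base_url + "v1"
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()  # HTTP Basic auth
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.session, self.verify, self.timeout = session, verify, timeout  # verify=False accepts any cert

    def _call(self, method, path, **kw):
        resp = self.session.request(method, self.base + path, headers=self.headers,
                                    verify=self.verify, timeout=self.timeout, **kw)
        if resp.status_code >= 400:
            raise RuntimeError(f"{method} {path} failed: {resp.status_code} {resp.text}")
        return resp

    def create_search_job(self, query, from_time, to_time, time_zone="UTC", by_receipt_time=False):
        body = {"query": query, "from": from_time, "to": to_time, "timeZone": time_zone, "byReceiptTime": by_receipt_time}
        return self._call("POST", "/search/jobs", data=json.dumps(body)).json()["id"]

    def wait_for_job(self, job_id, interval=25, retry_count=5, sleep=time.sleep):
        """Poll at most retry_count times, interval seconds apart (the Get Status action's knobs)."""
        for attempt in range(retry_count):
            status = self._call("GET", f"/search/jobs/{job_id}").json()
            if status["state"] == "DONE GATHERING RESULTS":
                return status
            if status["state"] == "CANCELLED":
                raise RuntimeError(f"search job {job_id} was cancelled")
            if attempt < retry_count - 1:
                sleep(interval)
        raise TimeoutError(f"search job {job_id} not done after {retry_count} polls")

    def iter_records(self, job_id, page_size=1000):
        """Page through /records with offset/limit; a short page marks the end of the result set."""
        offset = 0
        while True:
            page = self._call("GET", f"/search/jobs/{job_id}/records",
                              params={"offset": offset, "limit": page_size}).json()
            records = page.get("records", [])
            for record in records:
                yield record["map"]
            if len(records) < page_size:
                return
            offset += page_size

    def delete_search_job(self, job_id):
        self._call("DELETE", f"/search/jobs/{job_id}")

def run_search(client, query, from_time, to_time, time_zone, interval, retry_count, sleep=time.sleep):
    """Create, wait, collect, and always delete the job so it does not linger server-side."""
    job_id = client.create_search_job(query, from_time, to_time, time_zone)
    try:
        status = client.wait_for_job(job_id, interval, retry_count, sleep)
        records = list(client.iter_records(job_id, page_size=2))  # tiny page size to exercise paging
    finally:
        client.delete_search_job(job_id)
    return status, records

def _response(code, payload):
    return SimpleNamespace(status_code=code, text=json.dumps(payload), json=lambda: payload)

class FakeSumoSession:
    """Constructed stand-in for requests.Session: DONE after `polls_needed` polls, then three rows."""
    _ROWS = [{"map": {"_sourcecategory": "prod/auth", "_count": "42"}},
             {"map": {"_sourcecategory": "prod/web", "_count": "17"}},
             {"map": {"_sourcecategory": "prod/db", "_count": "3"}}]
    def __init__(self, polls_needed=2):
        self.polls_needed, self.polls, self.calls = polls_needed, 0, []
    def request(self, method, url, headers=None, params=None, **kw):
        path = url.split("/api/v1", 1)[1]
        self.calls.append((method, path, params))
        assert headers["Authorization"].startswith("Basic ")
        if (method, path) == ("POST", "/search/jobs"):
            return _response(202, {"id": "37589506F194FC80"})
        if (method, path) == ("GET", "/search/jobs/37589506F194FC80"):
            self.polls += 1
            state = "DONE GATHERING RESULTS" if self.polls >= self.polls_needed else "GATHERING RESULTS"
            return _response(200, {"state": state, "recordCount": 3, "pendingErrors": []})
        if (method, path) == ("GET", "/search/jobs/37589506F194FC80/records"):
            return _response(200, {"records": self._ROWS[params["offset"]:params["offset"] + params["limit"]]})
        if (method, path) == ("DELETE", "/search/jobs/37589506F194FC80"):
            return _response(200, {})
        return _response(404, {"message": "no such route"})

def demo():
    session = FakeSumoSession()
    client = SumoSearchClient("https://api.us2.sumologic.com/api/", "QWxhZGRpbjpPcGVuU2VzYW1l", "<token>", session)
    status, records = run_search(client, "count _sourceCategory", "2017-07-16T00:00:00", "2017-07-26T00:00:00",
                                 "IST", interval=30, retry_count=4, sleep=lambda s: None)
    return status, records, session
```

The fake drives the two outcomes a playbook has to handle: when `retry_count` is exhausted `wait_for_job` raises `TimeoutError` and the `finally` in `run_search` still deletes the job, and a CANCELLED state stops polling immediately instead of burning the remaining retries.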