SumoLogic
This Integration is part of the Sumo Logic Pack.
Use the SumoLogic integration to search for and return SumoLogic records.
Configure SumoLogic on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for SumoLogic.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- SumoLogic URL, in the format https://api.us2.sumologic.com/api/. The API endpoint is region specific; use the one for the deployment that holds your account.
- API Version
- The access ID, created under Settings in the Sumo Logic UI.
- The access key, created under Settings in the Sumo Logic UI. Treat it like a password.
- Use system proxy settings
- Trust any certificate (not secure). Leave this off unless you are deliberately testing against a self-signed endpoint; the access ID and key travel over this connection.
- Escape URLs (add a \ prefix to = characters when the value queried is a URL. Default is false.)
- Seconds to sleep between checking for results
- Default limit for the number of records to retrieve
- Fetch incidents
- Incident type
- Run this query to fetch new events as incidents
- Timeframe for first fetch (in seconds)
- Time between fetches (in seconds). The actual interval is the larger of this value and the server configuration.
- Default max total wait for results
- Time Zone
- Fetch aggregate records (instead of messages)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Search for SumoLogic Records
Search SumoLogic for records that match the specified query.
Base Command
search
Input
| Argument Name | Description | Required |
|---|---|---|
| query | The search query to execute | Required |
| from | The ISO 8601 date of the time range to start the search (example - 2016-08-28T12:00:00). Can also be milliseconds since epoch. | Required |
| to | The ISO 8601 date of the time range to end the search (example - 2016-08-28T12:00:00). Can also be milliseconds since epoch. | Required |
| limit | Maximum number of results to return. Default is 100. A value given here overrides the instance's default limit parameter. | Optional |
| offset | Return results starting at this offset (integer). Default is 0. | Optional |
| timezone | The time zone to apply when from/to are not in milliseconds. Default is UTC. See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for the list of time zone codes. | Optional |
| maxTimeToWaitForResults | Maximum number of minutes to wait for the search to finish. Default is 10 minutes. | Optional |
| headers | A comma separated list of table headers that are displayed in order. For example, _blockid,_collector,_format. | Optional |
| byReceiptTime | Define as "true" to run the search using receipt time. By default, searches do not run by receipt time. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Search.Messages | unknown | The array of raw message objects |
| Search.Records | unknown | The array of aggregate records |
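How the command arguments and the instance's polling settings (seconds to sleep between checks, max total wait, offset/limit, messages versus aggregate records, first-fetch timeframe) fit together is easier to see in code. The following Python is an added example, not code from this integration or from Sumo Logic. It models the create-job / poll-status / page-results flow that those settings imply against an in-memory stand-in for the HTTP client (FakeSumoApi), so it runs offline on constructed messages trimmed from the context example below. The endpoint paths (/search/jobs, /search/jobs/{id}, /search/jobs/{id}/messages and /records), the "map" wrapper around each result, and the job state strings follow my understanding of Sumo Logic's public Search Job API; this page does not document them, so treat them as assumptions, as are the names normalize_time, escape_url_equals, run_search and fetch_incidents and the incident field names.

```python
# Added example, not the integration's or Sumo Logic's own code. Endpoint paths, field
# names, the "map" wrapper and job states are assumptions from the public Search Job API.
import re
import time
from datetime import datetime

DONE, CANCELLED = "DONE GATHERING RESULTS", "CANCELLED"  # assumed job state strings

def normalize_time(value):
    """from/to accept ISO 8601 or epoch milliseconds: epoch goes as int, ISO strings are
    validated and passed through so the server applies timeZone to them."""
    s = str(value).strip()
    if s.isdigit():
        return int(s)
    datetime.fromisoformat(s)  # raises ValueError on a malformed timestamp
    return s

def escape_url_equals(query):
    """'Escape URLs' option: backslash-prefix '=' inside http(s) URL tokens so they are
    read as literal characters rather than field=value operators."""
    return re.sub(r"https?://\S+", lambda m: m.group(0).replace("=", r"\="), query)

class FakeSumoApi:
    """Constructed in-memory stand-in for the HTTP client (POST /search/jobs,
    GET /search/jobs/{id}, GET /search/jobs/{id}/messages|records).
    The job reports DONE only after polls_until_done status checks."""
    def __init__(self, messages, records=(), polls_until_done=2):
        self.messages, self.records = list(messages), list(records)
        self.polls_until_done = polls_until_done
        self.jobs, self.requests = {}, []  # requests: (method, path, payload) log

    def post(self, path, json):
        self.requests.append(("POST", path, json))
        job_id = f"job{len(self.jobs) + 1}"
        self.jobs[job_id] = {"polls": 0}
        return {"id": job_id}

    def get(self, path, params=None):
        params = params or {}
        self.requests.append(("GET", path, params))
        parts = path.strip("/").split("/")  # search / jobs / <id> [/ messages|records]
        job = self.jobs[parts[2]]
        if len(parts) == 3:  # status poll
            job["polls"] += 1
            return {"state": DONE if job["polls"] >= self.polls_until_done else "GATHERING RESULTS"}
        src = self.messages if parts[3] == "messages" else self.records
        off, lim = params.get("offset", 0), params.get("limit", 100)
        return {parts[3]: [{"map": item} for item in src[off:off + lim]]}

def run_search(api, query, from_, to, *, limit=100, offset=0, timezone_name="UTC",
               by_receipt_time=False, aggregate=False, escape_urls=False,
               sleep_seconds=5, max_wait_seconds=600, sleeper=time.sleep):
    """Create the job, poll until DONE or until max_wait_seconds is used up, then fetch
    one page of messages (or aggregate records) at offset/limit. sleeper is injectable."""
    if sleep_seconds <= 0:
        raise ValueError("sleep_seconds must be positive or the poll loop never times out")
    if escape_urls:
        query = escape_url_equals(query)
    body = {"query": query, "from": normalize_time(from_), "to": normalize_time(to),
            "timeZone": timezone_name, "byReceiptTime": bool(by_receipt_time)}
    job_id = api.post("/search/jobs", json=body)["id"]
    waited = 0
    while True:
        state = api.get(f"/search/jobs/{job_id}")["state"]
        if state == DONE:
            break
        if state == CANCELLED:
            raise RuntimeError(f"search job {job_id} was cancelled")
        if waited >= max_wait_seconds:
            raise TimeoutError(f"search job {job_id} not done after {max_wait_seconds}s")
        sleeper(sleep_seconds)
        waited += sleep_seconds
    kind = "records" if aggregate else "messages"
    page = api.get(f"/search/jobs/{job_id}/{kind}", params={"offset": offset, "limit": limit})
    return [item["map"] for item in page[kind]]

def fetch_incidents(api, query, last_run, *, first_fetch_seconds=3600, now_ms=None, **kw):
    """Fetch-incidents window: the first run looks back first_fetch_seconds; later runs
    start at the newest _messagetime already seen, skipping ids recorded at that exact
    millisecond so a boundary message is not raised as an incident twice."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    from_ms = last_run.get("last_time_ms", now_ms - first_fetch_seconds * 1000)
    seen = set(last_run.get("seen_ids", []))
    incidents, newest, newest_ids = [], from_ms, set(seen)
    for m in run_search(api, query, from_ms, now_ms, **kw):
        t = int(m["_messagetime"])
        if t < from_ms or m["_messageid"] in seen:
            continue
        # illustrative incident shape, not the XSOAR incident schema
        incidents.append({"name": m["_raw"][:80], "occurred_ms": t, "rawJSON": m})
        if t > newest:
            newest, newest_ids = t, {m["_messageid"]}
        elif t == newest:
            newest_ids.add(m["_messageid"])
    return incidents, {"last_time_ms": newest, "seen_ids": sorted(newest_ids)}

# Constructed sample messages, trimmed to the fields used, shaped like the context example.
SAMPLE_MESSAGES = [
    {"_messageid": "-9223372036854375794", "_messagetime": "1562255587000",
     "_raw": "Jul 4 15:53:07 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.mine.cnmaint): Service only ran for 0 seconds."},
    {"_messageid": "-9223372036854375795", "_messagetime": "1562255551000",
     "_raw": "Jul 4 15:52:31 TLVMAC30YCJG5H syslogd[46]: ASL Sender Statistics"},
    {"_messageid": "-9223372036854375796", "_messagetime": "1562255501000",
     "_raw": "Jul 4 15:51:41 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.mine.cnmaint): Service only ran for 0 seconds."},
]
```

The injectable sleeper is what makes the max-wait path checkable without actually waiting; in a live instance the loop sleeps for the "Seconds to sleep between checking for results" value and gives up after "Default max total wait for results". The seen_ids bookkeeping in fetch_incidents matters because the next window starts at the newest timestamp already processed, so the message at that exact millisecond can be returned again.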
Command Example
!search query=_sourceCategory=macos/system from=2019-07-02T12:00:00 to=2019-07-04T16:00:00 using=SumoLogic_copy_instance_1 byReceiptTime=false limit=5
Context Example
```json
{
  "Search": {
    "Messages": [
      {
        "_messageid": "-9223372036854375794",
        "_collectorid": "162683374",
        "_blockid": "-9223372036854745796",
        "_source": "macOS System",
        "_format": "t:cache:o:0:l:15:p:MMM dd HH:mm:ss",
        "_sourcename": "/private/var/log/system.log",
        "_sourcecategory": "macos/system",
        "_sourcehost": "TLVMAC30YCJG5H",
        "_messagetime": "1562255587000",
        "_sourceid": "753908607",
        "_raw": "Jul 4 15:53:07 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.mine.cnmaint): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.",
        "_size": "142",
        "_collector": "TLVMAC30YCJG5H",
        "_messagecount": "2",
        "_receipttime": "1562244826549",
        "_view": ""
      },
      {
        "_messageid": "-9223372036854375795",
        "_collectorid": "162683374",
        "_blockid": "-9223372036854745797",
        "_source": "macOS System",
        "_format": "t:cache:o:0:l:15:p:MMM dd HH:mm:ss",
        "_sourcename": "/private/var/log/system.log",
        "_sourcecategory": "macos/system",
        "_sourcehost": "TLVMAC30YCJG5H",
        "_messagetime": "1562255551000",
        "_sourceid": "753908607",
        "_raw": "Jul 4 15:52:31 TLVMAC30YCJG5H syslogd[46]: ASL Sender Statistics",
        "_size": "65",
        "_collector": "TLVMAC30YCJG5H",
        "_messagecount": "1",
        "_receipttime": "1562244789356",
        "_view": ""
      },
      {
        "_messageid": "-9223372036854375796",
        "_collectorid": "162683374",
        "_blockid": "-9223372036854745798",
        "_source": "macOS System",
        "_format": "t:cache:o:0:l:15:p:MMM dd HH:mm:ss",
        "_sourcename": "/private/var/log/system.log",
        "_sourcecategory": "macos/system",
        "_sourcehost": "TLVMAC30YCJG5H",
        "_messagetime": "1562255501000",
        "_sourceid": "753908607",
        "_raw": "Jul 4 15:51:41 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.mine.cnmaint): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.",
        "_size": "142",
        "_collector": "TLVMAC30YCJG5H",
        "_messagecount": "0",
        "_receipttime": "1562244754298",
        "_view": ""
      },
      {
        "_messageid": "-9223372036854425618",
        "_collectorid": "162683374",
        "_blockid": "-9223372036854750767",
        "_source": "macOS System",
        "_format": "t:cache:o:0:l:15:p:MMM dd HH:mm:ss",
        "_sourcename": "/private/var/log/system.log",
        "_sourcecategory": "macos/system",
        "_sourcehost": "TLVMAC30YCJG5H",
        "_messagetime": "1562255066000",
        "_sourceid": "753908607",
        "_raw": "Jul 4 15:44:26 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.apple.quicklook[57770]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
        "_size": "210",
        "_collector": "TLVMAC30YCJG5H",
        "_messagecount": "2",
        "_receipttime": "1562244306570",
        "_view": ""
      },
      {
        "_messageid": "-9223372036854375797",
        "_collectorid": "162683374",
        "_blockid": "-9223372036854745799",
        "_source": "macOS System",
        "_format": "t:cache:o:0:l:15:p:MMM dd HH:mm:ss",
        "_sourcename": "/private/var/log/system.log",
        "_sourcecategory": "macos/system",
        "_sourcehost": "TLVMAC30YCJG5H",
        "_messagetime": "1562254946000",
        "_sourceid": "753908607",
        "_raw": "Jul 4 15:42:26 TLVMAC30YCJG5H syslogd[46]: ASL Sender Statistics",
        "_size": "65",
        "_collector": "TLVMAC30YCJG5H",
        "_messagecount": "1",
        "_receipttime": "1562244217085",
        "_view": ""
      }
    ]
  }
}
```
Human Readable Output
SumoLogic Search Messages
| blockid | collector | collectorid | format | messagecount | messageid | messagetime | raw | receipttime | size | source | sourcecategory | sourcehost | sourceid | sourcename | view |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| -9223372036854745796 | TLVMAC30YCJG5H | 162683374 | t:cache:0:l:15:p:MMM dd HH:mm:ss | 2 | -9223372036854375794 | 1562255587000 | Jul 4 15:53:07 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.mine.cnmaint): Service only ran for 0 seconds. Pushing respawn out by 10 seconds. | 1562244826549 | 142 | macOS System | macos/system | TLVMAC30YCJG5H | 753908607 | /private/var/log/system.log | |
| -9223372036854745797 | TLVMAC30YCJG5H | 162683374 | t:cache:0:l:15:p:MMM dd HH:mm:ss | 1 | -9223372036854375795 | 1562255551000 | Jul 4 15:52:31 TLVMAC30YCJG5H syslogd[46]: ASL Sender Statistics | 1562244789356 | 65 | macOS System | macos/system | TLVMAC30YCJG5H | 753908607 | /private/var/log/system.log | |
| -9223372036854745798 | TLVMAC30YCJG5H | 162683374 | t:cache:0:l:15:p:MMM dd HH:mm:ss | 0 | -9223372036854375796 | 1562255501000 | Jul 4 15:51:41 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.mine.cnmaint): Service only ran for 0 seconds. Pushing respawn out by 10 seconds. | 1562244754298 | 142 | macOS System | macos/system | TLVMAC30YCJG5H | 753908607 | /private/var/log/system.log | |
| -9223372036854750767 | TLVMAC30YCJG5H | 162683374 | t:cache:0:l:15:p:MMM dd HH:mm:ss | 2 | -9223372036854425618 | 1562255066000 | Jul 4 15:44:26 TLVMAC30YCJG5H com.apple.xpc.launchd[1] (com.apple.quicklook[57770]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): |