Sumo Logic Cloud SIEM

This Integration is part of the Sumo Logic Cloud SIEM Pack.

Freeing the analyst with autonomous decisions. This integration was integrated and tested with version 6.1.0 of SumoLogicSEC.

Prerequisites

Only use this integration if your Cloud SIEM portal URL ends with .sumologic.com. You can verify this from the URL in your browser while logged into Cloud SIEM.

You'll need an access key in order to complete the instance setup. Instructions on how to generate access keys can be found here.

Configure SumoLogicSEC in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Sumo Logic API Endpoint | https://api.<deployment>.sumologic.com/api/ | True |
| Sumo Logic Instance Endpoint | Needed for the incident field sumoURL link to work, e.g. https://<yoursubdomain>.<deployment>.sumologic.com | False |
| Fetch incidents | | False |
| Incident type | | False |
| Access ID | | True |
| Access Key | | True |
| Incidents Fetch Interval | | False |
| Fetch Limit | Fetch limit of Sumo Logic insights | False |
| Override default fetch query | Default fetch query is status:in("new", "inprogress") | False |
| First fetch time | | False |
| Pull associated Sumo Logic signals | Whether to pull the Sumo Logic Signals associated with the Insights as Cortex XSOAR incidents | False |
| Incident Mirroring Direction | Choose the direction to mirror the incident: Incoming (from Sumo Logic SIEM to Cortex XSOAR), Outgoing (from Cortex XSOAR to Sumo Logic SIEM), or Incoming and Outgoing (from/to Cortex XSOAR and Sumo Logic SIEM). | False |
| Close Mirrored Cortex XSOAR Incident (Incoming Mirroring) | When selected, closing the Sumo Logic Insight with a "Closed" status will close the Cortex XSOAR incident. | False |
| Close Mirrored Sumo Logic Insight (Outgoing Mirroring) | When selected, closing the Cortex XSOAR incident will close the Sumo Logic Insight in SIEM. | False |
| Override Record Summary Fields | Record Summary Fields included when fetching Insights (override default) | False |

API documentation and query examples

For commands that take a query parameter, the available fields and operators are documented in the API docs. These docs are useful when executing queries with the following commands:

  • sumologic-sec-insight-search
  • sumologic-sec-signal-search
  • sumologic-sec-entity-search

To access the API documentation, select the link for your deployment from here. Add sec to the end of the url to access Cloud SIEM API docs - e.g. https://api.us2.sumologic.com/docs/sec/.

Example: Insight search query 'q' parameter:

The search query string in our custom DSL that is used to filter the results.

Operators:

  • exampleField:"bar": The value of the field is equal to "bar".
  • exampleField:in("bar", "baz", "qux"): The value of the field is equal to either "bar", "baz", or "qux".
  • exampleTextField:contains("foo bar"): The value of the field contains the phrase "foo bar".
  • exampleNumField:>5: The value of the field is greater than 5. There are similar <, <=, and >= operators.
  • exampleNumField:5..10: The value of the field is between 5 and 10 (inclusive).
  • exampleDateField:>2019-02-01T05:00:00+00:00: The value of the date field is after 5 a.m. UTC on February 1, 2019.
  • exampleDateField:2019-02-01T05:00:00+00:00..2019-02-01T08:00:00+00:00: The value of the date field is between 5 a.m. and 8 a.m. UTC on February 1, 2019.

Fields:

  • id
  • readableId
  • status
  • name
  • insightId
  • description
  • created
  • timestamp
  • closed
  • assignee
  • entity.ip
  • entity.hostname
  • entity.username
  • entity.type
  • enrichment
  • tag
  • severity
  • resolution
  • ruleId
  • records
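The operators and fields above are easiest to use safely from a small builder that quotes values and checks field names, so that an analyst-supplied hostname or a string copied from a ticket is never spliced into the `q` parameter unescaped. The following Python is an added example written for this page, not the integration's own code: the field list and the operator syntax come from the documentation above, while the function names and the sample values are this example's own assumptions, and the backslash escaping of an embedded double quote inside a string literal is an assumption to confirm against the API docs for your deployment.

```python
"""Build Sumo Logic Cloud SIEM search-query strings (the `q` / `query` argument).

Added example, not the integration's own code. Field names and operator syntax
follow the documentation above; escaping an embedded double quote with a
backslash is an assumption to confirm against the API docs for your deployment.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Union

# Insight search fields documented for the `q` parameter.
INSIGHT_FIELDS = frozenset({
    "id", "readableId", "status", "name", "insightId", "description",
    "created", "timestamp", "closed", "assignee", "entity.ip",
    "entity.hostname", "entity.username", "entity.type", "enrichment",
    "tag", "severity", "resolution", "ruleId", "records",
})

Scalar = Union[str, int, float, datetime]


def is_insight_field(field: str) -> bool:
    return field in INSIGHT_FIELDS


def _field(field: str) -> str:
    # Reject anything that is not a documented field: a typo would otherwise
    # silently match nothing or be rejected by the server at run time.
    if not is_insight_field(field):
        raise ValueError(f"unknown Insight search field: {field!r}")
    return field


def _quote(value: str) -> str:
    # Double-quoted DSL string. Escape backslashes and embedded quotes so a
    # value such as  x" OR status:"new  stays one literal instead of new terms.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _literal(value: Scalar) -> str:
    if isinstance(value, bool):
        return _quote(str(value).lower())            # whitelisted:"true" style
    if isinstance(value, (int, float)):
        return str(value)                             # numbers are unquoted: >5, 5..10
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("datetimes must be timezone-aware")
        return value.isoformat(timespec="seconds")   # 2019-02-01T05:00:00+00:00
    return _quote(value)


def eq(field: str, value: Scalar) -> str:
    return f"{_field(field)}:{_literal(value)}"


def in_(field: str, values: Iterable[str]) -> str:
    vals = list(values)
    if not vals:
        raise ValueError("in() needs at least one value")
    return f"{_field(field)}:in({', '.join(_quote(v) for v in vals)})"


def contains(field: str, phrase: str) -> str:
    return f"{_field(field)}:contains({_quote(phrase)})"


def cmp(field: str, op: str, value: Scalar) -> str:
    if op not in ("<", "<=", ">", ">="):
        raise ValueError(f"unsupported comparison operator: {op!r}")
    return f"{_field(field)}:{op}{_literal(value)}"


def between(field: str, low: Scalar, high: Scalar) -> str:
    # Inclusive range (5..10); only numbers and dates have a documented range form.
    if isinstance(low, str) or isinstance(high, str):
        raise ValueError("range bounds must be numbers or datetimes")
    return f"{_field(field)}:{_literal(low)}..{_literal(high)}"


def all_of(*terms: str) -> str:
    return " AND ".join(terms)


def closed_high_severity_since(now: datetime, days: int = 7) -> str:
    """Closed Insights above MEDIUM severity in the last `days` days; the same
    shape as the sumologic-sec-insight-search example later on this page."""
    return all_of(
        cmp("timestamp", ">", now - timedelta(days=days)),
        eq("status", "closed"),
        cmp("severity", ">", "MEDIUM"),
    )


if __name__ == "__main__":
    print(closed_high_severity_since(datetime.now(timezone.utc)))
```

Pass the returned string as the `query` argument of sumologic-sec-insight-search; the builder raises rather than guessing when it sees an unknown field, a naive datetime or an empty in() list, which is the behaviour you want inside an automation that runs unattended.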

Migrating from JASK content pack

The table below shows differences between this integration and the legacy JASK integration:

| JASK (legacy) | Sumo Logic Cloud SIEM | Notes |
| --- | --- | --- |
| jask-get-insight-details | sumologic-sec-insight-get-details | |
| jask-get-insight-comments | sumologic-sec-insight-get-comments | |
| jask-get-signal-details | sumologic-sec-signal-get-details | |
| jask-get-entity-details | sumologic-sec-entity-get-details | |
| jask-get-related-entities | Deprecated | |
| jask-get-whitelisted-entities | Deprecated | Use command sumologic-sec-entity-search with filter whitelisted:"true" |
| jask-search-insights | sumologic-sec-insight-search | |
| jask-search-entities | sumologic-sec-entity-search | |
| jask-search-signals | sumologic-sec-signal-search | |

New commands introduced in Sumo Logic Cloud SIEM pack

  • sumologic-sec-insight-set-status
  • sumologic-sec-match-list-get
  • sumologic-sec-match-list-update
  • sumologic-sec-threat-intel-search-indicators
  • sumologic-sec-threat-intel-get-sources
  • sumologic-sec-threat-intel-update-source

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

sumologic-sec-insight-get-details

Get Insight details for a specific Insight ID.

Base Command

sumologic-sec-insight-get-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insight_id | The insight to retrieve details for. | Required |
| record_summary_fields | Record Summary Fields to include in the output (override default fields). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.Insight.Assignee | String | User or team assigned to the Insight |
| SumoLogicSec.Insight.Closed | Date | Closed date |
| SumoLogicSec.Insight.ClosedBy | String | Closed by user |
| SumoLogicSec.Insight.Created | Date | Created date |
| SumoLogicSec.Insight.Description | String | Description of the Insight |
| SumoLogicSec.Insight.Entity | String | Entity name associated with the Insight |
| SumoLogicSec.Insight.Id | String | The ID of the Insight |
| SumoLogicSec.Insight.LastUpdated | Date | The time the Insight was last updated |
| SumoLogicSec.Insight.LastUpdatedBy | String | The last user to update the Insight |
| SumoLogicSec.Insight.Name | String | The name of the Insight |
| SumoLogicSec.Insight.ReadableId | String | The ID of the Insight in readable form |
| SumoLogicSec.InsightList.RecordSummaryFields | Array | Record Summary Fields associated with the Insight |
| SumoLogicSec.Insight.Resolution | String | Resolution for closed Insight |
| SumoLogicSec.Insight.Severity | String | The severity of the Insight |
| SumoLogicSec.Insight.Signals.contentType | String | Type of content that triggered the Signal |
| SumoLogicSec.Insight.Signals.description | String | Description of the Signal |
| SumoLogicSec.Insight.Signals.id | String | The ID of the Signal |
| SumoLogicSec.Insight.Signals.name | String | The name of the Signal |
| SumoLogicSec.Insight.Signals.recordCount | Number | Number of records associated with the Signal |
| SumoLogicSec.Insight.Signals.ruleId | String | Rule ID associated with the Signal |
| SumoLogicSec.Insight.Signals.severity | Number | The severity of the Signal |
| SumoLogicSec.Insight.Signals.stage | String | The stage of the Signal |
| SumoLogicSec.Insight.Signals.timestamp | Date | Signal timestamp |
| SumoLogicSec.Insight.Source | String | The source of the Insight |
| SumoLogicSec.Insight.Status | String | The status of the Insight |
| SumoLogicSec.Insight.TimeToDetection | Number | Insight time to detection |
| SumoLogicSec.Insight.TimeToRemediation | Number | Insight time to remediation |
| SumoLogicSec.Insight.TimeToResponse | Number | Insight time to response |
| SumoLogicSec.Insight.Timestamp | Date | Insight timestamp |

Command Example

!sumologic-sec-insight-get-details insight-id=INSIGHT-116

Human Readable Output

Insight Details:

| Id | Readable Id | Name | Action | Status | Assignee | Description | Last Updated | Last Updated By | Severity | Closed | Closed By | Timestamp | Entity | Resolution |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| c6c97d84-983d-303e-a03b-86f53d657fc8 | INSIGHT-116 | Lateral Movement with Discovery and Credential Access | | Closed | | Initial Access, Lateral Movement, Discovery, Initial Access, Credential Access | 2021-05-10T23:48:10.016204 | | HIGH | 2021-05-10T23:48:09.961023 | obfuscated@email.com | 2021-02-18T22:04:08.330000 | 1.2.3.4 | No Action |

sumologic-sec-insight-add-comment

Add a comment to a specific Insight ID. (Users can also post and update comments on the Sumo Logic Cloud SIEM portal for any Insight ID.)

Base Command

sumologic-sec-insight-add-comment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insight_id | The insight ID for which to add a comment. | Required |
| comment | The comment to be added. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.InsightComments.Id | String | ID of comment |
| SumoLogicSec.InsightComments.Body | String | Comment contents |
| SumoLogicSec.InsightComments.Author | String | User that created the comment |
| SumoLogicSec.InsightComments.Timestamp | Date | Comment created timestamp |
| SumoLogicSec.InsightComments.InsightId | String | The ID of the Insight |

Command Example

!sumologic-sec-insight-add-comment insight-id=INSIGHT-116 comment="This is an example comment"

Human Readable Output

Insight Comment:

| Id | Insight Id | Author | Body | Last Updated | Timestamp |
| --- | --- | --- | --- | --- | --- |
| 2 | INSIGHT-116 | obfuscated@email.com | This is an example comment | | 2021-04-23T00:38:43.977543 |

sumologic-sec-insight-get-comments

Get comments for a specific Insight ID. (Users can post and update comments on the Sumo Logic Cloud SIEM portal for any Insight ID.)

Base Command

sumologic-sec-insight-get-comments

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insight_id | The insight ID for which to retrieve comments. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.InsightComments.Id | String | ID of comment |
| SumoLogicSec.InsightComments.Body | String | Comment contents |
| SumoLogicSec.InsightComments.Author | String | User that created the comment |
| SumoLogicSec.InsightComments.Timestamp | Date | Comment created timestamp |
| SumoLogicSec.InsightComments.InsightId | String | The ID of the Insight |

Command Example

!sumologic-sec-insight-get-comments insight-id=INSIGHT-116

Human Readable Output

Insight Comments:

| Id | Insight Id | Author | Body | Last Updated | Timestamp |
| --- | --- | --- | --- | --- | --- |
| 2 | INSIGHT-116 | obfuscated@email.com | This is an example comment | | 2021-04-23T00:38:43.977543 |

sumologic-sec-signal-get-details

Get Signal details for a specific Signal ID. This command references Signals in Sumo Logic Cloud SIEM, which are created when records exhibit suspicious properties and match patterns or other detection logic.

Base Command

sumologic-sec-signal-get-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signal_id | The signal to retrieve details for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.Signal.ContentType | String | Type of content that triggered the Signal |
| SumoLogicSec.Signal.Description | String | Description of the Signal |
| SumoLogicSec.Signal.Entity | String | Entity name associated with the Signal |
| SumoLogicSec.Signal.Id | String | The ID of the Signal |
| SumoLogicSec.Signal.Name | String | The name of the Signal |
| SumoLogicSec.Signal.RecordCount | Number | Number of records associated with the Signal |
| SumoLogicSec.Signal.RuleId | String | Rule ID associated with the Signal |
| SumoLogicSec.Signal.Severity | Number | The severity of the Signal |
| SumoLogicSec.Signal.Stage | String | The stage of the Signal |
| SumoLogicSec.Signal.Suppressed | Boolean | Whether or not the Signal was suppressed |
| SumoLogicSec.Signal.Timestamp | Date | Signal timestamp |

Command Example

!sumologic-sec-signal-get-details signal-id=e0e7096b-2f91-5b72-b1a2-db48ce882dfc

Human Readable Output

Signal Details:

| Id | Name | Rule Id | Description | Severity | Content Type | Timestamp | Entity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| e0e7096b-2f91-5b72-b1a2-db48ce882dfc | Potential malicious JVM download | LEGACY-S00062 | A document was downloaded and opened followed by a file download using a Java user-agent. | 4 | RULE | 2021-02-18T22:04:08.230000 | 1.2.3.4 |

sumologic-sec-entity-get-details

Get entity details for a specific entity ID.

Base Command

sumologic-sec-entity-get-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entity-id | The entity to retrieve details for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.Entity.ActivityScore | Number | Entity Activity Score |
| SumoLogicSec.Entity.FirstSeen | Date | When the Entity was first seen |
| SumoLogicSec.Entity.Hostname | String | Entity hostname |
| SumoLogicSec.Entity.Id | String | Entity ID |
| SumoLogicSec.Entity.IsWhitelisted | Boolean | Whether or not the Entity is on the allow list |
| SumoLogicSec.Entity.LastSeen | Date | When the Entity was last seen |
| SumoLogicSec.Entity.Name | String | The Entity name |
| SumoLogicSec.Entity.OperatingSystem | String | Entity Operating System (observed or from inventory) |
| SumoLogicSec.Entity.InventoryData | Boolean | Whether or not this Entity was ingested from inventory, e.g. Active Directory |

Command Example

!sumologic-sec-entity-get-details entity-id=_hostname-win10--admin.obfuscated

Human Readable Output

Entity Details:

| Id | Name | First Seen | Last Seen | Activity Score | Is Whitelisted | Operating System | Inventory Data |
| --- | --- | --- | --- | --- | --- | --- | --- |
| _hostname-win10--admin.obfuscated | win10-admin.obfuscated | | 2021-04-21T14:43:38.526000 | 9 | false | Windows 10 Enterprise | true |

sumologic-sec-insight-search

Search insights using the available filters.

Base Command

sumologic-sec-insight-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Use a query string to search; see the API documentation for more details. | Optional |
| created | When the insight was created. Defaults to 'All time' if no time arguments are specified. Possible values are: All time, Last week, Last 48 hours, Last 24 hours. | Optional |
| status | Comma separated list of values from the options: new, inprogress, closed. | Optional |
| asignee | User assigned to Insights. | Optional |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| limit | The maximum number of items to return. Default is 10. | Optional |
| record_summary_fields | Record Summary Fields to include in the output (override default fields). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.InsightList.Assignee | String | User or team assigned to the Insight |
| SumoLogicSec.InsightList.Closed | Date | Closed date |
| SumoLogicSec.InsightList.ClosedBy | String | Closed by user |
| SumoLogicSec.InsightList.Created | Date | Created date |
| SumoLogicSec.InsightList.Description | String | Description of the Insight |
| SumoLogicSec.InsightList.Entity | String | Entity name associated with the Insight |
| SumoLogicSec.InsightList.Id | String | The ID of the Insight |
| SumoLogicSec.InsightList.LastUpdated | Date | The time the Insight was last updated |
| SumoLogicSec.InsightList.LastUpdatedBy | String | The last user to update the Insight |
| SumoLogicSec.InsightList.Name | String | The name of the Insight |
| SumoLogicSec.InsightList.ReadableId | String | The ID of the Insight in readable form |
| SumoLogicSec.InsightList.RecordSummaryFields | Array | Record Summary Fields associated with the Insight |
| SumoLogicSec.InsightList.Resolution | String | Resolution for closed Insight |
| SumoLogicSec.InsightList.Severity | String | The severity of the Insight |
| SumoLogicSec.InsightList.Signals.contentType | String | Type of content that triggered the Signal |
| SumoLogicSec.InsightList.Signals.description | String | Description of the Signal |
| SumoLogicSec.InsightList.Signals.id | String | The ID of the Signal |
| SumoLogicSec.InsightList.Signals.name | String | The name of the Signal |
| SumoLogicSec.InsightList.Signals.recordCount | Number | Number of records associated with the Signal |
| SumoLogicSec.InsightList.Signals.ruleId | String | Rule ID associated with the Signal |
| SumoLogicSec.InsightList.Signals.severity | Number | The severity of the Signal |
| SumoLogicSec.InsightList.Signals.stage | String | The stage of the Signal |
| SumoLogicSec.InsightList.Signals.timestamp | Date | Signal timestamp |
| SumoLogicSec.InsightList.Source | String | The source of the Insight |
| SumoLogicSec.InsightList.Status | String | The status of the Insight |
| SumoLogicSec.InsightList.TimeToDetection | Number | Insight time to detection |
| SumoLogicSec.InsightList.TimeToRemediation | Number | Insight time to remediation |
| SumoLogicSec.InsightList.TimeToResponse | Number | Insight time to response |
| SumoLogicSec.InsightList.Timestamp | Date | Insight timestamp |

Command Example

!sumologic-sec-insight-search query="timestamp:>\"2021-02-01T05:00:00+00:00\" status:\"closed\" AND severity:>\"MEDIUM\"" limit=3

Human Readable Output

Insights:

| Id | Readable Id | Name | Action | Status | Assignee | Description | Last Updated | Last Updated By | Severity | Closed | Closed By | Timestamp | Entity | Resolution |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 00853cdd-763e-3e31-a2e4-f74277922f9f | INSIGHT-220 | Command and Control with Defense Evasion and Execution | | Closed | | Initial Access, Command and Control, Defense Evasion, Execution | 2021-03-23T20:06:51.565599 | | HIGH | 2021-03-23T20:06:51.511505 | obfuscated@email.com | 2021-02-22T16:27:51 | testcomputer.somedomain.net | No Action |
| eefdff8d-7447-3b47-83e0-66a0b210d618 | INSIGHT-219 | Discovery with Credential Access and Execution | | Closed | | Initial Access, Credential Access, Initial Access, Execution, Discovery, Credential Access | 2021-03-23T21:21:55.029798 | | HIGH | 2021-03-23T21:21:54.914061 | obfuscated@email.com | 2021-02-22T16:24:07.959000 | 1.2.3.4 | No Action |
| 8a77d12e-5905-3401-ae7c-2e17b1fd3060 | INSIGHT-221 | Privilege Escalation with Persistence and Execution | | Closed | obfuscated@email.com | Execution, Privilege Escalation, Persistence, Execution | 2021-05-12T21:47:08.297222 | | HIGH | 2021-05-12T21:47:08.132251 | obfuscated@email.com | 2021-02-22T16:24:07.959000 | 5.6.7.8 | No Action |

sumologic-sec-signal-search

Search signals using the available filters.

Base Command

sumologic-sec-signal-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Use a query string to search; see the API documentation for more details. | Optional |
| created | When the Signal was created. Defaults to 'All time' if no time arguments are specified. Possible values are: All time, Last week, Last 48 hours, Last 24 hours. Default is All time. | Optional |
| contentType | Content type associated with the signals. Possible values are: ANOMALY, DEFAULT, THREATINTEL, RULE. | Optional |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| limit | The maximum number of items to return. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.SignalList.ContentType | String | Type of content that triggered the Signal |
| SumoLogicSec.SignalList.Description | String | Description of the Signal |
| SumoLogicSec.SignalList.Entity | String | Entity name associated with the Signal |
| SumoLogicSec.SignalList.Id | String | The ID of the Signal |
| SumoLogicSec.SignalList.Name | String | The name of the Signal |
| SumoLogicSec.SignalList.RecordCount | Number | Number of records associated with the Signal |
| SumoLogicSec.SignalList.RuleId | String | Rule ID associated with the Signal |
| SumoLogicSec.SignalList.Severity | Number | The severity of the Signal |
| SumoLogicSec.SignalList.Stage | String | The stage of the Signal |
| SumoLogicSec.SignalList.Suppressed | Boolean | Whether or not the Signal was suppressed |
| SumoLogicSec.SignalList.Timestamp | Date | Signal timestamp |

Command Example

!sumologic-sec-signal-search query="timestamp:NOW-7D..NOW name:contains(\"Internal\")"

Human Readable Output

Signals:

| Id | Name | Entity | Rule Id | Description | Severity | Stage | Timestamp | Content Type | Tags |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| b50fd570-341b-576d-85b5-8b5cd17c0aee | IP Address Scan - Internal | 1.2.3.4 | LEGACY-S00050 | A scan of IP addresses | 3 | Discovery | 2021-04-22T04:08:13.514000 | RULE | _mitreAttackTactic:TA0007, _mitreAttackTactic:TA0043, _mitreAttackTechnique:T1046, _mitreAttackTechnique:T1595 |

sumologic-sec-entity-search

Search entities using the available filters.

Base Command

sumologic-sec-entity-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Use a query string to search; see the API documentation for more details. | Optional |
| ip | IP address to search for, e.g. 1.2.3.4. | Optional |
| hostname | Hostname to search for, e.g. host.example.com. | Optional |
| username | Username to search for, e.g. admin. | Optional |
| type | Entity type to search for. Possible values are: username, hostname, ip, mac. | Optional |
| whitelisted | Whether the Entity is whitelisted. Possible values are: true, false. | Optional |
| tag | Tag contains value. | Optional |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| limit | The maximum number of items to return. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.EntityList.ActivityScore | Number | Entity Activity Score |
| SumoLogicSec.EntityList.FirstSeen | Date | When the Entity was first seen |
| SumoLogicSec.EntityList.Id | String | Entity ID |
| SumoLogicSec.EntityList.IpHostname | String | Hostname associated with IP Entity |
| SumoLogicSec.EntityList.IsWhitelisted | Boolean | Whether or not the Entity is on the allow list |
| SumoLogicSec.EntityList.LastSeen | Date | When the Entity was last seen |
| SumoLogicSec.EntityList.Name | String | The Entity name |
| SumoLogicSec.EntityList.OperatingSystem | String | Entity Operating System (observed or from inventory) |
| SumoLogicSec.EntityList.InventoryData | Boolean | Whether or not this Entity was ingested from inventory, e.g. Active Directory |
| SumoLogicSec.EntityList.Hostname | String | Entity hostname |
| SumoLogicSec.EntityList.Department | String | Username Entity department |
| SumoLogicSec.EntityList.EmployeeId | String | Username Entity employee ID |

Command Example

!sumologic-sec-entity-search query="type:\"ip\" activityScore:>=3"

Human Readable Output

Entities:

| Id | Name | First Seen | Last Seen | Activity Score | Is Whitelisted | Operating System | Inventory Data |
| --- | --- | --- | --- | --- | --- | --- | --- |
| _ip-specops_analysis_lab-1.2.3.4 | 1.2.3.4 | | 2021-04-22T04:08:13.514000 | 3 | false | | false |

sumologic-sec-insight-set-status

Change the status of an Insight.

Base Command

sumologic-sec-insight-set-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| insight_id | The insight to change status for. | Required |
| status | The desired Insight status. Possible values are: new, inprogress, closed. Default is in-progress. | Optional |
| resolution | Resolution for closing the Insight. Possible values are: Resolved, False Positive, No Action, Duplicate. Default is Resolved. | Optional |
| sub_resolution | Custom sub-resolution for closing the Insight. If populated, it overrides the resolution field. Make sure the value exactly matches a resolution defined in your Sumo Logic instance. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.Insight.Assignee | String | User or team assigned to the Insight |
| SumoLogicSec.Insight.Closed | Date | Closed date |
| SumoLogicSec.Insight.ClosedBy | String | Closed by user |
| SumoLogicSec.Insight.Created | Date | Created date |
| SumoLogicSec.Insight.Description | String | Description of the Insight |
| SumoLogicSec.Insight.Entity | String | Entity name associated with the Insight |
| SumoLogicSec.Insight.Id | String | The ID of the Insight |
| SumoLogicSec.Insight.LastUpdated | Date | The time the Insight was last updated |
| SumoLogicSec.Insight.LastUpdatedBy | String | The last user to update the Insight |
| SumoLogicSec.Insight.Name | String | The name of the Insight |
| SumoLogicSec.Insight.ReadableId | String | The ID of the Insight in readable form |
| SumoLogicSec.Insight.Resolution | String | Resolution for closed Insight |
| SumoLogicSec.Insight.Severity | String | The severity of the Insight |
| SumoLogicSec.Insight.Signals.contentType | String | Type of content that triggered the Signal |
| SumoLogicSec.Insight.Signals.description | String | Description of the Signal |
| SumoLogicSec.Insight.Signals.id | String | The ID of the Signal |
| SumoLogicSec.Insight.Signals.name | String | The name of the Signal |
| SumoLogicSec.Insight.Signals.recordCount | Number | Number of records associated with the Signal |
| SumoLogicSec.Insight.Signals.ruleId | String | Rule ID associated with the Signal |
| SumoLogicSec.Insight.Signals.severity | Number | The severity of the Signal |
| SumoLogicSec.Insight.Signals.stage | String | The stage of the Signal |
| SumoLogicSec.Insight.Signals.timestamp | Date | Signal timestamp |
| SumoLogicSec.Insight.Source | String | The source of the Insight |
| SumoLogicSec.Insight.Status | String | The status of the Insight |
| SumoLogicSec.Insight.TimeToDetection | Number | Insight time to detection |
| SumoLogicSec.Insight.TimeToRemediation | Number | Insight time to remediation |
| SumoLogicSec.Insight.TimeToResponse | Number | Insight time to response |
| SumoLogicSec.Insight.Timestamp | Date | Insight timestamp |

Command Example

!sumologic-sec-insight-set-status insight-id=INSIGHT-116 status=closed resolution="No Action"

Human Readable Output

Insight Details:

| Id | Readable Id | Name | Action | Status | Assignee | Description | Last Updated | Last Updated By | Severity | Closed | Closed By | Timestamp | Entity | Resolution |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| c6c97d84-983d-303e-a03b-86f53d657fc8 | INSIGHT-116 | Lateral Movement with Discovery and Credential Access | | Closed | | Initial Access, Lateral Movement, Discovery, Initial Access, Credential Access | 2021-05-13T01:28:32.648352 | | HIGH | 2021-05-13T01:28:32.580039 | obfuscated@email.com | 2021-02-18T22:04:08.330000 | 1.2.3.4 | No Action |

sumologic-sec-match-list-get

Get match lists.

Base Command

sumologic-sec-match-list-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| limit | Number of match lists returned. Default is 10. | Optional |
| sort | Sort expression. Default is name. | Optional |
| sortDir | Sort direction. Possible values are: ASC, DESC. Default is ASC. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.MatchLists.Created | String | When the Match List was created |
| SumoLogicSec.MatchLists.CreatedBy | String | User that created the Match List |
| SumoLogicSec.MatchLists.DefaultTtl | Number | Default TTL for entries in the Match List |
| SumoLogicSec.MatchLists.Description | String | Description of the Match List |
| SumoLogicSec.MatchLists.Id | String | ID of the Match List |
| SumoLogicSec.MatchLists.LastUpdated | String | When the Match List was last updated |
| SumoLogicSec.MatchLists.LastUpdatedBy | String | The last user to update the Match List |
| SumoLogicSec.MatchLists.Name | String | Name of Match List |
| SumoLogicSec.MatchLists.TargetColumn | String | Match List Target Column |

Command Example

!sumologic-sec-match-list-get limit=3

Human Readable Output

Match lists:

| Id | Name | Target Column | Default Ttl |
| --- | --- | --- | --- |
| 173 | admin_ips | SrcIp | 0 |
| 24 | auth_servers | Ip | |
| 162 | auth_servers_dst | DstIp | |

sumologic-sec-match-list-update

Add an item to a match list.

Base Command

sumologic-sec-match-list-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| match_list_id | ID of match list. | Required |
| active | Item active or disabled. | Required |
| description | Description of match list item. | Required |
| expiration | Expiration of match list item, e.g. "2021-03-25T23:52:23.508Z". | Required |
| value | Value of match list item. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.UpdateResult.Result | String | Result (Success or Failed) |
| SumoLogicSec.UpdateResult.Server response | Boolean | Server response (True or False) |

Command Example

!sumologic-sec-match-list-update match-list-id=166 description="My description" expiration=2021-04-25T22:36:10.925Z value="10.20.30.40" active=true

Human Readable Output

Result:

| Result | Server Response |
| --- | --- |
| Success | true |

sumologic-sec-threat-intel-search-indicators

Search Threat Intel Indicators.

Base Command

sumologic-sec-threat-intel-search-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| q | Use a query string to search; see the API documentation for more details. | Optional |
| value | The value to search for. | Required |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| limit | The number of items to return. Default is 10. | Optional |
| sourceIds | Comma separated list of threat intelligence source IDs to search, e.g. 1,2,3. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.ThreatIntelIndicators.Active | Boolean | Whether or not the Threat Intel Indicator is Active |
| SumoLogicSec.ThreatIntelIndicators.Expiration | Date | Date and time the Threat Intel Indicator is set to expire |
| SumoLogicSec.ThreatIntelIndicators.Id | String | ID of Threat Intel Indicator |
| SumoLogicSec.ThreatIntelIndicators.Meta.created.username | String | User that created the Threat Intel Indicator |
| SumoLogicSec.ThreatIntelIndicators.Meta.created.when | Date | When the Threat Intel Indicator was created |
| SumoLogicSec.ThreatIntelIndicators.Meta.description | String | Description of Threat Intel Indicator |
| SumoLogicSec.ThreatIntelIndicators.Meta.updated | Date | When the Threat Intel Indicator was last updated |
| SumoLogicSec.ThreatIntelIndicators.Value | String | Value of Threat Intel Indicator |

Command Example

!sumologic-sec-threat-intel-search-indicators value=1.2.3.4 sourceIds=54

Human Readable Output

Threat Intel Indicators:

| Id | Value | Active | Expiration |
| --- | --- | --- | --- |
| f396ae69aa223c049ff639b3649ba1dd6465ec74397c3126916786bbcd6d76017468726561745f49705f44656d6973746f5f54657374 | 1.2.3.4 | true | 2021-04-29T00:00:00 |

sumologic-sec-threat-intel-get-sources

Get Threat Intel Sources.

Base Command

sumologic-sec-threat-intel-get-sources

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The number of items to skip before starting to collect the result set. Default is 0. | Optional |
| limit | The number of items to return. Default is 10. | Optional |
| sort | Sort expression. Default is name. | Optional |
| sortDir | Sort direction. Possible values are: ASC, DESC. Default is ASC. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.ThreatIntelSources.Created | String | When the Threat Intel Source was created |
| SumoLogicSec.ThreatIntelSources.CreatedBy | String | User that created the Threat Intel Source |
| SumoLogicSec.ThreatIntelSources.Description | String | Description of Threat Intel Source |
| SumoLogicSec.ThreatIntelSources.Id | String | ID of Threat Intel Source |
| SumoLogicSec.ThreatIntelSources.LastUpdated | String | When the Threat Intel Source was last updated |
| SumoLogicSec.ThreatIntelSources.LastUpdatedBy | String | User that last updated the Threat Intel Source |
| SumoLogicSec.ThreatIntelSources.Name | String | Name of Threat Intel Source |
| SumoLogicSec.ThreatIntelSources.SourceType | String | Source type of Threat Intel Source |

Command Example

!sumologic-sec-threat-intel-get-sources limit=3

Human Readable Output

Threat intel sources:

| Id | Name | Description | Source Type |
| --- | --- | --- | --- |
| 35 | abuse.ch | | CUSTOM |
| 25 | Alienvault OTX | Alienvault | TAXII |
| 24 | Anomali | | TAXII |

sumologic-sec-threat-intel-update-source

Add a Threat Intel Indicator to a Threat Intel Source.

Base Command

sumologic-sec-threat-intel-update-source

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat-intel-source-id | ID of Threat Intel Source. | Required |
| active | Indicator active or disabled. Default is true. | Required |
| description | Description of indicator. | Required |
| expiration | Expiration of the indicator, e.g. "2021-03-25T23:52:23.508Z". | Required |
| value | Indicator value. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| SumoLogicSec.UpdateResult.Result | String | Result (Success or Failed) |
| SumoLogicSec.UpdateResult.Server response | Boolean | Server response (True or False) |

Command Example

!sumologic-sec-threat-intel-update-source threat-intel-source-id=54 active=true value=1.2.3.4 description=test expiration=2021-04-29T00:00:00.000Z

Human Readable Output

Result:

| Result | Server Response |
| --- | --- |
| Success | true |
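Both sumologic-sec-match-list-update and sumologic-sec-threat-intel-update-source take the same four item arguments (active, description, expiration, value), and an automation that feeds them from a playbook should check an entry before it is pushed: the value must fit the list's target column, the expiration must be in the documented UTC form and still in the future, and the description must not be empty, since it is the only record of why the entry exists. The following Python is an added example written for this page, not the integration's own code. The target column names (SrcIp, DstIp, Ip), the expiration format and the sample values come from the command examples above; the ListEntry shape and the helper names are this example's own assumptions.

```python
"""Validate an entry before handing it to sumologic-sec-match-list-update or
sumologic-sec-threat-intel-update-source.

Added example, not the integration's own code. Target column names (SrcIp, DstIp,
Ip), the expiration format "2021-03-25T23:52:23.508Z" and the sample values come
from the page; ListEntry, the helper names and the rules are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Union

# Match-list target columns shown on this page whose values must be IP addresses.
IP_COLUMNS = frozenset({"SrcIp", "DstIp", "Ip"})


@dataclass(frozen=True)
class ListEntry:
    """One item destined for a match list or a threat intel source."""
    value: str
    description: str
    expiration: str                        # ISO 8601, UTC, trailing Z
    active: bool = True
    target_column: Optional[str] = None    # match lists only; None for threat intel sources


def parse_expiration(expiration: str) -> datetime:
    """Parse the documented expiration form and reject anything else."""
    if not expiration.endswith("Z"):
        raise ValueError("expiration must be UTC and end with 'Z'")
    try:
        parsed = datetime.fromisoformat(expiration[:-1])
    except ValueError as exc:
        raise ValueError(f"expiration is not ISO 8601: {expiration!r}") from exc
    return parsed.replace(tzinfo=timezone.utc)


def validate_entry(entry: ListEntry, now: datetime) -> List[str]:
    """Return the problems found; an empty list means the entry may be submitted."""
    problems: List[str] = []
    if not entry.value.strip():
        problems.append("value is empty")
    elif entry.target_column in IP_COLUMNS:
        try:
            ipaddress.ip_address(entry.value)
        except ValueError:
            problems.append(
                f"{entry.value!r} is not an IP address, but column "
                f"{entry.target_column} expects one"
            )
    if not entry.description.strip():
        # Both commands require a description; insist on something meaningful
        # so the entry can later be traced back to a ticket or an analyst.
        problems.append("description is empty")
    try:
        expires = parse_expiration(entry.expiration)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if expires <= now:
            problems.append(f"expiration {entry.expiration} is already in the past")
    return problems


def to_arguments(entry: ListEntry, now: datetime) -> Dict[str, Union[str, bool]]:
    """Return the arguments in the shape both commands take, or raise if invalid."""
    problems = validate_entry(entry, now)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "active": entry.active,
        "description": entry.description,
        "expiration": entry.expiration,
        "value": entry.value,
    }


if __name__ == "__main__":
    # Sample values taken from the match-list-update command example above.
    sample = ListEntry("10.20.30.40", "My description", "2021-04-25T22:36:10.925Z",
                       target_column="SrcIp")
    print(to_arguments(sample, datetime(2021, 4, 1, tzinfo=timezone.utc)))
```

The target column comes from sumologic-sec-match-list-get (the Target Column field); for a threat intel source leave it unset and only the description and expiration rules apply. Rejecting an entry whose expiration has already passed matters because an expired item is accepted by the command but never matches anything, so the automation would report Success while adding nothing.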