Sumo Logic
Actions for Sumo Logic
Send Webhook. Sends a custom set of Lucidum data to Sumo Logic.
Use Cases
Below are the possible use cases for the Send Data action:
If you want to run Lucidum “headless”, you can send relevant data to Sumo Logic on a regular schedule.
You can send data to Sumo Logic for storage, analysis, and threat response.
Prerequisites
A Jira account that has permissions to create tickets.
Workflows
Sumo Logic Configuration

Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.
Sumo Logic Webhook URL. The URL that Sumo Logic will use to receive data from Lucidum. For example, https://endpoint4.collection.sumologic.com/receiver/v1/http/ZaVnC4dhaV15a9nyJDdZ--7dH0HuavO-DxK6U1fER03aXWS5VwSQHJWc6bsWZGkY9a73pPrWbYhNQtg7_AS33r_5qDniR_FRSTzcUEZ6dFdRfl2QKoJZGQ==. The endpoint includes a GUID called a “magic url”. For details on generating the webhook URL in Sumo Logic, see https://help.sumologic.com/docs/send-data/hosted-collectors/http-source/logs-metrics/
Header Key. The “key” part of a key:value pair to include in the webhook header. The default value is Content-Type. This “key” tells Sumo Logic the format of the webhook.
Header Key Value. The “value” part of a key:value pair to include in the webhook header. This “value” tells Sumo Logic the format of the webhook payload. The default value is application/json.
Max # of Records per Payload. The maximum number of records to send to Sumo Logic in each action. The default value is “100”.
Create or Edit an Action
To create an action for Jira Cloud:
In the Create a New Action page, in the General step, enter:
Action Type. Select Send Webhook from the pulldown options.
Configuration Name. Select an action configuration from the pulldown options.
Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.
Description. Description of the action.
Click the Next (>) icon.
In the Filters page, click Configure Filters.
In the Configure Filters for Action page, you define the query for the assets or users that the action will act upon.
For existing actions, these fields are populated with values from the query for this action.
For details on creating and editing queries in Lucidum, see the section on Building Queries.
Click the Apply (page and pencil) icon.
Click the Next (>) icon.
In the Schedule step, enter:
Schedule Type. Define the schedule for the action. Choices are:
Recurrence. Specify a frequency for the recurring schedule.
After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.
Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.
Click the Next (>) icon.
In the Details step, enter the following:
Output Fields. For the records selected with the Filters field, specify the columns to include in the payload. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.
Sumo Logic Payload Template. The data to send to Sumo Logic, in Jinja format. The field includes a default Jinja template that you can edit. The default template creates a JSON list of each key:value pair in the Output Fields field. For details on Jinja, see https://jinja.palletsprojects.com/en/3.1.x/templates/ .
De-dupe Previous Jobs. In this field, you specify whether you want duplicates of asset IDs (if your query is for assets) or user IDs (if your query is for users). You can specify integers between 0 and the number specified in Settings > System Settings > General > Data Settings > Action Result Retention in Days. This setting specifies the number of days that Lucidum stores action results.
If you specify “0” (zero), Lucidum includes all the records from the query in each delivery to Sumo Logic.
If you specify “1” (one), Lucidum examines the previous webhook payload and excludes records for asset IDs or user IDs that were sent in that delivery to Sumo Logic.
If you specify “2” (two), Lucidum examines the last two webhook payloads and excludes records for asset IDs or user IDs that were sent in the previous two deliveries to Sumo Logic.
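The de-dupe window and the Max # of Records per Payload cap described above, modelled as an added example (not Lucidum's code). It reads the description literally: each job records only the IDs it actually sent. The names plan_delivery, simulate and asset_id and the sample records are assumptions constructed for illustration.

```python
import json

def plan_delivery(records, history, dedupe_jobs, max_per_payload=100, id_field="asset_id"):
    """Model one scheduled run (an illustration, not Lucidum's code).

    records      query results for this run (list of dicts)
    history      sets of IDs sent by earlier jobs, oldest first
    dedupe_jobs  the "De-dupe Previous Jobs" value; 0 sends everything
    Returns (payloads, new_history); each payload is a JSON list.
    """
    if dedupe_jobs < 0 or max_per_payload < 1:
        raise ValueError("dedupe_jobs must be >= 0 and max_per_payload >= 1")
    # Only the last N jobs are examined; anything older is forgotten.
    recent = history[-dedupe_jobs:] if dedupe_jobs else []
    already_sent = set().union(*recent)
    fresh = [r for r in records if r[id_field] not in already_sent]
    # Enforce "Max # of Records per Payload" by splitting the delivery.
    payloads = [json.dumps(fresh[i:i + max_per_payload])
                for i in range(0, len(fresh), max_per_payload)]
    return payloads, history + [{r[id_field] for r in fresh}]

def simulate(runs, dedupe_jobs, max_per_payload=100):
    """Return the sorted IDs delivered by each run in sequence."""
    history = []
    for records in runs:
        _, history = plan_delivery(records, history, dedupe_jobs, max_per_payload)
    return [sorted(ids) for ids in history]

# Constructed sample: a3 first appears in the second run's query results.
def _assets(*ids):
    return [{"asset_id": i, "hostname": f"host-{i}"} for i in ids]

RUNS = [_assets("a1", "a2"), _assets("a1", "a2", "a3"), _assets("a1", "a2", "a3")]

if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"de-dupe={n}:", simulate(RUNS, n))
```

Under this literal reading, a value of 1 delivers a1 and a2 again on the third run, because only the immediately preceding payload is examined; a value of 2 suppresses them.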