Sumo Logic Cloud SIEM

Sumo Logic Cloud SIEM provides threat detection and incident response for modern IT environments. This content pack will allow you to apply automation to perform actual SOC analyst workflows. Using this content pack you will be able to fetch Incidents via Insights, update status of an Insight, add items to match list, add Threat Intel Indicators to Threat Intel Sources, and so on.

The integration in this pack enables interactions with Sumo Logic Cloud SIEM. It can be used to fetch Incidents via Insights, update status of an Insight, add items to match list, search Entities/Signals/Insights/Threat Intel indicators, and more.

What does this pack do?

This pack enables you to run commands that:

Fetch Incidents via Insights
Search Entities, Signals, Insights and Threat Intel indicators
Change status of Insight
Get Insight comments
Add items to match list
Add Threat Intel Indicators to Threat Intel Sources
Mirror IN and OUT Sumo Logic Insights and Signals to XSOAR incidents

Note: This pack replaces the legacy JASK pack. For further details about the migration from JASK, visit our reference docs.

What does this pack do?

This pack enables you to run commands that:

Fetch Incidents via Insights
Search Entities, Signals, Insights and Threat Intel indicators
Change status of Insight
Get Insight comments
Add items to match list
Add Threat Intel Indicators to Threat Intel Sources
Mirror IN and OUT Sumo Logic Insights and Signals to XSOAR incidents

Note: This pack replaces the legacy JASK pack. For further details about the migration from JASK, visit our reference docs.

Automations

Name	Description
SumoLogicCloseLinkSignalIncidents	Close the linked signal incidents when the main Insight incident is closed.
SumoLogicLinkSignalIncidents	Command to link associated Signal Incidents to the Insight Incident.

Classifiers

Name	Description
Sumo Logic Cloud SIEM Classifier	Classifier for Sumo Logic Insight and Signal
Sumo Logic Insight Classifier	Classifier for Sumo Logic Insight and Signal
Sumo Logic Insight - Mapper	Sumo Logic Cloud SIEM Mapper

Incident Fields

Name	Description
Sumo Logic Cloud SIEM Signal Records
Sumo Logic Cloud SIEM Insight Signals	List of Insight Signals
Sumo Logic Cloud SIEM Signal Entity	Entity associated with Signal
Sumo Logic Cloud SIEM Insight URL	Sumo URL for the Insight
Sumo Logic Cloud SIEM Insight Entity	Entity associated with Insight
Sumo Logic Cloud SIEM Record Fields	Deprecated. Please use Sumo Logic Cloud SIEM Record Fields JSON instead
Sumo Logic Cloud SIEM Insight Involved Entities	Entities involved with Insight
Sumo Logic Cloud SIEM Record Fields JSON	Sumo Logic Cloud SIEM Record Fields

Incident Types

Name	Description
Sumo Logic Signal
Sumo Logic Insight

Integrations

Name	Description
Sumo Logic Cloud SIEM (Partner Contribution)	Freeing the analyst with autonomous decisions.

Layouts

Name	Description
Sumo Logic Signal	Layout for Sumo Logic Signal Incident
Sumo Logic Insight	Layout for Sumo Logic Insight Incident

Playbooks

Name	Description
Sumo Logic Cloud SIEM - Link Signal Incidents	Playbook to link Sumo Logic Signal Incidents to the corresponding Insight Incident

Automations

Name	Description
SumoLogicLinkSignalIncidents	Command to link associated Signal Incidents to the Insight Incident.
SumoLogicLinkSignalAlerts	Command to link associated Signal Alerts to the Insight Alert.
SumoLogicCloseLinkSignalIncidents	Close the linked signal incidents when the main Insight incident is closed.
SumoLogicCloseLinkSignalAlerts	Close the linked signal alerts when the main Insight alert is closed.

Classifiers

Name	Description
Sumo Logic Insight Classifier	Classifier for Sumo Logic Insight and Signal
Sumo Logic Cloud SIEM Classifier	Classifier for Sumo Logic Insight and Signal
Sumo Logic Insight - Mapper	Sumo Logic Cloud SIEM Mapper

Incident Fields

Name	Description
Sumo Logic Cloud SIEM Signal Entity	Entity associated with Signal
Sumo Logic Cloud SIEM Record Fields	Deprecated. Please use Sumo Logic Cloud SIEM Record Fields JSON instead
Sumo Logic Cloud SIEM Signal Records
Sumo Logic Cloud SIEM Insight Entity	Entity associated with Insight
Sumo Logic Cloud SIEM Insight Involved Entities	Entities involved with Insight
Sumo Logic Cloud SIEM Record Fields JSON	Sumo Logic Cloud SIEM Record Fields
Sumo Logic Cloud SIEM Insight URL	Sumo URL for the Insight
Sumo Logic Cloud SIEM Insight Signals	List of Insight Signals

Incident Types

Name	Description
Sumo Logic Signal
Sumo Logic Insight

Integrations

Name	Description
Sumo Logic Cloud SIEM (Partner Contribution)	Freeing the analyst with autonomous decisions.

Playbooks

Name	Description
Sumo Logic Cloud SIEM - Link Signal Alerts	Playbook to link Sumo Logic Signal Alerts to the corresponding Insight Alert

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.1.25 - 1647729 (November 14, 2024)

Integrations

Sumo Logic Cloud SIEM

Added the ability to enter custom resolutions when setting the insight status to closed when calling sumologic-sec-insight-set-status command.

Related pull requests:
- 37133
- 37196

Download

1.1.24 - 998827 (May 6, 2024)

Incident Fields

Sumo Logic Cloud SIEM Record Fields
Deprecated. Please use new Sumo Logic Cloud SIEM Record Fields JSON for better visibility.
Sumo Logic Cloud SIEM Record Fields JSON
Updated to be of type markdown for better visibility.

Integrations

Sumo Logic Cloud SIEM

Updated fields and the view of the signal associated records for better visibility and usability.
Updated the Docker image to: demisto/python3:3.10.14.91134.

Layouts

Sumo Logic Signal
Added formatted view of the records associated with a signal.

Mappers

Sumo Logic Insight - Mapper

Updated to map the fields of "Sumo Logic Cloud SIEM Record Fields JSON" based on JSON mapping for better usability.

Scripts

SumoLogicCloseLinkSignalIncidents

Updated the Docker image to: demisto/python3:3.10.14.91134.

SumoLogicLinkSignalIncidents

Updated the Docker image to: demisto/python3:3.10.14.91134.

Related pull requests:
- 34202
- 33635

Download

1.1.23 - 938811 (April 7, 2024)

Scripts

SumoLogicLinkSignalIncidents

Updated the Docker image to: demisto/python3:3.10.14.90585.

SumoLogicCloseLinkSignalIncidents

Updated the Docker image to: demisto/python3:3.10.14.90585.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.1.22 - 870683 (March 5, 2024)

Incident Fields

Sumo Logic Cloud SIEM Insight Signals
- Fixed a bug when sumourl column has invalid value.

Related pull requests:
- 33219

Download

1.1.21 - 762016 (January 14, 2024)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32183

Download

1.1.20 - 733853 (January 2, 2024)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31878

Download

1.1.19 - 6608983 (October 15, 2023)

Integrations

Sumo Logic Cloud SIEM

For each 'signals' object retrieved from the fetch-incidents command, remove fields that begin with the 'bro' prefix and have values that are either empty lists [], empty strings "", empty tuples (), or empty objects {}.
Updated the Docker image to: demisto/python3:3.10.13.75921.

Related pull requests:
- 30079
- 30149

Download

1.1.18 - R6592021 (October 13, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29341

Download

1.1.17 - 6069807 (August 16, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29000

Download

1.1.16 - 5914533 (July 31, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28612

Download

1.1.15 - R5866730 (July 25, 2023)

Scripts

SumoLogicCloseLinkSignalIncidents

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28182

Download

1.1.14 - 5746599 (July 12, 2023)

Scripts

SumoLogicLinkSignalIncidents

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28088

Download

1.1.13 - R5692327 (July 5, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27709

Download

1.1.12 - 5456534 (June 6, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27243

Download

1.1.11 - 5318720 (May 21, 2023)

Scripts

SumoLogicCloseLinkSignalIncidents

Transform automation names from "incident" to "alert" in XSIAM.
Updated the Docker image to: demisto/python3:3.10.11.58677.

SumoLogicLinkSignalIncidents

Transform automation names from "incident" to "alert" in XSIAM.
Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26365

Download

1.1.10 - 5277943 (May 16, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26476

Download

1.1.9 - R5170573 (May 2, 2023)

Classifiers

Sumo Logic Insight Classifier

Updated to include Sumo Logic Cloud SIEM Signal Incident type

Sumo Logic Cloud SIEM Classifier

New: Added a classifier called Sumo Logic Cloud SIEM classifier for future deprecation of the current classifier Sumo Logic Insight Classifier. It is, however, identical to the classifier Sumo Logic Insight Classifier

Incident Fields

New: Added the field Sumo Logic Cloud SIEM Record Fields to contain the field fields of the first record associated with a Sumo Logic SIEM Signal
Sumo Logic Cloud SIEM Insight Signals
New: Added the field Sumo Logic Cloud SIEM Signal Entity for the Entity element of a Sumo Logic SIEM Signal
New: Added the field Sumo Logic Cloud SIEM Signal Records to contain all records associated with a Sumo Logic SIEM Signal
The field Sumo Logic Cloud SIEM Insight URL is being deprecated. Use the standard XSOAR field External Link instead
Sumo Logic Cloud SIEM Insight Entity
Sumo Logic Cloud SIEM Insight Involved Entities

Incident Types

Sumo Logic Insight
New: Added a new Incident Type called Sumo Logic Signal that will be linked to the corresponding Insight incident for easier analysis and investigation

Integrations

Sumo Logic Cloud SIEM

Updated to support the new Sumo Logic Signal incident type
New: Added a command sumologic-sec-insight-add-comment to add a comment to an existing Sumo Logic Insight:
The integration now supports MIRROR IN and OUT between XSOAR and Sumo Logic Cloud SIEM. Note: The mirror works for Sumo Logic Insight incidents only, as Sumo Logic Signals are immutable by their nature
For Mirror IN, the resolution mappings are: Duplicate -> Duplicate; False Positive -> False Positive; Resolved, No Action -> Resolved; Any custom Sumo Logic Cloud SIEM resolution -> Same custom close reason in XSOAR
For Mirror OUT, the resolution mappings are: Duplicate -> Duplicate; False Positive -> False Positive; Resolved, Other -> Resolved; Any custom XSOAR close reason -> Same custom resolution in Sumo Logic Cloud SIEM
Updated the Docker image to: demisto/python3:3.10.11.54132.

Layouts

New: Sumo Logic Signal
New layout for the new Sumo Logic Signal incident type (Available from Cortex XSOAR 6.5.0).
Sumo Logic Insight
The layout for the Sumo Logic Insight incident type has been updated to better show data around the Insight

Mappers

Sumo Logic Insight - Mapper

The mapper has been updated to map more standard XSOAR fields (e.g External Url, AlertID, Destination IP, etc.) for both the existing Sumo Logic Insight and new Sumo Logic Signal incident type

Playbooks

New: Sumo Logic Cloud SIEM - Link Signal Incidents

Playbook to link Sumo Logic Signal Incidents to the corresponding Insight Incident (Available from Cortex XSOAR 6.8.0).

Scripts

New: SumoLogicLinkSignalIncidents

Command to link associated Signal Incidents to the Insight Incident (Available from Cortex XSOAR 6.5.0).

New: SumoLogicCloseLinkSignalIncidents

Close the linked signal incidents when the main Insight incident is closed (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 25414
- 25818

Download

1.1.8 - 4760018 (March 7, 2023)

Incident Fields

Sumo Logic Cloud SIEM Insight Signals

Related pull requests:
- 25093

Download

1.1.7 - 4718798 (March 1, 2023)

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24958

Download

1.1.6 - R4646022 (February 19, 2023)

Layouts

Sumo Logic Insight
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.1.5 - 3305407 (July 21, 2022)

Classifiers

New: Sumo Logic Insight Classifier

Added the classifier for Sumo Logic Insight.

Incident Fields

New: Sumo Logic Cloud SIEM Insight Signals
Added the new Sumo Logic Cloud SIEM Insight Signals field corresponding to all Sumo Logic Cloud SIEM Signals contributing to the Insight.
New: Sumo Logic Cloud SIEM Insight Entity
Added the new Sumo Logic Cloud SIEM Insight Entity field corresponding to the Sumo Logic Cloud SIEM Entity associated with the Insight.
New: Sumo Logic Cloud SIEM Insight Involved Entities
Added the new Sumo Logic Cloud SIEM Insight Involved Entities field corresponding to all entities involved in the Insight.

Integrations

Sumo Logic Cloud SIEM

Updated the Docker image to: demisto/python3:3.10.5.31928.
Added the new property called SumoUrl to fetched incidents which contains the link to the corresponding Sumo Logic Insight.
Added the new property called SumoUrl to each fetched signal which contains the link to the corresponding Sumo Logic Signal.