Sumo Logic

You can configure Cisco Panoptica to send event information to Sumo Logic.

Configure Sumo Logic

On Sumo Logic, you will add and configure a Hosted Collector, and add an HTTP data source to it. The data source has an HTTP endpoint URL, which Panoptica uses to send events.
You can configure the collector to accept one or more Panoptica event types (alerts, notifications, etc.). You can also configure more than one collector, to send specific event types to different collectors.

  1. Sign in to the Sumo Logic web app, navigate to Manage Data in the navigation pane on the left, and select Collection.
  2. Click Add Collector, on the right.
  3. Select Hosted Collector as the Collector Type.
  4. Enter a name and description for the collector, and click Save.
  5. Click OK to add a data source to the collector, and select HTTP Logs & Metrics.
  6. Enter a name for the data source (e.g., Panoptica source). Leave the other fields unchanged from their default values.
  7. Click Save.
  8. Copy the HTTP Source Address URL (used in the PS configuration below).

Configure Panoptica

On Panoptica, Sumo Logic will be added as an external Event Forwarding Integration.

  1. Sign in to Panoptica, and then navigate to the Integrations page in System.
  2. Scroll to the Event Forwarding section, and then click New Events Forwarding.
  3. Select type Sumo Logic.
  4. Enter a name for the integration, as it will appear in Panoptica.
  5. Enter the HTTP Source Address, from above, as the URL.
  6. Select which types of events will be sent to Sumo Logic, as follows:
    • Alerts - blocked and detected events
    • Notifications - every other event (allowed events)
    • Administrative event - events from the Panoptica Audit, generated when a user creates, deletes, or edits something in Panoptica
    • Vulnerability - a vulnerability scan detected a vulnerability whose severity is higher than the maximum permissible level
  7. Click Test connection to check the connection to Sumo Logic.
  8. Click FINISH.

Data structure

On Sumo Logic, you can create field extraction rules to parse incoming event information, and search for specific fields and values. You can use these in searches, and to generate real-time alerts on Sumo Logic.

The data block below is the JSON that Panoptica sends for a single event.

{
  "eventSeverity":"ALERT",
  "eventType":"WORKLOAD_UP",
  "statement":"Detected workload creation. Workload 'sleep' is running ",
  "creationTime":"2020-06-23 09:12:38.576",
  "ruleName":"Default rule",
  "action":"DETECT",
  "workloadName":"sleep",
  "workloadType":"pod",
  "environment":"no env",
  "cluster":"Finance",
  "namespace":"tomer"
}
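As an added example (not part of the Panoptica documentation), the Sumo Logic search below parses the fields shown in the event above and summarises, per cluster, namespace and rule, how many alerts were only detected rather than blocked; such a search can be saved as a scheduled search to raise a real-time alert. It assumes the HTTP source was named "Panoptica source" as in the steps above, and that blocked events carry an action value other than "DETECT".

```sumo
// Hypothetical source name from the collector setup steps above
_source="Panoptica source"
// Pull the fields of the Panoptica event JSON out of the raw message
| json field=_raw "eventSeverity", "eventType", "action", "ruleName", "cluster", "namespace", "workloadName"
    as severity, event_type, action, rule, cluster, namespace, workload
// Keep only the Alerts category (blocked and detected events)
| where severity = "ALERT"
// Flag events where the rule observed the workload but did not stop it
| if(action = "DETECT", 1, 0) as detected_only
| sum(detected_only) as detected_only, count as alerts by cluster, namespace, rule
| sort by detected_only
```

Run it over a short time range first; an unexpectedly empty result usually means the `_source` name does not match the HTTP source you created.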