Sumo Logic alerting
runZero integrates with Sumo Logic to help you visualize your asset data. This helps you track your progress on reducing risk in your asset inventory over time.
Setting up the connection between Sumo Logic and runZero requires:
- Creating a Sumo Logic HTTP Source
- Creating a runZero alert template
- Creating a rule in runZero
- Handling runZero data in Sumo Logic
- Creating a Sumo Logic dashboard (optional)
Step 1: Create a Sumo Logic HTTP Source
- After logging in to Sumo Logic, navigate to Manage Data > Collection.
- Click Add Collector select Hosted Collector, provide a name, such as
runZero Collectorand click save. - If prompted to add a data source, click OK. Otherwise, find your Collector in the list and click Add Source.
- Select the HTTP Logs and Metrics source, provide a name, such as
runZero Alerts, and then click save. - Copy the URL provided to use in step 2.
Step 2: Create a runZero alert template
- Create an alert template in runZero and provide the following details:
- Name: Name for template
- Template type: JSON
- Subject line for message: Leave empty
- Body of message: The following JSON example will include the rule name and the search URL in the alert message body
{"rule_name":"{{rule.name}}","search_url":"{{search.url}}","found": "{{search.found}}","assets_new": "{{scan.assets_new}}"}
- Create an alert channel in runZero and provide the following details:
- Name: Name for alert channel
- Channel type: Webhook
- Webhook URL: The webhook URL you copied from Sumo Logic
Step 3: Create a rule in runZero
Now that you have your alert template and channel created, you will want to identify the triggers to alert on. Some common examples are:
- Asset query results - When there is a match on a query in runZero after a scan completes
- New assets found - When a scan completes with new assets
- Agent offline - When your runZero Explorer stops checking in to the console
- Task failed - When a task fails for any reason.
We will use the asset query results selection as an example for the rest of the steps. Review example queries for ideas on what queries you could create.
- Create a new alert rule.
- Select
asset-query-resultsand click Configure rule. - Input values for the rule:
- Name: name of the rule.
- Conditions: optional parameters that will trigger the alert when all conditions match.
- Query: The query the assets must match.
- Number of matches: The numeric comparison logic for the value.
- Value: The threshold of matches to trigger the rule.
- Limit to organization: Allows you to limit the alert to a specific organization.
- Limit to site: Allows you to limit the alert to a specific site.
- Action:
Notify- Notification channel: Name of the alert channel you created in step 2.
- Notification template: Name of the alert template you created in step 2.
Step 4: Handle runZero data in Sumo Logic
This search will display the raw runZero data
_source="runZero Alerts" and _collector="runZero"
This search will show alerts matching the runZero rule name
_source="runZero Alerts" and _collector="runZero"
| json field=_raw "found" nodrop
| json field=_raw "rule_name" nodrop
| where rule_name = "<RULE NAME>"
This search will create a graph of the data matching the runZero rule name
_source="runZero Alerts" and _collector="runZero"
| json field=_raw "assets_new" nodrop
| toLong(assets_new)
| json field=_raw "found" nodrop
| json field=_raw "search_url" nodrop
| json field=_raw "rule_name" nodrop
| where rule_name = "<RULE NAME>"
| timeslice 1m
| sum(found) by _timeslice
| order by _timeslice
Step 5: Create a dashboard in Sumo Logic (optional)
Now that you know how to look at the data in Sumo Logic and make a graph, you can follow these steps to create a dashboard. You will first create four rules in runZero, then you will import the Sample Sumo Logic Dashboard below.
Create the runZero rules
You will follow the same actions from step 3 to create each of these rules using the form inputs provided.
Assets running a TLS service
- Rule type: asset-query-results
- Name:
Assets running a TLS service - Sumo - Query:
alive:t protocol:tls - Number of matches: is greater than 0
- Notification channel: alert channel created in Step 2
- Notification template: alert template created in Step 2
Multihomed assets - Sumo
- Rule type: asset-query-results
- Name:
Multihomed assets - Sumo - Query:
alive:t AND multi_home:t - Number of matches: is greater than 0
- Notification channel: alert channel created in Step 2
- Notification template: alert template created in Step 2
Assets with OpenSSL - Sumo
- Rule type: asset-query-results
- Name:
Assets with OpenSSL - Sumo - Query:
alive:t product:openssl - Number of matches: is greater than 0
- Notification channel: alert channel created in Step 2
- Notification template: alert template created in Step 2
New assets to Sumo Logic
- Rule type: new-assets-found
- Name:
New assets to Sumo Logic - Number of matches: is greater than 0
- Notification channel: alert channel created in Step 2
- Notification template: alert template created in Step 2
Sample Sumo Logic Dashboard
- Navigate to the library in Sumo Logic.
- Click the options button on the folder you’d like to import to and click
Import.- Name: runZero Alert Metrics
- JSON: Copy from the sample below
- Click
Importto see this dashboard under the folder it was imported to.
{
"type": "DashboardV2SyncDefinition",
"name": "runZero Asset Metrics",
"description": "",
"title": "runZero Asset Metrics",
"theme": "Dark",
"topologyLabelMap": {
"data": {}
},
"refreshInterval": 0,
"timeRange": {
"type": "BeginBoundedTimeRange",
"from": {
"type": "RelativeTimeRangeBoundary",
"relativeTime": "-3d"
},
"to": null
},
"layout": {
"layoutType": "Grid",
"layoutStructures": [
{
"key": "panelPANE-AC8FB3DCBD32DA48",
"structure": "{\"height\":6,\"width\":12,\"x\":0,\"y\":0}"
},
{
"key": "panel3D084A3284252A4E",
"structure": "{\"height\":6,\"width\":12,\"x\":12,\"y\":0}"
},
{
"key": "panelPANE-4389DBF794B13B44",
"structure": "{\"height\":6,\"width\":12,\"x\":0,\"y\":6}"
},
{
"key": "panelPANE-FBE08549B2123A4A",
"structure": "{\"height\":6,\"width\":12,\"x\":12,\"y\":6}"
}
]
},
"panels": [
{
"id": null,
"key": "panelPANE-AC8FB3DCBD32DA48",
"title": "New assets found",
"visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
"keepVisualSettingsConsistentWithParent": true,
"panelType": "SumoSearchPanel",
"queries": [
{
"transient": false,
"queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"New Assets to Sumo Logic\"\n| timeslice 1m\n| sum(assets_new) by _timeslice\n| order by _timeslice",
"queryType": "Logs",
"queryKey": "A",
"metricsQueryMode": null,
"metricsQueryData": null,
"tracesQueryData": null,
"spansQueryData": null,
"parseMode": "Auto",
"timeSource": "Message",
"outputCardinalityLimit": 1000
}
],
"description": "",
"timeRange": null,
"coloringRules": null,
"linkedDashboards": []
},
{
"id": null,
"key": "panel3D084A3284252A4E",
"title": "Multihomed assets found",
"visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
"keepVisualSettingsConsistentWithParent": true,
"panelType": "SumoSearchPanel",
"queries": [
{
"transient": false,
"queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| toLong(assets_new)\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"Multihomed Assets\" or rule_name = \"Multihomed Assets - Sumo\"\n| timeslice 1m\n| sum(found) by _timeslice\n| order by _timeslice",
"queryType": "Logs",
"queryKey": "A",
"metricsQueryMode": null,
"metricsQueryData": null,
"tracesQueryData": null,
"spansQueryData": null,
"parseMode": "Auto",
"timeSource": "Message",
"outputCardinalityLimit": 1000
}
],
"description": "",
"timeRange": null,
"coloringRules": null,
"linkedDashboards": []
},
{
"id": null,
"key": "panelPANE-4389DBF794B13B44",
"title": "Assets with a TLS service",
"visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
"keepVisualSettingsConsistentWithParent": true,
"panelType": "SumoSearchPanel",
"queries": [
{
"transient": false,
"queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| toLong(assets_new)\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"Assets running a TLS service\" or rule_name = \"Assets running a TLS service - Sumo\"\n| timeslice 1m\n| sum(found) by _timeslice\n| order by _timeslice",
"queryType": "Logs",
"queryKey": "A",
"metricsQueryMode": null,
"metricsQueryData": null,
"tracesQueryData": null,
"spansQueryData": null,
"parseMode": "Auto",
"timeSource": "Message",
"outputCardinalityLimit": 1000
}
],
"description": "",
"timeRange": null,
"coloringRules": null,
"linkedDashboards": []
},
{
"id": null,
"key": "panelPANE-FBE08549B2123A4A",
"title": "Assets running OpenSSL",
"visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
"keepVisualSettingsConsistentWithParent": true,
"panelType": "SumoSearchPanel",
"queries": [
{
"transient": false,
"queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| toLong(assets_new)\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"Assets with OpenSSL\" or rule_name = \"Assets with OpenSSL - Sumo\"\n| timeslice 1m\n| sum(found) by _timeslice\n| order by _timeslice",
"queryType": "Logs",
"queryKey": "A",
"metricsQueryMode": null,
"metricsQueryData": null,
"tracesQueryData": null,
"spansQueryData": null,
"parseMode": "Auto",
"timeSource": "Message",
"outputCardinalityLimit": 1000
}
],
"description": "",
"timeRange": null,
"coloringRules": null,
"linkedDashboards": []
}
],
"variables": [],
"coloringRules": []
}
Updated