Sending data to Sumo Logic
If you use Sumo Logic for data aggregation and analysis, you may want to pass information from tCell to Sumo Logic to control alerting from Sumo Logic, to generate aggregate dashboards, or to correlate with other data sources. tCell alerts can send many kinds of high-profile information to Sumo Logic over webhooks, such as identified suspicious actors, new package vulnerabilities, and more. See the Alerts configuration page in the tCell application.
Transmitting data from tCell to Sumo Logic is straightforward:
- Add an HTTP Source configuration to your Sumo Logic environment
- Target that HTTP Source in a webhook-based Alert Destination in your tCell app
- Set up one or more Alerts to send a category of potential messages to your new Alert Destination
Adding the HTTP Source
At tCell we don't have any firm guidance on how you should configure or manage your Sumo Logic HTTP Sources and Source Category names.
One option is to use the Setup Wizard in Sumo Logic. From the wizard, select All Other Sources, then HTTP Source. The most important setting is the Source Category name, which should match your other Source Category names in style and pattern. For example, in a test environment you could use "tcell-alerts". All other settings can be left at their defaults. tCell will post a JSON object or objects, and Sumo Logic will slice these objects on the object boundaries, producing coherent, searchable events.
After you finish setting up the Source Category and click [ Continue ], you will see a URL such as: https://endpoint2.collection.us2.sumologic.com/receiver/v1/http/ZaVnA4dhaV0nFJAEMuwFDGEEZUnDedm7hYhkdUJSAE44bmKKp1mp4LsYDCr2MzTA0C21czkqjz9UVjC1mk4lw512KQ7Usz3OAmNwCMWO09eK9r7h2VZT7B==
Record this URL in an editor or similar, as you will need it soon. The long path segment is the token that lets a sender post into this Source, so store it as you would any other credential.
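The following is an added example, not tCell's or Sumo Logic's own code, showing the two practical checks a practitioner usually wants around an HTTP Source URL before wiring it into an Alert Destination: that the pasted URL has the shape shown above (https, a sumologic.com host, a /receiver/v1/http/ path with a non-empty token), and that the token is masked whenever the URL is written to a log or ticket. It also posts a constructed test event with the plain standard library and illustrates, locally, how a body of concatenated JSON objects is split on object boundaries into separate events. The placeholder URL, the sample event fields, and the object-splitting routine are all assumptions for illustration; they are not tCell's real alert payload format or Sumo Logic's parser.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder. A real HTTP Source URL (host, path prefix and
# token) comes from the Sumo Logic Setup Wizard; never commit a real one.
SOURCE_URL = ("https://endpoint2.collection.us2.sumologic.com"
              "/receiver/v1/http/EXAMPLE_TOKEN_PLACEHOLDER")
PATH_PREFIX = "/receiver/v1/http/"


def validate_source_url(url):
    """Return True only if url has the shape of a Sumo Logic HTTP Source URL.

    The path token grants write access to the Source, so this catches a
    mangled or truncated paste before the URL is stored in tCell."""
    p = urlparse(url)
    return (p.scheme == "https"
            and p.hostname is not None
            and p.hostname.endswith(".sumologic.com")
            and p.path.startswith(PATH_PREFIX)
            and len(p.path) > len(PATH_PREFIX)
            and not p.query and not p.fragment)


def redact_source_url(url):
    """Mask the token so the URL can safely appear in logs or tickets."""
    p = urlparse(url)
    host = p.hostname or "<no-host>"
    if not p.path.startswith(PATH_PREFIX):
        return f"{p.scheme}://{host}/<redacted>"
    token = p.path[len(PATH_PREFIX):]
    shown = token[:4] + "..." if len(token) > 4 else "..."
    return f"{p.scheme}://{host}{PATH_PREFIX}{shown}"


def build_test_event(source="tcell-test"):
    """Constructed sample event; field names are illustrative only."""
    return {"source": source, "alert_type": "Test WebHook",
            "message": "connectivity check from tCell Alert Destination"}


def split_json_objects(body):
    """Split a body of concatenated JSON objects into a list of events.

    Local illustration of slicing on object boundaries, whether the objects
    are newline-separated or back to back; not Sumo Logic's implementation."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while pos < len(body):
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            break
        obj, end = decoder.raw_decode(body, pos)  # raises on malformed input
        events.append(obj)
        pos = end
    return events


def post_events(url, events, send=False):
    """Serialize events one JSON object per line and POST them to the Source.

    With send=False (the default) the prepared request is returned for
    inspection instead of being transmitted, so the example runs offline."""
    if not validate_source_url(url):
        raise ValueError(f"not an HTTP Source URL: {redact_source_url(url)}")
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})
    if not send:
        return req
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status  # 200 means the collector accepted the batch


if __name__ == "__main__":
    req = post_events(SOURCE_URL, [build_test_event()])
    print("would POST to", redact_source_url(SOURCE_URL))
    print(req.data.decode("utf-8"))
```

Run it as-is for a dry run that prints the redacted destination and the body that would be sent; call post_events(url, events, send=True) only with a real Source URL to exercise the collector end to end. The redaction helper is the one to reuse in any script that logs the destination, since the full URL is effectively a credential.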
Configuring the Alert Destination
In the tCell UI, in your chosen App, go to Settings > Alerts in the left-side list of sections. On the far right, click + Add Destination.
In the Create New Destination dialog, choose a Destination Type of Webhook and paste in the long URL from step 1. If you like, you can send the Test WebHook; Sumo Logic will process it and turn it into an event.
(Note that events may take some minutes to become available in general Sumo Logic search.)
Add Alerts which use this new Alert Destination
Click on the + Add Alert link. Select an alert type and the Sumo Logic webhook.
If you want to test alerts beyond the initial test, consider adding an alert for Config Changed, since it is easy to change the configuration in an innocuous way to force such events. For example, in Policies > App Firewall you could add a rule that matches on a header name you will never receive, such as "peanut-butter-sandwiches", and then delete the rule again.