
Integrate Contrast Security ADR with Sumo Logic (Northstar)

The Contrast Security ADR integration with Sumo Logic® enables ADR to send incident details to your Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) environments, which contextualizes incidents with other threat detection and response solutions.

How it works

When configured, Contrast Security ADR sends detected attack events from the Contrast Security platform to your Sumo Logic instance over HTTPS.

The Contrast Security ADR for Sumo Logic application enables Sumo Logic to:

  • Parse and normalize the data received over HTTPS

  • Display Contrast Security ADR attack events in Sumo Logic, for consumption in the provided Contrast Security ADR Dashboard in Sumo Logic, or search and correlation in Sumo Logic Cloud SIEM

Before you begin

Before you start, you must have:

  • Sumo Logic

  • Applications instrumented with a Contrast Security agent

Set up Sumo Logic

Set up Sumo Logic for Contrast Security ADR.

  1. Find the official Contrast Security ADR parser template by following the instructions on the relevant documentation page.

  2. Go to the Sumo Logic Parsers configuration page.

  3. Search for Contrast.

  4. Copy the parser template path by following steps 1-3 on the relevant documentation page.

    • Use the three-dot icon on the line for the Contrast ADR parser and select Copy Path.

  5. Continue with step 4 in the instructions if you have already set up an HTTP Logs and Metrics Collector you prefer to use; otherwise, continue with the following step.

  6. Set up an HTTP Logs and Metrics Source in a Hosted Collector by following the instructions on the relevant documentation page.

  7. Select the Forward to SIEM option.

  8. Select +Add Field.

  9. When the two blank fields appear under any fields that have already been defined for the source, enter _parser as the field name and the parser path you copied in step 4 as the value.

  10. When the URL associated with the source is displayed, copy the URL; you will need it to configure Contrast Security in the section Configure Contrast Security ADR to send events to Sumo Logic.
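Before pointing Contrast ADR at the source, it is worth confirming that the copied URL is well-formed and that the source accepts data. The following script is an added example, not part of this documentation or of Contrast Security's code; the collector URL, the endpoint hostname pattern and the sample payload are placeholders (the payload is not the Contrast ADR event schema). Once the event appears in Sumo Logic, check that it carries the _parser field you set in step 9.

```python
"""Smoke-test a Sumo Logic HTTP Logs and Metrics Source before wiring up Contrast ADR."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Placeholder: replace with the source URL copied from the Hosted Collector.
COLLECTOR_URL = "https://endpoint1.collection.sumologic.com/receiver/v1/http/REPLACE_WITH_SOURCE_TOKEN"

# Constructed sample payload (not the Contrast ADR event schema). It only proves
# that the source accepts data and lets you confirm the _parser field is attached.
SAMPLE_EVENT = {"source": "smoke-test", "message": "contrast-adr collector check"}


def validate_collector_url(url: str) -> bool:
    """Accept only HTTPS URLs in the documented /receiver/v1/http/<token> shape.
    The token in the path is the only credential guarding the source, so the URL
    must not be sent over plain HTTP or written to logs. The hostname suffix check
    is an assumption about Sumo Logic collection endpoints."""
    parts = urlparse(url)
    path = parts.path.split("/")
    return (
        parts.scheme == "https"
        and parts.hostname is not None
        and parts.hostname.endswith(".sumologic.com")
        and len(path) == 5
        and path[:4] == ["", "receiver", "v1", "http"]
        and path[4] != ""
    )


def build_request(url: str, event: dict) -> tuple[str, dict, bytes]:
    """Return (url, headers, body) for a one-line JSON POST to the source."""
    if not validate_collector_url(url):
        raise ValueError("collector URL must look like https://<endpoint>/receiver/v1/http/<token>")
    headers = {
        "Content-Type": "application/json",
        # Optional Sumo Logic metadata header; it becomes the _sourceName of the message.
        "X-Sumo-Name": "contrast-adr-smoke-test",
    }
    body = (json.dumps(event) + "\n").encode()
    return url, headers, body


def send(url: str, event: dict) -> int:
    """POST the event and return the HTTP status; 200 means the source accepted it."""
    target, headers, body = build_request(url, event)
    req = urllib.request.Request(target, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(send(sys.argv[1] if len(sys.argv) > 1 else COLLECTOR_URL, SAMPLE_EVENT))
```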

Configure Contrast Security ADR to send events to Sumo Logic

Configure the integration in Northstar to send attack events, observations, and incidents to the Sumo Logic application.

  1. For Northstar, in the left navigation, select Administration > Integrations.

  2. Select the Sumo Logic option under the Integrations section.

  3. Under the Manage Credentials tab:

    1. Enter the Sumo Logic collector URL you copied in step 10 in the section above.

    2. Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.

  4. Under the Advanced tab, select from the modes of data to send to the app:

    1. Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and issues associated with the incident. This is recommended for SOC practices seeking deep visibility into application runtime and are building their custom use cases.

    2. Select Incidents and only incident-related observations to send incidents, associated observations, and issues to the Sumo Logic application. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.

  5. Select Save.

See also