Use Case: SumoLogic

In this example, we will send a webhook to a data lake on SumoLogic.

Suppose that every day, you want to send a list of newly found VMs, Servers, and Workstations to a dashboard running in SumoLogic.

You could create a query that specifies:

  • show all the assets that are either VMs or servers or workstations

  • exclude all assets that are either Kubernetes instances (labeled as “SERVER.SEARCH”) or VM images (labeled as “VM_IMAGE” in Lucidum)

You could then:

  • specify that you want to use the query results in a webhook

  • select the fields to include in the payload of the webhook. For example, for each VM, server, or workstation, you could include fields for the Lucidum Asset Name, Department, Data Category, External Ports, External Services.

  • specify how frequently to send the webhook

Generating a URL for SumoLogic #

  1. In SumoLogic, we created a hosted collector for Lucidum. For details on creating a hosted collector, see the SumoLogic documentation https://help.sumologic.com/docs/send-data/hosted-collectors/configure-hosted-collector.

    [screenshot: sumo_collector_properties.png]
  2. In SumoLogic, we defined an HTTP source for our Lucidum demo system. For details on creating an HTTP source, see the SumoLogic documentation https://help.sumologic.com/docs/send-data/hosted-collectors/http-source/logs-metrics.

    [screenshot: sumo_collector_gemerate_url.png]
  3. We generated a URL for our HTTP source. For details, see https://help.sumologic.com/docs/send-data/hosted-collectors/http-source/generate-new-url/.

    [screenshot: sumo_url.png]

Defining a Webhook Configuration for SumoLogic #

To define the Webhook Configuration for SumoLogic:

  1. Choose Action Center from the left pane.

  2. In the Action Center, choose the Webhook icon in the right pane.

    [screenshot: main_page2.png]
  3. To create a configuration for the action, click the Configuration (gear) icon. A configuration provides the connection and authorization information to communicate with the external solution.

    [screenshot: manage_action_configurations2.png]

  4. In the Manage Action Configurations page, you can either click the Add Configuration icon (plus sign) or edit the Default configuration by clicking the Edit icon (pencil).

  5. In the Manage Action Configurations page, we entered the following:

    [screenshot: configuration.png]
    • Configuration Name. A name that describes the new Webhook configuration. We entered “Sumo Demo Dashboard Data”.

    • webhook_url. The URL on the solution or application that listens for webhooks from Lucidum. This is the URL that we generated in the section on Generating a URL for SumoLogic.

    • Header Key. We accepted the default value “Content-Type”.

    • Header Key Value. We accepted the default value “application/json”.

    • Max request payload records. The maximum number of records to include in a single webhook request. We accepted the default value, 100 records.

Defining a Webhook Action for SumoLogic #

To define the Webhook Action for SumoLogic:

  1. In the Create a New Action page, in the General step, enter:

    [screenshot: webhook_new_action1.png]
    • Action Type. This field was pre-populated with Send Webhook.

    • Configuration Name. We selected “Sumo Demo Dashboard Data”, the configuration we defined in the section Defining a Webhook Configuration for SumoLogic.

    • Action Name. Provide a name for the webhook action. We entered “Feed VMs, Servers & Workstations to demo dashboard in Sumo Logic”.

    • Description. Provide a description for the webhook action. This field is optional.

  2. Click the Next (>) icon.

  3. In the Filters page, click Configure Filters.

    [screenshot: filters_page.png]
  4. The Configure Filters for Action page appears.

    [screenshot: configure_filters_for_action.png]
  5. In the Configure Filters for Action page, you define the query for the assets or users that the action will act upon. For existing actions, the query is already loaded in this page.

  6. For details on creating and editing queries in Lucidum, see the section on Building Queries.

  7. In the Refine Scope page, you define the query for the assets or users that the action will act upon.

  8. We created the following query:

    [screenshot: sumo_examle_refine_scope.png]
  9. This query specifies:

    • show all the assets that are either VMs or servers or workstations

    • exclude all assets that are either Kubernetes instances (labeled as “SERVER.SEARCH”) or VM images (labeled as “VM_IMAGE” in Lucidum)

  10. Click the Apply (page and pencil) icon.

  11. Click the Next (>) icon.

  12. In the Schedule step, enter:

    [screenshot: webhook_new_action3.png]
    • Schedule Type. Define the schedule for the action. We chose “Recurrence” and specified that the action should run once a day at midnight.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action. We specified “greater than 0”.

  13. Click the Next (>) icon.

  14. In the Details step, enter the following:

    [screenshot: webhook_new_action4.png]
    • Output Fields. We selected a custom list of fields to include in the webhook payload.

    • Payload template. This field formats the webhook payload before sending it. We accepted the default template.

    • Dedup previous jobs. In this field, you specify whether to allow duplicates of asset IDs (if your query is for assets) or user IDs (if your query is for users) across deliveries. We specified “0” (zero), so Lucidum includes all the records from the query in each delivery of the webhook.

  15. Click the Save (disc) icon to save the Webhook Action.
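As an added example (not Lucidum's or SumoLogic's own code), the following Python script reproduces what the webhook configuration and action above do end to end: it applies the Refine Scope query to a set of constructed asset records, keeps only the selected Output Fields, splits the result into batches no larger than the Max request payload records setting, and POSTs each batch with the configured Content-Type header to the HTTP source URL. The `Asset Type` and `Labels` record keys, the sample records and the URL passed to `deliver` are assumptions; the HTTP source URL embeds the source's token, so it belongs in a secret store or environment variable rather than in the script.

```python
import json
import urllib.request
from typing import Callable

# Refine Scope query: VMs, servers and workstations, minus the two excluded labels.
INCLUDE_TYPES = {"VM", "Server", "Workstation"}
EXCLUDE_LABELS = {"SERVER.SEARCH", "VM_IMAGE"}
# Output Fields chosen in the Details step.
OUTPUT_FIELDS = ["Lucidum Asset Name", "Department", "Data Category",
                 "External Ports", "External Services"]
# From the webhook configuration: Header Key/Value and Max request payload records.
HEADERS = {"Content-Type": "application/json"}
MAX_RECORDS = 100

# Constructed sample records; the "Asset Type" and "Labels" keys are assumed, not Lucidum's schema.
SAMPLE_ASSETS = [
    {"Asset Type": "VM", "Labels": [], "Lucidum Asset Name": "vm-web-01", "Department": "Eng",
     "Data Category": "Internal", "External Ports": [443], "External Services": ["https"]},
    {"Asset Type": "Server", "Labels": ["SERVER.SEARCH"], "Lucidum Asset Name": "k8s-node-3"},
    {"Asset Type": "VM", "Labels": ["VM_IMAGE"], "Lucidum Asset Name": "golden-image-2024"},
    {"Asset Type": "Workstation", "Labels": [], "Lucidum Asset Name": "ws-fin-12",
     "Department": "Finance", "Data Category": "PII", "External Ports": [], "External Services": []},
]

def select_assets(assets: list[dict]) -> list[dict]:
    """Apply the query, then keep only the selected Output Fields for each hit."""
    return [{field: a.get(field) for field in OUTPUT_FIELDS} for a in assets
            if a.get("Asset Type") in INCLUDE_TYPES
            and not (EXCLUDE_LABELS & set(a.get("Labels", [])))]

def batch_records(records: list[dict], max_records: int = MAX_RECORDS) -> list[list[dict]]:
    """Split the result set into chunks no larger than Max request payload records."""
    return [records[i:i + max_records] for i in range(0, len(records), max_records)]

def http_post(url: str, headers: dict, body: bytes) -> int:
    # One POST per batch to the HTTP source URL (the URL carries the source token: keep it out of code).
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def deliver(records: list[dict], url: str, post: Callable[[str, dict, bytes], int] = http_post) -> int:
    """Send every batch (Dedup previous jobs = 0, so nothing is held back); returns requests made."""
    sent = 0
    for batch in batch_records(records):
        status = post(url, HEADERS, json.dumps(batch).encode())
        if not 200 <= status < 300:
            raise RuntimeError(f"SumoLogic rejected batch {sent}: HTTP {status}")
        sent += 1
    return sent
```

Pass a different `post` callable to `deliver` to dry-run the delivery without touching the real HTTP source.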

Viewing Lucidum Data on SumoLogic #

We can see the following Lucidum data in the Messages tab in SumoLogic:

[screenshot: data_in_sumo.png]

Using Lucidum Data in SumoLogic Dashboards #

The following SumoLogic dashboard uses data from Lucidum:

[screenshot: dashboard_in_sumo.png]