Skip to content

Releases: CiscoSecurity/tr-05-serverless-sumo-logic-log-management

Version 1.0.5

08 Apr 09:21
@mstoro mstoro
v1.0.5
0436973
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 1.0.5 Latest
Latest
  • Remove traceback from logs in case of 404 error
Assets 2
Loading

Version 1.0.4

13 Dec 09:50
@oshynk oshynk
v1.0.4
f17a88b
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 1.0.4
  • Logging improvement
  • Make human-readable error messages
Assets 2
Loading

Version 1.0.3

08 Nov 11:38
@oshynk oshynk
v1.0.3
5b44ea4
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 1.0.3
  • Remove unused endpoints
Assets 2
Loading

Version 1.0.2

25 Aug 08:39
@mstoro mstoro
v1.0.2
e04a476
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 1.0.2
  • Update dependencies management
Assets 2
Loading

Version 1.0.1

04 Aug 15:07
@oshynk oshynk
v1.0.1
a656549
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Version 1.0.1
  • Fixed bug when host is empty
Assets 2
Loading

Cisco Hosted Relay

20 Jul 11:59
@oshynk oshynk
v1.0.0
cbd4866
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Cisco Hosted Relay

v1.0.0

Sumo Logic Log Management

The new Sumo Logic Log Management integration indicates to users that the observable in an investigation is contained in a log message within Sumo Logic. It provides users with the date and time the observable was seen in the log, the collector that received the log, and the log source that provided the message.

This integration allows you to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, and URL data types and it returns verdicts and judgements from Sumo Logic's query to CrowdStrike Intelligence. Additionally, each log message returns sightings of an observable.

Implementation Details

This application was developed and tested under Python version 3.9.

Implemented Relay Endpoints

  • POST /health

    • Verifies the Authorization Bearer JWT and decodes it to restore the
      original credentials.
    • Authenticates to the underlying external service to check that the provided
      credentials are valid and the service is available at the moment.

  • POST /deliberate/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Verifies the Authorization Bearer JWT and decodes it to restore the
      original credentials.
    • Makes a series of requests to the underlying external service to query for
      some cyber threat intelligence data on each supported observable.
    • Maps the fetched data into appropriate CTIM entities.
    • Returns a list per each of the following CTIM entities (if any extracted):
      • Verdict.

  • POST /observe/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Verifies the Authorization Bearer JWT and decodes it to restore the
      original credentials.
    • Makes a series of requests to the underlying external service to query for
      some cyber threat intelligence data on each supported observable.
    • Maps the fetched data into appropriate CTIM entities.
    • Returns a list per each of the following CTIM entities (if any extracted):
      • Verdict,
      • Judgment,
      • Sighting.

  • POST /refer/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Builds a search link per each supported observable to pivot back to the
      underlying external service and look up events with the observable there.
    • Returns a list of those links.

  • POST /version

    • Returns the current version of the application.

Supported Types of Observables

All types allowed in CTIM

CTIM Mapping Specifics

Each response from the Sumo Logic API for the supported observables generates the following CTIM entities:

  • Sightings are taken from each message in Sumo Logic response.

  • Verdicts and Judgements are taken from separate request to Sumo Logic with query to CrowdStrike Intelligence.

  • severity of Judgement is mapped from malicious_confidence in message from Sumo Logic/CrowdStrike:

    malicious_confidence Severity
    high High
    medium Medium
    low Low
    unverified Unknown

  • disposition of Judgement is mapped from malicious_confidence in message from Sumo Logic/CrowdStrike:

    malicious_confidence Disposition Disposition Name
    high 2 Malicious
    medium 2 Malicious
    low 3 Suspicious
    unverified 5 Unknown
Assets 2
Loading