Integrating Red Canary & Sumo Logic

Keith McCammon


A key step in the Red Canary on-boarding process is understanding customers’ processes and tools so we can configure integrations that minimize the need for IT and security analysts to break workflow and access yet another system. When everything from our context-rich detections to raw endpoint telemetry is integrated with your existing systems, you get immediately useful context without needing to learn a new tool or workflow.

We are going to walk you through the process of integrating Red Canary data with analytics provider Sumo Logic. Sumo Logic is a platform we often hear our customers rave about, and they've made it easy for customers to send any volume of machine data into their cloud-based analysis platform. Because endpoint log data is already being collected within Sumo Logic, it only makes sense to push Red Canary detection information, complete with event timeline and indicators of attack and/or compromise, into this platform as well.

Configuring this integration is easy. First, we configured a Sumo Logic Hosted Collector and corresponding HTTP data source:

  1. Select Manage -> Collectors and choose Hosted Collector.
  2. Name the collector and provide a category.
  3. Opt to add a data source and choose HTTP.
  4. Provide a name, optional source host and category, and Save.
  5. Record the collector URL; you will use it when sending data from Red Canary into Sumo Logic.

Sending Red Canary detections to Sumo Logic is as simple as a Python script that uses the Red Canary API:

import requests
import redcanary

# Replace URL with the data source URL provided above.
SUMO_COLLECTOR = 'https://collectors.us2.sumologic.com/receiver/v1/http/...'

red_canary = redcanary.RedCanaryClient()

# Post each detection to the Sumo Logic HTTP source as a JSON document.
for detection in red_canary.detections:
    r = requests.post(SUMO_COLLECTOR, data=detection.as_json)
    # Surface a failed post (bad URL, disabled source, etc.) instead of silently dropping the detection.
    r.raise_for_status()
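The script above resends every detection on every run and ignores partial failures. The following is an added example, not Red Canary's or Sumo Logic's own code, showing a forwarder that batches detections as newline-delimited JSON, records the highest detection id acknowledged by a 2xx response so the next run resumes without duplicates, and tags the messages with a source category. The detection field names and the collector URL are constructed placeholders, not the real Red Canary API schema.

```python
import json

# Replace with the HTTP source URL recorded in step 5 above (placeholder value).
SUMO_COLLECTOR = "https://collectors.us2.sumologic.com/receiver/v1/http/PLACEHOLDER"

# Constructed sample records shaped loosely like Red Canary detections;
# the field names are assumptions, not the real API schema.
SAMPLE_DETECTIONS = [
    {"id": 101, "classification": "Malicious Software", "hostname": "ws-01",
     "username": "jdoe", "detected_at": "2014-07-21T14:02:11Z"},
    {"id": 102, "classification": "Suspicious Activity", "hostname": "ws-07",
     "username": "asmith", "detected_at": "2014-07-21T15:30:00Z"},
    {"id": 100, "classification": "Unwanted Software", "hostname": "ws-03",
     "username": "svc", "detected_at": "2014-07-21T09:00:00Z"},
]

def to_ndjson(detections):
    """One JSON object per line: the Sumo Logic HTTP source treats each line
    as a separate message, so a whole batch can go in a single request."""
    return "\n".join(json.dumps(d, sort_keys=True) for d in detections)

def forward_detections(detections, last_sent_id, post, batch_size=2):
    """Send detections with id > last_sent_id, in id order, in batches.
    `post(body)` must return an HTTP status code. Stops at the first non-2xx
    response and returns the highest id that was acknowledged, so the caller
    can persist it and resume next run without re-sending detections."""
    pending = sorted((d for d in detections if d["id"] > last_sent_id),
                     key=lambda d: d["id"])
    acked = last_sent_id
    for start in range(0, len(pending), batch_size):
        batch = pending[start:start + batch_size]
        status = post(to_ndjson(batch))
        if not 200 <= status < 300:
            break  # keep acked at the last good batch; retry on the next run
        acked = batch[-1]["id"]
    return acked

def sumo_post(body):
    """Real sender: POST one batch to the hosted collector with a source
    category header (Sumo Logic's X-Sumo-Category) and report the status."""
    import requests  # imported here so the offline demo below needs no network library
    r = requests.post(SUMO_COLLECTOR, data=body.encode("utf-8"), timeout=10,
                      headers={"Content-Type": "application/json",
                               "X-Sumo-Category": "redcanary/detections"})
    return r.status_code

if __name__ == "__main__":
    # Real use pairs forward_detections with the Red Canary client from the
    # script above and sumo_post; a stub sender keeps this demo offline.
    print(forward_detections(SAMPLE_DETECTIONS, 0, lambda body: 200))  # prints 102
```

Persist the returned id (a file or small state store is enough) and pass it back as `last_sent_id` on the next scheduled run.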

Once detection data is processed by Sumo Logic, you have access to Red Canary analyst observations, threat classification, details about the affected endpoint and user, and a timeline of related events. Each of these elements can be immediately correlated with data from other Sumo Logic data sources and accessed via their powerful dashboards, search (below), or API.

[Screenshot: Sumo Logic search results over Red Canary detection data]

This is just one of many integrations that are possible and exemplifies the power of open, API-based platforms like Red Canary and Sumo Logic. It takes just minutes to get started with either Red Canary or Sumo Logic, and a few more to integrate the two together.