
The Evident.io Evident Security Platform (ESP) streamlines and optimizes vulnerability and risk management. It continuously monitors the AWS cloud, automatically identifies security misconfigurations, enables rapid mitigation of risk through guided remediation, and provides visibility into its findings through integrations with a central security analytics platform such as Sumo Logic.

By combining the vulnerabilities and security misconfigurations identified by Evident with your other data sources, you can reduce your security risk and improve your overall security posture.

Use the preconfigured searches and Dashboards in the Sumo Logic App for Evident.io ESP to investigate Evident-specific events and provide operational visibility to team members without logging into Evident.io.

Log Types

The Sumo Logic App for Evident.io ESP uses monitoring alerts. For details on the log format and definitions, refer to Evident.io documentation at https://docs.paloaltonetworks.com/evident.

Collect Logs for Evident.io

To collect logs for Evident.io, you will perform the following steps, detailed in the sections below:

  1. Configure an Evident.io Integration with AWS SNS.
  2. Add a Sumo Logic Hosted Collector and HTTP Source.
  3. Subscribe to SNS Notifications.

Configure an Evident.io Integration with AWS SNS

To configure an Evident.io Integration with AWS SNS:

  1. In Evident.io, add an Integration.
  2. Enable an AWS SNS integration.
  3. In the AWS SNS Topic you created, enable Raw Message Delivery:
    1. Select the AWS Topic.
    2. Click Other subscription actions.
    3. Click Edit subscription attributes.
       [Screenshot: evident_app_edit_subscription.png]
    4. Select the Raw message delivery check box.
    5. Click Set subscription attributes.
       [Screenshot: evident_app_set_subscription.png]

Add a Sumo Logic Collector and Source

  1. In Sumo Logic, configure a Hosted Collector.
  2. Configure an HTTP Source:
    1. Name: Evident.io SNS Integration.
    2. Source Category: security_evident.
  3. In the Advanced section, configure the following:
    1. Enable Timestamp Parsing: select the Extract timestamp information from log files check box.
    2. Time Zone: select Ignore time zone from log file, and select (UTC) Etc/UTC.
  4. Processing Rules: create the following Mask Rule.
    1. Name: Enable proper timestamp parsing
    2. Filter: \"(?:created_at|updated_at|ended_at)\":\"\d+-\d+-\d+(T)\d+:\d+:\d+.\d+Z\"
    3. Type: Mask messages that match
    4. Mask String: t
       [Screenshot: evident_app_processing_rules.png]
  5. Click Apply.
  6. Click Save.
  7. Copy the HTTP Source Address URL; you will need it in the following section.
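The effect of the mask rule is easiest to see on a sample message. The following Python is an added example, not code from the Sumo Logic or Evident.io documentation: it applies the filter regex from step 4 to a constructed alert (the field names other than created_at, updated_at and ended_at are assumptions for illustration) and rewrites only the captured T separator, which is how a "Mask messages that match" rule with a capture group behaves.

```python
import json
import re

# Filter regex exactly as given for the mask rule above. Python's re module
# accepts it unchanged: \" matches a literal quote in the JSON text and (T)
# is the single capture group, which is the only text the rule masks.
MASK_FILTER = r'\"(?:created_at|updated_at|ended_at)\":\"\d+-\d+-\d+(T)\d+:\d+:\d+.\d+Z\"'
MASK_STRING = "t"

# Constructed sample alert. The fields other than the three timestamp fields
# are assumptions for illustration, not Evident.io's documented schema.
# Compact separators matter: the filter expects no whitespace after the colon.
SAMPLE_ALERT = json.dumps(
    {
        "id": "example-alert-1",
        "status": "fail",
        "risk_level": "high",
        "created_at": "2018-05-10T14:22:31.000Z",
        "updated_at": "2018-05-10T14:25:07.000Z",
        "ended_at": None,
        "signature": "AWS:IAM-001",
    },
    separators=(",", ":"),
)

_FILTER_RE = re.compile(MASK_FILTER)


def apply_mask_rule(message):
    """Apply the mask rule to one log message.

    As with a Sumo Logic mask rule whose filter has a capture group, only the
    captured text (the 'T' separator) is replaced by MASK_STRING; the rest of
    each match is left intact.
    """

    def _mask(match):
        whole = match.group(0)
        start, end = match.span(1)
        offset = match.start()
        return whole[: start - offset] + MASK_STRING + whole[end - offset :]

    return _FILTER_RE.sub(_mask, message)


def changed_fields(original, masked):
    """List the JSON fields whose value the rule changed, for a quick check
    of what the rule actually touched."""
    before, after = json.loads(original), json.loads(masked)
    return sorted(k for k in before if before[k] != after.get(k))


if __name__ == "__main__":
    out = apply_mask_rule(SAMPLE_ALERT)
    print(out)
    print("changed:", changed_fields(SAMPLE_ALERT, out))
```

Note that ended_at is left alone because its value is null rather than a timestamp, and that the filter requires the value to follow the colon with no whitespace, so a pretty-printed copy of the same alert would pass through the rule unmasked.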

Subscribe to SNS Notifications

Once the Hosted Collector and HTTP Source are configured, subscribe to Evident.io SNS Notifications:

  1. In the AWS Management Console, go to SNS > Topics, and find the topic you created in Configure an Evident.io Integration with AWS SNS.
  2. Select the checkbox for the topic.
  3. Under Amazon SNS, in the Actions menu, select Subscribe to Topic.
  4. Under Protocol, select HTTPS, and paste the Sumo Logic HTTP Source URL into the Endpoint field.
  5. Click Create Subscription.
  6. In a few minutes, a confirmation message is sent to Sumo Logic.
  7. In Sumo Logic, search for the new message from your HTTP Source. For example, use the query _sourceCategory="security_evident".
  8. Then, in the Messages tab, parse the message for the JSON field SubscribeURL, and copy it to your clipboard, as shown.
     [Screenshot: aws_config_app_example_700x317.png]
  9. In the AWS Management Console, select SNS > Topics.
  10. Under Amazon SNS > Actions, select Confirm a subscription.
  11. Paste the SubscribeURL into the field Subscription confirmation URL, and click Confirm subscription.
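Step 8 reads the SubscribeURL out of the confirmation message by hand. As an added example (not code from the Sumo Logic or Evident.io documentation), the following Python does the same extraction and only returns the URL when the message is a SubscriptionConfirmation for the topic you expect and the URL points at an AWS SNS endpoint over HTTPS, so that a stray or forged message landing in the same HTTP Source is not confirmed by mistake. The sample message, account id, topic name and token are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed topic ARN; in practice, take this from the topic you created.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:evident-alerts"

# Constructed sample of the SubscriptionConfirmation message as it lands in
# the HTTP Source. MessageId and Token are placeholders. A real message also
# carries SignatureVersion, Signature and SigningCertURL fields, which this
# example does not verify.
SAMPLE_CONFIRMATION = json.dumps(
    {
        "Type": "SubscriptionConfirmation",
        "MessageId": "00000000-0000-0000-0000-000000000000",
        "Token": "EXAMPLE_TOKEN",
        "TopicArn": EXPECTED_TOPIC_ARN,
        "Message": "You have chosen to subscribe to the topic. To confirm the "
        "subscription, visit the SubscribeURL included in this message.",
        "SubscribeURL": (
            "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
            + "&TopicArn=" + EXPECTED_TOPIC_ARN + "&Token=EXAMPLE_TOKEN"
        ),
        "Timestamp": "2018-05-10T14:30:00.000Z",
    }
)


def extract_subscribe_url(raw_message, expected_topic_arn):
    """Return the SubscribeURL from a SubscriptionConfirmation message.

    Returns None when the message is not JSON, is not a subscription
    confirmation, names a different topic, or carries a URL that is not an
    HTTPS ConfirmSubscription request to an amazonaws.com host for that topic.
    """
    try:
        msg = json.loads(raw_message)
    except ValueError:
        return None
    if msg.get("Type") != "SubscriptionConfirmation":
        return None
    if msg.get("TopicArn") != expected_topic_arn:
        return None

    url = msg.get("SubscribeURL", "")
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(".amazonaws.com"):
        return None

    # The query string must be a ConfirmSubscription request for the same topic.
    query = parse_qs(parts.query)
    if query.get("Action") != ["ConfirmSubscription"]:
        return None
    if query.get("TopicArn") != [expected_topic_arn]:
        return None
    return url


if __name__ == "__main__":
    print(extract_subscribe_url(SAMPLE_CONFIRMATION, EXPECTED_TOPIC_ARN))
```

The returned URL is what you paste into Subscription confirmation URL in the following steps; the checks are the same ones worth making by eye before confirming a subscription from a message you did not generate yourself.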

Install the Evident.io App

To install the App:

  1. In the Library, click the Preview tab.
  2. Select Evident.io.
  3. Click Install.
  4. In the Install Application dialog box, select Select from _sourceCategory values and choose security_evident.
  5. Click Install.
  6. When the Confirm dialog displays, click Go to navigate to the installed app.