What does a SIEM platform do? #
A SIEM (Security Information and Event Management) platform aggregates security data from various sources, normalizes it for analysis, and correlates events to detect potential threats or breaches in real-time. SIEMs are fantastic for data aggregation, analysis, and reporting among other security use cases.
Sumo Logic is a widely recognized SIEM platform, renowned for its extensive adoption across diverse customer bases. It stands out as a prevalent choice within our own customer base, reflecting its widespread usage and trusted reputation in the industry. Today, I will be highlighting how to leverage a SIEM platform like Sumo Logic to do more with your runZero data.
How does runZero compliment SIEM data? #
runZero shines when it comes to asset discovery and exposure management. Oftentimes, customers will want to track trends in their asset data though. While runZero provides the most recent snapshot of your asset inventory, using a daily export to a SIEM allows you to create a history as well. We can merge these two tools together using a GCP Cloud Function to leverage the power of both.
Key benefits of this integration #
Bringing a SIEM platform into runZero not only streamlines processes internally but also gives us a deeper understanding of our data, helping us make better decisions together as a team. From optimizing resource allocation to pinpointing areas for improvement and addressing potential security risks, here are the key benefits that you can take away from this integration:
Make data visual: By visualizing the runZero data with custom dashboards in the SIEM, we can effortlessly gain actionable insights into our asset landscape. We can display a wide range of trends related to asset inventory, such as usage patterns, resource allocation, and potentially vulnerable assets. This holistic view enables us to identify patterns, anomalies, and correlations that may not be apparent when examining data sets separately.
Make data digestible: Custom dashboards allow us to rollup the data in a way that is easy for anyone on the team to digest. By offering intuitive visualizations and summaries, we can bridge knowledge gaps and ensure that insights are accessible to a broader audience within our organization, especially those that may not be familiar with runZero.
Make data actionable: With enhanced clarity on our asset inventory, we can collaborate more effectively on strategic decisions and actions. We can foster a shared understanding of asset-related challenges and opportunities, enabling cross-functional teams to align their efforts towards common goals.
Low cost: After letting this run for over a month, our GCP bill was $0.02… we have a feeling most people can get that budget approved.
Outcome #
Steps to implement #
- Get runZero Export Token to export asset data from runZero
- Use your runZero export API token, which can be obtained in your runZero console on an organization detail page.
- Select the organization you wish to export data from, then click Edit organization to view the export API token.
- Create Sumo Logic HTTP Endpoint to POST data to
- After logging in to Sumo Logic, navigate to Manage Data > Collection.
- Click Add Collector then select Hosted Collector.
- Provide a name, such as runZero Collector and click Save.
- If prompted to add a data source, click OK. Otherwise, find your Collector in the list and click Add Source.
- Select the HTTP Logs and Metrics source.
- Provide a name, such as runZero Metrics, then click Save.
- You will use the URL in step 4.
- Create your GCP Cloud Scheduler job:
- Define your schedule
- Provide name.
- Pick your frequency.
- Configure the execution
- Target type is Pub/Sub.
- Create a new Topic.
- Click Create to finish creating the job.
- Define your schedule
- Create your Cloud Function
- Basics
- Trigger type is Cloud Pub/Sub
- Select the Topic created in the last step
- Click Next
- Code
- Runtime: Python 3.10
- Entry point: main
- Files
- main.py
- Update the SEARCHES object to change the searches you create metrics for
- requirements.txt
- config.py
- Update with Export Token and Sumo Logic HTTP Endpoint
- main.py
- Basics
We’d love to hear about your experience with this integration. Reach out to us on our social accounts or send us a message here.