Skip to main content

Overview

The Sumo Logic destination forwards Ocean events to a Sumo Logic HTTP Source endpoint. Events are POSTed as newline-delimited JSON, one event per line, so they ingest cleanly with Sumo Logic’s auto-parser. For an introduction to event types, payloads, and delivery semantics, see the SIEM Forwarding Overview.

Prerequisites

Before configuring the destination in Ocean, set up a Hosted HTTP Source in Sumo Logic:
  • A Sumo Logic HTTP Source URL — the full endpoint Sumo Logic gives you when you create the source. This URL contains the authentication token and is treated as a secret.
  • A Source Category on the Sumo Logic source so events are easy to find and route (e.g. ocean/siem).
In Sumo Logic, the HTTP Source URL itself is the credential — anyone with the URL can POST events to your source. Treat it as a secret.
For full details on setting up an HTTP Source, see Sumo Logic’s official guide: HTTP Source.

Create the HTTP Source in Sumo Logic

1

Open Collection settings

In Sumo Logic, go to Manage Data → Collection and either pick an existing Hosted Collector or create a new one.
2

Add an HTTP source

Click Add Source on the collector and pick HTTP Logs & Metrics.
3

Name the source

Give it a name (e.g. ocean-security) and set a Source Category (e.g. ocean/siem). The source category is how you’ll filter Ocean events in Sumo Logic. Click Save.
4

Copy the HTTP Source URL

Sumo Logic shows the HTTP Source URL once. Copy it — you will paste it into the Ocean Portal in the next section.The URL looks like: https://endpoint<n>.collection.sumologic.com/receiver/v1/http/<token>

Configure the destination in Ocean

1

Open the SIEM section

In the Ocean Portal, navigate to Integrations and find the SIEM section.
2

Connect Sumo Logic

Click Connect on the Sumo Logic HTTP Source card.
3

Fill in the basics

FieldValue
NameA friendly name (e.g. SOC Sumo Prod).
HTTP Source URLPaste the full URL you copied from Sumo Logic. Ocean stores this encrypted; the URL is never displayed again.
4

Pick events to forward

Under Events to forward, select at least one:
  • Inbound Protection — malicious cases
  • Inbound Protection — spam cases
  • AI Response — report phishing
  • AI Response — quarantine release
  • Audit Logs
5

Save

Click Create. The destination starts forwarding within a few minutes.

How events arrive in Sumo Logic

Each event arrives as one JSON document tagged with the Source Category you set on the HTTP Source. Every payload includes an event_type field (one of inbound_protection, report_phishing, quarantine_release, audit_log) you can filter on. See the event payload reference for the full schema of each payload.

Search examples

These searches filter by the event_type field inside the event payload. Replace _sourceCategory=ocean/siem with whatever source category you set on the HTTP Source. Find malicious inbound emails Ocean remediated in the last 24 hours: 
_sourceCategory=ocean/siem
| json field=_raw "event_type", "is_remediated", "verdict", "recipient.address", "sender.address", "subject", "remediation_action"
| where event_type = "inbound_protection" and is_remediated = "true" and verdict = "malicious"
| count by recipient.address, sender.address, subject, remediation_action
Count phishing reports by user: 
_sourceCategory=ocean/siem
| json field=_raw "event_type", "reporter.address"
| where event_type = "report_phishing"
| count by reporter.address
| sort -_count
Quarantine releases by reviewer: 
_sourceCategory=ocean/siem
| json field=_raw "event_type", "action.released", "review_details.reviewer_name"
| where event_type = "quarantine_release" and action.released = "true"
| count by review_details.reviewer_name

Troubleshooting

SymptomLikely causeResolution
Destination shows Authentication failedHTTP Source URL is wrong, regenerated, or the source was deleted.Re-copy the URL from Sumo Logic and update the destination.
Destination shows Endpoint unreachableURL is malformed or Sumo Logic’s collector endpoint isn’t reachable.Verify the URL matches the one shown on the source in Sumo Logic.
Events arrive but have no _sourceCategoryThe HTTP Source has no source category set.Set a Source Category on the source in Sumo Logic.
No events yetFirst export is still pending.Wait a few minutes after creating the destination.
For the full event schema, see the SIEM Forwarding Overview.