You can trigger an AWS Lambda function directly from a Scheduled Search or Metrics Monitor by configuring a Webhook Connection in Sumo Logic.
For example, you can create a Scheduled Search that triggers a Lambda function when too many requests are received from a suspicious IP address. The Lambda function can block further requests from that IP address while simultaneously notifying the security team for review.
Build an API in the API Gateway to expose a Lambda function
First, create an API in Amazon API Gateway that exposes your Lambda function through a POST method, and note the resulting Invoke URL (of the form https://api-id.execute-api.region.amazonaws.com/stage/resource). For information about exposing an HTTP endpoint, see the Amazon API Gateway documentation.
When you have created the Invoke URL, copy it somewhere safe. You will need it to configure the Webhook Connection in the next section.
Create a Webhook connection
Configure the Webhook Connection to trigger the AWS Lambda function.
- Go to Manage Data > Settings > Connections.
- On the Connections page click Add.
- Click AWS Lambda.
- In the Create Connection dialog, enter:
  - Name. Enter a name for the Connection.
  - Description. (Optional) Enter a description for the Connection.
  - URL. Enter the Invoke URL from the previous section.
  - Access Key and Secret Key. Enter the AWS Access Key ID and Secret Access Key of the IAM user that will invoke the API. Sumo Logic uses them, together with the Region and Service Name below, to sign each request with AWS Signature Version 4, which is what the API Gateway method verifies when its authorization type is AWS_IAM.
    - Secure your API Gateway method by selecting AWS_IAM as the authorization type; without it, anyone who learns the Invoke URL can trigger the function.
    - Create a dedicated IAM user whose only permission is invoking this API. The AWS managed policy AmazonAPIGatewayInvokeFullAccess works, but it allows execute-api:Invoke on every API in the account; for least privilege, attach a policy that allows execute-api:Invoke only on this method's ARN (arn:aws:execute-api:region:account-id:api-id/stage/POST/resource-path), and rotate the keys as you would any other long-lived credential.
  - Region. Select the AWS region in which the API is deployed; a signature computed for a different region is rejected.
  - Service Name. Enter execute-api as the service name. This is the service identifier in the signing scope, not the name of your API.
  - (Optional) Custom Headers. Enter up to five comma-separated key-value pairs.
  - Payload. Enter a JSON object in the format your Lambda function expects. For details on the variables that can be used as parameters within your JSON object, see Webhook Payload Variables.
- Click Test Connection. If the connection succeeds, you will see a 200 OK response. A 403 response means API Gateway rejected the request: check that the Region and Service Name match the API, that the keys belong to the intended IAM user, and that the user is allowed execute-api:Invoke on this method.
- Click Save.
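As an added example (not Sumo Logic's or AWS's code), the following Python reproduces the Signature Version 4 signing that the Webhook Connection performs with the Access Key, Secret Key, Region and Service Name entered above. It lets you verify the API Gateway method, the IAM user and its policy from your own workstation rather than only through the Test Connection button, and shows why each of those fields matters: all of them enter the signature. The Invoke URL, credentials, timestamp and body are constructed placeholders, and the code assumes a plain resource path that needs no URI encoding.

```python
"""Signature Version 4 signing of a POST to an API Gateway Invoke URL.

Added example, not Sumo Logic's or AWS's code. It reproduces what the Webhook
Connection has to do when the API Gateway method uses AWS_IAM authorization.
The URL, keys, region, timestamp and body below are constructed placeholders.
"""
import datetime
import hashlib
import hmac
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    Region and service are baked into the key, which is why a wrong Region or
    Service Name in the connection dialog produces an invalid signature."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sigv4_headers(url, body, access_key, secret_key, region,
                  service="execute-api", extra_headers=None, now=None):
    """Build the headers for a SigV4-signed POST of `body` to `url`.

    Every header in the returned dict except Authorization is listed in
    SignedHeaders, so API Gateway rejects tampering with any of them.
    Assumes a simple path with no characters that need URI encoding.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parsed = urlparse(url)

    headers = {"host": parsed.netloc,
               "x-amz-date": amz_date,
               "content-type": "application/json"}
    headers.update({k.lower(): v for k, v in (extra_headers or {}).items()})

    # Canonical request: method, path, query, sorted lowercase headers, body hash.
    signed_names = sorted(headers)
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in signed_names)
    signed_headers = ";".join(signed_names)
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(["POST", parsed.path or "/", parsed.query,
                                   canonical_headers, signed_headers, payload_hash])

    # The string to sign binds the request hash to the credential scope.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def post_signed(url, body, headers):
    """Send the signed request and return the HTTP status. 200 is what the
    Test Connection button reports on success; 403 means API Gateway rejected
    the signature or the IAM user lacks execute-api:Invoke on the method.
    Not called by the offline demo below."""
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed placeholders so the signing can be exercised offline.
EXAMPLE_URL = "https://a1b2c3d4e5.execute-api.us-east-1.amazonaws.com/prod/block-ip"
EXAMPLE_BODY = json.dumps({"SearchName": "Suspicious IP volume", "src_ip": "203.0.113.7"})
EXAMPLE_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)


def example_headers(secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"):
    """Sign EXAMPLE_BODY at a fixed time so the output is reproducible."""
    return sigv4_headers(EXAMPLE_URL, EXAMPLE_BODY, "AKIAIOSFODNN7EXAMPLE",
                         secret_key, "us-east-1", now=EXAMPLE_TIME)


if __name__ == "__main__":
    for name, value in example_headers().items():
        print(f"{name}: {value}")
```

To check a real deployment, call `sigv4_headers` with your Invoke URL, the IAM user's keys and the API's region, then `post_signed` with the result; a 200 confirms the same path the Webhook Connection will take. Any Custom Headers you configure in Sumo Logic can be passed as `extra_headers` so they are covered by the signature too.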
Create a scheduled search
To trigger the Webhook Connection, you can use a Scheduled Search. The following is an example configuration.
- Create a search query and click Save As below the search field.
- Click Schedule this search.
- Run Frequency. Select Hourly.
- Time range for scheduled search. Select Last 60 Minutes.
- Alert Condition. Select Send notification only if the condition below is satisfied.
- Number of results. Enter Greater than > 0.
- Alert Type. Select Webhook to upload search results to your Connection.
- Webhook. Select the Webhook you created in the previous section.
- Customize Payload. (Optional) If needed, select the check box and customize the Payload for this search. If you’d like to use the default payload, leave this as-is.
- Click Save.
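The scenario in the introduction (block a suspicious IP address and notify the security team) needs a Lambda function on the receiving end of this webhook. The following handler is an added example, not code from the Sumo Logic page. It assumes a Lambda proxy integration behind the API Gateway method, a payload whose aggregated search rows sit under AggregateResultsJson with the address in a src_ip field, and WAFv2 IP-set blocking and SNS notification supplied as injected callables; the sample event is constructed. It goes beyond the scenario in one respect: it validates and deduplicates the addresses (IPv4 and IPv6) and refuses to block trusted networks, so a malformed or internal value in the search result cannot turn into a self-inflicted outage.

```python
"""Lambda handler behind the API Gateway method that the Webhook Connection calls.

Added example, not from the Sumo Logic page. Assumptions not stated on the page:
the method uses a Lambda proxy integration (the JSON arrives as a string in
event["body"]), the scheduled search's payload puts the aggregated rows under
"AggregateResultsJson" with the offending address in "src_ip", and blocking is
done by rewriting a WAFv2 IP set. The sample event at the bottom is constructed.
"""
import ipaddress
import json

# Addresses that must never be blocked, whatever the search result says.
# Add your own VPC, office and partner ranges here (constructed list).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def extract_payload(event):
    """A proxy integration wraps the POST body as a string; a non-proxy
    integration passes the JSON object itself as the event."""
    body = event.get("body")
    if isinstance(body, str):
        return json.loads(body)
    return event


def select_block_candidates(payload, field="src_ip", trusted=NEVER_BLOCK):
    """Validate every address in the payload before it reaches the firewall.

    Returns (accepted, rejected): accepted is a deduplicated list of CIDR
    strings (/32 or /128, the form WAF requires); rejected pairs each dropped
    value with the reason, for the notification to the security team.
    """
    accepted, rejected, seen = [], [], set()
    for row in payload.get("AggregateResultsJson", []):
        raw = row.get(field)
        try:
            ip = ipaddress.ip_address(str(raw).strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))   # never pass junk downstream
            continue
        if any(ip in net for net in trusted):
            rejected.append((str(ip), "trusted network"))  # do not lock yourself out
            continue
        cidr = f"{ip}/{ip.max_prefixlen}"
        if cidr not in seen:
            seen.add(cidr)
            accepted.append(cidr)
    return accepted, rejected


def build_ipset_update(addresses, name, ip_set_id, lock_token, scope="REGIONAL"):
    """Keyword arguments for boto3's wafv2.update_ip_set. That call replaces the
    set's contents, so merge with the addresses from get_ip_set first."""
    return {"Name": name, "Scope": scope, "Id": ip_set_id,
            "Addresses": sorted(addresses), "LockToken": lock_token}


def handler(event, context, apply_update=None, notify=None):
    """Lambda entry point. apply_update(cidrs) and notify(text) are injection
    points so the decision logic runs offline; in production wire them to the
    WAF update and to SNS (both assumed, the page does not prescribe them)."""
    payload = extract_payload(event)
    accepted, rejected = select_block_candidates(payload)
    summary = {"search": payload.get("SearchName"), "blocked": accepted,
               "rejected": [{"value": v, "reason": r} for v, r in rejected]}
    if accepted and apply_update is not None:
        apply_update(accepted)
    if notify is not None:
        notify(json.dumps(summary))
    # Proxy integrations must return this shape or API Gateway answers 502.
    return {"statusCode": 200, "body": json.dumps(summary)}


# Constructed sample: what API Gateway hands the function for one webhook POST.
SAMPLE_EVENT = {
    "httpMethod": "POST",
    "body": json.dumps({
        "SearchName": "Suspicious IP volume",
        "AggregateResultsJson": [
            {"src_ip": "203.0.113.7", "_count": 1500},
            {"src_ip": "10.0.0.5", "_count": 900},       # internal, must not be blocked
            {"src_ip": "2001:db8::1", "_count": 700},
            {"src_ip": "203.0.113.7", "_count": 1500},   # duplicate row
            {"src_ip": "not an ip", "_count": 3},        # malformed value
        ],
    }),
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None, notify=print))
```

The handler treats the webhook payload as untrusted input even though AWS_IAM authorization restricts who can post it: the IAM user's keys live in a third-party system, and a search query can be edited by anyone with access to the saved search, so the function itself decides what may be blocked.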
Create a metrics monitor
Alternatively, to trigger the Webhook Connection, you can use a Metrics Monitor. For instructions, see Metrics Monitors and Alerts.