Skip to main content
Sumo Logic

Webhook Connection for AWS Lambda

You can trigger an AWS Lambda function directly from a Sumo Logic alert by configuring a webhook connection.

For example, you can create a Scheduled Search that triggers a Lambda function when too many requests are received from a suspicious IP address. The Lambda function can shut down additional requests from that IP address, while simultaneously sending a notification to the security team for review.

Build an API in the API Gateway to expose a Lambda function

First, generate an Invoke URL, with a POST method for your Lambda function by creating an API in Amazon API Gateway. For information about exposing an HTTP endpoint, see Amazon's API Gateway documentation:

http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html

When you have created the Invoke URL, copy and paste it into a notepad. You will need it to configure the webhook connection in the next section.

Create a Webhook connection

Configure the webhook connection to trigger the AWS Lambda function.

  1. Go to Manage Data > Alerts > Connections.
  2. On the Connections page click Add.
  3. Click AWS Lambda.
  4. In the Create Connection dialog, enter:
    1. Name. Enter a name for the Connection.
    2. Description. Optional: Enter a Description for the Connection.
    3. URL. Enter the Invoke URL from the previous section.
    4. Access Key and Secret Key. Enter your AWS Access Key and Secret Key.
      1. Secure your API gateway method by selecting AWS_IAM for the authorization type.
      2. Create an IAM user who has basic API gateway invoke access. You can use the AWS managed policy AmazonAPIGatewayInvokeFullAccess.
    5. Region. Select your region.
    6. Service Name. Enter execute-api as the service name.
    7. (Optional) Custom Headers, enter up to five comma separated key-value pairs.
    8. Payload. Enter a JSON object in the format required. For details on variables that can be used as parameters within your JSON object, see Webhook Payload Variables
  5. Click Test Connection. If the connection is made, you will see a 200 OK response message.
  6. Click Save.

Create a scheduled search 

Scheduled searches are saved searches that run automatically at specified intervals. When a scheduled search is configured to send an alert, it can be sent to a connection via a webhook.

You can create a brand new search, or you can base a search on an existing saved or scheduled search. If you'd like to use an existing search, you'll need to save the query as a new search to not override the current schedule of the search. For instructions, see Scheduled Searches for Webhook Connections.

Create a metrics monitor

To trigger the Webhook connection, you can also use a metrics monitor. For instructions, see Metrics Monitors and Alerts