You can trigger an AWS Lambda function directly from a Sumo Logic alert by configuring a webhook connection.
For example, you can create a Scheduled Search that triggers a Lambda function when too many requests are received from a suspicious IP address. The Lambda function can shut down additional requests from that IP address, while simultaneously sending a notification to the security team for review.
Build an API in the API Gateway to expose a Lambda function
First, generate an Invoke URL, with a POST method for your Lambda function by creating an API in Amazon API Gateway. For information about exposing an HTTP endpoint, see Amazon's API Gateway documentation:
When you have created the Invoke URL, copy and paste it into a notepad. You will need it to configure the webhook connection in the next section.
Create a Webhook connection
Configure the webhook connection to trigger the AWS Lambda function.
- Go to Manage Data > Alerts > Connections.
- On the Connections page click Add.
- Click AWS Lambda.
- In the Create Connection dialog, enter:
- Name. Enter a name for the Connection.
- Description. Optional: Enter a Description for the Connection.
- URL. Enter the Invoke URL from the previous section.
- Access Key and Secret Key. Enter your AWS Access Key and Secret Key.
- Secure your API gateway method by selecting AWS_IAM for the authorization type.
- Create an IAM user who has basic API gateway invoke access. You can use the AWS managed policy AmazonAPIGatewayInvokeFullAccess.
- Region. Select your region.
- Service Name. Enter execute-api as the service name.
- (Optional) Custom Headers, enter up to five comma separated key-value pairs.
- Payload. Enter a JSON object in the format required. For details on variables that can be used as parameters within your JSON object, see Webhook Payload Variables.
- Click Test Connection. If the connection is made, you will see a 200 OK response message.
- Click Save.
Create a scheduled search
Scheduled searches are saved searches that run automatically at specified intervals. When a scheduled search is configured to send an alert, it can be sent to a connection via a webhook.
You can create a brand new search, or you can base a search on an existing saved or scheduled search. If you'd like to use an existing search, you'll need to save the query as a new search to not override the current schedule of the search. For instructions, see Scheduled Searches for Webhook Connections.
Create a metrics monitor
To trigger the Webhook connection, you can also use a metrics monitor. For instructions, see Metrics Monitors and Alerts.