Skip to content
Cloudflare Docs

Sumo Logic

Last reviewed: almost 2 years ago

When Email Security detects a phishing email, the metadata of the detection can be sent directly into your instance of Sumo Logic. This document outlines the steps required to integrate Email Security with Sumo Logic.

A diagram outlining what happens when Email Security detects a phishing email and sends it to Sumo Logic.

1. Configure the Sumologic Collector

  1. Log in to Sumo Logic with an administrator account.

  2. Go to Manage Data > Collection to open the collector configuration pane.

  3. Select Add Collector.

    Add collector.

  4. In Select Collector Type, select Hosted Collector.

    Select Hosted Collector.

  5. In Add Hosted Collector, enter the following settings:

    • Name: Email Security Collector
    • Description: Email Security Security Collectors
    • Category: Anti-Phishing

    Enter the settings above to configure your collector.

  6. Select Save > OK to confirm the addition of the new Collector.

  7. In Cloud APIs, select HTTP Logs and Metrics to start the configuration of the data source.

    Select HTTP Logs and Metrics.

  8. Enter a descriptive Name and Description, and select Save.

    Enter a name and description.

  9. The system will present you a dialog box with the HTTP endpoint. Save it, as this will be required to configure Email Security later.

    Take note of the endpoint to use it later.

2. Configure Email Security

The next step is to configure Email Security to push the Email Detection Events to the Sumologic HTTP Collector.

  1. Log in to the Email Security dashboard.
  2. Go to Email Configuration > Alert Webhooks, and select New Webhook.
  3. In the Add Webhooks page, enter the following settings:
    • App type: Select SIEM > Splunk. In Auth code, enter Sumologic.
    • Target: Enter the HTTP endpoint you saved in the previous section.
    • For the dispositions (MALICIOUS, SUSPICIOUS, SPOOF, SPAM, BULK) choose which (if any) you want to send to the webhook. Sending SPAM and BULK dispositions will generate a high number of events.
  4. Select Publish Webhook.

Your Sumo Logic integration will now show up in the All Webhooks panel.

Your Sumo Logic webhook will display in the All Webhooks panel.

It will take about ten minutes for the configuration to fully propagate through the infrastructure of Email Security, and for events to start to appear in your searches. Once the configuration is propagated, events will start to appear in your instance of Sumo Logic.

To view logs, hover your mouse over the Email Security Collector, and select Open in Log Search.

View logs in Sumo Logic.

Once events start to flow, select New > Log search to search for the detection events with your search criteria (for example, _collector="Email Security Collector").

Search for events.
Cloudflare DashboardDiscordCommunityLearning CenterSupport Portal
Cookie Settings