Sumo Logic Access Token
Service Name: Sumo Logic
Service Description: Sumo Logic is a cloud-based log management and analytics service that enables the collection and analysis of machine data from various sources for monitoring, troubleshooting, and security purposes.
Service Address: https://www.sumologic.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the account level through IP allowlisting in the security settings.
Secret Access Scope: Grants programmatic access to Sumo Logic APIs, allowing management of collectors, sources, dashboards, and the ability to query logs and metrics data.
Secret Revokement URL: https://help.sumologic.com/docs/manage/security/access-keys/#manage-access-keys
Secret Example: sumo1234abcdef567890ghijklmnopqrstuvwxyz1234567890abcdefghijklm
Suspicious Activity Investigation Instructions:
- Review the audit index in Sumo Logic for unauthorized API calls or unusual access patterns
- Check for unexpected collector or source creations or modifications
- Monitor for unusual query patterns or data exports
- Verify if there are any unexpected changes to dashboards, alerts, or scheduled searches
- Look for access from unusual IP addresses or locations
Mitigation Instructions:
- Log in to the Sumo Logic web interface
- Navigate to Administration > Security > Access Keys
- Locate the compromised access key
- Click the delete icon (trash can) next to the key
- Confirm deletion when prompted
- Create a new access key if needed
- Update any legitimate applications or services using the old key
- Review and update IP allowlisting settings if necessary
- Consider enabling multi-factor authentication for all users