Cloudflare Docs
Area 1 Email Security
Cloudflare Docs
Area 1 Email Security
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Area 1 Email Security
  3. ...
  4. SIEM integration
  5. Sumo Logic

Sumo Logic integration guide

When Area 1 detects a phishing email, the metadata of the detection can be sent directly into your instance of Sumo Logic. This document outlines the steps required to integrate Area 1 with Sumo Logic.

A diagram outlining what happens when Area 1 detects a phishing email and sends it to Sumo Logic.

​​ 1. Configure the Sumologic Collector

  1. Log in to Sumo Logic with an administrator account.

  2. Go to Manage Data > Collection to open the collector configuration pane.

  3. Select Add Collector.

    Add collector.

  4. In Select Collector Type, select Hosted Collector.

    Select Hosted Collector.

  5. In Add Hosted Collector, enter the following settings:

    • Name: Area 1 Collector
    • Description: Area 1 Security Collectors
    • Category: Anti-Phishing

    Enter the settings above to configure your collector.

  6. Select Save > OK to confirm the addition of the new Collector.

  7. In Cloud APIs, select HTTP Logs and Metrics to start the configuration of the data source.

    Select HTTP Logs and Metrics.

  8. Enter a descriptive Name and Description, and select Save.

    Enter a name and description.

  9. The system will present you a dialog box with the HTTP endpoint. Save it, as this will be required to configure Area 1 later.

    Take note of the endpoint to use it later.

​​ 2. Configure Area 1

The next step is to configure Area 1 to push the Email Detection Events to the Sumologic HTTP Collector.

  1. Log in to the Area 1 dashboard.
  2. Go to Email Configuration > Alert Webhooks, and select New Webhook.
  3. In the Add Webhooks page, enter the following settings:
    • App type: Select SIEM > Splunk. In Auth code, enter Sumologic.
    • Target: Enter the HTTP endpoint you saved in the previous section.
    • For the dispositions (MALICIOUS, SUSPICIOUS, SPOOF, SPAM, BULK) choose which (if any) you want to send to the webhook. Sending SPAM and BULK dispositions will generate a high number of events.
  4. Select Publish Webhook.

Your Sumo Logic integration will now show up in the All Webhooks panel.

Your Sumo Logic webhook will display in the All Webhooks panel.

It will take about ten minutes for the configuration to fully propagate through the infrastructure of Cloudflare Area 1, and for events to start to appear in your searches. Once the configuration is propagated, events will start to appear in your instance of Sumo Logic.

To view logs, hover your mouse over the Area 1 Collector, and select Open in Log Search.

View logs in Sumo Logic.

Once events start to flow, select New > Log search to search for the detection events with your search criteria (for example, _collector="Area 1 Collector").

Search for events.