Using Sensor Zones
This topic has information about how to use sensor zones to distinguish among Cloud SIEM entities that have the same IP address. For example, you might have two servers that are deployed in two different Cloud regions that use the same private IP address space.
A sensor zone is an attribute that Cloud SIEM adds to records at ingest time. You can set a sensor zone for a Sumo Logic Source by assigning a field named _siemSensorZone to the Source.
You can set the field value to whatever you want, for example, us-west, europe, or aws. When Cloud SIEM creates a record or inventory data for a message from the Source, it will add an attribute named metadata_sensorZone that contains the sensor zone assigned to the Source. (If _siemSensorZone is not set for a Source, the value of the metadata_sensorZone attribute in records from that Source will be default.) The sensor zone attribute will be attached to all records from the Source it's assigned to, but it will only be mapped to IP address entities that are the primary entities on a Signal or insight.
Wherever the Cloud SIEM UI displays a private IP address whose metadata_sensorZone value is not equal to default in a record, Signal, or entity, it will append the sensor zone value to the IP address. This allows a security analyst to easily tell the difference between entities that have the same IP address, for example:
10.10.32.168 (us-west)
10.10.32.168 (europe)
In the insight generation process, Signals are correlated by the full IP address-sensor zone combination.
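As an added illustration (not code from the Sumo Logic documentation or product), the following Python mimics the two behaviours described above: the UI label rule (append the zone only for a private IP whose zone is not default) and insight correlation by the full IP address plus sensor zone combination. The record field name srcDevice_ip and the sample Signals are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

DEFAULT_ZONE = "default"  # value Cloud SIEM uses when _siemSensorZone is unset


def entity_label(ip: str, sensor_zone: str = DEFAULT_ZONE) -> str:
    """Render an IP entity the way the page describes the UI doing it:
    the zone is appended only for private addresses with a non-default zone."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private and sensor_zone != DEFAULT_ZONE:
        return f"{ip} ({sensor_zone})"
    return ip


def entity_key(record: dict) -> tuple:
    """Correlation key: (IP address, sensor zone). Public IPs collapse to the
    default zone because sensor zones only apply to private ranges."""
    ip = record["srcDevice_ip"]  # assumed record field name
    zone = record.get("metadata_sensorZone", DEFAULT_ZONE)
    if not ipaddress.ip_address(ip).is_private:
        zone = DEFAULT_ZONE
    return (ip, zone)


def group_signals(signals: list) -> dict:
    """Group Signal names by entity key, so two hosts that share 10.10.32.168
    in different zones never land in the same insight."""
    groups = defaultdict(list)
    for signal in signals:
        groups[entity_key(signal)].append(signal["name"])
    return dict(groups)


# Constructed sample Signals (not from the page)
SAMPLE_SIGNALS = [
    {"name": "Port scan", "srcDevice_ip": "10.10.32.168", "metadata_sensorZone": "us-west"},
    {"name": "Brute force", "srcDevice_ip": "10.10.32.168", "metadata_sensorZone": "europe"},
    {"name": "Lateral move", "srcDevice_ip": "10.10.32.168", "metadata_sensorZone": "us-west"},
    {"name": "DNS tunnel", "srcDevice_ip": "8.8.8.8", "metadata_sensorZone": "europe"},
    {"name": "No zone set", "srcDevice_ip": "10.10.32.168"},
]

if __name__ == "__main__":
    for key, names in group_signals(SAMPLE_SIGNALS).items():
        print(entity_label(*key), "->", names)
```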
Set sensor zones
You can assign a sensor zone to a Sumo Logic Source when you create a Source, or you can edit an existing Source to add a sensor zone to it.
Sensor zones will only apply to IP addresses in private address ranges.
To define a sensor zone for a Source:
- Classic UI: in the main Sumo Logic menu, select Manage Data > Collection > Collection.
  New UI: in the top menu click Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
- Navigate to the Source you want to update.
- In the Fields/Metadata area, define a Field named _siemSensorZone and set it to the desired value.
- Click Save.
After you add the field, records and inventory data from the Source will have the attribute _siemSensorZone set to the value you specified.
Sensor zones in Cloud SIEM
In the Cloud SIEM user interface, when viewing an entity or a record (or a Signal that is based on either one) that has _siemSensorZone set, the sensor zone will also be displayed in the UI.
The following screenshot shows an insight whose primary entity has a sensor zone defined.
Sensor zones in Sumo Logic
The screenshot below shows a Cloud SIEM record returned by a search in Sumo Logic. In the example record, no sensor zone has been added to the record, so the value of metadata_sensorZone is default.