|
| 1 | +--- |
| 2 | +id: zendesk |
| 3 | +title: Zendesk |
| 4 | +sidebar_label: Zendesk |
| 5 | +description: The Zendesk app for Sumo Logic provides security analysts with critical visibility into their Zendesk environment. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/send-data/zendesk-icon.png')} alt="Zendesk-icon" width="50" /> |
| 11 | + |
| 12 | +The Sumo Logic app for Zendesk is designed to provide security analysts with critical visibility into their organization's Zendesk environment. It offers real-time monitoring of audit events, user activity, and security-related changes such as logins, user provisioning, and configuration updates. The app includes dashboards that track the actions of users, groups, and organizations, highlighting potential risks like audits from risky locations or impossible login attempts. |
| 13 | + |
| 14 | +Security analysts can quickly identify anomalous behavior, unauthorized access, and suspicious activities through detailed visualizations of audit trails and geographic trends. The app's integration with Zendesk ensures seamless tracking of key security metrics, empowering analysts to detect, investigate, and respond to threats promptly. This makes it an essential tool for securing Zendesk environments and ensuring compliance with security policies. |
| 15 | + |
| 16 | +:::info |
| 17 | +This app includes [built-in monitors](#zendesk-monitors). For details on creating custom monitors, refer to [Create monitors for Zendesk app](#create-monitors-for-zendesk-app). |
| 18 | +::: |
| 19 | + |
| 20 | +## Log types |
| 21 | + |
| 22 | +This app uses Sumo Logic’s Zendesk Source to collect [audit logs](https://developer.zendesk.com/api-reference/ticketing/account-configuration/audit_logs/) from Zendesk platform. |
| 23 | + |
| 24 | +## Sample log messages |
| 25 | + |
| 26 | +```json title="Event Log" |
| 27 | + { |
| 28 | + "url": "https://unity/api/v2/audit_logs/17296759404950.json", |
| 29 | + "id": 1729675940, |
| 30 | + "action_label": "Updated", |
| 31 | + "actor_id": 1729675940, |
| 32 | + "source_id": 44991493, |
| 33 | + "source_type": "organization", |
| 34 | + "source_label": "Organization: NCSOFT Corporation", |
| 35 | + "action": "update", |
| 36 | + "change_description": "Group changed from Premium Support to Premium Support Korea", |
| 37 | + "ip_address": "77.105.132.70", |
| 38 | + "created_at": "2024-10-23T15:02:20Z", |
| 39 | + "actor_name": "****** Langalia" |
| 40 | +} |
| 41 | +``` |
| 42 | +## Sample queries |
| 43 | + |
| 44 | +```sql title="Total Audits" |
| 45 | +_sourceCategory="Labs/Zendesk" |
| 46 | +| json "url","id","action_label","actor_id","source_id","source_type","source_label","action","change_description","ip_address","created_at","actor_name" as url, id, action_label, actor_id, source_id, source_type, source_label, action, change_description, ip_address, created_at, actor_name nodrop |
| 47 | + |
| 48 | +// Global filters |
| 49 | +| where action matches "{{action}}" |
| 50 | +| where actor_name matches "{{actor_name}}" |
| 51 | +| where source_type matches "{{source_type}}" |
| 52 | +| count by id |
| 53 | +| count |
| 54 | +``` |
| 55 | + |
| 56 | +## Set up collection |
| 57 | + |
| 58 | +To set up the [Zendesk Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zendesk-source) for the Zendesk app, follow the instructions provided. These instructions will guide you through the process of creating a source using the Zendesk Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Zendesk app is properly integrated and configured to collect and analyze your Zendesk data. |
| 59 | + |
| 60 | +## Installing the Zendesk app |
| 61 | + |
| 62 | +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; |
| 63 | + |
| 64 | +<AppInstall2/> |
| 65 | + |
| 66 | +## Viewing Zendesk dashboards |
| 67 | + |
| 68 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 69 | + |
| 70 | +<ViewDashboards/> |
| 71 | + |
| 72 | +### Overview |
| 73 | + |
| 74 | +The **Zendesk - Overview** dashboard provides a high-level summary of key security metrics. It tracks total audit events, newly created users, groups, and organizations, helping security analysts monitor real-time activity. The dashboard breaks down audit actions by type, source, and geography, allowing for quick identification of suspicious activity or trends, such as logins or audits from risky locations. Top actors and recent audits are displayed to show who is making changes. Analysts can also track sign-in events over time to spot unusual login patterns, ensuring timely detection of potential threats. <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Zendesk/Zendesk-Overview.png' alt="Zendesk-Overview" /> |
| 75 | + |
| 76 | +## Create monitors for Zendesk app |
| 77 | + |
| 78 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 79 | + |
| 80 | +<CreateMonitors/> |
| 81 | + |
| 82 | +### Zendesk monitors |
| 83 | + |
| 84 | +The Zendesk Monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Zendesk Platform. These notifications offer instantaneous insight into significant events, allowing security personnel to swiftly react to deviations or breaches. |
| 85 | + |
| 86 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 87 | +|:--|:--|:--|:--| |
| 88 | +| `Zendesk - Audits from Risky Locations` | This alert is triggered when audit events, such as user actions or configuration changes are performed from geographical locations identified as high-risk. These risky locations may correlate with regions known for cyberattacks or unauthorized activity, making it crucial to investigate these events for potential security risks. | Critical | Count > 0 | |
| 89 | +| `Zendesk - Impossible Login Events` | This alert notifies you of login attempts that are classified as *impossible*. This could mean logins from multiple geographically distant locations within a short time frame or logins from suspicious devices. Impossible login events often signal a compromise in account security, warranting immediate investigation to ensure no unauthorized access has occurred | Critical | Count > 0| |
| 90 | + |
| 91 | + |
| 92 | +## Upgrading the Zendesk app (Optional) |
| 93 | + |
| 94 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 95 | + |
| 96 | +<AppUpdate/> |
| 97 | + |
| 98 | +## Uninstalling the Zendesk app (Optional) |
| 99 | + |
| 100 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 101 | + |
| 102 | +<AppUninstall/> |
0 commit comments