|
| 1 | +--- |
| 2 | +id: zimperium |
| 3 | +title: Zimperium |
| 4 | +sidebar_label: Zimperium |
| 5 | +description: The Sumo Logic App for Zimperium provides visibility into mobile threats through centralized threat intelligence and device telemetry. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('/img/integrations/zimperium/zimperium-logo.png')} alt="Thumbnail icon" width="80" /> |
| 11 | + |
| 12 | +The Sumo Logic app for Zimperium equips security analysts with comprehensive visibility into mobile threat activity, enabling faster detection, investigation, and response to security incidents on mobile devices. Its dashboard centralizes Zimperium’s threat intelligence and device telemetry, helping identify high-risk users, compromised devices, and malicious activity targeting mobile endpoints. |
| 13 | + |
| 14 | +With this app, analysts can: |
| 15 | +- **Monitor threats by severity**. Track trends over time for critical, important, low, and hidden threats, helping prioritize investigations. |
| 16 | +- **Identify malicious network connections**. View domains and URLs flagged as malicious, with threat categorization for quick triage. |
| 17 | +- **Correlate threats to users**. Pinpoint employees associated with threats to streamline response and remediation. |
| 18 | +- **Review top actionable threats**. See prioritized detection details, including device IDs, risk scores, threat types, and impacted users. |
| 19 | +- **Analyze threat artifacts**. Drill into detected malicious URLs, file sources, and exploited vulnerabilities. |
| 20 | +- **Detect vulnerable OS versions**. Identify devices running outdated or insecure operating systems. |
| 21 | +- **Spot jailbroken devices**. Detect and monitor devices that have been rooted or jailbroken, increasing the attack surface. |
| 22 | +- **Investigate system tampering events**. Surface suspicious activities such as debugging, OS tampering, or configuration changes. |
| 23 | +- **Assess device risk posture**. Review aggregated risk scores, posture issues, and affected users for incident prioritization. |
| 24 | +- **Track threat mitigation events**. Confirm and audit mitigated threats to ensure timely response. |
| 25 | + |
| 26 | +Use cases for security analysts: |
| 27 | +- Proactively hunting for compromised mobile endpoints in the organization. |
| 28 | +- Detecting and investigating targeted phishing or malicious link-tapping events. |
| 29 | +- Monitoring users connecting to high-risk networks or malicious domains. |
| 30 | +- Enforcing mobile security policies by detecting non-compliant devices. |
| 31 | +- Supporting incident response with enriched device and user context. |
| 32 | + |
| 33 | + |
| 34 | +By integrating Zimperium’s advanced mobile threat defense data into Sumo Logic, security teams gain actionable, real-time insights to reduce mobile attack risk and protect enterprise data from compromise. |
| 35 | + |
| 36 | +:::info |
| 37 | +This app includes [built-in monitors](#zimperium-alerts). For details on creating custom monitors, refer to [Create monitors for Zimperium app](#create-monitors-for-the-zimperium-app). |
| 38 | +::: |
| 39 | + |
| 40 | +## Log types |
| 41 | + |
| 42 | +The Zimperium app leverages the threat events collected via Zimperium Webhook. |
| 43 | + |
| 44 | +### Sample log messages |
| 45 | + |
| 46 | +<details> |
| 47 | +<summary>Threat Event</summary> |
| 48 | + |
| 49 | +```json |
| 50 | +{ |
| 51 | + "system_token": null, |
| 52 | + "severity": 0, |
| 53 | + "risk_posture": 3, |
| 54 | + "event_id": "7bbe0be8-6a83-4bb0-95a9-5b0211f2077b", |
| 55 | + "forensics": { |
| 56 | + "severity": "HIDDEN", |
| 57 | + "process_list": [ |
| 58 | + |
| 59 | + ], |
| 60 | + "os": 1, |
| 61 | + "network_threat": { |
| 62 | + "my_ip": "109.248.151.179", |
| 63 | + "arp_tables": { |
| 64 | + "before": { |
| 65 | + |
| 66 | + } |
| 67 | + }, |
| 68 | + "net_stat": [ |
| 69 | + |
| 70 | + ] |
| 71 | + }, |
| 72 | + "threat_uuid": "e6d7b9b7-080c-c267-7598-5f37aa3aa19c", |
| 73 | + "type": 209, |
| 74 | + "time_interval": 0, |
| 75 | + "general": [ |
| 76 | + { |
| 77 | + "name": "Device IP", |
| 78 | + "val": "109.248.151.179" |
| 79 | + }, |
| 80 | + { |
| 81 | + "name": "Network", |
| 82 | + "val": "SnowCrash" |
| 83 | + }, |
| 84 | + { |
| 85 | + "name": "Network BSSID", |
| 86 | + "val": "94:83:c11:18:00:ee" |
| 87 | + }, |
| 88 | + { |
| 89 | + "name": "Device Time", |
| 90 | + "val": "06 18 2025 11:18:00 UTC" |
| 91 | + }, |
| 92 | + { |
| 93 | + "name": "Action Triggered", |
| 94 | + "val": "Silent Alert" |
| 95 | + }, |
| 96 | + { |
| 97 | + "name": "Time Interval", |
| 98 | + "val": 0 |
| 99 | + } |
| 100 | + ], |
| 101 | + "event_id": "7bbe0be8-6a83-4bb0-95a9-5b0211f2077b", |
| 102 | + "BSSID": "94:83:c11:18:00:ee", |
| 103 | + "attack_time": { |
| 104 | + "$date": 1755109080729 |
| 105 | + }, |
| 106 | + "responses": [ |
| 107 | + "SILENT_ALERT" |
| 108 | + ], |
| 109 | + "_id": { |
| 110 | + "$oid": "7bbe0be8-6a83-4bb0-95a9-5b0211f2077b" |
| 111 | + }, |
| 112 | + "zdid": "b21f3d31-5de6-4269-9788-1a5a35972303", |
| 113 | + "SSID": "Snow Crash" |
| 114 | + }, |
| 115 | + "mitigated": false, |
| 116 | + "location": { |
| 117 | + "gps_latitude": null, |
| 118 | + "gps_longitude": null, |
| 119 | + "location_accuracy": null |
| 120 | + }, |
| 121 | + "eventtimestamp": "06 18 2025 11:18:00 UTC", |
| 122 | + "user_info": { |
| 123 | + "employee_name": "", |
| 124 | + "user_id": null, |
| 125 | + "user_role": null, |
| 126 | + "user_email": "[email protected]", |
| 127 | + "first_name": null, |
| 128 | + "middle_name": null, |
| 129 | + "last_name": null |
| 130 | + }, |
| 131 | + "device_owner": { |
| 132 | + "id": null, |
| 133 | + |
| 134 | + "first_name": null, |
| 135 | + "middle_name": null, |
| 136 | + "last_name": null |
| 137 | + }, |
| 138 | + "device_info": { |
| 139 | + "device_time": "06 18 2025 11:18:00 UTC", |
| 140 | + "tag1": null, |
| 141 | + "tag2": null, |
| 142 | + "app": "MTD", |
| 143 | + "operator": null, |
| 144 | + "imei": "1E4002AE-B157-485E-AF01-38CE7E7B904F", |
| 145 | + "zdid": "b21f3d31-5de6-4269-9788-1a5a35972303", |
| 146 | + "app_version": "5.7.51", |
| 147 | + "zapp_instance_id": "53cb7994-c130-5b4c-9f5a-ab30cd393b60", |
| 148 | + "os": "ios", |
| 149 | + "jailbroken": false, |
| 150 | + "os_version": "15.8.3", |
| 151 | + "model": "iPhone8,2", |
| 152 | + "device_id": "1E4002AE-B157-485E-AF01-38CE7E7B904F", |
| 153 | + "type": null, |
| 154 | + "mdm_device_id": null, |
| 155 | + "mdm_alt_ids": null |
| 156 | + }, |
| 157 | + "threat": { |
| 158 | + "name": "TESTFLIGHT_INSTALLED", |
| 159 | + "category": "SINGULAR", |
| 160 | + "general": { |
| 161 | + "time_interval": "0", |
| 162 | + "device_time": "06 18 2025 11:18:00 UTC", |
| 163 | + "external_ip": "109.248.151.179", |
| 164 | + "threat_type": "TESTFLIGHT_INSTALLED", |
| 165 | + "device_ip": "109.248.151.179", |
| 166 | + "imei": "1E4002AE-B157-485E-AF01-38CE7E7B904F", |
| 167 | + "network": "SnowCrash", |
| 168 | + "network_bssid": "94:83:c11:18:00:ee", |
| 169 | + "gateway_ip": null, |
| 170 | + "gateway_mac": null, |
| 171 | + "external_network": null, |
| 172 | + "network_interface": null, |
| 173 | + "network_encryption": null, |
| 174 | + "subnet_mask": null, |
| 175 | + "action_triggered": "Silent Alert", |
| 176 | + "device_mac": null, |
| 177 | + "attacker_ip": null, |
| 178 | + "attacker_mac": null, |
| 179 | + "attacker_ssid": null, |
| 180 | + "attacker_bssid": null, |
| 181 | + "base_station": null, |
| 182 | + "certificate": null, |
| 183 | + "stagefright_vulnerability_report": null, |
| 184 | + "jailbreak_reasons": null, |
| 185 | + "process": null, |
| 186 | + "sideloaded_app_package": null, |
| 187 | + "sideloaded_app_name": null, |
| 188 | + "sideloaded_app_developer": null, |
| 189 | + "event": null, |
| 190 | + "file_name": null, |
| 191 | + "file_path": null, |
| 192 | + "file_hash": null, |
| 193 | + "suspected_url": null, |
| 194 | + "module": null, |
| 195 | + "profile_category": null, |
| 196 | + "profile_description": null, |
| 197 | + "profile_identifier": null, |
| 198 | + "profile_name": null, |
| 199 | + "profile_type": null, |
| 200 | + "profile_risk": null, |
| 201 | + "malware_list": null, |
| 202 | + "package_name": null, |
| 203 | + "installer_source": null, |
| 204 | + "malware_family": null, |
| 205 | + "vulnerable_os_version": null, |
| 206 | + "expected_os_version": null, |
| 207 | + "vulnerable_security_patch": null, |
| 208 | + "expected_security_patch": null, |
| 209 | + "device_manufacturer": null, |
| 210 | + "device_model": null, |
| 211 | + "build_information": null, |
| 212 | + "detected_url": "null", |
| 213 | + "ip_of_detected_url": null |
| 214 | + }, |
| 215 | + "threat_uuid": "e6d7b9b7-080c-c267-7598-5f37aa3aa19c", |
| 216 | + "display_name": "TestFlight App Installed", |
| 217 | + "mitre_tactics": [ |
| 218 | + |
| 219 | + ], |
| 220 | + "child_threat_uuids": [ |
| 221 | + |
| 222 | + ], |
| 223 | + "triggered_actions": [ |
| 224 | + |
| 225 | + ] |
| 226 | + }, |
| 227 | + "account_id": "b085f23c-4143-4751-ab66-cfb50b1257dd", |
| 228 | + "team_id": "acde6199-545b-4243-8634-eea8864bb1a3", |
| 229 | + "team_name": "Default", |
| 230 | + "additional_public_forensics": null |
| 231 | +} |
| 232 | +``` |
| 233 | +</details> |
| 234 | + |
| 235 | +### Sample queries |
| 236 | + |
| 237 | +```sql title="Threat Summary" |
| 238 | +_sourceCategory=*zimperium* system_token mitigated |
| 239 | +| json field=_raw "additional_public_forensics", "team_name", "account_id", "device_owner", "device_info", "user_info", "eventtimestamp", "location", "mitigated", "forensics", "event_id", "risk_posture", "severity" nodrop |
| 240 | +| json field=_raw "mitigated" |
| 241 | +| where mitigated = "true" |
| 242 | +| json field=_raw "forensics.severity" as severity nodrop |
| 243 | +| where isNull(severity) or severity matches "*" |
| 244 | +| json field=_raw "threat" |
| 245 | +| json field=threat "display_name", "mitre_tactics", "threat_uuid", "category" as threat_name, mitre_tactics, threat_uuid, threat_category |
| 246 | +| json field=device_info "imei", "app", "operator", "app_version", "jailbroken", "model", "device_id" |
| 247 | +| json field=user_info "user_email", "employee_name" |
| 248 | +| count by device_id, severity, threat_name, mitre_tactics, threat_uuid, threat_category, user_email, employee_name, imei, app, operator, app_version, model |
| 249 | +``` |
| 250 | + |
| 251 | +## Setup collection |
| 252 | + |
| 253 | +To set up integration for the Zimperium source, follow the steps below: |
| 254 | + |
| 255 | +1. Create a [Sumo Logic HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/). |
| 256 | +2. In the Zimperium app, navigate to **Account Management** > **Data Export**. |
| 257 | +:::note |
| 258 | +Administrator privileges are required to access the Account Management page. |
| 259 | +::: |
| 260 | +3. Add a new **Data Export Configuration** and set the **Destination Type** to **REST Endpoint**. |
| 261 | +4. Enter the required details as shown in the screenshot below, and use the **Sumo Logic HTTP Source URL** from step 1 as the **Endpoint**. |
| 262 | +<img src={useBaseUrl('/img/integrations/zimperium/add-data-export-config.png')} alt="Thumbnail icon" width="500"/> |
| 263 | + |
| 264 | +## Installing the Zimperium app |
| 265 | + |
| 266 | +This section provides instructions on how to install the Zimperium App for Sumo Logic. The app's pre-configured searches and dashboards provide easy-to-access visual insights into your data. |
| 267 | + |
| 268 | +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; |
| 269 | + |
| 270 | +<AppInstall2/> |
| 271 | + |
| 272 | +## Viewing Zimperium dashboards |
| 273 | + |
| 274 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 275 | + |
| 276 | +<ViewDashboards/> |
| 277 | + |
| 278 | +### Security |
| 279 | + |
| 280 | +The **Zimperium - Security** dashboard enables you to monitor mobile threats by severity, investigate malicious network connections, and correlate detections with specific users for targeted response. It highlights top actionable threats, vulnerable OS versions, jailbroken devices, and system tampering events, while providing visibility into device risk posture to prioritize high-risk assets and track mitigation efforts for compliance. The dashboard streamlines detection, investigation, and remediation of mobile security incidents.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/zimperium/Zimperium+-+Security.png' alt="Zimperium-Security" /> |
| 281 | + |
| 282 | +## Create monitors for the Zimperium app |
| 283 | + |
| 284 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 285 | + |
| 286 | +<CreateMonitors/> |
| 287 | + |
| 288 | +### Zimperium alerts |
| 289 | + |
| 290 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 291 | +|:--|:--|:--|:--| |
| 292 | +| `Zimperium - Important and Critical Detections` | This alert is triggered when a threat marked as Important or Critical is detected. It immediately notifies security analysts of high-risk threats on managed mobile devices, enabling rapid triage of incidents such as active exploits, malicious network connections, device tampering, or non-compliant configurations. By surfacing only the most critical detections, it helps prioritize response efforts and protect sensitive data from potential compromise. | Critical | Count > 0 | |
| 293 | + |
| 294 | +## Upgrade/Downgrade the Zimperium app (Optional) |
| 295 | + |
| 296 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 297 | + |
| 298 | +<AppUpdate/> |
| 299 | + |
| 300 | +## Uninstalling the Zimperium app (Optional) |
| 301 | + |
| 302 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 303 | + |
| 304 | +<AppUninstall/> |
0 commit comments