|
| 1 | +--- |
| 2 | +id: automox |
| 3 | +title: Automox |
| 4 | +sidebar_label: Automox |
| 5 | +description: The Sumo Logic app for Automox provides security and IT teams visibility into endpoint management and security. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/send-data/automox-logo.png')} alt="Automox-icon" width="50" /> |
| 11 | + |
| 12 | +Automox is a cloud-native endpoint management solution that automates patching, configuration, and security enforcement across various operating systems. This app helps you monitor security events, audit system activity, and track patch compliance to reduce vulnerabilities and enhance endpoint security. The Sumo Logic app for Automox helps security and IT teams with visibility into endpoint management and security. |
| 13 | + |
| 14 | +Key features and benefits of the Automox app include: |
| 15 | + |
| 16 | +- **Patch Compliance and Version Tracking**. Gain insights into patch compliance by tracking applied and pending patches across different OS versions. |
| 17 | +- **Security Event Monitoring and Anomaly Detection**. Monitor security events, including policy actions, system modifications, and user activity to detect anomalies. |
| 18 | +- **Audit and Compliance for Administrative Actions**. Audit administrative actions, authentication logs, and system configuration changes for compliance and forensic investigations. |
| 19 | +- **Trend Analysis for Risk Identification and Security Optimization**. Analyze trends over time to identify potential risks and optimize endpoint security strategies. |
| 20 | +- **Real-Time Alerts for Security and Compliance Response**. Leverage real-time alerts to respond quickly to critical security issues and compliance gaps. |
| 21 | + |
| 22 | +Integrating Automox data with Sumo Logic helps organizations enhance security monitoring, streamline endpoint management, and boost operational resilience. |
| 23 | + |
| 24 | +:::info |
| 25 | +This app includes [built-in monitors](#automox-alerts). For details on creating custom monitors, refer to the [Create monitors for Automox app](#create-monitors-for-the-automox-app). |
| 26 | +::: |
| 27 | + |
| 28 | +## Log types |
| 29 | + |
| 30 | +This app uses Sumo Logic’s [Automox Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/automox-source/) to collect [audit logs](https://developer.automox.com/openapi/audit-trail/operation/getAuditEvents/) and [events logs](https://developer.automox.com/openapi/axconsole/operation/getEvents/) from the Automox platform. |
| 31 | + |
| 32 | +## Sample log message |
| 33 | + |
| 34 | +<details> |
| 35 | +<summary>Event Log</summary> |
| 36 | + |
| 37 | +```json |
| 38 | +{ |
| 39 | + "id": 1245817905, |
| 40 | + "name": "user.create", |
| 41 | + "user_id": 93789, |
| 42 | + "server_id": null, |
| 43 | + "organization_id": 114830, |
| 44 | + "policy_id": null, |
| 45 | + "data": { |
| 46 | + |
| 47 | + "orgname": "Sumo Logic", |
| 48 | + "lastname": "Raval", |
| 49 | + "trialend": null, |
| 50 | + "firstname": "abc", |
| 51 | + "trialstart": null |
| 52 | + }, |
| 53 | + "server_name": null, |
| 54 | + "policy_name": null, |
| 55 | + "policy_type_name": null, |
| 56 | + "create_time": "2024-09-26 07:30:19.223963" |
| 57 | +} |
| 58 | +``` |
| 59 | +</details> |
| 60 | + |
| 61 | +<details> |
| 62 | +<summary>Audit Log</summary> |
| 63 | + |
| 64 | +```json |
| 65 | +{ |
| 66 | + "id": "66f50ffd8be0f28b7ba2f05a7a", |
| 67 | + "activity": "Attach Policy", |
| 68 | + "activity_id": 7, |
| 69 | + "actor": { |
| 70 | + "user": { |
| 71 | + "email_addr": null, |
| 72 | + "org": { |
| 73 | + "uid": "dfffdf9c-0844-4302-80fb-31f9c27d5f74", |
| 74 | + "name": "Sumo Logic" |
| 75 | + }, |
| 76 | + "uid": null |
| 77 | + } |
| 78 | + }, |
| 79 | + "category_uid": 3, |
| 80 | + "class_uid": 3001, |
| 81 | + "count": 1, |
| 82 | + "message": "User Zone Role Assignment", |
| 83 | + "metadata": { |
| 84 | + "tenant_uid": null, |
| 85 | + "uid": "7f4bf345-a188-42de-83rc6-84872a79828f", |
| 86 | + "correlation_uid": "dfffdf9c-0844-4302-80fb-31f9c27d5f74", |
| 87 | + "version": "1.1.0", |
| 88 | + "product": { |
| 89 | + "version": "1.0.0-dev", |
| 90 | + "vendor_name": "Automox" |
| 91 | + } |
| 92 | + }, |
| 93 | + "severity": "Informational", |
| 94 | + "severity_id": 1, |
| 95 | + "status_code": 201, |
| 96 | + "status_id": 1, |
| 97 | + "time": 1727335819520, |
| 98 | + "timezone_offset": 0, |
| 99 | + "type_name": "Account Change: Attach Policy", |
| 100 | + "type_uid": 300107, |
| 101 | + "user": { |
| 102 | + "uid": "93789", |
| 103 | + |
| 104 | + }, |
| 105 | + "user_result": { |
| 106 | + "uid": "93789", |
| 107 | + "email_addr": "[email protected]", |
| 108 | + "groups": [ |
| 109 | + { |
| 110 | + "type": "organization", |
| 111 | + "privileges": [ |
| 112 | + "No Global Access" |
| 113 | + ], |
| 114 | + "uid": "5ca5de57-4f69-42fd-b8ec-b838f1a37475", |
| 115 | + "name": "Sumo Logic" |
| 116 | + }, |
| 117 | + { |
| 118 | + "type": "organization", |
| 119 | + "privileges": [ |
| 120 | + "Zone Administrator" |
| 121 | + ], |
| 122 | + "uid": "dfffdf9c-0844-4302-80fb-31f9c27d5f74", |
| 123 | + "name": "Sumo Logic" |
| 124 | + } |
| 125 | + ] |
| 126 | + } |
| 127 | +} |
| 128 | + |
| 129 | +``` |
| 130 | +</details> |
| 131 | + |
| 132 | +## Sample queries |
| 133 | + |
| 134 | +```sql title="Recent Access Activities" |
| 135 | +_sourceCategory="Labs/automox" activity_id |
| 136 | +| json "id", "activity_id", "activity", "severity", "type_name", "entity.name", "entity.type", "actor.user.email_addr", "actor.user.org.name", "auth_protocol_id", "category_uid", "count", "message", "metadata.correlation_uid", "metadata.tenant_uid", "metadata.product.vendor_name", "status_code", "status_id", "status_details", "time", "user.email", "user_result.email_addr", "user_result.groups[*].type", "user_result.groups[*].name", "user_result.groups[*].privileges[*]", "observables[*].type", "observables[*].value", "observables[*].name", "web_resources[*].name", "web_resources[*].type", "web_resources[*].url_string" as id, activity_id, activity, severity, type_name, entity_name, entity_type, actor_email, actor_org, auth_protocol_id, category_uid, event_count, message, correlation_uid, tenant_uid, vendor_name, status_code, status, status_details, event_time, target_user_email, result_user_email, group_type, group_name, group_privileges, observables_type, observables_value, observables_name, web_resource_name, web_resource_type, url_string nodrop |
| 137 | + |
| 138 | +| If (status matches "0", "Unknown", if (status matches "1", "Success", if (status matches "2", "Failure", "Other"))) as status |
| 139 | + |
| 140 | +// global filters |
| 141 | +| where activity matches "{{activity_type}}" |
| 142 | +| where severity matches "{{severity}}" |
| 143 | +| where status matches "{{status}}" |
| 144 | +| where status_code matches "{{status_code}}" |
| 145 | + |
| 146 | +| count by id |
| 147 | +| count |
| 148 | +``` |
| 149 | + |
| 150 | +## Collection configuration and app installation |
| 151 | + |
| 152 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 153 | + |
| 154 | +<CollectionConfiguration/> |
| 155 | + |
| 156 | +:::important |
| 157 | +Use the [Cloud-to-Cloud Integration for Automox](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/automox-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Automox app is properly integrated and configured to collect and analyze your Automox data. |
| 158 | +::: |
| 159 | + |
| 160 | +### Create a new collector and install the app |
| 161 | + |
| 162 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 163 | + |
| 164 | +<AppCollectionOPtion1/> |
| 165 | + |
| 166 | +### Use an existing collector and install the app |
| 167 | + |
| 168 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 169 | + |
| 170 | +<AppCollectionOPtion2/> |
| 171 | + |
| 172 | +### Use an existing source and install the app |
| 173 | + |
| 174 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 175 | + |
| 176 | +<AppCollectionOPtion3/> |
| 177 | + |
| 178 | +## Viewing the Automox dashboards |
| 179 | + |
| 180 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 181 | + |
| 182 | +<ViewDashboards/> |
| 183 | + |
| 184 | +### Events |
| 185 | + |
| 186 | +The **Automox - Events** dashboard provides a centralized view of the security and system events across managed endpoints. It highlights key metrics such as total events, user activities, policy actions, and notifications. Events are categorized by Operating System (OS) and event type, enabling administrators to track patches, policies, and system deletions. Geolocation heatmaps identify the event origins, which aids in threat analysis, while time-series visualizations display trends to help detect anomalies. Detailed event logs offer insights into user actions, policy executions, and patch deployments for auditing and compliance. This dashboard assists security teams in monitoring security, enforcing policies, and maintaining system integrity.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Automox/Automox+-+Events.png' alt="Automox-Events-Overview" /> |
| 187 | + |
| 188 | +### Audit Security |
| 189 | + |
| 190 | +The **Automox - Audit Security** dashboard provides a comprehensive overview of the audit events, enabling security teams to monitor system activity and potential risks. Events are categorized by severity (fatal, critical, high, medium, and low) for quick identification of critical issues. The dashboard also includes a breakdown of statuses (success, failure, and unknown) to evaluate the effectiveness of security measures. Events are further classified by type, entity, and web resource, offering insights into account changes, authentication logs, and entity management. Time-series charts track trends, making it easier to identify anomalies. User activity data highlights key individuals involved in security events, supporting investigations and compliance. Furthermore, detailed event summaries provide visibility into authentication attempts, account modifications, and resource deletions, ensuring thorough auditing.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Automox/Automox+-+Audit+Security.png' alt="Automox-Audit-Security-Overview" /> |
| 191 | + |
| 192 | +## Create monitors for the Automox app |
| 193 | + |
| 194 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 195 | + |
| 196 | +<CreateMonitors/> |
| 197 | + |
| 198 | +### Automox alerts |
| 199 | + |
| 200 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 201 | +|:--|:--|:--|:--| |
| 202 | +| `Automox - Critical Severity Events` | This alert is triggered when critical severity events are detected in Automox, such as security risks, failed patches, or policy violations. It helps IT and security teams quickly identify and address high-impact incidents before they escalate. | Critical | Count > 0 | |
| 203 | +| `Automox - Events from Embargoed Geo Locations` | This alert is triggered when events originate from restricted or embargoed geographic locations, indicating possible unauthorized access or compliance violations. Security teams can use it to enforce geo-based access policies and mitigate potential threats. | Critical | Count > 0| |
| 204 | + |
| 205 | +## Upgrading/Downgrading the Automox app (Optional) |
| 206 | + |
| 207 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 208 | + |
| 209 | +<AppUpdate/> |
| 210 | + |
| 211 | +## Uninstalling the Automox app (Optional) |
| 212 | + |
| 213 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 214 | + |
| 215 | +<AppUninstall/> |
0 commit comments