
Sumo Logic Security Inspector

Sumo Logic · Monitoring, Logging & Observability

VENDOR: Sumo Logic LANG: go UPDATED: 2026-03-29

Sumo Logic Security Inspector — Architecture Specification

1. Overview

sumologic-sec-inspector is a security compliance inspection tool for Sumo Logic environments. It audits authentication policies, access controls, data governance, and operational security settings across a Sumo Logic organization via the Management API. The tool produces structured findings mapped to major compliance frameworks, enabling security teams to identify misconfigurations, enforce least-privilege access, and maintain continuous compliance posture.

Written in Go with a hybrid CLI/TUI architecture, it supports both automated pipeline execution (JSON/SARIF output) and interactive exploration of findings.

2. APIs & SDKs

Sumo Logic Management API

| Endpoint | Purpose |
|---|---|
| GET /v1/users | List all users, inspect roles and status |
| GET /v1/roles | Enumerate roles and capability assignments |
| GET /v1/saml/identityProviders | SAML SSO configuration and enforcement |
| GET /v1/saml/allowlistedUsers | Users bypassing SAML enforcement |
| GET /v1/accessKeys | List access keys, detect stale/unused keys |
| GET /v1/passwordPolicy | Password complexity and rotation policy |
| GET /v1/account/audit | Audit index configuration |
| GET /v1/collectors | Installed/hosted collector inventory |
| GET /v1/connections | Outbound connection/webhook destinations |
| GET /v1/content/folders/personal | Content sharing and permission model |
| GET /v1/monitors | Monitor and alert configurations |
| GET /v1/serviceAllowlist/addresses | Service allowlist (IP restrictions) |
| GET /v1/lookupTables | Lookup table access and configurations |
| GET /v1/ingestBudgets | Ingest budget limits and assignments |
| GET /v1/scheduledViews | Scheduled view configurations |
| GET /v1/partitions | Data partition and retention settings |

Base URL pattern: https://api.{deployment}.sumologic.com/api (US1 is the exception: its hostname carries no deployment label)

  • US1: api.sumologic.com
  • US2: api.us2.sumologic.com
  • EU: api.eu.sumologic.com
  • AU: api.au.sumologic.com
  • JP: api.jp.sumologic.com
  • CA: api.ca.sumologic.com
  • IN: api.in.sumologic.com
  • FED: api.fed.sumologic.com

SDKs and Libraries

| Name | Language | Notes |
|---|---|---|
| sumologic-sdk-python | Python | Community SDK, wraps REST API |
| Sumo Logic Terraform Provider | HCL | sumologic_* resources for IaC auditing |
| Sumo Logic CLI | Go | Official CLI tool |
| OpenAPI Spec | n/a | Available at docs.sumologic.com for codegen |

3. Authentication

Access ID + Access Key (HTTP Basic Auth)

Authorization: Basic base64(accessId:accessKey)
  • Access keys are created per-user in the Sumo Logic UI or via API
  • Keys inherit the RBAC permissions of the creating user, so a key is only as restricted as that user's roles
  • The inspector only reads configuration. Run it with a dedicated service user holding a custom role limited to the capabilities listed below; an Administrator key works but carries write access the inspector never uses and widens the blast radius if the key leaks

Required Capabilities

| Capability | Purpose |
|---|---|
| viewUsers | Enumerate users |
| viewRoles | Enumerate roles and capabilities |
| viewCollectors | List collector inventory |
| viewConnections | Inspect outbound connections |
| managePasswordPolicy | Read password policy (read is implied by the manage capability; note it also permits changing the policy, so keep the rest of the role read-only) |
| viewAccountOverview | Account-level settings |
| viewAuditLog | Audit index status |

Configuration

export SUMOLOGIC_ACCESS_ID="your-access-id"
export SUMOLOGIC_ACCESS_KEY="your-access-key"
export SUMOLOGIC_ENDPOINT="https://api.sumologic.com/api"

Alternatively, configure via ~/.sumologic-sec-inspector/config.yaml or pass --access-id / --access-key / --endpoint flags.

4. Security Controls

  1. SAML SSO Enforcement — Verify SAML identity provider is configured and SSO is enforced for all users (no local-only auth).
  2. SAML Allowlisted Users Minimized — Ensure the SAML bypass allowlist contains only break-glass accounts, not regular users.
  3. Password Policy Strength — Validate minimum length >= 12, complexity requirements enabled, lockout after failed attempts.
  4. Password Expiration Policy — Confirm password rotation is enforced with a maximum age <= 90 days where a mapped framework requires it (e.g. PCI DSS 8.3.9). Note that NIST SP 800-63B discourages forced periodic rotation, so a failure here is framework-specific rather than a universal weakness.
  5. MFA Enforcement — Verify multi-factor authentication is required for all users (when not using SSO).
  6. Role-Based Access Control — Ensure roles follow least-privilege; detect overly permissive roles with admin capabilities.
  7. Access Key Rotation — Identify access keys older than 90 days without rotation.
  8. Inactive Access Keys — Detect access keys that have not been used in 90+ days.
  9. Audit Index Enabled — Confirm the audit index is enabled and actively receiving events.
  10. Data Forwarding Destinations Reviewed — Validate outbound connections (webhooks, S3, etc.) point to approved destinations.
  11. Content Sharing Permissions — Detect overly broad content sharing (dashboards, searches shared to "org" unnecessarily).
  12. Collector Management — Identify unmanaged, offline, or ephemeral collectors; verify collector versions are current.
  13. Service Allowlist Configured — Verify IP-based service allowlist restricts API and UI access to corporate networks.
  14. Session Timeout Policy — Confirm session timeout is set to <= 15 minutes of inactivity.
  15. Scheduled Search Permissions — Ensure scheduled searches run with appropriate role bindings, not shared admin credentials.
  16. Ingest Budget Controls — Verify ingest budgets are configured to prevent runaway data ingestion costs and DoS.
  17. Data Retention Policies — Confirm partition retention periods align with compliance requirements (e.g., 365 days for audit data).
  18. Lookup Table Access — Verify lookup tables containing sensitive data have restricted access permissions.
  19. Dashboard Sharing Restrictions — Detect dashboards shared externally or with overly broad audience.
  20. Monitor Alert Routing — Verify alert notifications route to approved channels (not personal emails or unapproved webhooks).

5. Compliance Framework Mappings

| # | Control | FedRAMP (NIST SP 800-53) | CMMC | SOC 2 | CIS | PCI-DSS | STIG | IRAP (ISM) | ISMAP |
|---|---|---|---|---|---|---|---|---|---|
| 1 | SAML SSO Enforcement | IA-2 | AC.L2-3.1.1 | CC6.1 | 1.1 | 8.3.1 | SRG-APP-000148 | ISM-1557 | CPS-04 |
| 2 | SAML Allowlist Minimized | IA-2(1) | AC.L2-3.1.1 | CC6.1 | 1.2 | 8.3.2 | SRG-APP-000149 | ISM-1558 | CPS-04 |
| 3 | Password Policy Strength | IA-5(1) | IA.L2-3.5.7 | CC6.1 | 5.1 | 8.3.6 | SRG-APP-000166 | ISM-0421 | CPS-05 |
| 4 | Password Expiration | IA-5(1) | IA.L2-3.5.8 | CC6.1 | 5.2 | 8.3.9 | SRG-APP-000174 | ISM-0422 | CPS-05 |
| 5 | MFA Enforcement | IA-2(1) | IA.L2-3.5.3 | CC6.1 | 4.1 | 8.4.2 | SRG-APP-000149 | ISM-1401 | CPS-06 |
| 6 | Role-Based Access Control | AC-2 | AC.L2-3.1.1 | CC6.3 | 6.1 | 7.2.1 | SRG-APP-000033 | ISM-0432 | CPS-07 |
| 7 | Access Key Rotation | IA-5(1) | IA.L2-3.5.8 | CC6.1 | 5.3 | 8.6.3 | SRG-APP-000175 | ISM-1590 | CPS-05 |
| 8 | Inactive Access Keys | AC-2(3) | AC.L2-3.1.1 | CC6.2 | 5.4 | 8.1.4 | SRG-APP-000025 | ISM-1404 | CPS-07 |
| 9 | Audit Index Enabled | AU-2 | AU.L2-3.3.1 | CC7.2 | 8.1 | 10.2.1 | SRG-APP-000089 | ISM-0580 | CPS-10 |
| 10 | Data Forwarding Reviewed | SC-7 | SC.L2-3.13.1 | CC6.6 | 9.1 | 1.3.1 | SRG-APP-000383 | ISM-1148 | CPS-11 |
| 11 | Content Sharing Permissions | AC-3 | AC.L2-3.1.2 | CC6.3 | 6.2 | 7.2.2 | SRG-APP-000033 | ISM-0432 | CPS-07 |
| 12 | Collector Management | CM-8 | CM.L2-3.4.1 | CC8.1 | 10.1 | 6.3.2 | SRG-APP-000456 | ISM-1490 | CPS-12 |
| 13 | Service Allowlist | SC-7 | SC.L2-3.13.1 | CC6.6 | 9.2 | 1.3.2 | SRG-APP-000383 | ISM-1148 | CPS-11 |
| 14 | Session Timeout | AC-11 | AC.L2-3.1.10 | CC6.1 | 7.1 | 8.2.8 | SRG-APP-000190 | ISM-0853 | CPS-08 |
| 15 | Scheduled Search Perms | AC-6 | AC.L2-3.1.5 | CC6.3 | 6.3 | 7.2.2 | SRG-APP-000340 | ISM-0432 | CPS-07 |
| 16 | Ingest Budget Controls | SC-5 | SC.L2-3.13.6 | CC7.2 | 9.3 | 6.5.10 | SRG-APP-000246 | ISM-1020 | CPS-11 |
| 17 | Data Retention Policies | AU-11 | AU.L2-3.3.1 | CC7.4 | 8.2 | 3.1 | SRG-APP-000515 | ISM-0859 | CPS-10 |
| 18 | Lookup Table Access | AC-3 | AC.L2-3.1.2 | CC6.3 | 6.4 | 7.2.3 | SRG-APP-000033 | ISM-0432 | CPS-07 |
| 19 | Dashboard Sharing | AC-3 | AC.L2-3.1.3 | CC6.3 | 6.5 | 7.2.2 | SRG-APP-000033 | ISM-0432 | CPS-07 |
| 20 | Monitor Alert Routing | AU-5 | AU.L2-3.3.4 | CC7.3 | 8.3 | 10.6.1 | SRG-APP-000108 | ISM-0580 | CPS-10 |

6. Existing Tools

| Tool | Type | Limitations |
|---|---|---|
| Sumo Logic Security Dashboard | Built-in | Focuses on ingested security data, not org config posture |
| Sumo Logic Terraform Provider | IaC | Can enforce config-as-code but no drift detection or reporting |
| Sumo Logic CSE (Cloud SIEM) | SIEM | Detects threats in log data, not org-level misconfigurations |
| Cloud Custodian (sumologic plugin) | Policy | Limited Sumo Logic resource coverage |
| Manual API scripts | Custom | No structured compliance mapping or reporting |

Gap: No existing tool provides automated security posture assessment of Sumo Logic organization-level configurations mapped to compliance frameworks. sumologic-sec-inspector fills this gap.

7. Architecture

sumologic-sec-inspector/
├── cmd/
│   └── sumologic-sec-inspector/
│       └── main.go                 # Entrypoint, CLI bootstrap
├── internal/
│   ├── analyzers/
│   │   ├── analyzer.go             # Analyzer interface and registry
│   │   ├── saml.go                 # SAML SSO enforcement checks
│   │   ├── password.go             # Password policy strength/expiration
│   │   ├── mfa.go                  # MFA enforcement checks
│   │   ├── rbac.go                 # Role-based access control audit
│   │   ├── accesskeys.go           # Access key rotation and staleness
│   │   ├── audit.go                # Audit index enabled check
│   │   ├── collectors.go           # Collector management checks
│   │   ├── connections.go          # Data forwarding destination review
│   │   ├── content.go              # Content sharing permissions
│   │   ├── network.go              # Service allowlist, session timeout
│   │   ├── ingest.go               # Ingest budget controls
│   │   ├── retention.go            # Data retention policy checks
│   │   └── monitors.go             # Monitor alert routing checks
│   ├── client/
│   │   ├── client.go               # Sumo Logic API client
│   │   ├── auth.go                 # Basic auth with access ID/key
│   │   ├── ratelimit.go            # Rate limiter (4 req/sec default)
│   │   └── endpoints.go            # Regional endpoint resolution
│   ├── config/
│   │   ├── config.go               # Configuration loading and validation
│   │   └── redact.go               # Credential redaction for logging
│   ├── models/
│   │   ├── user.go                 # User, role, capability models
│   │   ├── saml.go                 # SAML provider model
│   │   ├── collector.go            # Collector model
│   │   ├── connection.go           # Connection/webhook model
│   │   └── finding.go              # Finding severity/status model
│   ├── reporters/
│   │   ├── reporter.go             # Reporter interface
│   │   ├── json.go                 # JSON output
│   │   ├── sarif.go                # SARIF 2.1.0 output
│   │   ├── csv.go                  # CSV output
│   │   ├── table.go                # Terminal table output
│   │   └── html.go                 # HTML report with charts
│   └── tui/
│       ├── app.go                  # Bubble Tea TUI application
│       ├── views.go                # Finding detail views
│       └── styles.go               # Lip Gloss styling
├── go.mod
├── go.sum
├── Makefile
├── Dockerfile
├── spec.md
└── README.md

Key Design Decisions

  • Regional endpoint resolution: Auto-detect the deployment from the configured API endpoint or allow explicit configuration (US1 is the only deployment whose hostname carries no region label)
  • Rate limiting: Sumo Logic allows 4 requests/second per access key and answers HTTP 429 beyond that; the client uses a built-in token bucket and backs off and retries on 429 rather than failing the scan
  • Pagination: The v1 management endpoints page with a limit parameter and an opaque token returned in the response's next field; the collector endpoint uses limit/offset instead. The client handles both transparently
  • Capability-aware: Pre-flight check validates the access key has the required capabilities before running analyzers, so a scan fails fast with a clear message instead of producing partial results
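The client behaviour these decisions describe (Basic auth, back-off on 429, token pagination) is shown below as an added example written for this page; it is not the project's client package. It assumes the v1 list envelope has data and next fields, and, since the tool is unimplemented, it drives the client against a constructed in-process HTTP server that stands in for /v1/users rather than a real org.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync/atomic"
	"time"
)

// Client does Basic-authenticated GETs and backs off once on HTTP 429 (sent above the 4 req/s per-key limit).
type Client struct {
	base, accessID, accessKey string
	http                      *http.Client
}

func NewClient(base, accessID, accessKey string) *Client {
	return &Client{strings.TrimRight(base, "/"), accessID, accessKey, &http.Client{Timeout: 30 * time.Second}}
}

// page is the v1 list envelope: a data array plus a "next" token that is null or empty on the last page.
type page struct {
	Data json.RawMessage `json:"data"`
	Next string          `json:"next"`
}

func (c *Client) get(path string, q url.Values) (*page, error) {
	for attempt := 0; ; attempt++ {
		req, err := http.NewRequest(http.MethodGet, c.base+path+"?"+q.Encode(), nil)
		if err != nil {
			return nil, err
		}
		req.SetBasicAuth(c.accessID, c.accessKey) // Authorization: Basic base64(accessId:accessKey)
		resp, err := c.http.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode == http.StatusTooManyRequests && attempt == 0 {
			resp.Body.Close()
			time.Sleep(time.Second) // one back-off and retry; a second 429 is reported as an error
			continue
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("GET %s: HTTP %d", path, resp.StatusCode)
		}
		var p page
		err = json.NewDecoder(resp.Body).Decode(&p)
		resp.Body.Close()
		return &p, err
	}
}

// ListAll follows "next" tokens until the last page and returns every data element.
func (c *Client) ListAll(path string) ([]json.RawMessage, error) {
	var out, items []json.RawMessage
	q := url.Values{"limit": {"100"}}
	for {
		p, err := c.get(path, q)
		if err != nil {
			return nil, err
		}
		if err := json.Unmarshal(p.Data, &items); err != nil {
			return nil, err
		}
		out = append(out, items...)
		if p.Next == "" {
			return out, nil
		}
		q.Set("token", p.Next)
	}
}

// NewFakeAPI is a constructed offline stand-in for /v1/users: 401 on bad credentials, two pages, first page-2 call throttled.
func NewFakeAPI(accessID, accessKey string) *httptest.Server {
	var throttled int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, key, ok := r.BasicAuth(); !ok || id != accessID || key != accessKey {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if r.URL.Query().Get("token") == "" {
			fmt.Fprint(w, `{"data":[{"id":"u1","email":"a@example.com"}],"next":"page2"}`)
		} else if atomic.CompareAndSwapInt32(&throttled, 0, 1) {
			w.WriteHeader(http.StatusTooManyRequests)
		} else {
			fmt.Fprint(w, `{"data":[{"id":"u2","email":"b@example.com"}],"next":null}`)
		}
	}))
}

func main() {
	srv := NewFakeAPI("suXXXX", "s3cr3t") // constructed credentials, not real ones
	users, err := NewClient(srv.URL+"/api", "suXXXX", "s3cr3t").ListAll("/v1/users")
	fmt.Println(len(users), "users, err:", err)
}
```

The fake server's single 429 on the second page is what makes the retry path observable: a client that treated 429 as fatal would return one user and an error instead of both users. A real implementation would add the proactive token bucket in front of get and honour Retry-After when the server sends it.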

8. CLI Interface

sumologic-sec-inspector [command] [flags]

Commands:
  scan        Run all or selected security analyzers
  list        List available analyzers and their descriptions
  version     Print version information

Scan Flags:
  --access-id string       Sumo Logic Access ID (env: SUMOLOGIC_ACCESS_ID)
  --access-key string      Sumo Logic Access Key (env: SUMOLOGIC_ACCESS_KEY)
  --endpoint string        API endpoint URL (env: SUMOLOGIC_ENDPOINT)
  --analyzers strings      Run specific analyzers (comma-separated)
  --exclude strings        Exclude specific analyzers
  --severity string        Minimum severity to report: critical,high,medium,low,info
  --format string          Output format: table,json,sarif,csv,html (default "table")
  --output string          Output file path (default: stdout)
  --tui                    Launch interactive TUI
  --no-color               Disable colored output
  --config string          Path to config file (default "~/.sumologic-sec-inspector/config.yaml")
  --timeout duration       API request timeout (default 30s)
  --verbose                Enable verbose logging

Usage Examples

# Full scan with table output
sumologic-sec-inspector scan

# Scan specific controls with JSON output
sumologic-sec-inspector scan --analyzers saml,password,mfa --format json

# Generate SARIF report for CI/CD integration
sumologic-sec-inspector scan --format sarif --output results.sarif

# Interactive TUI mode
sumologic-sec-inspector scan --tui

# List available analyzers
sumologic-sec-inspector list
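The SARIF produced by --format sarif is consumed by CI tooling, so rule de-duplication and a correct ruleIndex matter more than pretty output. The following is an added example, not the project's reporter: it builds a SARIF 2.1.0 log from findings and carries the section 5 framework mappings into each rule's properties. The Finding fields, the SSI-* rule IDs and the sample findings are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is the analyzer output the reporter serialises (field names assumed);
// Frameworks carries the section 5 mappings for the finding's control.
type Finding struct {
	RuleID, RuleName, Severity, ResourceID, Message string
	Frameworks                                      map[string]string
}

// The SARIF 2.1.0 subset emitted: one rule per control, one result per finding,
// and a logical location, because org settings have no file/line to point at.
type sarifLog struct {
	Schema  string     `json:"$schema"`
	Version string     `json:"version"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct{ Driver sarifDriver `json:"driver"` }
type sarifDriver struct {
	Name    string      `json:"name"`
	Version string      `json:"version"`
	Rules   []sarifRule `json:"rules"`
}
type sarifRule struct {
	ID               string            `json:"id"`
	Name             string            `json:"name"`
	ShortDescription sarifText         `json:"shortDescription"`
	Properties       map[string]string `json:"properties,omitempty"`
}
type sarifText struct{ Text string `json:"text"` }
type sarifResult struct {
	RuleID    string          `json:"ruleId"`
	RuleIndex int             `json:"ruleIndex"`
	Level     string          `json:"level"`
	Message   sarifText       `json:"message"`
	Locations []sarifLocation `json:"locations"`
}
type sarifLocation struct{ LogicalLocations []sarifLogical `json:"logicalLocations"` }
type sarifLogical struct{ Name string `json:"name"` }

// SarifLevel maps the five inspector severities onto SARIF's four levels; critical
// and high both become "error" so a CI gate on errors catches either.
func SarifLevel(severity string) string {
	switch severity {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	case "low":
		return "note"
	}
	return "none"
}

// ToSARIF de-duplicates rules by RuleID and sets each result's ruleIndex to the
// matching rules entry, which SARIF consumers rely on to join results to rules.
func ToSARIF(toolVersion string, findings []Finding) *sarifLog {
	driver := sarifDriver{Name: "sumologic-sec-inspector", Version: toolVersion, Rules: []sarifRule{}}
	results, index := []sarifResult{}, map[string]int{}
	for _, f := range findings {
		i, seen := index[f.RuleID]
		if !seen {
			i, index[f.RuleID] = len(driver.Rules), len(driver.Rules)
			driver.Rules = append(driver.Rules, sarifRule{ID: f.RuleID, Name: f.RuleName,
				ShortDescription: sarifText{f.RuleName}, Properties: f.Frameworks})
		}
		results = append(results, sarifResult{RuleID: f.RuleID, RuleIndex: i, Level: SarifLevel(f.Severity),
			Message: sarifText{f.Message}, Locations: []sarifLocation{{[]sarifLogical{{f.ResourceID}}}}})
	}
	return &sarifLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0",
		Runs: []sarifRun{{Tool: sarifTool{driver}, Results: results}}}
}

// Render produces the indented JSON that --output would receive.
func Render(log *sarifLog) ([]byte, error) { return json.MarshalIndent(log, "", "  ") }

// SampleFindings are constructed; the SSI-* rule IDs are illustrative, not the project's.
func SampleFindings() []Finding {
	keyRotation := map[string]string{"FedRAMP": "IA-5(1)", "PCI-DSS": "8.6.3"}
	return []Finding{
		{"SSI-007", "Access Key Rotation", "medium", "k1", "key \"ci-deploy\" is 452 days old", keyRotation},
		{"SSI-007", "Access Key Rotation", "medium", "k2", "key \"old-script\" is 666 days old", keyRotation},
		{"SSI-001", "SAML SSO Enforcement", "high", "org", "SAML identity provider configured but not enforced",
			map[string]string{"FedRAMP": "IA-2", "PCI-DSS": "8.3.1"}},
	}
}

func main() {
	out, _ := Render(ToSARIF("dev", SampleFindings())) // marshalling these plain structs cannot fail
	fmt.Println(string(out))
}
```

Rules and results are initialised as empty slices rather than nil so an all-clear scan still emits "results": [] instead of null, which strict SARIF validators reject. Logical locations are used because the subject of each finding is an org setting or object ID, not a file.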

9. Build Sequence

# Prerequisites
go 1.22+

# Clone and build
git clone https://github.com/ethanolivertroy/sumologic-sec-inspector.git
cd sumologic-sec-inspector
go mod download
go build -ldflags "-s -w -X main.version=$(git describe --tags --always)" \
  -o bin/sumologic-sec-inspector ./cmd/sumologic-sec-inspector/

# Run tests
go test ./...

# Build Docker image
docker build -t sumologic-sec-inspector .

# Run via Docker
docker run --rm \
  -e SUMOLOGIC_ACCESS_ID \
  -e SUMOLOGIC_ACCESS_KEY \
  -e SUMOLOGIC_ENDPOINT \
  sumologic-sec-inspector scan --format json

Makefile Targets

make build       # Build binary
make test        # Run tests
make lint        # Run golangci-lint
make docker      # Build Docker image
make release     # Build for all platforms (linux/darwin/windows, amd64/arm64)

10. Status

Not yet implemented. Spec only.
