Sumo Logic
Forward ARMO Security & Runtime Events to Sumo Logic
Overview
ARMO supports a native integration with Sumo Logic for forwarding security incidents, runtime events, and platform logs. This allows you to centralize your Kubernetes and cloud security data alongside existing infrastructure and application logs for unified monitoring, correlation, and incident response.
The integration uses a Sumo Logic HTTP Logs & Metrics Source as the ingestion endpoint.
Prerequisites
Before configuring the integration, ensure you have:
- Access to your Sumo Logic account
- Permission to create Hosted Collectors and HTTP Sources
- Access to the ARMO Platform with Manager or Admin permissions
1. Create an HTTP Source in Sumo Logic
Follow the steps below to set up a Hosted Collector and generate the HTTP Source Address.
1.1 Log In
Sign in to your Sumo Logic account.
1.2 Navigate to Collection Settings
Go to:
Data Management → Collection
Click Add Collector.
1.3 Select Collector Type
In the collector type selection window:
- Choose Hosted Collector
1.4 Configure the Hosted Collector
Provide a descriptive name such as:
ARMO_Events_Collector
Click Save.
1.5 Add an HTTP Source
Inside your newly created Hosted Collector:
- Click Add Source
- Choose HTTP Logs & Metrics
1.6 Configure the HTTP Logs & Metrics Source
Fill out the following fields:
| Field | Value |
|---|---|
| Name | e.g., Runtime_Events_Logs |
Optionally, under Advanced Options → Message Processing, enable Multiline Processing.
Click Save.
1.7 Copy the HTTP Source Address
After saving:
- An HTTP Source Address is displayed
- This is the unique URL that ARMO will send logs to
Example format:
https://endpoint1.collection.sumologic.com/receiver/v1/http/XYZ123abc==
Copy the URL and click OK.
2. Configure the Integration in the ARMO Platform
Once the HTTP Source Address is created, configure the integration in ARMO.
2.1 Open the Integrations Page
In the ARMO Platform, navigate to:
Settings → Integrations → SIEM Integrations
2.2 Add the Sumo Logic Integration
- Click Connect on the Sumo Logic card
- Click Add Integration
- Fill in the required fields:
| Field | Description |
|---|---|
| Name | Friendly name for your integration, e.g., SumoLogic-Prod |
| HTTP Source Address | The URL you copied from Sumo Logic |
- Click Save
ARMO will begin forwarding events to Sumo Logic.
3. Validate the Integration
Confirm that logs are being received by Sumo Logic.
3.1 Send a Test Event from ARMO
In the Sumo Logic integration table:
- Click the Send Test Message icon
- ARMO sends a sample event
3.2 Verify Log Ingestion in Sumo Logic
In Sumo Logic, run a query such as one of the following (each line is a separate query that selects one ARMO event type):
```
| where (event_type = "IncidentCreated")
| where (event_type = "IncidentUpdated")
| where (event_type = "AlertCreated")
| where (event_type = "RuntimePolicyUpdated")
| where (event_type = "RuntimePolicyCreated")
```
Alternatively, filter on the Source field to find all ARMO events. The `_source` value is the Name you gave the HTTP Source in step 1.6 (ARMOEvents in this example):
```
| where (_source = "ARMOEvents")
```
Allow up to 10 minutes for ingestion.
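To separate a Sumo Logic side problem from an ARMO side problem, it helps to post one event to the HTTP Source Address yourself and check it arrives, independently of the Send Test Message button. The script below is an added example, not ARMO or Sumo Logic code: it checks the URL against the shape shown in step 1.7 (the hostname rule is an assumption drawn from that example), builds a constructed sample event whose fields other than `event_type` are invented, and POSTs it with the standard library.

```python
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlparse


def is_valid_source_address(url: str) -> bool:
    """Pre-flight check for the URL copied in step 1.7, catching the copy/paste
    errors listed under Troubleshooting before anything is sent. Assumed shape,
    taken from this page's example: https://<endpoint>.sumologic.com/receiver/v1/http/<token>"""
    parts = urlparse(url)
    host = parts.hostname or ""
    prefix = "/receiver/v1/http/"
    return (
        parts.scheme == "https"
        and host.endswith(".sumologic.com")
        and parts.path.startswith(prefix)
        and len(parts.path) > len(prefix)  # the token after the prefix must be present
        and not parts.query
    )


def build_test_event(event_type: str = "AlertCreated") -> dict:
    """Constructed sample event. Only event_type mirrors the page's example queries;
    the other fields are assumptions, not ARMO's real event schema."""
    return {
        "event_type": event_type,
        "source": "manual-validation",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "message": "Sumo Logic HTTP Source connectivity check",
    }


def send_event(url: str, event: dict, timeout: float = 10.0) -> int:
    """POST one JSON event to the HTTP Source and return the HTTP status.
    Sumo Logic returns HTTP 200 when the payload is accepted; urlopen raises
    urllib.error.HTTPError on a non-2xx status and URLError on a blocked or
    failed connection, which maps to the URL and firewall/proxy rows of the
    Troubleshooting table."""
    if not is_valid_source_address(url):
        raise ValueError("not a Sumo Logic HTTP Source Address: " + url)
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            # Optional Sumo Logic header that sets the Source Category on the record.
            "X-Sumo-Category": "armo/connectivity-check",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

The HTTP Source Address is the only credential the endpoint has, so keep it out of shell history and tickets and pass it to `send_event` from an environment variable or secret store; after a successful POST, search on `_source` in Sumo Logic to confirm the record landed.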
What Events Are Streamed?
For the full list of events ARMO streams to SIEM integrations, see: https://hub.armosec.io/docs/siem#/
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| No logs in Sumo Logic | Ingest delay | Wait up to 10 minutes |
| No logs in Sumo Logic | Integration disabled | Enable the integration |
| HTTP Source URL incorrect | Copy/paste error | Re-copy URL from Sumo Logic |
| Firewall/proxy blocking | Outbound traffic blocked | Allow HTTPS to Sumo ingestion endpoint |
Summary
By completing this setup, you can:
- Centralize ARMO alerts and runtime events in Sumo Logic
- Correlate multi-layer signals with infrastructure logs
- Build dashboards, alerts, and workflows
- Strengthen incident investigation and response
The Sumo Logic integration provides unified, real-time visibility into your Kubernetes and cloud security operations powered by ARMO’s behavioral detection.