About the Automation Service
This topic describes the Automation Service for Cloud SIEM Enterprise (CSE).
The Automation Service for Cloud SIEM Enterprise (CSE) uses Cloud SOAR automation capabilities to allow you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in CSE, helping you to quickly investigate, understand, and react to potential security threats.
You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that could include parallel actions and logic steps. Actions are included with integrations. Sumo Logic provides a number of integrations, actions, and playbooks with the service that you can customize. You can also create your own.
Before you can access the Automation Service, you must first configure role capabilities.
Differences compared to Cloud SOAR
The Automation Service differs from Cloud SOAR in the following ways:
- The Automation Service only supports automated enrichment, notification, and custom action types.
- Automation Service playbooks can only be triggered from CSE.
- The Automation Service does not include the incident and case management features from Cloud SOAR.
- Playbooks, integrations, and actions in this version may differ from those in Cloud SOAR automation.
Benefits
- The Automation Service supports enrichment, notification, and custom actions:
- Enrichment actions can be used to gather additional information about an Entity or Insight, including threat indicators.
- Notification actions can be used to send notifications or update status in systems like Cloud SIEM, the Sumo Logic core platform, Slack, Microsoft Teams, Jira, email, and so on.
- Automations can be triggered automatically when an Insight is created or closed. Automations can also be executed manually via the Cloud SIEM UI and API.
- Playbooks can contain both enrichment and notification actions. Playbooks can also be nested. So, for example, you could define a playbook that is executed automatically when an Insight is created that gathers enrichment data. And if the data returned includes a malicious threat indicator:
- Changes the Insight state to “In Progress”.
- Assigns the Insight.
- Sends a (customized) email with information about the Insight and indicator.
- Creates a Slack channel for the Insight.
- Invites certain people to the Slack channel.
- The Automation Service is intended to replace the legacy Insight Actions and the Insight Enrichment Server. All of the actions and integrations provided with those capabilities are included in the Automation Service (though some may require “on-premise” deployment through the bridge). Those capabilities will be deprecated later in 2023.
- Actions can run directly from the Sumo Logic cloud or from other environments via a bridge. For security and performance reasons, only certified integrations and actions can run directly from the Sumo Logic cloud environment.
- The Automation Service is not available in FedRAMP environments at this time.
Access the Automation Service
An automation runs a playbook, which runs actions that are provided by integrations. This section shows you how to access each of these elements.
Before you can access the Automation Service, you must first configure role capabilities.
- Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
- Under Integrations, select Automation.
The list of available automations appears. Each automation runs a playbook.
- To view playbooks, at the top of the screen click Manage Playbooks.
The list of available playbooks displays. Playbooks run actions provided by integrations.
- Open a playbook to see the actions it runs. Click an action to view the integration resource that provides it.
- To view integrations, click Integrations in the left navigation bar.
- Open an integration to see its actions.
- After an automation runs, click the Automations tab in Insights or Entities to view results of the automation.
Overview: Configure an automation
This section gives you an overview of how to set up an automation. This process assumes you want to create your own playbook to use in an automation. For examples, see Automation examples.
Before you can configure an automation, you must configure the connection for the integration resources you want the automation to use.
Step 1: Get actions for the playbook
The first thing you need to do is decide what actions you want to use in your playbook.
- Open the integration that has actions you want the playbook to run.
- Note the names of the actions you want to use, including their resource name. You'll need these to add the actions to your playbook.
- If you want to customize an action:
- Click the duplication button on the integration to create a customizable integration. The name of the duplicated integration will end in (1).
- To customize the action in the duplicated integration, click the Edit button on the action.
Step 2: Add the actions to the playbook
Now that you have the names of the actions you want to use, you can add them to your playbook.
- Create a new playbook.
- Click Add Node.
- Choose Action as the type of node to add.
- In the Action field, select the name of an action you identified in Step 1.
- As soon as you choose the action, the Resource field displays the name of the resource. Verify that the name of the resource matches what you noted in Step 1.
- Fill out the rest of the fields in the Add Node dialog to configure the action to behave the way you want.
- Click Create. The node is added to the playbook.
- Repeat to add more actions to the playbook. If desired, add conditions.
- Click Save to save your changes.
- When you're ready to let the playbook be used in automations, click Publish.
Step 3: Add the playbook to an automation
Now that the playbook is configured, you can add it to an automation.
- Create a new automation.
- Select the playbook you created in Step 2.
- In Expects attributes for, select Entity or Insight.
- Select whether you want to automatically run the automation when an Insight is created or closed, or to run it manually. (For the purposes of this overview, select Manually Done.)
- Select Enabled.
- Click Add to List.
Step 4: Run the automation
Now that you've created the automation, it is ready to run. If you set the automation to run when an Insight is created or closed, it runs automatically.
If you configured the automation to run manually, you can run it from an Insight or an Entity:
- Insights
- Open an Insight.
- Click Actions.
- Select the automation from one of the following, depending on whether the automation expects attributes for Insights or Entities:
- Insight Automation. Displays a list of all enabled Insight automations configured to run manually.
- Entity Automation. Displays a Run Automations option. Click Run Automations to open a dialog enabling you to select one or more Entity automations to run.
- Entities
- Open an Entity.
- Click Automations under the Entity's name.
- Select an option under Entity Automation.
By default, no more than 50 playbook actions can be executed per hour. For more information, see Actions limit.
Prerequisites
Configure role capabilities
Access to the Automation Service is controlled by role capabilities in the Sumo Logic platform. To get access to the Automation Service:
- In the left navigation bar of Sumo Logic, select Administration > Users and Roles.
- Click the Roles tab.
- Click Add Role to create a new role for users of the Automation Service. Alternatively, you can select an existing role in the Roles tab and click Edit.
- Add the following capabilities:
- Cloud SIEM Enterprise
- Configuration
- View Automations
- Manage Automations
- Execute Automations
- Configuration
- Cloud SOAR
- View Cloud SOAR
- Automation Playbooks
- Access
- Configure
- Cloud SIEM Enterprise
- Follow the directions to access the Automation Service to verify that you can see the Automation option in the Configuration menu.
To interact with most of the Automation Service features, you must have at least View Automations, View Cloud SOAR, and Access Playbooks permissions.
Configure the connection for an integration resource
To use integrations, you must configure the connection for their resources.
- Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
- Under Integrations, select Automation.
- Click Manage Playbooks.
- Click Integrations in the left navigation bar.
- Select the integration whose resource you want to configure the connection for.
- Hover over the resource name and click the Edit button that appears.
- Enter the connection configuration needed by the resource. What you enter is specific to the resource you're using. Each resource's configuration screen may be different, but in most cases you will need information such as IP addresses, API tokens, usernames, and passwords for the application you're integrating with. For example, a resource's configuration screen might ask for an API URL and an API Key.
- Click Save to save the configuration.
Support and compliance
API and Terraform support
The CSE API supports automations. Endpoints include:
- GET /automations. Get the list of automations
- POST /automations. Create an automation
- POST /automations/execute. Run one or more automations against one or more Entities/Insights
- DELETE /automations/{id}. Delete an automation
- GET /automations/{id}. Get a specific automation
- PUT /automations/{id}. Update a specific automation
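As an added illustration (not Sumo Logic's own code), a minimal Python client for the endpoints listed above, with an injectable transport so it can be exercised offline. The base URL, the Basic-auth credential scheme, and the field names in the execute request body (automationIds, objectType, objectIds) are assumptions not documented on this page.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError


def _urllib_send(method, url, headers, body):
    """Default transport: perform the HTTP call and return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except HTTPError as err:
        return err.code, {"error": err.read().decode("utf-8", "replace")}


class CseAutomationsClient:
    """Thin client for the /automations endpoints (added example, not Sumo Logic code)."""

    def __init__(self, access_id, access_key,
                 base_url="https://api.sumologic.com/api/sec/v1", send=_urllib_send):
        # Assumptions: credentials are sent as an HTTP Basic header, and the
        # CSE API lives under /api/sec/v1 of the regional API endpoint.
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.send = send  # injectable transport so the client can be tested offline

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.send(method, self.base_url + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {data}")
        return data

    def list_automations(self):
        return self._call("GET", "/automations")

    def get_automation(self, automation_id):
        return self._call("GET", f"/automations/{automation_id}")

    def execute(self, automation_ids, object_type, object_ids):
        """POST /automations/execute; the body field names are assumed, not documented here."""
        if object_type not in ("Insight", "Entity"):
            raise ValueError("object_type must be 'Insight' or 'Entity'")
        payload = {"automationIds": list(automation_ids),
                   "objectType": object_type, "objectIds": list(object_ids)}
        return self._call("POST", "/automations/execute", payload)
```

Because every action executed this way counts against the organization's hourly action limit, a script that runs automations in bulk should check the current hour's action count first.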
The Sumo Logic Terraform provider also supports automation, but does not support the ability to create or modify integrations, playbooks, or actions. For more information about Terraform, see the Sumo Logic Terraform documentation.
The Automation Service uses the Cloud SOAR API.
Data retention
Automation Service data is retained in accordance with Sumo Logic's policies. For more information, see our Cloud SIEM data retention documentation.
Actions limit
To prevent abuse of system resources or runaway processes, the Automation Service limits the number of playbook actions your organization can execute to 50 per hour by default. To see how many actions your organization has used in the current hour, see the Current hour actions count in the App Central UI. All actions running in the cloud or via the bridge are included in this limit.