About the Automation Service and Cloud SIEM
This topic provides an overview of using the Automation Service to configure automations in Cloud SIEM.
The Automation Service allows you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in Cloud SIEM, helping you to quickly investigate, understand, and react to potential security threats.
You interact with the Automation Service through automations in Cloud SIEM. The automations execute playbooks in the Automation Service. Playbooks are composed of one or more actions with a workflow that could include parallel actions and logic steps. Actions are included with integrations. The Automation Service provides a number of integrations, actions, and playbooks that you can customize. You can also create your own.
Before you can create automations in Cloud SIEM, you must first configure role capabilities.
The Automation Service is a subset of automation capabilities adapted from Cloud SOAR that is available to the entire Sumo Logic log analytics platform. For more information, see Cloud SOAR Compared to the Automation Service.
Benefits
- The Automation Service supports enrichment, notification, containment, user choice, and custom actions in Cloud SIEM.
- Enrichment actions can be used to gather additional information about an Entity or Insight, including threat indicators.
- Notification actions can be used to send notifications or update status in systems like Cloud SIEM, the Sumo Logic core platform, Slack, Microsoft Teams, Jira, email, and so on.
- Automations can be triggered automatically when an Insight is created or closed. For example, you could define a playbook that is executed automatically when an Insight is created that gathers enrichment data. And if the data returned includes a malicious threat indicator:
  - Changes the Insight state to “In Progress”.
  - Assigns the Insight.
  - Sends a (customized) email with information about the Insight and indicator.
  - Creates a Slack channel for the Insight.
  - Invites certain people to the Slack channel.
- Cloud SIEM automation is intended to replace the legacy Cloud SIEM Actions and the Insight Enrichment Server. All of the actions and integrations provided with those capabilities are included in the Automation Service (though some may require “on-premise” deployment through the bridge). Those capabilities will be deprecated later in 2023. See Migrate from legacy actions and enrichments to the Automation Service.
- Actions can run directly from the Sumo Logic cloud or from other environments via a bridge. For security and performance reasons, only certified integrations and actions can run directly from the Sumo Logic cloud environment.
- The Automation Service is not available in FedRAMP environments at this time.
Access the Automation Service from Cloud SIEM
An automation in Cloud SIEM runs a playbook in the Automation Service, which runs actions that are provided by integrations. This section shows you how to access each of these elements in the Automation Service.
Before you can access the Automation Service from Cloud SIEM, you must first configure role capabilities.
- To access the Automation Service from Cloud SIEM:
  - Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
  - New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation. You can also click the Go To... menu at the top of the screen and select Automation.
  The list of available Cloud SIEM automations appears. Each automation runs a playbook.
- At the top of the screen, click Manage Playbooks. The Automation Service screen displays.
  Note: You can also launch the Automation Service by selecting Automation from the main menu. If you also have Cloud SOAR installed, a Cloud SOAR option appears instead, since all automation services are provided by Cloud SOAR when it is installed in conjunction with Cloud SIEM.
- Now that you are in the Automation Service, let's explore a little to see how playbooks run actions that are provided by integrations. Open a playbook to see the actions it runs. Click an action to view the integration resource that provides it. In the example below, notice that in the Send Insight Slack Notification playbook, the Slack resource provides the Get User action.
- Now that we know the resource that provides the action, let's look for the integration that contains that resource. In our case, we're looking for the integration with the Slack resource. Click Cloud SIEM > Integrations in the left navigation bar.
- If we open the Slack integration, we see the Get User action used in the Send Insight Slack Notification playbook. Now you know how integrations provide actions that are run in playbooks.
To learn how to create automations in Cloud SIEM that run playbooks from the Automation Service, see Automations in Cloud SIEM.
Prerequisites to run the Automation Service for Cloud SIEM
Configure role capabilities for Cloud SIEM automation
Access to the Automation Service is controlled by role capabilities in the Sumo Logic platform.
- In the left navigation bar of Sumo Logic, select Administration > Users and Roles.
- Click the Roles tab.
- Click Add Role to create a new role for users of Cloud SIEM automation. Alternatively, you can select an existing role in the Roles tab and click Edit.
- Add the following capabilities:
  - Cloud SIEM
    - Configuration
      - View Automations
      - Manage Automations
      - Execute Automations
  - Configuration
    - Cloud SIEM
- Add Automation Service role capabilities.
- Follow the directions to access the Automation Service to verify that you can see the Automation option in the Configuration menu.
Support and compliance
API and Terraform support
The Cloud SIEM API supports automations. Endpoints include:
- GET /automations. Get the list of automations.
- POST /automations. Create an automation.
- POST /automations/execute. Run one or more automations against one or more Entities/Insights.
- DELETE /automations/{id}. Delete an automation.
- GET /automations/{id}. Get a specific automation.
- PUT /automations/{id}. Update a specific automation.
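The following is an added example, not Sumo Logic's own client code, showing how the automation endpoints listed above map onto HTTP requests. The base URL, the Basic-auth scheme using an access ID and access key, and the JSON body field names for the execute call are assumptions to confirm against the Sumo Logic API reference before use.

```python
"""Builds (but does not send, unless you call send()) requests for the
Cloud SIEM automation endpoints. Added example; field names and base URL
are assumptions, not taken from the Sumo Logic API reference."""
import base64
import json
import urllib.request
from typing import Optional

# ASSUMPTION: the API host varies by deployment region; adjust as needed.
BASE_URL = "https://api.sumologic.com/api/sec/v1"


def _auth_header(access_id: str, access_key: str) -> str:
    # ASSUMPTION: HTTP Basic auth with the access ID / access key pair.
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return f"Basic {token}"


def build_request(method: str, path: str, access_id: str, access_key: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Return an unsent Request for one automation endpoint."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", _auth_header(access_id, access_key))
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def list_automations(aid, key):
    return build_request("GET", "/automations", aid, key)


def get_automation(aid, key, automation_id):
    return build_request("GET", f"/automations/{automation_id}", aid, key)


def delete_automation(aid, key, automation_id):
    return build_request("DELETE", f"/automations/{automation_id}", aid, key)


def execute_automations(aid, key, automation_ids, insight_ids):
    # ASSUMPTION: body field names; check the API reference before use.
    body = {"automationIds": automation_ids, "insightIds": insight_ids}
    return build_request("POST", "/automations/execute", aid, key, body)


def send(req: urllib.request.Request) -> dict:
    """Send a built request and decode the JSON response (needs network)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())
```

Keep the access key pair in a role that holds only the capabilities from the previous section; an Execute Automations key is the one to guard most closely since it can run playbooks against live Insights.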
The Sumo Logic Terraform provider also supports automation, but does not support the ability to create or modify integrations, playbooks, or actions. For more information about Terraform, see the Sumo Logic Terraform documentation.
The Automation Service uses the Cloud SOAR API.
Data retention
Cloud SIEM automation data is retained in accordance with Sumo Logic's policies. For more information, see Cloud SIEM Data Retention.