
About the Automation Service and Cloud SIEM

This topic provides an overview of using the Automation Service to configure automations in Cloud SIEM.

The Automation Service allows you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in Cloud SIEM, helping you to quickly investigate, understand, and react to potential security threats.

You use the Automation Service through automations in Cloud SIEM. An automation runs a playbook in the Automation Service; a playbook is a workflow of one or more actions, which can include parallel actions and logic steps; and each action is supplied by an integration. The Automation Service ships with a number of integrations, actions, and playbooks that you can customize, and you can also create your own.

Info: Before you can create automations in Cloud SIEM, you must first configure role capabilities (see Prerequisites to run the Automation Service for Cloud SIEM below).

The Automation Service is a subset of the automation capabilities of Cloud SOAR, adapted so that it is available to the entire Sumo Logic log analytics platform. For more information, see Cloud SOAR Compared to the Automation Service.

Benefits

  • The Automation Service supports enrichment, notification, containment, user choice, and custom actions in Cloud SIEM.
  • Enrichment actions can be used to gather additional information about an Entity or Insight, including threat indicators.
  • Notification actions can be used to send notifications or update status in systems like Cloud SIEM, the Sumo Logic core platform, Slack, Microsoft Teams, Jira, email, and so on.
  • Automations can be triggered automatically when an Insight is created or closed. For example, you could define a playbook that runs automatically when an Insight is created, gathers enrichment data, and, if the returned data includes a malicious threat indicator:
    1. Changes the Insight state to "In Progress".
    2. Assigns the Insight.
    3. Sends a (customized) email with information about the Insight and indicator.
    4. Creates a Slack channel for the Insight.
    5. Invites certain people to the Slack channel.

Note:
  • Cloud SIEM automation is intended to replace the legacy Cloud SIEM Actions and the Insight Enrichment Server. All of the actions and integrations provided with those capabilities are included in the Automation Service (though some may require "on-premise" deployment through the bridge). Those capabilities will be deprecated later in 2023. See Migrate from legacy actions and enrichments to the Automation Service.
  • Actions can run directly from the Sumo Logic cloud or from other environments via a bridge. For security and performance reasons, only certified integrations and actions can run directly from the Sumo Logic cloud environment; custom or uncertified integrations must run through a bridge in an environment you manage, so plan for that host and its network access before building your own actions.
  • The Automation Service is not available in FedRAMP environments at this time.

Access the Automation Service from Cloud SIEM

An automation in Cloud SIEM runs a playbook in the Automation Service, which runs actions that are provided by integrations. This section shows you how to access each of these elements in the Automation Service.

Info: Before you can access the Automation Service from Cloud SIEM, you must first configure role capabilities.

  1. To access the Automation Service from Cloud SIEM:
    1. In the top menu click Configuration, and then under Integrations select Automation.
      The list of available Cloud SIEM automations appears. Each automation runs a playbook.
      (Screenshot: Automations list)
    2. At the top of the screen, click Manage Playbooks.
      (Screenshot: Manage Playbooks menu option)
      The Automation Service screen displays:
      (Screenshot: Automation Playbook list)
    Note: You can also launch the Automation Service by selecting Automation from the main menu (Screenshot: Automation menu option in the nav bar). If you also have Cloud SOAR installed, a Cloud SOAR option appears instead, because Cloud SOAR provides all automation services when it is installed alongside Cloud SIEM.

  2. Now that you are in the Automation Service, look at how playbooks run actions that are provided by integrations. Open a playbook to see the actions it runs, then click an action to view the integration resource that provides it. In the example below, the Send Insight Slack Notification playbook uses the Get User action, which is provided by the Slack resource.
    (Screenshot: Action example)
  3. Now that you know which resource provides the action, find the integration that contains that resource. In this case, it is the integration with the Slack resource. Click Integrations in the left navigation bar.
    (Screenshot: Integrations list)
  4. Open the Slack integration to see the Get User action used in the Send Insight Slack Notification playbook. This is the chain you will see everywhere in the Automation Service: integrations provide actions, and playbooks run them.
    (Screenshot: Resource example)

To learn how to create automations in Cloud SIEM that run playbooks from the Automation Service, see Automations in Cloud SIEM.

Prerequisites to run the Automation Service for Cloud SIEM

Configure role capabilities for Cloud SIEM automation

Access to the Automation Service is controlled by role capabilities in the Sumo Logic platform.

  1. In the left navigation bar of Sumo Logic, select Administration > Users and Roles.
  2. Click the Roles tab.
  3. Click Add Role to create a new role for users of Cloud SIEM automation. Alternatively, you can select an existing role in the Roles tab and click Edit.
  4. Add the following capabilities:
    • Cloud SIEM
      • Configuration
        • View Automations
        • Manage Automations
        • Execute Automations
    Grant each role only the capabilities it needs. View Automations alone is enough for analysts who only review automations; reserve Manage Automations and Execute Automations for the people who are expected to change automations or run playbooks against Entities and Insights.
  5. Add Automation Service role capabilities.
  6. Follow the directions to access the Automation Service to verify that you can see the Automation option in the Configuration menu.

Support and compliance

API and Terraform support

The Cloud SIEM API supports automations. Endpoints include the following (a caller needs the corresponding View, Manage, or Execute Automations capability for each):

  • GET /automations. Get the list of automations
  • POST /automations. Create an automation
  • POST /automations/execute. Run one or more automations against one or more Entities/Insights
  • DELETE /automations/{id}. Delete an automation
  • GET /automations/{id}. Get a specific automation
  • PUT /automations/{id}. Update a specific automation
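The following is an added example, not Sumo Logic's SDK or any code from this page: a minimal Python client for the six endpoints listed above, paired with a constructed in-memory stand-in so the round trip can be exercised offline. Everything beyond the endpoint paths is an assumption: the base path `https://api.sumologic.com/api/sec/v1` (deployment hosts differ), HTTP Basic authentication with a Sumo Logic access ID and access key read from the `SUMO_ACCESS_ID` / `SUMO_ACCESS_KEY` environment variables, JSON bodies, and the field names in the execute payload (`automationIds`, `objectType`, `objectIds`), which are hypothetical. The fake's response shapes are its own, not the real API's.

```python
"""Client for the Cloud SIEM automation endpoints listed above (added example)."""
import base64
import json
import os
import urllib.request


def urllib_transport(method, url, headers, body):
    """Production transport: send the request, return (status, body bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class CloudSiemAutomationClient:
    # The base path and Basic-auth scheme are assumptions; check your deployment.
    def __init__(self, access_id, access_key,
                 base_url="https://api.sumologic.com/api/sec/v1",
                 transport=urllib_transport):
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
        self._auth = f"Basic {token}"   # kept in memory only, never logged
        self.base_url = base_url.rstrip("/")
        self._send = transport          # injectable so tests need no network

    @classmethod
    def from_env(cls, **kwargs):
        """Credentials from SUMO_ACCESS_ID / SUMO_ACCESS_KEY (assumed names)."""
        return cls(os.environ["SUMO_ACCESS_ID"], os.environ["SUMO_ACCESS_KEY"], **kwargs)

    def _call(self, method, path, payload=None):
        headers = {"Authorization": self._auth, "Accept": "application/json"}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self._send(method, self.base_url + path, headers, body)
        if status >= 400:
            # Report method, path and status only: the headers carry the credential.
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return json.loads(raw) if raw else None

    def list_automations(self):
        return self._call("GET", "/automations")

    def create_automation(self, automation):
        return self._call("POST", "/automations", automation)

    def get_automation(self, automation_id):
        return self._call("GET", f"/automations/{automation_id}")

    def update_automation(self, automation_id, automation):
        return self._call("PUT", f"/automations/{automation_id}", automation)

    def delete_automation(self, automation_id):
        return self._call("DELETE", f"/automations/{automation_id}")

    def execute_automations(self, automation_ids, object_type, object_ids):
        # Hypothetical field names: the page only names the endpoint.
        payload = {"automationIds": list(automation_ids),
                   "objectType": object_type, "objectIds": list(object_ids)}
        return self._call("POST", "/automations/execute", payload)


def _ok(obj):
    return 200, json.dumps(obj).encode()


class FakeAutomationApi:
    """Constructed in-memory stand-in for the six endpoints (not a real server)."""

    def __init__(self):
        self.store, self.executed, self.next_id = {}, [], 1

    def __call__(self, method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, b""                       # unauthenticated callers are refused
        path = "/automations" + url.split("/automations", 1)[1]
        payload = json.loads(body) if body else None
        if path == "/automations" and method == "GET":
            return _ok(list(self.store.values()))
        if path == "/automations" and method == "POST":
            obj = dict(payload, id=str(self.next_id))
            self.next_id += 1
            self.store[obj["id"]] = obj
            return _ok(obj)
        if path == "/automations/execute" and method == "POST":
            self.executed.append(payload)         # one run per automation x object
            return _ok({"queued": len(payload["automationIds"]) * len(payload["objectIds"])})
        aid = path.rsplit("/", 1)[1]
        if aid not in self.store:
            return 404, b""
        if method == "GET":
            return _ok(self.store[aid])
        if method == "PUT":
            self.store[aid] = dict(payload, id=aid)
            return _ok(self.store[aid])
        if method == "DELETE":
            return _ok(self.store.pop(aid))
        return 405, b""


def demo():
    """Round-trip every listed endpoint against the fake; return a summary."""
    api = FakeAutomationApi()
    client = CloudSiemAutomationClient("example-id", "not-a-real-key", transport=api)
    created = client.create_automation({"name": "Enrich new Insights", "enabled": True})
    client.update_automation(created["id"], {"name": "Enrich new Insights", "enabled": False})
    run = client.execute_automations([created["id"]], "INSIGHT", ["INSIGHT-1", "INSIGHT-2"])
    after_update = client.get_automation(created["id"])
    client.delete_automation(created["id"])
    try:
        client.get_automation(created["id"])
        deleted = False
    except RuntimeError:                          # 404 after delete surfaces here
        deleted = True
    return {"id": created["id"], "enabled_after_update": after_update["enabled"],
            "queued": run["queued"], "remaining": len(client.list_automations()),
            "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

To run against a real deployment, construct the client with `CloudSiemAutomationClient.from_env()` and leave the default transport in place; the injectable transport is what keeps credentials and network access out of the offline demo.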

The Sumo Logic Terraform provider also supports automations, but it cannot create or modify integrations, playbooks, or actions; those must be managed in the Automation Service itself. For more information about Terraform, see the Sumo Logic Terraform documentation.

Note: The Automation Service uses the Cloud SOAR API.

Data retention

Cloud SIEM automation data is retained in accordance with Sumo Logic's policies. For more information, see Cloud SIEM Data Retention.


Copyright © 2024 by Sumo Logic, Inc.