
Security Incident Response (SIR) Integration

This page has instructions for installing and configuring the integration between Sumo Logic CSE and ServiceNow's Security Incident Response (SIR).

Overview

The integration polls CSE for Insights and creates a ServiceNow Incident for each Insight. It populates composite fields, CI items, and associated MITRE data in ServiceNow.

Once you have configured the integration, Insights that match the query you specify in the configuration are ingested by ServiceNow on the configured ingestion cycle, which by default is every five minutes.

Prerequisites

The following SIR plugins are required:

  • Threat Intelligence (com.snc.threat.intelligence)—This plugin is required if you want SIR to add MITRE information (stage, tactic, and technique) to the Incidents it creates from CSE Insights.
  • Security Incident Response (com.snc.security_incident)

The following SIR system table permissions are required:

  • Security Incident (sn_si_incident) – Read-only access is required. Writes to this table are performed by the ServiceNow mappers (transform maps), not by the integration user directly.
  • Threat intelligence/MITRE tables – Read-only access is required.
  • Configuration item tables – Read-write access is required.

Your CSE role must allow you to use API keys and to retrieve and modify Insights. 

Step 1: Copy your CSE API Key

In this step, you copy your CSE API key, which you'll need to supply in Step 5 below. 

  1. In the CSE UI, click the icon in the upper right of the page to display your account profile.
    profile-icon.png
  2. Click the copy icon next to Enabled to copy your API key. 
    copy-icon.png
  3. Save the key.

Step 2: Install ServiceNow plugins

In this step, you install two ServiceNow plugins.

  1. Install the Security Incident Response plugin from the ServiceNow store. 
    sir-plugin.png
  2. Install the Threat Intelligence add-on from the ServiceNow store. 
    threat-plugin.png

Step 3: Configure MITRE ATT&CK threat feed data

This step is required only if you don’t already have MITRE ATT&CK threat feed data. To check, navigate to Threat Intelligence > MITRE ATT&CK Repository > Techniques in ServiceNow. If you have MITRE data, that page will contain data that looks like the table shown in substep 6 below, and you can proceed to Step 4: Configure CI Lookup Rules. If the table is empty, perform the steps in this section.

  1. Navigate to Threat Intelligence in the navigation bar. 
  2. Under Threat Sources, select Sources.
  3. From Threat Sources, select Enterprise ATT&CK.
  4. Click Execute Now to populate your MITRE framework data.
  5. To verify that the population succeeded, search for "MITRE ATT&CK Repository" in the navigation bar and click Techniques.
    techniques-option.png
  6. You should see several pages of data similar to the screenshot below.
    techniques-table.png
  7. If the table is still empty, contact your ServiceNow administrator and review the integration run logs to determine the cause of the error. Otherwise, proceed to the next step.

Step 4: Configure CI Lookup Rules

CI Lookup Rules are required to enable discovery of configuration items and to avoid creating duplicate CI items. If no rules exist, or none of the existing rules are appropriate, follow the steps below to create them.

  1. Navigate to CI Lookup Rules under Security Operations in the navigation bar. 
  2. Select New and create the three rules shown in the screenshot below. For instructions, see Create a CI Lookup Rule in ServiceNow help.
    rules.png

Step 5: Install the SIR-CSE integration

  1. Search for Integration Configurations under Security Operations in the navigation bar. 
  2. Locate Sumo Logic SIR and click Configure.
    config-button.png
  3. The Sumo Logic SIR Configuration popup appears.
    config-page.png
  4. API Token. Enter the CSE API Key you copied in Step 1.
  5. Host. Enter the URL to your CSE portal.
  6. Default Incident State. Enter the Incident State you want to assign to Incidents created by the integration. The value must be a valid state in your ServiceNow instance and is case-sensitive. To view the available options in your environment, enter sys_choice.list in the navigation bar and filter for table=sn_si_incident, inactive=false. Alternatively, open any Incident and view the options in the State dropdown. If you supply an invalid value, it is ignored, and the state of Incidents created by the integration is set by your business rules instead.

Step 6: Test the configuration

To verify that the configuration is working, enter the following in the ServiceNow navigation bar.

x_579138_sumo_logi_sumo_logic_insights.list

Within five minutes, rows will appear in this table if new Insights matching your configured query have been created. If no rows appear, check the log messages the integration writes to the ServiceNow System Log for entries with the prefix “Sumo CSE ERROR” (see View integration log messages below). You can also open the Sumo Status table from the navigation bar to see the current integration health and the last error message, if any. A value of healthy means the integration has run at least once with no error.
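The following script is an added example, not part of the Sumo Logic integration or of ServiceNow. It automates the checks from Step 5 (the Default Incident State must be an active, case-sensitive match for a State choice of sn_si_incident) and Step 6 (rows in x_579138_sumo_logi_sumo_logic_insights, “Sumo CSE ERROR” entries in the System Log, and the x_sul_sumo_logic_s. properties described under Configuration properties). It reads those tables through the ServiceNow Table API (GET /api/now/table/<table>) with HTTP basic authentication taken from the SN_INSTANCE, SN_USER, SN_PASSWORD and SN_DEFAULT_STATE environment variables, which are assumptions of this example. The page does not say whether the integration compares the configured state against the stored value or the displayed label, so the check accepts either. The sample rows at the bottom are constructed so the evaluation logic can be run offline.

```python
"""Health check for the Sumo Logic CSE -> ServiceNow SIR integration (added example)."""
import base64
import json
import os
import urllib.parse
import urllib.request

INSIGHTS_TABLE = "x_579138_sumo_logi_sumo_logic_insights"  # table from Step 6
PROPERTY_PREFIX = "x_sul_sumo_logic_s."                   # prefix from Configuration properties
INCIDENT_TABLE = "sn_si_incident"
ERROR_PREFIX = "Sumo CSE ERROR"                           # log prefix from Step 6


def table_api_url(instance, table, query=None, fields=None, limit=100):
    """Build a Table API URL; `query` is a ServiceNow encoded query string."""
    params = {"sysparm_limit": str(limit)}
    if query:
        params["sysparm_query"] = query
    if fields:
        params["sysparm_fields"] = ",".join(fields)
    return (f"https://{instance}.service-now.com/api/now/table/{table}?"
            + urllib.parse.urlencode(params))


def fetch_rows(url, user, password):
    """GET one page of rows with HTTP basic auth; return the 'result' list."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def active_state_choices(choice_rows):
    """Values and labels of active State choices of sn_si_incident from sys_choice rows.
    The Table API returns booleans as the strings "true"/"false"."""
    return {c for r in choice_rows
            if r.get("name") == INCIDENT_TABLE and r.get("element") == "state"
            and r.get("inactive") == "false"
            for c in (r.get("value"), r.get("label"))}


def check_default_state(configured, choice_rows):
    """Mirror the Step 5 rule: case-sensitive; an invalid value is ignored (None).
    Assumption: either the stored value or the label may be configured."""
    return configured if configured in active_state_choices(choice_rows) else None


def integration_properties(property_rows):
    """sys_properties rows belonging to the integration, as name -> value."""
    return {r["name"]: r["value"] for r in property_rows
            if r["name"].startswith(PROPERTY_PREFIX)}


def error_messages(syslog_rows):
    """Integration error entries from syslog (System Log > All) rows."""
    return [r["message"] for r in syslog_rows
            if r.get("message", "").startswith(ERROR_PREFIX)]


def summarize(insight_rows, syslog_rows, property_rows, configured_state, choice_rows):
    errors = error_messages(syslog_rows)
    return {
        "insights_ingested": len(insight_rows),
        "errors": errors,
        "debug_logging": integration_properties(property_rows).get(
            PROPERTY_PREFIX + "sumo_debug") == "true",
        "default_state": check_default_state(configured_state, choice_rows),
        "healthy": not errors,  # the page: healthy = ran at least once with no error
    }


# Constructed sample rows in Table API shape; not captured from a real instance.
SAMPLE_CHOICES = [
    {"name": "sn_si_incident", "element": "state", "value": "1", "label": "Draft", "inactive": "false"},
    {"name": "sn_si_incident", "element": "state", "value": "10", "label": "Analysis", "inactive": "false"},
    {"name": "sn_si_incident", "element": "state", "value": "7", "label": "Cancelled", "inactive": "true"},
    {"name": "incident", "element": "state", "value": "1", "label": "New", "inactive": "false"},
]
SAMPLE_PROPERTIES = [
    {"name": "x_sul_sumo_logic_s.sumo_debug", "value": "false"},
    {"name": "x_sul_sumo_logic_s.integration_id", "value": "0000"},
    {"name": "glide.product.name", "value": "ServiceNow"},
]
SAMPLE_SYSLOG = [
    {"level": "Information", "message": "Sumo CSE: polled 2 insights"},
    {"level": "Error", "message": "Sumo CSE ERROR: 401 Unauthorized from CSE API"},
]
SAMPLE_INSIGHTS = [{"sys_id": "a1"}, {"sys_id": "b2"}]


def demo():
    """Evaluate the constructed sample rows offline."""
    return summarize(SAMPLE_INSIGHTS, SAMPLE_SYSLOG, SAMPLE_PROPERTIES, "Analysis", SAMPLE_CHOICES)


if __name__ == "__main__":
    inst, user, pw = (os.environ.get(k) for k in ("SN_INSTANCE", "SN_USER", "SN_PASSWORD"))
    if not (inst and user and pw):
        print("no instance credentials in the environment; offline sample:", demo())
    else:
        def get(table, **kw):
            return fetch_rows(table_api_url(inst, table, **kw), user, pw)
        print(summarize(
            get(INSIGHTS_TABLE, fields=["sys_id"], limit=1000),
            get("syslog", query=f"messageSTARTSWITH{ERROR_PREFIX}^ORDERBYDESCsys_created_on",
                fields=["level", "message"], limit=20),
            get("sys_properties", query=f"nameSTARTSWITH{PROPERTY_PREFIX}", fields=["name", "value"]),
            os.environ.get("SN_DEFAULT_STATE", ""),
            get("sys_choice", query=f"name={INCIDENT_TABLE}^element=state^inactive=false",
                fields=["name", "element", "value", "label", "inactive"]),
        ))
```

Run it with the environment variables set to check a live instance; without them it evaluates the constructed sample, where the one “Sumo CSE ERROR” entry makes the result unhealthy even though two Insights were ingested, and a lowercase “analysis” would be rejected as an invalid state.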

Configuration options

This section describes configuration changes you can make to the integration.

Update the mapping configuration

If desired, you can change the mapping between the fields in CSE Insights and the fields in Incidents that the integration creates in ServiceNow.

  1. Navigate to the Table Transform Maps page in ServiceNow.
    table-transform-maps.png
  2. Open the “Sumo Insight Mapper” for editing.
  3. Make your edits and save your changes. 

Configuration properties

This section describes the configuration properties for the integration. 

After navigating to sys_properties.list, search for the properties by entering “x_sul_sumo_logic_s.” in the Name field.

Double-click a property to edit it.

  • x_sul_sumo_logic_s.configuration_id – An arbitrary ID assigned by the integration. Do not modify this setting unless recommended by Sumo Logic support.
  • x_sul_sumo_logic_s.integration_id – An arbitrary ID assigned by the integration. Do not modify this setting unless recommended by Sumo Logic support.
  • x_sul_sumo_logic_s.sumo_debug – Controls the logging level. If “true”, both info and debug level messages are logged. If “false”, only error level messages are logged.


View generated Incident URL in CSE

The URL to the ServiceNow Incident generated for an Insight is shown on the details page for the Insight.

incident-created-popup.png

Example Incident created by integration

The screenshot below shows a ServiceNow Incident that was created for a CSE Insight.

incident-draft-tab.png

See closed Insight in CSE

After an Incident created by the integration is closed in ServiceNow, the Insight from which it was generated will be closed in CSE as well.

insight-actions-icon.png

View integration log messages

To view log messages written by the integration:

  1. Choose System Log > All in the ServiceNow left-nav pane.
  2. Search the messages for “Sumo CSE”.
    messages-sumo-cse.png