Cloud SOAR Bridge
You can only run custom actions or integrations outside of the Sumo Logic cloud in an "on-premise" environment. For on-premise environments, you need to install a bridge as described below.
Requirements
Hardware requirements
- OS:
- Ubuntu (18.04/20.04)
- CentOS 7
- RedHat 8
- RAM: 8GB
- CPU: 4 Core
- DISK: 160GB
- Network card: 1
Network requirements
The Bridge must be able to resolve DNS hostnames and reach the below destinations.
DESTINATION | PROTOCOL | PORT |
---|---|---|
soar-cloud-url | TCP | 443 |
siem-cloud-url | TCP | 443 |
784093250948.dkr.ecr.eu-central-1.amazonaws.com | TCP | 443 |
index.docker.io* | TCP | 443 |
registry-1.docker.io* | TCP | 443 |
auth.docker.io* | TCP | 443 |
production.cloudflare.docker.com* | TCP | 443 |
long-endpoint1-events.sumologic.net | TCP | 443 |
* Needed only to connect to docker hub.
Install Docker
- Install Docker-CE following the installation instructions in Docker Docs. Install at least version 20.10 (do not use nightly build).
- As soon as the docker daemon is installed, start it with:
systemctl start docker
- Enable it on boot:
systemctl enable docker
Using a proxy
- If docker has to use a proxy to pull images, follow the below instructions:
mkdir -p /etc/systemd/system/docker.service.d
- Create a file named
/etc/systemd/system/docker.service.d/http-proxy.conf
, and add:[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080\"
Environment="HTTPS_PROXY=http://proxy.example.com:8080\" - Reload the systemd daemon with:
systemctl daemon-reload
- And restart docker service with:
systemctl restart docker
Get JWT token
- Click the gear icon at the top of the Cloud SOAR screen and select Settings.
- Add a new profile:
- Select User Management > Profiles.
- Click the + button to the left of Profiles.
- In the Add profile dialog, enter a Name for the new profile.
- Click the Settings box.
- In the API box select Use.
- Click CREATE.
- Add a new user:
- Select User Management > Users.
- Click the + button to the left of Users.
- In the Add user dialog, for Profile select the profile you created above. Fill out the rest of the fields.
- Click CREATE.
- Copy the JWT token for the new user:
- Log in to Cloud SOAR as the new user.
- Click the gear icon at the top of the Cloud SOAR screen and select Settings.
- Select User Management > Users.
- Select the new user.
- Scroll down to the JWT Token section.
- Copy the token. You will use this token later in the installation process.
Automation installation
Ubuntu
- Click ? in the upper-right of the Cloud SOAR UI.
- In the Automation Bridge box, click UBUNTU.
- Click Download to download the
automation-bridge-X.X.deb
file. - Copy the file to the bridge virtual machine.
- To install the package run from ssh:
sudo dpkg -i automation-bridge-X.X.deb
CentOS/RedHat
- Click ? in the upper-right of the Cloud SOAR UI.
- In the Automation Bridge box, click CENTOS/REDHAT.
- Click Download to download the
automation-bridge-X.X.rpm
file. - Copy the file to the bridge virtual machine.
- To install the package run from ssh:
sudo yum install automation-bridge-X.X.rpm
Installation configuration
- Edit the file
/opt/automation-bridge/etc/user-configuration.conf
and set the below mandatory parameters:SOAR_URL
SOAR_TOKEN
- To determine which is the correct SOAR_URL, see Sumo Logic Endpoints by Deployment and Firewall Security and get the URL under the API Endpoint column. For example:
https://api.eu.sumologic.com/api/
And you can set this optional parameter (do not include spaces): ALIAS
An example of a configuration file would be:
{
"SOAR_URL":"https://YOUR_DOMAIN/incmansuite_ng/api",
"SOAR_TOKEN":"YOUR_JWT_TOKEN",
"SIEM_URL":"https://YOUR_CSE_URL/sec",
"ALIAS": "YOUR_ALIAS_NO_SPACES"
}
Obtain the SOAR_URL
by clicking ? at the top of the Cloud SOAR UI and navigating to API Documentation. Note the Servers value and remove /v3/
from the end of the URL. The bridge cannot currently be registered to a Cloud SOAR instance with the /v3/
API.
Bridge ALIAS
With bridge ALIAS, it is possible to distinguish which integration resources will be executed with this automation bridge. When a new integration resource is created or edited, it is possible to select the default ALIAS or to create a new one. So every automatic action configured to use this resource will be performed with the Bridge that has the same ALIAS.


Automation bridge update
For Ubuntu and CentOS/RedHat, the update process works as the installation process. Follow the same steps described in Automation bridge installation above.
If you are not using the SIEM:
- Set
SIEM_URL
toNONE
. - Restart the service with:
systemctl restart automation-bridge
- If you need to allow automation-bridge communication through a proxy, edit the file
/etc/opt/automation-bridge/automation-bridge.conf
and set the correct value. Below is an example:HTTP_PROXY="http://proxy.example.com:8080\"
HTTPS_PROXY="http://proxy.example.com:8080\" - Restart the service with:
systemctl restart automation-bridge
Configuring the automation bridge for high availability
You may elect to deploy and register multiple bridges to your Cloud SOAR tenant for high availability. To cluster automation bridges together logically within Cloud SOAR and ensure high availability, you must set the same ALIAS for each bridge within the cluster in each respective user-configuration.conf
file upon installation. When multiple bridges are registered with the same ALIAS, they will appear as active. If one or more bridges within the cluster go offline, playbooks will execute via the active nodes utilizing the same ALIAS. So long as there is parity between the nodes and there is at least one active node registered, there will be no disruption in playbook execution. It is important to note that integration actions within the playbook must have the appropriate bridge ALIAS assigned within the resource configuration and that connectivity can be established with the appropriate resources. Advanced playbooks may elect to utilize multiple bridge clusters leveraging multiple aliases.
Post-installation checks
To check if the bridge is running correctly, run the following command:
ps faux |grep automation-bridge
This is an example of running automation-bridge
:
On the SOAR instance, the Automation Bridge Monitoring panel under Settings > Audit and information > License information shows a list of live bridge agents:
Configuring the automation bridge for CyberArk
If you are using CyberArk, you must add the following certificates provided by CyberArk to the /opt/automation-bridge/
directory:
RootCA_new.crt
client_new.crt
client_new.pem