Create Cloud SIEM Actions
This topic has instructions for configuring Cloud SIEM Actions.
In the future, Cloud SIEM Actions will be deprecated because comparable behavior is available in the Automation Service. Although Cloud SIEM Actions are still supported, we recommend you use the Automation Service to perform actions. For more information, see Migrate from legacy actions and enrichments to the Automation Service.
About Cloud SIEM Actions
You can use Cloud SIEM Actions to issue a notification to another service when certain events occur in Cloud SIEM. The supported Action types are:
- AWS Simple Notification Service (SNS)
- Demisto (Cortex XSOAR)
- HTTP POST v2
- Microsoft Teams
- PagerDuty
- Recorded Future
- Slack
- Slack Webhook
An Action can be configured for Insight-related activity as described below in Insight Actions. You can also configure an Action to be run when a rule is automatically disabled, as described below in Rule Actions.
Insight Actions
You can configure an Action to send information about an Insight to another system, automatically when the Insight is created or on-demand from the Insight's Actions menu, and in the case of an HTTP POST v2 Action, when an Insight is closed.
What gets sent to the target system depends on the Action type. For some types—Slack, Microsoft Teams, and PagerDuty—the notification contains a summary of the Insight with the following information:
- The Entity the Insight fired on.
- The MITRE tactic or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
- A link to the Insight in Cloud SIEM.
For the other Action types—AWS Simple Notification Service (SNS), Demisto (Cortex XSOAR), HTTP POST v2, and Slack Webhook—the notification includes the Insight itself in JSON format, and in some cases Signals or Records, depending on how you configure the Action.
Sensor Actions
You can configure an Action to send a notification when any Network Sensor goes offline.
Rule Actions
You can configure an Action to send a notification when a rule is automatically disabled. (Cloud SIEM automatically disables rules that generate too many Signals, more than 100K in an hour, or 1 million in 24 hours.)
A Rule Action doesn't fire when a rule is enabled, moved in or out of prototype mode, or manually disabled.
The notification sent by a Rule Action contains the name of the rule and the reason it was disabled.
Create an Action
- Classic UI. In the top menu select Configuration, and then under Integrations select Actions.
  New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Actions. You can also click the Go To... menu at the top of the screen and select Actions.
- On the Actions page, click Create.
- The Create Action popup appears.
- Name. Enter a name that communicates what the Action does.
- Type. Choose one of the following options, and follow the instructions for that Action type to complete creating your Action.
- Notifications.
  - Insight. Click When Created to automatically generate a notification when any Insight is created, When Closed to automatically generate a notification when any Insight is closed, or On Demand to add the Action as an option in the Actions menu on the Insight details page.
  - Sensor. Click When Offline to automatically generate notifications when any sensor goes offline.
  - Rule. Click When Automatically Disabled to generate a notification when Cloud SIEM disables a rule.
- Active. Move the slider to the right if you’d like the Action to be enabled upon creation.
Continue filling out the dialog box depending on the type of action you are creating.
AWS Simple Notification Service (SNS)
When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to the AWS Simple Notification Service (SNS).
You can configure the action to authenticate with SNS using your AWS Access Key and Secret Access Key, or using the AssumeRole method.
- Access Key. Enter your AWS Access Key, if you're using AWS Access Keys to authenticate.
- Secret Key. Enter your AWS Secret Access Key, if you're using AWS Access Keys to authenticate.
- Assume Role ARN. Enter the AssumeRole ARN, if that's how you want to authenticate. Enter the Sumo Logic AWS account ID. For the Sumo Logic ID, see Create a role manually using the AWS console.
- Topic ARN. Enter the ARN of the SNS topic.
- Region. Enter the AWS region for the SNS topic.
- Click Create.
Demisto (Cortex XSOAR)
When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to Demisto.
- API Key. Enter your Demisto API Key.
- URL. Enter the URL of your Demisto API endpoint.
- Client Certificate. Upload your client certificate for accessing the Demisto API endpoint.
- Create Incident API Endpoint. Select /incident/json.
- Extra Headers. Enter any additional headers you want to send, as line-delimited key:value pairs.
- Exclude Records. Move the slider to the right if you don’t want to include Records in the notification.
- Click Create.
Email
This Action type sends an email notification.
- Recipients. Enter a comma-separated list of the email addresses to send the notification to.
- Click Create.
When this Action runs on an Insight, the email notification contains:
- The Entity the Insight fired on.
- The MITRE tactic or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
- A link to the Insight in Cloud SIEM.
HTTP POST v2
This Action type sends an HTTP POST notification. For an Insight Action, the notification contains the full Insight in JSON format. You can optionally configure the Action to send the Signals and Records associated with the Insight as well.
The output of the HTTP POST notification is the same as the JSON output from the /insight/:id API endpoint. For information about accessing API documentation, see Cloud SIEM APIs.
Once you select HTTP POST v2 in the Type field, a new Notification option, When Closed, appears. Choose this if you want to send a notification when an Insight is closed in Cloud SIEM.
- URL. The URL to send the POST to.
  Note: The allowed destination ports for the HTTP POST are: 80, 8080, 443, 8443, and 8000. You can specify the port in the URL, but if the default port on the destination server is an allowable port, you do not need to.
- Username. The username to use to access the URL.
- Password. The password to use to access the URL.
- Extra Headers. Additional HTTP headers to send with the POST.
- Include Signals. Move the slider to the right to send the Signals associated with the Insight in the POST.
- Include Records. Move the slider to the right to send the Records associated with the Signal in the POST.
- Record Fields to Include. If desired, provide a comma-delimited list of selected Record fields to include (instead of all Record fields).
- Click Create.
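A receiving-side check for the HTTP POST v2 settings above, as an added example that is not Sumo Logic code: it validates a destination URL against the allowed ports and authenticates an inbound notification before parsing the Insight JSON. It assumes the Username and Password arrive as HTTP Basic credentials and that a hypothetical X-Hook-Token header was set under Extra Headers; the sample request and its "id" field are constructed.

```python
import base64
import hmac
import json
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 8080, 443, 8443, 8000}   # destination ports listed in the note above
DEFAULT_PORTS = {"http": 80, "https": 443}

def destination_port_allowed(url):
    """True if the Action URL targets one of the allowed destination ports."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in DEFAULT_PORTS:
        return False
    return (port if port is not None else DEFAULT_PORTS[parts.scheme]) in ALLOWED_PORTS

def basic_auth_ok(headers, username, password):
    """Constant-time check of a Basic Authorization header (assumed auth scheme)."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(supplied, f"{username}:{password}".encode())

def handle_post(headers, body, username, password, token, max_body=1_000_000):
    """Return (status, insight) for one notification; insight is None on rejection."""
    h = {k.lower(): v for k, v in headers.items()}
    if len(body) > max_body:
        return 413, None
    # X-Hook-Token is a hypothetical shared secret configured under Extra Headers.
    token_ok = hmac.compare_digest(h.get("x-hook-token", "").encode(), token.encode())
    if not (basic_auth_ok(h, username, password) and token_ok):
        return 401, None
    try:
        insight = json.loads(body)
    except ValueError:
        return 400, None
    return (200, insight) if isinstance(insight, dict) else (400, None)

if __name__ == "__main__":
    # Constructed sample request; the "id" field is illustrative only.
    creds = base64.b64encode(b"siem:s3cret").decode()
    hdrs = {"Authorization": "Basic " + creds, "X-Hook-Token": "t0ken"}
    print(handle_post(hdrs, b'{"id": "INSIGHT-1"}', "siem", "s3cret", "t0ken"))
    print(destination_port_allowed("https://hooks.example.com:9443/siem"))
```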
Microsoft Teams
This Action type sends a Webhook notification to Microsoft Teams.
Configure Webhook connection in Microsoft Teams
Create a Webhook connection for the Microsoft Teams channel to which emails should be sent. Follow the instructions in Create Incoming Webhooks in Microsoft help.
Configure Action in Cloud SIEM
- URL. Enter the URL for the Webhook connection you created above.
- Click Create.
PagerDuty
This Action type sends a notification to PagerDuty.
- Service Key. Enter your PagerDuty service key.
- Subdomain. Enter your PagerDuty account subdomain.
- Click Create.
The notification contains:
- The Entity the Insight fired on.
- The MITRE tactic or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
- A link to the Insight in Cloud SIEM.
Recorded Future
Recorded Future (RF) provides contextual Threat Intelligence through indicator lookups using a cloud-accessible API.
The Cloud SIEM Recorded Future Action runs lookups on Record fields that contain IP addresses, domains, and hashes encountered in Insights, Signals, or both, depending on how you configure the Action. The lookup result is added as an enrichment to Insights, Signals, or both.
Lookups will consume RF API credits.
Generate Recorded Future API token
- In Recorded Future, go to User Settings > API Access > Generate New API Token.
- On the Generate New Token page:
- Name. Enter a name for the token.
- Integration. Select “Sumologic” from the list of integrations.
- Click Generate.
- Copy and save the token.
Create Action in Cloud SIEM
- API Key. Enter the Recorded Future API token you generated for the Sumo Logic integration.
- Enrich Insights. Move the slider to the right to enrich Insights.
- Enrich Signals of Insights. Move the slider to the right to enrich Signals.
- Click Create.
View Recorded Future Enrichments
To view an Enrichment that’s been added to an Insight or Signal, navigate to the item and select the Enrichments tab.
Slack
This Action type sends a message to a Slack channel.
- API Key. Enter your Slack API key.
- Channel. Enter the Slack Channel that messages should go to.
- Click Create.
If the Action was run on an Insight, the message contains:
- The Entity the Insight fired on.
- The MITRE tactic or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
- A link to the Insight in Cloud SIEM.
Slack Webhook
When you run this Action type on an Insight, Cloud SIEM sends the complete Insight in JSON format to a Slack channel.
Configure Webhook connection in Slack
Create a Webhook connection for the Slack channel to which Insights should be sent. Follow the instructions in Sending messages using Incoming Webhooks in Slack help.
Configure Action in Cloud SIEM
- Webhook URL. Enter the URL of the Webhook you created above.
- Click Create.