About the Automation Service
This topic describes the Automation Service for Cloud SIEM Enterprise (CSE).
The Automation Service for Cloud SIEM Enterprise (CSE) uses Cloud SOAR automation capabilities to allow you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in CSE, helping you to quickly investigate, understand, and react to potential security threats.
You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that could include parallel actions and logic steps. Actions are included with integrations. Sumo Logic provides a number of integrations, actions, and playbooks with the service that you can customize. You can also create your own.
The Automation Service is available on a limited availability (LA) basis. This means the feature is fully implemented and supported, and is available to all customers, but is only deployed in customer environments upon request. If you would like the Automation Service enabled in your Cloud SIEM Enterprise environment, contact your Sumo Logic account representative.
Cloud SOAR automation App Central, where you can browse the full integration and playbook catalog, is not yet connected to the Automation Service. A selection of popular integrations has been added to your environment automatically, but these are only a subset of the full list of available integrations. Contact your Sumo Logic account representative if you would like to have one of these integrations added to your environment, if you would like documentation for a specific integration, or if you're interested in an integration that's not listed.
Differences compared to Cloud SOAR
The Automation Service differs from Cloud SOAR in the following ways:
- The Automation Service only supports automated enrichment, notification, and custom action types.
- Automation Service playbooks can only be triggered from CSE.
- The Automation Service limits the number of actions you can execute per day.
- The Automation Service does not include the incident and case management features from Cloud SOAR.
- Playbooks, integrations, and actions in this version may differ from those in Cloud SOAR automation.
Benefits
- The Automation Service supports enrichment, notification, and custom actions:
- Enrichment actions can be used to gather additional information about an Entity or Insight, including threat indicators.
- Notification actions can be used to send notifications or update status in systems like Cloud SIEM, the Sumo Logic core platform, Slack, Microsoft Teams, Jira, email, and so on.
- Automations can be triggered automatically when an Insight is created or closed. Automations can also be executed manually via the Cloud SIEM UI and API.
- Playbooks can contain both enrichment and notification actions, and playbooks can be nested. For example, you could define a playbook that runs automatically when an Insight is created, gathers enrichment data, and then, if the returned data includes a malicious threat indicator:
- Changes the Insight state to “In Progress”.
- Assigns the Insight.
- Sends a (customized) email with information about the Insight and indicator.
- Creates a Slack channel for the Insight.
- Invites certain people to the Slack channel.
- The Automation Service is intended to replace the legacy Insight Actions and the Insight Enrichment Server. All of the actions and integrations provided with those capabilities are included in the Automation Service (though some may require “on-premise” deployment through the bridge). Those capabilities will be deprecated later in 2023.
- Actions can run directly from the Sumo Logic cloud or from other environments via a bridge. For security and performance reasons, only certified integrations and actions can run directly from the Sumo Logic cloud environment.
- The Automation Service is not available in FedRAMP environments at this time.
Access the Automation Service
An automation runs a playbook, which runs actions that are provided by integrations. This section shows you how to access each of these elements.
- Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
- Under Integrations, select Automation.
- The list of available automations appears. Each automation runs a playbook. To view playbooks, at the top of the screen click Manage Playbooks.
- The list of available playbooks appears. Playbooks run actions provided by integrations. Open a playbook to see the actions it runs. Click an action to view the integration resource that provides it.
- To view integrations, click Integrations in the left navigation bar.
- Open an integration to see its actions.
- After an automation runs, click the Automations tab in Insights or Entities to view results of the automation.
Overview: Configure an automation
This section gives you an overview of how to set up an automation. This process assumes you want to create your own playbook to use in an automation.
Before you can configure an automation, you must configure the connection for the integration resources you want the automation to use.
Step 1: Get actions for the playbook
The first thing you need to do is decide what actions you want to use in your playbook.
- Open the integration that has actions you want the playbook to run.
- Note the names of the actions you want to use, including their resource name. You'll need these to add the actions to your playbook.
- If you want to customize an action:
- Click the duplication button on the integration to create a customizable integration. The name of the duplicated integration will end in (1).
- To customize the action in the duplicated integration, click the Edit button on the action.
Step 2: Add the actions to the playbook
Now that you have the names of the actions you want to use, you can add them to your playbook.
- Create a new playbook.
- Click Add Node.
- Choose Action as the type of node to add.
- In the Action field, select the name of an action you identified in Step 1.
- As soon as you choose the action, the Resource field displays the name of the resource. Verify that the name of the resource matches what you noted in Step 1.
- Fill out the rest of the fields in the Add Node dialog to configure the action to behave the way you want.
- Click Create. The node is added to the playbook.
- Repeat to add more actions to the playbook. If desired, add conditions.
- Click Save to save your changes.
- When you're ready to let the playbook be used in automations, click Publish.
Step 3: Add the playbook to an automation
Now that the playbook is configured, you can add it to an automation.
- Create a new automation.
- Select the playbook you created in Step 2.
- In Expects attributes for, select Entity or Insight.
- Select whether you want to automatically run the automation when an Insight is created or closed, or to run it manually. (For the purposes of this overview, select Manually Done.)
- Select Enabled.
- Click Add to List.
Step 4: Run the automation
Now that you've created the automation, it is ready to run. If you set the automation to run when an Insight is created or closed, it runs automatically.
If you configured the automation to run manually, you can run it from an Insight or an Entity:
- Insights
- Open an Insight.
- Click Actions.
- Select the automation from one of the following, depending on whether the automation expects attributes for Insights or Entities:
- Insight Automation. Displays a list of all enabled Insight automations configured to run manually.
- Entity Automation. Displays a Run Automations option. Click Run Automations to open a dialog enabling you to select one or more Entity automations to run.
- Entities
- Open an Entity.
- Click Automations under the Entity's name.
- Select an option under Entity Automation.
Prerequisites
Configure role capabilities
After the Automation Service is enabled for your organization, access to the Automation Service is controlled by role capabilities in the Sumo Logic platform. To get access to the Automation Service:
- In the left navigation bar of Sumo Logic, select Administration > Users and Roles.
- Click the Roles tab.
- Click Add Role to create a new role for users of the Automation Service. Alternatively, you can select an existing role in the Roles tab and click Edit.
- Add the following capabilities:
- Cloud SIEM Enterprise
- Configuration
- View Automations
- Manage Automations
- Execute Automations
- Configuration
- Cloud SOAR
- View Cloud SOAR
- Automation Playbooks
- Access
- Configure
- Cloud SIEM Enterprise
- Follow the directions to access the Automation Service to verify that you can see the Automation option in the Configuration menu.
To interact with most of the Automation Service features, you must have at least View Automations, View Cloud SOAR, and Access Playbooks permissions.
Configure the connection for an integration resource
To use integrations, you must configure the connection for their resources.
- Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
- Under Integrations, select Automation.
- Click Manage Playbooks.
- Click Integrations in the left navigation bar.
- Select the integration whose resource you want to configure the connection for.
- Hover over the resource name and click the Edit button that appears.
- Enter the connection configuration needed by the resource. What you enter is specific to the resource you're using. Each resource's configuration screen may be different, but in most cases you will need information such as IP addresses, API tokens, usernames, and passwords for the application you're integrating with. For example, some resources require only an API URL and an API key.
- Click Save to save the configuration.
Support and compliance
API and Terraform support
The CSE API supports automations. Endpoints include:
- `GET /automations`. Get the list of automations.
- `POST /automations`. Create an automation.
- `POST /automations/execute`. Run one or more automations against one or more Entities/Insights.
- `DELETE /automations/{id}`. Delete an automation.
- `GET /automations/{id}`. Get a specific automation.
- `PUT /automations/{id}`. Update a specific automation.
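The following client wraps the six endpoints listed above. It is an added example, not Sumo Logic's own SDK. Everything beyond the endpoint paths is an assumption not stated on this page: the API base URL (a placeholder here; it varies by deployment), the `/sec/v1` prefix under which CSE endpoints are served, HTTP Basic authentication with an access ID and access key pair, and the JSON request-body fields, which are left to the caller. Automation IDs are percent-encoded before they are placed in the path so that an ID taken from user input cannot alter the request target, and the credentials used should belong to a role that carries only the capabilities the script needs (for example, Execute Automations for a run-only script), as described in the role section above.

```python
"""Minimal client for the CSE automation endpoints listed above.

Added example, not Sumo Logic's own SDK. Assumptions not stated on the page:
the API base URL, the /sec/v1 prefix for CSE endpoints, HTTP Basic auth with
an access ID / access key pair, and the JSON request-body fields.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Any, Optional

# Constructed placeholder: use the API endpoint for your Sumo Logic deployment.
DEFAULT_BASE_URL = "https://api.DEPLOYMENT.sumologic.com/api"
# Assumed path prefix under which the CSE endpoints are served.
CSE_PREFIX = "/sec/v1"


class CseAutomationClient:
    """Wraps the six automation endpoints from the page.

    Use credentials for a role with only the capabilities the caller needs
    (for example, Execute Automations for a run-only script).
    """

    def __init__(self, access_id: str, access_key: str,
                 base_url: str = DEFAULT_BASE_URL) -> None:
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
        self._auth = f"Basic {token}"

    @staticmethod
    def automation_path(automation_id: str) -> str:
        # Percent-encode the id so a value taken from user input cannot
        # change the path (e.g. inject "../" segments or query separators).
        return "/automations/" + urllib.parse.quote(automation_id, safe="")

    def build_request(self, method: str, path: str,
                      body: Optional[dict] = None) -> urllib.request.Request:
        """Build (but do not send) the request; useful for dry runs and tests."""
        headers = {"Authorization": self._auth, "Accept": "application/json"}
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        return urllib.request.Request(self.base_url + CSE_PREFIX + path,
                                      data=data, headers=headers, method=method)

    def _send(self, req: urllib.request.Request) -> Any:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    # GET /automations
    def list_automations(self) -> Any:
        return self._send(self.build_request("GET", "/automations"))

    # POST /automations (body fields: see the CSE API reference)
    def create_automation(self, body: dict) -> Any:
        return self._send(self.build_request("POST", "/automations", body))

    # POST /automations/execute (body fields: see the CSE API reference)
    def execute_automations(self, body: dict) -> Any:
        return self._send(self.build_request("POST", "/automations/execute", body))

    # GET /automations/{id}
    def get_automation(self, automation_id: str) -> Any:
        return self._send(self.build_request("GET", self.automation_path(automation_id)))

    # PUT /automations/{id}
    def update_automation(self, automation_id: str, body: dict) -> Any:
        return self._send(self.build_request("PUT", self.automation_path(automation_id), body))

    # DELETE /automations/{id}
    def delete_automation(self, automation_id: str) -> Any:
        return self._send(self.build_request("DELETE", self.automation_path(automation_id)))


if __name__ == "__main__":
    # Dry run with constructed credentials: show what would be sent, without sending it.
    client = CseAutomationClient("EXAMPLE_ACCESS_ID", "EXAMPLE_ACCESS_KEY")
    req = client.build_request("POST", "/automations/execute", {"example": True})
    print(req.get_method(), req.full_url)
```

`build_request` is separated from `_send` so that a script can be reviewed (or unit-tested) by inspecting the exact method, URL and body it would issue before any credential is used against a live environment.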
The Sumo Logic Terraform provider also supports automations. For more information, see the Sumo Logic Terraform documentation.
Data retention
This section lists the retention period for each type of data generated.
Default retention periods by data type
We automatically delete the following customer data according to the retention periods in the table below, except for customers that need to ensure HIPAA compliance.
| Data type | Retention period |
|---|---|
| Incidents | 2 years |
| Triage | 2 years |
| Entities | 2 years |
| Playbook and action executions | 2 years |
For those that need to ensure HIPAA compliance, we delete data following the retention periods below. Please keep in mind that if a customer needs to follow HIPAA compliance, it is important to explicitly communicate this when requesting Automation Service activation.
| Data type | Retention period |
|---|---|
| Incidents | 7 years |
| Triage | 7 years |
| Entities | 7 years |
| Playbook and action executions | 7 years |

CSE Records, Signals, and Insights are stored in the following partitions:

| Data type | Where stored |
|---|---|
| CSE Records | Records (normalized logs) are stored in the partitions whose names begin with the string `sec_records`. There is one partition for each Record type. There is no additional charge for storage of Records. |
| CSE Signals | Stored in the `sec_signal` partition. There is no additional charge for storage of Signals. |
| CSE Insights | The `sumologic_system_events` partition contains Insights and Insight-related events that result from system actions. The `sumologic_audit_events` partition contains Insights and Insight-related events that result from user actions. There is a charge for storage of Insight-related data in the audit indexes. Note, however, that the volume of this data is typically very low compared to log ingestion levels. |
Custom retention periods
You can request retention periods different from those declared in the tables above, as long as the retention period requested is greater than 1 day and less than 5000 days.
In order to do that, please open a Support ticket with your request.