
Automations

Limited availability

The Automation Service is available on a limited availability (LA) basis. This means that while the feature is production-ready and fully supported, implementation is done by customer request only. If you'd like the Automation Service enabled in your Cloud SIEM Enterprise environment, contact your Sumo Logic account representative. For more information, see About the Automation Service.

Automations run playbooks to add enrichments and create notifications for either Insights or Entities. You can set automations to run automatically when Insights are created or closed, or you can run them manually.

View automations

  1. Click the Configuration button (gear icon) at the top of the UI.
  2. Under Integrations, select Automation.
  3. View the list of available automations. (If no automations display, you must first create an automation.)
    Automations list

To view the automations that have run on Insights or Entities, see View results of an automation.

Create an automation

  1. Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
  2. Under Integrations, select Automation.
  3. At the top of the automations screen, click New Automation. (To modify an existing automation, click on the edit icon for the corresponding automation.)
    Automations list
  4. In the New Automation dialog, select a Playbook from the drop-down list. The playbook must be defined, and its type must be set to CSE before associating it with an automation. (You can set the type as CSE when you create a new playbook.)
    New Automation
  5. In Expects attributes for, select whether the playbook will run on an Entity or Insight. This defines what data payload will be sent to the playbook from Cloud SIEM.
  6. If Entity is selected, in the Type field select one or more Entity types. The playbook will only execute on the Entity types selected.
  7. Select one or more Executes when Insight triggers: Insight Created, Insight Closed, or Manually Done. If Manually Done is not selected, the automation will not appear in any Actions menu on Insights or Automations menus on Entities.
  8. Set the Status. Disabled automations will not run automatically and will not appear in any Actions or Automations menus.
  9. Click Add to List (or Update if editing an existing automation).

Run an automation automatically

If an automation is set to run when an Insight is created or closed, it runs automatically provided that:

  • The automation is enabled,
  • The automation is configured to run on the trigger(s), and
  • Either the automation is an Insight automation, or it is an Entity automation and the Insight contains one or more Entities of the Entity types configured in the automation (this includes the primary and any related Entities).

Run an automation manually

Run an automation manually on Insights

Automations can be run manually from the Actions drop-down menu on Insight details pages:

Automations on the Actions menu

You will see three sections in the Actions menu:

  • Insight Automation. Displays a list of all enabled Insight automations configured to run manually.
  • Entity Automation. Displays a Run Automations option. Click Run Automations to open a dialog enabling you to select one or more Entity automations to run (see below).
  • Insight Actions. Displays a list of all valid legacy Insight Actions.

Run an automation manually on Entities

On Entity details pages, Entity Automations can be run manually from the Automations drop-down menu:

Automations menu on an Entity

Tip: You can run the same automation more than once for a given Entity or Insight, but not at the same time. Additional attempts to run an automation while an instance is running will result in an error.

Select Entities to run the automation on

On an Insight, if you select Actions > Entity Automation > Run Automations, you will be prompted to select one or more of the Entities included in the Insight:

Entity Automation menu
  1. Select one or more of the Entities listed or select Select All Entities. The selected Entities don’t have to be the same type.
  2. Click Next. A list of all Entity automations that are enabled, configured to be run manually, and configured for at least one of the Entity types you selected on the previous screen is displayed.
  3. Select the automations you wish to run and click Run Automation. The automations will run. The system will automatically run the appropriate automations for the appropriate Entity types.
    Entity Automation menu with selections

In this example:

  • The CarbonBlack automation is configured for IP Addresses, Email Addresses, and Domain Names, so it will run four times (once for the Email Address and once for each IP Address selected on the previous screen).
  • The nslookup automation is configured to only run on IP Addresses so it will run three times.
  • No automation will run on the Hostname.
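
The following added example (not Sumo Logic code) models the rules from "Run an automation automatically" and the Entity selection example above, which helps when checking why an automation did or did not run. The class, field, and function names, the sample Entity values, and the trigger settings of the two automations are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the rules on this page; names are not Sumo Logic API names.
@dataclass(frozen=True)
class Automation:
    name: str
    expects: str                          # "Insight" or "Entity"
    triggers: frozenset                   # "Insight Created", "Insight Closed", "Manually Done"
    entity_types: frozenset = frozenset() # only used when expects == "Entity"
    enabled: bool = True

def runs_automatically(auto, trigger, insight_entities):
    """Apply the conditions listed under 'Run an automation automatically'."""
    if not auto.enabled or trigger == "Manually Done" or trigger not in auto.triggers:
        return False
    if auto.expects == "Insight":
        return True
    # Entity automation: the Insight must contain at least one Entity of a
    # configured type (primary and related Entities both count).
    return any(etype in auto.entity_types for etype, _ in insight_entities)

def manual_entity_runs(automations, selected):
    """Fan-out of Run Automations: one run per (automation, matching selected Entity)."""
    plan = {}
    for auto in automations:
        if auto.enabled and auto.expects == "Entity" and "Manually Done" in auto.triggers:
            plan[auto.name] = [value for etype, value in selected if etype in auto.entity_types]
    return plan

# Constructed sample matching the page's example: three IP Addresses, one Email Address, one Hostname.
SELECTED = [
    ("IP Address", "192.0.2.10"), ("IP Address", "192.0.2.11"), ("IP Address", "192.0.2.12"),
    ("Email Address", "user@example.com"), ("Hostname", "host01.example.com"),
]
AUTOMATIONS = [  # trigger sets below are assumed; the page only gives the Entity types
    Automation("CarbonBlack", "Entity", frozenset({"Manually Done"}),
               frozenset({"IP Address", "Email Address", "Domain Name"})),
    Automation("nslookup", "Entity", frozenset({"Manually Done", "Insight Created"}),
               frozenset({"IP Address"})),
]

if __name__ == "__main__":
    plan = manual_entity_runs(AUTOMATIONS, SELECTED)
    for name, targets in plan.items():
        print(f"{name}: {len(targets)} run(s) -> {targets}")
    covered = {value for targets in plan.values() for value in targets}
    print("no automation runs on:", [v for _, v in SELECTED if v not in covered])
```
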

View results of an automation

If an automation is set to run when an Insight is created or closed, it runs automatically. You can also run an automation manually.

View automations on Insights and Entities

When automations run, the results display on Insights and Entities.

  1. Open an Insight or Entity.
  2. Click Automations at the top of the screen. The example below shows automations that ran on an Insight. Each automation shows its result under Status. You can click View Playbook to see the playbook that the automation ran.
    Automations on an Insight

While viewing an Insight or Entity, you can run automations manually.

View enrichments provided by automations

When automations run, they can provide enrichments to Insights, Entities, and Signals.

  1. Open an Insight, Entity, or Signal with enrichments provided by an automation.
  2. Click Enrichments at the top of the screen.
  3. If threat indicators are set by the enrichment, they are displayed. The following example shows a Malicious threat indicator.
    Threat indicator example

View an automation's status

After running an automation, you can go to the Automations tab for the Insight or Entity to view the automation's status.

Automations execution status

On each card you will find:

  • The time and date when the automation was run.
  • The name and description of the associated playbook.
  • The playbook’s current status.
  • A link to View Playbook in the Automation Service UI.

Note: You may have to manually refresh this screen to see the most current status.

If you click View Playbook, the Automation Service UI will open to the playbook status page:

Playbook status

You can switch to the graphical view by clicking Graph in the upper-right corner:

Playbook status graph

Copyright © 2023 by Sumo Logic, Inc.