Skip to main content

Automation Service Bridge

Limited availability

The Automation Service is available on a limited availability (LA) basis. This means that while the feature is production-ready and fully supported, implementation is done by customer request only. If you'd like the Automation Service enabled in your Cloud SIEM Enterprise environment, contact your Sumo Logic account representative. For more information, see About the Automation Service.

You can only run custom actions or integrations outside of the Sumo Logic cloud in an "on-premise" environment. For on-premise environments, you need to install a bridge as described below.

Requirements

Hardware requirements

  • OS:
    • Ubuntu (18.04/20.04)
    • CentOS 7
    • RedHat 8
  • RAM: 8GB
  • CPU: 4 Core
  • DISK: 160GB
  • Network card: 1

Network requirements

The Bridge has to be able to resolve DNS hostnames and needs to reach the below destinations

DESTINATIONPROTOCOLPORT
sumo-logic-api-urlTCP443
siem-cloud-urlTCP443
926226587429.dkr.ecr.us-west-2.amazonaws.comTCP443
index.docker.io*TCP443
registry-1.docker.io*TCP443
auth.docker.io*TCP443
production.cloudflare.docker.com*TCP443
long-endpoint1-events.sumologic.netTCP443

* Needed only to connect to docker hub.

Install Docker

  1. Install Docker-CE following the installation instructions in Docker Docs. Install at least version 20.10 (do not use nightly build).
  2. As soon as the docker daemon is installed, start it with:
    systemctl start docker
  3. Enable it on boot:
    systemctl enable docker

Using a proxy

  1. If docker has to use a proxy to pull images, follow the below instructions:
    mkdir -p /etc/systemd/system/docker.service.d
  2. Create a file named /etc/systemd/system/docker.service.d/http-proxy.conf, and add:
    [Service]
    Environment="HTTP_PROXY=http://proxy.example.com:8080\"
    Environment="HTTPS_PROXY=http://proxy.example.com:8080\"
  3. Reload the systemd daemon with:
    systemctl daemon-reload
  4. And restart docker service with:
    systemctl restart docker

Get installation token

Login to Sumo Logic and create a new installation token with name prefix csoar-bridge-token.

Installation token

Automation bridge installation

Ubuntu

  1. Access the Automation Service:
    1. Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
    2. Under Integrations, select Automation.
    3. At the top of the screen, click Manage Playbooks.
  2. Click ? in the upper-right.
  3. In the Automation Bridge Manual box, click UBUNTU.
  4. Click Download to download the automation-bridge-X.X.deb file.
  5. Copy the file to the bridge virtual machine.
  6. To install the package run from ssh:
    sudo dpkg -i automation-bridge-X.X.deb

CentOS/RedHat

  1. Access the Automation Service:
    1. Click the Configuration button (gear icon) at the top of the Cloud SIEM UI.
    2. Under Integrations, select Automation.
    3. At the top of the screen, click Manage Playbooks.
  2. Click ? in the upper-right.
  3. In the Automation Bridge Manual box, click CENTOS/REDHAT.
  4. Click Download to download the automation-bridge-X.X.rpm file.
  5. Copy the file to the bridge virtual machine.
  6. To install the package run from ssh:
    sudo yum install automation-bridge-X.X.rpm

Installation configuration

  1. Edit the file /opt/automation-bridge/etc/user-configuration.conf and set the below mandatory parameters:
    • 1SOAR_URL1
    • 1SOAR_TOKEN1
  2. To determine which is the correct SOAR_URL, see Sumo Logic Endpoints by Deployment and Firewall Security and get the URL under the API Endpoint column. For example: https://api.eu.sumologic.com/api/

And you can set this optional parameter (do not include spaces): ALIAS

An example of a configuration file would be:

{
"SOAR_URL":"API_ENDPOINT_FROM_FIREWALL_DOC_FOR_YOUR_REGION",
"SOAR_TOKEN":"TOKEN_FROM_ADMINISTRATION_-->_SECURITY_-->_INSTALLATION TOKEN",
"SIEM_URL":"https://YOUR_CSE_URL/sec",
"ALIAS":"YOUR_ALIAS_NO_SPACES"
}

Bridge ALIAS

With bridge ALIAS, it is possible to distinguish which integration resources will be executed with this automation bridge. When a new integration resource is created or edited it is possible to select the default ALIAS or to create a new one. So every automatic action configured to use this resource will be performed with the Bridge that has the same ALIAS.

Create ALIAS bridgeUse default ALIAS bridge

Automation bridge update

For Ubuntu and CentOS/RedHat, the update process works as the installation process. Follow the same steps described in Automation bridge installation above.

note

If you are not using the SIEM:

  1. Set SIEM_URL to NONE.
  2. Restart the service with:
    systemctl restart automation-bridge
  3. If you need to allow automation-bridge communication through a proxy, edit the file /etc/opt/automation-bridge/automation-bridge.conf and set the correct value. Below is an example:
    HTTP_PROXY="http://proxy.example.com:8080\"
    HTTPS_PROXY="http://proxy.example.com:8080\"
  4. Restart the service with:
    systemctl restart automation-bridge

Configuring the automation bridge for high availability

You may elect to deploy and register multiple bridges to your CSE tenant for high availability. To cluster automation bridges together logically within the Automation Service and ensure high availability, you must set the same ALIAS for each bridge within the cluster in each respective user-configuration.conf file upon installation. When multiple bridges are registered with the same ALIAS, they will appear as active. If one or more bridges within the cluster go offline, playbooks will execute via the active nodes utilizing the same ALIAS. So long as there is parity between the nodes and there is at least one active node registered, there will be no disruption in playbook execution. It is important to note that integration actions within the playbook must have the appropriate bridge ALIAS assigned within the resource configuration and that connectivity can be established with the appropriate resources. Advanced playbooks may elect to utilize multiple bridge clusters leveraging multiple aliases.

Post-installation checks

To check if the bridge is running correctly, run the following command:

ps faux |grep automation-bridge

This is an example of running automation-bridge:
Example of running automation-bridge

On the SOAR instance, the Automation Bridge Monitoring panel under Settings > Audit and information > License information shows a list of live bridge agents:
Automation Bridge Monitoring panel

Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.