Skip to main content

Cloud SIEM Automation Examples

Following are examples that show you how to create Cloud SIEM automations using the Automation Service. The examples, which are listed in order from simple (performing a basic automation using an out-of-the-box integration) to advanced (creating a custom integration), illustrate many of the tasks you’ll perform on a regular basis when you create your own automations.

note

The number of actions that can be run per hour is limited to prevent abuse of system resources or runaway processes. For more information, see Actions limit.

Simple example: Configure an enrichment

The following example shows how to add an enrichment to an Insight using the “IP Reputation V3” action from VirusTotal.

  1. Edit the VirusTotal OIF resource:
    1. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation. You can also click the Go To... menu at the top of the screen and select Automation..
    2. From the Automation screen, click Manage Playbooks. This opens the Automation Service UI.
    3. Click Integrations in the navigation menu.
    4. Select VirusTotal OIF.
    5. Hover your mouse over the resource name and click the Edit button that appears.
      Resource edit button
    6. In the Edit resource dialog, enter the API URL: https://www.virustotal.com.
    7. Enter the API Key. See the VirusTotal documentation to learn how to obtain the API key. If you do not already have a VirusTotal account, you need to create one to get an API key.
    8. Click Save.
      Edit resource
  2. Create the playbook:
    1. Click Playbook in the navigation menu.
    2. Click the + button to the left of Playbook.
      Add playbook button
    3. In the New playbook dialog, give your playbook a Name.
    4. For Type, enter CSE.
    5. Enter a Description.
    6. Click Create.
  3. Add the “IP Reputation V3” action to the playbook:
    1. Click the Edit button (pencil icon) at the bottom of the playbook view.
    2. Click the Edit button (pencil icon) on the START node.
    3. In the Edit node dialog, select Insight from the dropdown menu and click UPDATE.
    4. Click the Add Node button (+ icon) on the START node.
    5. Select Action.
    6. In the Add node dialog, for Integration select VirusTotal OIF.
    7. Ensure that Type is Enrichment.
    8. For Action, select IP reputation V3.
    9. To the right of the IPs field, click the gear icon.
    10. Click Playbook inputs and select input.entity.value.
    11. Click Create.
      Add node for IP Reputation V3
  4. Add an enrichment action to the playbook:
    1. Hover your mouse over the IP reputation V3 node and click the Add Node button (+ icon).
    2. Select Action.
    3. In the Add node dialog, for Integration, select Sumo Logic Cloud SIEM Internal.
    4. For Type, select Notification.
    5. For Action, select Add Insight Enrichment.
    6. To the right of the Insight ID field, click the gear icon.
    7. Click Playbook inputs and select input.readableId.
    8. In the Enrichment name field, type VirusTotal IP reputation.
    9. To the right of the Raw JSON field, click the gear icon.
    10. Click IP reputation V3 and select output.raw.
    11. Click Create.
      Add node for Insight enrichment
    12. Click and hold on the right semicircle of the new Add Insight Enrichment node and drag to the semicircle of the END node and release. The playbook is complete.
  5. Save the playbook:
    1. Click the Save button (floppy disk icon) at the bottom of the playbook view.
    2. To test the playbook, click the kebab button in the upper-right of the UI and select Run Test.
    3. Click the Publish button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
      Simple playbook for Insight enrichment
  6. Create an automation to run the playbook:
    1. Return to the main Cloud SIEM screen.
    2. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation. You can also click the Go To... menu at the top of the screen and select Automation.
    3. At the top of the automations screen, click New Automation.
    4. For Playbook, select the playbook you created in the previous steps.
    5. For Expects attributes for, select Insight.
    6. For Executes when, select Manually Done.
    7. Click Add to List.
  7. Run the automation:
    1. Select Insights from the main Cloud SIEM screen.
    2. Select an Insight.
    3. Click the Actions button.
    4. Under Insight Automation, select the automation you created in the previous step (it will have the same name as the playbook). The playbook runs.
    5. To see the results of the run, click the Automations tab at the top of the Insight.
    6. View the Status field to find out if the playbook has a status of Success or another status such as Completed with errors.
    7. Click View Playbook to see details of the playbook run. Each node in the playbook will show either Success or Failed.
    8. Click a node to download results of that node’s run.

Playbook inputs

Depending on the action, you may need to select a playbook input. The playbook inputs define the kind of input data needed for the action. For descriptions of the playbook inputs, see the responses on the Get an Insight API.

Playbook inputs

Intermediate example: Configure a notification

The following example shows how to configure a notification that sends an email upon completion of an action to perform a log search in Sumo Logic core platform.

  1. Edit the Sumo Logic resource:
    1. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    2. From the Automation screen, click Manage Playbooks. This opens the Automation Service UI.
    3. Click Integrations in the navigation menu.
    4. Select Sumo Logic.
    5. Hover your mouse over the resource name and click the Edit button that appears.
      Resource edit button
    6. In the Edit resource dialog, enter the API URL for your Sumo Logic core platform instance (for example, https://api.us2.sumologic.com). For the URL to use for your Sumo Logic instance, see Sumo Logic Endpoints by Deployment and Firewall Security.
    7. Create an access key and copy the resulting access ID and access key.
    8. Enter the Access ID and the Access Key.
    9. Select your Time Zone.
    10. Click Save.
      Edit a resource
  2. Create the playbook:
    1. Click Playbook in the navigation menu.
    2. Click the + button to the left of Playbook.
      Add playbook button
    3. In the New playbook dialog, give your playbook a Name, such as Notification for a log search.
    4. For Type, enter CSE.
    5. Enter a Description.
    6. Click Create.
  3. Add the "Search Sumo Logic" action to the playbook:
    1. Click the Edit button (pencil icon) at the bottom of the playbook view.
    2. Click the Edit button (pencil icon) on the START node.
    3. In the Edit node dialog, select Insight from the dropdown menu and click UPDATE.
    4. Click the Add Node button (+ icon) on START.
    5. In the Add node dialog, select Action.
    6. For Integration, select Sumo Logic.
    7. Ensure that Type is Enrichment.
    8. For Action, select Search Sumo Logic.
    9. In the Query box enter the search query you want to make in the Sumo Logic core platform. For help with queries, see General Search Examples Cheat Sheet.
    10. For Last Period select 1 Hour.
    11. Click Create.
      Add Search Sumo Logic node
  4. Add the "Send Email" action to the playbook:
    1. Hover your mouse over the new Search Sumo Logic node.
    2. Click the Add Node button (+ icon) at the bottom of the Search Sumo Logic node.
    3. Select Action.
    4. In the Add node dialog, ror Integration select Basic Tools.
    5. Ensure that Type is Notification.
    6. For Action select Send Email.
    7. In Recipients enter your email address and press Enter.
    8. For Subject type a subject line for the email (for example, "Results of Sumo Logic log search").
    9. In Plain text content enter the text you want to appear in the body of the email. For example, enter "Search in Sumo Logic was executed. Click the Automations tab at the top of the Insight for which the 'Notification for a log search' automation was run. Click 'View Playbook' to see the results."
    10. Copy the plain text content into HTML content and add formatting if desired.
    11. Click Create.
      Add Send Email node
    12. Click and hold on the right semicircle of the new Send Email node and drag to the semicircle of the END node and release. The playbook is complete.
  5. Save the playbook:
    1. Click the Save button (floppy disk icon) at the bottom of the playbook view.
    2. To test the playbook, click the kebab button in the upper-right of the UI and select Run Test.
    3. Click the Publish button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
      Playbook for notification
  6. Create an automation to run the playbook:
    1. Return to the main Cloud SIEM screen.
    2. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    3. At the top of the automations screen, click New Automation.
    4. For Playbook, select the playbook you created in the previous steps.
    5. For Expects attributes for, select Insight.
    6. For Executes when, select Manually Done.
    7. Click Add to List.
  7. Run the automation:
    1. Select Insights from the main Cloud SIEM screen.
    2. Select an Insight.
    3. Click the Actions button.
    4. Under Insight Automation, select the automation you created in the previous step (it will have the same name as the playbook). The playbook runs.
    5. To see the results of the run, click the Automations tab at the top of the Insight.
    6. View the Status field to find out if the playbook has a status of Success or another status such as Completed with errors.
    7. Click View Playbook to see details of the playbook run. Each node in the playbook will show either Success or Failed.
    8. Click a node to download results of that node’s run.

Advanced example: Configure a custom integration

The following example shows how to create a custom integration with an action that runs a script you provide. The custom integration and action are defined by YAML files. To learn how to build your own YAML files, see Integration framework file formats.

The action uses IP Quality Score to gather IP reputation information for enrichment. (This example shows how to add enrichment to an Insight. To use the same action to add enrichment to Entities, see Add Entity enrichment below.)

  1. Install the Automation Service Bridge. Because this example uses a custom integration, you must first install the Bridge before you proceed.
  2. Obtain an API key from IP Quality Score:
    1. Create a free account on IP Quality Score.
    2. Log in.
    3. Go to your account settings and copy the API Key. You will use this key later.
  3. Create a new IP Quality Score integration:
    1. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    2. From the Automation screen, click Manage Playbooks. This opens the Automation Service UI.
    3. Click Integrations in the navigation menu.
    4. Click the + icon at the top of the screen to the left of Integrations.
      Add integration button
    5. Download this file: IP-Quality-Score-Test.yaml.
    6. In the New Integration dialog, drag the file into the Select File box.
    7. Click Upload. An IP Quality Score integration is created.
    8. Open the new IP Quality Score integration.
    9. Hover your mouse over the IP Quality Score name and click the Upload button that appears.
      Upload button
    10. In the Upload dialog, select Action in the kind field.
    11. Download this file: IP-Reputation.yaml.
    12. Drag the file into the Select File box.
    13. Click Upload. The IP Reputation action appears in the IP Quality Score integration.
  4. Add the IP Quality Score integration resource:
    1. Click the + button to the left of Resources.
      Add resource button
    2. Fill out the Add Resource dialog:
      • Label: Enter IP Quality Score Resource.
      • API URL: Enter https://www.ipqualityscore.com/.
      • API Key: Enter the API key you previously obtained from IP Quality Score.
      • Connection Timeout (s): Leave the default value at 120.
      • Automation engine: Select the Automation Bridge you installed locally as described in the first step of this example.
      • Proxy options: Select Use no proxy.
    3. Click Save.
      Add resource for IP Quality Score
  5. Create the playbook:
    1. Click Playbook in the navigation menu.
    2. Click the + button to the left of Playbook.
      Add playbook button
    3. Give your playbook a Name, such as Custom Enrichment with IP Quality Score.
    4. For Type, select CSE.
    5. Enter a Description.
    6. Click Create.
  6. Select the input parameters for the playbook:
    1. Click the Edit button (pencil icon) at the bottom of the playbook view.
    2. On the Start node, click the Edit button (pencil icon).
    3. In the Edit node dialog, select Insight in the Add one or more params as a playbook input field. (If you want to create a playbook to add Entity enrichment instead, see Add Entity enrichment below.)
    4. Click Update.
  7. Add a condition to validate IP addresses:
    1. Click the Add Node button (+ icon) on the START node.
    2. In the Add node dialog, click Condition.
    3. Just below Condition #1, click the top Select a value in the dialog.
    4. Click Playbook inputs.
    5. Select input.entity.entityType.
    6. Click the bottom Select a value in the dialog.
    7. In Get value, type _ip and press Enter.
    8. Click Create.
      Add a condition
    9. Click and hold on the FAILURE (red) semicircle of the new condition node, and drag to the semicircle of the END node and release. This tells the playbook that if there are no valid IP addresses on entities, the playbook should end.
  8. Add the “IP Reputation” action to the playbook:
    1. Click the Add Node button (+ icon) on the CONDITION node.
    2. In the Add node dialog, click Action.
    3. In the Integration field, select IP Quality Score.
    4. In the Action field, select IP Reputation.
    5. To the right of the IP field, click the gear icon.
    6. Click Playbook inputs.
    7. Select input.entity.value.
    8. Click Create.
      Add the IP Reputation node
  9. Add the “Add Insight Enrichment” action to the playbook:
    1. Hover your mouse over the new IP Reputation node.
    2. Click the Add Node button (+ icon) at the bottom of the IP Reputation node.
    3. In the Add node dialog, click Action.
    4. In the Integration field, select Sumo Logic Cloud SIEM Internal.
    5. In the Type field, select Notification.
    6. In the Action field, select Add Insight Enrichment.
    7. To the right of the Insight ID field, click the gear icon.
    8. Click Playbook inputs.
    9. Select input.id.
    10. In the Enrichment name field, enter the name of your playbook, for example, Custom Enrichment with IP Quality Score.
    11. To the right of the Raw JSON field, click the gear icon.
    12. Click IP Reputation.
    13. Select output.raw.
    14. Click Create.
      Add Insight Enrichment node
    15. Click and hold on the right semicircle of the new Add Insight Enrichment node and drag to the semicircle of the END node and release. The playbook is complete.
  10. Save the playbook:
    1. Click the Save button (floppy disk icon) at the bottom of the playbook view.
    2. To test the playbook, click the kebab button in the upper-right of the UI and select Run Test.
    3. Click the Publish button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
      Custom playbook for Insight enrichment
  11. Create an automation to run the playbook:
    1. Return to the main Cloud SIEM screen.
    2. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    3. At the top of the automations screen, click New Automation.
    4. For Playbook, select the playbook you created in the previous steps.
    5. For Expects attributes for, select Insight.
    6. For Executes when, select Manually Done.
    7. Click Add to List.
  12. Run the automation:
    1. Select Insights from the main Cloud SIEM screen.
    2. Select an Insight.
    3. Click the Actions button.
    4. Under Insight Automation, select the automation you created in the previous step (it will have the same name as the playbook). The playbook runs.
    5. To see the results of the run, click the Automations tab at the top of the Insight.
    6. View the Status field to find out if the playbook has a status of Success or another status such as Completed with errors.
    7. Click View Playbook to see details of the playbook run. Each node in the playbook will show either Success or Failed.
    8. Click a node to download results of that node’s run.
    9. Go back to the Insight and click the Enrichments tab to view the enrichments added by the automation.

Add Entity enrichment

The preceding example shows how to use a custom integration to add enrichment to an Insight. To add enrichment to Entities instead, use the same steps but with the following changes:

  1. When you select the input parameters for the playbook, in the Edit node dialog, select Entity instead of Insight in the Add one or more params as a playbook input field.
  2. When you add a condition to validate IP addresses, for Playbook inputs select input.entityType instead of input.entity.entityType.
  3. When you add the “IP Reputation” action to the playbook, for Playbook inputs select input.value instead of input.entity.value.
  4. Instead of adding the “Add Insight Enrichment” action to the playbook, add the “Add Entity Enrichment” action.

The resulting playbook should look like this:
Custom playbook for Entity enrichment

Advanced example: Build a complex playbook

The following example pulls together elements of the Simple example and Intermediate example above. The resulting playbook runs an enrichment using VirusTotal, performs a Sumo Logic search, and sends an email notification.

  1. Edit the VirusTotal OIF resource:
    1. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    2. From the Automation screen, click Manage Playbooks. This opens the Automation Service UI.
    3. Click Integrations in the navigation menu.
    4. Select VirusTotal OIF.
    5. Hover your mouse over the resource name and click the Edit button that appears.
      Resource edit button
    6. In the Edit resource dialog, enter the API URL: https://www.virustotal.com.
    7. Enter the API Key. See the VirusTotal documentation to learn how to obtain the API key. If you do not already have a VirusTotal account, you need to create one to get an API key.
    8. Click Save.
      Edit resource
  2. Edit the Sumo Logic resource:
    1. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    2. From the Automation screen, click Manage Playbooks. This opens the Automation Service UI.
    3. Click Integrations in the navigation menu.
    4. Select Sumo Logic.
    5. Hover your mouse over the resource name and click the Edit button that appears.
      Resource edit button
    6. In the Edit resource dialog, enter the API URL for your Sumo Logic core platform instance (for example, https://api.us2.sumologic.com). For the URL to use for your Sumo Logic instance, see Sumo Logic Endpoints by Deployment and Firewall Security.
    7. Create an access key and copy the resulting access ID and access key.
    8. Enter the Access ID and the Access Key.
    9. Select your Time Zone.
    10. Click Save.
      Edit a resource
  3. Create the playbook:
    1. Click Playbook in the navigation menu.
    2. Click the + button to the left of Playbook.
      Add playbook button
    3. In the New playbook dialog, give your playbook a Name.
    4. For Type, enter CSE.
    5. Enter a Description.
    6. Click Create.
  4. Add the “IP Reputation V3” action to the playbook:
    1. Click the Edit button (pencil icon) at the bottom of the playbook view.
    2. Click the Edit button (pencil icon) on the START node.
    3. In the Edit node dialog, select Insight from the dropdown menu and click UPDATE.
    4. Click the Add Node button (+ icon) on the START node.
    5. Select Action.
    6. In the Add node dialog, for Integration select VirusTotal OIF.
    7. Ensure that Type is Enrichment.
    8. For Action, select IP reputation V3.
    9. To the right of the IPs field, click the gear icon.
    10. Click Playbook inputs and select input.entity.value.
    11. Click Create.
      Add node for IP Reputation V3
  5. Add an enrichment action to the playbook:
    1. Hover your mouse over the IP reputation V3 node and click the Add Node button (+ icon).
    2. Select Action.
    3. In the Add node dialog, for Integration, select Sumo Logic Cloud SIEM Internal.
    4. For Type, select Notification.
    5. For Action, select Add Insight Enrichment.
    6. To the right of the Insight ID field click the gear icon.
    7. Click Playbook inputs and select input.readableId.
    8. In the Enrichment name field type VirusTotal IP reputation.
    9. To the right of the Raw JSON field click the gear icon.
    10. Click IP reputation V3 and select output.raw.
    11. Click Create.
      Add node for Insight enrichment
    12. Click and hold on the right semicircle of the new Add Insight Enrichment node and drag to the semicircle of the END node and release.
  6. Add a condition to validate IP addresses:
    1. Click the Add Node button (+ icon) on the Add Insight Enrichment node.
    2. In the Add node dialog, click Condition.
    3. Just below Condition #1, click the top Select a value in the dialog.
    4. Under Get value from a previous action, select IP Reputation V3.
    5. Select output.total_reputation.
    6. Click the > (is greater than) operator.
    7. Click Select a value.
    8. In the Get value field, type 1 and press Enter.
    9. Click Create.
      Condition to validate IPs
  7. Add the "Search Sumo Logic" action to the playbook:
    1. Click the Edit button (pencil icon) at the bottom of the playbook view.
    2. Click the Edit button (pencil icon) on the START node.
    3. In the Edit node dialog, select Insight from the dropdown menu and click UPDATE.
    4. Click the Add Node button (+ icon) on START.
    5. In the Add node dialog, select Action.
    6. For Integration, select Sumo Logic.
    7. Ensure that Type is Enrichment.
    8. For Action, select Search Sumo Logic.
    9. In the Query box enter the search query you want to make in the Sumo Logic core platform. In the example below, a placeholder queries for a value obtained from the IP Reputation V3 node. For help with queries, see General Search Examples Cheat Sheet.
    10. For Last Period select 15 Minutes (or any time period you want).
    11. Click Create.
      Add Search Sumo Logic node
    12. Click and hold on the right semicircle of the new Search Sumo Logic node and drag to the semicircle of the END node and release.
  8. Add the “Send Email” action to the playbook, which will run if no value is returned from the IP Reputation V3 node:
    1. Click the Add Node button (+ icon) on the new Condition.
    2. In the Add node dialog, ensure Failure is selected under Select an exit port.
    3. Select Action.
    4. In the Add node dialog, for Integration select Basic Tools.
    5. Ensure that Type is Notification.
    6. For Action select Send Email.
    7. In Recipients enter your email address and press Enter.
    8. For Subject type a subject line for the email (for example, “Playbook completed”).
    9. In Plain text content enter the text you want to appear in the body of the email (for example, “Playbook completed. Click ‘View Playbook’ to see details”).
    10. Copy the plain text content into HTML content and add formatting if desired.
    11. Click Create.
      Send Email action
    12. Click and hold on the right semicircle of the new Send Email node and drag to the semicircle of the END node and release. The playbook is complete.
  9. Save the playbook:
    1. Click the Save button (floppy disk icon) at the bottom of the playbook view.
    2. To test the playbook, click the kebab button in the upper-right of the UI and select Run Test.
    3. Click the Publish button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
      Complex playbook
  10. Create an automation to run the playbook:
    1. Return to the main Cloud SIEM screen.
    2. Classic UI. In the top menu select Configuration, and then under Integrations select Automation.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation.
    3. For Playbook, select the playbook you created in the previous steps.
    4. For Expects attributes for, select Insight.
    5. For Executes when, select Manually Done.
    6. Click Add to List.
  11. Run the automation:
    1. Select Insights from the main Cloud SIEM screen.
    2. Select an Insight.
    3. Click the Actions button.
    4. Under Insight Automation, select the automation you created in the previous step (it will have the same name as the playbook). The playbook runs.
    5. To see the results of the run, click the Automations tab at the top of the Insight.
    6. View the Status field to find out if the playbook has a status of Success or another status such as Completed with errors.
    7. Click View Playbook to see details of the playbook run. Each node in the playbook will show either Success or Failed.
    8. Click a node to download results of that node’s run.
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.