Skip to main content

Security Incident Response (SIR) Integration

This section has instructions for installing and configuring the integration between Sumo Logic Cloud SIEM and ServiceNow's Security Incident Response (SIR).

The screenshots in this topic were captured from SIR UI16. If you have a different UI enabled, your view may be different.

Overview

The integration polls for Cloud SIEM for Insights and creates a ServiceNow Incident for each Insight. It creates composite fields, CI items, and associated MITRE data in ServiceNow.

Once you have configured the integration, Insights that match the query you specify in the configuration, will be ingested by ServiceNow on the configured ingestion cycle, which by default is every five minutes.

Prerequisites

The following SIR plugins are required:

  • Threat Intelligence (com.snc.threat.intelligence) — This plugin is required if you want to enable SIR to add  MITRE information (stage, tactic, and technique) to Incidents it creates from Cloud SIEM Insights.
  • Security Incident Response (com.snc.security_incident)

The following SIR system table permissions are required:

  • Security Incident (sn_si_incident) – Read-only access is required. This table will be written to by ServiceNow mappers.
  • Threat intelligence/mitre tables – Read-only access is required
  • Configuration item tables – Read-write access is required.

Your Cloud SIEM role must allow you to use API keys and to retrieve and modify Insights. 

Step 1: Copy your API credentials

In this step, you make a copy of your API credentials, which you'll need to supply when you install the SIR-Cloud SIEM integration in Step 5 below. 

You’ll need to supply a Sumo Logic Access ID and Access Key. If necessary, you can create those on your Preferences page in the Sumo Logic UI. For more information, see Create an access key on Preferences page.

Step 2: Install ServiceNow plugins

In this step you install two ServiceNow plugins. 

note

Plugin installation can fail if another installation is running in the background. Make sure you complete one installation of one starting another.

  1. Install the Security Incident Response plugin from the ServiceNow store. 
    Security Incident Response plugin
  2. Install the Threat Intelligence add-on from the ServiceNow store. 
    Threat Intelligence add-on

Step 3: Configure MITRE ATT&CK threat feed data

This step is required only if you don’t already have MITRE ATT&CK threat feed data. To see if you do, Navigate to Threat Intelligence > MITRE ATT&CK Repository > Techniques, in ServiceNow. If you have MITRE data, the that page will contain data that looks like the table shown in substep 6 below, and you can proceed to Step 4: Configure CI Lookup Rules. If the table is empty perform the steps in this section.

  1. Navigate to Threat Intelligence in the navigation bar. 
  2. Under Threat Sources, select Sources
  3. From Threat Sources, select Enterprise ATT&CK .
  4. Click Execute Now to populate your MITRE framework data. 
  5. To verify the population succeeded,  in the navigation bar search for "MITRE ATT&CK Repository" and click Techniques.
    Techniques option
  6. You should see several pages of data similar to the screenshot below.
    Techniques table
  7. If the table is still empty, contact your ServiceNow administrator and review the integration runs logs to determine how the error occurred. Otherwise proceed to the next step.

Step 4: Configure CI Lookup Rules

CI Lookup Rules are required to enable discovery of configuration items and avoid duplicate CI item creation. If no rules, or no appropriate rules exist, follow the steps below to create appropriate rules.

  1. Navigate to CI Lookup Rules under Security Operations in the navigation bar. 
  2. Select New and create three rules shown in the screenshot below. For instructions, see Create a CI Lookup Rule in ServiceNow help.
    CI Lookup rules

Step 5: Install the SIR-Cloud SIEM integration

  1. Search for Integration Configurations under Security Operations in the navigation bar. 
  2. Locate Sumo Logic SIR and click Configure.
    SumoLogic SIR
  3. The Sumo Logic SIR Configuration popup appears.
    API credentials
  4. Host. Enter the API endpoint for your Sumo Logic deployment, but leave out the trailing path reference to /api/. To determine your endpoint, see Sumo Logic Endpoints by Deployment and Firewall Security. For example, if your API endpoint is https://api.au.sumologic.com/api/, enter https://api.au.sumologic.com as the value for the Host configuration setting.
  5. Access ID and Access Key. Enter the Sumo Logic Access ID and Key you copied in Step 1.
  6. Default Incident State. Enter the Incident State you want to assign to Incidents created by the integration. The value you enter must by a valid state in your ServiceNow account. To view available options in your environment, enter sys_choice.list in your Environments sidebar and filter for table=sn_si_incident, inactive=false. Alternatively, you can directly view the available options in the State dropdown in any Incident. This field is case-sensitive. If you supply an invalid value, it will be ignored. The  default state for your Incidents created by the integration will be set based on your business rules.  

Step 6: Test the configuration

To verify that the configuration is working, enter the following in the ServiceNow navigation bar.

x_579138_sumo_logi_sumo_logic_insights.list

Within five minutes data will appear if new Insights have been created. If no insights have been created, you can check Sumo Logic integration logs by searching for logs with the prefix: “Sumo Cloud SIEM ERROR”. You can also check the Sumo Status table from the navigation bar to see the last error message if any and the current integration health. If the value is healthy then the integration has run at least once with no error.

Configuration options

This section describes configuration changes you can make to the integration.

Update the mapping configuration

If desired, you can change the mapping between the fields in Cloud SIEM Insights and the fields in Incidents that the integration creates in ServiceNow.

  1. Navigate to the Table Transform Maps page in ServiceNow.
    Table Transform Maps
  2. Open the “Sumo Insight Mapper” for editing.
  3. Make your edits and save your changes. 

Configuration properties

This section describes the configuration properties for the integration. 

After navigating to sys_properties.list, search for the properties by entering “x_sul_sumo_logic_s.” in the Name field.

Double-click a property to edit it.

PropertyDescription
x_sul_sumo_logic_s.configuration_idAn arbitrary ID assigned by the integration. Do not modify this setting unless recommended by Sumo Logic support.
x_sul_sumo_logic_s.integration_idAn arbitrary ID assigned by the integration. Do not modify this setting unless recommended by Sumo Logic support.
x_sul_sumo_logic_s.sumo_debugControls what level of logging is enabled. If “true” both info and debug level messages are logged. If “false” only error level messages are logged.

View generated Incident URL in Cloud SIEM

The URL to the ServiceNow Incident generated for an Insight is shown on the details page for the Insight.

Generated incident

Example Incident created by integration

The screenshot below shows a ServiceNow Incident that was created for a Cloud SIEM Insight.

Incident draft

See closed Insight in Cloud SIEM

After an Incident created by the integration is closed in ServiceNow, the Insight from which it was generated will be closed in Cloud SIEM as well.

Insight Actions

View integration log messages

To view log messages written by the integration:

  1. Choose System Log > All in the ServiceNow left-nav pane.
  2. Search the messages for “Sumo Cloud SIEM”.
    Integration log messages
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.