About the Automation Service

The Automation Service allows you to set up actions that run automatically when certain conditions are met in Sumo Logic. These automated actions help you to respond quickly to a wide arrange of events.

To use the Automation Service, execute playbooks to run actions in a workflow. Actions are provided by integrations with Sumo Logic and third-party vendors. The Automation Service has number of integrations, actions, and playbooks that you can customize. You can also create your own.

Where you can run automations

You can use the Automation Service to run automations for the following:

• Monitors. Use automated playbooks in monitors to run workflows in response to alerts.
• Cloud SIEM. Use the Automation Service with Cloud SIEM to respond to security incidents.
• Cloud SOAR. Use automation for incident management and triage.

Differences compared to Cloud SOAR

The Automation Service is a subset of automation capabilities adapted from Cloud SOAR Automation that is available to the entire Sumo Logic log analytics platform. The Automation Service only has Cloud SOAR’s playbook-related features, including App Central and the Automation Bridge. Like the Cloud SOAR action types, the Automation Service action types can perform automated responses to events, including run containment actions and manual user interaction steps.

The Automation Service differs from Cloud SOAR in the following ways:

• The Automation Service does not include the incident and case management features from Cloud SOAR.
• The Automation Service does not support daemon and trigger action types. The Automation Service can only use triggers built into Cloud SIEM and the Log Analytics platform.
• Playbooks, integrations, and actions in the Automation Service may differ from those in Cloud SOAR automation.

For more information, see Cloud SOAR Compared to the Automation Service.

Automation Service UI

The Automation Service UI is composed of the following tabs:

• App Central. Displays a central repository of integrations and playbooks you can install to your environment.
  
• Playbook. Shows playbooks, which are workflows you can run to perform automations.
  
• Integration. Lists integrations with Sumo Logic and third-party vendors that provide actions used in playbooks.
  
• Bridge. Shows connections between on-premises servers and the Sumo Logic cloud. A bridge allows you to create a custom integration in your own system and use it to for automation.
  

Theme

You can view the user interface in a dark theme or a light theme:

1. Classic UI.Click your user name in the main Sumo Logic navigation menu and select Preferences.
   New UI. Click your user icon in the upper right corner of the screen and select Preferences.
2. Scroll down to Theme and select Dark theme or Light theme.

For more information, see Setting Account Preferences and Credentials.

Access the Automation Service

info

Before you can access the Automation Service, you must first configure role capabilities.

From the Sumo Logic screen

1. Classic UI. In the main Sumo Logic menu, select Automation.
   New UI. In the main Sumo Logic menu, select Automation > Playbooks. You can also click the Go To... menu at the top of the screen and select Playbooks.
2. The Playbook screen is displayed.
   

From Cloud SIEM

1. Classic UI. In the Cloud SIEM top menu select Configuration, and then under Integrations select Automation.
   New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Automation. You can also click the Go To... menu at the top of the screen and select Automation.
   The list of available automations appears. Each automation runs a playbook.
   
2. At the top of the screen, click Manage Playbooks.
   
3. The Automation Service screen opens on the Playbook tab.
   

Prerequisites

Configure role capabilities

Access to the Automation Service is controlled by role capabilities in the Sumo Logic platform. To get access to the Automation Service:

1. Classic UI. In the main Sumo Logic menu, select Administration > Users and Roles and select the Roles tab.
   New UI. In the top menu select Administration, and then under Users and Roles select Roles. You can also click the Go To... menu at the top of the screen and select Roles.
2. Click Add Role to create a new role for users of the Automation Service. Alternatively, you can select an existing role in the Roles tab and click Edit.
3. Add the following capabilities:
   • Automation Service
     • Task View
     • Task Access
     • Task Access all
     • Task Edit
     • Task Reassign
     • App Central Access
     • App Central Export
     • Integrations Access
     • Integrations Configure
     • Playbooks Access
     • Playbooks Configure
     • Bridge Monitoring Access
     • Observability Access
     • Observability Configure

Configure the connection for an integration resource

To use integrations, you must configure the connection for their resources.

1. Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
   New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations.
2. Select the integration whose resource you want to configure the connection for.
3. Hover over the resource name and click the Edit button that appears.
   
4. Enter the connection configuration needed by the resource. (Find the integration in Integrations in App Central for configuration instructions.)
   What you enter is specific to the resource you're using. Each resource's configuration screen may be different, but in most cases, you will need information such as IP addresses, API tokens, usernames, and passwords for the application you're integrating with. For example, in the following screen enter the API URL and API Key.
   
5. Click Save to save the configuration.

Actions limit

To prevent abuse of system resources or runaway processes, the Automation Service limits the number of playbook actions your organization can execute to 350 per hour by default. To see how many actions your organization has used in the current hour, see the Current hour actions count in the App Central UI. All actions running in the cloud or via the bridge are included in this limit.

Automation action events are provided to the audit index (_index=sumologic_audit) or the system index (_index=sumologic_system_events) in the OAR source category (_sourceCategory=oar*). For more information about using these indexes to query for automation action events as well as other events, see Audit Logging for the Automation Service and Cloud SOAR.

Run the following query to find the actions count per hour:

(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=oar*
| json field=_raw "AutomationAction.name" as actionName nodrop
| json field=_raw "AutomationAction.playbook" as playbook nodrop 
| where eventName = "AutomationActionStarted"
| timeslice 60m
| count by _timeslice | fillmissing timeslice

You can use a query like this to set up a scheduled search or a create a monitor to send an alert when the actions count exceeds the limit per hour, or when node failure occurs.

Each execution of Custom, Notification, Enrichment, Daemon, Scheduled, and Trigger Actions counts toward the actions limit. User Choice, IF, and Task actions do not count toward the actions limit.