About the Automation Service
The Automation Service allows you to set up actions that run automatically when certain conditions are met in Sumo Logic. These automated actions help you respond quickly to a wide range of events.
To use the Automation Service, execute playbooks to run actions in a workflow. Actions are provided by integrations with Sumo Logic and third-party vendors. The Automation Service has a number of integrations, actions, and playbooks that you can customize. You can also create your own.
Where you can run automations
You can use the Automation Service to run automations for the following:
- Cloud SIEM. Use the Automation Service with Cloud SIEM to respond to security incidents.
- Monitors. Use automated playbooks in monitors to run workflows in response to alerts.
Differences compared to Cloud SOAR
The Automation Service is a subset of automation capabilities adapted from Cloud SOAR Automation that is available to the entire Sumo Logic log analytics platform. The Automation Service only has Cloud SOAR's playbook-related features, including App Central and the Automation Bridge. Like the Cloud SOAR action types, the Automation Service action types can perform automated responses to events, including running containment actions and manual user interaction steps.
The Automation Service differs from Cloud SOAR in the following ways:
- The Automation Service does not include the incident and case management features from Cloud SOAR.
- The Automation Service does not support daemon and trigger action types. The Automation Service can only use triggers built into Cloud SIEM and the Log Analytics platform.
- Playbooks, integrations, and actions in the Automation Service may differ from those in Cloud SOAR automation.
For more information, see Cloud SOAR Compared to the Automation Service.
Automation Service UI
The Automation Service UI is composed of the following tabs:
- App Central. Displays a central repository of integrations and playbooks you can install to your environment.
- Playbook. Shows playbooks, which are workflows you can run to perform automations.
- Integration. Lists integrations with Sumo Logic and third-party vendors that provide actions used in playbooks.
- Bridge. Shows connections between on-premises servers and the Sumo Logic cloud. A bridge allows you to create a custom integration in your own system and use it for automation.
Theme
You can view the user interface in a dark theme or a light theme:
- Click your user name in the main Sumo Logic navigation menu.
- Select Preferences.
- Scroll down to Theme and select Dark theme or Light theme.
For more information, see Setting Account Preferences and Credentials.
Access the Automation Service
Before you can access the Automation Service, you must first configure role capabilities.
From the Sumo Logic screen
- Go to the main menu.
- Click Automation.
- The Automation Service screen opens on the Playbook tab.
From Cloud SIEM
- In the top menu click Configuration, and then under Integrations select Automation. The list of available automations appears. Each automation runs a playbook.
- At the top of the screen, click Manage Playbooks.
- The Automation Service screen opens on the Playbook tab.
Prerequisites
Configure role capabilities
Access to the Automation Service is controlled by role capabilities in the Sumo Logic platform. To get access to the Automation Service:
- In the left navigation bar of Sumo Logic, select Administration > Users and Roles.
- Click the Roles tab.
- Click Add Role to create a new role for users of the Automation Service. Alternatively, you can select an existing role in the Roles tab and click Edit.
- Add the following capabilities under Automation Service:
  - Task View
  - Task Access
  - Task Access all
  - Task Edit
  - Task Reassign
  - App Central Access
  - App Central Export
  - Integrations Access
  - Integrations Configure
  - Playbooks Access
  - Playbooks Configure
  - Bridge Monitoring Access
  - Observability Access
  - Observability Configure
Configure the connection for an integration resource
To use integrations, you must configure the connection for their resources.
- Click Integrations in the left navigation bar.
- Select the integration whose resource you want to configure the connection for.
- Hover over the resource name and click the Edit button that appears.
- Enter the connection configuration needed by the resource. (Find the integration in Integrations in App Central for configuration instructions.)
What you enter is specific to the resource you're using. Each resource's configuration screen may be different, but in most cases you will need information such as IP addresses, API tokens, usernames, and passwords for the application you're integrating with. For example, in the following screen enter the API URL and API Key.
- Click Save to save the configuration.
Actions limit
To prevent abuse of system resources or runaway processes, the Automation Service limits the number of playbook actions your organization can execute to 200 per hour by default. To see how many actions your organization has used in the current hour, see the Current hour actions count in the App Central UI. All actions running in the cloud or via the bridge are included in this limit.
Action events are provided to the audit index (_index=sumologic_audit) or the system index (_index=sumologic_system_events) in the OAR source category (_sourceCategory=oar*). Run the following query to find the actions count per hour:
(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=oar*
| json field=_raw "AutomationAction.name" as actionName nodrop
| json field=_raw "AutomationAction.playbook" as playbook nodrop
| where eventName = "AutomationActionStarted"
| timeslice 60m
| count by _timeslice | fillmissing timeslice
You can use a query like this to set up a scheduled search or create a monitor that sends an alert when the actions count exceeds the limit of 200 per hour, or when a node failure occurs.
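The query above filters on AutomationActionStarted events, buckets them into 60-minute timeslices, counts each slice, and fills in empty slices so a quiet hour shows as 0 rather than disappearing. The following Python script, added here as an illustration and not part of the Sumo Logic documentation or product, reproduces that logic offline over constructed JSON event lines and flags any hour that exceeds the 200-action default limit. The sample events, the ISO 8601 `timestamp` field, and the action and playbook names are all constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Default per-hour action limit described on the page.
ACTIONS_PER_HOUR_LIMIT = 200
# Width of one bucket, matching "timeslice 60m" in the page's query.
SLICE = timedelta(minutes=60)


def make_event(ts, event_name, action, playbook):
    """Build one constructed JSON event line with the fields the page's query parses."""
    return json.dumps({
        "timestamp": ts.isoformat(),          # assumption: an ISO 8601 timestamp field
        "eventName": event_name,
        "AutomationAction": {"name": action, "playbook": playbook},
    })


def build_sample_events():
    """Constructed sample data: 201 starts at 10:xx, none at 11:xx, 5 at 12:xx."""
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    lines = []
    # 201 actions started inside the 10:00 slice: one over the default limit.
    for i in range(201):
        lines.append(make_event(base + timedelta(seconds=15 * i),
                                "AutomationActionStarted", "Enrich IP", "Triage"))
    # Completion events live in the same source category but must not be counted.
    for i in range(201):
        lines.append(make_event(base + timedelta(seconds=15 * i + 5),
                                "AutomationActionCompleted", "Enrich IP", "Triage"))
    # Five actions two hours later; the empty 11:00 slice should be reported as 0.
    for i in range(5):
        lines.append(make_event(base + timedelta(hours=2, minutes=i),
                                "AutomationActionStarted", "Block Host", "Containment"))
    return lines


def slice_start(ts):
    """Floor a timestamp to the start of its 60-minute slice."""
    return ts.replace(minute=0, second=0, microsecond=0)


def count_actions_per_hour(raw_lines):
    """Count AutomationActionStarted events per hour, filling missing hours with 0.

    Returns a dict keyed by the ISO timestamp of each slice start, in ascending order.
    """
    counts = {}
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a non-JSON line carries no eventName, so it cannot match the filter
        if event.get("eventName") != "AutomationActionStarted":
            continue  # same filter as: where eventName = "AutomationActionStarted"
        key = slice_start(datetime.fromisoformat(event["timestamp"]))
        counts[key] = counts.get(key, 0) + 1
    if not counts:
        return {}
    # Equivalent of "fillmissing timeslice": emit every hour between first and last.
    filled = {}
    current, last = min(counts), max(counts)
    while current <= last:
        filled[current.isoformat()] = counts.get(current, 0)
        current += SLICE
    return filled


def slices_over_limit(counts, limit=ACTIONS_PER_HOUR_LIMIT):
    """Return the slice starts whose count exceeds the per-hour limit (alert condition)."""
    return [slice_iso for slice_iso, n in counts.items() if n > limit]


if __name__ == "__main__":
    per_hour = count_actions_per_hour(build_sample_events())
    for slice_iso, n in per_hour.items():
        print(f"{slice_iso}  {n:>4} actions")
    print("Over limit:", slices_over_limit(per_hour))
```

Feeding the constructed events through the script yields 201 actions for the 10:00 slice, 0 for 11:00, and 5 for 12:00, and only the 10:00 slice is reported over the limit. A monitor built on the page's query alerts on the same condition: a timeslice whose count is greater than 200.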