Sumo Logic Cloud SIEM
Integration version: 3.0
Configure Sumo Logic Cloud SIEM integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://{instance} | Yes | API root of the Sumo Logic Cloud SIEM instance. |
| API Key | String | N/A | No | API Key of the Sumo Logic Cloud SIEM account. Note: API key has priority over other authentication method. |
| Access ID | String | N/A | No | Access ID of the Sumo Logic Cloud SIEM account. Note: Both Access ID and Access Key are required for this type of authentication. |
| Access Key | String | N/A | No | Access Key of the Sumo Logic Cloud SIEM account. Note: Both Access ID and Access Key are required for this type of authentication. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify that the SSL certificate for the connection to the Sumo Logic Cloud SIEM server is valid. |
Use Cases
Ingest alerts.
Actions
Ping
Description
Test connectivity to Sumo Logic Cloud SIEM with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Sumo Logic Cloud SIEM server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Sumo Logic Cloud SIEM server! Error is {0}".format(exception.stacktrace) |
General |
Search Entity Signals
Description
Search signals related to entities in Sumo Logic Cloud SIEM. Supported entities: IP Address, Hostname, Username.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Lowest Severity To Return | Integer | 5 | No | Specify the lowest severity number that is used to return signals. Maximum: 10 |
| Time Frame | DDL | Last Hour Possible Values:
|
No | Specify a time frame for the results. If "Custom" is selected, you also need to provide "Start Time". If "Alert Time Till Now" is selected, the action uses start time of the alert as start time for the search and end time is current time. If "30 Minutes Around Alert Time" is selected, the action searches the alerts 30 minutes before the alert happened till the 30 minutes after the alert has happened. Same idea applies to "1 Hour Around Alert Time" and "5 Minutes Around Alert Time" |
| Start Time | String | N/A | No | Specify the start time for the results. This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601 |
| End Time | String | N/A | No | Specify the end time for the results. If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time. Format: ISO 8601 |
| Max Signals To Return | Integer | 50 | No | Specify the number of signals to return per entity. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
- Username
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
[
{
"allRecords": [
{
"action": "failed password attempt",
"bro_dns_answers": [],
"bro_file_bytes": {},
"bro_file_connUids": [],
"bro_flow_service": [],
"bro_ftp_pendingCommands": [],
"bro_http_cookieVars": [],
"bro_http_origFuids": [],
"bro_http_origMimeTypes": [],
"bro_http_request_headers": {},
"bro_http_request_proxied": [],
"bro_http_response_headers": {},
"bro_http_response_respFuids": [],
"bro_http_response_respMimeTypes": [],
"bro_http_tags": [],
"bro_http_uriVars": [],
"bro_kerberos_clientCert": {},
"bro_kerberos_serverCert": {},
"bro_sip_headers": {},
"bro_sip_requestPath": [],
"bro_sip_responsePath": [],
"bro_ssl_certChainFuids": [],
"bro_ssl_clientCertChainFuids": [],
"cseSignal": {},
"day": 11,
"device_ip": "172.30.202.30",
"device_ip_ipv4IntValue": 2887698974,
"device_ip_isInternal": true,
"device_ip_version": 4,
"fieldTags": {},
"fields": {
"auth_method": "ssh2",
"endpoint_ip": "172.30.202.30",
"endpoint_username": "bL0ofHLH",
"event_message": "Failed password for invalid user",
"src_port": "39788"
},
"friendlyName": "record",
"hour": 10,
"http_requestHeaders": {},
"listMatches": [],
"matchedItems": [],
"metadata_deviceEventId": "citrix_xenserver_auth_message",
"metadata_mapperName": "Citrix Xenserver Auth Message",
"metadata_mapperUid": "bcc62402-2870-49ad-ba8d-64ddf22fd342",
"metadata_parseTime": 1646994593976,
"metadata_product": "Hypervisor",
"metadata_productGuid": "6751ee25-4ef9-4f9f-9c8b-c39668856994",
"metadata_receiptTime": 1646994592,
"metadata_relayHostname": "centos-002",
"metadata_schemaVersion": 3,
"metadata_sensorId": "0b52e838-2dbd-4fc0-a2b5-7135a5dc72b7",
"metadata_sensorInformation": {},
"metadata_sensorZone": "default",
"metadata_vendor": "Citrix",
"month": 3,
"normalizedAction": "logon",
"objectType": "Authentication",
"srcDevice_ip": "172.30.202.30",
"srcDevice_ip_ipv4IntValue": 2887698974,
"srcDevice_ip_isInternal": true,
"srcDevice_ip_version": 4,
"success": false,
"timestamp": 1646994592000,
"uid": "7a89ebd4-3346-59fe-839a-9fc9bf99f51a",
"user_username": "bL0ofHLH",
"user_username_raw": "bL0ofHLH",
"year": 2022
}
],
"artifacts": [],
"contentType": "ANOMALY",
"description": "Detects multiple failed login attempts from a single source with unique usernames over a 24 hour timeframe. This is designed to catch both slow and quick password spray type attacks. The threshold and time frame can be adjusted based on the customer's environment.",
"entity": {
"entityType": "_ip",
"hostname": null,
"id": "_ip-172.30.202.30",
"macAddress": null,
"name": "172.30.202.30",
"sensorZone": "",
"value": "172.30.202.30"
},
"id": "a9288779-354c-5a61-b492-f617d302c5ed",
"name": "Password Attack",
"recordCount": 10,
"recordTypes": [],
"ruleId": "THRESHOLD-S00095",
"severity": 4,
"stage": "Initial Access",
"suppressed": true,
"tags": [
"_mitreAttackTactic:TA0001",
"_mitreAttackTactic:TA0006",
"_mitreAttackTechnique:T1110",
"_mitreAttackTechnique:T1078",
"_mitreAttackTechnique:T1078.001",
"_mitreAttackTechnique:T1078.002",
"_mitreAttackTechnique:T1078.003",
"_mitreAttackTechnique:T1078.004",
"_mitreAttackTechnique:T1586",
"_mitreAttackTechnique:T1586.001",
"_mitreAttackTechnique:T1586.002",
"_mitreAttackTactic:TA0008",
"_mitreAttackTechnique:T1110.003",
"_mitreAttackTechnique:T1110.002",
"_mitreAttackTechnique:T1110.001"
],
"timestamp": "2022-03-11T10:29:52"
}
]
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If found at least one signal (is_success=true): "Successfully returned signals for the following entities in Sumo Logic Cloud SIEM: {entities}." If nothing was found for one entity (is_success=true): "No signals were found for the following entities in Sumo Logic Cloud SIEM: {entities}." If nothing is found for all entities (is_success=true): "No signals were found for the provided entities in Sumo Logic Cloud SIEM." If the 500 status code is reported for one entity (is_success=true): "Action wasn't able to retrieve signals for the following entities in Sumo Logic Cloud SIEM: {entities}." If the 500 status code is reported for all entities (is_success=false): "Action wasn't able to retrieve signals for the provided entities in Sumo Logic Cloud SIEM." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Search Entity Signals". Reason: {0}''.format(error.Stacktrace) |
General |
Update Insight
Description
Update insight status in Sumo Logic Cloud SIEM.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Insight ID | String | N/A | Yes | Specify the ID of the insight needs to be updated. |
| Status | DDL | Select One Possible Values:
|
Yes | Specify the status to set for the insight. |
| Assignee Type | DDL | User Possible Values:
|
Yes | Specify the assignee type for the "Assignee" parameter. |
| Assignee | String | N/A | No | Specify the assignee identifier. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"data": {
"artifacts": [],
"assignedTo": "tip.labops",
"assignee": {
"displayName": "tip.labops@siemplify.co",
"username": "tip.labops"
},
"closed": "2022-03-23T11:04:33.731971",
"closedBy": "tip.labops",
"confidence": 0.1,
"created": "2022-03-11T08:48:26.030204",
"description": "Detects multiple failed login attempts from a single source with unique usernames over a 24 hour timeframe. This is designed to catch both slow and quick password spray type attacks. The threshold and time frame can be adjusted based on the customer's environment.",
"entity": {
"entityType": "_ip",
"hostname": null,
"id": "_ip-172.30.202.30",
"macAddress": null,
"name": "172.30.202.30",
"sensorZone": "",
"value": "172.30.202.30"
},
"id": "dbc30c20-6d99-4f6f-8580-157ce70368a5",
"lastUpdated": "2022-03-23T11:04:33.740470",
"lastUpdatedBy": null,
"name": "Initial Access",
"orgId": "siemplify",
"readableId": "INSIGHT-13927",
"recordSummaryFields": [],
"resolution": "False Positive",
"severity": "CRITICAL",
"signals": [
{
"allRecords": [
{
"action": "failed password attempt",
"bro_dns_answers": [],
"bro_file_bytes": {},
"bro_file_connUids": [],
"bro_flow_service": [],
"bro_ftp_pendingCommands": [],
"bro_http_cookieVars": [],
"bro_http_origFuids": [],
"bro_http_origMimeTypes": [],
"bro_http_request_headers": {},
"bro_http_request_proxied": [],
"bro_http_response_headers": {},
"bro_http_response_respFuids": [],
"bro_http_response_respMimeTypes": [],
"bro_http_tags": [],
"bro_http_uriVars": [],
"bro_kerberos_clientCert": {},
"bro_kerberos_serverCert": {},
"bro_sip_headers": {},
"bro_sip_requestPath": [],
"bro_sip_responsePath": [],
"bro_ssl_certChainFuids": [],
"bro_ssl_clientCertChainFuids": [],
"cseSignal": {},
"day": 11,
"device_ip": "172.30.202.30",
"device_ip_ipv4IntValue": 2887698974,
"device_ip_isInternal": true,
"device_ip_version": 4,
"fieldTags": {},
"fields": {
"auth_method": "ssh2",
"endpoint_ip": "172.30.202.30",
"endpoint_username": "1ewk0XJn",
"event_message": "Failed password for invalid user",
"src_port": "59088"
},
"friendlyName": "record",
"hour": 8,
"http_requestHeaders": {},
"listMatches": [],
"matchedItems": [],
"metadata_deviceEventId": "citrix_xenserver_auth_message",
"metadata_mapperName": "Citrix Xenserver Auth Message",
"metadata_mapperUid": "bcc62402-2870-49ad-ba8d-64ddf22fd342",
"metadata_parseTime": 1646987453926,
"metadata_product": "Hypervisor",
"metadata_productGuid": "6751ee25-4ef9-4f9f-9c8b-c39668856994",
"metadata_receiptTime": 1646987443,
"metadata_relayHostname": "centos-002",
"metadata_schemaVersion": 3,
"metadata_sensorId": "0b52e838-2dbd-4fc0-a2b5-7135a5dc72b7",
"metadata_sensorInformation": {},
"metadata_sensorZone": "default",
"metadata_vendor": "Citrix",
"month": 3,
"normalizedAction": "logon",
"objectType": "Authentication",
"srcDevice_ip": "172.30.202.30",
"srcDevice_ip_ipv4IntValue": 2887698974,
"srcDevice_ip_isInternal": true,
"srcDevice_ip_version": 4,
"success": false,
"timestamp": 1646987443000,
"uid": "c2e6188b-202c-5736-9b4d-248ab6ba88dd",
"user_username": "1ewk0XJn",
"user_username_raw": "1ewk0XJn",
"year": 2022
}
],
"artifacts": [],
"contentType": "ANOMALY",
"description": "Detects multiple failed login attempts from a single source with unique usernames over a 24 hour timeframe. This is designed to catch both slow and quick password spray type attacks. The threshold and time frame can be adjusted based on the customer's environment.",
"id": "b4adb0dc-1340-56ec-87aa-c6f1fc0fa247",
"name": "Password Attack",
"recordCount": 10,
"recordTypes": [],
"ruleId": "THRESHOLD-S00095",
"severity": 4,
"stage": "Initial Access",
"tags": [
"_mitreAttackTactic:TA0001"
],
"timestamp": "2022-03-11T08:31:28"
}
],
"source": "USER",
"status": {
"displayName": "Closed",
"name": "closed"
},
"subResolution": null,
"tags": [
"aaa3"
],
"teamAssignedTo": null,
"timeToDetection": 1271.030204,
"timeToRemediation": 1044967.701767,
"timeToResponse": 21.186055,
"timestamp": "2022-03-11T08:31:28"
},
"errors": []
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully updated insight with ID "{id}" in Sumo Logic Cloud SIEM." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Insight". Reason: {0}''.format(error.Stacktrace) If errors are reported: "Error executing action "Update Insight". Reason: {message}.' If "Select One" is selected for the "Status" parameter and no assignee is provided: "Error executing action "Update Insight". Reason: either status or assignee needs to be provided." |
General |
Add Comment To Insight
Description
Add a comment to an insight in Sumo Logic Cloud SIEM.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Insight ID | String | N/A | Yes | Specify the ID of the insight to which action needs to add a comment. |
| Comment | String | N/A | Yes | Specify the comment that needs to be added to the insight. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"data": {
"author": {
"username": "tip.labops"
},
"body": "In Progress",
"id": "1",
"timestamp": "2022-03-16T12:03:56.472109"
},
"errors": []
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully added a comment to an insight with ID "{id}" in Sumo Logic Cloud SIEM." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Comment To Insight". Reason: {0}''.format(error.Stacktrace) If errors are reported: "Error executing action "Add Comment To Insight". Reason: {message}. |
General |
Add Tags To Insight
Description
Add tags to an insight in Sumo Logic Cloud SIEM.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Insight ID | String | N/A | Yes | Specify the ID of the insight to which action needs to add tags. |
| Tags | CSV | N/A | Yes | Specify a comma-separated list of tags that needs to be added to the insight. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"data": {
"author": {
"username": "tip.labops"
},
"body": "In Progress",
"id": "1",
"timestamp": "2022-03-16T12:03:56.472109"
},
"errors": []
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully added tags to an insight with ID "{id}" in Sumo Logic Cloud SIEM." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Add Tags To Insight". Reason: {0}''.format(error.Stacktrace) If errors are reported: "Error executing action "Add Tags To Insight". Reason: {message}. |
General |
Enrich Entities
Description
Enrich entities using information from Sumo Logic Cloud SIEM. Supported entities: Hostname, User, IP Address.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing all of the retrieved information about the entity. |
Run On
This action runs on the following entities:
- Hostname
- User
- IP Address
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"activityScore": 8,
"criticality": null,
"entityType": "_ip",
"firstSeen": null,
"hostname": null,
"id": "_ip-172.30.202.30",
"inventory": [],
"isSuppressed": false,
"isWhitelisted": false,
"lastSeen": "2022-03-11T09:44:53",
"macAddress": null,
"name": "172.30.202.30",
"sensorZone": null,
"tags": [],
"value": "172.30.202.30"
}
Entity Enrichment - Prefix SumoLogicCloudSIEM_
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| isSuppressed | isSuppressed | When available in JSON |
| isWhitelisted | isWhitelisted | When available in JSON |
| tags | CSV of tags | When available in JSON |
| firstSeen | firstSeen | When available in JSON |
| lastSeen | lastSeen | When available in JSON |
| criticality | criticality | When available in JSON |
| activityScore | activityScore | When available in JSON |
Insights
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Harmony Mobile: {entity.identifier}". If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Sumo Logic Cloud SIEM: {entity.identifier}" If data is not available for all entities (is_success=false): "None of the provided entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
|
Entity |
Connectors
Sumo Logic Cloud SIEM - Insights Connector
Description
Pull information about insights from Sumo Logic Cloud SIEM.
Configure Sumo Logic Cloud SIEM - Insights Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | N/A | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | generalized_data_name | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://{instance} | Yes | API root of the Sumo Logic Cloud SIEM instance. |
| API Key | String | N/A | No | API Key of the Sumo Logic Cloud SIEM account. Note: API key has priority over other authentication method. |
| Access ID | String | N/A | No | Access ID of the Sumo Logic Cloud SIEM account. Note: Both Access ID and Access Key are required for this type of authentication. |
| Access Key | Secret | N/A | No | Access Key of the Sumo Logic Cloud SIEM account. Note: Both Access ID and Access Key are required for this type of authentication. |
| Lowest Severity To Fetch | String | N/A | No | The lowest priority that needs to be used to fetch cases. Possible values: Low, Medium, High, Critical. If nothing is specified, the connector will ingest insights with all severities. |
| Max Hours Backwards | Integer | 1 | No | Number of hours from where to fetch insights. |
| Max Insights To Fetch | Integer | 20 | No | Number of insights to process per one connector iteration. |
| Use dynamic list as a blacklist | Checkbox | Unchecked | Yes | If enabled, dynamic list is used as a blacklist. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify that the SSL certificate for the connection to the Sumo Logic Cloud SIEM server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports proxy.