Eyeglass Solutions Publication

Sumo Logic SOAR Integrations

Home



 

Overview

Customers using Sumo Logic SOAR solution can now leverage a native integration Playbook and Integrations that enables Cyber Storage .   Customers can augment the capabilities of Sumo Logic SOAR with threat intelligence and Cyber Storage capabilities of Superna Security Edition.

Support Statement

  1. NOTE:  This documentation is provided "as is" without support for 3rd party software.  The level of support for this integration guide is best effort without any SLA on response time.  No 3rd party product support can be provided by Superna directly.  3rd party components require support contracts

Limitations

  1. None

Solution Overview

Superna Defender Zero Trust API enables native playbooks and integrations within Sumo Logic Cloud SOAR or Sumo Logic automations within the SIEM platform.

Advanced Zero Trust Capabilities

  1. SOAR Playbooks that enable the following use cases
    1. Snapshot critical NAS data to create an immutable rollback point.  This snapshot can be used by Data Security Edition to recover data from a cyber attack with automated single file recovery and compromised data quarantine.
    2. User lockout workflow allows triggering a user account permissions lookup and blocking the users access to data.  This would be used when a users credentials are compromised and proactive data protection actions should be taken. NOTE: unblocking a user can be completed from the Data Security Essentials Active Alert incidents interface.

What is Sumo Logic SOAR?

Sumo Logic Cloud Cloud SOAR provides security analysts and SOC managers with enhanced visibility across the enterprise to thoroughly understand the scope and context of an attack. Streamlined workflows and automated playbooks that automate data protection responses can extend Cyber Storage protection to Sumo Logic customers.  Streamlined incident response provides better outcomes from Cyber attacks.


Integration Architecture



Solution Configuration in Sumo Logic SOAR

Prerequisites

  1. Installed Security Edition
  2. Eyeglass OS appliance version 15.5 or later
    1. cat /etc/os-release
  3. License key for the Zero Trust API 
  4. Zero Trust API token from Eyeglass
  5. Sumo Logic SOAR or Sumo Logic base SIEM product 
    1. Automation Bridge installed https://help.sumologic.com/docs/platform-services/automation-service/automation-service-bridge/#requirements


Configuration in Sumo Logic SOAR

Steps to Import Playbooks and Integrations for Automation

  1. Log in to Sumo Logic console and open automation integrations
    2. Select the + Integration button to import a yaml file defition of the integration.
      1. Download the YAML files for Snapshot Automation of NAS data.  Unzip the file yaml files.  
    3. Import both YAML files
      1.  
    4. This should import an integration and an HTTP POST API action
    5. Edit the Resource defaults (snapshotapidata) on the integration to enter the IP address of the eyeglass VM and update the HTTP headers section with the API key from Eyeglass.
      1. Create API token,   Login to Eyeglass VM --> Integrations Icon --> API token tab --> + to create a new token , enter a name.  copy the token value to update headers following steps below.  In the image below replace the 172.31.1.102 ip address with your Eyeglass VM.
    6.   
    7. Edit this text and replace the yellow with your API token.  "api_key: igls-1sbevrp1mogkeg9q6r2usit6fpbkdk9md4umtlpinvm51cnbndqu, Content-Type: application/json"  and paste into the header section.
    8. Scroll down and select the Automation Bridge name that will be used to proxy API calls to an on premise endpoint.
  2. Click Save
  3. Import the Playbook
    1.  
    2. Click the + to import a playbook
    3.  
    4. Download this Playbook compressed file.
    5. Click the upload button and provide the compressed gz file as the input.  This will import all the files needed to create the playbook, that leverages the integration created in the previous step.
  4.  done



How to test the Integration with Sumo Logic SOAR

  1. To test the playbook use the playbook test option
    1.  
    2. the 3 dots reveal a test option
      1. Change the drop down to show custom
      2. Then click Run
      3. A successful execution will show the results of the API call and green success
      4.  


Sumo Logic SOAR Alert Monitor Playbook Integration 

The Sumo Logic SOAR automation playbooks can be integrated with Alert monitors.   The examples below provide pre-built Alert Monitors that can be imported and leverated witht he integration and playbooks.


Prerequisites 

  1. Installed and configured all Superna integration and playbooks as per steps in this guide.


Critical Data NAS Snapshot Alert Monitor

  1. Open the Alert Monitor UI on the console
  2. Import a new Monitor definition
    2. Download the json definition of the  Superna Critical with Snapshot playbook monitor. (right click download and save as) 
    3. Open this file to import the playbook definition.
    4. It should be enabled by default.  Click subscribe on the playbook action menu to be notified when this monitor triggers.
    5. Now edit the Monitor and scroll down to the automated playbooks section and make sure the playbook is listed (Superna Zero Trust Snapshot),  you may need to paste the name again and save the monitor to link the playbook ID with your instance's ID number for the playbook.
  3. Example Alert

  4. Done. 
  5. NOTE:  The snapshot playbook could be associated with other Monitor definitions for any scenario where protecting data is a required next step.  Example user account has been phished or multiple failed login attempts indicating a brute force attack on passwords.



© Superna Inc