Faster security investigation with Cloud SIEM playbooks

Playbooks — and automated processes in general — used to be associated primarily with security orchestration, automation and response (SOAR) platforms, but that has changed recently. Many modern security information and event management (SIEM) solutions have started incorporating SOAR-like functionality, enabling you to automate security workflows and improve your mean time to detect (MTTD) and mean time to respond (MTTR). 

This tendency results from organizations dealing with a plethora of repetitive, manual tasks involving multiple applications and context switching, aggravating analyst fatigue and degrading security teams’ efficiency and productivity. The idea is to streamline threat management by doing as much as possible from one place: event management, event analysis, threat detection, and incident response. As a result, organizations have started looking for an integrated solution covering various use cases, such as a feature- and functionality-rich SIEM tool.

Sumo Logic has never been a stranger to innovation, and Cloud SIEM is no exception. This article will introduce you to the newly launched Cloud SIEM Automation Service and show how to speed up security investigation with Cloud SIEM playbooks and improve your security incident response.

A brief excursion into modern SIEM

Modern SIEM is a broad topic that requires a whole separate discussion. But for our purposes, it would suffice to say that technology research authorities such as Omdia and Gartner (as first suggested in its Magic Quadrant for SIEM in 2017 and now reiterated in 2022) see built-in SOAR-like capabilities as one of the essential elements of modern SIEM.

What do we mean by “SOAR-like capabilities”? 

Primarily, this refers to security automation. Based on analysts’ forecasts, this functionality will play a crucial role in the market demand for SIEM in the coming years.

A graphical editor for building and customizing playbooks without coding plays a significant role in modern SIEM. Out-of-the-box and custom-built workflows (i.e., playbooks) allow you to automate the typical steps security analysts take when your SIEM detects a potential security threat.

The ability to orchestrate and control your tool stack from one place reduces context switching, meaning pivots between platforms and tools. Playbooks make it possible to define in advance and streamline the most suitable workflows for common scenarios and repetitive tasks, thus reducing security teams’ workload and analyst fatigue. They also eliminate manual tasks and deliver contextual information the security analyst needs to improve response accuracy.

The advent of modern SIEM is gradually making the distinction between SOAR and SIEM somewhat blurry. Despite that, a meaningful difference between the two continues to exist. In simple terms, a full-fledged SOAR tool is still the better choice for heavy-duty threat response and containment; for everything else, there is modern SIEM.

What is the Cloud SIEM Automation Service?

The Cloud SIEM Automation Service enables you to create, customize, and use fully automated workflows — playbooks including enrichment and notification actions. It allows you to investigate potential security threats promptly, notify everyone involved, and enhance your threat response. Sumo Logic has developed the Automation Service based on its award-winning Cloud SOAR solution, and it is free to use for all Cloud SIEM customers.

You can choose to activate a playbook manually or automatically based on triggers like the creation of a new Insight. 

The Sumo Logic Cloud SIEM Automation Service has out-of-the-box playbooks you can customize in its graphical editor. You can also build new playbooks from scratch without coding, creating workflows consisting of the following five types of nodes:

• Enrichment
• Notification
• Custom action
• Nested playbook
• Machine choice (automated conditionals forking into different directions hinging on the outcomes of previous nodes)

Besides playbooks and a playbook editor, the Automation Service gives you access to the Open Integration Framework (OIF) and hundreds of pre-built integrations with services as diverse as AWS, Recorded Future, Jira, ChatGPT, and more. The sheer number of integrations implies a high probability that you find the tools you need in your cyber environment. 

But even if a security tool is missing, in addition to customizing the current integrations, just like playbooks, you can build your own integrations from the ground up and fill any existing gaps. You can also ask the Sumo Logic team to develop new integrations without incurring additional charges.

How can the Cloud SIEM Automation Service help?

In general terms, the Cloud SIEM Automation Service helps you address the following pain points:

• Overextended threat intelligence cycle due to the lack of automated alert enrichment capabilities
• Overly long threat investigation
• Lack of alert contextualization and prioritization
• Missing automated or centralized notification mechanisms that slow down a security team’s or SOC’s (security operations center) response
• Poorly integrated security stack

Structured processes for efficient security investigation

The Automation Service allows you to investigate potential threats through structured processes embodied in enrichment and notification playbooks. They make it possible to automatically enrich alerts with information from internal (e.g., historical data in a data lake) or external sources (third-party products and services). 

The Cloud SIEM playbooks provide clear context so analysts can properly and quickly evaluate alerts, reliably determine whether they are false or true positives, and act accordingly. In short, structured enrichment and notification processes turn security investigation into a much more efficient process. 

Integration and automation for a highly integrated security stack

Security stacks inevitably include a range of disparate technologies, where tools with overlapping features are often utilized for the same tasks. Poorly integrated tool stacks severely affect productivity, efficiency, and analyst engagement, preventing teams from optimizing their work. For this reason, the ability to easily incorporate different technologies and make them work in unison has become vital to modern security teams and SOCs. 

By taking advantage of the integration and automation capabilities of the Cloud SIEM Automation Service, you can operate even the most complex security stacks from a single place. The Cloud SIEM Automation Service allows disparate tools to talk to each other and work together in an automated workflow, enabling you to gain better control over your security operations.

Insights and playbooks for reliable alert prioritization

Cloud SIEM Insights provide an excellent ground for alert prioritization, but the Automation Service refines the process even further. It allows you to adjust alert severity and prioritize Insights even more efficiently based on the results of the run playbooks. When a Cloud SIEM playbook runs, you obtain all the relevant data to differentiate between Insights and focus primarily on those that point to the most urgent security threats.

Examples of Sumo Logic SIEM playbooks

Though this distinction does not do justice to the rich nature of Cloud SIEM playbooks, generally speaking, they can take two forms: simple and complex, both fully customizable. More precisely: 

1. A playbook can be as simple as a single action, such as looking up an IP address in a threat intelligence service and opening a Jira ticket.
2. A playbook can comprise a complex set of actions that include logic — looking up an IP, and if it is malicious, sending an email and increasing the severity of the Insight. Another example would be a playbook performing enrichment for multiple entities — one ”path“ for each Entity type — and then checking for maliciousness for any of them. 

Learn more about the Sumo Logic Automation Service, and sign up for a demo to see it in action!