Read and Review Automation Anywhere Documentation

Automation 360

Close Contents

Contents

Open Contents

Configure integration with SIEM

  • Updated: 2022/06/23
    • Automation 360 v.x
    • Explore
    • RPA Workspace

Configure integration with SIEM

The Automation Anywhere Control Room supports security information and event management (SIEM) tools ingesting logs from your tenant's Audit log. With SIEM integration, audit logs can be sent to analytic tools, such as Splunk, QRadar, Sumologic, and Arcsight.

By pushing audit log entries to SIEM tools, you can integrate and leverage the advanced searching and reporting features of SIEM solutions. When configured, the Control Room audit logs are forwarded to the configured SIEM server.

Configure an SIEM server step by step so that Automation 360 sends the audit messages to the SIEM server. In the following example, Sumo Logic is used as the SIEM provider. Use the same procedure to configure any other SIEM server.

Setting up Sumo Logic

To use Sumo Logic as a logging endpoint, you will need to create a Sumo Logic account, add a new source, and save the HTTP source URL. To add a new source in the Sumo Logic website, perform the following steps:

  1. After you create your Sumo Logic account, the Sumo Logic Setup Wizard appears. If you already have an account, you can access the wizard by selecting Setup Wizard from the Manage menu at the top of the Sumo Logic application. In the Setup Wizard, click Set Up Streaming Data.

    The Select Data Type window appears.

  2. Click All Other Sources.

    The Set Up Collection window appears.

  3. Click HTTP Source.

    The Configure Source: HTTP Source window appears.

  4. Enter a name in the Source Category (for example, Http Input), and select a timezone for your log files.

  5. Click Continue to see a magic url such as the following:
    https://endpoint1.collection.us2.sumologic.com/receiver/v1/http/ZaVnA4dhaV0nFJAEMuwFDGEEZUnDedm7hYhkdUJSAE44bmKKp1mp4LsYDCr2MzTA0C21czkqjz9UVjC1mk4lw512KQ7Usz3OAmNwCMWO09eK9r7h2VZT7B==

    Save this URL in an editor. You will need it when you add Sumo Logic as an SIEM logging endpoint. Adding Sumo Logic as an SIEM logging endpoint

Adding Sumo Logic as an SIEM logging endpoint

To configure the server where audit logs will be sent, perform the following steps:

Note:

To perform this task, you must be a Control Room administrator and have the required rights and permissions.

  1. Navigate to Administration > Settings > SIEM Integration Configuration.

  2. Select Enabled and paste the SIEM server endpoint that you copied previously, from Setting up Sumo Logic.
    Note: Ensure that you refer to your SIEM provider's documentation to get the information regarding the HTTP headers and requirements around JSON attributes (request body).


  3. Select POST HTTP method, because Sumo Logic accepts the inputs as a POST method.
    Note: The SIEM tool certificate is optional and depends on the SIEM provider. Some SIEM providers require you to enter a valid SIEM tool certificate.
  4. Enter a name for Event attribute(for example, audit). All the log messages will be logged under this category and will act as key to locate all the event logs.
    Note: The timestamp attribute is an optional field and depends on the SIEM provider's mapping for this field. For example, Splunk requires the value to be time and mapped to one of its timestamp fields. The maximum length allowed is 256 characters. All special characters are allowed except the backslash (\) and double quotation marks ("). These characters have to be escaped.
  5. Click on plus (+) sign to enter a few key-value pairs for body (static attributes) that are sent out along with the logs. The key-value pairs also take special characters as inputs. You will be able to configure a maximum of 50 attributes.

  6. Click on plus (+) sign to enter a few key value pairs for header to be sent with every event data log. The header data is specific to the SIEM provider. For example, with Sumo Logic, it supports header names starting with the letter X (for example, X-Sumo-Fields). You will be able to configure a maximum of 50 headers.

    For more information about header data, see the corresponding SIEM provider's documentation.

Verifying data in Sumo Logic

Reception of audit logs are verified using the Sumo Logic web interface. One way to do this is to search for events using the name of the collector and source. Perform the following steps to verify the data in Sumo Logic:
  1. Generate an audit log by generating an event. For example, create a user (Create a user).
  2. Go to Audit log to see the entry in the logs.

    In Sumo Logic, you will notice the event logged in the source that you configured when setting up Sumo Logic. Setting up Sumo Logic

  3. Navigate to Manage Data > Collections.
  4. On the Collection tab, click on the Open in Log Search icon next to the respective log source.

    It displays events filtered by collector and source. A user creation event in JSON format sent to Sumo Logic through HTTPS is displayed.

Send Feedback