Configure integration with SIEM
The Automation Anywhere Control Room supports security information and event management (SIEM) tools ingesting logs from your tenant's Audit log. With SIEM integration, audit logs can be sent to analytic tools such as Splunk, QRadar, Sumo Logic, and ArcSight.
This procedure configures a SIEM server step by step so that Automation 360 sends its audit messages to that server. In the following example, Sumo Logic is used as the SIEM provider; use the same procedure to configure any other SIEM server.
Setting up Sumo Logic
To use Sumo Logic as a logging endpoint, you will need to create a Sumo Logic account, add a new source, and save the HTTP source URL. To add a new source in the Sumo Logic website, perform the following steps:
- After you create your Sumo Logic account, the Sumo Logic Setup Wizard appears. If you already have an account, you can access the wizard by selecting Setup Wizard from the Manage menu at the top of the Sumo Logic application. In the Setup Wizard, click Set Up Streaming.
The Select Data Type window appears.
- Click All Other Sources.
The Set Up Collection window appears.
- Click HTTP Source.
The Configure Source: HTTP Source window appears.
- Enter a name in the Source Category (for example, Http Input), and select a timezone for your log files.
- Click Continue to see a magic URL such as the following:
Save this URL in an editor. You will need it when you add Sumo Logic as an SIEM logging endpoint.
Adding Sumo Logic as an SIEM logging endpoint
To perform this task, you must be a Control Room administrator and have the required rights and permissions.
To configure the server where audit logs will be sent, perform the following steps:
- Navigate to
- Select Enabled and paste the SIEM server endpoint that you copied previously, from Setting up Sumo Logic.
Note: Refer to your SIEM provider's documentation for its requirements on HTTP headers and on the JSON attributes in the request body.
- Select the POST HTTP method, because Sumo Logic accepts inputs as POST requests.
Note: The SIEM tool certificate is optional and depends on the SIEM provider. Some SIEM providers require you to enter a valid SIEM tool certificate.
- Enter a name for Event attribute (for example, audit). All log messages are logged under this category, and it acts as the key for locating all the event logs.
Note: The timestamp attribute is optional and depends on the SIEM provider's mapping for this field. For example, Splunk requires the value to be time, mapped to one of its timestamp fields. The maximum length allowed is 256 characters. All special characters are allowed except the backslash (\) and the double quotation mark ("); these two characters have to be escaped.
- Click the plus (+) sign to enter key-value pairs for the body (static attributes) that are sent along with the logs. The key-value pairs also accept special characters as input. You can configure a maximum of 50 attributes.
- Click the plus (+) sign to enter key-value pairs for the header sent with every event data log. The header data is specific to the SIEM provider. For example, Sumo Logic supports header names starting with the letter X (for example, X-Sumo-Fields). You can configure a maximum of 50 headers.
For more information about header data, see the corresponding SIEM provider's documentation.
Verifying data in Sumo Logic
- Generate an audit log by generating an event. For example, create a user (Create a user).
- Go to Audit log to see the entry in the logs.
In Sumo Logic, you will notice the event logged in the source that you configured when setting up Sumo Logic.
- Navigate to .
- On the Collection tab, click the Open in Log Search icon next to the respective log source. It displays events filtered by collector and source. A user creation event in JSON format, sent to Sumo Logic through HTTPS, is displayed.
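The forwarding request that the endpoint steps configure and the check that the verification steps describe, modelled end to end as an added example (not Automation Anywhere's or Sumo Logic's code): the Control Room side builds the POST carrying the audit message under the event attribute together with the static body attributes and headers, applying the limits stated on this page (HTTPS endpoint, at most 50 attributes and 50 headers, attribute names of at most 256 characters with backslash and double quote escaped), and a stand-in for the SIEM HTTP source ingests it so the event can be found the way Open in Log Search would show it. The JSON layout, the function names, the eventType field, the sample values and the placeholder URL are assumptions.

```python
"""Added example: model of the audit-log forwarding this page configures.

The Control Room side builds an HTTPS POST (event attribute, static body
attributes, per-event headers); the SIEM side ingests and searches it. JSON
layout, function names, sample fields and URL are assumptions, not the real
Automation 360 or Sumo Logic formats."""
import json
import urllib.request

MAX_ATTRIBUTES = 50    # static body attributes allowed (from the page)
MAX_HEADERS = 50       # per-event headers allowed (from the page)
MAX_ATTR_LENGTH = 256  # attribute-name length limit (from the page)

# Placeholder for the HTTP source URL copied from the wizard; handle it like a credential.
HTTP_SOURCE_URL = "https://collector.example.invalid/PLACEHOLDER_SOURCE_TOKEN"


def validate_attribute_name(name):
    """Check a name as typed into the Control Room UI: at most 256 characters, with
    backslash and double quote only in escaped form (\\\\ and \\"); returns it unescaped."""
    if len(name) > MAX_ATTR_LENGTH:
        raise ValueError(f"attribute name longer than {MAX_ATTR_LENGTH} characters")
    literal, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            nxt = name[i + 1] if i + 1 < len(name) else ""
            if nxt not in ('\\', '"'):
                raise ValueError("bare backslash in attribute name; escape it as \\\\")
            literal.append(nxt)
            i += 2
        elif ch == '"':
            raise ValueError('bare double quote in attribute name; escape it as \\"')
        else:
            literal.append(ch)
            i += 1
    return "".join(literal)


def build_request(endpoint, event_attribute, audit_event, static_attributes,
                  headers, timestamp_attribute=None, timestamp=None):
    """Return (url, headers, body_bytes) for one event, enforcing the page's limits."""
    if not endpoint.startswith("https://"):
        raise ValueError("SIEM endpoint must be an HTTPS URL")
    if len(static_attributes) > MAX_ATTRIBUTES:
        raise ValueError(f"at most {MAX_ATTRIBUTES} static attributes allowed")
    if len(headers) > MAX_HEADERS:
        raise ValueError(f"at most {MAX_HEADERS} headers allowed")
    body = {validate_attribute_name(k): v for k, v in static_attributes.items()}
    body[validate_attribute_name(event_attribute)] = audit_event
    if timestamp_attribute:  # e.g. "time" for Splunk, as the page notes
        body[validate_attribute_name(timestamp_attribute)] = timestamp
    out_headers = {"Content-Type": "application/json", **headers}
    return endpoint, out_headers, json.dumps(body).encode("utf-8")


def post_event(url, headers, body, transport=None):
    """POST one event; `transport` replaces urllib so the flow can run offline."""
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    if transport is None:
        with urllib.request.urlopen(request) as resp:
            return resp.status
    return transport(request)


def ingest(store, request):
    """Stand-in for the SIEM HTTP source: parse the JSON body and keep the
    source-tagging header with it (urllib stores header names capitalised)."""
    store.append({"source": request.full_url,
                  "fields": request.get_header("X-sumo-fields", ""),
                  "body": json.loads(request.data.decode("utf-8"))})
    return 200


def find_events(store, event_attribute, event_type=None):
    """Mimic 'Open in Log Search': return stored bodies carrying the configured
    event attribute, optionally filtered on the (constructed) eventType field."""
    hits = []
    for record in store:
        event = record["body"].get(event_attribute)
        if event is not None and (event_type is None or event.get("eventType") == event_type):
            hits.append(record["body"])
    return hits


def demo():
    """Run the whole flow in memory and return the user-creation events found."""
    store = []
    # Constructed audit message standing in for a 'Create a user' action.
    audit_event = {"eventType": "USER_CREATED", "actor": "cr-admin",
                   "target": "jdoe", "result": "SUCCESS"}
    url, headers, body = build_request(
        HTTP_SOURCE_URL, "audit", audit_event,
        static_attributes={"tenant": "prod-cr", "app": "Automation 360"},
        headers={"X-Sumo-Fields": "env=prod,team=secops"},
        timestamp_attribute="time", timestamp="2024-01-01T00:00:00Z")
    post_event(url, headers, body, transport=lambda req: ingest(store, req))
    return find_events(store, "audit", event_type="USER_CREATED")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the single user-creation event as the stand-in source stored it, with the static attributes and the time field beside the audit payload. The HTTP source URL acts as a write credential for the log source: anyone holding it can post events into it, so keep it in a secrets store rather than in shared notes, and treat an unexpected change of source or collector in the search results as something to investigate.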