Add a Step to Import Events
Playbooks help you automate different processes in your company. An event triggers each process in a company. For example, it can be a remediation process in response to an undesirable event or an investigation launched to understand an unknown event. Similarly, automated processes in the playbook are run in response to a specific event or events. Therefore, the first step in such a playbook is to retrieve alerts or logs to identify such events.
You can retrieve such data from SIEMs like SumoLogic through event types or directly from the tool through integrations. You can also use data stored in files hosted locally or on the web.
A playbook usually starts from a set of events: it takes action on the undesirable ones and automates the response to them.
In Devo SOAR, we provide multiple ways to import events. You connect to SIEMs to import data, and you can connect to other applications that you use directly. You can even create your own data directly within the product or upload a CSV or JSON file.
What You'll Learn
How to connect to a SIEM from the playbook using a Connection.
How to retrieve events from the SIEM into the playbook using an Event Type.
How to retrieve events from an external tool through Integrations.
Retrieve Events from SIEM through Event Types
A connection links Devo SOAR to a SIEM, and an event type reads the data from that external server through the connection.
To add a connection and event type from the playbook:
Click New Playbook on the left navigation and click New Blank Playbook on the pop-up window.
Click Connect to SIEM. A list of SIEMs opens up on the right pane. Select a SIEM.
First, add an event type to bring data into Devo SOAR. If you have previously created an event type, choose from the drop-down; else, create a new event type.
Next, add a connection to link Devo SOAR and the SIEM. If you have previously created a connection, choose it from the drop-down; else, create a new connection.
In the connection form, enter the credentials to connect to the SIEM and click Next.
Enter the query to bring data into Devo SOAR for analysis and click Run.
Based on the query you entered, a new connection with the event type is created. You can now build the triage steps of your playbook.
You can also add a new connection from the Connections listing page and a new event type from the Event Types listing page.
Retrieve Events from an External Tool through Integrations
Integrations allow you to exchange data with third-party applications.
To connect to an Integration:
Click New Playbook on the left navigation and click New Blank Playbook on the pop-up window.
Click Connect to a Tool. A list of Integrations opens up on the right pane.
For example, choose AWS to establish a connection to AWS.
Choose an existing connection for the AWS integration or create a new one.
Enter the details in the subsequent form and click Run.