Automating Security for Observability: Cortex XSOAR & Logz.io

Automating security with Cortex XSOAR & Logz.io

Managing a complex microservice-based architecture requires defending multiple endpoints. Automating security covers a vast amount of tools and methodologies, so making sure they all communicate is critical. Additionally, tool sprawl in any aspect of DevOps requires putting automation to good use. The Logz.io Cloud-Based SIEM focuses on identifying threats. To optimize its effectiveness, we have negotiated and built out multiple integrations tying complementary tools together. Recently, Logz.io launched a collaboration with the Palo Alto Networks Cortex XSOAR (a.k.a and formerly Demisto).

Cortex XSOAR is a SOAR platform that combines many automated tools and iterations investigation of attacks, severity calculation, incident lifecycle and incident management.

What is a SOAR? What is a SIEM?

SOARs get their name because they manage Security Orchestration, Automation, and Response to these events. There are many on the market today, all with varying degrees of ability and their own best use cases. Regardless, many teams opt for or are compelled to use integrations with many tools.

Logz.io Cloud SIEM

The Logz.io Cloud SIEM is designed to automate the connection between security and observability elements like logs. It’s built on top of open source tools like the ELK Stack and fuses with security-focused tools like Suricata, OSSEC, Falco, and Wazuh.

By using the threat intelligence of a dozen feeds, security dashboards and reports outlining the present risks that it spots. Automating security via threat detection, it brings to bear a series of security rules for each tool’s respective logs. Cloud SIEM then sifts through the data to identify and separate IPs by attacker and kinds of suspicious activity.

Logz.io Cloud SIEM puts these features to use on its own and in conjunction with other tools. One of those tandems is with Cortex XSOAR. Namely, the SIEM adds quite a bit of strength to Cortex XSOAR’s own capabilities. Then, Cortex XSOAR uses that richer data when it applies its response playbooks.

Cortex XSOAR (formerly Demisto)

Cortex XSOAR can organize alerts from many tools like Logz.io Cloud SIEM into one feed. But beyond that, it deploys specific playbooks for each alert (called an “Incident” in Cortex XSOAR) depending on its origin.

A playbook, as you might have guessed, lays out a prefab and automatic response plan to specific incidents. That plan will likely look different from tool to tool, even if they detect similar incidents like data breaches or malicious IP contact.

Cortex XSOAR automates up to 95 percent of all response options, reserving teams’ energy for the most critical cases. Cortex XSOAR playbooks automatically prioritize which Alerts and Incidents get teams’ attention.

Each playbook can be configured to automatically detect issues in two-way communication between Logz.io Alerts and Cortex XSOAR incidents.The idea is to make the analyst’s job easier. This automates mundane tasks to save time for the respective analyst.

This post will cover Logz.io’s pairing with Cortex XSOAR, how to set it up, and use cases for the two tools in tandem.

Automating Security Investigations: Linking Logz.io and Cortex XSOAR

Cortex XSOAR and Logz.io architecture for automating security

The pipeline we need puts Logz.io in front of Cortex XSOAR. Logz.io has to create security events, but then Cortex XSOAR has to automatically respond to these events with quick investigation and remediation.

Logz.io will monitor your environment and alert you to security events. Then, Cortex XSOAR will provide you the next step in your investigation and propose tactical responses.

To create a Logz.io instance in Cortex XSOAR platform, go to Settings > Integrations in Cortex XSOAR and select Logz.io. Click the cog, configure a new instance, and finally open the integration panel.

At this point, all triggered alerts from Logz.io will appear in a list on your Cortex XSOAR Incident page. Here, you can reset the time frame for log collection and filter by the logs’ respective timestamps.

Every Incident contains a unique input query ID and a more extensive hoard of output data. That output will include the logs relevant to the triggered alert and their fields. Whenever an alert comes into Demisto, it opens a new Incident report, which includes source instance, severity and the source brand.

Use Case: Malware Detection

In every security incident, we have the option to gather all the relevant data in one place to solve it as fast as we can. For example, consider a Logz.io customer receiving an alert from his SIEM with some kind of EDR (such as SentinelOne or Mcafee) saying a new malware has been detected.

Now, the security analyst needs to investigate that Alert. He or she must inspect the data related to the Alert in order to respond and classify the event.

The integration with Cortex XSOAR transfers your Cloud SIEM Alerts directly to Cortex XSOAR where they are registered as Incidents.

Then, Cortex XSOAR launches an automated, prefabricated playbook. Inside those playbooks you can use Logz.io commands to either:

Fetch the logs relevant to the Alert from the Logz.io database (brute force, for example), or
Query Logz.io from Cortex XSOAR in order to locate more related data in your Logz.io Database as part of your investigation (to find out if other machines in our environment were infected that we didn’t know about or to find older, but related security episodes).

Those commands we implemented will reduce the time needed to investigate, classify and respond to breaches or attacks.

Conclusion

Automating security with the connection between Logz.io Cloud SIEM and a SOAR tool, in this case Cortex XSOAR, will make investigations shorter. It’s an effective cyber security cost management strategy (in budgets, time, energy, and team focus) to connect these two services combines the power of SIEM detection with SOAR response, with the advantage of security rules and feeds from both services.

The integration with Logz.io strengthens Cortex XSOAR’s responses, while in turn the integration with Cortex XSOAR further prioritizes your Logz.io security logs in combing through security events. Being able to retain both tools and utilize their complementary strengths is a massive advantage for any software backend.