Integrate your Layerlog Cloud SIEM with Siemplify to automatically remediate incidents identified by Layerlog Cloud SIEM and increase observability into incident details.
Siemplify is an industry-leading Security Orchestration, Automation & Response (SOAR) solution that gives SOC teams the ability to manage Security Operations from a single platform.
Advantages of the Layerlog <> Siemplify integration
- Siemplify can automatically fetch Layerlog security events as new cases. If you prefer to be selective about event fetching, filter Layerlog security events by rule severity and/or rule name. Retroactive fetching is fully supported.
- Siemplify playbooks can trigger automated responses to cases originating in security events identified by Layerlog.
- Get event details for a specific case. Any Siemplify playbook can use Layerlog actions to increase observability by querying logs for additional details. Siemplify users can run log queries on their Layerlog data within Siemplify playbook actions and investigate events directly from the Siemplify interface.
- Implement the out-of-the-box Layerlog Indicator Hunting Playbook for guidance and best practices on conducting an investigation.
Setting up the integration in Siemplify
Before you begin, you’ll need:
- An active account with Siemplify.
- An active account with Layerlog.
- A valid Layerlog API token. Contact support if your account doesn’t have one.
Add a Layerlog instance to your Siemplify workspace
To set up an integration with Layerlog as a Default Environment, you can add Layerlog directly from the Siemplify Marketplace.
In Siemplify, open the Marketplace and search for Layerlog. Select the cogwheel to configure a new instance.

Alternatively, if you prefer to add Layerlog as a Shared Instance, select the cogwheel > Integrations from the top right menu. Select Shared Instance from the left menu, then select the plus ➕ to add a new instance. Select the Layerlog integration and save.

Configure a Custom Trigger for the Siemplify playbook
Each playbook starts with a custom trigger from an incoming alert.
To associate your playbook with a specific Layerlog alert, you need to initialize this trigger with the relevant Layerlog alert parameters and conditions in the first action panel of the playbook.
For incoming Layerlog alerts, the event trigger is [Event.event_name] Equals <title of a specific alert>.
- In the playbook, click Custom Trigger.
- Set the first placeholder to [Event.event_name] and select the = operator.
- Enter the specific Layerlog alert title that will trigger the playbook, and Save the trigger.
- Your configured Custom Trigger is ready to activate a playbook.

Fill in the Layerlog integration panel
- Layerlog Security Token - Enter the API token for your selected Security account.
- Layerlog Region - Enter the 2-letter region code for your Layerlog account. Look up your Layerlog account region code.
- Layerlog Operations Token - Enter the token for your selected Log Management account.
- Layerlog Custom Endpoint - (Optional) Only relevant if you use a custom URL with the Layerlog API.
  - Enter the base URL, without the direct path to the method.
  - Relevant only if your Layerlog endpoint is NOT in the standard format of api(region_code).layerlog.com/.
  - Overrides logzio_region.
- Test your connection and save it!

Create the Layerlog connector
Configure the Layerlog connector LOGZ.IO fetch-security-events to create cases in your Siemplify workspace from Layerlog security events.
Layerlog writes a security event log whenever a security rule triggers in your Layerlog Cloud SIEM account. The event log contains details about the rule that was triggered and the conditions it met.

- Configure the connector to open new Siemplify cases based on security events triggered in Layerlog Cloud SIEM. You can use the filtering options to be selective about the events. Set the Run Every field to at least 30 seconds.
- Enable the connector.
- Save the connector. Siemplify will now fetch security events from Layerlog and open new cases accordingly. If you have configured retroactive fetching, many cases may be created at once when you first enable the connector.

Use Layerlog Actions and Playbooks
The Layerlog integration offers a sample indicator hunting playbook for Siemplify. The playbook can be used to investigate and hunt Indicators of Compromise (IOCs), such as file hashes, suspicious IP addresses, domains, and URLs.
The playbook makes use of Layerlog actions that investigate events and output related information concerning the events, including involved users, IP addresses, host names, etc. that can be used to further research the indicators. Learn more about investigating security events in Layerlog and by API.

Layerlog Actions for Siemplify
Logzio-search-logs
Searches the logs in your Layerlog Operations account using the Layerlog log search API. Upon success, returns the logs that match the query as a paginated list in JSON format.
```
{
  "results": [
    {
      #log
    },
    ....
    {
      #log
    }
  ]
}
```
- Script timeout: 30 seconds
- Parameters extracted from the integration: logzio_operations_token, logzio_region, logzio_custom_endopoint
If the timeframe for your search exceeds 48 hours, the search is only applied to the first 48 hours of that timeframe.
| Parameter | Type | Required/Default | Description |
|---|---|---|---|
| from_time | String | Required | Earliest time to search. Accepts any format supported by the dateparser Python library. Examples include Unix timestamps in milliseconds, relative time such as yesterday or 24 hours ago, or the format %Y-%m-%dT%H:%M:%S.%f. |
| to_time | String | -- | Latest time to search. (Leave blank if relative time was used for the parameter from_time.) |
| query | String | * | A search query written in valid Lucene syntax. Cannot be null - send a wildcard (*) if not using a search query. For more info and limitations, see the Layerlog log search API documentation. |
| size | String | -- | Number of log results per query. Limited to 1000 logs. |
Logzio-get-logs-by-event-id
Fetches the logs that triggered a security event using the Layerlog Cloud SIEM API. Upon success, returns the logs that match the query as a paginated list in JSON format.
```
{
  "results": [
    {
      #log
    },
    ....
    {
      #log
    }
  ]
}
```
- Script timeout: 30 seconds
- Parameters extracted from the integration: logzio_operations_token, logzio_region, logzio_custom_endopoint
| Parameter | Type | Required/Default | Description |
|---|---|---|---|
| alert_event_id | String | Required | Unique GUID of the security event in your Layerlog security account. This is the ID of the event you want to investigate. |
| page_size | String | 25 | Controls the number of results per page. Valid inputs are 1 to 1000. Defaults to 25. |
Json-adapter
Converts logs from your Layerlog accounts into a constant JSON format that is compatible with Siemplify’s playbooks. Receives fields to search, and a json to search them in.
The json must be received in the following format:
```
{
  "results": [
    {
      #log
    },
    .....
  ]
}
```
If the fields exist in the json, it returns them in the following format:
```
{
  "results": [
    {
      "entityType": "field_from_json",
      "entityIdentifier": "value_from_json"
    },
    .....
  ]
}
```
- Script timeout: 30 seconds
| Parameter | Type | Required/Default | Description |
|---|---|---|---|
| fields_to_search | String | Required | Comma separated list of fields to search within the JSON. |
| raw_json | String | Required | Raw data in JSON format that is to be searched. |
Ping
Pings Layerlog to test and validate connectivity to both your Layerlog security and operations accounts using the Layerlog API.
- Script timeout: 20 seconds.
- Parameters extracted from the integration:
logzio_security_token, logzio_operations_token, logzio_region, logzio_custom_endopoint
Initializing the Layerlog playbook in Siemplify
Add the Layerlog Playbook
In your Siemplify workspace, import the playbook Layerlog Indicator Hunting.
The playbook makes use of the following actions:
- logzio-search-logs
- logzio Json-adapter
- Trigger - custom value
- Blocks
- Previous action conditions
- Instruction
- Case tag
- Create entity relationship
Initialize the block parameters
The playbook offers four use cases (branches), each specific to a single indicator type: hash, URL, IP, and domain.

Configure the input parameter that will initialize the playbook.
| Action | Field | Description |
|---|---|---|
| Hash_initialize_block | PB_Hash | Initializes hash input parameters |
| URL_initialize_block | PB_Url | Initializes URL input parameters |
| IP_initialize_block | PB_IP | Initializes IP input parameters |
| Domain_initialize_block | PB_Domain | Initializes domain input parameters |

Initialize the json-adapter parameters
Whenever the initializing block is triggered, the Logzio-search-logs action will automatically run a search query in your Layerlog account for logs that match the output of the initializing block.
The action returns an array of relevant logs that matched the query in JSON format. The results are designed to help SOC analysts investigate the context surrounding the indicator.
The Logzio-json-adapter action translates Layerlog output into entities that conform to the Siemplify schema and can be reused by any Siemplify playbook and action.
In the example below, the action searches for sourceHostName in all the logs and extracts the results to a Siemplify entity.
You can provide more than 1 field, regardless of the log type.
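The field-to-entity conversion described here and under Json-adapter above, as an added Python example that is not the integration's own code: `json_adapter` takes the action's `fields_to_search` and `raw_json` inputs and returns entities in the `entityType`/`entityIdentifier` shape the page documents. The sample logs are constructed, and dotted-path field lookup is an assumption that goes beyond what the page states.

```python
import json
from typing import Any

# Constructed sample of a Logzio-search-logs result (not real data).
SAMPLE_RAW_JSON = json.dumps({
    "results": [
        {"sourceHostName": "ws-finance-07", "user": "jdoe", "hash": "deadbeef"},
        {"sourceHostName": "ws-finance-12", "user": "asmith"},
        {"user": "svc-backup"},  # no sourceHostName: skipped, not an error
    ]
})


def _lookup(log: dict, field: str) -> Any:
    """Value at a top-level key or dotted path, or None if absent.
    Dotted-path support is an assumption; the page only says
    'fields to search within the JSON'."""
    node: Any = log
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def json_adapter(fields_to_search: str, raw_json: str) -> dict:
    """Mirror the Json-adapter contract: comma-separated field list plus a
    {"results": [...]} document in, Siemplify-style entities out."""
    data = json.loads(raw_json)
    results = data.get("results") if isinstance(data, dict) else None
    if not isinstance(results, list):
        raise ValueError('raw_json must be an object with a "results" array')
    fields = [f.strip() for f in fields_to_search.split(",") if f.strip()]
    if not fields:
        raise ValueError("fields_to_search must name at least one field")
    entities = []
    for log in results:
        if not isinstance(log, dict):
            continue
        for field in fields:
            value = _lookup(log, field)
            if value is None:
                continue  # field missing from this log: nothing to emit
            entities.append({"entityType": field, "entityIdentifier": str(value)})
    return {"results": entities}


if __name__ == "__main__":
    print(json.dumps(json_adapter("sourceHostName, user", SAMPLE_RAW_JSON), indent=2))
```

Running it with `sourceHostName` alone yields the two hostnames as entities, while the third log, which lacks the field, contributes nothing.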

Investigate the indicator
In our example, the playbook ran an action to extract the field sourceHostName from all logs. As a result, the playbook identified another hostname affected by the same hash indicator. The red color indicates that the new station is involved and was discovered by the playbook.

Repeat for other indicator types
The Layerlog Indicator Hunting Playbook can help you track several indicator types. You’ll need to repeat the process to initialize the playbook for each indicator type, as relevant.
The set of actions for each branch is indicator-specific, yet equivalent across branches.