Adding a new SIEM connecter¶

Coro has the ability to integrate with Security Information and Event Management (SIEM) solutions. This means that ticket data is available in real time within your SIEM platform, allowing you to maximize these data benefits.

Coro currently supports the following integrations:

• Splunk
• Microsoft Sentinel
• Fluency
• Generic webhook integrations

Splunk¶

Splunk is a leading platform for collecting, analyzing, and visualizing machine-generated data. It is widely used for log management, SIEM, and operational intelligence. Splunk enables organizations to gain valuable insights from the vast amounts of data generated by their systems, applications, and devices.

Splunk can be integrated with Coro in order to collect information related to an event, for example, detected malware, or a mass download event. This information is used for analytics and reporting.

Configuring a Splunk connector via the Coro console¶

To configure a Splunk connector:

1. Log into the Coro console and select Control Panel from the toolbar:

   

2. Under Workspace, select Connectors:

   

   The Connectors page is displayed:

   

3. Select ADD CONNECTOR.

   The Add connector dialog is displayed:

   

4. Provide a Name for the new connector.

5. Select Splunk from the Format dropdown.

6. Enter the Listener URL and Authorization token (both retrieved from your SIEM provider). The authorization header must be in the format: Splunk <authorization_token>.

7. (optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

   

8. Select ADD.

   

   A test event is triggered to ensure the configuration is correct. If any configuration settings are incorrect, an error is displayed:

   

   After successful configuration, the new connection is displayed with a Connected status:

   

   The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

   Configuration is complete.

If, after a SIEM configuration has been created, the SIEM endpoint becomes unavailable Coro will retry the connection in two hours. If the SIEM endpoint remains unavailable after this, a message is displayed in the Messages section of the Coro Actionboard:

If the SIEM service is currently not connected, a Disconnected status is displayed:

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

The following example demonstrates the data returned for an Email Phishing ticket:

• workspaceId: corodevcom_FQCR_b

• ticketType: emailPhishing

ticketDetails:

• affectedUser: phisher@externalcoro.demo

• service: office365Enforcement

locations:

• ip: 175.45.176.34

• countryName: North Korea

emailMetadata:

• subject: Change of Password Required Immediately

• senderEmail: phisher@externalcoro.demo

recipients:

• demouser1@coro.net

• demouser3@coro.net

• demouser2@coro.net

processedMessages:

• messageId: demo_phishing_message_id_corodevcom_FQCR_b

• firstEventTime: 1691595068186

• lastEventTime: 1691595068186

• creationTime: 1691595068188

• processed: true

• processedTime: 1691595068186

• ticketTrigger: emailPhishing

Microsoft Sentinel¶

Microsoft Sentinel offers robust real-time threat detection and response capabilities, seamlessly integrating with existing Microsoft tools. Its cloud-native architecture ensures scalability and flexibility, while AI-driven automation enhances incident analysis. With rich analytics and customizable dashboards, organizations gain deeper insights into security postures, enabling proactive defense against evolving cyber threats.

Microsoft Sentinel can be integrated with Coro in order to collect information related to an event, for example, detected malware, or a mass download event.

Configuring a Microsoft Sentinel connector via the Coro console¶

To configure a Microsoft Sentinel connector:

1. Log into the Coro console and select Control Panel from the toolbar

   

2. Under Workspace, select Connectors:

   

   The Connectors page is displayed:

   

3. Click ADD CONNECTOR.

   The Add connector dialog is displayed:

   

4. Provide a Name for the new connector.

5. Select Azure Sentinel from the Format dropdown.

6. Provide a valid Microsoft Workspace ID.

7. Provide a valid Primary Key (API key).

1. Log Type specifies where logs are stored within Microsoft Sentinel. The default value is Coro, but the value can be modified.

2. (optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

   

3. Select ADD.

   

   A test event is triggered to ensure the configuration is correct. If any configuration settings are incorrect, an error is displayed:

   

   After successful configuration, the new connection is displayed with a Connected status:

   

   The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

   Configuration is complete.

If, after a SIEM configuration has been created, the SIEM endpoint becomes unavailable Coro will retry the connection in two hours. If the SIEM endpoint remains unavailable after this, a message is displayed in the Messages section of the Coro Actionboard:

If the SIEM service is currently not connected, a Disconnected status is displayed:

No events are collected when the SIEM service is disconnected. This commonly happens if the downstream SIEM server is down. Users can retry the connection by using the Sync action, else the connection will periodically retry reconnecting automatically.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

The following example demonstrates the data returned for an Email Phishing ticket:

• workspaceId: corodevcom_FQCR_b

• ticketType: emailPhishing

ticketDetails:

• affectedUser: phisher@externalcoro.demo

• service: office365Enforcement

locations:

• ip: 175.45.176.34

• countryName: North Korea

emailMetadata:

• subject: Change of Password Required Immediately

• senderEmail: phisher@externalcoro.demo

recipients:

• demouser1@coro.net

• demouser3@coro.net

• demouser2@coro.net

processedMessages:

• messageId: demo_phishing_message_id_corodevcom_FQCR_b

• firstEventTime: 1691595068186

• lastEventTime: 1691595068186

• creationTime: 1691595068188

• processed: true

• processedTime: 1691595068186

• ticketTrigger: emailPhishing

Fluency¶

Fluency is a streaming analytics SIEM platform that delivers risk-prioritized insights from across your environment. Fluency can be integrated with Coro in order to collect information related to an event, for example, detected malware, or a mass download event.

Configuring a Fluency connector via the Coro console¶

To configure a Microsoft Sentinel connector:

1. Log into the Coro console and select Control Panel from the toolbar

   

2. Under Workspace, select Connectors:

   

   The Connectors page is displayed:

   

3. Click ADD CONNECTOR.

   The Add connector dialog is displayed:

   

4. Provide a Name for the new connector.

5. Select Fluency from the Format dropdown.

6. Enter the Listener URL and Token (both retrieved from your SIEM provider).

7. (optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

   

8. Select ADD.

   

   A test event is triggered to ensure the configuration is correct. If any configuration settings are incorrect, an error is displayed:

   

   After successful configuration, the new connection is displayed with a Connected status:

   

   The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

   Configuration is complete.

If, after a SIEM configuration has been created, the SIEM endpoint becomes unavailable Coro will retry the connection in two hours. If the SIEM endpoint remains unavailable after this, a message is displayed in the Messages section of the Coro Actionboard:

If the SIEM service is currently not connected, a Disconnected status is displayed:

No events are collected when the SIEM service is disconnected. This commonly happens if the downstream SIEM server is down. Users can retry the connection by using the Sync action, else the connection will periodically retry reconnecting automatically.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

The following example demonstrates the data returned for an Email Phishing ticket:

• workspaceId: corodevcom_FQCR_b

• ticketType: emailPhishing

ticketDetails:

• affectedUser: phisher@externalcoro.demo

• service: office365Enforcement

locations:

• ip: 175.45.176.34

• countryName: North Korea

emailMetadata:

• subject: Change of Password Required Immediately

• senderEmail: phisher@externalcoro.demo

recipients:

• demouser1@coro.net

• demouser3@coro.net

• demouser2@coro.net

processedMessages:

• messageId: demo_phishing_message_id_corodevcom_FQCR_b

• firstEventTime: 1691595068186

• lastEventTime: 1691595068186

• creationTime: 1691595068188

• processed: true

• processedTime: 1691595068186

• ticketTrigger: emailPhishing

Generic webhook integration¶

Coro supports the integration of custom webhooks. These can be used to send data (for example, ticket log information) from the Coro Console tog a specified URL endpoint. This endpoint could be the REST API endpoint for an internal IT system.

The configuration process is similar to that of supported SIEM platforms:

1. Provide a Name for the new connector.

2. Select Generic from the Format dropdown.

3. Enter an external webhook into the Listener URL field (retrieved from your organization’s internal IT system.)

4. (Optional) headers can be applied by selecting + Header. All headers are encrypted before storage.

   

5. Select Add.

   

   Note

   The above information is an example.

   After successful configuration, the new generic connection is displayed with a Connected status.

   

   The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

   Configuration is complete.

The configured webhook endpoint will now receive all events from Coro in real time. All data/metadata related to the event is returned.

To learn about SIEM connector actions, see SIEM connector actions.