Adding a new SIEM connector

Coro integrates with Security Information and Event Management (SIEM) solutions. Coro makes ticket data available in real time within your SIEM platform, so you can analyze and correlate Coro tickets alongside the rest of your security data.

Coro currently supports the following integrations:

Fluency

Fluency is a streaming analytics SIEM platform that delivers risk-prioritized insights from across your environment. Fluency can be integrated with Coro to collect information related to an event, for example, detected malware, or a mass download event.

Configuring a Fluency connector via the Coro console

To configure a Fluency connector:

  1. Sign in to the Coro console and select Control Panel from the toolbar:

    Control Panel

  2. Under Workspace, select Connectors:

    "Connectors"

    Coro displays the Connectors page:

    The Connectors page

  3. Select ADD CONNECTOR.

    Coro displays the Add connector dialog:

    The Fluency Add connector dialog

  4. Enter a Name for the new connector.
  5. Select Fluency from the Format dropdown.
  6. Enter the Listener URL and Token (both retrieved from your SIEM provider).
  7. (Optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

    Apply connector to all customers

    note

    Apply to all customers is applicable to Managed Service Provider (MSP) channel workspaces.

    For further information, see Managing Workspaces.

  8. Select ADD.

    Add Fluency connector

    Coro triggers a test event to verify the configuration. If any configuration settings are incorrect, Coro displays an error:

    Invalid connector configuration

    After successful configuration, Coro displays the new connection with a Connected status:

    Successful Fluency connector configuration

    The connector is added to the channel workspace and to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

    Configuration is complete.

If the SIEM endpoint becomes unavailable after configuration, Coro retries the connection after two hours. If the SIEM endpoint is still unavailable at that point, Coro displays a message in the Messages section of the Coro Actionboard:

Unavailable connector message

If the SIEM service is not connected, Coro displays a Disconnected status:

Failed connector configuration

No events are collected while the SIEM service is disconnected. This commonly happens when the downstream SIEM server is down. Users can retry the connection immediately with the Sync action; otherwise, Coro periodically retries the connection automatically.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

Data returned from SIEM service

note

The event information returned may differ depending on the SIEM provider being used for the connector.

The following example demonstrates the data returned for an Email Phishing ticket:

  • workspaceId : corodevcom_FQCR_b
  • ticketType : emailPhishing

ticketDetails:

  • affectedUser : phisher@externalcoro.demo
  • service : office365Enforcement

locations:

  • ip : 175.45.176.34
  • countryName : North Korea

emailMetadata:

  • subject : Change of Password Required Immediately
  • senderEmail : phisher@externalcoro.demo

recipients:

  • demouser1@coro.net
  • demouser3@coro.net
  • demouser2@coro.net

processedMessages:

  • messageId : demo_phishing_message_id_corodevcom_FQCR_b
  • firstEventTime : 1691595068186
  • lastEventTime : 1691595068186
  • creationTime : 1691595068188
  • processed : true
  • processedTime : 1691595068186
  • ticketTrigger : emailPhishing

note

For further information on connector actions, see SIEM connector actions.

Generic webhook integration

Coro supports the integration of custom webhooks. These can be used to send data (for example, ticket log information) from the Coro console to a specified URL endpoint. This endpoint could be the REST API endpoint for an internal IT system.

The configuration process is similar to that of supported SIEM platforms:

  1. Provide a Name for the new connector.
  2. Select Generic from the Format dropdown.
  3. Enter the external webhook URL in the Listener URL field (retrieved from your organization's internal IT system).
  4. (Optional) To add custom HTTP headers to the requests Coro sends, select + Header. All headers are encrypted before storage.

    Adding an additional header to a connector

  5. Select Add:

    Add generic connector

    note

    The above information is an example.

    After successful configuration, the new generic connection is displayed with a Connected status.

    Successful generic connector configuration

    The connector is added to the channel workspace and to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

    Configuration is complete.

The configured webhook endpoint now receives all events from Coro in real time. All data/metadata related to the event is returned.

Data returned from SIEM service

To learn about SIEM connector actions, see SIEM connector actions.
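As an added example (not Coro's code), the following minimal endpoint for the generic webhook above checks a shared-secret header that is assumed to have been configured with + Header, parses a payload shaped like the Email Phishing example in the Fluency section, and returns a short summary. The header name, secret value, listening port and the JSON nesting of the constructed sample payload are assumptions.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical shared-secret header, set on the Coro side with "+ Header"; the
# header name and value are assumptions here, not something Coro defines.
SECRET_HEADER = "x-webhook-secret"
SECRET_VALUE = "replace-with-a-long-random-value"

# Constructed payload mirroring the page's Email Phishing example (nesting assumed).
SAMPLE_EVENT = json.dumps({
    "workspaceId": "corodevcom_FQCR_b", "ticketType": "emailPhishing",
    "ticketDetails": {
        "affectedUser": "phisher@externalcoro.demo", "service": "office365Enforcement",
        "locations": [{"ip": "175.45.176.34", "countryName": "North Korea"}],
        "emailMetadata": {"subject": "Change of Password Required Immediately",
                          "senderEmail": "phisher@externalcoro.demo",
                          "recipients": ["demouser1@coro.net", "demouser3@coro.net",
                                         "demouser2@coro.net"]}},
    "ticketTrigger": "emailPhishing"}).encode()

def handle_event(headers, body: bytes) -> tuple:
    """Return (HTTP status, summary); header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(SECRET_HEADER, "").encode()
    if not hmac.compare_digest(supplied, SECRET_VALUE.encode()):  # constant-time compare
        return 401, {"error": "missing or wrong webhook secret"}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    details = event.get("ticketDetails", {})
    return 200, {
        "workspaceId": event.get("workspaceId"),
        "ticketType": event.get("ticketType"),
        "affectedUser": details.get("affectedUser"),
        "sourceIps": [loc.get("ip") for loc in details.get("locations", [])],
        "recipientCount": len(details.get("emailMetadata", {}).get("recipients", [])),
    }

class CoroWebhook(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, summary = handle_event(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(summary).encode())

if __name__ == "__main__":  # binds locally; terminate TLS in front of this for real use
    HTTPServer(("127.0.0.1", 8080), CoroWebhook).serve_forever()
```

Because Coro sends every event in real time, the handler only validates and summarizes; any slow processing belongs in a queue behind it.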

Microsoft Sentinel

Microsoft Sentinel offers robust real-time threat detection and response capabilities, seamlessly integrating with existing Microsoft tools. Its cloud-native architecture ensures scalability and flexibility, while AI-driven automation enhances incident analysis. With rich analytics and customizable dashboards, organizations gain deeper insights into security postures, enabling proactive defense against evolving cyber threats.

Microsoft Sentinel can be integrated with Coro to collect information related to an event, for example, detected malware, or a mass download event.

note

Coro first sends SIEM data to Azure Monitor by using the HTTP Data Collector API. This data is then pulled into Microsoft Sentinel.

note

To configure a Microsoft Sentinel connector, your Microsoft 365 account must have admin permissions.

Configuring a Microsoft Sentinel connector via the Coro console

To configure a Microsoft Sentinel connector:

  1. Sign in to the Coro console and select Control Panel from the toolbar:

    Control Panel

  2. Under Workspace, select Connectors:

    "Connectors"

    Coro displays the Connectors page:

    The Connectors page

  3. Select ADD CONNECTOR.

    Coro displays the Add connector dialog:

    The MS Sentinel Add connector dialog

  4. (Required) Enter a Name for the new connector.
  5. Select Azure Sentinel from the Format dropdown.
  6. (Required) Enter a valid Microsoft Workspace ID .
  7. (Required) Enter a valid Primary Key (API key).
  8. Log Type specifies where logs are stored within Microsoft Sentinel. The default value is Coro, but the value can be modified.
  9. (Optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

    Apply connector to all customers

    note

    Apply to all customers is applicable to Managed Service Provider (MSP) channel workspaces.

    For further information, see Managing Workspaces.

  10. Select ADD.

    Add MS Sentinel connector

    Coro triggers a test event to verify the configuration. If any configuration settings are incorrect, Coro displays an error:

    Invalid connector configuration

    After successful configuration, Coro displays the new connection with a Connected status:

    Successful MS Sentinel connector configuration

    Coro adds the connector to the channel workspace and all child workspaces linked to it (provided Apply to all customers was enabled during configuration).

    Configuration is complete.

If the SIEM endpoint becomes unavailable after configuration, Coro retries the connection after two hours. If the SIEM endpoint is still unavailable at that point, Coro displays a message in the Messages section of the Coro Actionboard:

Unavailable connector message

If the SIEM service is not connected, Coro displays a Disconnected status:

Failed connector configuration

No events are collected while the SIEM service is disconnected. This commonly happens when the downstream SIEM server is down. Users can retry the connection immediately with the Sync action; otherwise, Coro periodically retries the connection automatically.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

Data returned from SIEM service

note

The event information returned may differ depending on the SIEM provider being used for the connector.

For an example of the data returned for an Email Phishing ticket, see the example in the Fluency section earlier on this page.

note

For further information on connector actions, see SIEM connector actions.

Splunk

Splunk is a platform designed for collecting, analyzing, and visualizing machine-generated data. It is commonly used for log management, Security Information and Event Management (SIEM), and operational intelligence. Splunk helps organizations process and analyze large volumes of data generated by their systems, applications, and devices.

Integrate Splunk with Coro to collect information related to events, such as detected malware or mass download activity. Splunk uses this information for analytics and reporting.

note

Coro sends SIEM data to Splunk via HTTP event collector (HEC) REST API endpoints.

Important

Turn off Enable indexer acknowledgment when configuring an HEC on the Splunk Cloud Platform:

Enable Indexer Acknowledgment

Configuring a Splunk connector via the Coro console

To configure a Splunk connector:

  1. Sign in to the Coro console and select Control Panel from the toolbar:

    Accessing the Control Panel

  2. Under Workspace, select Connectors:

    "Connectors"

    Coro displays the Connectors page:

    The Connectors page

  3. Select ADD CONNECTOR.

    Coro displays the Add connector dialog:

    The Add connector dialog

  4. Provide a Name for the new connector.
  5. Select Splunk from the Format dropdown.
  6. Enter the Listener URL (retrieved from your SIEM provider).

    Important

    • The Listener URL must be in the format: http(s)://<Public IP address of Splunk>:<port>/services/collector

      Example value: https://192.0.2.0:8088/services/collector

    • The scheme of the Listener URL must match the SSL configuration (Enable SSL option) in your Splunk Cloud Platform HEC settings:

      SSL configuration

      • If Enable SSL is turned on, use https://
      • If Enable SSL is turned off, use http://

    • The port number in the Listener URL must match the HTTP Port Number value in your Splunk Cloud Platform HEC settings:

      HTTP Port Number
  7. Enter the Authorization header (retrieved from your SIEM provider).

    Important

    The Authorization header must be in the format: Splunk <Authorization_token>

    Example value: Splunk 9b30ab7-85bf-4dd5-8fd9-b42bb3a74163


  8. (Optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

    Apply connector to all customers

    note

    Apply to all customers is applicable to Managed Service Provider (MSP) channel workspaces.

    For further information, see Managing Workspaces.

  9. Select ADD.

    Add Splunk connector

    Coro triggers a test event to verify the configuration. If any settings are incorrect, Coro displays an error:

    Invalid connector configuration

    After successful configuration, Coro displays the new connection with a Connected status.

    Successful Splunk connector configuration

    Coro adds the connector to the channel workspace and all child workspaces linked to it, provided Apply to all customers was enabled during configuration.

    Configuration is complete.
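The following added pre-flight check (not Coro's or Splunk's code) applies the Listener URL and Authorization header rules from steps 6 and 7 above and then posts one test event to the HEC endpoint, so a mismatch is found before the connector is added. The URL and token are the page's example values; the event body and sourcetype are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector"


def check_listener_url(url: str, enable_ssl: bool, hec_port: int) -> list:
    """Return the Listener URL rules from the connector steps that `url` violates."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != ("https" if enable_ssl else "http"):
        problems.append(f"scheme {parts.scheme!r} does not match Enable SSL={enable_ssl}")
    if parts.port != hec_port:
        problems.append(f"port {parts.port} does not match HEC HTTP Port Number {hec_port}")
    if parts.path.rstrip("/") != HEC_PATH:
        problems.append(f"path must be {HEC_PATH}, got {parts.path!r}")
    return problems


def check_authorization_header(value: str) -> list:
    """The header must be exactly 'Splunk <token>' (one space, one non-empty token)."""
    fields = value.split(" ")
    if len(fields) != 2 or fields[0] != "Splunk" or not fields[1]:
        return ["Authorization header must be 'Splunk <token>'"]
    return []


def send_test_event(url: str, authorization: str, timeout: float = 5.0) -> dict:
    """POST one event to HEC; a healthy collector replies {"text": "Success", "code": 0}.
    With indexer acknowledgment enabled, HEC instead rejects the post (code 10,
    "Data channel is missing"), which is why this page says to turn that option off."""
    payload = json.dumps({"event": {"source": "coro-connector-preflight", "test": True},
                          "sourcetype": "_json"}).encode()  # constructed test event
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Authorization": authorization,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = "https://192.0.2.0:8088/services/collector"     # example value from this page
    auth = "Splunk 9b30ab7-85bf-4dd5-8fd9-b42bb3a74163"  # example token from this page
    for problem in check_listener_url(url, True, 8088) + check_authorization_header(auth):
        print("FIX:", problem)
    print(send_test_event(url, auth))
```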

If the SIEM endpoint becomes unavailable after the SIEM configuration is created, Coro retries the connection in two hours. If the endpoint is still unavailable, Coro displays a message in the Messages section of the Actionboard:

Unavailable connector message

If the SIEM service is not connected, Coro displays a Disconnected status:

Failed connector configuration

note

Coro does not collect events when the SIEM service is disconnected, which typically occurs if the downstream SIEM server is unavailable. Users can retry the connection by using the Sync action.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

Data returned from SIEM service

note

The SIEM provider used for the connector determines the event information that is returned.

For an example of the data returned for an Email Phishing ticket, see the example in the Fluency section earlier on this page.