Adding a new SIEM connector

Coro can integrate with Security Information and Event Management (SIEM) solutions. This means that ticket data is available in real time within your SIEM platform, allowing you to make full use of that data for correlation, analytics, and reporting.

Coro currently supports the following integrations:

note

Additional integrations are planned to be supported in the future.

Splunk

Splunk is a leading platform for collecting, analyzing, and visualizing machine-generated data. It is widely used for log management, SIEM, and operational intelligence. Splunk enables organizations to gain valuable insights from the vast amounts of data generated by their systems, applications, and devices.

Splunk can be integrated with Coro in order to collect information related to an event, for example, detected malware, or a mass download event. This information is used for analytics and reporting.

note

Coro sends SIEM data to Splunk via HTTP Event Collector REST API endpoints.

Configuring a Splunk connector via the Coro console

To configure a Splunk connector:

  1. Log into the Coro console and select Control Panel from the toolbar:

    Accessing the Control Panel

  2. Under Workspace, select Connectors:

    "Connectors"

    The Connectors page is displayed:

    The Connectors page

  3. Select ADD CONNECTOR.

    The Add connector dialog is displayed:

    The Add connector dialog

  4. Provide a Name for the new connector.
  5. Select Splunk from the Format dropdown.
  6. Enter the Listener URL and Authorization token (both retrieved from your SIEM provider). The authorization header must be in the format: Splunk <authorization_token>.
  7. (optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

    Apply connector to all customers

  8. Select ADD.

    Add Splunk connector

    A test event is triggered to ensure the configuration is correct. If any configuration settings are incorrect, an error is displayed:

    Invalid connector configuration

    After successful configuration, the new connection is displayed with a Connected status:

    Successful Splunk connector configuration

    The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

    Configuration is complete.
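The following added example (not Coro's own code, and not part of the original page) shows what the Listener URL and Authorization token from step 6 turn into on the wire: a POST to the Splunk HTTP Event Collector with an Authorization header of the form Splunk <token>. It is useful for checking a token and listener URL independently of the console's test event. The HEC endpoint path, the listener host and the token are assumptions or placeholders, and SAMPLE_EVENT is constructed from the Email Phishing example further down this page.

```python
"""Build (and optionally send) a Splunk HTTP Event Collector request for a Coro ticket.

Added example, not Coro's own code. It assumes the HEC endpoint path
/services/collector/event and the 'Authorization: Splunk <token>' header the page
describes; the listener URL and token below are placeholders, and SAMPLE_EVENT is
constructed from the page's Email Phishing example.
"""
import json
import urllib.request

HEC_EVENT_PATH = "/services/collector/event"

# Constructed sample, loosely following the ticket fields shown on the page.
SAMPLE_EVENT = {
    "workspaceId": "corodevcom FQCR b",
    "ticketType": "emailPhishing",
    "ticketDetails": {"affectedUser": "phisher@externalcoro.demo",
                      "service": "office365Enforcement"},
    "firstEventTime": 1691595068186,
}


def build_hec_request(listener_url: str, token: str, event: dict,
                      source: str = "coro",
                      allow_plain_http: bool = False) -> urllib.request.Request:
    """Return a prepared, unsent POST for one event.

    The token is the raw HEC token: the 'Splunk ' scheme prefix is added here,
    so a value that already carries it is rejected instead of being doubled.
    """
    if not token or token.startswith("Splunk "):
        raise ValueError("token must be the bare HEC token without the 'Splunk ' prefix")
    url = listener_url.rstrip("/")
    if not url.endswith(HEC_EVENT_PATH):
        url += HEC_EVENT_PATH          # accept either the host or the full HEC URL
    if url.startswith("http://") and not allow_plain_http:
        raise ValueError("HEC token would be sent in clear text; use https://")
    # HEC expects the payload wrapped in an envelope; sourcetype _json lets
    # Splunk extract the nested ticket fields at search time.
    envelope = {"event": event, "sourcetype": "_json", "source": source}
    body = json.dumps(envelope).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def send_event(req: urllib.request.Request, timeout: float = 10.0) -> dict:
    """Deliver the request; HEC answers {"text": "Success", "code": 0} on acceptance."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    req = build_hec_request("https://splunk.example.invalid:8088",   # placeholder listener
                            "PLACEHOLDER-HEC-TOKEN", SAMPLE_EVENT)   # placeholder token
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print(req.data.decode("utf-8"))
    # send_event(req) would post it to a real listener
```

Pasting a value that already starts with "Splunk " into the token field produces a doubled prefix and an authentication failure at the listener, which is the most common cause of the "invalid connector configuration" error shown below; the builder rejects that case early.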

If, after a SIEM configuration has been created, the SIEM endpoint becomes unavailable, Coro retries the connection in two hours. If the SIEM endpoint remains unavailable after this, a message is displayed in the Messages section of the Coro Actionboard:

Unavailable connector message

If the SIEM service is currently not connected, a Disconnected status is displayed:

Failed connector configuration

note

No events are collected when the SIEM service is disconnected. This commonly happens if the downstream SIEM server is down. Users can retry the connection by using the Sync action.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

Data returned from SIEM service

note

The event information returned may differ depending on the SIEM provider being used for the connector.

The following example demonstrates the data returned for an Email Phishing ticket:

  • workspaceId : corodevcom FQCR b
  • ticketType : emailPhishing

ticketDetails:

  • affectedUser : phisher@externalcoro.demo
  • service : office365Enforcement

locations:

  • ip : 175.45.176.34
  • countryName : North Korea

emailMetadata:

  • subject : Change of Password Required Immediately
  • senderEmail : phisher@externalcoro.demo

recipients:

  • demouser1@coro.net
  • demouser3@coro.net
  • demouser2@coro.net

processedMessages:

  • messageId : demo phishing message id corodevcom FQCR b
  • firstEventTime : 1691595068186
  • lastEventTime : 1691595068186
  • creationTime : 1691595068188
  • processed : true
  • processedTime : 1691595068186
  • ticketTrigger : emailPhishing

Microsoft Sentinel

Microsoft Sentinel offers robust real-time threat detection and response capabilities, seamlessly integrating with existing Microsoft tools. Its cloud-native architecture ensures scalability and flexibility, while AI-driven automation enhances incident analysis. With rich analytics and customizable dashboards, organizations gain deeper insights into security postures, enabling proactive defense against evolving cyber threats.

Microsoft Sentinel can be integrated with Coro in order to collect information related to an event, for example, detected malware, or a mass download event.

note

Coro first sends SIEM data to Azure Monitor by using the HTTP Data Collector API. This data is then pulled into Microsoft Sentinel.

note

To configure a Microsoft Sentinel connector, your Microsoft 365 account must have admin permissions.

Configuring a Microsoft Sentinel connector via the Coro console

To configure a Microsoft Sentinel connector:

  1. Log into the Coro console and select Control Panel from the toolbar

    Control Panel

  2. Under Workspace, select Connectors:

    "Connectors"

    The Connectors page is displayed:

    The Connectors page

  3. Click ADD CONNECTOR.

    The Add connector dialog is displayed:

    The MS Sentinel Add connector dialog

  4. Provide a Name for the new connector.
  5. Select Azure Sentinel from the Format dropdown.
  6. Provide a valid Microsoft Workspace ID.
  7. Provide a valid Primary Key (API key).

note

Name, Workspace ID, and Primary Key are required fields.

  8. Log Type specifies where logs are stored within Microsoft Sentinel. The default value is Coro, but the value can be modified.
  9. (optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

    Apply connector to all customers

  10. Select ADD.

    Add MS Sentinel connector

    A test event is triggered to ensure the configuration is correct. If any configuration settings are incorrect, an error is displayed:

    Invalid connector configuration

    After successful configuration, the new connection is displayed with a Connected status:

    Successful MS Sentinel connector configuration

    The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

    Configuration is complete.

If, after a SIEM configuration has been created, the SIEM endpoint becomes unavailable, Coro retries the connection in two hours. If the SIEM endpoint remains unavailable after this, a message is displayed in the Messages section of the Coro Actionboard:

Unavailable connector message

If the SIEM service is currently not connected, a Disconnected status is displayed:

Failed connector configuration

No events are collected when the SIEM service is disconnected. This commonly happens if the downstream SIEM server is down. Users can retry the connection with the Sync action; otherwise, the connection is retried periodically and automatically.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

Data returned from SIEM service

note

The event information returned may differ depending on the SIEM provider being used for the connector.

The following example demonstrates the data returned for an Email Phishing ticket:

  • workspaceId : corodevcom FQCR b
  • ticketType : emailPhishing

ticketDetails:

  • affectedUser : phisher@externalcoro.demo
  • service : office365Enforcement

locations:

  • ip : 175.45.176.34
  • countryName : North Korea

emailMetadata:

  • subject : Change of Password Required Immediately
  • senderEmail : phisher@externalcoro.demo

recipients:

  • demouser1@coro.net
  • demouser3@coro.net
  • demouser2@coro.net

processedMessages:

  • messageId : demo phishing message id corodevcom FQCR b
  • firstEventTime : 1691595068186
  • lastEventTime : 1691595068186
  • creationTime : 1691595068188
  • processed : true
  • processedTime : 1691595068186
  • ticketTrigger : emailPhishing

note

For further information on connector actions, see Connector Actions.

Fluency

Fluency is a streaming analytics SIEM platform that delivers risk-prioritized insights from across your environment. Fluency can be integrated with Coro in order to collect information related to an event, for example, detected malware, or a mass download event.

Configuring a Fluency connector via the Coro console

To configure a Fluency connector:

  1. Log into the Coro console and select Control Panel from the toolbar

    Control Panel

  2. Under Workspace, select Connectors:

    "Connectors"

    The Connectors page is displayed:

    The Connectors page

  3. Click ADD CONNECTOR.

    The Add connector dialog is displayed:

    The Fluency Add connector dialog

  4. Provide a Name for the new connector.
  5. Select Fluency from the Format dropdown.
  6. Enter the Listener URL and Token (both retrieved from your SIEM provider).
  7. (optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.

    Apply connector to all customers

  8. Select ADD.

    Add Fluency connector

    A test event is triggered to ensure the configuration is correct. If any configuration settings are incorrect, an error is displayed:

    Invalid connector configuration

    After successful configuration, the new connection is displayed with a Connected status:

    Successful Fluency connector configuration

    The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

    Configuration is complete.

If, after a SIEM configuration has been created, the SIEM endpoint becomes unavailable, Coro retries the connection in two hours. If the SIEM endpoint remains unavailable after this, a message is displayed in the Messages section of the Coro Actionboard:

Unavailable connector message

If the SIEM service is currently not connected, a Disconnected status is displayed:

Failed connector configuration

No events are collected when the SIEM service is disconnected. This commonly happens if the downstream SIEM server is down. Users can retry the connection with the Sync action; otherwise, the connection is retried periodically and automatically.

Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:

Data returned from SIEM service

note

The event information returned may differ depending on the SIEM provider being used for the connector.

The following example demonstrates the data returned for an Email Phishing ticket:

  • workspaceId : corodevcom FQCR b
  • ticketType : emailPhishing

ticketDetails:

  • affectedUser : phisher@externalcoro.demo
  • service : office365Enforcement

locations:

  • ip : 175.45.176.34
  • countryName : North Korea

emailMetadata:

  • subject : Change of Password Required Immediately
  • senderEmail : phisher@externalcoro.demo

recipients:

  • demouser1@coro.net
  • demouser3@coro.net
  • demouser2@coro.net

processedMessages:

  • messageId : demo phishing message id corodevcom FQCR b
  • firstEventTime : 1691595068186
  • lastEventTime : 1691595068186
  • creationTime : 1691595068188
  • processed : true
  • processedTime : 1691595068186
  • ticketTrigger : emailPhishing

note

For further information on connector actions, see Connector Actions.

Generic webhook integration

Coro supports the integration of custom webhooks. These can be used to send data (for example, ticket log information) from the Coro Console to a specified URL endpoint. This endpoint could be the REST API endpoint of an internal IT system.

The configuration process is similar to that of supported SIEM platforms:

  1. Provide a Name for the new connector.
  2. Select Generic from the Format dropdown.
  3. Enter an external webhook into the Listener URL field (retrieved from your organization's internal IT system).
  4. (Optional) Add headers by selecting + Header. All headers are encrypted before storage.

    Adding an additional header to a connector

  5. Select Add.

    Add generic connector

    note

    The above information is an example.

    After successful configuration, the new generic connection is displayed with a Connected status.

    Successful generic connector configuration

    The connector is added to the channel workspace as well as to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).

    Configuration is complete.

The configured webhook endpoint will now receive all events from Coro in real time. All data/metadata related to the event is returned.

Data returned from SIEM service
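The receiving side of a generic webhook is the part this page leaves to you. The added example below (not Coro's own code, and not part of the original page) is a minimal endpoint that uses one of the encrypted headers from step 4 as a shared secret, rejects anything that does not present it, and reduces an incoming ticket to the fields an analyst triages first. The header name X-Coro-Token, the nesting of the ticket JSON and the sample ticket itself are assumptions constructed from the Email Phishing example shown for the SIEM connectors above; the epoch-millisecond timestamps are converted to UTC ISO 8601.

```python
"""Minimal receiver for Coro's generic webhook connector.

Added example, not Coro's own code. It assumes the connector was configured with an
extra header named X-Coro-Token (the name is an assumption; any header set via
'+ Header' works) and that events arrive as a JSON object nested as in SAMPLE_TICKET,
which is constructed from the Email Phishing example on the page.
"""
import hmac
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "replace-with-a-long-random-secret"   # placeholder shared secret
TOKEN_HEADER = "X-Coro-Token"                          # assumed header name
MAX_BODY = 1_000_000                                   # refuse oversized posts

SAMPLE_TICKET = {  # constructed; the nesting is an assumption
    "workspaceId": "corodevcom FQCR b",
    "ticketType": "emailPhishing",
    "ticketDetails": {
        "affectedUser": "phisher@externalcoro.demo",
        "service": "office365Enforcement",
        "locations": [{"ip": "175.45.176.34", "countryName": "North Korea"}],
        "emailMetadata": {
            "subject": "Change of Password Required Immediately",
            "senderEmail": "phisher@externalcoro.demo",
            "recipients": ["demouser1@coro.net", "demouser3@coro.net", "demouser2@coro.net"],
        },
    },
    "firstEventTime": 1691595068186,
    "lastEventTime": 1691595068186,
}
SAMPLE_BODY = json.dumps(SAMPLE_TICKET).encode("utf-8")


def authorized(headers, expected: str = EXPECTED_TOKEN) -> bool:
    """Constant-time comparison of the presented header against the shared secret."""
    presented = headers.get(TOKEN_HEADER, "") or ""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def ms_to_iso(ms: int) -> str:
    """Coro timestamps are epoch milliseconds; render them as UTC ISO 8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(timespec="seconds")


def summarize_ticket(body: bytes) -> dict:
    """Parse one event and pull out the triage fields; ValueError on malformed input."""
    try:
        event = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError) as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(event, dict) or "ticketType" not in event:
        raise ValueError("missing ticketType")
    details = event.get("ticketDetails") or {}
    meta = details.get("emailMetadata") or {}
    locations = details.get("locations") or []
    return {
        "workspaceId": event.get("workspaceId"),
        "ticketType": event["ticketType"],
        "affectedUser": details.get("affectedUser"),
        "senderEmail": meta.get("senderEmail"),
        "recipients": list(meta.get("recipients") or []),
        "sourceIps": [loc.get("ip") for loc in locations],
        "firstEventTime": ms_to_iso(event["firstEventTime"]) if "firstEventTime" in event else None,
    }


class CoroWebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not authorized(self.headers):
            self.send_error(401, "bad or missing token")
            return
        length = int(self.headers.get("Content-Length", "0") or 0)
        if length <= 0 or length > MAX_BODY:
            self.send_error(413 if length > MAX_BODY else 400)
            return
        try:
            summary = summarize_ticket(self.rfile.read(length))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        print(json.dumps(summary))   # stand-in for forwarding to ticketing or alerting
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the default access log quiet
        pass


if __name__ == "__main__":
    print(json.dumps(summarize_ticket(SAMPLE_BODY), indent=2))
    HTTPServer(("127.0.0.1", 8080), CoroWebhookHandler).serve_forever()
```

Run it and point the connector's Listener URL at a TLS terminator in front of it; the console's test event should then appear as one summary line, and a request without the configured header is answered with 401 rather than processed.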

To learn about SIEM connector actions, see SIEM connector actions.