Adding a new SIEM connector
Coro integrates with Security Information and Event Management (SIEM) solutions. Coro makes ticket data available in real time within your SIEM platform, so you can analyze and act on it alongside your other security data.
Coro currently supports the following integrations:
Fluency
Fluency is a streaming analytics SIEM platform that delivers risk-prioritized insights from across your environment. Fluency can be integrated with Coro to collect information related to an event, for example, detected malware, or a mass download event.
Configuring a Fluency connector via the Coro console
To configure a Fluency connector:
- Sign in to the Coro console and select Control Panel from the toolbar.
- Under Workspace, select Connectors.
Coro displays the Connectors page:
- Select ADD CONNECTOR.
Coro displays the Add connector dialog:
- Enter a Name for the new connector.
- Select Fluency from the Format dropdown.
- Enter the Listener URL and Token (both retrieved from your SIEM provider).
- (Optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.
note
Apply to all customers is applicable to Managed Service Provider (MSP) channel workspaces.
For further information, see Managing Workspaces.
- Select ADD.
Coro triggers a test event to verify the configuration. If any configuration settings are incorrect, Coro displays an error:
After successful configuration, Coro displays the new connection with a Connected status:
The connector is added to the channel workspace and to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).
Configuration is complete.
If the SIEM endpoint becomes unavailable after the configuration, Coro retries the connection in two hours. If the SIEM endpoint remains unavailable after this, Coro displays a message in the Messages section of the Coro Actionboard:
If the SIEM service is not connected, Coro displays a Disconnected status:
No events are collected while the SIEM service is disconnected. This commonly happens when the downstream SIEM server is down. You can retry the connection by using the Sync action; otherwise, the connection periodically tries to reconnect automatically.
Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:
note
The event information returned may differ depending on the SIEM provider being used for the connector.
The following example demonstrates the data returned for an Email Phishing ticket:
- workspaceId: corodevcom_FQCR_b
- ticketType: emailPhishing
- ticketDetails:
  - affectedUser: phisher@externalcoro.demo
  - service: office365Enforcement
- locations:
  - ip: 175.45.176.34
  - countryName: North Korea
- emailMetadata:
  - subject: Change of Password Required Immediately
  - senderEmail: phisher@externalcoro.demo
- recipients:
  - demouser1@coro.net
  - demouser3@coro.net
  - demouser2@coro.net
- processedMessages:
  - messageId: demo_phishing_message_id_corodevcom_FQCR_b
  - firstEventTime: 1691595068186
  - lastEventTime: 1691595068186
  - creationTime: 1691595068188
  - processed: true
  - processedTime: 1691595068186
- ticketTrigger: emailPhishing
note
For further information on connector actions, see SIEM connector actions.
Generic webhook integration
Coro supports the integration of custom webhooks. These can be used to send data (for example, ticket log information) from the Coro console to a specified URL endpoint. This endpoint could be the REST API endpoint for an internal IT system.
The configuration process is similar to that of supported SIEM platforms:
- Provide a Name for the new connector.
- Select Generic from the Format dropdown.
- Enter an external webhook into the Listener URL field (retrieved from your organization’s internal IT system).
- (Optional) Add headers by selecting + Header. All headers are encrypted before storage.
- Select Add.
note
The above information is an example.
After successful configuration, the new generic connection is displayed with a Connected status.
The connector is added to the channel workspace and to all child workspaces linked to the channel workspace (provided Apply to all customers was enabled during configuration).
Configuration is complete.
The configured webhook endpoint now receives all events from Coro in real time. All data/metadata related to the event is returned.
To learn about SIEM connector actions, see SIEM connector actions.
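The following is an added example of what the receiving side of a generic webhook connector might look like; it is not Coro's code and not part of this page. It takes the Email Phishing ticket shown above as its sample input (constructed inline; the nesting of the fields is an assumption, since the page lists them flat), checks a shared-secret header of the kind you would add via + Header (the header name X-Coro-Webhook-Secret is hypothetical), rejects malformed bodies instead of crashing, and normalizes the fields a SOC would route on: ticket type, affected user, sender, source IPs and the first event time converted from epoch milliseconds.

```python
import hmac
import json
from datetime import datetime, timezone

# Constructed sample, shaped after the Email Phishing ticket shown on this page.
# The field nesting is an assumption; the page lists the fields without indentation.
SAMPLE_EVENT = json.dumps({
    "workspaceId": "corodevcom_FQCR_b",
    "ticketType": "emailPhishing",
    "ticketDetails": {
        "affectedUser": "phisher@externalcoro.demo",
        "service": "office365Enforcement",
    },
    "locations": [{"ip": "175.45.176.34", "countryName": "North Korea"}],
    "emailMetadata": {
        "subject": "Change of Password Required Immediately",
        "senderEmail": "phisher@externalcoro.demo",
        "recipients": ["demouser1@coro.net", "demouser3@coro.net", "demouser2@coro.net"],
    },
    "processedMessages": [{
        "messageId": "demo_phishing_message_id_corodevcom_FQCR_b",
        "firstEventTime": 1691595068186,
        "lastEventTime": 1691595068186,
        "creationTime": 1691595068188,
        "processed": True,
        "processedTime": 1691595068186,
    }],
    "ticketTrigger": "emailPhishing",
})

# Hypothetical header name: configured on the Coro side via "+ Header" and
# known to the receiving system. The secret value itself lives in the receiver's config.
SHARED_SECRET_HEADER = "X-Coro-Webhook-Secret"
REQUIRED_FIELDS = ("workspaceId", "ticketType", "ticketTrigger")


def header_is_valid(headers, expected_secret):
    """Compare the presented shared secret in constant time."""
    presented = headers.get(SHARED_SECRET_HEADER, "")
    return hmac.compare_digest(presented, expected_secret)


def millis_to_iso(ms):
    """Convert a Coro epoch-millisecond timestamp to an ISO-8601 UTC string."""
    seconds, remainder_ms = divmod(ms, 1000)
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.replace(microsecond=remainder_ms * 1000).isoformat()


def normalize_event(raw_body):
    """Parse one Coro event and pull out the fields a SOC would route on."""
    event = json.loads(raw_body)
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"event missing required fields: {missing}")
    details = event.get("ticketDetails", {})
    mail = event.get("emailMetadata", {})
    msgs = event.get("processedMessages", [])
    return {
        "workspace": event["workspaceId"],
        "ticket_type": event["ticketType"],
        "affected_user": details.get("affectedUser"),
        "sender": mail.get("senderEmail"),
        "recipient_count": len(mail.get("recipients", [])),
        "source_ips": [loc.get("ip") for loc in event.get("locations", [])],
        "first_seen": millis_to_iso(min(m["firstEventTime"] for m in msgs)) if msgs else None,
    }


def handle_webhook(headers, raw_body, expected_secret):
    """Return (http_status, normalized_event_or_None) for one delivery."""
    if not header_is_valid(headers, expected_secret):
        return 401, None           # unauthenticated sender: do not parse the body
    try:
        return 200, normalize_event(raw_body)
    except (ValueError, KeyError):
        return 400, None           # malformed event: reject, never crash the receiver


if __name__ == "__main__":
    status, event = handle_webhook({SHARED_SECRET_HEADER: "s3cret"}, SAMPLE_EVENT, "s3cret")
    print(status, json.dumps(event, indent=2))
```

The header check runs before any JSON parsing so that an unauthenticated caller cannot feed the parser at all, and the comparison uses hmac.compare_digest rather than == to avoid a timing side channel on the secret.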
Microsoft Sentinel
Microsoft Sentinel offers robust real-time threat detection and response capabilities, seamlessly integrating with existing Microsoft tools. Its cloud-native architecture ensures scalability and flexibility, while AI-driven automation enhances incident analysis. With rich analytics and customizable dashboards, organizations gain deeper insights into security postures, enabling proactive defense against evolving cyber threats.
Microsoft Sentinel can be integrated with Coro to collect information related to an event, for example, detected malware, or a mass download event.
note
Coro first sends SIEM data to Azure Monitor by using the HTTP Data Collector API. This data is then pulled into Microsoft Sentinel.
note
To configure a Microsoft Sentinel connector, your Microsoft 365 account must have admin permissions.
Configuring a Microsoft Sentinel connector via the Coro console
To configure a Microsoft Sentinel connector:
- Sign in to the Coro console and select Control Panel from the toolbar.
- Under Workspace, select Connectors.
Coro displays the Connectors page:
- Select ADD CONNECTOR.
Coro displays the Add connector dialog:
- (Required) Enter a Name for the new connector.
- Select Azure Sentinel from the Format dropdown.
- (Required) Enter a valid Microsoft Workspace ID .
- (Required) Enter a valid Primary Key (API key).
- Log Type specifies where logs are stored within Microsoft Sentinel. The default value is Coro, but the value can be modified.
- (Optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.
note
Apply to all customers is applicable to Managed Service Provider (MSP) channel workspaces.
For further information, see Managing Workspaces.
- Select ADD.
Coro triggers a test event to verify the configuration. If any configuration settings are incorrect, Coro displays an error:
After successful configuration, Coro displays the new connection with a Connected status:
Coro adds the connector to the channel workspace and all child workspaces linked to it (provided Apply to all customers was enabled during configuration).
Configuration is complete.
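To show what the Workspace ID, Primary Key and Log Type entered above are used for, here is an added example of how a client signs a request to the Azure Monitor HTTP Data Collector API that the note earlier in this section names. It is not Coro's code and not part of this page; it follows the API's documented SharedKey scheme (HMAC-SHA256 over the method, content length, content type, x-ms-date header and resource path, keyed with the base64-decoded Primary Key). The Workspace ID and key below are constructed placeholders. The Primary Key is what authorizes writes into your Log Analytics workspace, so it should be handled like any other ingestion credential.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed placeholders: the real values come from your Log Analytics workspace.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PRIMARY_KEY = base64.b64encode(b"\x01" * 32).decode()   # real key is base64 from the portal
LOG_TYPE = "Coro"                                        # default Log Type on this page
# Fixed time so the example is reproducible.
EXAMPLE_TIME = datetime(2023, 8, 9, 15, 31, 8, tzinfo=timezone.utc)


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """Compute the SharedKey Authorization value for the Data Collector API."""
    string_to_hash = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_hash.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, body, now=None):
    """Return (url, headers) for posting a JSON array of records to the workspace."""
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"/api/logs?api-version=2016-04-01")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date,
                                         len(body.encode("utf-8"))),
        "Log-Type": log_type,      # becomes the <Log-Type>_CL custom table in Sentinel
        "x-ms-date": rfc1123_date,
    }
    return url, headers


if __name__ == "__main__":
    # Constructed record shaped after the ticket fields shown on this page.
    body = '[{"workspaceId": "corodevcom_FQCR_b", "ticketType": "emailPhishing"}]'
    url, headers = build_request(WORKSPACE_ID, PRIMARY_KEY, LOG_TYPE, body, now=EXAMPLE_TIME)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The signature binds the date and the exact body length, so a captured request cannot be replayed with a different payload, and the server rejects requests whose x-ms-date is too far from its own clock.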
If the SIEM endpoint becomes unavailable after the configuration, Coro retries the connection in two hours. If the SIEM endpoint remains unavailable after this, Coro displays a message in the Messages section of the Coro Actionboard:
If the SIEM service is not connected, Coro displays a Disconnected status:
No events are collected while the SIEM service is disconnected. This commonly happens when the downstream SIEM server is down. You can retry the connection by using the Sync action; otherwise, the connection periodically tries to reconnect automatically.
Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:
note
The event information returned may differ depending on the SIEM provider being used for the connector.
The following example demonstrates the data returned for an Email Phishing ticket:
- workspaceId: corodevcom_FQCR_b
- ticketType: emailPhishing
- ticketDetails:
  - affectedUser: phisher@externalcoro.demo
  - service: office365Enforcement
- locations:
  - ip: 175.45.176.34
  - countryName: North Korea
- emailMetadata:
  - subject: Change of Password Required Immediately
  - senderEmail: phisher@externalcoro.demo
- recipients:
  - demouser1@coro.net
  - demouser3@coro.net
  - demouser2@coro.net
- processedMessages:
  - messageId: demo_phishing_message_id_corodevcom_FQCR_b
  - firstEventTime: 1691595068186
  - lastEventTime: 1691595068186
  - creationTime: 1691595068188
  - processed: true
  - processedTime: 1691595068186
- ticketTrigger: emailPhishing
note
For further information on connector actions, see SIEM connector actions.
Splunk
Splunk is a platform designed for collecting, analyzing, and visualizing machine-generated data. It is commonly used for log management, Security Information and Event Management (SIEM), and operational intelligence. Splunk helps organizations process and analyze large volumes of data generated by their systems, applications, and devices.
Integrate Splunk with Coro to collect information related to events, such as detected malware or mass download activity. Splunk uses this information for analytics and reporting.
note
Coro sends SIEM data to Splunk via HTTP event collector (HEC) REST API endpoints.
Important
Turn off Enable indexer acknowledgment when configuring an HEC on the Splunk Cloud Platform:
Configuring a Splunk connector via the Coro console
To configure a Splunk connector:
- Sign in to the Coro console and select Control Panel from the toolbar:
- Under Workspace, select Connectors:
Coro displays the Connectors page:
- Select ADD CONNECTOR.
Coro displays the Add connector dialog:
- Provide a Name for the new connector.
- Select Splunk from the Format dropdown.
- Enter the Listener URL (retrieved from your SIEM provider).
Important
- The Listener URL must be in the format: http(s)://Public IP Address of Splunk/services/collector. Example value: https://192.0.2.0:8088/services/collector
- The Listener URL must match the SSL configuration (Enable SSL option) in your Splunk cloud platform HEC settings:
  - If Enable SSL is turned on, use https://
  - If Enable SSL is turned off, use http://
- The port number part of the Listener URL must match the HTTP Port Number value in your Splunk cloud platform HEC settings.
- Enter the Authorization header (retrieved from your SIEM provider).
Important
The Authorization header must be in the format: Splunk <Authorization_token>. Example value: Splunk 9b30ab7-85bf-4dd5-8fd9-b42bb3a74163
- (Optional) Enable Apply to all customers to create the new connector for all child workspaces linked to the channel workspace. All events from the child workspaces are sent to the SIEM provider.
note
Apply to all customers is applicable to Managed Service Provider (MSP) channel workspaces.
For further information, see Managing Workspaces.
- Select ADD.
Coro triggers a test event to verify the configuration. If any settings are incorrect, Coro displays an error:
After successful configuration, Coro displays the new connection with a Connected status.
Coro adds the connector to the channel workspace and all child workspaces linked to it, provided Apply to all customers was enabled during configuration.
Configuration is complete.
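Because the test event only tells you that something is wrong, here is an added pre-flight check for the Listener URL and Authorization header rules listed in the Important notes above. It is not Coro's or Splunk's code and not part of this page. It verifies that the URL scheme matches the Enable SSL setting, that the port matches the HEC HTTP Port Number, that the path is /services/collector, and that the header uses the HEC scheme word Splunk followed by a space and the token. The sample values are the ones shown on this page. One related fact worth knowing when reading the indexer acknowledgment note above: with acknowledgment enabled, HEC expects an X-Splunk-Request-Channel header on every request and rejects requests that lack one.

```python
import re
from urllib.parse import urlsplit

# Sample values taken from this page.
EXAMPLE_URL = "https://192.0.2.0:8088/services/collector"
EXAMPLE_AUTH = "Splunk 9b30ab7-85bf-4dd5-8fd9-b42bb3a74163"

# HEC scheme word, one space, then the token (hex digits and dashes).
AUTH_RE = re.compile(r"^Splunk [0-9a-fA-F-]+$")


def validate_listener_url(url, enable_ssl, hec_port):
    """Return a list of problems; an empty list means the URL satisfies the rules."""
    problems = []
    parts = urlsplit(url)
    expected_scheme = "https" if enable_ssl else "http"
    if parts.scheme != expected_scheme:
        problems.append(f"scheme {parts.scheme!r} does not match Enable SSL={enable_ssl}; "
                        f"expected {expected_scheme}://")
    if not parts.hostname:
        problems.append("URL has no host")
    # A URL without an explicit port uses the scheme default.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port != hec_port:
        problems.append(f"port {port} does not match HTTP Port Number {hec_port}")
    # The page requires exactly /services/collector; a trailing slash is tolerated.
    if parts.path.rstrip("/") != "/services/collector":
        problems.append(f"path {parts.path!r} must be /services/collector")
    return problems


def validate_authorization(header):
    """True when the header has the form 'Splunk <token>'."""
    return bool(AUTH_RE.match(header))


def check_hec_settings(url, auth_header, enable_ssl, hec_port):
    """Combine both checks so a connector can be validated before it is added."""
    problems = validate_listener_url(url, enable_ssl, hec_port)
    if not validate_authorization(auth_header):
        problems.append("Authorization header must be 'Splunk <Authorization_token>'")
    return problems


if __name__ == "__main__":
    for url, ssl_on, port in [(EXAMPLE_URL, True, 8088),
                              ("http://192.0.2.0:8088/services/collector", True, 8088),
                              ("https://192.0.2.0:8089/services/collector", True, 8088)]:
        print(url, "->", check_hec_settings(url, EXAMPLE_AUTH, ssl_on, port) or "OK")
```

The check reports every mismatch at once rather than stopping at the first, which matches how you would read the HEC settings page side by side with the Add connector dialog.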
If the SIEM endpoint becomes unavailable after the SIEM configuration is created, Coro retries the connection in two hours. If the endpoint is still unavailable, Coro displays a message in the Messages section of the Actionboard:
If the SIEM service is not connected, Coro displays a Disconnected status:
note
Coro does not collect events when the SIEM service is disconnected, which typically occurs if the downstream SIEM server is unavailable. Users can retry the connection by using the Sync action.
Coro sends all events to the configured SIEM in real time. All data/metadata related to the event is returned, for example, ticketType and workspaceId:
note
The SIEM provider used for the connector determines the event information that is returned.
The following example demonstrates the data returned for an Email Phishing ticket:
- workspaceId: corodevcom_FQCR_b
- ticketType: emailPhishing
- ticketDetails:
  - affectedUser: phisher@externalcoro.demo
  - service: office365Enforcement
- locations:
  - ip: 175.45.176.34
  - countryName: North Korea
- emailMetadata:
  - subject: Change of Password Required Immediately
  - senderEmail: phisher@externalcoro.demo
- recipients:
  - demouser1@coro.net
  - demouser3@coro.net
  - demouser2@coro.net
- processedMessages:
  - messageId: demo_phishing_message_id_corodevcom_FQCR_b
  - firstEventTime: 1691595068186
  - lastEventTime: 1691595068186
  - creationTime: 1691595068188
  - processed: true
  - processedTime: 1691595068186
- ticketTrigger: emailPhishing