A Guide to Integrating Reco's Platform with Your SIEM and Workflow Tools for Seamless Security Operation
Written by Reco Product Management
Updated over 9 months ago

Reco's platform integrates with Security Information and Event Management (SIEM) systems and workflow automation tools by forwarding its smart alerts to them. This connection reduces the time spent on manual investigation of SaaS security alerts and gives your team a single view of threats, so that your existing security and operational playbooks can act on Reco's alerts directly.

Setting Up SIEM and Workflow Integration

Access the SOAR and Automation Configuration

  1. Navigate to Configurations -> Integration Page: Begin by accessing the 'Configurations' section within Reco's platform. From there, proceed to the 'Integration Page'.

  2. Select the 'SOAR and Automation' Tab: Within the 'Integration Page', find and select the tab labeled 'SOAR and Automation'. This section is specifically designed for managing webhook integrations with your SIEM and workflow automation tools.

Initiate Webhook Integration

  1. Click on 'Add Webhook': To start integrating your SIEM or workflow tool with Reco, click on the 'Add Webhook' button. This initiates the process of creating a new webhook integration.

  2. Choose 'Policy Alert Created' as Event Type: When setting up the webhook, select 'Policy Alert Created' from the event type options. This selection ensures that the webhook triggers a notification in your SIEM or workflow tool whenever a policy alert is created within Reco's platform.

  3. Enter the URI from Your SIEM/Workflow Tool: In the URI field, input the endpoint address from your SIEM or workflow tool. This address acts as the destination for webhook notifications from Reco, facilitating real-time alert communication.

  4. Customize Request Headers (Optional): Depending on the integration requirements of your SIEM or workflow tool, you may customize the webhook's request headers. Add key-value pairs as needed in the 'Custom Request Headers' section. This step is optional and tailored to the specific needs of your integration.

Monitoring and Managing Webhooks

After completing the setup, the newly created webhook instance will be visible in the table under the 'SOAR and Automation' tab. This table provides a comprehensive overview of all active webhooks, including their status and the ability to manage them directly.

Connecting to Your SIEM/SOAR Tools

Integrating Reco with your Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) tools is a straightforward process designed to enhance your security operations with automated alerting and response capabilities. Here’s how you can establish this connection:

Enter URI from Your SIEM/Workflow Tool

  1. Identify the Listener URI: Determine the URI endpoint within your SIEM or workflow tool that will act as the receiver for webhook calls from Reco. This URI is crucial as it establishes a direct communication line for alerts.

  2. Input the URI: In the designated URI section on Reco's 'SOAR and Automation' tab, input the identified URI from your SIEM or workflow tool. For example, if you are using the automation tool Blink, reference its provided URI format as a guide for your integration setup.

Customize Request Headers (Optional)

  1. Understand the Requirement: Some SIEM or SOAR tools may require specific request headers for successful communication. This might involve authentication tokens, content-type specifications, or other key-value pairs that authenticate and direct the webhook content appropriately.

  2. Add Custom Headers: If your tool requires these custom headers, navigate to the 'Custom Request Headers' section in Reco's webhook setup and add the necessary key-value pairs. This customization allows for tailored communication between Reco and your SIEM/SOAR tool, ensuring the alerts are processed correctly.
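The two steps above cover the listener side of the integration: a URI that receives Reco's webhook calls, and any custom request headers that the listener uses to authenticate them. The following is an added example of such a listener, written for this article and not Reco's own code or a documented Reco schema. It assumes that a header named X-Reco-Token carrying a shared secret was configured under 'Custom Request Headers', that the JSON body has an event_type field and a nested alert object (a constructed layout), and that the listener runs on localhost port 8080. The handler rejects deliveries that lack the expected token or content type before it parses anything, uses a constant-time comparison for the token, and only passes 'Policy Alert Created' events on to the SOC workflow.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed header name and shared secret: both must match what you enter
# under 'Custom Request Headers' in Reco's webhook setup. Placeholder values.
AUTH_HEADER = "x-reco-token"
AUTH_TOKEN = "replace-with-your-shared-secret"

# Constructed sample delivery; the field names are an assumption, not Reco's schema.
SAMPLE_DELIVERY = json.dumps({
    "event_type": "Policy Alert Created",
    "alert": {"id": "example-001", "policy": "Public file share created", "severity": "high"},
})


def validate_headers(headers):
    """Return 0 when the delivery may be processed, otherwise the HTTP status to reject it with.

    Header names are matched case-insensitively. The token is compared in constant
    time so a wrong guess does not leak how many leading bytes were correct.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(AUTH_HEADER, "")
    if not hmac.compare_digest(token.strip().encode(), AUTH_TOKEN.encode()):
        return 401  # missing or wrong shared secret
    ctype = lowered.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        return 415  # refuse to parse anything that is not declared as JSON
    return 0


def handle_webhook(headers, body):
    """Validate one webhook delivery and return (http_status, alert_or_None).

    Only 'Policy Alert Created' events (the event type selected in Reco) yield
    an alert; other event types are acknowledged with 202 and dropped.
    """
    status = validate_headers(headers)
    if status:
        return status, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(payload, dict) or payload.get("event_type") != "Policy Alert Created":
        return 202, None
    alert = payload.get("alert")
    if not isinstance(alert, dict):
        return 400, None
    return 200, alert


class RecoWebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP listener that applies handle_webhook to each POST."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, alert = handle_webhook(dict(self.headers.items()), body)
        if alert is not None:
            # Hand the alert to your SOC workflow here (ticket, page, enrichment).
            print(f"policy alert {alert.get('id')}: {alert.get('policy')} "
                  f"severity={alert.get('severity')}")
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Assumed local address; in production put the listener behind TLS.
    HTTPServer(("127.0.0.1", 8080), RecoWebhookHandler).serve_forever()
```

Run the script and point Reco's webhook URI at http://127.0.0.1:8080/ (or wherever you expose it) with the same X-Reco-Token value under 'Custom Request Headers'. The status codes are deliberately distinct (401 for a bad token, 415 for a wrong content type, 400 for a malformed body) so that a failed delivery visible in Reco's webhook table can be traced to the specific configuration step that is wrong.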

Triggering Alerts and Ensuring Responsive Actions

  1. Activation: Once the setup is complete, Reco is configured to automatically trigger alerts to your SIEM or SOAR tool whenever a policy violation or security event is detected. This ensures real-time alerting that is critical for prompt incident response.

  2. Immediate Response: The direct alert system facilitates a rapid response mechanism within your Security Operations Center (SOC). Your team can quickly mobilize to assess and mitigate the threat, leveraging the integrated tools for an efficient and coordinated action.

  3. Monitoring and Management: Active webhooks, including those connected to your SIEM/SOAR tools, will be listed under the 'SOAR and Automation' tab. This centralized view enables easy monitoring and management of your integrations, ensuring that your security posture remains robust and reactive to emerging threats.

By following these straightforward steps, you not only establish a direct line of communication between Reco's platform and your SIEM/workflow tools but also ensure a swift and cohesive response to security alerts within your existing operational workflows.
