You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are excited to announce the ability to manage library content on the new **Manage Content** tab. Now MSSP administrators can conveniently push content in the **Library** folder to multiple child organizations at once, including dashboards, saved searches, and scheduled searches. [Learn more](/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps/).
14
+
15
+
:::note
16
+
This feature is in Beta. To participate, contact your Sumo Logic account executive or our Support Team.
Copy file name to clipboardExpand all lines: docs/cloud-soar/introduction.md
-7Lines changed: 0 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -64,7 +64,6 @@ Finally, you can take the Insights from Cloud SIEM and automatically respond to
64
64
Sumo Logic’s Cloud SOAR is a cloud-based web application available as an add-on to existing Sumo Logic deployments. Some of Cloud SOAR’s key features include:
65
65
66
66
***War Room**. A central location for all the information, analysis, and actions related to an incident. This includes notes, documentation, and knowledge transfer as well as tools for collecting data and assessing, investigating, and correlating different incidents.
67
-
***ARK**. The Automated Responder Knowledge (ARK) learns from past incidents and threat intel to recommend relevant playbooks for future incidents.
68
67
***App Central**. A large out-of-the-box library of playbooks, integrations, and use cases for different threats to get you started.
69
68
***Cybersecurity best practices**. Cloud SOAR’s design and architecture meets many cybersecurity industry standards, regulatory frameworks, and best practices from organizations like ISO, GDPR, OASIS, NIST, and many others.
70
69
@@ -210,12 +209,6 @@ Here are some other workflows you could automate with a playbook:
210
209
211
210
Cloud SOAR has hundreds of prebuilt playbooks and templates, so you can quickly and easily automate any of these tasks, or create new custom playbooks to suit your specific business needs. Normally, playbooks are automatically attached to incidents based on information like entities and severity scores.
212
211
213
-
##### ARK suggestions
214
-
215
-
Playbooks automate the individual tasks of incident response. But Cloud SOAR's Automated Responder Knowledge (ARK) suggestions take things one step further. ARK uses machine learning to suggest the most appropriate playbook for your incidents based on what you've done on similar incidents in the past. This frees up even more resources for analysts, as they don't have to spend time choosing a playbook before responding.
216
-
217
-
When ARK suggests a playbook to you, you have the option to add the playbook to the incident, run it, or dismiss the suggestion.
218
-
219
212
#### App Central, custom integrations, and other automations
220
213
221
214
Cloud SOAR has hundreds of pre-built playbooks which you can use as-is or customize. You can also build your own custom playbooks, which you can learn about in the Cloud SIEM Administration class.
ARK or Automated Responder Knowledge is the Machine Learning component of Cloud SOAR which implements the Supervised learning in Case-Based Reasoning (CBR) algorithm.
40
-
CBR solves new problems by adapting previously successful solutions to similar problems. In Cloud SOAR, this can be leveraged by analyzing solved incidents to hint steps and procedures to operators in new similar threats.<br/> <img src={useBaseUrl('img/cloud-soar/image15e.png')} alt="Automation menu" style={{border: '1px solid gray'}} width="250"/>
41
-
42
-
ARK assists operators during investigations in two main areas: Automatically suggesting/prompting next actions/tasks in Playbooks (until version 5) and Correlation/ Deduplication of similar threats into 1 unique incident.
43
-
44
-
#### Enable ARK
45
-
46
-
To enable ARK, click the cog icon, then **Settings** > **ARK** and make sure you have it set to **ON**.
47
-
48
-
From this page, it’s possible to configure also other ARK Settings such as the Neighbor incidents considered for each recommendation and an age relevance threshold. Those two parameters will allow you to tune the incidents that the Machine Learning algorithm will consider.
When an incident is created in Cloud SOAR, the Incident Type field will be the one defining which Playbooks you can attach to that incident.
53
-
54
-
#### ARK Usage
55
-
56
-
ARK has a correlation and deduplication or merging mechanism you can use with the ARK OIF.
57
-
58
-
ARK 2.0 OIF is a custom Sumo Logic integration which allows investigators to implement a mechanism for deduplication and correlation of ingested alerts and Cloud SOAR incidents.
OIF ARK enrichment action “Get parents for incident” allows you to retrieve every incident (as proposed parents) that is similar to the analyzed one.
65
-
66
-
Each optional field allows you to fine tune the weight of the fields, acceptance thresholds and of the algorithm which needs to be trained and fine-tuned in order to get correct and reliable results.
Alert deduplication or merging can be achieved by utilizing ARK OIF enrichment actions and Cloud SOAR’s unique Triage capability.
71
-
72
-
Triage is a customizable section which can be used for enriching and preprocessing multiple different scenarios.
73
-
74
-
By dispatching the ingested alerts into Triage events, Cloud SOAR can automatically enrich each event, deduplicate them based on the logic configured in our associated Playbooks (which can invoke Ark OIF enrichment) and decide if Cloud SOAR should aggregate multiple entries in one unique incident, create multiple incidents for each event or if a similar incident has already been created, to update the existing incident with updated information.
75
-
76
-
Cloud SOAR can also correlate existing incidents to check if specific data is already present in the Cloud SOAR Database. It is crucial that all merging or deduplication must be done prior to conversion of an alert into incident. For example, a Triage event that allows you to invoke one or multiple playbooks for each Triage event created.
Copy file name to clipboardExpand all lines: docs/cloud-soar/overview.md
-2Lines changed: 0 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -402,8 +402,6 @@ Cloud SOAR has been designed with Interoperability for Cybersecurity Industry st
402
402
403
403
Cloud SOAR design and architecture follows Cybersecurity Industry standards and regulatory frameworks, and adheres to best Industry practices to meet best Cybersecurity practices followed by ISO, GDPR, OASIS, NIST, Sec Regulations, and more.
404
404
405
-
Cloud SOAR offers a patent-pending Automated Responder Knowledge (DF-ARK) module which applies machine learning to historical responses and threats. It recommends relevant Playbooks, paths of action to expedite the process, and responses to manage and mitigate similar incidents with better response time.
406
-
407
405
Cloud SOAR provides static egress for Cloud executions. IP addresses can be entered into the allowlist. For a list of Cloud SOAR addresses by region, contact [Support](https://support.sumologic.com/support/s/).
0 commit comments