
Commit 451f0bf

committed
Admin - Settings and Configurations
1 parent dd3ab8a commit 451f0bf


2 files changed

+94
-0
lines changed


docs/cloud-soar/introduction.md

Lines changed: 94 additions & 0 deletions
@@ -409,3 +409,97 @@ Within Automation, you’ll see subsections for:
409409
* [Rules](/docs/cloud-soar/automation/#automation-rules). Lets you create new automation rules.
410410
* [Bridge](https://help.sumologic.com/docs/platform-services/automation-service/automation-service-bridge/). Contains configuration details on any installed bridges.
411411

412+
### Settings and configurations
413+
414+
#### Fields
415+
416+
Fields are used to map data that is imported into Cloud SOAR to various attributes used by Cloud SOAR. Fields are often pre-populated as data is imported into Cloud SOAR. However, there are some times you may wish to customize fields. For example, you can use a custom field to make sure the data you’re importing from Cloud SIEM, such as an entity, gets mapped properly to the equivalent entity field in Cloud SOAR. Or, you might want to create a custom field called Time to Manage that calculates the difference between incident Open Time and Close Time. You could then track Time to Manage across different incident types or different analysts to find pain points in your SOC.
417+
418+
Administrators can edit existing fields, delete fields, and add new fields for almost every section of Cloud SOAR. Fields can be customized one by one manually, or an administrator can import a CSV file to customize them in bulk. Any existing field can have its name or value edited, but its type cannot be changed. Field types include date, text, numeric, timezone, email address, IP address, and many others.
419+
420+
There are several categories of fields you can customize in Cloud SOAR: triage, incidents, tasks, notes, and attachments. Each section of Cloud SOAR supports different numbers of custom fields. The Incidents section, for example, supports up to 100 custom fields.
421+
422+
Custom fields are an essential component of Cloud SOAR. They are used to normalize data collected from the different platforms such as SIEMs, ticketing systems like Jira, or any kind of technology that sends data. The data ingested from all these sources can have different names but thanks to custom fields we can map the data to a unique Field in Cloud SOAR.
423+
424+
Fields can be used to apply advanced filters or add them as a new column in the incident list view. For example, you might want to sort your incidents by the IP address field. You can also use fields to perform some calculations on other fields to create a new field.
425+
426+
#### Define and test a custom field
427+
428+
In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance.
429+
430+
##### Define a custom field
431+
432+
1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon <img src={useBaseUrl('img/cloud-soar/cloud-soar-settings-icon.png')} alt="Settings menu icon" style={{border: '1px solid gray'}} width="25"/> in the top right, select **Settings**, and on the left menu select **Customization > Fields**.<br/>[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Fields**.
433+
1. In the **Custom Fields** menu, select **Incidents**.
434+
1. Click the **+** icon.
435+
1. Give the field a name that designates what it is for. For example, to create a field for IPs originating from entities, enter **Source IP**.
436+
1. For **Type** select **Text**.
437+
1. Click **Create**.
438+
439+
##### View your custom field
440+
441+
To test the new field, we'll create a new incident manually.
442+
443+
1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.<br/>[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
444+
1. Click the **+** icon to create a new incident.
445+
1. Scroll down to the bottom to see your new field. Your field may appear in either the left or right column. It may be near the bottom or several rows up.
446+
1. Type a value in your new field. For example, if your new field is for a source IP, you could type in an IP address, such as **1.1.1.1**.
447+
1. For **Incident ID**, enter a unique identifier.
448+
1. For for **Type** select **General**, for **Purpose** select **Generic**, and for **Category** select **General**.
449+
1. Leave other fields as their defaults, then click **Create**.
450+
451+
:::note
452+
You will not be able to create the incident until there is a green **No Issue Found** in the top right corner. If you see the orange **Warning** icon, hover over it to learn what fields are missing or erroneous.
453+
:::
454+
455+
#### Incidents
456+
457+
Incidents are the main place where SOC analysts conduct their threat investigations and orchestrate their responses. There are several areas of the admin UI where you can customize the way incidents behave in Cloud SOAR:
458+
* **[Incident templates](/docs/cloud-soar/automation/#incident-templates)**. Incident templates control how incidents appear in the War Room and include fields like type, severity, and status. Incident Templates are also essential when creating [automation rules](/docs/cloud-soar/automation/#automation-rules) that trigger incidents. When you first set up and automate your SOC, it will primarily be using incident templates.
459+
* **[General](/docs/cloud-soar/overview/#general)** settings **Incidents** section. Use this settings section for some configuration of the incidents in Cloud SOAR. You can allow or prohibit duplicate names, set whether closing notes are mandatory or not, and select which objects are extracted from Incidents here.
460+
* **[Reports](/docs/cloud-soar/incidents-triage/#report)**. Use this feature to create and edit report templates. These templates are used when analysts export a report after closing an incident as part of the lessons learned stage of the incident response cycle.
461+
* **[Incident Labels](/docs/cloud-soar/overview/#incident-labels)**. Incident labels are used to organize the way incidents are displayed inside Cloud SOAR.
462+
463+
Work with the analysts on your team to customize reports, labels, and templates to suit their needs. As a best practice, create labels and templates that use standardized and unique naming conventions.
464+
465+
#### Customize incident labels
466+
467+
In this section, we’ll create a custom incident label. This new label will make it easier to sort and respond to incidents.
468+
469+
1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon <img src={useBaseUrl('img/cloud-soar/cloud-soar-settings-icon.png')} alt="Settings menu icon" style={{border: '1px solid gray'}} width="25"/> in the top right, select **Settings**, and on the left menu select **Customization > Incident labels**. <br/>[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Incident Labels**.
470+
1. Click the **+** icon to create a new incident label.
471+
1. For **Name**, enter a name that designates what the incident is for. For example, to create a label for incidents originating in Cloud SIEM, you could enter **Cloud SIEM Alert**.
472+
1. Optionally, you can include a short **Description**.
473+
1. For **Value**, type the label as you want it to appear in the UI. For example, type **Cloud SIEM Alert -**.
474+
7. Double-click entries you want to add to the value. For example, double-click **Counter**. The fields inside the brackets will be replaced by the appropriate variable when this incident label is used. For example, if the incident is created in October, the `[=MONTH]` field will be replaced by 10.
475+
1. Click **Save**.
476+
477+
Now you can use this incident label the next time you manually create an incident. You can also use it when creating or configuring automation rules that create incidents.
478+
479+
#### Triage
480+
481+
##### Incident triage
482+
483+
Sometimes your system may record events that are unverified, or have a low confidence level such that you may want to triage them before reporting them as incidents. The triage features of Cloud SOAR allow users to view these events and their details, as well as assign up to 100 custom fields for triage use, allowing maximum flexibility over a variety of event use cases.
484+
485+
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**.
486+
487+
[**New UI**](/docs/cloud-soar/overview#new-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**.
488+
489+
Any recorded events that have not been converted to an incident will be displayed in a sortable table. Click on any column to sort by that field. By default, you will see two fields, **Status** and **Type**.
490+
491+
<img src={useBaseUrl('img/cloud-soar/triage.png')} alt="Triage screen" style={{border: '1px solid gray'}} width="800"/>
492+
493+
The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/overview/#custom-fields)** page).
494+
495+
To add additional custom fields (up to 100), select **Triage** from the **Custom Fields** list. To add a custom field, click the **+** button in the upper left of the display and set the field properties as desired. Make sure to check **Use as filter** if you want your new custom field to be filterable in the triage module.
496+
497+
##### Triaging an event
498+
499+
In the **Triage** page, you can begin triaging an event by assigning the event to a user. Hover over an event and click on the person icon to assign or "grab" that event.<br/><img src={useBaseUrl('img/cloud-soar/grab-event.png')} alt="Grab event" style={{border: '1px solid gray'}} width="150"/>
500+
501+
Grabbing an event assigns that event to the selected analyst, and any playbooks defined for that incident type will be automatically executed, with the results displayed on the event details screen. Because all playbooks for the specified incident type are executed automatically, it is recommended to create separate incident types and playbooks for triage use.
502+
503+
To convert the event to an incident, click the three-dot kebab in the upper-right of the event and select **Convert To Incident**. Select the appropriate incident template, owner, and label, then click **Save**. The new incident will now be available in the **Incidents** screen along with any custom information gathered by playbooks run during triage.
504+
505+
<br/><img src={useBaseUrl('img/cloud-soar/reassign-discard-convert-event.png')} alt="Reassign or convert to incident" style={{border: '1px solid gray'}} width="600"/>
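Review bot: step 6 under "View your custom field" reads "For for **Type** select **General**"; drop the duplicated "for". Two further points in the same hunk: under "Customize incident labels" the sixth step is numbered `7.` while every other item in the hunk uses the `1.` auto-numbering convention, and that step tells the reader to double-click **Counter** but then explains the `[=MONTH]` placeholder, so either the entry being double-clicked or the explanation should be changed to match. Finally, the sample value in "View your custom field" is **1.1.1.1**, which is a live public DNS resolver; an RFC 5737 documentation address such as 192.0.2.10 would keep analysts who copy the walkthrough from putting a real third-party host into test incidents.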