Update cloud-soar.md (#4675)

wjakelee · jpipkin1 · web-flow · commit 9a1dedb8fed4 · 2024-10-21T18:28:27.000Z
* Update cloud-soar.md Need to update the steps in this page according to https://help.sumologic.com/docs/cloud-soar/automation/#configure-a-webhook-for-cloud-soar * Updates from review --------- Co-authored-by: John Pipkin <jpipkin@sumologic.com>
diff --git a/docs/alerts/webhook-connections/cloud-soar.md b/docs/alerts/webhook-connections/cloud-soar.md
@@ -16,14 +16,44 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 * You'll need the **Manage connections** [role capability](/docs/manage/users-roles/roles/role-capabilities) to create webhook connections.
 :::
 
-To create a webhook connection from Sumo Logic to Cloud SOAR:
+You can configure a webhook connection to allow you to send an alert from a scheduled search to Sumo Logic Cloud SOAR using an incident template.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Monitoring > Connections**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Monitoring** select **Connections**. You can also click the **Go To...** menu at the top of the screen and select **Connections**. 
-1. Click **+ Add** and choose **Cloud SOAR** as the connection type.<br/> <img src={useBaseUrl('img/connection-and-integration/SOAR-webhook-icon.png')} alt="SOAR webhook icon.png" width="200"/>
-1. Enter a **Name** and give an optional **Description** to the connection.
-1. The **URL** and **Authorization Header** are automatically defined by Sumo Logic. You should not edit these.
-1. The **Templates** dropdown shows a list of all incident templates, by name, configured in your Cloud SOAR environment.
-1. The default **Payload** synchronizes with the selected template and the associated `template_id` field is automatically defined in the default payload. A `template_id` is required in the payload in order to configure the connection. For details on variables you can use as parameters within your JSON object, see [Webhook Payload Variables](set-up-webhook-connections.md).
-1. Click **Save**.
+1. Click **+** and choose **Cloud SOAR** as the connection type. The **Create Cloud SOAR Connection** dialog is displayed.<br/><img src={useBaseUrl('img/cloud-soar/CSOAR-connection1.png')} alt="New connection" style={{border: '1px solid gray'}} width="600"/>
+1. Enter a **Name** and give an optional **Description** to the connection.
+1. The **URL** field shows your [Sumo Logic API endpoint](/docs/api/getting-started#sumo-logic-endpoints-by-deployment-and-firewall-security) followed by `/csoar/v3/incidents/`. For example, `https://api.us2.sumologic.com/api/csoar/v3/incidents/`
+1. In **Authorization Header**, enter your basic authentication access information for the header. For example, `Basic <base64 encode <accessId>:<accessKey>>`. For more information, see [Basic Access (Base64 encoded)](/docs/api/getting-started#basic-access-base64-encoded).
+1. Click **Save**. After save, the **Templates** dropdown shows a list of all incident templates by name configured in your Cloud SOAR environment.
+1. Select a **Template**.
+1. The default payload synchronizes with the selected template, and the **Alert Payload** field shows the associated `template_id` field automatically defined in the default payload. A `template_id` is required in the payload in order to configure the connection:
+
+    ```
+    {
+      "template_id": <Template ID>,
+     "fields": {
+        "incidentid": "Incident Id"
+      }
+    }
+    ```
 
-For more detailed instructions, see [Configure a webhook for Cloud SOAR](/docs/cloud-soar/automation/#configure-a-webhook-for-cloud-soar).
+    You can add additional variables. For example:
+
+    ```
+    {
+      "fields": {
+        "description": "string",
+        "additional_info": "string",
+        "starttime": "ISO-8601 datetime string",
+        "incident_kind": <ID incident kind>,
+        "incident_category": <ID incident category>,
+        "status": <ID incident status>,
+        "restriction": <ID incident restriction>
+      }
+    }
+    ```
+    :::note
+    * For details on variables you can use as parameters within your JSON object, see [Configure Webhook Payload Variables](/docs/alerts/webhook-connections/set-up-webhook-connections/#configure-webhook-payload-variables).
+    * For information on additional fields, please refer to the [Cloud SOAR APIs](/docs/api/cloud-soar/) documentation.
+    * The preceding example shows an `ISO-8601 datetime string`. For information about how to configure it, see [parser documentation](https://dateutil.readthedocs.io/en/stable/parser.html#dateutil.parser.isoparse).
+    :::
+1. Click **Save**.
