docs/cloud-soar/incidents-triage.md (+23 -16: 23 additions and 16 deletions)
@@ -14,7 +14,6 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
14
14
15
15
[**New UI**](/docs/cloud-soar/overview#new-ui). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**.
16
16
17
-
18
17
The SecOps screen is where all your current tasks reside. Here you can approve, decline, and close tasks as well as customize this section to display all tasks assigned to a specific user or group.
19
18
20
19
Select **Dashboard** in the upper left corner to see dashboards showing your tasks. For more information, see [Dashboards](#dashboards).
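Review bot: nothing to fix in this hunk; the only change is dropping one of two consecutive blank lines between the New UI access paragraph and the "The SecOps screen is where all your current tasks reside" paragraph, and the remaining blank line keeps them as separate paragraphs, so no rendered text changes. One wording nit on the untouched context line while you are here: "customize this section to display all tasks assigned to a specific user or group" does not say how; if the filtering control on the SecOps screen has a name, naming it in that sentence would make the step actionable.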
@@ -28,11 +27,6 @@ Incidents are events that require investigation and remediation. Incidents are a
28
27
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access incidents, in the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
29
28
30
29
[**New UI**](/docs/cloud-soar/overview#new-ui). To access incidents, in the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
31
-
32
-
33
-
The **Incidents** screen lists all Cloud SOAR incidents. Clicking on any of the incident IDs will open the incident. You can configure what incidents are displayed by creating queries against available incident data and saving them as incident filters.
Watch this micro lesson to learn more about incidents in Cloud SOAR.
38
32
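Review bot: removing "The **Incidents** screen lists all Cloud SOAR incidents. Clicking on any of the incident IDs will open the incident..." at this position leaves the Incidents section jumping from the Classic/New UI access instructions straight to "Watch this micro lesson to learn more about incidents in Cloud SOAR" with no sentence saying what the screen is; the same paragraph is re-added later under the new "### Filter incidents" heading. Suggest keeping the first two sentences here (what the screen lists, that clicking an ID opens the incident) and moving only the last sentence about saving queries as incident filters. Also, the hunk header counts five removed lines (11 old lines to 6 new) but only three `-` lines are visible in this view; please confirm the other two were blank lines and not content.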
@@ -47,18 +41,18 @@ Watch this micro lesson to learn more about incidents in Cloud SOAR.
47
41
allowfullscreen
48
42
/>
49
43
50
-
### Incident generation process
44
+
### Filter incidents
51
45
52
-
Cloud SOAR generates incidents with an automated process:
53
-
1. An alert is received by Cloud SOAR via an integration.
54
-
1.[Automation rules](/docs/cloud-soar/automation/#automation-rules) process the alert. Behind the scenes, parsing rules break out the data into artifacts to be used as arguments in playbooks, such as IP addresses, usernames, host names, and so on.
55
-
1. The data is fed into an [incident template](/docs/cloud-soar/automation/#incident-templates).
56
-
1.[Playbooks](#playbooks) run against the data.
57
-
1. Cloud SOAR generates an incident.
46
+
The **Incidents** screen lists all Cloud SOAR incidents. Clicking on any of the incident IDs will open the incident. You can configure what incidents are displayed by creating queries against available incident data and saving them as incident filters.
The following criteria apply to the incidents list:
49
+
* The last 500 incidents are displayed by default.
50
+
* When no filters are applied, incidents that are marked as a favorite or not deleted will be displayed.
51
+
* When a filter is applied, incidents marked as a favorite or that meet the filter criteria will be shown. Deleted incidents that satisfy either of these conditions will also be displayed.
52
+
* If an incident is marked as a favorite, it will be displayed regardless of whether it has been deleted.
53
+
* In **Show All**, all incidents meeting the above criteria will be displayed without the 500-item limit.
You can configure what data is to be displayed on the **Incidents** screen by adjusting which columns are viewable. To adjust these columns, click the filter icon <img src={useBaseUrl('img/cloud-soar/filter-icon.png')} alt="Filter icon" width="25"/> in the top right corner of the screen. This displays a configuration screen that allows you to choose which data is displayed. To change where on the screen it should be displayed, click the **+** next to the selection and drag and drop it in the order to be viewed. Once you have added and organized the columns, click **Apply**.
64
58
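Review bot: the new filter-criteria bullets overlap and leave the deletion behaviour implicit. "When no filters are applied, incidents that are marked as a favorite or not deleted will be displayed" plus "Deleted incidents that satisfy either of these conditions will also be displayed" together mean a deleted incident is hidden only from the unfiltered list and comes back as soon as a filter matches it or it is marked as a favorite; the separate "If an incident is marked as a favorite, it will be displayed regardless of whether it has been deleted" bullet then states the favorite case a third time. Suggest collapsing to one explicit statement such as "Deleting an incident hides it from the unfiltered list only; deleted incidents are still shown when they match a filter or are marked as a favorite", since a reader will otherwise assume deletion removes the incident from view. Two smaller points: "The last 500 incidents are displayed by default" should say what "last" is ordered by (creation time or last update), so that "**Show All**" is understood relative to it; and the "### Incident generation process" section removed at the top of this hunk must reappear intact in the later "### Incident generation" hunk, including its last two steps.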
@@ -119,7 +113,20 @@ For example, an incident contains sensitive data in the notes section. If you wa
119
113
To allow users to access incidents without being added as investigators, assign them the **Incident > Access all** role Cloud SOAR role capability. This privilege is useful for users who need to monitor all incidents.
120
114
:::
121
115
122
-
### Create a new incident manually
116
+
### Incident generation
117
+
118
+
#### Automatically generate incidents
119
+
120
+
Cloud SOAR generates incidents with an automated process:
121
+
1. An alert is received by Cloud SOAR via an integration.
122
+
1.[Automation rules](/docs/cloud-soar/automation/#automation-rules) process the alert. Behind the scenes, parsing rules break out the data into artifacts to be used as arguments in playbooks, such as IP addresses, usernames, host names, and so on.
123
+
1. The data is fed into an [incident template](/docs/cloud-soar/automation/#incident-templates).
1. To create an incident manually, click the **+** button at the top of the **Incidents** screen. <br/><img src={useBaseUrl('img/cloud-soar/create-incident-button.png')} alt="Create incident button" style={{border: '1px solid gray'}} width="100"/>
125
132
1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/overview/#custom-fields). <br/><img src={useBaseUrl('img/cloud-soar/incident-creation-screen.png')} alt="Incident Creation screen" style={{border: '1px solid gray'}} width="700"/>
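Review bot: `1.[Automation rules](/docs/cloud-soar/automation/#automation-rules) process the alert.` has no space after `1.`, so Markdown will not treat it as a list item; it renders as a literal "1.[Automation rules]..." paragraph that splits the ordered list, and the following `1. The data is fed into an [incident template]...` restarts numbering at 1. Change it to `1. [Automation rules](...)`. The list being moved had the same defect on `1.[Playbooks](#playbooks) run against the data.`, so fix both while relocating them. Two structural checks: only three of the old list's five steps are visible among the `+` lines here (the old "Incident generation process" list also had `1.[Playbooks](#playbooks) run against the data.` and `1. Cloud SOAR generates an incident.`); the header's count of added lines leaves room for them, but confirm they were carried over. And because "### Create a new incident manually" is deleted, the manual steps beginning at `1. To create an incident manually, click the **+** button at the top of the **Incidents** screen.` need their own `####` subheading parallel to "#### Automatically generate incidents"; otherwise they read as a continuation of the automated list.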