Commit cf0e68d

Finish 'automations and integration'
1 parent a6d92f2 commit cf0e68d

File tree

1 file changed

+83
-42
lines changed
docs/cloud-soar/introduction.md

Lines changed: 83 additions & 42 deletions
@@ -571,61 +571,102 @@ Before you begin creating or customizing a playbook, decide what you’d like to
571571

572572
#### Create a custom playbook for Cloud SIEM Insights
573573

574-
Cloud SOAR allows us to create automations that will run whenever Cloud SIEM Insights are created or closed. These automations are powered through "playbooks" as discussed in the previous section, predefined actions run in an automated workflow to respond to an incident.
574+
Cloud SOAR allows us to create automations that will run whenever Cloud SIEM Insights are created or closed. These automations are powered through playbooks, predefined actions run in an automated workflow to respond to an incident.
575575

576-
Let’s use Cloud SOAR to create a playbook for use in Cloud SIEM.
576+
Let’s create a playbook for use in Cloud SIEM.
577577

578578
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
579579
1. You can click on any of the existing playbooks which will open the playbook diagram in the sidebar on the right. You can view here the individual nodes and sequences in the selected playbooks, to give you an idea of the type of actions and structures that you can create with custom playbooks. Playbooks can have any number of actions, as well as branching conditions to manage different sequences of actions, depending on selected criteria. You can click on any component of a playbook to see more detailed information about each node.
580-
1. Let's create a playbook of our own. Click the plus icon near the top to create a new playbook.
580+
1. Click the **+** icon near the top to create a new playbook.
581581
1. Enter a name, for example, **Test Playbook**. You can optionally enter a description. Select **Cloud SIEM** as the **Type** for the playbook.
582582
1. Click **Create** when finished.<br/>On the following screen you will see the starting template for your new (empty) playbook, with "Start" and "End" nodes.
583583
1. Switch to edit mode by clicking on the **Edit** (pencil) icon in the bottom toolbar.
584584
1. Before we start adding actions to our playbook, we’ll want to set up the initial configuration of the playbook so we get the proper inputs from the Cloud SIEM Insight.
585585
1. Mouse over the Start node, and click on the Edit (pencil) icon.
586586
1. In the Edit Node popup, select **Insight** from the playbook input parameters dropdown. Choosing **Insight** will automatically populate the popup view with a number of input parameters that will be added to the playbook from the corresponding Insight.
587-
1. Click **Update** to save and close the input parameters.
587+
1. Click **Update** to save and close the input parameters.
588+
1. Add an action node:
589+
1. Click the **+** button on the Start node.
588590
1. Select **Action** from the node type options.
589-
1. Fill in a node name, for example, “Get Insight Details”
591+
1. Fill in a node name, for example, “Get Insight Details”.
590592
1. From the **Integration** options, select **Sumo Logic Cloud SIEM**.
591593
1. For **Type**, ensure **Enrichment** is selected.
592594
1. As the **Action**, select **Get Insight V2**.
593-
1. as the **Insight ID**, select **CSE Insight ID**.
594-
1. Click **Create** when finished.
595-
1. Add another action to the playbook by clicking the **+** icon on the **Get Insight Details** node you just created. Use the parameters outlined below:
596-
1. Name: “Get VirusTotal Info”
597-
1. Integration: “VirusTotal V3”
598-
1. Type: “Enrichment”
599-
1. Action: “IP Reputation”
600-
1. For the IPs field, click the “cog” icon on the right, and select the “Get Insight Details” action. Then find the “output.entity.ip.address” field and select it.
601-
1. Click Update to save the new action.
602-
1. Add another action to the playbook by clicking the **+** icon on the “Get VirusTotal Info” node you just created. Use the parameters outlined below:
603-
1. Name: “Add Entity Enrichment”
604-
1. Integration: “Sumo Logic Cloud SIEM”
605-
1. Type: “Notification”
606-
1. Action: “Add Entity Enrichment”
607-
1. Entity ID: “cog” icon > Get Insight Details > output.entity.id
608-
1. Enrichment Name: “VirusTotal IP Reputation”
609-
1. Raw JSON: “cog” icon > Get VirusTotal Info > output.raw
610-
1. You can leave the other fields blank. Click **Update** to save the action.
611-
1. Playbooks also allow “condition” nodes that can switch execution branches depending on the true/false results of a given expression. Let’s add a condition node to our playbook that will differentiate the execution branch depending on the severity of the insight.
612-
1. Click the **+** icon under our last action (the blue “Add Entity Enrichment” action). Choose a Condition node.
613-
1. Click the pencil icon to edit the new Condition node.
614-
1. For the top “select a value”, select the “output.severity” option from the “Get Insight Details” action. Make sure “==” is selected in the middle row.
615-
1. For the bottom “select a value” field, add a manual value: “High”.
616-
1. Click **Update** to save the Condition node.
617-
1. Click the ‘plus’ icon under the Condition node to create a new node. Select “Action” for this new node.
618-
1. Set the Name for this action to “Send Notification Email”.
619-
1. For the Integration, select “Basic Tools”. Set Type to be “Notification” and Action to be “Send Email”.
620-
1. For Recipients, enter an email address (real or fake). Make sure you hit Enter after typing the email address to signal the Recipients field to parse and accept the email address.
621-
1. Type in a subject into the Subject field “High Severity Insight detected”.
622-
1. When composing content for an email notification, you have the option of using input parameters from earlier nodes in the playbook in addition to any desired custom text. Click on the “{ }” icon to add a parameter field to your HTML Content (Body) text.
623-
1. Click on the red parameter box that appears and select a source for the desired input parameter (for instance: “Insight.Severity” or “Get Insight Details.output.name”). The parameter box will turn green once you have selected a valid source parameter. You can add custom text before or after the source parameter.
624-
1. Add one or more source parameters and accompanying custom text to outline what you want the email to say (for instance, explain that a high severity insight has been detected with the following details: name, timestamp, etc).
595+
1. As the **Insight ID**, select **Insight ID**.
596+
1. Click **Create**.
597+
1. Add another action to the playbook by clicking the **+** icon on the **Get Insight Details** node you just created and selecting **Action**. Use the parameters outlined below:
598+
1. **Name**: “Get VirusTotal Info”
599+
1. **Integration**: **VirusTotal**
600+
1. **Type**: **Enrichment**
601+
1. **Action**: **IP Reputation**
602+
1. For the **IP** field, click the cog icon on the right, and select the **Get Insight Details** action. Then find the **output.entity.ip.address** field and select it.
603+
1. Click **Create** to save the new action.
604+
1. Add another action to the playbook by clicking the **+** icon on the **Get VirusTotal Info** node you just created and selecting **Action**. Use the parameters outlined below:
605+
1. **Name**: “Add Entity Enrichment”
606+
1. **Integration**: **Sumo Logic Cloud SIEM Internal**
607+
1. **Type**: **Notification**
608+
1. **Action**: **Add Entity Enrichment**
609+
1. **Entity ID**: Click the cog icon on the right, and select the **Get Insight Details** action. Then find the **output.entity.id** field and select it.
610+
1. **Enrichment Name**: “VirusTotal IP Reputation”
611+
1. **Raw JSON**: Click the cog icon, select **Get VirusTotal Info**, then select **output.raw**.
612+
1. You can leave the other fields blank. Click **Create** to save the action.
613+
1. Playbooks also allow condition nodes that can switch execution branches depending on the true/false results of a given expression. Let’s add a condition node to our playbook that will differentiate the execution branch depending on the severity of the insight.
614+
1. Click the **+** icon under our last action (the blue **Add Entity Enrichment** action). Choose the **Condition** node type.
615+
1. For the top **select a value**, select **Get Insight Details**, and then **output.severity** option.
616+
Make sure **==** is selected in the middle row.
617+
1. For the bottom **select a value** field, add a manual value: **High**.
618+
1. Click **Create** to save the Condition node.
619+
1. Click the **+** icon under the **Condition** node to create a new node. Select **Action** for this new node. Use the parameters outlined below:
620+
1. **Name**: "Send Notification Email"
621+
1. **Integration**: **Basic Tools**
622+
1. **Type**: **Notification**
623+
1. **Action**: **Send Email**.
624+
1. For **Recipients**, enter an email address (real or fake). Make sure you press Enter after typing the email address to signal the **Recipients** field to parse and accept the email address.
625+
1. Type in a subject into the **Subject** field: “High Severity Insight detected”.
626+
1. In **HTML Content (Body)**, click on the `{ }` icon to add a parameter field to your text. When composing content for an email notification, you have the option of using input parameters from earlier nodes in the playbook in addition to any desired custom text.
627+
1. Click on the red parameter box that appears and select a source for the desired input parameter (for instance, **Get Insight Details.output.name**). The parameter box will turn green once you have selected a valid source parameter. You can add custom text before or after the source parameter.
628+
1. Add one or more source parameters and accompanying custom text to outline what you want the email to say (for instance, explain that a high severity insight has been detected with the following details: name, timestamp, and so on).
625629
1. Click **Create** when finished with this action.
626-
1. When you’ve created your final node(s) for your playbook, manually drag the mouse cursor from the gray connection circle on the right side of the Email Notification node to the left connection area of the “End” node. Drag and connect the “failure” end of the condition node to the End node as well.
627-
1. Verify that the Start > End node sequence for all branches have been completed – it will look more or less like the screenshot below. (Note that you can always drag playbook elements anywhere in the playbook canvas for clarity or organization).
628-
1. Click the disk (**Save**) icon at the bottom to save your playbook.
629-
1. You can test your playbook before publishing by going to the “triple dot” icon in the upper right corner and selecting **Run Test**.
630-
1. After testing and troubleshooting playbook details (if needed), click the **Publish** (clipboard) icon next to the edit/pencil icon to publish your playbook. (You can add a description here if you wish.)
630+
1. When you’ve created your final node(s) for your playbook, manually drag the mouse cursor from the gray connection circle on the right side of the **Email Notification** node to the left connection area of the **End** node. Drag and connect the “failure” end of the condition node to the **End** node as well.
631+
1. Verify that the **Start > End** node sequence for all branches have been completed. (Note that you can always drag playbook elements anywhere in the playbook canvas for clarity or organization.)
632+
1. Click **Save** (disk) icon at the bottom to save your playbook.
633+
1. You can test your playbook before publishing by going to the “triple dot” icon in the upper-right corner and selecting **Run Test**.
634+
1. After testing and troubleshooting playbook details (if needed), click the **Publish** (clipboard) icon next to the edit/pencil icon to publish your playbook. You can add a description here if you wish.
635+
636+
#### Create a custom incident template
637+
638+
Incident templates define which attributes will be automatically set each time an incident is generated. These attributes include incident type, classification, assignment, playbooks, and many others. For example, you may want to automatically assign certain incoming incidents to a certain analyst based on their timezone or area of expertise. Or, you might want to automatically run a playbook on all incoming incidents.
639+
640+
In this section, we’ll create a custom incident template. This template will automatically assign the playbook you created earlier to certain new incidents, and then automatically run it.
641+
642+
1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon <img src={useBaseUrl('img/cloud-soar/cloud-soar-settings-icon.png')} alt="Settings menu icon" style={{border: '1px solid gray'}} width="25"/> in the top right, select **Automation**, and then select **Incident templates** in the left nav bar. <br/>[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**.
643+
1. Near the top, click the **+** icon to create a new template.
644+
1. In the **Name** provide a name for the template.
645+
1. In the **Category** field enter a category, for example, **Test**.
646+
1. Click the **Incident** tab.
647+
1. Leave the fields as their defaults, and select **General** for **Type**.
648+
1. Click **Apply** to create the template. The template is displayed.
649+
1. Click the **+** icon next to **Playbook** to add a new playbook.
650+
1. Select the check mark next to the playbook you created in the previous section.
651+
1. Click **Add**.
652+
1. Toggle the **Autorun** switch to the **Enabled** (blue) position.
653+
654+
#### Automation rules
655+
656+
Automation rules define what happens when data is received from a source. These rules allow specific data to be parsed from the incoming data sources and then acted upon automatically.
657+
658+
Automation rules can automatically pull information from sources. They can also execute playbooks based on certain criteria. For example, you might want to pull Insights from Cloud SIEM once an hour and create incidents from them. Then, you could configure a rule that runs a playbook based on the tags in the Incident. This way, the entire incident response cycle is automated: Cloud SIEM identifies a threat, and playbooks in Cloud SOAR are automatically deployed to contain and eradicate the threats, restore systems, and email a final report for an analyst to review.
659+
660+
#### Create a custom automation rule
661+
662+
In this section, we’ll create a custom automation rule. This rule will pull information from Cloud SIEM every five hours.
663+
664+
1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon <img src={useBaseUrl('img/cloud-soar/cloud-soar-settings-icon.png')} alt="Settings menu icon" style={{border: '1px solid gray'}} width="25"/> in the top right, select **Automation**, and then select **Rules** in the left nav bar. <br/>[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Rules**.
665+
1. Near the top, click the **+** icon to create a new rule.
666+
1. Enter a **Name** for the rule.
667+
1. For **Integration daemon**, select **Sumo Logic Insights Daemon Extended**.
668+
1. For **Integration resource**, select **Sumo Logic CSE Resource**.
669+
1. For **Search performed every**, type **5** then select **Hours**.
670+
1. Leave the other fields as their defaults, then click **Save**.
671+
1. As a best practice, you can enable and test the new rule, but then disable it, since it can disrupt your environment. Continue testing your rule until their behavior is expected before deciding to enable it.
631672

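Review bot: the Cloud SIEM integration is named two different ways inside the same playbook procedure: the Get Insight Details node (unchanged context, "From the **Integration** options, select **Sumo Logic Cloud SIEM**") keeps the old name, while the new Add Entity Enrichment step says "**Integration**: **Sumo Logic Cloud SIEM Internal**". If these are two distinct integrations, say so; otherwise use one name in both steps. Two smaller points in the added sections: the Classic UI / New UI links point at `/docs/cloud-soar/overview#classic-ui` and `#new-ui`, while the playbook step earlier in the same hunk links to `/docs/get-started/sumo-logic-ui-classic` and `/docs/get-started/sumo-logic-ui`, so pick one target; and the last automation-rule step, "Continue testing your rule until their behavior is expected", should read "until its behavior is as expected". It would also help to spell out what "disrupt your environment" means here, since the pieces are all in this hunk: with **Autorun** enabled on the template, every incident the rule creates from pulled Insights runs the playbook, which sends each entity IP to VirusTotal and emails the recipient for every high-severity insight.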