diff --git a/docs/cloud-soar/automation.md b/docs/cloud-soar/automation.md
index 69ddc1a54a..1360202766 100644
--- a/docs/cloud-soar/automation.md
+++ b/docs/cloud-soar/automation.md
@@ -10,9 +10,9 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
The **Automation** section contains configuration tools for Cloud SOAR's automation and orchestration features.
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access Automation, click the gear icon
in the top right and select **Automation**.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access Automation, click the gear icon
in the top right and select **Automation**.
-[**New UI**](/docs/cloud-soar/overview#new-ui). To access Automation, in the main Sumo Logic menu select **Automation**.
+[**New UI**](/docs/get-started/sumo-logic-ui/). To access Automation, in the main Sumo Logic menu select **Automation**.
Because Cloud SOAR provides automation functionality to the [Automation Service](/docs/platform-services/automation-service/), many features are identical between Cloud SOAR and the Automation Service. Therefore, for information about the following Cloud SOAR features, see the Automation Service articles:
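Review bot: The new targets for the **Classic UI** and **New UI** labels (`/docs/get-started/sumo-logic-ui-classic/` and `/docs/get-started/sumo-logic-ui/`) are the general Sumo Logic UI tours, yet this same patch adds `docs/cloud-soar/menus.md` with its own `## Classic UI` and `## New UI` sections. If the intent is to show readers where the Cloud SOAR entries sit in each UI, consider linking to `/docs/cloud-soar/menus/#classic-ui` and `/docs/cloud-soar/menus/#new-ui` instead. Otherwise, state in the commit message why the platform-level pages were preferred.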
@@ -47,11 +47,11 @@ Incident templates define the way in which incidents will be created for a speci
### Create a new incident template
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
in the top right, select **Automation**, and then select **Incident templates** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon
in the top right, select **Automation**, and then select **Incident templates** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**.
1. Click **+** to the left of **Template**.
1. Define the template:
1. **Template name**. Enter a name that is easily identifiable and related to the activity it is developed for.
- 1. **Category**. Enter a category for this template. For example, suppose we're building a template for a DLP incident. We might enter a category named **Data Theft**, but we can enter anything we want that will help us group incident templates in the future. You can customize this field to fit your environment, as well as all other fields in Cloud SOAR (see [Custom fields](/docs/cloud-soar/overview/#custom-fields)).
+ 1. **Category**. Enter a category for this template. For example, suppose we're building a template for a DLP incident. We might enter a category named **Data Theft**, but we can enter anything we want that will help us group incident templates in the future. You can customize this field to fit your environment, as well as all other fields in Cloud SOAR (see [Custom fields](/docs/cloud-soar/settings/#custom-fields)).
1. **Tags**. Enter any tags to further categorize or define the incident. You can use these tags later when searching for or correlating events.
1. Click **Incident** at the top of the dialog.
1. Define any incident parameters you want to set by default when an incident is creating using the template:
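Review bot: The unchanged step that closes this hunk reads "when an incident is creating using the template". Since the surrounding steps are being edited anyway, change it to "when an incident is created using the template" in the same pass.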
@@ -116,7 +116,7 @@ Automation rules allow specific data to be parsed from the incoming data sources
### Create an automation rule
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
in the top right, select **Automation**, and then select **Rules** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon
in the top right, select **Automation**, and then select **Rules** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.
1. Click **+** to the left of **Rules**.
1. Select a name for the rule, then select the daemon to use with this new rule, the resource, and fill in all the remaining parameters.
1. Click **Save**. The new rule is displayed.
@@ -196,7 +196,7 @@ After you create a Slack app, you must add the appropriate permissions for use w
Now you must configure the Slack integration in Cloud SOAR to use the Bot OAuth Token and Signing Secret you saved in the previous step. These tokens will give the Slack integration the permissions it needs to perform the tasks in the scopes you set up.
1. Add resources for the tokens:
- 1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon
in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**.
1. Select the Slack integration. The integration's resources appear.
1. Click **+** to add a new Resource.
1. Name the resource "Bot User OAuth Access Token".
@@ -204,7 +204,7 @@ Now you must configure the Slack integration in Cloud SOAR to use the Bot OAuth
1. Click **TEST** to verify configuration.
1. Once you have filled in all the required fields, click **SAVE**.
1. Configure instant messaging:
- 1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
in the top right and select **Settings**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General Settings**. You can also click the **Go To...** menu at the top of the screen and select **General**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon
in the top right and select **Settings**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General Settings**. You can also click the **Go To...** menu at the top of the screen and select **General**.
1. Scroll down and open **Instant Messaging**.
1. For **Integration** select Slack.
1. Paste your previously saved Bot User OAuth Access Token to the **Bot OAuth** field.
diff --git a/docs/cloud-soar/incidents-triage.md b/docs/cloud-soar/incidents-triage.md
index 7ed0c3aee8..e1a958fedb 100644
--- a/docs/cloud-soar/incidents-triage.md
+++ b/docs/cloud-soar/incidents-triage.md
@@ -10,9 +10,9 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
## SecOps and Dashboard
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR**.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR**.
-[**New UI**](/docs/cloud-soar/overview#new-ui). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**.
+[**New UI**](/docs/get-started/sumo-logic-ui/). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**.
The SecOps screen is where all your current tasks reside. Here you can approve, decline, and close tasks as well as customize this section to display all tasks assigned to a specific user or group.
@@ -24,9 +24,9 @@ Select **Dashboard** in the upper left corner to see dashboards showing your tas
Incidents are events that require investigation and remediation. Incidents are at the heart of Cloud SOAR.
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access incidents, in the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access incidents, in the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
-[**New UI**](/docs/cloud-soar/overview#new-ui). To access incidents, in the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
+[**New UI**](/docs/get-started/sumo-logic-ui/). To access incidents, in the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
The **Incidents** screen lists all Cloud SOAR incidents. Clicking on any of the incident IDs will open the incident. You can configure what incidents are displayed by creating queries against available incident data and saving them as incident filters.
@@ -182,20 +182,20 @@ Investigators are users who are involved in incidents and have access to perform
To add investigators to incidents:
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). At the top of the screen, click **Incidents**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
1. Check the incidents you want to add investigators to.
1. Click the three-dot kebab menu in the upper left-hand corner of the screen.
1. Select **Add Investigator**.
The **Add Investigator** screen is displayed.
1. Select the investigators to add to the selected incidents.
:::info
- You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/overview/#groups).
+ You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/settings/#groups).
:::
1. In the **Role** column, select the role assigned to the users that you want them to have as investigators. For example, select Analyst, Administrator, or some other role. The roles must have the appropriate Cloud SOAR role capabilities that you want them to have as investigators of the incidents. (If you are selecting a group as an investigator, you cannot change the group's assigned role here. You can only change the group's role on the group itself.)
1. Click **Apply**.
#### View investigators assigned to an incident
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). At the top of the screen, click **Incidents**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
1. Select an incident. The investigators appear in the **Investigators** widget.
1. To add another investigator to the incident, click the **+** icon in the upper-right of the dialog.
1. To remove an investigator from the incident, hover your mouse over the investigator name and click the trash can icon that appears to the right.
@@ -227,8 +227,8 @@ Cloud SOAR generates incidents with an automated process:
#### Create a new incident manually
1. To create an incident manually, click the **+** button at the top of the **Incidents** screen.
-1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/overview/#custom-fields).
-1. One of the most important fields is the **Type** field. This field will dictate which playbooks will be recommended later on in the configuration process. See [custom fields](/docs/cloud-soar/overview/#custom-fields) to modify the variables displayed in the **Type** field.
+1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/settings/#custom-fields).
+1. One of the most important fields is the **Type** field. This field will dictate which playbooks will be recommended later on in the configuration process. See [custom fields](/docs/cloud-soar/settings/#custom-fields) to modify the variables displayed in the **Type** field.
1. Click **Next**.
1. Once you complete the **Details** page, you will want to assign appropriate playbooks to be associated with the incident. In addition to adding playbooks to the incident, you can also decide whether you want the playbook to automatically execute upon incident creation by sliding the **Autorun** button to **On**.
1. Click **Next**.
@@ -255,7 +255,7 @@ The incident properties section in the center contains all the important informa
### Overview tab
-The incident **Overview** tab contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be configured in [custom fields](/docs/cloud-soar/overview/#custom-fields).
+The incident **Overview** tab contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be configured in [custom fields](/docs/cloud-soar/settings/#custom-fields).
### Operations tab
@@ -334,9 +334,9 @@ To add an attachment, click **+** to the left of the search bar and provide a de
The **Triage** screen shows events that have been recorded but not yet converted to incidents.
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**.
-[**New UI**](/docs/cloud-soar/overview#new-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**.
+[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**.
@@ -361,7 +361,7 @@ Let's suppose you want to look at a pending event to determine if it needs inves
By default, the triage module contains two fields, `Status` and `Type`. Additional values may be added to the `Status` field; however, the `Type` field is directly linked to the incident type field and cannot be modified directly.
-New types must be added from the incidents section of the **Custom Fields** page. Up to 100 custom fields and be created for the triage module, allowing customization for any use case. To add additional custom fields for triage, see [Custom fields](/docs/cloud-soar/overview/#custom-fields).
+New types must be added from the incidents section of the **Custom Fields** page. Up to 100 custom fields and be created for the triage module, allowing customization for any use case. To add additional custom fields for triage, see [Custom fields](/docs/cloud-soar/settings/#custom-fields).
Note that to be able to filter events in the triage module based on the values of a field, **Use as filter** must be checked when adding or modifying a field. As fields are created, they will be assigned a number starting at `1`, which will be used to identify the field when adding events via the API. The first field added will be identified as `opt_1`, the second as `opt_2`, and so on. Regardless of the ordering of the fields on the screen, these numbers will remain the same. If a field is deleted, the number will not be reused. For example, if you have defined `opt_1` through `opt_8` and delete the field `opt_8`, the next field added will still become `opt_9`. It is important to remember these field numbers, as they will be used when the API is invoked.
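Review bot: The rewritten line still carries the typo "Up to 100 custom fields and be created for the triage module". It should read "can be created". The line is already being touched for the link change, so fix the wording in the same edit.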
@@ -393,9 +393,9 @@ When creating incidents from Insights, adding additional required attributes to
The **Entities** screen shows information about entities, unique actors encountered in incoming messages, such as a user, IP address, or host. Entities displayed here are from all incidents. To see entities associated with a specific incident, see [Entities tab](#entities-tab).
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR**, and then click the **Entities** button at the top of the screen.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR**, and then click the **Entities** button at the top of the screen.
-[**New UI**](/docs/cloud-soar/overview#new-ui). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR > Entities**.
+[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR > Entities**.
@@ -437,7 +437,7 @@ Watch the following micro lesson to learn about dashboards.
You can create dashboards in Cloud SOAR similar to dashboards in the core Sumo Logic platform. You can also [create widgets](#create-widgets) to use in the dashboards that display text, graphs, and charts containing details about incidents and other aspects of Cloud SOAR.
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Go to the home screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Go to the home screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**.
1. Select **Dashboard** in the upper-left corner of the UI.
1. Click the **+** icon in the upper-right corner of the UI and select **New Dashboard**.})
A blank dashboard screen appears.
1. Click on the name of the blank dashboard (such as **Dashboard 2** in the example), and give the dashboard a name. Click **No description available** and type a description.
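Review bot: The added step 1 keeps the misspelled menu entry "select **ecOps & Dashboard**". It should be **SecOps & Dashboard**, matching the menu name used earlier in the same sentence. The context line "select **New Dashboard**.})" also ends in a stray `})`. If that is present in the source file, remove it while the section is open.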
@@ -452,7 +452,7 @@ You can create dashboards in Cloud SOAR similar to dashboards in the core Sumo L
You can create widgets as needed to help analysts and administrators quickly get the information they need. Widgets are reusable pieces that display information in different forms, such as text, pie chart, bar chart, graph, or table.
1. Open the widgets panel:
- 1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Go to the home screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Go to the home screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**.
1. Select **Dashboard** in the upper-left corner of the UI.
1. Select a dashboard.
1. Click the **Edit** button. })
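Review bot: The added sub-step under "Open the widgets panel" still says "select **ecOps & Dashboard**". Correct it to **SecOps & Dashboard** so the **Go To...** entry matches the sidebar name in the same line. The trailing `})` after "Click the **Edit** button." looks like leftover markup and should go if it is in the file.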
@@ -492,7 +492,7 @@ Let's suppose we want to create a dashboard that shows the current open and froz
With the **Report** option, you can create incident reports to share with others as well as [widgets](#create-widgets) to use in the report that display text, graphs, tables, and charts containing details about incidents and other aspects of Cloud SOAR.
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
in the top right and select **Report**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Report**. You can also click the **Go To...** menu at the top of the screen and select **Report**.
The Report UI appears.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon
in the top right and select **Report**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Report**. You can also click the **Go To...** menu at the top of the screen and select **Report**.
The Report UI appears.
1. Click the **+** icon in the upper left corner.
1. On the right side, select widgets to add to the report from **My Widgets** or **Public**. These are the same widgets that are available to use in [dashboards](#create-a-dashboard). Widgets can be graphs, charts, tables, or any kind of visual element that contains information. Click **New** to [create a new widget](#create-widgets). Click **Show List** to see all available widgets.
1. Rearrange the widgets in the report as needed.
diff --git a/docs/cloud-soar/index.md b/docs/cloud-soar/index.md
index b10d5b5d29..f6a2870ab7 100644
--- a/docs/cloud-soar/index.md
+++ b/docs/cloud-soar/index.md
@@ -31,6 +31,18 @@ This section contains the following topics:
Compare the features of Cloud SOAR with the Automation Service.
+Setup and configuration options for the Cloud SOAR platform.
+Navigate menus in Cloud SOAR.
+
+1. Navigate to the SecOps page.
1. Near the top left corner, above your user name, click **Dashboard**.
-1. Navigate to the **Incidents** page.
-1. Navigate to the **Entities** page.
-1. Visit the Support page.
+1. Navigate to the **Entities** page.
+1. Visit the Support page.
@@ -271,7 +271,7 @@ In order to prepare for the next potential threat, you’ll need to set up alert
In this section, you’ll create and customize a dashboard using widgets.
-1. Navigate to the Cloud SOAR SecOps page.
1. Click on one or more of the available widgets to add them to the report. (You can create new widgets using the same process as in the previous section about [creating a dashboard](#create-a-dashboard)).
1. Click **Save** when you've finished designing your report.
@@ -351,31 +351,31 @@ Cloud SOAR administrators have privileged access to the Settings and Automation
##### General settings
-The **General** settings page includes sections for **System**, **Incidents**, and **Instant Messaging**. Administrators can set proxy settings and date/time formats in the **System** section. The **Incidents** section can control incident processing settings and file extension whitelisting. You can also configure integrations like Slack under **Instant Messaging**. For more information, see [General](/docs/cloud-soar/overview/#general).
+The **General** settings page includes sections for **System**, **Incidents**, and **Instant Messaging**. Administrators can set proxy settings and date/time formats in the **System** section. The **Incidents** section can control incident processing settings and file extension whitelisting. You can also configure integrations like Slack under **Instant Messaging**. For more information, see [General](/docs/cloud-soar/settings/#general).
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access general settings, click the gear icon
##### Groups
-Basic user management and role-based access control (RBAC) is done through the main Sumo Logic interface; however, you can create user groups specific to Cloud SOAR through the **Groups** page. For more information, see [Groups](/docs/cloud-soar/overview/#groups).
+Basic user management and role-based access control (RBAC) is done through the main Sumo Logic interface; however, you can create user groups specific to Cloud SOAR through the **Groups** page. For more information, see [Groups](/docs/cloud-soar/settings/#groups).
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access groups settings, click the gear icon
##### Event Triggers
-The **Event Triggers** page contains a list of triggers where you can configure default email notifications whenever key events happen. For more information, see [Notifications](/docs/cloud-soar/overview/#notifications).
+The **Event Triggers** page contains a list of triggers where you can configure default email notifications whenever key events happen. For more information, see [Notifications](/docs/cloud-soar/settings/#notifications).
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access event triggers settings, click the gear icon
@@ -384,17 +384,17 @@ The **Event Triggers** page contains a list of triggers where you can configure
You can use additional settings to customize fields, incident labels, and triage information. Use these settings to customize many of the templates, field names, and incident names used in the views and reports your analysts generate. You can also set the defaults for incident triage.
See:
-* [Custom fields](/docs/cloud-soar/overview/#custom-fields)
-* [Incident labels](/docs/cloud-soar/overview/#incident-labels)
-* [Triage](/docs/cloud-soar/overview/#triage-1)
+* [Custom fields](/docs/cloud-soar/settings/#custom-fields)
+* [Incident labels](/docs/cloud-soar/settings/#incident-labels)
+* [Triage](/docs/cloud-soar/settings/#triage)
#### Exploring Cloud SOAR Automations
In addition to settings, Cloud SOAR administrators have privileged access to the Automation section of the platform. For more information, see [Cloud SOAR Automation](/docs/cloud-soar/automation/).
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access Automation, click the gear icon
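Review bot: In the "See:" list, the Triage link changes both its page and its fragment, from `/docs/cloud-soar/overview/#triage-1` to `/docs/cloud-soar/settings/#triage`. The old `-1` suffix suggests the heading was a duplicate on the overview page. Please confirm that the settings page has exactly one Triage heading, so that `#triage` resolves and lands on the custom-fields triage section rather than another heading of the same name. A broken-anchor check in the docs build would catch this and the other `settings/#...` fragments introduced here.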
@@ -422,9 +422,9 @@ Fields can be used to apply advanced filters or add them as a new column in the
#### Define and test a custom field
-In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance. For more information, see [Custom fields](/docs/cloud-soar/overview/#custom-fields).
+In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance. For more information, see [Custom fields](/docs/cloud-soar/settings/#custom-fields).
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
-The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/overview/#custom-fields)** page).
+The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/settings/#custom-fields)** page).
To add additional custom fields (up to 100), select **Triage** from the **Custom Fields** list. To add a custom field, click the **+** button in the upper left of the display and set the field properties as desired. Make sure to check **Use as filter** if you want your new custom field to be filterable in the triage module.
@@ -634,7 +634,7 @@ Incident templates define which attributes will be automatically set each time a
In this section, we’ll create a custom incident template. This template will automatically assign the playbook you created earlier to certain new incidents, and then automatically run it.
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
-For more information about Custom Fields, see [Customization](/docs/cloud-soar/overview/#custom-fields).
+For more information about Custom Fields, see [Customization](/docs/cloud-soar/settings/#custom-fields).
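Review bot: The last added line labels the link "Customization" while pointing at `/docs/cloud-soar/settings/#custom-fields`. Every other reference in this patch labels that target "Custom fields". Rename the label to "Custom fields" so the link text matches the heading the reader arrives at.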
diff --git a/docs/cloud-soar/menus.md b/docs/cloud-soar/menus.md
new file mode 100644
index 0000000000..8a8de14eb0
--- /dev/null
+++ b/docs/cloud-soar/menus.md
@@ -0,0 +1,106 @@
+---
+id: menus
+title: Cloud SOAR Menus
+sidebar_label: Menus
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This article describes the menus and navigation options for Cloud SOAR.
+
+## Classic UI
+
+The classic UI is the traditional way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic Classic UI](/docs/get-started/sumo-logic-ui-classic).
+
+### Top menu
+
+This menu appears at the top of the Cloud SOAR screen:
+
+Use the top menu to access:
+* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
+* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents.
+*
+
+Use the **Settings** menu to access:
+* [**Automation**](/docs/cloud-soar/automation/). Configure Cloud SOAR's automation and orchestration features.
+* [**Settings**](/docs/cloud-soar/settings/). Configure Cloud SOAR settings.
+* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports.
+
+## New UI
+
+The new UI provides a streamlined way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic UI](/docs/get-started/sumo-logic-ui).
+
+### Cloud SOAR sidebar menu
+
+Click **Cloud SOAR** in the main Sumo Logic menu to open the sidebar menu.
+
+Use the **Cloud SOAR** sidebar menu to access:
+* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR.
+* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
+* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents.
+* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents.
+* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports.
+
+### Automation sidebar menu
+
+Click **Automation** in the main Sumo Logic menu to open the sidebar menu.
+
+Use the **Automation** sidebar menu to access:
+* [**App Central**](/docs/platform-services/automation-service/app-central/). Add new integrations and playbooks to your environment.
+* [**Playbooks**](/docs/platform-services/automation-service/automation-service-playbooks/). Create playbooks to run automated actions.
+* [**Template**](/docs/cloud-soar/automation/#incident-templates). Create incident templates.
+* [**Integrations**](/docs/platform-services/automation-service/automation-service-integrations). Manage integrations with vendors.
+* [**Rules**](/docs/cloud-soar/automation/#automation-rules). Create automation rules.
+* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations.
+
+### Top menu
+
+This menu appears at the top of the screen:
+
+Use the top menu to access:
+
+*
+
+Use the **Go To...** menu to access these Cloud SOAR features:
+* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations.
+* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents.
+* [**Fields**](/docs/cloud-soar/settings/#custom-fields). Customize fields to better suit your environment.
+* [**General**](/docs/cloud-soar/settings/). Configure general Cloud SOAR settings.
+* [**Groups**](/docs/cloud-soar/settings/#groups). Create a group of users that can be added as incident investigators.
+* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
+* [**Incident Labels**](/docs/cloud-soar/settings/#incident-labels). Define labels for the different types of incidents that will be investigated.
+* [**Notifications**](/docs/cloud-soar/settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users.
+* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports.
+* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR.
+* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents.
+
+### Configuration menu
+
+The **Configuration** menu allows you to configure Sumo Logic features, including for Cloud SOAR. To access this menu, click
+
+Use the **Configuration** menu to access:
+* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
+* [**Fields**](/docs/cloud-soar/settings/#custom-fields). Customize fields to better suit your environment.
+* [**Incident Labels**](/docs/cloud-soar/settings/#incident-labels). Define labels for the different types of incidents that will be investigated.
+
+### Administration menu
+
+The **Administration** menu allows you to administer Sumo Logic features, such as for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/). You can also administer Cloud SOAR features. To access this menu, click
+
+Use the **Administration** menu to access:
+* [**General**](/docs/cloud-soar/settings/#general). Configure general Cloud SOAR settings.
+* [**Notifications**](/docs/cloud-soar/settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users.
+* [**Groups**](/docs/cloud-soar/settings/#groups). Create a group of users that can be added as incident investigators.
\ No newline at end of file
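Review bot: The two **General** entries in this file link to different targets: the **Go To...** list uses `/docs/cloud-soar/settings/` while the **Administration** list uses `/docs/cloud-soar/settings/#general`. Point both at the same target, and confirm that the new settings page actually has a heading that produces the `#general` anchor. The link style is also mixed within the file (`/docs/get-started/sumo-logic-ui` and `.../automation-service-bridge` have no trailing slash, while most others do), and the file ends without a trailing newline.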
diff --git a/docs/cloud-soar/overview.md b/docs/cloud-soar/overview.md
index 1204b4aef6..4b23b0d1af 100644
--- a/docs/cloud-soar/overview.md
+++ b/docs/cloud-soar/overview.md
@@ -80,308 +80,6 @@ import Theme from '../reuse/dark-light-theme.md';
-
-Use the top menu to access:
-* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
-* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents.
-*
-
-Use the **Settings** menu to access:
-* [**Automation**](/docs/cloud-soar/automation/). Configure Cloud SOAR's automation and orchestration features.
-* [**Settings**](/docs/cloud-soar/overview/#settings). Configure Cloud SOAR settings.
-* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports.
-
-### New UI
-
-The new UI provides a streamlined way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic UI](/docs/get-started/sumo-logic-ui).
-
-#### Cloud SOAR sidebar menu
-
-Click **Cloud SOAR** in the main Sumo Logic menu to open the sidebar menu.
-
-Use the **Cloud SOAR** sidebar menu to access:
-* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR.
-* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
-* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents.
-* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents.
-* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports.
-
-#### Automation sidebar menu
-
-Click **Automation** in the main Sumo Logic menu to open the sidebar menu.
-
-Use the **Automation** sidebar menu to access:
-* [**App Central**](/docs/platform-services/automation-service/app-central/). Add new integrations and playbooks to your environment.
-* [**Playbooks**](/docs/platform-services/automation-service/automation-service-playbooks/). Create playbooks to run automated actions.
-* [**Template**](/docs/cloud-soar/automation/#incident-templates). Create incident templates.
-* [**Integrations**](/docs/platform-services/automation-service/automation-service-integrations). Manage integrations with vendors.
-* [**Rules**](/docs/cloud-soar/automation/#automation-rules). Create automation rules.
-* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations.
-
-#### Top menu
-
-This menu appears at the top of the screen:
-
-Use the top menu to access:
-
-*
-
-Use the **Go To...** menu to access these Cloud SOAR features:
-* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations.
-* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents.
-* [**Fields**](/docs/cloud-soar/overview/#custom-fields). Customize fields to better suit your environment.
-* [**General**](#settings). Configure general Cloud SOAR settings.
-* [**Groups**](#groups). Create a group of users that can be added as incident investigators.
-* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
-* [**Incident Labels**](#incident-labels). Define labels for the different types of incidents that will be investigated.
-* [**Notifications**](#notifications). Configure notifications to Cloud SOAR users as well as other external users.
-* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports.
-* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR.
-* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents.
-
-#### Configuration menu
-
-The **Configuration** menu allows you to configure Sumo Logic features, including for Cloud SOAR. To access this menu, click
-
-Use the **Configuration** menu to access:
-* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action.
-* [**Fields**](/docs/cloud-soar/overview/#custom-fields). Customize fields to better suit your environment.
-* [**Incident Labels**](#incident-labels). Define labels for the different types of incidents that will be investigated.
-
-#### Administration menu
-
-The **Administration** menu allows you to administer Sumo Logic features, such as for for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/). You can also administer Cloud SOAR features. To access this menu, click
-
-Use the **Administration** menu to access:
-* [**General**](#general). Configure general Cloud SOAR settings.
-* [**Notifications**](#notifications). Configure notifications to Cloud SOAR users as well as other external users.
-* [**Groups**](#groups). Create a group of users that can be added as incident investigators.
-
-
-## Settings
-
-The following sections detail the various setup and configuration options for the Cloud SOAR platform. Although initial configuration can be performed in any order, the following sections are ordered in the suggested order for initial configuration.
-
-### General
-
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access general settings, click the gear icon
-
-#### System
-
-* **Use Proxy**. Enter settings if you need to use a proxy for Internet access.
-* **Sticky Alert**. Set the number of seconds to display an alert in the Cloud SOAR UI when an incident generates an alert.
-* **Date/Time Format**. Set the date and time format.
-
-#### Incidents
-
-Use these settings to configure how Cloud SOAR handles [incidents](/docs/cloud-soar/incidents-triage/#incidents).
-
-* **Duplicates**.
- * **Prohibit duplicate naming**. Select this checkbox to prevent incidents from being named identically.
- * **Default suffix for duplicated incident name**. Select the suffix to add to the end of incident names to differentiate incidents that are named the same.
- * **Use suffix on non-duplicate**. Use the selected suffix on all incidents, regardless of whether they are named the same.
-* **Objects**. Gather objects, such as IP addresses, domains and email addresses, and add them to the appropriate object's section within the incident.
- * **Extract from**:
- * **Incident field**. Gather objects from the incident properties.
- * **Task field**. Gather objects from the incident tasks.
- * **Note field**. Gather objects from the the incident notes.
- * **Filename extension whitelist**. Enter filename extensions to allow when gathering objects.
-* **Process Phase**. Configure phases for monitoring progress of incidents as they progress. Determine whether the phase is **Mandatory**, and the **Status** of the incident when the phase is reached. Select **Show Deleted** to show phases on deleted incidents.
-* **Mandatory Closing Note**. Make a final incident note mandatory before the incident can be closed.
-
-#### Instant Messaging
-
-Use these settings to configure authentication for an instant messaging service such as Slack.
-
-* **Integration**. Enter the name of the instant messaging service to integrate with Cloud SOAR.
-* **Bot Oauth**. Enter the authorization token for the instant messaging service.
-* **Signing secret for verify requests**. Enter the signing secret for the instant messaging service.
-* **Workspace**. Displays success or failure of the workspace connection to Cloud SOAR.
-
-For additional setup needed for Slack, see [Configure Slack for Cloud SOAR](/docs/cloud-soar/automation/#configure-slack-for-cloud-soar).
-
-### Groups
-
-A *group* in Cloud SOAR is a collection of users that can be added as incident investigators. When you have a number of users to add as investigators, adding a group of users is faster and easier than adding each user individually. In addition, you can assign everyone in the group the same profile (role), limiting them as incident investigators to only the rights that the profile gives them.
-
-For example, let's say that you have a team of SOC analysts that share responsibility for investigating incidents. You can add all the members of the team to a group and give its members the "Analyst" profile. Then when you need to add the SOC analysts as investigators to incidents, you can simply select the group as the investigator.
-
-#### Create a group
-
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon })
-1. In **Name** enter a name for the group.
-1. In **Profile** select the role to assign to members of the group. These are [roles](/docs/manage/users-roles/roles/) already created in the system.
-1. Click **Create**. The empty group is displayed.
-1. Click the **+** icon next to **Members**.
-1. Select the users to add to the group.
-1. Click **Apply**.
-
-#### Assign a group as an incident investigator
-
-To add a group as an incident investigator, follow the same steps as described in [Add investigators](/docs/cloud-soar/incidents-triage/#add-investigators):
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
-1. Select the group to add as investigator of the selected incidents. For example, in the sample screen above, select **SOC Team**.
- :::note
- The **Role** column displays the profile assigned to the members of the group. You cannot change the group's assigned profile (role) here like you can for individual users. You can only change the group's assigned profile on the group itself.
- :::
-1. Click **Apply**. The group is added an an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group.
-
-#### Group role assignments
-
-The role specified in an assigned group profile supersedes the user's [role assignments in the Sumo Logic Log Analytics Platform](/docs/manage/users-roles/roles/add-remove-users-role/). The group permissions are persistent until the user leaves the group, the profile is removed from the group, or the group is deleted.
-
-| User | Result |
-| :-- | :-- |
-| In a group | Has the assigned group role (profile) |
-| In multiple groups | Has the sum of the roles (profiles) from all the groups it is a member of |
-| Not in a group | Has role assignments as assigned in the core platform |
-| In group without a role (profile) | Has role assignments as assigned in the core platform |
-
-### Notifications
-
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access notification settings, click the gear icon
-
-Select the icon to the right of an event to trigger a notification to be sent when that event occurs.
-
-### Custom fields
-
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access custom fields settings, click the gear icon
-
-The **Custom Fields** page allows you to customize all fields within the Cloud SOAR platform to better suit your environment. All fields are pre-populated by default and can be revised with environment-specific variables by manually creating or updating the fields. To begin defining Cloud SOAR's custom fields, select a Cloud SOAR section from the list on the left-side of the screen to view all available fields. To edit an existing field, hover your mouse over the field and select the
-
-These custom field settings will appear in the Cloud SOAR Incident screen as follows:
-
-
-
-### Incident labels
-
-The **Incident label** page allows you to define labels for different types of [incidents](/docs/cloud-soar/incidents-triage/#incidents). When incidents are created by the system, incident labels are automatically applied to the incidents. You specify the incident label to be used for each incident type when you create [incident templates](/docs/cloud-soar/automation/#incident-templates) and [automation rules](/docs/cloud-soar/automation/#automation-rules).
-
-To create an incident label:
-
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon
-1. Enter the following on the **New label** dialog:
- 1. **Name**. Enter a name for the label. This name will not appear in the label itself.
- 1. **Description**. Enter a description for what the label will be used for.
- 1. **Value**. Enter a value for the label. The fields below will be appended to this label.
- 1. **ADD FIELD**. Double-click the following fields you want to append to the label. They will automatically generate values:
- * **Day**. The day of the month.
- * **Month**. The month of the year.
- * **Year**. The year.
- * **Roman numeral month**. The month represented as Roman numerals. For example, I, II, III, IV, V, VI, VII, VIII, IX, X, XI, XII.
- * **Counter**. A counter beginning at 1.
- * **Counter from**. A counter beginning at the number you specify. Replace the `X` in the field with the number to start from.
- * **Counter year based**. A counter based on the year.
- * **Counter day based**. A counter based on the day.
- * **Random six digit number**. A randomly-generated number.
-
-### Triage
-
-[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access triage configuration settings, click the gear icon
-
-Cloud SOAR's [Triage](/docs/cloud-soar/incidents-triage/#triage) module ingests events via the Cloud SOAR API and can be used to triage events which may be unverified or have a low confidence level before they are converted to incidents.
-
-You can customize triage display preferences on the **Triage** configuration page. You can color-code triage events based on status to easily distinguish them from each other when viewing the list of triage events. You can also modify the name of the module from **Triage** to a name of your choosing. The new name will be displayed in all areas of Cloud SOAR, including the menu and logs.
-
-* **Section Name**. The name you want to use for the **Triage** section of the user interface.
-* **Disable background cache generation**. Prevent cache from being generated for triage events. Selecting this box may speed up page load, but slow triage event retrieval.
-* **Set event row style**. Set the colors to display for triage events.
-* **Reassign Mail Configuration**. Customize the content of emails sent to analysts when triage events are reassigned.
-
## Architecture
Sumo Logic Cloud SOAR provides Security Operations and Automation Incident Response Platform to facilitate and expedite timely management of Incident Response with a rich library of customizable playbooks for different threats and use cases of incident response scenarios expediting and automating response time to incident response events.
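Review bot: Deleting the `### New UI`, `## Settings`, `### Groups`, `### Notifications`, `### Custom fields`, `### Incident labels` and `### Triage` headings from overview.md removes the anchors behind links such as `/docs/cloud-soar/overview/#settings` and `/docs/cloud-soar/overview/#custom-fields`, both of which appear in the removed lines themselves. Before merging, search the repository for any remaining `cloud-soar/overview#` and `cloud-soar/overview/#` references and repoint them. Consider leaving a one-line pointer in overview.md to the new settings and menus pages, so that readers arriving from an old bookmark can find the moved sections.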
@@ -410,42 +108,4 @@ Cloud SOAR provides static egress for Cloud executions. IP addresses can be ente
Cloud SOAR interacts with the platforms in your environment using a module called Automation Bridge.
-Automation Bridge is a process running on a Linux-based VM (deployed inside the your environment) that interacts with your Cloud SOAR Instance and allows you to execute playbook actions on all the systems that Cloud SOAR is orchestrating in that specific environment. For more information, see [Automation Bridge](/docs/platform-services/automation-service/automation-service-bridge).
-
-## Data retention
-
-### Default retention periods by data type
-
-Sumo Logic automatically deletes the following customer data according to the table retention period below, except for customers required to ensure HIPAA compliance (see second table).
-
-| Data type | Retention period |
-| :-- | :-- |
-| Incidents | 2 years |
-| Triage | 2 years |
-| Entities | 2 years |
-| Playbook and action executions | 2 years |
-
-For HIPAA-compliant customers, we delete data following the retention periods below.
-
-:::info
-If you need to follow HIPAA compliance, it is important to explicitly communicate this when requesting Cloud SOAR activation.
-:::
-
-| Data type | Retention period |
-| :-- | :-- |
-| Incidents | 7 years |
-| Triage | 7 years |
-| Entities | 7 years |
-| Playbook and action executions | 7 years |
-
-### Custom retention periods
-
-You can request retention period times different from those declared in the tables above, as long as the retention period requested is greater than 1 day yet less than 5000 days.
-
-In order to do that, please open a [Support ticket](/docs/get-started/help#support) with your request.
-
-## Static IP addresses
-
-The following table provides the static IP addresses used for Cloud SOAR by deployment. These are provided in case you want to explicitly allow the IP addresses on the integrations you install.
-
-
+
+### System
+
+* **Use Proxy**. Enter settings if you need to use a proxy for Internet access.
+* **Sticky Alert**. Set the number of seconds to display an alert in the Cloud SOAR UI when an incident generates an alert.
+* **Date/Time Format**. Set the date and time format.
+
+### Incidents
+
+Use these settings to configure how Cloud SOAR handles [incidents](/docs/cloud-soar/incidents-triage/#incidents).
+
+* **Duplicates**.
+ * **Prohibit duplicate naming**. Select this checkbox to prevent incidents from being named identically.
+ * **Default suffix for duplicated incident name**. Select the suffix to add to the end of incident names to differentiate incidents that are named the same.
+ * **Use suffix on non-duplicate**. Use the selected suffix on all incidents, regardless of whether they are named the same.
+* **Objects**. Gather objects, such as IP addresses, domains and email addresses, and add them to the appropriate object's section within the incident.
+ * **Extract from**:
+ * **Incident field**. Gather objects from the incident properties.
+ * **Task field**. Gather objects from the incident tasks.
+ * **Note field**. Gather objects from the the incident notes.
+ * **Filename extension whitelist**. Enter filename extensions to allow when gathering objects.
+* **Process Phase**. Configure phases for monitoring progress of incidents as they progress. Determine whether the phase is **Mandatory**, and the **Status** of the incident when the phase is reached. Select **Show Deleted** to show phases on deleted incidents.
+* **Mandatory Closing Note**. Make a final incident note mandatory before the incident can be closed.
+
+### Instant Messaging
+
+Use these settings to configure authentication for an instant messaging service such as Slack.
+
+* **Integration**. Enter the name of the instant messaging service to integrate with Cloud SOAR.
+* **Bot Oauth**. Enter the authorization token for the instant messaging service.
+* **Signing secret for verify requests**. Enter the signing secret for the instant messaging service.
+* **Workspace**. Displays success or failure of the workspace connection to Cloud SOAR.
+
+For additional setup needed for Slack, see [Configure Slack for Cloud SOAR](/docs/cloud-soar/automation/#configure-slack-for-cloud-soar).
+
+## Groups
+
+A *group* in Cloud SOAR is a collection of users that can be added as incident investigators. When you have a number of users to add as investigators, adding a group of users is faster and easier than adding each user individually. In addition, you can assign everyone in the group the same profile (role), limiting them as incident investigators to only the rights that the profile gives them.
+
+For example, let's say that you have a team of SOC analysts that share responsibility for investigating incidents. You can add all the members of the team to a group and give its members the "Analyst" profile. Then when you need to add the SOC analysts as investigators to incidents, you can simply select the group as the investigator.
+
+### Create a group
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon })
+1. In **Name** enter a name for the group.
+1. In **Profile** select the role to assign to members of the group. These are [roles](/docs/manage/users-roles/roles/) already created in the system.
+1. Click **Create**. The empty group is displayed.
+1. Click the **+** icon next to **Members**.
+1. Select the users to add to the group.
+1. Click **Apply**.
+
+### Assign a group as an incident investigator
+
+To add a group as an incident investigator, follow the same steps as described in [Add investigators](/docs/cloud-soar/incidents-triage/#add-investigators):
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). At the top of the screen, click **Incidents**.
+1. Select the group to add as investigator of the selected incidents. For example, in the sample screen above, select **SOC Team**.
+ :::note
+ The **Role** column displays the profile assigned to the members of the group. You cannot change the group's assigned profile (role) here like you can for individual users. You can only change the group's assigned profile on the group itself.
+ :::
+1. Click **Apply**. The group is added an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group.
+
+### Group role assignments
+
+The role specified in an assigned group profile supersedes the user's [role assignments in the Sumo Logic Log Analytics Platform](/docs/manage/users-roles/roles/add-remove-users-role/). The group permissions are persistent until the user leaves the group, the profile is removed from the group, or the group is deleted.
+
+| User | Result |
+| :-- | :-- |
+| In a group | Has the assigned group role (profile) |
+| In multiple groups | Has the sum of the roles (profiles) from all the groups it is a member of |
+| Not in a group | Has role assignments as assigned in the core platform |
+| In group without a role (profile) | Has role assignments as assigned in the core platform |
+
+## Notifications
+
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access notification settings, click the gear icon
+
+Select the icon to the right of an event to trigger a notification to be sent when that event occurs.
+
+## Custom fields
+
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access custom fields settings, click the gear icon
+
+The **Custom Fields** page allows you to customize all fields within the Cloud SOAR platform to better suit your environment. All fields are pre-populated by default and can be revised with environment-specific variables by manually creating or updating the fields. To begin defining Cloud SOAR's custom fields, select a Cloud SOAR section from the list on the left-side of the screen to view all available fields. To edit an existing field, hover your mouse over the field and select the
+
+These custom field settings will appear in the Cloud SOAR Incident screen as follows:
+
+
+
+## Incident labels
+
+The **Incident label** page allows you to define labels for different types of [incidents](/docs/cloud-soar/incidents-triage/#incidents). When incidents are created by the system, incident labels are automatically applied to the incidents. You specify the incident label to be used for each incident type when you create [incident templates](/docs/cloud-soar/automation/#incident-templates) and [automation rules](/docs/cloud-soar/automation/#automation-rules).
+
+To create an incident label:
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon
+1. Enter the following on the **New label** dialog:
+ 1. **Name**. Enter a name for the label. This name will not appear in the label itself.
+ 1. **Description**. Enter a description for what the label will be used for.
+ 1. **Value**. Enter a value for the label. The fields below will be appended to this label.
+ 1. **ADD FIELD**. Double-click the following fields you want to append to the label. They will automatically generate values:
+ * **Day**. The day of the month.
+ * **Month**. The month of the year.
+ * **Year**. The year.
+ * **Roman numeral month**. The month represented as Roman numerals. For example, I, II, III, IV, V, VI, VII, VIII, IX, X, XI, XII.
+ * **Counter**. A counter beginning at 1.
+ * **Counter from**. A counter beginning at the number you specify. Replace the `X` in the field with the number to start from.
+ * **Counter year based**. A counter based on the year.
+ * **Counter day based**. A counter based on the day.
+ * **Random six digit number**. A randomly-generated number.
+
+## Triage
+
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access triage configuration settings, click the gear icon
+
+Cloud SOAR's [Triage](/docs/cloud-soar/incidents-triage/#triage) module ingests events via the Cloud SOAR API and can be used to triage events which may be unverified or have a low confidence level before they are converted to incidents.
+
+You can customize triage display preferences on the **Triage** configuration page. You can color-code triage events based on status to easily distinguish them from each other when viewing the list of triage events. You can also modify the name of the module from **Triage** to a name of your choosing. The new name will be displayed in all areas of Cloud SOAR, including the menu and logs.
+
+* **Section Name**. The name you want to use for the **Triage** section of the user interface.
+* **Disable background cache generation**. Prevent cache from being generated for triage events. Selecting this box may speed up page load, but slow triage event retrieval.
+* **Set event row style**. Set the colors to display for triage events.
+* **Reassign Mail Configuration**. Customize the content of emails sent to analysts when triage events are reassigned.
+
+## Data retention
+
+### Default retention periods by data type
+
+Sumo Logic automatically deletes the following customer data according to the table retention period below, except for customers required to ensure HIPAA compliance (see second table).
+
+| Data type | Retention period |
+| :-- | :-- |
+| Incidents | 2 years |
+| Triage | 2 years |
+| Entities | 2 years |
+| Playbook and action executions | 2 years |
+
+For HIPAA-compliant customers, we delete data following the retention periods below.
+
+:::info
+If you need to follow HIPAA compliance, it is important to explicitly communicate this when requesting Cloud SOAR activation.
+:::
+
+| Data type | Retention period |
+| :-- | :-- |
+| Incidents | 7 years |
+| Triage | 7 years |
+| Entities | 7 years |
+| Playbook and action executions | 7 years |
+
+### Custom retention periods
+
+You can request retention period times different from those declared in the tables above, as long as the retention period requested is greater than 1 day yet less than 5000 days.
+
+In order to do that, please open a [Support ticket](/docs/get-started/help#support) with your request.
+
+## Static IP addresses
+
+The following table provides the static IP addresses used for Cloud SOAR by deployment. These are provided in case you want to explicitly allow the IP addresses on the integrations you install.
+
+
1. A **New Integration** dialog appears. Drag the integration definition YAML file into the **New Integration** dialog.
1. Click **Upload**. The new integration is listed on the **Integrations** page.
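Review bot: In the added **Assign a group as an incident investigator** steps, the correction of the old "added an an investigator" dropped the wrong word: the new line reads "The group is added an investigator" and should read "The group is added as an investigator". The same line still carries "the the role", and the **Note field** bullet under **Objects** still carries "the the incident notes". The text is being moved anyway, so fix all three in this change. Separately, the **Group role assignments** text says the group profile supersedes the user's platform role assignments and that a user in multiple groups gets the sum of the profiles. Because that widens a user's rights as a side effect of group membership, it would be worth a `:::note` next to the table so administrators see it when they build groups.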
@@ -89,7 +89,7 @@ To make your custom integration available for everyone in App Central, see [Publ
If you have Cloud SOAR installed, you can build basic integrations without having to provide custom YAML files.
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu click **Cloud SOAR**. Then click the gear icon
1. Fill out the **New Integration** dialog:
1. Upload a **Logo** for your integration.
@@ -134,7 +134,7 @@ You can test an action on an integration to ensure that it is working correctly.
You can set integrations, and their related action execution, to be executed in the cloud or through the Bridge. Only certified integrations can be executed in the cloud, while custom integrations must be executed through the [Bridge](/docs/platform-services/automation-service/automation-service-bridge/).
-1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu click **Automation**. Then click the gear icon
1. In the **Edit resource** dialog, click the **Automation engine** field to select **Cloud execution** (for certified integrations only) or select a Bridge option (for custom integrations).
diff --git a/sidebars.ts b/sidebars.ts
index 157e112ceb..436c8517b4 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -3031,6 +3031,8 @@ integrations: [
'cloud-soar/overview',
'cloud-soar/introduction',
'cloud-soar/compared-to-automation-service',
+ 'cloud-soar/settings',
+ 'cloud-soar/menus',
'cloud-soar/incidents-triage',
'cloud-soar/automation',
{
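Review bot: The new sidebar entries list `'cloud-soar/settings'` before `'cloud-soar/menus'`, whereas the text removed from overview.md presented the UI menus first and the settings afterwards. Consider swapping the two so that readers reach the navigation page before the settings page, whose sections the menus link into. Also confirm that neither new file sets a front-matter `id` that differs from these paths, since the sidebar resolves entries by document id.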