From bbf3e769138127c34340a919b43f5ce541c3b598 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Wed, 2 Jul 2025 17:43:26 -0500 Subject: [PATCH 1/2] Reorg the overview --- docs/cloud-soar/automation.md | 14 +- docs/cloud-soar/incidents-triage.md | 36 +- docs/cloud-soar/index.md | 12 + docs/cloud-soar/introduction.md | 68 ++-- .../legacy/legacy-cloud-soar-mssp.md | 2 +- docs/cloud-soar/menus.md | 104 ++++++ docs/cloud-soar/overview.md | 342 +----------------- docs/cloud-soar/settings.md | 245 +++++++++++++ .../users-roles/roles/role-capabilities.md | 8 +- .../automation-service-audit-logging.md | 10 +- .../automation-service-integrations.md | 6 +- sidebars.ts | 2 + 12 files changed, 436 insertions(+), 413 deletions(-) create mode 100644 docs/cloud-soar/menus.md create mode 100644 docs/cloud-soar/settings.md diff --git a/docs/cloud-soar/automation.md b/docs/cloud-soar/automation.md index 69ddc1a54a..12b5ba0de0 100644 --- a/docs/cloud-soar/automation.md +++ b/docs/cloud-soar/automation.md 
@@ -10,9 +10,9 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; The **Automation** section contains configuration tools for Cloud SOAR's automation and orchestration features. -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access Automation, click the gear icon Settings menu icon in the top right and select **Automation**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access Automation, click the gear icon Settings menu icon in the top right and select **Automation**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access Automation, in the main Sumo Logic menu select **Automation**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access Automation, in the main Sumo Logic menu select **Automation**. Because Cloud SOAR provides automation functionality to the [Automation Service](/docs/platform-services/automation-service/), many features are identical between Cloud SOAR and the Automation Service. Therefore, for information about the following Cloud SOAR features, see the Automation Service articles: @@ -47,11 +47,11 @@ Incident templates define the way in which incidents will be created for a speci ### Create a new incident template -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Incident templates** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Incident templates** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**. 1. Click **+** to the left of **Template**.
Add template 1. Define the template:
Create incident template dialog 1. **Template name**. Enter a name that is easily identifiable and related to the activity it is developed for. - 1. **Category**. Enter a category for this template. For example, suppose we're building a template for a DLP incident. We might enter a category named **Data Theft**, but we can enter anything we want that will help us group incident templates in the future. You can customize this field to fit your environment, as well as all other fields in Cloud SOAR (see [Custom fields](/docs/cloud-soar/overview/#custom-fields)). + 1. **Category**. Enter a category for this template. For example, suppose we're building a template for a DLP incident. We might enter a category named **Data Theft**, but we can enter anything we want that will help us group incident templates in the future. You can customize this field to fit your environment, as well as all other fields in Cloud SOAR (see [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields)). 1. **Tags**. Enter any tags to further categorize or define the incident. You can use these tags later when searching for or correlating events. 1. Click **Incident** at the top of the dialog. 1. Define any incident parameters you want to set by default when an incident is creating using the template:
Create incident template dialog to define the incident type @@ -116,7 +116,7 @@ Automation rules allow specific data to be parsed from the incoming data sources ### Create an automation rule -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Rules** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Rules** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 1. Click **+** to the left of **Rules**. 1. Select a name for the rule, then select the daemon to use with this new rule, the resource, and fill in all the remaining parameters.
Add automation rule 1. Click **Save**. The new rule is displayed.
Sample automation rule @@ -196,7 +196,7 @@ After you create a Slack app, you must add the appropriate permissions for use w Now you must configure the Slack integration in Cloud SOAR to use the Bot OAuth Token and Signing Secret you saved in the previous step. These tokens will give the Slack integration the permissions it needs to perform the tasks in the scopes you set up. 1. Add resources for the tokens: - 1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. 1. Select the Slack integration. The integration's resources appear.
Select the Slack integration 1. Click **+** to add a new Resource.
Add a resource 1. Name the resource "Bot User OAuth Access Token". @@ -204,7 +204,7 @@ Now you must configure the Slack integration in Cloud SOAR to use the Bot OAuth 1. Click **TEST** to verify configuration. 1. Once you have filled in all the required fields, click **SAVE**.
Bot resource 1. Configure instant messaging: - 1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right and select **Settings**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General Settings**. You can also click the **Go To...** menu at the top of the screen and select **General**. + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right and select **Settings**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General Settings**. You can also click the **Go To...** menu at the top of the screen and select **General**. 1. Scroll down and open **Instant Messaging**.
Instant Messaging configuration dialog 1. For **Integration** select Slack. 1. Paste your previously saved Bot User OAuth Access Token to the **Bot OAuth** field. diff --git a/docs/cloud-soar/incidents-triage.md b/docs/cloud-soar/incidents-triage.md index 7ed0c3aee8..032a09ba7d 100644 --- a/docs/cloud-soar/incidents-triage.md +++ b/docs/cloud-soar/incidents-triage.md @@ -10,9 +10,9 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; ## SecOps and Dashboard -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access the SecOps and Dashboard screens, in the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**. The SecOps screen is where all your current tasks reside. Here you can approve, decline, and close tasks as well as customize this section to display all tasks assigned to a specific user or group. 
@@ -24,9 +24,9 @@ Select **Dashboard** in the upper left corner to see dashboards showing your tas Incidents are events that require investigation and remediation. Incidents are at the heart of Cloud SOAR. -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access incidents, in the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access incidents, in the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access incidents, in the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access incidents, in the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. The **Incidents** screen lists all Cloud SOAR incidents. Clicking on any of the incident IDs will open the incident. You can configure what incidents are displayed by creating queries against available incident data and saving them as incident filters. @@ -182,20 +182,20 @@ Investigators are users who are involved in incidents and have access to perform To add investigators to incidents: -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). At the top of the screen, click **Incidents**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. 1. Check the incidents you want to add investigators to. 1. Click the three-dot kebab menu in the upper left-hand corner of the screen. 1. Select **Add Investigator**.
The **Add Investigator** screen is displayed.
Add Investigator dialog 1. Select the investigators to add to the selected incidents. :::info - You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/overview/#groups). + You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/cloud-soar-settings/#groups). ::: 1. In the **Role** column, select the role assigned to the users that you want them to have as investigators. For example, select Analyst, Administrator, or some other role. The roles must have the appropriate Cloud SOAR role capabilities that you want them to have as investigators of the incidents. (If you are selecting a group as an investigator, you cannot change the group's assigned role here. You can only change the group's role on the group itself.) 1. Click **Apply**. #### View investigators assigned to an incident -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). At the top of the screen, click **Incidents**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. 1. Select an incident. The investigators appear in the **Investigators** widget.
Investigators widget 1. To add another investigator to the incident, click the **+** icon in the upper-right of the dialog. 1. To remove an investigator from the incident, hover your mouse over the investigator name and click the trash can icon that appears to the right. @@ -227,8 +227,8 @@ Cloud SOAR generates incidents with an automated process: #### Create a new incident manually 1. To create an incident manually, click the **+** button at the top of the **Incidents** screen.
Create incident button -1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/overview/#custom-fields).
Incident Creation screen -1. One of the most important fields is the **Type** field. This field will dictate which playbooks will be recommended later on in the configuration process. See [custom fields](/docs/cloud-soar/overview/#custom-fields) to modify the variables displayed in the **Type** field.
Type field +1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields).
Incident Creation screen +1. One of the most important fields is the **Type** field. This field will dictate which playbooks will be recommended later on in the configuration process. See [custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields) to modify the variables displayed in the **Type** field.
Type field 1. Click **Next**. 1. Once you complete the **Details** page, you will want to assign appropriate playbooks to be associated with the incident. In addition to adding playbooks to the incident, you can also decide whether you want the playbook to automatically execute upon incident creation by sliding the **Autorun** button to **On**.
Incident Creation - Automation screen 1. Click **Next**. @@ -255,7 +255,7 @@ The incident properties section in the center contains all the important informa ### Overview tab -The incident **Overview** tab contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be configured in [custom fields](/docs/cloud-soar/overview/#custom-fields). +The incident **Overview** tab contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be configured in [custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). ### Operations tab @@ -334,9 +334,9 @@ To add an attachment, click **+** to the left of the search bar and provide a de The **Triage** screen shows events that have been recorded but not yet converted to incidents. -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**. Triage screen 
@@ -361,7 +361,7 @@ Let's suppose you want to look at a pending event to determine if it needs inves By default, the triage module contains two fields, `Status` and `Type`. Additional values may be added to the `Status` field; however, the `Type` field is directly linked to the incident type field and cannot be modified directly. -New types must be added from the incidents section of the **Custom Fields** page. Up to 100 custom fields and be created for the triage module, allowing customization for any use case. To add additional custom fields for triage, see [Custom fields](/docs/cloud-soar/overview/#custom-fields). +New types must be added from the incidents section of the **Custom Fields** page. Up to 100 custom fields and be created for the triage module, allowing customization for any use case. To add additional custom fields for triage, see [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). Note that to be able to filter events in the triage module based on the values of a field, **Use as filter** must be checked when adding or modifying a field. As fields are created, they will be assigned a number starting at `1`, which will be used to identify the field when adding events via the API. The first field added will be identified as `opt_1`, the second as `opt_2`, and so on. Regardless of the ordering of the fields on the screen, these numbers will remain the same. If a field is deleted, the number will not be reused. For example, if you have defined `opt_1` through `opt_8` and delete the field `opt_8`, the next field added will still become `opt_9`. It is important to remember these field numbers, as they will be used when the API is invoked. 
@@ -393,9 +393,9 @@ When creating incidents from Insights, adding additional required attributes to The **Entities** screen shows information about entities, unique actors encountered in incoming messages, such as a user, IP address, or host. Entities displayed here are from all incidents. To see entities associated with a specific incident, see [Entities tab](#entities-tab). -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR**, and then click the **Entities** button at the top of the screen. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR**, and then click the **Entities** button at the top of the screen. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR > Entities**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Entities** screen, in the main Sumo Logic menu select **Cloud SOAR > Entities**. Entity section @@ -437,7 +437,7 @@ Watch the following micro lesson to learn about dashboards. You can create dashboards in Cloud SOAR similar to dashboards in the core Sumo Logic platform. You can also [create widgets](#create-widgets) to use in the dashboards that display text, graphs, and charts containing details about incidents and other aspects of Cloud SOAR. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Go to the home screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Go to the home screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**. 1. Select **Dashboard** in the upper-left corner of the UI.
Access dashboards 1. Click the **+** icon in the upper-right corner of the UI and select **New Dashboard**.
Add dashboard button
A blank dashboard screen appears.
Empty dashboard 1. Click on the name of the blank dashboard (such as **Dashboard 2** in the example), and give the dashboard a name. Click **No description available** and type a description. @@ -452,7 +452,7 @@ You can create dashboards in Cloud SOAR similar to dashboards in the core Sumo L You can create widgets as needed to help analysts and administrators quickly get the information they need. Widgets are reusable pieces that display information in different forms, such as text, pie chart, bar chart, graph, or table. 1. Open the widgets panel: - 1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Go to the home screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**. + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Go to the home screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **ecOps & Dashboard**. 1. Select **Dashboard** in the upper-left corner of the UI.
Access dashboards 1. Select a dashboard. 1. Click the **Edit** button.
Empty dashboard
@@ -492,7 +492,7 @@ Let's suppose we want to create a dashboard that shows the current open and froz With the **Report** option, you can create incident reports to share with others as well as [widgets](#create-widgets) to use in the report that display text, graphs, tables, and charts containing details about incidents and other aspects of Cloud SOAR. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right and select **Report**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Report**. You can also click the **Go To...** menu at the top of the screen and select **Report**.
The Report UI appears.
Reports user interface +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right and select **Report**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Report**. You can also click the **Go To...** menu at the top of the screen and select **Report**.
The Report UI appears.
Reports user interface 1. Click the **+** icon in the upper left corner. 1. On the right side, select widgets to add to the report from **My Widgets** or **Public**. These are the same widgets that are available to use in [dashboards](#create-a-dashboard). Widgets can be graphs, charts, tables, or any kind of visual element that contains information. Click **New** to [create a new widget](#create-widgets). Click **Show List** to see all available widgets. 1. Rearrange the widgets in the report as needed.
Widgets in a report diff --git a/docs/cloud-soar/index.md b/docs/cloud-soar/index.md index b10d5b5d29..5754349150 100644 --- a/docs/cloud-soar/index.md +++ b/docs/cloud-soar/index.md @@ -31,6 +31,18 @@ This section contains the following topics:

Compare the features of Cloud SOAR with the Automation Service.

+
+
+ Shield and gear icon

Cloud SOAR Settings

+

Setup and configuration options for the Cloud SOAR platform.

+
+
+
+
+ Shield and gear icon

Cloud SOAR Menus

+

Navigate menus in Cloud SOAR.

+
+
Shield and gear icon

Incidents and Triage

diff --git a/docs/cloud-soar/introduction.md b/docs/cloud-soar/introduction.md index ac53d697da..0a26b6a1c3 100644 --- a/docs/cloud-soar/introduction.md +++ b/docs/cloud-soar/introduction.md @@ -89,12 +89,12 @@ Playbooks are central to SOAR automation. Inside playbooks, you can add nodes wi In this section, you’ll get to know the different parts of the Cloud SOAR UI. -1. Navigate to the SecOps page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**.
If you have any tasks or alerts assigned to you, you’ll see them here in the **My Operations** panel.
SecOps page +1. Navigate to the SecOps page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**.
If you have any tasks or alerts assigned to you, you’ll see them here in the **My Operations** panel.
SecOps page 1. Near the top left corner, above your user name, click **Dashboard**.
This will take you to your main dashboard page for your organization. Here you’ll see an overview of current incidents as well as statistics for recent incidents. We’ll learn how to customize this area in a later section.
Dashboards page -1. Navigate to the **Incidents** page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
Here you’ll see a list of all incidents for your organization. You can filter by various categories and search terms. For example, if you click **Bookmarks** and then select **Mine** you’ll only see incidents that have been assigned to you.
Incidents page -1. Navigate to the **Entities** page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**, and then click the **Entities** button at the top of the screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > Entities**.
Here you will see a list of all entities, such as IP addresses, host names, and other potential indicators of compromise. Entities are unique identifiers that can help you figure out who the potential threat actors are. Like the **Incidents** page, you can use filters and queries on the **Entities** page to sort through the entities in Cloud SOAR.
Entities page -1. Visit the Support page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click **Help** (question mark icon) in the upper right.
[**New UI**](/docs/cloud-soar/overview#new-ui). Click **Help** (question mark icon) in the upper right.
Here you’ll find links to documentation, information about APIs and integrations, and contact information if you need to reach out to the Sumo Logic support team. -1. View your profile.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click **Profile** (person icon) in the upper right corner.
[**New UI**](/docs/cloud-soar/overview#new-ui). Click **Profile** (person icon) in the upper right corner.
Here you’ll see details about your user profile, including the roles you’ve been assigned. +1. Navigate to the **Incidents** page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**.
Here you’ll see a list of all incidents for your organization. You can filter by various categories and search terms. For example, if you click **Bookmarks** and then select **Mine** you’ll only see incidents that have been assigned to you.
Incidents page +1. Navigate to the **Entities** page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**, and then click the **Entities** button at the top of the screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > Entities**.
Here you will see a list of all entities, such as IP addresses, host names, and other potential indicators of compromise. Entities are unique identifiers that can help you figure out who the potential threat actors are. Like the **Incidents** page, you can use filters and queries on the **Entities** page to sort through the entities in Cloud SOAR.
Entities page +1. Visit the Support page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click **Help** (question mark icon) in the upper right.
[**New UI**](/docs/get-started/sumo-logic-ui/). Click **Help** (question mark icon) in the upper right.
Here you’ll find links to documentation, information about APIs and integrations, and contact information if you need to reach out to the Sumo Logic support team. +1. View your profile.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click **Profile** (person icon) in the upper right corner.
[**New UI**](/docs/get-started/sumo-logic-ui/). Click **Profile** (person icon) in the upper right corner.
Here you’ll see details about your user profile, including the roles you’ve been assigned. ### Case management @@ -162,7 +162,7 @@ The **Entities** page contains in-depth information about entities related to th In this section, you’ll investigate an incident, gather information, and decide what to do in [response](#respond-to-an-incident) to it. -1. Navigate to the **Incidents** page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. Navigate to the **Incidents** page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. 2. Click the column configuration icon in the upper right.
Column configuration icon 1. Make sure **Short Description** is under the **Active** column. If it isn’t, click the **+** next to **Short Description** in the **Available** column. Do the same with the **Type** and **Category** fields. Then click **Apply**. You’ll now see a short description based on the [MITRE ATT&CK framework](https://attack.mitre.org/matrices/enterprise/) of each incident. 1. Click any incident with a status of **Open**. @@ -242,7 +242,7 @@ You can modify an existing playbook or build one from scratch by dragging and dr To respond to an incident you [investigated previously](#investigate-an-incident): -1. Navigate to the **Incidents** page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. Navigate to the **Incidents** page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. 1. Select the incident you want respond to. 1. Click the **Operations** tab, then click **Playbooks**. 1. Click the **+** icon.
Add a playbook to an incident @@ -271,7 +271,7 @@ In order to prepare for the next potential threat, you’ll need to set up alert In this section, you’ll create and customize a dashboard using widgets. -1. Navigate to the Cloud SOAR SecOps page.
[**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**. +1. Navigate to the Cloud SOAR SecOps page.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > SecOps & Dashboard**. You can also click the **Go To...** menu at the top of the screen and select **SecOps & Dashboard**. 1. Near the top left corner, above your user name, click **Dashboard**. 1. Click the **+** icon in the upper right to create a new dashboard. 1. Click on the default dashboard name (**Dashboard #**) and change the name. Add a description if desired by clicking on the **No description available** field and adding some text. @@ -308,7 +308,7 @@ There are several considerations when designing a dashboard or report. Here are You can use Cloud SOAR to make downloadable reports, using the same information as in your dashboards. Like dashboards, you can use existing widgets to customize the content and structure of your report. In this section, you’ll create and export a report in this way. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right and select **Report**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Report**. You can also click the **Go To...** menu at the top of the screen and select **Report**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right and select **Report**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Report**. You can also click the **Go To...** menu at the top of the screen and select **Report**. 1. In the report view, you'll have a blank page view and a sidebar on the right with the available widgets (similar to the dashboard edit view).
Report dialog 1. Click on one or more of the available widgets to add them to the report. (You can create new widgets using the same process as in the previous section about [creating a dashboard](#create-a-dashboard)). 1. Click **Save** when you've finished designing your report. 
@@ -351,31 +351,31 @@ Cloud SOAR administrators have privileged access to the Settings and Automation ##### General settings -The **General** settings page includes sections for **System**, **Incidents**, and **Instant Messaging**. Administrators can set proxy settings and date/time formats in the **System** section. The **Incidents** section can control incident processing settings and file extension whitelisting. You can also configure integrations like Slack under **Instant Messaging**. For more information, see [General](/docs/cloud-soar/overview/#general). +The **General** settings page includes sections for **System**, **Incidents**, and **Instant Messaging**. Administrators can set proxy settings and date/time formats in the **System** section. The **Incidents** section can control incident processing settings and file extension whitelisting. You can also configure integrations like Slack under **Instant Messaging**. For more information, see [General](/docs/cloud-soar/cloud-soar-settings/#general). -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access general settings, click the gear icon Settings menu icon in the top right and select **Settings**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access general settings, click the gear icon Settings menu icon in the top right and select **Settings**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access general settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General**. You can also click the **Go To...** menu at the top of the screen and select **General**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access general settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General**. You can also click the **Go To...** menu at the top of the screen and select **General**. 
General Settings ##### Groups -Basic user management and role-based access control (RBAC) is done through the main Sumo Logic interface; however, you can create user groups specific to Cloud SOAR through the **Groups** page. For more information, see [Groups](/docs/cloud-soar/overview/#groups). +Basic user management and role-based access control (RBAC) is done through the main Sumo Logic interface; however, you can create user groups specific to Cloud SOAR through the **Groups** page. For more information, see [Groups](/docs/cloud-soar/cloud-soar-settings/#groups). -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access groups settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access groups settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access groups settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access groups settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**. Groups dialog ##### Event Triggers -The **Event Triggers** page contains a list of triggers where you can configure default email notifications whenever key events happen. For more information, see [Notifications](/docs/cloud-soar/overview/#notifications). +The **Event Triggers** page contains a list of triggers where you can configure default email notifications whenever key events happen. 
For more information, see [Notifications](/docs/cloud-soar/cloud-soar-settings/#notifications). -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access event triggers settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Notifications > Event Triggers**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access event triggers settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Notifications > Event Triggers**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access event triggers settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Notifications**. You can also click the **Go To...** menu at the top of the screen and select **Notifications**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access event triggers settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Notifications**. You can also click the **Go To...** menu at the top of the screen and select **Notifications**. Events Triggers dialog 
@@ -384,17 +384,17 @@ The **Event Triggers** page contains a list of triggers where you can configure You can use additional settings to customize fields, incident labels, and triage information. Use these settings to customize many of the templates, field names, and incident names used in the views and reports your analysts generate. You can also set the defaults for incident triage. See: -* [Custom fields](/docs/cloud-soar/overview/#custom-fields) -* [Incident labels](/docs/cloud-soar/overview/#incident-labels) -* [Triage](/docs/cloud-soar/overview/#triage-1) +* [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields) +* [Incident labels](/docs/cloud-soar/cloud-soar-settings/#incident-labels) +* [Triage](/docs/cloud-soar/cloud-soar-settings/#triage) #### Exploring Cloud SOAR Automations In addition to settings, Cloud SOAR administrators have privileged access to the Automation section of the platform. For more information, see [Cloud SOAR Automation](/docs/cloud-soar/automation/). -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access Automation, click the gear icon Settings menu icon in the top right and select **Automation**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access Automation, click the gear icon Settings menu icon in the top right and select **Automation**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access Automation, in the main Sumo Logic menu select **Automation**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access Automation, in the main Sumo Logic menu select **Automation**. Cloud SOAR Automation menu 
@@ -422,9 +422,9 @@ Fields can be used to apply advanced filters or add them as a new column in the #### Define and test a custom field -In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance. For more information, see [Custom fields](/docs/cloud-soar/overview/#custom-fields). +In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance. For more information, see [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Fields**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Fields**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Fields**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Fields**. 1. In the **Custom Fields** menu, select **Incidents**. 1. Click the **+** icon. 1. Give the field a name that designates what it is for. For example, to create a field for IPs originating from entities, enter **Source IP**. @@ -435,7 +435,7 @@ In this section, we’ll create a custom field to map data that’s ingested int To test the new field, we'll create a new incident manually. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu select **Cloud SOAR**, and then select **Incidents** at the top of the SecOps screen.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. 1. Click the **+** icon to create a new incident. 1. Scroll down to the bottom to see your new field. Your field may appear in either the left or right column. It may be near the bottom or several rows up. 1. Type a value in your new field. For example, if your new field is for a source IP, you could type in an IP address, such as **1.1.1.1**. 
@@ -451,9 +451,9 @@ You will not be able to create the incident until there is a green **No Issue Fo Incidents are the main place where SOC analysts conduct their threat investigations and orchestrate their responses. There are several areas of the admin UI where you can customize the way incidents behave in Cloud SOAR: * **[Incident templates](/docs/cloud-soar/automation/#incident-templates)**. Incident templates control how incidents appear in the War Room and include fields like type, severity, and status. Incident Templates are also essential when creating [automation rules](/docs/cloud-soar/automation/#automation-rules) that trigger incidents. When you first set up and automate your SOC, it will primarily be using incident templates. -* **[General](/docs/cloud-soar/overview/#general)** settings **Incidents** section. Use this settings section for some configuration of the incidents in Cloud SOAR. You can allow or prohibit duplicate names, set whether closing notes are mandatory or not, and select which objects are extracted from incidents here. +* **[General](/docs/cloud-soar/cloud-soar-settings/#general)** settings **Incidents** section. Use this settings section for some configuration of the incidents in Cloud SOAR. You can allow or prohibit duplicate names, set whether closing notes are mandatory or not, and select which objects are extracted from incidents here. * **[Reports](/docs/cloud-soar/incidents-triage/#report)**. Use this feature to create and edit report templates. These templates are used when analysts export a report after closing an incident as part of the lessons learned stage of the incident response cycle. -* **[Incident Labels](/docs/cloud-soar/overview/#incident-labels)**. Incident labels are used to organize the way incidents are displayed inside Cloud SOAR. +* **[Incident Labels](/docs/cloud-soar/cloud-soar-settings/#incident-labels)**. Incident labels are used to organize the way incidents are displayed inside Cloud SOAR. 
Work with the analysts on your team to customize reports, labels, and templates to suit their needs. As a best practice, create labels and templates that use standardized and unique naming conventions. @@ -461,7 +461,7 @@ Work with the analysts on your team to customize reports, labels, and templates In this section, we’ll create a custom incident label. This new label will make it easier to sort and respond to incidents. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Incident labels**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Incident Labels**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Incident labels**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Incident Labels**. 1. Click the **+** icon to create a new incident label. 1. For **Name**, enter a name that designates what the incident is for. For example, to create a label for incidents originating in Cloud SIEM, you could enter **Cloud SIEM Alert**. 1. Optionally, you can include a short **Description**. 
@@ -475,15 +475,15 @@ Now you can use this incident label the next time you manually create an inciden Sometimes your system may record events that are unverified, or have a low confidence level such that you may want to triage them before reporting them as incidents. The triage features of Cloud SOAR allow users to view these events and their details, as well as assign up to 100 custom fields for triage use, allowing maximum flexibility over a variety of event use cases. For more information, see [Triage](/docs/cloud-soar/incidents-triage/#triage). -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**. +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR**. Then in the upper left of the **SecOps** screen click **Incidents > Triage**. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Triage** screen, in the main Sumo Logic menu select **Cloud SOAR > Triage**. Any recorded events that have not been converted to an incident will be displayed in a sortable table. Click on any column to sort by that field. By default, you will see two fields, **Status** and **Type**. Triage screen -The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/overview/#custom-fields)** page). +The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields)** page). To add additional custom fields (up to 100), select **Triage** from the **Custom Fields** list. 
To add a custom field, click the **+** button in the upper left of the display and set the field properties as desired. Make sure to check **Use as filter** if you want your new custom field to be filterable in the triage module. @@ -634,7 +634,7 @@ Incident templates define which attributes will be automatically set each time a In this section, we’ll create a custom incident template. This template will automatically assign the playbook you created earlier to certain new incidents, and then automatically run it. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Incident templates** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Incident templates** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Template**. You can also click the **Go To...** menu at the top of the screen and select **Template**. 1. Near the top, click the **+** icon to create a new template. 1. In the **Name** field, provide a name for the template. 1. In the **Category** field, enter a category (for example, **Test**). @@ -654,7 +654,7 @@ Automation rules can automatically pull information from sources. They can also Let's create a custom automation rule. This rule will pull information from Cloud SIEM every 5 hours. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Rules** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Rules**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Rules** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Rules**. 1. Near the top, click the **+** icon to create a new rule. 1. Enter a **Name** for the rule. 1. For **Integration daemon**, select **Sumo Logic Insights Daemon Extended**. diff --git a/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md b/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md index 081877079f..534823b1d3 100644 --- a/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md +++ b/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md @@ -99,4 +99,4 @@ When you mouse over the icons, you’ll see **Synchronized** and **Push Field**. Synchronized label -For more information about Custom Fields, see [Customization](/docs/cloud-soar/overview/#custom-fields). +For more information about Custom Fields, see [Customization](/docs/cloud-soar/cloud-soar-settings/#custom-fields). diff --git a/docs/cloud-soar/menus.md b/docs/cloud-soar/menus.md new file mode 100644 index 0000000000..94d0bd43a8 --- /dev/null +++ b/docs/cloud-soar/menus.md @@ -0,0 +1,104 @@ +--- +id: cloud-soar-menus +title: Cloud SOAR Menus +sidebar_label: Menus +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +## Classic UI + +The classic UI is the traditional way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic Classic UI](/docs/get-started/sumo-logic-ui-classic). + +### Top menu + +This menu appears at the top of the Cloud SOAR screen:
Top menu bar + +Use the top menu to access: +* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. +* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. +* Support menu icon **Support**. Access help, including documentation and support contact information. +* Settings menu icon [**Settings**](/docs/cloud-soar/cloud-soar-settings/). Configure Cloud SOAR settings. + +### Settings menu + +The **Settings** menu allows you to configure Cloud SOAR settings. To access the menu, click Settings menu icon on the [top menu](#top-menu).
Settings menu + +Use the **Settings** menu to access: +* [**Automation**](/docs/cloud-soar/automation/). Configure Cloud SOAR's automation and orchestration features. +* [**Settings**](/docs/cloud-soar/cloud-soar-settings/). Configure Cloud SOAR settings. +* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. + +## New UI + +The new UI provides a streamlined way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic UI](/docs/get-started/sumo-logic-ui). + +### Cloud SOAR sidebar menu + +Click **Cloud SOAR** in the main Sumo Logic menu to open the sidebar menu.
Cloud SOAR sidebar menu + +Use the **Cloud SOAR** sidebar menu to access: +* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR. +* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. +* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents. +* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. +* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. + +### Automation sidebar menu + +Click **Automation** in the main Sumo Logic menu to open the sidebar menu.
Cloud SOAR sidebar menu + +Use the **Automation** sidebar menu to access: +* [**App Central**](/docs/platform-services/automation-service/app-central/). Add new integrations and playbooks to your environment. +* [**Playbooks**](/docs/platform-services/automation-service/automation-service-playbooks/). Create playbooks to run automated actions. +* [**Template**](/docs/cloud-soar/automation/#incident-templates). Create incident templates. +* [**Integrations**](/docs/platform-services/automation-service/automation-service-integrations). Manage integrations with vendors. +* [**Rules**](/docs/cloud-soar/automation/#automation-rules). Create automation rules. +* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations. + +### Top menu + +This menu appears at the top of the screen:
Top menu bar + +Use the top menu to access: + +* Go To icon [**Go To...**](#go-to-menu) Launch Sumo Logic features, including for Cloud SOAR. +* Help icon **Help**. Access links to documentation, support, community, release notes, and system status. +* Configuration icon [**Configuration**](#configuration-menu). Configure Sumo Logic features, including for Cloud SOAR. +* Administration icon [**Administration**](#administration-menu). Administer Sumo Logic features, including for Cloud SOAR. +* Profile icon **Profile**. View your notification and [preference](/docs/get-started/account-settings-preferences/) settings. + +### Go To... menu + +The **Go To...** menu allows you to launch Sumo Logic features, including for Cloud SOAR. To access this menu, click Go To icon on the [top menu](#top-menu-1).
Go To menu bar + +Use the **Go To...** menu to access these Cloud SOAR features: +* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations. +* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. +* [**Fields**](/docs/cloud-soar/cloud-soar-settings/#custom-fields). Customize fields to better suit your environment. +* [**General**](/docs/cloud-soar/cloud-soar-settings/). Configure general Cloud SOAR settings. +* [**Groups**](/docs/cloud-soar/cloud-soar-settings/#groups). Create a group of users that can be added as incident investigators. +* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. +* [**Incident Labels**](/docs/cloud-soar/cloud-soar-settings/#incident-labels). Define labels for the different types of incidents that will be investigated. +* [**Notifications**](/docs/cloud-soar/cloud-soar-settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users. +* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. +* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR. +* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents. + +### Configuration menu + +The **Configuration** menu allows you to configure Sumo Logic features, including for Cloud SOAR. To access this menu, click Configuration icon on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SOAR configuration options.
Cloud SOAR options on the configuration menu + +Use the **Configuration** menu to access: +* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. +* [**Fields**](/docs/cloud-soar/cloud-soar-settings/#custom-fields). Customize fields to better suit your environment. +* [**Incident Labels**](/docs/cloud-soar/cloud-soar-settings/#incident-labels). Define labels for the different types of incidents that will be investigated. + +### Administration menu + +The **Administration** menu allows you to administer Sumo Logic features, such as for for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/). You can also administer Cloud SOAR features. To access this menu, click Administration icon on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SOAR administration options.
Cloud SOAR options on the administration menu + +Use the **Administration** menu to access: +* [**General**](/docs/cloud-soar/cloud-soar-settings/#general). Configure general Cloud SOAR settings. +* [**Notifications**](/docs/cloud-soar/cloud-soar-settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users. +* [**Groups**](/docs/cloud-soar/cloud-soar-settings/#groups). Create a group of users that can be added as incident investigators. \ No newline at end of file diff --git a/docs/cloud-soar/overview.md b/docs/cloud-soar/overview.md index 1204b4aef6..4b23b0d1af 100644 --- a/docs/cloud-soar/overview.md +++ b/docs/cloud-soar/overview.md @@ -80,308 +80,6 @@ import Theme from '../reuse/dark-light-theme.md'; -## Cloud SOAR menus - -### Classic UI - -The classic UI is the traditional way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic Classic UI](/docs/get-started/sumo-logic-ui-classic). - -#### Top menu - -This menu appears at the top of the Cloud SOAR screen:
Top menu bar - -Use the top menu to access: -* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. -* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. -* Support menu icon **Support**. Access help, including documentation and support contact information. -* Settings menu icon [**Settings**](#settings-menu). Configure Cloud SOAR settings. - -#### Settings menu - -The **Settings** menu allows you to configure Cloud SOAR settings. To access the menu, click Settings menu icon on the [top menu](#top-menu).
Settings menu - -Use the **Settings** menu to access: -* [**Automation**](/docs/cloud-soar/automation/). Configure Cloud SOAR's automation and orchestration features. -* [**Settings**](/docs/cloud-soar/overview/#settings). Configure Cloud SOAR settings. -* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. - -### New UI - -The new UI provides a streamlined way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic UI](/docs/get-started/sumo-logic-ui). - -#### Cloud SOAR sidebar menu - -Click **Cloud SOAR** in the main Sumo Logic menu to open the sidebar menu.
Cloud SOAR sidebar menu - -Use the **Cloud SOAR** sidebar menu to access: -* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR. -* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. -* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents. -* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. -* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. - -#### Automation sidebar menu - -Click **Automation** in the main Sumo Logic menu to open the sidebar menu.
Cloud SOAR sidebar menu - -Use the **Automation** sidebar menu to access: -* [**App Central**](/docs/platform-services/automation-service/app-central/). Add new integrations and playbooks to your environment. -* [**Playbooks**](/docs/platform-services/automation-service/automation-service-playbooks/). Create playbooks to run automated actions. -* [**Template**](/docs/cloud-soar/automation/#incident-templates). Create incident templates. -* [**Integrations**](/docs/platform-services/automation-service/automation-service-integrations). Manage integrations with vendors. -* [**Rules**](/docs/cloud-soar/automation/#automation-rules). Create automation rules. -* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations. - -#### Top menu - -This menu appears at the top of the screen:
Top menu bar - -Use the top menu to access: - -* Go To icon [**Go To...**](#go-to-menu) Launch Sumo Logic features, including for Cloud SOAR. -* Help icon **Help**. Access links to documentation, support, community, release notes, and system status. -* Configuration icon [**Configuration**](#configuration-menu). Configure Sumo Logic features, including for Cloud SOAR. -* Administration icon [**Administration**](#administration-menu). Administer Sumo Logic features, including for Cloud SOAR. -* Profile icon **Profile**. View your notification and [preference](/docs/get-started/account-settings-preferences/) settings. - -#### Go To... menu - -The **Go To...** menu allows you to launch Sumo Logic features, including for Cloud SOAR. To access this menu, click Go To icon on the [top menu](#top-menu-1).
Go To menu bar - -Use the **Go To...** menu to access these Cloud SOAR features: -* [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations. -* [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. -* [**Fields**](/docs/cloud-soar/overview/#custom-fields). Customize fields to better suit your environment. -* [**General**](#settings). Configure general Cloud SOAR settings. -* [**Groups**](#groups). Create a group of users that can be added as incident investigators. -* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. -* [**Incident Labels**](#incident-labels). Define labels for the different types of incidents that will be investigated. -* [**Notifications**](#notifications). Configure notifications to Cloud SOAR users as well as other external users. -* [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. -* [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). Open the home screen of Cloud SOAR. -* [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents. - -#### Configuration menu - -The **Configuration** menu allows you to configure Sumo Logic features, including for Cloud SOAR. To access this menu, click Configuration icon on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SOAR configuration options.
Cloud SOAR options on the configuration menu - -Use the **Configuration** menu to access: -* [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. -* [**Fields**](/docs/cloud-soar/overview/#custom-fields). Customize fields to better suit your environment. -* [**Incident Labels**](#incident-labels). Define labels for the different types of incidents that will be investigated. - -#### Administration menu - -The **Administration** menu allows you to administer Sumo Logic features, such as for for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/). You can also administer Cloud SOAR features. To access this menu, click Administration icon on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SOAR administration options.
Cloud SOAR options on the administration menu - -Use the **Administration** menu to access: -* [**General**](#general). Configure general Cloud SOAR settings. -* [**Notifications**](#notifications). Configure notifications to Cloud SOAR users as well as other external users. -* [**Groups**](#groups). Create a group of users that can be added as incident investigators. - - -## Settings - -The following sections detail the various setup and configuration options for the Cloud SOAR platform. Although initial configuration can be performed in any order, the following sections are ordered in the suggested order for initial configuration. - -### General - -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access general settings, click the gear icon Settings menu icon in the top right and select **Settings**. - -[**New UI**](/docs/cloud-soar/overview#new-ui). To access general settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General**. You can also click the **Go To...** menu at the top of the screen and select **General**. - - -General Settings - -#### System - -* **Use Proxy**. Enter settings if you need to use a proxy for Internet access. -* **Sticky Alert**. Set the number of seconds to display an alert in the Cloud SOAR UI when an incident generates an alert. -* **Date/Time Format**. Set the date and time format. - -#### Incidents - -Use these settings to configure how Cloud SOAR handles [incidents](/docs/cloud-soar/incidents-triage/#incidents). - -* **Duplicates**. - * **Prohibit duplicate naming**. Select this checkbox to prevent incidents from being named identically. - * **Default suffix for duplicated incident name**. Select the suffix to add to the end of incident names to differentiate incidents that are named the same. - * **Use suffix on non-duplicate**. Use the selected suffix on all incidents, regardless of whether they are named the same. -* **Objects**. 
Gather objects, such as IP addresses, domains and email addresses, and add them to the appropriate object's section within the incident. - * **Extract from**: - * **Incident field**. Gather objects from the incident properties. - * **Task field**. Gather objects from the incident tasks. - * **Note field**. Gather objects from the the incident notes. - * **Filename extension whitelist**. Enter filename extensions to allow when gathering objects. -* **Process Phase**. Configure phases for monitoring progress of incidents as they progress. Determine whether the phase is **Mandatory**, and the **Status** of the incident when the phase is reached. Select **Show Deleted** to show phases on deleted incidents. -* **Mandatory Closing Note**. Make a final incident note mandatory before the incident can be closed. - -#### Instant Messaging - -Use these settings to configure authentication for an instant messaging service such as Slack. - -* **Integration**. Enter the name of the instant messaging service to integrate with Cloud SOAR. -* **Bot Oauth**. Enter the authorization token for the instant messaging service. -* **Signing secret for verify requests**. Enter the signing secret for the instant messaging service. -* **Workspace**. Displays success or failure of the workspace connection to Cloud SOAR. - -For additional setup needed for Slack, see [Configure Slack for Cloud SOAR](/docs/cloud-soar/automation/#configure-slack-for-cloud-soar). - -### Groups - -A *group* in Cloud SOAR is a collection of users that can be added as incident investigators. When you have a number of users to add as investigators, adding a group of users is faster and easier than adding each user individually. In addition, you can assign everyone in the group the same profile (role), limiting them as incident investigators to only the rights that the profile gives them. - -For example, let's say that you have a team of SOC analysts that share responsibility for investigating incidents. 
You can add all the members of the team to a group and give its members the "Analyst" profile. Then when you need to add the SOC analysts as investigators to incidents, you can simply select the group as the investigator. - -#### Create a group - -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**. -1. The **Groups** dialog displays. Click the **+** icon next to **Groups**.
Groups dialog
The **Add Groups** dialog is displayed.
Add Group dialog -1. In **Name** enter a name for the group. -1. In **Profile** select the role to assign to members of the group. These are [roles](/docs/manage/users-roles/roles/) already created in the system. -1. Click **Create**. The empty group is displayed.
Example group -1. Click the **+** icon next to **Members**. -1. Select the users to add to the group. -1. Click **Apply**. - -#### Assign a group as an incident investigator - -To add a group as an incident investigator, follow the same steps as described in [Add investigators](/docs/cloud-soar/incidents-triage/#add-investigators): -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. -1. Check the incidents you want to add investigators to. -1. Click the three-dot kebab menu in the upper left-hand corner of the screen. -1. Select **Add Investigator**.
The **Add Investigator** screen is displayed.
Add Investigator dialog -1. Select the group to add as investigator of the selected incidents. For example, in the sample screen above, select **SOC Team**. - :::note - The **Role** column displays the profile assigned to the members of the group. You cannot change the group's assigned profile (role) here like you can for individual users. You can only change the group's assigned profile on the group itself. - ::: -1. Click **Apply**. The group is added an an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group. - -#### Group role assignments - -The role specified in an assigned group profile supersedes the user's [role assignments in the Sumo Logic Log Analytics Platform](/docs/manage/users-roles/roles/add-remove-users-role/). The group permissions are persistent until the user leaves the group, the profile is removed from the group, or the group is deleted. - -| User | Result | -| :-- | :-- | -| In a group | Has the assigned group role (profile) | -| In multiple groups | Has the sum of the roles (profiles) from all the groups it is a member of | -| Not in a group | Has role assignments as assigned in the core platform | -| In group without a role (profile) | Has role assignments as assigned in the core platform | - -### Notifications - -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access notification settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Notifications > Event Triggers**. - -[**New UI**](/docs/cloud-soar/overview#new-ui). To access notification settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Notifications**. You can also click the **Go To...** menu at the top of the screen and select **Notifications**. 
- - -Events Triggers dialog - -Select the icon to the right of an event to trigger a notification to be sent when that event occurs. - -### Custom fields - -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access custom fields settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Fields**. - -[**New UI**](/docs/cloud-soar/overview#new-ui). To access custom field settings, in the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Fields**. - - -Cloud SOAR custom fields page - -The **Custom Fields** page allows you to customize all fields within the Cloud SOAR platform to better suit your environment. All fields are pre-populated by default and can be revised with environment-specific variables by manually creating or updating the fields. To begin defining Cloud SOAR's custom fields, select a Cloud SOAR section from the list on the left-side of the screen to view all available fields. To edit an existing field, hover your mouse over the field and select the Edit icon icon that appears next to the field. To add a new field, click the **+** button at the top of the panel. - -Tips for working with custom fields: -* For considerations when you create custom fields for triage, see [Triage field settings](/docs/cloud-soar/incidents-triage/#triage-field-settings). -* You can rename or delete custom fields that you add. However, you can only rename default fields; you cannot delete them. Although you may delete a custom field, it will not increase the number of custom fields available. Since the deleted field may contain data that was entered prior to the deletion of the field, the custom field remains reserved. You can rename internal values, but only personal values (denoted by having a trash can symbol next to the entry), can be deleted from the section's custom fields. -* For each field, a name and a type will always be required. 
The only attribute of an existing field that cannot be modified once the field is created is the field Type, such as Text or Date. -* Each section of Cloud SOAR supports different numbers of custom fields. The **Incidents** section, for example, supports up to 100 custom fields. The number of custom fields remaining will be displayed next to the section name at the top of the page. -* When you edit a field, the **Additional info** section allows you to provide additional information or context to the field, such as how the field should be used or where the data can be located. -* You can reorder fields in the **Custom Fields** section to change the order they appear on the Cloud SOAR screen. To change the order of the fields, click and hold on the six dots to the far left of the field name, then drag the field to its desired location. - -A complete list of field types is listed below. Additional fields are required or optional depending on the type selected. For example, a text field allows an optional default value to be specified, while a list field provides many additional options. - -#### Custom field types - -| Field Type | Description | -|:--|:--| -| Calculation | Perform a calculation between two fields or between a field and a static value. | -| Checkbox | Checkbox. | -| Color Picker | Interactive color picker to select a color. | -| Date | Date only picker. | -| Date & Time | Date and time picker. | -| Email Address | Email address available to use in actions which require a email input. | -| Filename | Filename available to use in actions which require a filename input. | -| Hash | Hash value available to use in actions which require a hash input. | -| IP Address | IP address available to use in actions which require a IP address input. | -| List | Dropdown list. | -| Multi Select List | Multiselect list box. | -| Numeric Textbox | Accepting numeric values only. | -| Tags | One or more user defined tags. | -| Text | Free text. 
| -| Time Interval | Numeric time interval which can be used as a value in another calculated field. | -| Timezone | Timezone list dropdown. | -| URL | URL available to use in actions which require a URL input. | -| User Details | User details, such as a user name. Available to use in actions which require a user details input. | - -#### Using custom fields for SLAs - -Custom fields can be used to calculate any number of custom service level agreements (SLAs). This can be achieved using combinations of `Date`, `Date & Time`, and `Time Interval` type fields. - -In the following example, custom fields provide information on the status of an organization's notification SLA. Two of the custom fields require user input: -* **Notification SLA Requirement** is used to store the SLA time interval, such as 30 minutes. -* **Customer Notified** allows you to enter the date and time the customer was notified. - -The remaining custom fields require no user input and are calculation fields only: -* **Notification Due By** will calculate and display the date and time the notification must be conducted by adding the Notification SLA Requirement field to the start time. -* **Actual Notification Time** will calculate and display the actual time taken to notify the customer by subtracting the start time from the Customer Notified time. - -SLA custom fields - -These custom field settings will appear in the Cloud SOAR Incident screen as follows: - -SLA fields on an incident - -### Incident labels - -The **Incident label** page allows you to define labels for different types of [incidents](/docs/cloud-soar/incidents-triage/#incidents). When incidents are created by the system, incident labels are automatically applied to the incidents. You specify the incident label to be used for each incident type when you create [incident templates](/docs/cloud-soar/automation/#incident-templates) and [automation rules](/docs/cloud-soar/automation/#automation-rules). 
- -To create an incident label: - -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Incident labels**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Incident Labels**. -1. Click **+** to the left of **Incident label**.
Cloud SOAR incident label page -1. Enter the following on the **New label** dialog: - 1. **Name**. Enter a name for the label. This name will not appear in the label itself. - 1. **Description**. Enter a description for what the label will be used for. - 1. **Value**. Enter a value for the label. The fields below will be appended to this label. - 1. **ADD FIELD**. Double-click the following fields you want to append to the label. They will automatically generate values: - * **Day**. The day of the month. - * **Month**. The month of the year. - * **Year**. The year. - * **Roman numeral month**. The month represented as Roman numerals. For example, I, II, III, IV, V, VI, VII, VIII, IX, X, XI, XII. - * **Counter**. A counter beginning at 1. - * **Counter from**. A counter beginning at the number you specify. Replace the `X` in the field with the number to start from. - * **Counter year based**. A counter based on the year. - * **Counter day based**. A counter based on the day. - * **Random six digit number**. A randomly-generated number.
New label dialog - -### Triage - -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access triage configuration settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Triage**. - -[**New UI**](/docs/cloud-soar/overview#new-ui). To access triage configuration settings, in the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Triage**. - - -Cloud SOAR triage configuration page - -Cloud SOAR's [Triage](/docs/cloud-soar/incidents-triage/#triage) module ingests events via the Cloud SOAR API and can be used to triage events which may be unverified or have a low confidence level before they are converted to incidents. - -You can customize triage display preferences on the **Triage** configuration page. You can color-code triage events based on status to easily distinguish them from each other when viewing the list of triage events. You can also modify the name of the module from **Triage** to a name of your choosing. The new name will be displayed in all areas of Cloud SOAR, including the menu and logs. - -* **Section Name**. The name you want to use for the **Triage** section of the user interface. -* **Disable background cache generation**. Prevent cache from being generated for triage events. Selecting this box may speed up page load, but slow triage event retrieval. -* **Set event row style**. Set the colors to display for triage events. -* **Reassign Mail Configuration**. Customize the content of emails sent to analysts when triage events are reassigned. - ## Architecture Sumo Logic Cloud SOAR provides Security Operations and Automation Incident Response Platform to facilitate and expedite timely management of Incident Response with a rich library of customizable playbooks for different threats and use cases of incident response scenarios expediting and automating response time to incident response events. 
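Review bot: This hunk removes headings whose fragment anchors other pages still point at, and the deleted text itself shows which ones: the Settings menu list links to `/docs/cloud-soar/overview/#settings`, the Go To... and Configuration lists link to `/docs/cloud-soar/overview/#custom-fields`, and every Classic UI / New UI lead-in in the removed Settings section links to `/docs/cloud-soar/overview#classic-ui` and `#new-ui`, whose `### New UI` heading is deleted here too. Please grep the docs tree for `cloud-soar/overview#` and `cloud-soar/overview/#` and repoint those links at the new `settings.md` and `menus.md` targets (the automation.md hunk already switched to `/docs/get-started/sumo-logic-ui-classic/` and `/docs/get-started/sumo-logic-ui/`), or add redirects, so the reorg does not leave dangling fragment links. Minor: the unchanged `## Architecture` paragraph that closes the hunk is a single run-on sentence ("...facilitate and expedite timely management of Incident Response with a rich library ... expediting and automating response time to incident response events"); since the file is being restructured anyway, it would read better split into two sentences.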
@@ -410,42 +108,4 @@ Cloud SOAR provides static egress for Cloud executions. IP addresses can be ente Cloud SOAR interacts with the platforms in your environment using a module called Automation Bridge. -Automation Bridge is a process running on a Linux-based VM (deployed inside the your environment) that interacts with your Cloud SOAR Instance and allows you to execute playbook actions on all the systems that Cloud SOAR is orchestrating in that specific environment. For more information, see [Automation Bridge](/docs/platform-services/automation-service/automation-service-bridge). - -## Data retention - -### Default retention periods by data type - -Sumo Logic automatically deletes the following customer data according to the table retention period below, except for customers required to ensure HIPAA compliance (see second table). - -| Data type | Retention period | -| :-- | :-- | -| Incidents | 2 years | -| Triage | 2 years | -| Entities | 2 years | -| Playbook and action executions | 2 years | - -For HIPAA-compliant customers, we delete data following the retention periods below. - -:::info -If you need to follow HIPAA compliance, it is important to explicitly communicate this when requesting Cloud SOAR activation. -::: - -| Data type | Retention period | -| :-- | :-- | -| Incidents | 7 years | -| Triage | 7 years | -| Entities | 7 years | -| Playbook and action executions | 7 years | - -### Custom retention periods - -You can request retention period times different from those declared in the tables above, as long as the retention period requested is greater than 1 day yet less than 5000 days. - -In order to do that, please open a [Support ticket](/docs/get-started/help#support) with your request. - -## Static IP addresses - -The following table provides the static IP addresses used for Cloud SOAR by deployment. These are provided in case you want to explicitly allow the IP addresses on the integrations you install. 
- - +Automation Bridge is a process running on a Linux-based VM (deployed inside the your environment) that interacts with your Cloud SOAR Instance and allows you to execute playbook actions on all the systems that Cloud SOAR is orchestrating in that specific environment. For more information, see [Automation Bridge](/docs/platform-services/automation-service/automation-service-bridge). \ No newline at end of file diff --git a/docs/cloud-soar/settings.md b/docs/cloud-soar/settings.md new file mode 100644 index 0000000000..b1b54b6f43 --- /dev/null +++ b/docs/cloud-soar/settings.md 
@@ -0,0 +1,245 @@ +--- +id: cloud-soar-settings +title: Cloud SOAR Settings +sidebar_label: Settings +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; +import StaticIpAddresses from '../reuse/static-ips-automation-service.md'; + +This article describes the various setup and configuration options for the Cloud SOAR platform. Although initial configuration can be performed in any order, the sections are presented in the suggested order for initial configuration. + +## General + +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access general settings, click the gear icon Settings menu icon in the top right and select **Settings**. + +[**New UI**](/docs/get-started/sumo-logic-ui/). To access general settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **General**. You can also click the **Go To...** menu at the top of the screen and select **General**. + + +General Settings + +### System + +* **Use Proxy**. Enter settings if you need to use a proxy for Internet access. +* **Sticky Alert**. Set the number of seconds to display an alert in the Cloud SOAR UI when an incident generates an alert. +* **Date/Time Format**. Set the date and time format. + +### Incidents + +Use these settings to configure how Cloud SOAR handles [incidents](/docs/cloud-soar/incidents-triage/#incidents). + +* **Duplicates**. + * **Prohibit duplicate naming**. Select this checkbox to prevent incidents from being named identically. + * **Default suffix for duplicated incident name**. Select the suffix to add to the end of incident names to differentiate incidents that are named the same. + * **Use suffix on non-duplicate**. Use the selected suffix on all incidents, regardless of whether they are named the same. +* **Objects**. Gather objects, such as IP addresses, domains and email addresses, and add them to the appropriate object's section within the incident. + * **Extract from**: + * **Incident field**. 
Gather objects from the incident properties. + * **Task field**. Gather objects from the incident tasks. + * **Note field**. Gather objects from the the incident notes. + * **Filename extension whitelist**. Enter filename extensions to allow when gathering objects. +* **Process Phase**. Configure phases for monitoring progress of incidents as they progress. Determine whether the phase is **Mandatory**, and the **Status** of the incident when the phase is reached. Select **Show Deleted** to show phases on deleted incidents. +* **Mandatory Closing Note**. Make a final incident note mandatory before the incident can be closed. + +### Instant Messaging + +Use these settings to configure authentication for an instant messaging service such as Slack. + +* **Integration**. Enter the name of the instant messaging service to integrate with Cloud SOAR. +* **Bot Oauth**. Enter the authorization token for the instant messaging service. +* **Signing secret for verify requests**. Enter the signing secret for the instant messaging service. +* **Workspace**. Displays success or failure of the workspace connection to Cloud SOAR. + +For additional setup needed for Slack, see [Configure Slack for Cloud SOAR](/docs/cloud-soar/automation/#configure-slack-for-cloud-soar). + +## Groups + +A *group* in Cloud SOAR is a collection of users that can be added as incident investigators. When you have a number of users to add as investigators, adding a group of users is faster and easier than adding each user individually. In addition, you can assign everyone in the group the same profile (role), limiting them as incident investigators to only the rights that the profile gives them. + +For example, let's say that you have a team of SOC analysts that share responsibility for investigating incidents. You can add all the members of the team to a group and give its members the "Analyst" profile. 
Then when you need to add the SOC analysts as investigators to incidents, you can simply select the group as the investigator. + +### Create a group + +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**. +1. The **Groups** dialog displays. Click the **+** icon next to **Groups**.
Groups dialog
The **Add Groups** dialog is displayed.
Add Group dialog +1. In **Name** enter a name for the group. +1. In **Profile** select the role to assign to members of the group. These are [roles](/docs/manage/users-roles/roles/) already created in the system. +1. Click **Create**. The empty group is displayed.
Example group +1. Click the **+** icon next to **Members**. +1. Select the users to add to the group. +1. Click **Apply**. + +### Assign a group as an incident investigator + +To add a group as an incident investigator, follow the same steps as described in [Add investigators](/docs/cloud-soar/incidents-triage/#add-investigators): +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). At the top of the screen, click **Incidents**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. Check the incidents you want to add investigators to. +1. Click the three-dot kebab menu in the upper left-hand corner of the screen. +1. Select **Add Investigator**.
The **Add Investigator** screen is displayed.
Add Investigator dialog +1. Select the group to add as investigator of the selected incidents. For example, in the sample screen above, select **SOC Team**. + :::note + The **Role** column displays the profile assigned to the members of the group. You cannot change the group's assigned profile (role) here like you can for individual users. You can only change the group's assigned profile on the group itself. + ::: +1. Click **Apply**. The group is added an an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group. + +### Group role assignments + +The role specified in an assigned group profile supersedes the user's [role assignments in the Sumo Logic Log Analytics Platform](/docs/manage/users-roles/roles/add-remove-users-role/). The group permissions are persistent until the user leaves the group, the profile is removed from the group, or the group is deleted. + +| User | Result | +| :-- | :-- | +| In a group | Has the assigned group role (profile) | +| In multiple groups | Has the sum of the roles (profiles) from all the groups it is a member of | +| Not in a group | Has role assignments as assigned in the core platform | +| In group without a role (profile) | Has role assignments as assigned in the core platform | + +## Notifications + +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access notification settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Notifications > Event Triggers**. + +[**New UI**](/docs/get-started/sumo-logic-ui/). To access notification settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Notifications**. You can also click the **Go To...** menu at the top of the screen and select **Notifications**. 
+ + +Events Triggers dialog + +Select the icon to the right of an event to trigger a notification to be sent when that event occurs. + +## Custom fields + +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access custom fields settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Fields**. + +[**New UI**](/docs/get-started/sumo-logic-ui/). To access custom field settings, in the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Fields**. + + +Cloud SOAR custom fields page + +The **Custom Fields** page allows you to customize all fields within the Cloud SOAR platform to better suit your environment. All fields are pre-populated by default and can be revised with environment-specific variables by manually creating or updating the fields. To begin defining Cloud SOAR's custom fields, select a Cloud SOAR section from the list on the left-side of the screen to view all available fields. To edit an existing field, hover your mouse over the field and select the Edit icon icon that appears next to the field. To add a new field, click the **+** button at the top of the panel. + +Tips for working with custom fields: +* For considerations when you create custom fields for triage, see [Triage field settings](/docs/cloud-soar/incidents-triage/#triage-field-settings). +* You can rename or delete custom fields that you add. However, you can only rename default fields; you cannot delete them. Although you may delete a custom field, it will not increase the number of custom fields available. Since the deleted field may contain data that was entered prior to the deletion of the field, the custom field remains reserved. You can rename internal values, but only personal values (denoted by having a trash can symbol next to the entry), can be deleted from the section's custom fields. +* For each field, a name and a type will always be required. 
The only attribute of an existing field that cannot be modified once the field is created is the field Type, such as Text or Date. +* Each section of Cloud SOAR supports different numbers of custom fields. The **Incidents** section, for example, supports up to 100 custom fields. The number of custom fields remaining will be displayed next to the section name at the top of the page. +* When you edit a field, the **Additional info** section allows you to provide additional information or context to the field, such as how the field should be used or where the data can be located. +* You can reorder fields in the **Custom Fields** section to change the order they appear on the Cloud SOAR screen. To change the order of the fields, click and hold on the six dots to the far left of the field name, then drag the field to its desired location. + +A complete list of field types is listed below. Additional fields are required or optional depending on the type selected. For example, a text field allows an optional default value to be specified, while a list field provides many additional options. + +### Custom field types + +| Field Type | Description | +|:--|:--| +| Calculation | Perform a calculation between two fields or between a field and a static value. | +| Checkbox | Checkbox. | +| Color Picker | Interactive color picker to select a color. | +| Date | Date only picker. | +| Date & Time | Date and time picker. | +| Email Address | Email address available to use in actions which require a email input. | +| Filename | Filename available to use in actions which require a filename input. | +| Hash | Hash value available to use in actions which require a hash input. | +| IP Address | IP address available to use in actions which require a IP address input. | +| List | Dropdown list. | +| Multi Select List | Multiselect list box. | +| Numeric Textbox | Accepting numeric values only. | +| Tags | One or more user defined tags. | +| Text | Free text. 
| +| Time Interval | Numeric time interval which can be used as a value in another calculated field. | +| Timezone | Timezone list dropdown. | +| URL | URL available to use in actions which require a URL input. | +| User Details | User details, such as a user name. Available to use in actions which require a user details input. | + +### Using custom fields for SLAs + +Custom fields can be used to calculate any number of custom service level agreements (SLAs). This can be achieved using combinations of `Date`, `Date & Time`, and `Time Interval` type fields. + +In the following example, custom fields provide information on the status of an organization's notification SLA. Two of the custom fields require user input: +* **Notification SLA Requirement** is used to store the SLA time interval, such as 30 minutes. +* **Customer Notified** allows you to enter the date and time the customer was notified. + +The remaining custom fields require no user input and are calculation fields only: +* **Notification Due By** will calculate and display the date and time the notification must be conducted by adding the Notification SLA Requirement field to the start time. +* **Actual Notification Time** will calculate and display the actual time taken to notify the customer by subtracting the start time from the Customer Notified time. + +SLA custom fields + +These custom field settings will appear in the Cloud SOAR Incident screen as follows: + +SLA fields on an incident + +## Incident labels + +The **Incident label** page allows you to define labels for different types of [incidents](/docs/cloud-soar/incidents-triage/#incidents). When incidents are created by the system, incident labels are automatically applied to the incidents. You specify the incident label to be used for each incident type when you create [incident templates](/docs/cloud-soar/automation/#incident-templates) and [automation rules](/docs/cloud-soar/automation/#automation-rules). 
+ +To create an incident label: + +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Incident labels**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Incident Labels**. +1. Click **+** to the left of **Incident label**.
Cloud SOAR incident label page +1. Enter the following on the **New label** dialog: + 1. **Name**. Enter a name for the label. This name will not appear in the label itself. + 1. **Description**. Enter a description for what the label will be used for. + 1. **Value**. Enter a value for the label. The fields below will be appended to this label. + 1. **ADD FIELD**. Double-click the following fields you want to append to the label. They will automatically generate values: + * **Day**. The day of the month. + * **Month**. The month of the year. + * **Year**. The year. + * **Roman numeral month**. The month represented as Roman numerals. For example, I, II, III, IV, V, VI, VII, VIII, IX, X, XI, XII. + * **Counter**. A counter beginning at 1. + * **Counter from**. A counter beginning at the number you specify. Replace the `X` in the field with the number to start from. + * **Counter year based**. A counter based on the year. + * **Counter day based**. A counter based on the day. + * **Random six digit number**. A randomly-generated number.
New label dialog + +## Triage + +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access triage configuration settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Triage**. + +[**New UI**](/docs/get-started/sumo-logic-ui/). To access triage configuration settings, in the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Triage**. + +Cloud SOAR triage configuration page + +Cloud SOAR's [Triage](/docs/cloud-soar/incidents-triage/#triage) module ingests events via the Cloud SOAR API and can be used to triage events which may be unverified or have a low confidence level before they are converted to incidents. + +You can customize triage display preferences on the **Triage** configuration page. You can color-code triage events based on status to easily distinguish them from each other when viewing the list of triage events. You can also modify the name of the module from **Triage** to a name of your choosing. The new name will be displayed in all areas of Cloud SOAR, including the menu and logs. + +* **Section Name**. The name you want to use for the **Triage** section of the user interface. +* **Disable background cache generation**. Prevent cache from being generated for triage events. Selecting this box may speed up page load, but slow triage event retrieval. +* **Set event row style**. Set the colors to display for triage events. +* **Reassign Mail Configuration**. Customize the content of emails sent to analysts when triage events are reassigned. + +## Data retention + +### Default retention periods by data type + +Sumo Logic automatically deletes the following customer data according to the table retention period below, except for customers required to ensure HIPAA compliance (see second table). 
+ +| Data type | Retention period | +| :-- | :-- | +| Incidents | 2 years | +| Triage | 2 years | +| Entities | 2 years | +| Playbook and action executions | 2 years | + +For HIPAA-compliant customers, we delete data following the retention periods below. + +:::info +If you need to follow HIPAA compliance, it is important to explicitly communicate this when requesting Cloud SOAR activation. +::: + +| Data type | Retention period | +| :-- | :-- | +| Incidents | 7 years | +| Triage | 7 years | +| Entities | 7 years | +| Playbook and action executions | 7 years | + +### Custom retention periods + +You can request retention period times different from those declared in the tables above, as long as the retention period requested is greater than 1 day yet less than 5000 days. + +In order to do that, please open a [Support ticket](/docs/get-started/help#support) with your request. + +## Static IP addresses + +The following table provides the static IP addresses used for Cloud SOAR by deployment. These are provided in case you want to explicitly allow the IP addresses on the integrations you install. + + diff --git a/docs/manage/users-roles/roles/role-capabilities.md b/docs/manage/users-roles/roles/role-capabilities.md index 4955a724da..54a6c679fb 100644 --- a/docs/manage/users-roles/roles/role-capabilities.md +++ b/docs/manage/users-roles/roles/role-capabilities.md 
@@ -165,11 +165,11 @@ This section is for our Cloud SOAR SaaS version. If you have a legacy Cloud SOAR | Note | Access | Access all [notes](/docs/cloud-soar/incidents-triage/#notes). | | Note | Edit | Create, edit, and delete notes. | | War Room | Use | Be able to use the [War Room](/docs/cloud-soar/incidents-triage/#war-room). | -| Settings General | Configure | Configure [settings](/docs/cloud-soar/overview/#settings). | -| User Management | Groups | Manage [groups](/docs/cloud-soar/overview/#groups). | -| Notification | Configure | Configure [notifications](/docs/cloud-soar/overview/#notifications). | +| Settings General | Configure | Configure [settings](/docs/cloud-soar/cloud-soar-settings/). | +| User Management | Groups | Manage [groups](/docs/cloud-soar/cloud-soar-settings/#groups). | +| Notification | Configure | Configure [notifications](/docs/cloud-soar/cloud-soar-settings/#notifications). | | Customization | Logo | Customize the logo. | -| Customization | Fields | Customize [fields](/docs/cloud-soar/overview/#custom-fields). | +| Customization | Fields | Customize [fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). | | Customization | Incident Labels | Customize incident labels. | | Customization | Triage | Customize triage. | | Audit and Information | License Information | View license [audit and information](/docs/cloud-soar/legacy/legacy-cloud-soar-global-functions-menu/#audit-and-information). | diff --git a/docs/platform-services/automation-service/automation-service-audit-logging.md b/docs/platform-services/automation-service/automation-service-audit-logging.md index b65cb0d462..3acbdce1db 100644 --- a/docs/platform-services/automation-service/automation-service-audit-logging.md +++ b/docs/platform-services/automation-service/automation-service-audit-logging.md 
@@ -69,26 +69,26 @@ The table below shows the `_sourceCategory` that is assigned to Audit Event Inde | Product Feature | _sourceCategory Value | |:--|:--| -| [Custom Field](/docs/cloud-soar/overview/#custom-fields) | `oarCustomFields` | +| [Custom Field](/docs/cloud-soar/cloud-soar-settings/#custom-fields) | `oarCustomFields` | | [Daemon](/docs/platform-services/automation-service/integration-framework/about-integration-framework/#daemon-action-definitions) | `oarDaemons` | | [Dashboard](/docs/cloud-soar/incidents-triage/#dashboards) | `oarDashboards` | | Email | `oarEmails` | | [Entity](/docs/cloud-soar/incidents-triage/#entities) | `oarEntities` | | Folder | `oarFolders` | -| [Group](/docs/cloud-soar/overview/#groups) | `oarGroups` | +| [Group](/docs/cloud-soar/cloud-soar-settings/#groups) | `oarGroups` | | [Incident](/docs/cloud-soar/incidents-triage/#incidents) | `oarIncidents` | | [Incident Artifact](/docs/cloud-soar/incidents-triage/#create-a-new-incident-manually) | `oarIncidentArtifacts` | | [Incident Attachment](/docs/cloud-soar/incidents-triage/#documentation-tab) | `oarIncidentAttachments` | | [Incident Investigator](/docs/cloud-soar/incidents-triage/#add-investigators) | `oarIncidentInvestigators` | | [Incident Note](/docs/cloud-soar/incidents-triage/#notes) | `oarIncidentNotes` | | [Incident Template](/docs/cloud-soar/automation/#incident-templates) | `oarIncidentTemplates` | -| [Notification](/docs/cloud-soar/overview/#notifications) | `oarNotifications`| +| [Notification](/docs/cloud-soar/cloud-soar-settings/#notifications) | `oarNotifications`| | [Report](/docs/cloud-soar/incidents-triage/#report) | `oarReports` | -| [Setting](/docs/cloud-soar/overview/#settings) | `oarSettings` | +| [Setting](/docs/cloud-soar/cloud-soar-settings/) | `oarSettings` | | [Task](/docs/cloud-soar/incidents-triage/#tasks) | `oarTasks` | | [Triage](/docs/cloud-soar/incidents-triage/#triage) | `oarTriage` | | [Triage Attachment](/docs/cloud-soar/incidents-triage/#triage) | 
`oarTriageAttachments` | -| [Triggers](/docs/cloud-soar/overview/#notifications) | `oarTriggers` | +| [Triggers](/docs/cloud-soar/cloud-soar-settings/#notifications) | `oarTriggers` | | [Widget](/docs/cloud-soar/incidents-triage/#create-widgets) | `oarWidgets` | ## System Event Index events diff --git a/docs/platform-services/automation-service/automation-service-integrations.md b/docs/platform-services/automation-service/automation-service-integrations.md index b26c906259..932a4328eb 100644 --- a/docs/platform-services/automation-service/automation-service-integrations.md +++ b/docs/platform-services/automation-service/automation-service-integrations.md @@ -66,7 +66,7 @@ To create a new integration in the Automation Service, you must supply an integr To create a new integration: 1. Create an integration definition YAML file, as well as an action definition YAML file for each action in the integration. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu click **Automation**. Then click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu click **Automation**. Then click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. 1. Select the **+** icon at the top of the screen to the left of **Integrations**.
Add Integration button 1. A **New Integration** dialog appears. Drag the integration definition YAML file into the **New Integration** dialog.
Add Integration button 1. Click **Upload**. The new integration is listed on the **Integrations** page. @@ -89,7 +89,7 @@ To make your custom integration available for everyone in App Central, see [Publ If you have Cloud SOAR installed, you can build basic integrations without having to provide custom YAML files. -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu click **Cloud SOAR**. Then click the gear icon Settings menu icon in the top right of the screen, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu click **Cloud SOAR**. Then click the gear icon Settings menu icon in the top right of the screen, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. 1. Select the **+** icon at the top of the screen to the left of **Integrations**.
Add Integration button 1. Fill out the **New Integration** dialog: 1. Upload a **Logo** for your integration. @@ -134,7 +134,7 @@ You can test an action on an integration to ensure that it is working correctly. You can set integrations, and their related action execution, to be executed in the cloud or through the Bridge. Only certified integrations can be executed in the cloud, while custom integrations must be executed through the [Bridge](/docs/platform-services/automation-service/automation-service-bridge/). -1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). In the main Sumo Logic menu click **Automation**. Then click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu click **Automation**. Then click the gear icon Settings menu icon in the top right, select **Automation**, and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**. 1. Select an integration. 1. Hover your mouse over the resource name and click the **Edit** button that appears.
Resource edit button 1. In the **Edit resource** dialog, click the **Automation engine** field to select **Cloud execution** (for certified integrations only) or select a Bridge option (for custom integrations).
Automation engine field diff --git a/sidebars.ts b/sidebars.ts index 157e112ceb..ef032bf11b 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -3031,6 +3031,8 @@ integrations: [ 'cloud-soar/overview', 'cloud-soar/introduction', 'cloud-soar/compared-to-automation-service', + 'cloud-soar/cloud-soar-settings', + 'cloud-soar/cloud-soar-menus', 'cloud-soar/incidents-triage', 'cloud-soar/automation', { From 2b6499e82e018b0e143e38a28eb26288af8f96e3 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 3 Jul 2025 09:21:27 -0500 Subject: [PATCH 2/2] Updates from Kim's review --- docs/cloud-soar/automation.md | 2 +- docs/cloud-soar/incidents-triage.md | 10 +++---- docs/cloud-soar/index.md | 4 +-- docs/cloud-soar/introduction.md | 20 ++++++------- .../legacy/legacy-cloud-soar-mssp.md | 2 +- docs/cloud-soar/menus.md | 30 ++++++++++--------- docs/cloud-soar/settings.md | 4 +-- .../users-roles/roles/role-capabilities.md | 8 ++--- .../automation-service-audit-logging.md | 10 +++---- sidebars.ts | 4 +-- 10 files changed, 48 insertions(+), 46 deletions(-) diff --git a/docs/cloud-soar/automation.md b/docs/cloud-soar/automation.md index 12b5ba0de0..1360202766 100644 --- a/docs/cloud-soar/automation.md +++ b/docs/cloud-soar/automation.md @@ -51,7 +51,7 @@ Incident templates define the way in which incidents will be created for a speci 1. Click **+** to the left of **Template**.
Add template 1. Define the template:
Create incident template dialog 1. **Template name**. Enter a name that is easily identifiable and related to the activity it is developed for. - 1. **Category**. Enter a category for this template. For example, suppose we're building a template for a DLP incident. We might enter a category named **Data Theft**, but we can enter anything we want that will help us group incident templates in the future. You can customize this field to fit your environment, as well as all other fields in Cloud SOAR (see [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields)). + 1. **Category**. Enter a category for this template. For example, suppose we're building a template for a DLP incident. We might enter a category named **Data Theft**, but we can enter anything we want that will help us group incident templates in the future. You can customize this field to fit your environment, as well as all other fields in Cloud SOAR (see [Custom fields](/docs/cloud-soar/settings/#custom-fields)). 1. **Tags**. Enter any tags to further categorize or define the incident. You can use these tags later when searching for or correlating events. 1. Click **Incident** at the top of the dialog. 1. Define any incident parameters you want to set by default when an incident is creating using the template:
Create incident template dialog to define the incident type diff --git a/docs/cloud-soar/incidents-triage.md b/docs/cloud-soar/incidents-triage.md index 032a09ba7d..e1a958fedb 100644 --- a/docs/cloud-soar/incidents-triage.md +++ b/docs/cloud-soar/incidents-triage.md @@ -188,7 +188,7 @@ To add investigators to incidents: 1. Select **Add Investigator**.
The **Add Investigator** screen is displayed.
Add Investigator dialog 1. Select the investigators to add to the selected incidents. :::info - You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/cloud-soar-settings/#groups). + You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/settings/#groups). ::: 1. In the **Role** column, select the role assigned to the users that you want them to have as investigators. For example, select Analyst, Administrator, or some other role. The roles must have the appropriate Cloud SOAR role capabilities that you want them to have as investigators of the incidents. (If you are selecting a group as an investigator, you cannot change the group's assigned role here. You can only change the group's role on the group itself.) 1. Click **Apply**. @@ -227,8 +227,8 @@ Cloud SOAR generates incidents with an automated process: #### Create a new incident manually 1. To create an incident manually, click the **+** button at the top of the **Incidents** screen.
Create incident button -1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields).
Incident Creation screen -1. One of the most important fields is the **Type** field. This field will dictate which playbooks will be recommended later on in the configuration process. See [custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields) to modify the variables displayed in the **Type** field.
Type field +1. A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones that are required will have an asterisk (`*`) marked next to them which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted with [custom fields](/docs/cloud-soar/settings/#custom-fields).
Incident Creation screen +1. One of the most important fields is the **Type** field. This field will dictate which playbooks will be recommended later on in the configuration process. See [custom fields](/docs/cloud-soar/settings/#custom-fields) to modify the variables displayed in the **Type** field.
Type field 1. Click **Next**. 1. Once you complete the **Details** page, you will want to assign appropriate playbooks to be associated with the incident. In addition to adding playbooks to the incident, you can also decide whether you want the playbook to automatically execute upon incident creation by sliding the **Autorun** button to **On**.
Incident Creation - Automation screen 1. Click **Next**. @@ -255,7 +255,7 @@ The incident properties section in the center contains all the important informa ### Overview tab -The incident **Overview** tab contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be configured in [custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). +The incident **Overview** tab contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be configured in [custom fields](/docs/cloud-soar/settings/#custom-fields). ### Operations tab 
@@ -361,7 +361,7 @@ Let's suppose you want to look at a pending event to determine if it needs inves By default, the triage module contains two fields, `Status` and `Type`. Additional values may be added to the `Status` field; however, the `Type` field is directly linked to the incident type field and cannot be modified directly. -New types must be added from the incidents section of the **Custom Fields** page. Up to 100 custom fields and be created for the triage module, allowing customization for any use case. To add additional custom fields for triage, see [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). +New types must be added from the incidents section of the **Custom Fields** page. Up to 100 custom fields and be created for the triage module, allowing customization for any use case. To add additional custom fields for triage, see [Custom fields](/docs/cloud-soar/settings/#custom-fields). Note that to be able to filter events in the triage module based on the values of a field, **Use as filter** must be checked when adding or modifying a field. As fields are created, they will be assigned a number starting at `1`, which will be used to identify the field when adding events via the API. The first field added will be identified as `opt_1`, the second as `opt_2`, and so on. Regardless of the ordering of the fields on the screen, these numbers will remain the same. If a field is deleted, the number will not be reused. For example, if you have defined `opt_1` through `opt_8` and delete the field `opt_8`, the next field added will still become `opt_9`. It is important to remember these field numbers, as they will be used when the API is invoked. diff --git a/docs/cloud-soar/index.md b/docs/cloud-soar/index.md index 5754349150..f6a2870ab7 100644 --- a/docs/cloud-soar/index.md +++ b/docs/cloud-soar/index.md @@ -33,13 +33,13 @@ This section contains the following topics:
- Shield and gear icon

Cloud SOAR Settings

+ Shield and gear icon

Cloud SOAR Settings

Setup and configuration options for the Cloud SOAR platform.

- Shield and gear icon

Cloud SOAR Menus

+ Shield and gear icon

Cloud SOAR Menus

Navigate menus in Cloud SOAR.

diff --git a/docs/cloud-soar/introduction.md b/docs/cloud-soar/introduction.md index 0a26b6a1c3..de45eab1c7 100644 --- a/docs/cloud-soar/introduction.md +++ b/docs/cloud-soar/introduction.md @@ -351,7 +351,7 @@ Cloud SOAR administrators have privileged access to the Settings and Automation ##### General settings -The **General** settings page includes sections for **System**, **Incidents**, and **Instant Messaging**. Administrators can set proxy settings and date/time formats in the **System** section. The **Incidents** section can control incident processing settings and file extension whitelisting. You can also configure integrations like Slack under **Instant Messaging**. For more information, see [General](/docs/cloud-soar/cloud-soar-settings/#general). +The **General** settings page includes sections for **System**, **Incidents**, and **Instant Messaging**. Administrators can set proxy settings and date/time formats in the **System** section. The **Incidents** section can control incident processing settings and file extension whitelisting. You can also configure integrations like Slack under **Instant Messaging**. For more information, see [General](/docs/cloud-soar/settings/#general). [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access general settings, click the gear icon Settings menu icon in the top right and select **Settings**. 
@@ -361,7 +361,7 @@ The **General** settings page includes sections for **System**, **Incidents**, a ##### Groups -Basic user management and role-based access control (RBAC) is done through the main Sumo Logic interface; however, you can create user groups specific to Cloud SOAR through the **Groups** page. For more information, see [Groups](/docs/cloud-soar/cloud-soar-settings/#groups). +Basic user management and role-based access control (RBAC) is done through the main Sumo Logic interface; however, you can create user groups specific to Cloud SOAR through the **Groups** page. For more information, see [Groups](/docs/cloud-soar/settings/#groups). [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access groups settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**. @@ -371,7 +371,7 @@ Basic user management and role-based access control (RBAC) is done through the m ##### Event Triggers -The **Event Triggers** page contains a list of triggers where you can configure default email notifications whenever key events happen. For more information, see [Notifications](/docs/cloud-soar/cloud-soar-settings/#notifications). +The **Event Triggers** page contains a list of triggers where you can configure default email notifications whenever key events happen. For more information, see [Notifications](/docs/cloud-soar/settings/#notifications). [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access event triggers settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Notifications > Event Triggers**. 
@@ -384,9 +384,9 @@ The **Event Triggers** page contains a list of triggers where you can configure You can use additional settings to customize fields, incident labels, and triage information. Use these settings to customize many of the templates, field names, and incident names used in the views and reports your analysts generate. You can also set the defaults for incident triage. See: -* [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields) -* [Incident labels](/docs/cloud-soar/cloud-soar-settings/#incident-labels) -* [Triage](/docs/cloud-soar/cloud-soar-settings/#triage) +* [Custom fields](/docs/cloud-soar/settings/#custom-fields) +* [Incident labels](/docs/cloud-soar/settings/#incident-labels) +* [Triage](/docs/cloud-soar/settings/#triage) #### Exploring Cloud SOAR Automations @@ -422,7 +422,7 @@ Fields can be used to apply advanced filters or add them as a new column in the #### Define and test a custom field -In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance. For more information, see [Custom fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). +In this section, we’ll create a custom field to map data that’s ingested into Cloud SOAR. We'll create a standardized naming convention for source IP addresses to help organize our Cloud SOAR instance. For more information, see [Custom fields](/docs/cloud-soar/settings/#custom-fields). 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **Customization > Fields**.
[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Cloud SOAR Configurations** select **Fields**. 1. In the **Custom Fields** menu, select **Incidents**. 
@@ -451,9 +451,9 @@ You will not be able to create the incident until there is a green **No Issue Fo Incidents are the main place where SOC analysts conduct their threat investigations and orchestrate their responses. There are several areas of the admin UI where you can customize the way incidents behave in Cloud SOAR: * **[Incident templates](/docs/cloud-soar/automation/#incident-templates)**. Incident templates control how incidents appear in the War Room and include fields like type, severity, and status. Incident Templates are also essential when creating [automation rules](/docs/cloud-soar/automation/#automation-rules) that trigger incidents. When you first set up and automate your SOC, it will primarily be using incident templates. -* **[General](/docs/cloud-soar/cloud-soar-settings/#general)** settings **Incidents** section. Use this settings section for some configuration of the incidents in Cloud SOAR. You can allow or prohibit duplicate names, set whether closing notes are mandatory or not, and select which objects are extracted from incidents here. +* **[General](/docs/cloud-soar/settings/#general)** settings **Incidents** section. Use this settings section for some configuration of the incidents in Cloud SOAR. You can allow or prohibit duplicate names, set whether closing notes are mandatory or not, and select which objects are extracted from incidents here. * **[Reports](/docs/cloud-soar/incidents-triage/#report)**. Use this feature to create and edit report templates. These templates are used when analysts export a report after closing an incident as part of the lessons learned stage of the incident response cycle. -* **[Incident Labels](/docs/cloud-soar/cloud-soar-settings/#incident-labels)**. Incident labels are used to organize the way incidents are displayed inside Cloud SOAR. +* **[Incident Labels](/docs/cloud-soar/settings/#incident-labels)**. Incident labels are used to organize the way incidents are displayed inside Cloud SOAR. 
Work with the analysts on your team to customize reports, labels, and templates to suit their needs. As a best practice, create labels and templates that use standardized and unique naming conventions. @@ -483,7 +483,7 @@ Any recorded events that have not been converted to an incident will be displaye Triage screen -The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields)** page). +The **Type** field is directly linked to the incident type field (and can be added through the **Triage** section of the **[Custom Fields](/docs/cloud-soar/settings/#custom-fields)** page). To add additional custom fields (up to 100), select **Triage** from the **Custom Fields** list. To add a custom field, click the **+** button in the upper left of the display and set the field properties as desired. Make sure to check **Use as filter** if you want your new custom field to be filterable in the triage module. diff --git a/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md b/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md index 534823b1d3..2ac3e894b8 100644 --- a/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md +++ b/docs/cloud-soar/legacy/legacy-cloud-soar-mssp.md @@ -99,4 +99,4 @@ When you mouse over the icons, you’ll see **Synchronized** and **Push Field**. Synchronized label -For more information about Custom Fields, see [Customization](/docs/cloud-soar/cloud-soar-settings/#custom-fields). +For more information about Custom Fields, see [Customization](/docs/cloud-soar/settings/#custom-fields). diff --git a/docs/cloud-soar/menus.md b/docs/cloud-soar/menus.md index 94d0bd43a8..8a8de14eb0 100644 --- a/docs/cloud-soar/menus.md +++ b/docs/cloud-soar/menus.md 
@@ -1,11 +1,13 @@ --- -id: cloud-soar-menus +id: menus title: Cloud SOAR Menus sidebar_label: Menus --- import useBaseUrl from '@docusaurus/useBaseUrl'; +This article describes the menus and navigation options for Cloud SOAR. + ## Classic UI The classic UI is the traditional way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic Classic UI](/docs/get-started/sumo-logic-ui-classic). @@ -18,7 +20,7 @@ Use the top menu to access: * [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. * [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. * Support menu icon **Support**. Access help, including documentation and support contact information. -* Settings menu icon [**Settings**](/docs/cloud-soar/cloud-soar-settings/). Configure Cloud SOAR settings. +* Settings menu icon [**Settings**](/docs/cloud-soar/settings/). Configure Cloud SOAR settings. ### Settings menu @@ -26,7 +28,7 @@ The **Settings** menu allows you to configure Cloud SOAR settings. To access the Use the **Settings** menu to access: * [**Automation**](/docs/cloud-soar/automation/). Configure Cloud SOAR's automation and orchestration features. -* [**Settings**](/docs/cloud-soar/cloud-soar-settings/). Configure Cloud SOAR settings. +* [**Settings**](/docs/cloud-soar/settings/). Configure Cloud SOAR settings. * [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. ## New UI 
@@ -75,12 +77,12 @@ The **Go To...** menu allows you to launch Sumo Logic features, including for Cl Use the **Go To...** menu to access these Cloud SOAR features: * [**Bridge**](/docs/platform-services/automation-service/automation-service-bridge). Configure a bridge to run custom actions or integrations. * [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. -* [**Fields**](/docs/cloud-soar/cloud-soar-settings/#custom-fields). Customize fields to better suit your environment. -* [**General**](/docs/cloud-soar/cloud-soar-settings/). Configure general Cloud SOAR settings. -* [**Groups**](/docs/cloud-soar/cloud-soar-settings/#groups). Create a group of users that can be added as incident investigators. +* [**Fields**](/docs/cloud-soar/settings/#custom-fields). Customize fields to better suit your environment. +* [**General**](/docs/cloud-soar/settings/). Configure general Cloud SOAR settings. +* [**Groups**](/docs/cloud-soar/settings/#groups). Create a group of users that can be added as incident investigators. * [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. -* [**Incident Labels**](/docs/cloud-soar/cloud-soar-settings/#incident-labels). Define labels for the different types of incidents that will be investigated. -* [**Notifications**](/docs/cloud-soar/cloud-soar-settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users. +* [**Incident Labels**](/docs/cloud-soar/settings/#incident-labels). Define labels for the different types of incidents that will be investigated. +* [**Notifications**](/docs/cloud-soar/settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users. * [**Report**](/docs/cloud-soar/incidents-triage/#report). Configure reports. * [**SecOps & Dashboard**](/docs/cloud-soar/incidents-triage/#secops-and-dashboard). 
Open the home screen of Cloud SOAR. * [**Triage**](/docs/cloud-soar/incidents-triage/#triage). Triage events which may be unverified or have a low confidence level before they are converted to incidents. @@ -91,14 +93,14 @@ The **Configuration** menu allows you to configure Sumo Logic features, includin Use the **Configuration** menu to access: * [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. -* [**Fields**](/docs/cloud-soar/cloud-soar-settings/#custom-fields). Customize fields to better suit your environment. -* [**Incident Labels**](/docs/cloud-soar/cloud-soar-settings/#incident-labels). Define labels for the different types of incidents that will be investigated. +* [**Fields**](/docs/cloud-soar/settings/#custom-fields). Customize fields to better suit your environment. +* [**Incident Labels**](/docs/cloud-soar/settings/#incident-labels). Define labels for the different types of incidents that will be investigated. ### Administration menu -The **Administration** menu allows you to administer Sumo Logic features, such as for for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/). You can also administer Cloud SOAR features. To access this menu, click Administration icon on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SOAR administration options.
Cloud SOAR options on the administration menu +The **Administration** menu allows you to administer Sumo Logic features, such as for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/). You can also administer Cloud SOAR features. To access this menu, click Administration icon on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SOAR administration options.
Cloud SOAR options on the administration menu Use the **Administration** menu to access: -* [**General**](/docs/cloud-soar/cloud-soar-settings/#general). Configure general Cloud SOAR settings. -* [**Notifications**](/docs/cloud-soar/cloud-soar-settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users. -* [**Groups**](/docs/cloud-soar/cloud-soar-settings/#groups). Create a group of users that can be added as incident investigators. \ No newline at end of file +* [**General**](/docs/cloud-soar/settings/#general). Configure general Cloud SOAR settings. +* [**Notifications**](/docs/cloud-soar/settings/#notifications). Configure notifications to Cloud SOAR users as well as other external users. +* [**Groups**](/docs/cloud-soar/settings/#groups). Create a group of users that can be added as incident investigators. \ No newline at end of file diff --git a/docs/cloud-soar/settings.md b/docs/cloud-soar/settings.md index b1b54b6f43..2c8968eff0 100644 --- a/docs/cloud-soar/settings.md +++ b/docs/cloud-soar/settings.md @@ -1,5 +1,5 @@ --- -id: cloud-soar-settings +id: settings title: Cloud SOAR Settings sidebar_label: Settings --- 
@@ -80,7 +80,7 @@ To add a group as an incident investigator, follow the same steps as described i :::note The **Role** column displays the profile assigned to the members of the group. You cannot change the group's assigned profile (role) here like you can for individual users. You can only change the group's assigned profile on the group itself. ::: -1. Click **Apply**. The group is added an an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group. +1. Click **Apply**. The group is added an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group. ### Group role assignments diff --git a/docs/manage/users-roles/roles/role-capabilities.md b/docs/manage/users-roles/roles/role-capabilities.md index 54a6c679fb..c661058848 100644 --- a/docs/manage/users-roles/roles/role-capabilities.md +++ b/docs/manage/users-roles/roles/role-capabilities.md 
@@ -165,11 +165,11 @@ This section is for our Cloud SOAR SaaS version. If you have a legacy Cloud SOAR | Note | Access | Access all [notes](/docs/cloud-soar/incidents-triage/#notes). | | Note | Edit | Create, edit, and delete notes. | | War Room | Use | Be able to use the [War Room](/docs/cloud-soar/incidents-triage/#war-room). | -| Settings General | Configure | Configure [settings](/docs/cloud-soar/cloud-soar-settings/). | -| User Management | Groups | Manage [groups](/docs/cloud-soar/cloud-soar-settings/#groups). | -| Notification | Configure | Configure [notifications](/docs/cloud-soar/cloud-soar-settings/#notifications). | +| Settings General | Configure | Configure [settings](/docs/cloud-soar/settings/). | +| User Management | Groups | Manage [groups](/docs/cloud-soar/settings/#groups). | +| Notification | Configure | Configure [notifications](/docs/cloud-soar/settings/#notifications). | | Customization | Logo | Customize the logo. | -| Customization | Fields | Customize [fields](/docs/cloud-soar/cloud-soar-settings/#custom-fields). | +| Customization | Fields | Customize [fields](/docs/cloud-soar/settings/#custom-fields). | | Customization | Incident Labels | Customize incident labels. | | Customization | Triage | Customize triage. | | Audit and Information | License Information | View license [audit and information](/docs/cloud-soar/legacy/legacy-cloud-soar-global-functions-menu/#audit-and-information). | diff --git a/docs/platform-services/automation-service/automation-service-audit-logging.md b/docs/platform-services/automation-service/automation-service-audit-logging.md index 3acbdce1db..9f6ca288b3 100644 --- a/docs/platform-services/automation-service/automation-service-audit-logging.md +++ b/docs/platform-services/automation-service/automation-service-audit-logging.md 
@@ -69,26 +69,26 @@ The table below shows the `_sourceCategory` that is assigned to Audit Event Inde | Product Feature | _sourceCategory Value | |:--|:--| -| [Custom Field](/docs/cloud-soar/cloud-soar-settings/#custom-fields) | `oarCustomFields` | +| [Custom Field](/docs/cloud-soar/settings/#custom-fields) | `oarCustomFields` | | [Daemon](/docs/platform-services/automation-service/integration-framework/about-integration-framework/#daemon-action-definitions) | `oarDaemons` | | [Dashboard](/docs/cloud-soar/incidents-triage/#dashboards) | `oarDashboards` | | Email | `oarEmails` | | [Entity](/docs/cloud-soar/incidents-triage/#entities) | `oarEntities` | | Folder | `oarFolders` | -| [Group](/docs/cloud-soar/cloud-soar-settings/#groups) | `oarGroups` | +| [Group](/docs/cloud-soar/settings/#groups) | `oarGroups` | | [Incident](/docs/cloud-soar/incidents-triage/#incidents) | `oarIncidents` | | [Incident Artifact](/docs/cloud-soar/incidents-triage/#create-a-new-incident-manually) | `oarIncidentArtifacts` | | [Incident Attachment](/docs/cloud-soar/incidents-triage/#documentation-tab) | `oarIncidentAttachments` | | [Incident Investigator](/docs/cloud-soar/incidents-triage/#add-investigators) | `oarIncidentInvestigators` | | [Incident Note](/docs/cloud-soar/incidents-triage/#notes) | `oarIncidentNotes` | | [Incident Template](/docs/cloud-soar/automation/#incident-templates) | `oarIncidentTemplates` | -| [Notification](/docs/cloud-soar/cloud-soar-settings/#notifications) | `oarNotifications`| +| [Notification](/docs/cloud-soar/settings/#notifications) | `oarNotifications`| | [Report](/docs/cloud-soar/incidents-triage/#report) | `oarReports` | -| [Setting](/docs/cloud-soar/cloud-soar-settings/) | `oarSettings` | +| [Setting](/docs/cloud-soar/settings/) | `oarSettings` | | [Task](/docs/cloud-soar/incidents-triage/#tasks) | `oarTasks` | | [Triage](/docs/cloud-soar/incidents-triage/#triage) | `oarTriage` | | [Triage Attachment](/docs/cloud-soar/incidents-triage/#triage) | 
`oarTriageAttachments` | -| [Triggers](/docs/cloud-soar/cloud-soar-settings/#notifications) | `oarTriggers` | +| [Triggers](/docs/cloud-soar/settings/#notifications) | `oarTriggers` | | [Widget](/docs/cloud-soar/incidents-triage/#create-widgets) | `oarWidgets` | ## System Event Index events diff --git a/sidebars.ts b/sidebars.ts index ef032bf11b..436c8517b4 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -3031,8 +3031,8 @@ integrations: [ 'cloud-soar/overview', 'cloud-soar/introduction', 'cloud-soar/compared-to-automation-service', - 'cloud-soar/cloud-soar-settings', - 'cloud-soar/cloud-soar-menus', + 'cloud-soar/settings', + 'cloud-soar/menus', 'cloud-soar/incidents-triage', 'cloud-soar/automation', {
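Review bot: in the settings.md hunk at `@@ -80,7 +80,7 @@`, the rewritten line is still ungrammatical: `The group is added an investigator of the selected incidents` drops the wrong word, and should read `The group is added as an investigator of the selected incidents`. The same line also keeps the doubled `the the role (profile)`. Since this hunk already touches that line, fix both in the same change.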
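Review bot: the frontmatter hunks in menus.md (`-id: cloud-soar-menus` / `+id: menus`) and settings.md (`-id: cloud-soar-settings` / `+id: settings`) change the published URLs from `/docs/cloud-soar/cloud-soar-settings/` and `/docs/cloud-soar/cloud-soar-menus/` to `/docs/cloud-soar/settings/` and `/docs/cloud-soar/menus/`, so any inbound link that this patch does not rewrite (bookmarks, support articles, search results, other docs) will 404. Add redirects for the two old paths (for a Docusaurus site, the client-redirects plugin is the usual place) in this PR, and grep the repo for any remaining `cloud-soar-settings` or `cloud-soar-menus` references to confirm the link updates here are complete.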
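Review bot: the menus.md hunk at `@@ -91,14 +93,14 @@` leaves `\ No newline at end of file` on both the old and new side; since the last line of the file (`* [**Groups**](/docs/cloud-soar/settings/#groups). ...`) is being edited anyway, terminate it with a newline so the next diff to this file does not carry the marker. The `for for` typo fix in the Administration paragraph is good.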
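Review bot: in the role-capabilities.md hunk at `@@ -165,11 +165,11 @@`, the `Settings General | Configure` row now links to `/docs/cloud-soar/settings/` with no anchor, while the incidents-triage.md hunk in the same patch links that section as `/docs/cloud-soar/settings/#general`; use the `#general` anchor here as well so both point at the same heading. The adjacent rows `Customization | Incident Labels` and `Customization | Triage` are also the only Customization rows left unlinked; since this patch already links `/docs/cloud-soar/settings/#incident-labels` from menus.md and the triage custom fields from incidents-triage.md, consider linking those two rows too.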
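Review bot: in the automation-service-audit-logging.md hunk at `@@ -69,26 +69,26 @@`, the `Triggers` row (`oarTriggers`) and the `Notification` row (`oarNotifications`) both now resolve to `/docs/cloud-soar/settings/#notifications`. If the renamed settings page has a separate triggers section, point the `Triggers` row at that anchor; if triggers are documented under notifications, the shared anchor is fine but worth confirming before merge, since the old link target was simply carried over.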