Webhook Connection for Cloud SOAR

Cloud SOAR can receive alerts from Sumo Logic Monitors and Scheduled Searches to create Incidents. First, you'll need to create a Cloud SOAR connection. Then you can use the connection as the Connection Type in a Monitor or the Alert Type in a Scheduled Search.

Before you begin
  • You need to have Cloud SOAR enabled on your account for this connection to be available.
  • You'll need the Manage connections role capability to create webhook connections.

You can configure a webhook connection to allow you to send an alert from a scheduled search to Sumo Logic Cloud SOAR using an incident template.

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Monitoring > Connections.
    New UI. In the main Sumo Logic menu, select Monitoring > Connections. You can also click the Go To... menu at the top of the screen and select Connections.

  2. Click + and choose Cloud SOAR as the connection type. The Create Cloud SOAR Connection dialog is displayed.

  3. Enter a Name and give an optional Description to the connection.

  4. The URL field shows your Sumo Logic API endpoint followed by /csoar/v3/incidents/. For example, https://api.us2.sumologic.com/api/csoar/v3/incidents/

  5. In Authorization Header, enter the basic authentication value for the header: the word Basic followed by the Base64 encoding of <accessId>:<accessKey>, for example Basic <base64 encode <accessId>:<accessKey>>. For more information, see Basic Access (Base64 encoded).

  6. Click Save. After you save, the Templates dropdown lists, by name, all incident templates configured in your Cloud SOAR environment.

  7. Select a Template.

  8. The default payload is synchronized with the selected template: the Alert Payload field shows that template's template_id, which is filled in automatically. A template_id is required in the payload in order to configure the connection:

    {
      "template_id": <Template ID>,
      "fields": {
        "incidentid": "Incident Id"
      }
    }

    You can add further fields to the payload. For example:

    {
      "fields": {
        "description": "string",
        "additional_info": "string",
        "starttime": "ISO-8601 datetime string",
        "incident_kind": <ID incident kind>,
        "incident_category": <ID incident category>,
        "status": <ID incident status>,
        "restriction": <ID incident restriction>
      }
    }

  9. Click Save.
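The following script is an added example, not Sumo Logic code: it assembles the same request the connection sends (the Basic authorization header built from <accessId>:<accessKey>, and the Alert Payload with its mandatory template_id and optional fields) and validates the payload against what the steps above state before anything is sent. The endpoint path and payload keys come from this page; the function names, the sample template ID 42, the sample field values and the SUMO_ACCESS_ID / SUMO_ACCESS_KEY environment variables are assumptions made for the example.

```python
"""Build and validate a Cloud SOAR webhook request (added example, not Sumo Logic code).

The endpoint path, the Basic auth header format and the payload keys are
taken from the page; function names and sample values are assumed here.
"""
import base64
import json
import os
import urllib.request
from datetime import datetime

# Constructed sample endpoint, following the shape shown in step 4 (deployment us2).
CSOAR_URL = "https://api.us2.sumologic.com/api/csoar/v3/incidents/"

# Fields the page documents as carrying a Cloud SOAR ID (integers, not names).
ID_FIELDS = {"incident_kind", "incident_category", "status", "restriction"}


def build_auth_header(access_id: str, access_key: str) -> str:
    """Return 'Basic <base64(accessId:accessKey)>' as step 5 specifies."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return f"Basic {token}"


def build_payload(template_id: int, **fields) -> dict:
    """Assemble the Alert Payload: template_id is mandatory, fields are optional."""
    return {"template_id": template_id, "fields": dict(fields)}


def validate_payload(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload is acceptable.

    Checks what the page states: template_id is required, the ID-typed
    fields carry integer IDs, and starttime is an ISO-8601 datetime string.
    """
    problems = []
    if not isinstance(payload.get("template_id"), int):
        problems.append("template_id is required and must be an integer ID")
    fields = payload.get("fields", {})
    if not isinstance(fields, dict):
        return problems + ["fields must be an object"]
    for key in sorted(ID_FIELDS.intersection(fields)):
        if not isinstance(fields[key], int):
            problems.append(f"{key} must be an integer ID, got {fields[key]!r}")
    start = fields.get("starttime")
    if start is not None:
        try:
            datetime.fromisoformat(str(start))
        except ValueError:
            problems.append(f"starttime is not ISO-8601: {start!r}")
    return problems


def build_request(url: str, auth_header: str, payload: dict) -> urllib.request.Request:
    """Prepare the POST without sending it, so it can be inspected first."""
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.dumps(payload).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": auth_header, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Credentials belong in the saved connection, not in search text; here they are
    # read from the environment, with constructed placeholders as the fallback.
    auth = build_auth_header(os.environ.get("SUMO_ACCESS_ID", "<accessId>"),
                             os.environ.get("SUMO_ACCESS_KEY", "<accessKey>"))
    payload = build_payload(
        42,  # constructed template ID; use the one shown in the Templates dropdown
        description="Monitor fired: constructed sample alert",
        starttime="2025-01-15T10:30:00+00:00",
        incident_kind=3,  # constructed incident kind ID
    )
    req = build_request(CSOAR_URL, auth, payload)
    print(req.get_method(), req.full_url, req.data.decode())
    # urllib.request.urlopen(req) would send it; omitted so the script runs offline.
```

Running the script prints the method, URL and JSON body it would send; a payload that is missing template_id, that carries a name such as "open" where an ID is expected, or whose starttime is not ISO-8601 is rejected before any request is built, which is the same condition the connection dialog enforces when it requires template_id.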

Copyright © 2025 by Sumo Logic, Inc.