
Cloud SOAR Global Functions Menu

Cloud SOAR is a pure web-based application that does not require an additional add-on or client to deploy. The Global Functions Menu consists of all Cloud SOAR configuration and administrative options you'll need, such as user access, integration configurations, and auditing information.

Global Functions Menu

Automation

The Automation section contains all the functions related to automation and orchestration processes of the Cloud SOAR platform.

To access this section, click the cog icon (cog menu) > Automation.

Automation Docs

See Automation for in-depth information.

Playbook

Playbooks are the core of Cloud SOAR's automation capabilities. Playbooks permit administrators to create automated and semi-automated workflows utilizing Cloud SOAR integrations, tasks and a variety of flow control decisions and other actions.

Automation menu

Playbook workflows can be configured to execute automatically without human intervention, or can be executed in an interactive mode, where user input is required to authorize predefined actions.

Incident Template

Incident Templates allow you to define a certain number of incident attributes that will automatically be set each time an incident is generated based on the template. This may include type, classification, incident assignment, playbooks or any other incident attribute.


Integrations

The Integrations section allows administrators to configure bidirectional integrations with third-party technologies, as well as view the supported actions for each integration. In addition, this section allows administrators to manage custom scripts, which can be written in Python, Perl, PowerShell or Bash.


Rules

The Events Automation tab enables you to establish daemonized integration rules that define what occurs when data is received from each of these sources. These rules allow specific data to be parsed from the incoming data sources and then acted upon automatically or through manual actions.


Settings

The Settings section contains several Cloud SOAR administrative functions. To access, click the cog icon (cog menu) > Automation.

Settings menu

The following sections detail the various setup and configuration options for the Cloud SOAR platform. Although initial configuration can be performed in any order, the following sections are ordered in the suggested order for initial configuration.

General Settings

The following options can be configured under General Settings:

System

  • Display Notification: number of seconds
  • Display Session Timeout: the session timeout in minutes, which will be applied at the next user login.

International Settings


Language Settings

French is now available in Cloud SOAR. It can be enabled in the user profile section.


Instant Messaging

Instant Messaging integration can be enabled from here.

messaging integration

The same integration has to be updated under the user profile configuration.


Incidents

There are several Incident settings that you should consider when configuring Cloud SOAR.

Cloud SOAR's Automatic Observables Harvesting feature examines free text areas of Cloud SOAR to gather observables, such as IP addresses, domains and email addresses. When enabled, Cloud SOAR will automatically harvest these observables and add them to the appropriate observables section within the incident. Checking the boxes under Automatically extract Observables elements from will cause Cloud SOAR to perform Automatic Observables Harvesting on the checked sections.
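The harvesting step described above, as an added illustration written for this page (not Cloud SOAR's own implementation): it scans only the free-text sections that are enabled, pulls out IP addresses, domains and e-mail addresses, validates the IPs, and drops file names that merely look like domains. The sample incident text, the section names and the excluded-suffix list are constructed assumptions.

```python
from __future__ import annotations
import re
from ipaddress import ip_address

# Patterns for the three observable types the page names: IP addresses,
# domains and e-mail addresses. The domain pattern requires an alphabetic
# last label so that version strings (1.2.3) and bare IPv4 addresses are
# not reported as domains.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Assumption: file extensions that the domain pattern would otherwise
# mistake for top-level domains (e.g. "payload.exe").
NOT_DOMAIN_SUFFIXES = {"exe", "dll", "txt", "log", "zip", "py", "sh"}

# Constructed sample incident text, not real data.
SAMPLE_INCIDENT = {
    "description": "User bob@corp.example reported a beacon from 10.0.0.5 "
                   "to cdn.bad-site.example over 443.",
    "notes": "Dropped file payload.exe; C2 also seen at 999.1.1.1 and 203.0.113.7.",
    "title": "Beacon to bad-site.example",
}


def harvest_observables(sections: dict[str, str], enabled: set[str]) -> dict[str, list[str]]:
    """Scan only the free-text sections that are enabled for harvesting
    (mirroring the "Automatically extract Observables elements from"
    checkboxes) and return de-duplicated observables grouped by type."""
    found: dict[str, list[str]] = {"ip": [], "domain": [], "email": []}
    for name, text in sections.items():
        if name not in enabled:
            continue
        for candidate in IPV4_RE.findall(text):
            try:
                ip_address(candidate)  # rejects out-of-range octets such as 999.1.1.1
            except ValueError:
                continue
            found["ip"].append(candidate)
        found["email"].extend(e.lower() for e in EMAIL_RE.findall(text))
        # Mask e-mail addresses first so their domain part is not harvested twice.
        masked = EMAIL_RE.sub(" ", text)
        for candidate in DOMAIN_RE.findall(masked):
            if candidate.rsplit(".", 1)[-1].lower() not in NOT_DOMAIN_SUFFIXES:
                found["domain"].append(candidate.lower())
    # De-duplicate while preserving first-seen order.
    return {kind: list(dict.fromkeys(values)) for kind, values in found.items()}


if __name__ == "__main__":
    print(harvest_observables(SAMPLE_INCIDENT, {"description", "notes"}))
```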

Under the Incident settings, it is also possible to make a final incident note mandatory before the incident can be closed. This can be used to enforce the policy of recording the final disposition of an incident before it is closed.

Incident Settings

Incidents Documentation

For more information, refer to Incidents and Triage.

Incident Process Phases

Cloud SOAR allows managers to monitor the progress of incident phases as the incident progresses. These phases and their properties can be configured by administrators in the General settings page.

Incident Phases

In addition to the phase name, administrators can determine whether the phase is mandatory and the status of the incident when the new phase is reached. Administrators may also disable phase management at the top of the Incident Process Phase section or choose not to show the phase management section in the Incident Details screen.

Incident Process Phase Settings

Queue Settings

One or more queues may be configured to which incidents can be assigned until they are ready to be assigned to users. Queues can be managed at the bottom of the General settings page.

Queue Settings

Click the + button in the upper right-hand corner of the queue settings to add a new queue. There are no restrictions on the number, or the scheme used to create queues. Common schemes are to create one general queue, a queue for each analyst tier, or a queue by job function.


Internet Connection Settings


User Management

Groups

You can create a group of users and assign a role to all the users in the group. This makes it easy to assign a specialized role to multiple users at once rather than adding the users individually to the role.

For example, say there is a group of users with different roles responsible for customer support. Access to a specific incident with restricted privileges needs to be granted to all investigators of the incident. You can create a role with just the needed Cloud SOAR role capabilities and select it as the role (also known as a profile) for members of the group. Then when you add investigators for the incident, you can select the group rather than individual users.

Create a group
  1. In the upper-right corner of the Cloud SOAR UI, click the cog icon (cog menu) and select Automation.
  2. On the left navigation bar, select User Management > Groups. The Groups dialog is displayed.
    Groups dialog
  3. Click the + icon next to Groups. The Add Groups dialog is displayed.
    Add Group dialog
  4. In Name enter a name for the group.
  5. In Profile select the role to use for members of the group. These are roles already created in the system. To see role capabilities assigned to these roles, in the Sumo Logic Log Analytics Platform select Administration > Users and Roles and click the Roles tab. For more information about roles, see Create and Manage Roles.
  6. Click Create. The empty group is displayed.
    Example group
  7. Click the + icon next to Members.
  8. Select the users to add to the group.
  9. Click Apply.

Group role assignments

The role specified in an assigned group profile supersedes the user's role assignments in the Sumo Logic Log Analytics Platform. The group permissions are persistent until the user leaves the group, the profile is removed from the group, or the group is deleted.

User                               Result
In a group                         Has the assigned group role (profile)
In multiple groups                 Has the sum of the roles (profiles) from all the groups it is a member of
Not in a group                     Has role assignments as assigned in the core platform
In group without a role (profile)  Has role assignments as assigned in the core platform
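The precedence rules in the table, as an added Python illustration written for this page (not Cloud SOAR code): a group profile supersedes the user's core-platform roles, several group profiles are summed, and a user in no profile-bearing group keeps the core-platform assignments. The user names, group names and capability strings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed core-platform role assignments; the capability names are made up.
CORE_ROLES: dict[str, frozenset[str]] = {
    "alice": frozenset({"incident.view"}),
    "carol": frozenset({"incident.view"}),
    "dave": frozenset({"incident.view", "incident.edit", "settings.admin"}),
}


@dataclass
class Group:
    name: str
    profile: frozenset[str] | None  # role (profile) assigned to the group, or None
    members: set[str] = field(default_factory=set)


GROUPS = [
    Group("support", frozenset({"incident.view", "incident.comment"}), {"alice", "bob"}),
    Group("investigators", frozenset({"incident.edit"}), {"alice", "dave"}),
    Group("new-hires", None, {"carol"}),  # group without a profile
]


def effective_capabilities(user: str, core_roles=CORE_ROLES, groups=GROUPS) -> frozenset[str]:
    """Resolve a user's capabilities with the table's rules: any group profile
    supersedes the core-platform roles, multiple group profiles are summed
    (set union), and a user with no profile-bearing group keeps the core roles."""
    profiles = [g.profile for g in groups if user in g.members and g.profile is not None]
    if profiles:
        return frozenset().union(*profiles)
    return core_roles.get(user, frozenset())
```

Note that dave ends up with only the investigators profile while a member of that group: the group profile replaces the broader core-platform assignment rather than adding to it, which is worth checking before placing privileged users in groups.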

Notifications

Cloud SOAR allows administrators to configure notifications to Cloud SOAR users as well as other external users. These notifications can be sent via Cloud SOAR's internal messaging platform, as well as email and SMS. Watcher Groups can also be created, which allows Cloud SOAR to send notifications to those who are not necessarily assigned to an incident when certain conditions are met, such as notifying managers when a high severity incident is created.

The Notifications selection enables you to configure outbound email (SMTP) settings, and set up text messaging for incident notifications. Notifications can be configured by clicking on Notifications from the Settings menu.

Email Server Configuration

Under the Email Server Configuration tab, users configure outbound mail and confirm privacy settings to fit their organization's needs. Once these options are set, Administrators can configure which types of events should trigger notifications to which users and by what means.

Email Configuration Settings

Mail Notification Queue

The Mail Notification Queue shows the status of all email notifications sent by Cloud SOAR.

Mail Notification Queue

By navigating to the Mail Notification Queue, you can view any delivery failures, the details of the original notification, as well as have the options to resend or delete the notification.

Customization

Under the Customization dropdown, you will find an arsenal of tools at your disposal. These tools will assist in the creation of reports, custom fields, and incident elements, just to name a few. The full list of features is listed below.

Incident Reports

Report Templates allow you to build your own reports by selecting the components of an incident you wish to include in the report.

Custom Fields

Custom Fields allows administrators to edit existing fields as well as add new fields for almost every section of Cloud SOAR. All Cloud SOAR sections which permit custom fields are displayed on the left-hand side of the page. Clicking on any one of these sections will display all current fields for that section on the right-hand side of the page. Any existing field may be edited, to include changing the name or adding list values. The only attribute which cannot be changed is the type of the field, such as text or date. New fields may also be added from this page.

The Logo section allows administrators to customize both their Cloud SOAR user interface and reports with the logo of their company or the logo of their clients. This can be done by simply uploading the image in the specified .PNG file format and size.

Logo Settings

Incident Label

The Incident labels section allows an administrator to define labels for the different types of incidents that will be investigated. These labels can also be created during the automation rule and incident template creation process which will be explained in later sections.

Triage

Cloud SOAR's Triage module ingests events via the Cloud SOAR API and can be used to triage events which may be unverified or have a low confidence level before they are converted to incidents. The Triage module can be completely customized for use cases from financial fraud to network IDS alerts.

Report

With the Report option, you can create incident reports to share with others as well as widgets to use in the report that display text, graphs, tables, and charts containing details about incidents and other aspects of Cloud SOAR.

  1. Click the gear icon in the upper-right corner of the UI, then select Report.
    Access reports
    The Report UI appears.
    Reports user interface
  2. Click the + icon in the upper left corner.
  3. On the right side, select widgets to add to the report from My Widgets or Public. These are the same widgets that are available to use in dashboards. Widgets can be graphs, charts, tables, or any kind of visual element that contains information. Click New to create a new widget. Click Show List to see all available widgets.
  4. Rearrange the widgets in the report as needed.
    Widgets in a report
  5. Click Save. In the dialog:
    1. Provide a Report name and a Description.
    2. Click Schedule to schedule the report to run on a regular basis.
    3. Scroll to the bottom of the dialog and click Public if you want to make the report available to others.
    4. Click Save.
      Save a report
  6. Click Export to export the report to PDF.
  7. Click Open to open available reports.

Support

Under the Support section, you can find valuable information such as the Cloud SOAR user manual, API Integrations, the Integration Framework, a link to our Community portal, as well as a way to contact Sumo Logic for other support issues.

To access, click the question mark icon in the top nav.

Support Page

Copyright © 2024 by Sumo Logic, Inc.