Update cloud-soar.md #4675

Merged
merged 2 commits into from
Oct 21, 2024
46 changes: 38 additions & 8 deletions docs/alerts/webhook-connections/cloud-soar.md
Expand Up @@ -16,14 +16,44 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
* You'll need the **Manage connections** [role capability](/docs/manage/users-roles/roles/role-capabilities) to create webhook connections.
:::

To create a webhook connection from Sumo Logic to Cloud SOAR:
You can configure a webhook connection to allow you to send an alert from a scheduled search to Sumo Logic Cloud SOAR using an incident template.

1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Monitoring > Connections**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Monitoring** select **Connections**. You can also click the **Go To...** menu at the top of the screen and select **Connections**.
1. Click **+ Add** and choose **Cloud SOAR** as the connection type.<br/> <img src={useBaseUrl('img/connection-and-integration/SOAR-webhook-icon.png')} alt="SOAR webhook icon.png" width="200"/>
1. Enter a **Name** and give an optional **Description** to the connection.
1. The **URL** and **Authorization Header** are automatically defined by Sumo Logic. You should not edit these.
1. The **Templates** dropdown shows a list of all incident templates, by name, configured in your Cloud SOAR environment.
1. The default **Payload** synchronizes with the selected template and the associated `template_id` field is automatically defined in the default payload. A `template_id` is required in the payload in order to configure the connection. For details on variables you can use as parameters within your JSON object, see [Webhook Payload Variables](set-up-webhook-connections.md).
1. Click **Save**.
1. Click **+** and choose **Cloud SOAR** as the connection type. The **Create Cloud SOAR Connection** dialog is displayed.<br/><img src={useBaseUrl('img/cloud-soar/CSOAR-connection1.png')} alt="New connection" style={{border: '1px solid gray'}} width="600"/>
1. Enter a **Name** and give an optional **Description** to the connection.
1. The **URL** field shows your [Sumo Logic API endpoint](/docs/api/getting-started#sumo-logic-endpoints-by-deployment-and-firewall-security) followed by `/csoar/v3/incidents/`. For example, `https://api.us2.sumologic.com/api/csoar/v3/incidents/`
1. In **Authorization Header**, enter your basic authentication access information for the header. For example, `Basic <base64 encode <accessId>:<accessKey>>`. For more information, see [Basic Access (Base64 encoded)](/docs/api/getting-started#basic-access-base64-encoded).
1. Click **Save**. After save, the **Templates** dropdown shows a list of all incident templates by name configured in your Cloud SOAR environment.
1. Select a **Template**.
1. The default payload synchronizes with the selected template, and the **Alert Payload** field shows the associated `template_id` field automatically defined in the default payload. A `template_id` is required in the payload in order to configure the connection:

```
{
"template_id": <Template ID>,
"fields": {
"incidentid": "Incident Id"
}
}
```

For more detailed instructions, see [Configure a webhook for Cloud SOAR](/docs/cloud-soar/automation/#configure-a-webhook-for-cloud-soar).
You can add additional variables. For example:

```
{
"fields": {
"description": "string",
"additional_info": "string",
"starttime": "ISO-8601 datetime string",
"incident_kind": <ID incident kind>,
"incident_category": <ID incident category>,
"status": <ID incident status>,
"restriction": <ID incident restriction>
}
}
```
:::note
* For details on variables you can use as parameters within your JSON object, see [Configure Webhook Payload Variables](/docs/alerts/webhook-connections/set-up-webhook-connections/#configure-webhook-payload-variables).
* For information on additional fields, please refer to the [Cloud SOAR APIs](/docs/api/cloud-soar/) documentation.
* The preceding example shows an `ISO-8601 datetime string`. For information about how to configure it, see [parser documentation](https://dateutil.readthedocs.io/en/stable/parser.html#dateutil.parser.isoparse).
:::
1. Click **Save**.
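Review bot: the two fenced payload examples and the `:::note` admonition that follow the step "The default payload synchronizes with the selected template..." are not indented under that list item, so Markdown closes the numbered list there and the final `1. Click **Save**.` renders as a new list starting at 1; indent those blocks by three spaces so they stay inside the step. On the **Authorization Header** step, make explicit that the value is the literal `Basic ` followed by the base64 encoding of the single string `<accessId>:<accessKey>` (colon included, encoded together), and that base64 only encodes the credential rather than protecting it, so the access key is stored in clear inside the connection; it would also help to state which role capabilities that access key needs, since the note at the top of the section covers only the **Manage connections** capability required to create the connection. Minor: the `ISO-8601 datetime string` bullet links to the Python dateutil `isoparse` documentation, which describes a parsing library rather than how to write the `starttime` value; a short ISO-8601 example in the text would serve readers of this webhook page better than the library reference.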