Cloud SOAR can receive alerts from Sumo Logic Monitors and Scheduled Searches to create Incidents. First, you'll need to create a Cloud SOAR connection. Then you can use the connection as the Connection Type in a Monitor or the Alert Type in a Scheduled Search.
You need to have Cloud SOAR enabled on your account for this connection to be available.
Create a Cloud SOAR Connection
This section demonstrates how to create a webhook connection from Sumo Logic to Cloud SOAR.
- In Sumo Logic, go to Manage Data > Monitoring > Connections.
- Click + Add and choose Cloud SOAR as the connection type.
- Enter a Name and give an optional Description to the connection.
- The URL and Authorization Header are automatically defined by Sumo Logic. You should not edit these.
- The Templates dropdown shows a list of all incident templates, by name, configured in your Cloud SOAR environment.
- The default Payload synchronizes with the selected template, and the associated `template_id` field is automatically filled in the default payload. A `template_id` is required in the payload in order to configure the connection. For details on variables you can use as parameters within your JSON object, see Webhook Payload Variables.
- Click Save.
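Because a payload without a `template_id` cannot be used to configure the connection, it helps to sanity-check an edited payload before saving it. The following is an added example, not Sumo Logic's or Cloud SOAR's own code: it parses a payload, confirms the required `template_id` is present and non-empty, flags a `{{` placeholder that was never closed, and lists the `{{Variable}}` placeholders the payload uses. The sample payload is constructed for illustration (the real default payload is generated by Sumo Logic from the selected template), and the `fields` object and `check_payload` function are assumptions of this example.

```python
import json
import re

# Constructed sample payload (not Sumo Logic's actual default payload).
# It carries the required template_id and a few placeholders written in the
# {{Variable}} form used by Sumo Logic webhook payload variables.
SAMPLE_PAYLOAD = """{
  "template_id": 12,
  "fields": {
    "title": "{{Name}}",
    "description": "{{Description}}",
    "search_query": "{{Query}}",
    "result_count": "{{NumRawResults}}"
  }
}"""

# Matches a complete {{Variable}} placeholder and captures its name.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def check_payload(payload_text):
    """Check a Cloud SOAR webhook payload before it is saved.

    Returns (ok, problems, variables):
      ok        - True when the payload is valid JSON, carries a non-empty
                  template_id and has no unclosed placeholder
      problems  - list of human-readable findings (empty when ok)
      variables - sorted, de-duplicated list of placeholder names found
    """
    problems = []
    try:
        payload = json.loads(payload_text)
    except json.JSONDecodeError as exc:
        return False, ["payload is not valid JSON: %s" % exc], []

    if not isinstance(payload, dict):
        return False, ["payload must be a JSON object"], []

    # template_id is required for the connection to be configured.
    # The page does not state its type, so only presence and non-emptiness
    # are checked here.
    template_id = payload.get("template_id")
    if template_id is None or template_id == "":
        problems.append("missing required template_id")

    # Strip every well-formed placeholder; any "{{" left over was never closed
    # and would reach Cloud SOAR as literal text instead of a substituted value.
    leftover = PLACEHOLDER.sub("", payload_text)
    if "{{" in leftover:
        problems.append("unclosed {{ placeholder in payload")

    variables = sorted({m.group(1) for m in PLACEHOLDER.finditer(payload_text)})
    return not problems, problems, variables


if __name__ == "__main__":
    ok, problems, variables = check_payload(SAMPLE_PAYLOAD)
    print("ok:", ok)
    print("problems:", problems)
    print("variables used:", variables)
```

Run it against the payload copied from the connection form; a non-empty `problems` list means the connection will not be accepted or will produce incidents with unsubstituted text, and the `variables` list is a quick way to confirm every placeholder name matches one documented under Webhook Payload Variables.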