
Webhook Connection for Cloud SOAR


Cloud SOAR can receive alerts from Sumo Logic Monitors and Scheduled Searches to create Incidents. First, you'll need to create a Cloud SOAR connection. Then you can use the connection as the Connection Type in a Monitor or the Alert Type in a Scheduled Search.

Before you begin
  • You need to have Cloud SOAR enabled on your account for this connection to be available.
  • You'll need the Manage connections role capability to create webhook connections.

You can configure a webhook connection that sends an alert from a monitor or scheduled search to Sumo Logic Cloud SOAR, where the alert creates an incident from the incident template you select.

  1. Classic UI. In the main Sumo Logic menu, select Manage Data > Monitoring > Connections.
    New UI. In the top menu select Configuration, and then under Monitoring select Connections. You can also click the Go To... menu at the top of the screen and select Connections.

  2. Click + and choose Cloud SOAR as the connection type. The Create Cloud SOAR Connection dialog is displayed.

  3. Enter a Name and give an optional Description to the connection.

  4. The URL field shows your Sumo Logic API endpoint followed by /csoar/v3/incidents/. For example, https://api.us2.sumologic.com/api/csoar/v3/incidents/

  5. In Authorization Header, enter the HTTP Basic authentication value: the word Basic, a space, and the Base64 encoding of the string <accessId>:<accessKey>. For example, Basic <base64 encode <accessId>:<accessKey>>. Base64 is an encoding, not encryption, so the stored header is equivalent to your access key and should be treated as a credential. For more information, see Basic Access (Base64 encoded).

  6. Click Save. After save, the Templates dropdown shows a list of all incident templates by name configured in your Cloud SOAR environment.

  7. Select a Template.

  8. The default payload synchronizes with the selected template, and the Alert Payload field shows the template's template_id already filled in. A template_id is required in the payload; the connection cannot be saved without it. The placeholder <Template ID> stands for the numeric ID of the template you selected:

    {
      "template_id": <Template ID>,
      "fields": {
        "incidentid": "Incident Id"
      }
    }

    You can add additional variables. For example:

    {
      "fields": {
        "description": "string",
        "additional_info": "string",
        "starttime": "ISO-8601 datetime string",
        "incident_kind": <ID incident kind>,
        "incident_category": <ID incident category>,
        "status": <ID incident status>,
        "restriction": <ID incident restriction>
      }
    }
  9. Click Save.
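The following script is an added example and is not code from the Sumo Logic documentation or product. It shows the three pieces the steps above ask you to produce by hand: the Basic authorization header built from accessId:accessKey, the incident URL built from your API endpoint, and a payload that passes the template_id requirement and keeps the ID-valued fields numeric. The access ID, access key, template ID and field values are constructed sample values, not real ones; the assumption that the API endpoint is given without a trailing slash (as in https://api.us2.sumologic.com/api) is the author's, not the page's.

```python
import base64
import json

# Constructed sample values for the demonstration; they are not real credentials or IDs.
SAMPLE_ACCESS_ID = "id"
SAMPLE_ACCESS_KEY = "key"
SAMPLE_TEMPLATE_ID = 42

# Fields the page documents as ID references: each must be a numeric ID, not a name.
ID_FIELDS = {"incident_kind", "incident_category", "status", "restriction"}


def basic_auth_header(access_id: str, access_key: str) -> str:
    """Return the Authorization header value: 'Basic ' + base64(accessId:accessKey).

    Base64 is reversible, so the returned string is as sensitive as the access key
    itself: do not log it or commit it.
    """
    if ":" in access_id:
        # The colon separates the two halves; an ID containing one would be ambiguous.
        raise ValueError("access ID must not contain ':'")
    raw = f"{access_id}:{access_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def incident_url(api_endpoint: str) -> str:
    """Append the /csoar/v3/incidents/ path the connection uses to the API endpoint.

    Assumption: api_endpoint is the base URL with or without a trailing slash.
    """
    return api_endpoint.rstrip("/") + "/csoar/v3/incidents/"


def build_payload(template_id: int, fields: dict) -> dict:
    """Assemble the Alert Payload, enforcing the rules the page states."""
    if not isinstance(template_id, int) or isinstance(template_id, bool):
        raise ValueError("template_id must be an integer template ID")
    for name, value in fields.items():
        if name in ID_FIELDS and (not isinstance(value, int) or isinstance(value, bool)):
            raise ValueError(f"{name} must be an integer ID, got {value!r}")
    return {"template_id": template_id, "fields": fields}


def validate_payload(text: str) -> dict:
    """Parse a payload as JSON and check that the required template_id is present.

    A payload still containing the <Template ID> placeholder is not valid JSON and
    is rejected here (json.JSONDecodeError is a subclass of ValueError).
    """
    payload = json.loads(text)
    if "template_id" not in payload:
        raise ValueError("payload is missing the required template_id")
    if not isinstance(payload["template_id"], int) or isinstance(payload["template_id"], bool):
        raise ValueError("template_id must be a JSON integer")
    payload.setdefault("fields", {})
    return payload


if __name__ == "__main__":
    header = basic_auth_header(SAMPLE_ACCESS_ID, SAMPLE_ACCESS_KEY)
    # Show only the scheme, never the encoded credential.
    print("Authorization scheme:", header.split()[0])
    print("URL:", incident_url("https://api.us2.sumologic.com/api"))
    payload = build_payload(SAMPLE_TEMPLATE_ID, {"incidentid": "Incident Id", "status": 3})
    print(json.dumps(validate_payload(json.dumps(payload)), indent=2))
```

Paste the header value into the Authorization Header field and the JSON into Alert Payload; the script deliberately prints only the scheme so that the encoded credential does not end up in a terminal log.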


Copyright © 2024 by Sumo Logic, Inc.