Skip to main content

Cloud SOAR Incident Management and Triage

SecOps and dashboard

The SecOps screen is where all your current tasks reside. Here you can approve, decline, and close tasks as well as customize this section to display all tasks assigned to a specific user or group.

Home page

In the upper left corner you can select Dashboard to see dashboards showing your tasks. For more information, see Dashboards.

Incidents screen

The Incident section lists all Cloud SOAR incidents. Clicking on any of the incident IDs in the Incident section will open the incident. You can configure what incidents are displayed by creating queries against available incident data and saving them as incident filters.

Cloud SOAR incidents

Watch this micro lesson to learn more about Incidents in Cloud SOAR.

Filtering Incidents

You can also manipulate what data is to be displayed from the Incident section by adjusting which columns are viewable. The adjust these columns, click on the cogwheel on the top right-side of the screen. This will display a configuration screen that allows you to choose which data is displayed and where on the screen it should be displayed by clicking the + sign next to the selection and then dragging and dropping the selection in the order to be viewed.

Adjust columns

Once the columns are added and organized, click Apply to continue.

From the Incident section you can search, build, and issue queries against existing incidents by simply typing in the search bar at the top of the screen.

Search issues

Cloud SOAR also provides its you with a command cheat sheet to help build incident filtering queries. To access the cheat sheet, click on the information icon to display the query options.

Once a query or a search is committed, they can be saved for future use by clicking the star icon to the right of the search bar. These saved searches will be stored as tabs just below the search bar.

save query

Bulk actions may be performed on any incidents in the Incident Overview list. To perform bulk actions on incidents, check the incidents you wish to perform the bulk actions on, then click the three-dot kebab menu in the upper left-hand corner of the screen and select the appropriate bulk action. Bulk actions include:

  • Edit
  • Close
  • Reopen
  • Delete
  • Restore
  • Add Investigator
  • Change Owner
    Bulk actions

Add investigators

Investigators are users who are involved in incidents and have access to perform operations on the incidents and view the incident data. To be able to add investigators to incidents, you must be assigned the Manage Investigators Cloud SOAR role capability.

To add investigators to incidents:

  1. At the top of the screen, click Incidents.
  2. Check the incidents you want to add investigators to.
  3. Click the three-dot kebab menu in the upper left-hand corner of the screen.
  4. Select Add Investigator.
    The Add Investigator screen is displayed.
    Add Investigator dialog
  5. Select the investigators to add to the selected incidents.

    You can also select groups in addition to selecting individuals. For more information, see Groups.

  6. In the Role column, select the role assigned to the users that you want them to have as investigators. For example, select Analyst, Administrator, or some other role. The roles must have the appropriate Cloud SOAR role capabilities that you want them to have as investigators of the incidents.
  7. Click Apply.

View investigators assigned to an incident

  1. At the top of the screen, click Incidents.
  2. Select an incident. The investigators appear in the Investigators widget.
    Investigators widget
  3. To add another investigator to the incident, click the + icon in the upper-right of the dialog.
  4. To remove an investigator from the incident, hover your mouse over the investigator name and click the trash can icon that appears to the right.
  5. To change the role an investigator has for the incident, in the Role column select the role assigned to the user that you want them to have as an investigator.

Investigator roles

When you add an investigator to an incident, you select the role assigned to the users that you want them to have as an investigator. The selected role must have the appropriate Cloud SOAR role capabilities that you want the investigator to have to be able to effectively investigate the incident.

For example, an incident contains sensitive data in the notes section. If you want the investigators on the incident to be able to access the notes data, the investigators you assign to the incident must have the Note > Access Cloud SOAR role capability assigned to their role.


To allow users to access incidents without being added as investigators, assign them the Incident > Access all role Cloud SOAR role capability. This privilege is useful for users who need to monitor all incidents.

Working with Incidents

Opening an incident from any section of Cloud SOAR will display the Incident Details page. The Incident Details page is composed of three sections: The Incident VIP Section, on the left side of the screen, the Incident Properties section in the center, and the Incident Widgets section to the right side of the screen.

Incident details page

Incident VIP section

Incident VIP section

The Incident VIP Section displays high-level details about a specific incident. You can also take actions such as add additional investigators or close the incident from this section. To view all available actions, click the vertical ellipsis to the left of the cogwheel. You can change the owner of the incident, change the folder where the incident is housed, export the Incident details via PDF, DOC, or custom report, and clone or permanently delete the incident.

To customize the details displayed in the Incident VIP Section, click the cogwheel at the top-right of the section. A new screen will be presented which will allow for adding and deleting of incident detail fields. To add a new field, you will click on the + sign next to the field to be added. Once all the desired fields are added, they can easily be rearranged in the desired order by dragging and dropping into place. To remove a field, simply click the x next to the field to be removed. Once all the details have been added and are in place, click Apply.

Incident Properties

The Incident Details section contains all the important information that makes up the incident, such as executed Playbooks and incident tasks. This information is divided into four different sections: Overview, Operations, Entities, and Documentation.

Incident Overview


The Incident Overview section contains all the pertinent information for a specific incident such as the severity, SLA counter, and category of alert. This information can be customized in the Custom Fields section of the platform. For more information, see Custom Fields.


The Operations section contains all the investigative information for a specific incident and is broken out into the following sections: War Room, playbook, Tasks, and Notes.

Watch this micro lesson to learn more about security automation with playbooks.

War Room

All the information related to the incident ongoing are visible in one place in the War Room section. You can quickly view and check all the steps of the analysis, done either manually or by the automation, any entities related to the incident, results of actions performed and notes added during the incident's investigation. Information can be filtered out for the different categories, and by pressing the + button, you can add new notes.

War room


Any playbook that has been applied to an incident can be found under the playbook section. You can quickly view and make any necessary adjustments to the incident's Playbooks as well as add any additional Playbooks that may be required during an incident's investigation.

Playbook option menu

The playbook option menu can be found at the bottom of the playbook screen. From here, you can re-execute a playbook, export, edit, or expand the existing playbook. If during an incident's investigation it is determined that the type of incident has changed (i.e. phishing incident turns into a ransomware incident) another type of playbook may be needed to correctly remediate an incident. You can add additional Playbooks to the incident by clicking the + sign at the top of the playbook screen.

Add playbook

This will open a new screen that lists all available Playbooks. Either type in the playbook name to use or manually search through all available options and click Add when finished.

Viewing Playbook Results

The results of a Playbook, either while it is executing or after execution has completed, can be viewed from the playbook section. By clicking the expansion button on the bottom left of the screen will expand the playbook and will display the execution results.

Playbook results

The results of the playbook can also be viewed as a list by clicking the List button next the + at the top of the page. The execution path of the playbook will be shown, along with the status of the execution of each action. The execution history of the playbook will be displayed in a tab on the right-hand side of the screen, which can be minimized.

Action details

To view the details of any individual action, including the results, click on the action node. A new window displaying the action details will be displayed on the left-hand side of the screen. From this view, you can see the status of the action, its configuration, and have the choice to download the JSON results of the action.

Action details

To view the details of the result, click on the magnifying glass and the action's details window will be displayed. The details section displays the results of the action in table view which you can also filter through by using the details search bar at the top of the screen. For more detailed information, you can switch to the action's JSON results screen by clicking the View JSON Results button next to the action's search bar. The JSON results view displays the full results of the executed action. Because some integrations return large data sets, the table view is designed to show only a select set of attributes. To view the complete results of verbose integrations, the JSON tab should be used.

Action result Action result JSON


Cloud SOAR's Tasks section allows incident managers to assign and track tasks which must be completed during an investigation. Tasks may be added from Playbooks or Playbooks, as discussed in previous sections, or manually from the incident's Tasks section.

Adding a Task

To add a new Task, click the + button at the top-left of the Task list screen. Fill in all required fields and add any additional information necessary under the Description section if desired.

The user listed in the Assigned to field will be the user responsible for completing the task.

The field titled Effort should be the number of hours estimated to complete the Task. As the Task is updated by the Assignee, this field should be changed to reflect the actual number of hours that were required to complete the Task. This number will be used to provide Task Assessment information, discussed in more detail in the Documentation section of this manual.

New task
Working with Tasks

Once a task has been created and assigned, it will appear in the Home section of the Main Menu. To view the details of a task click on the task from the My Operations section of the screen, or to view a task by its incident, select one or multiple incidents from the task list on the left-side of the screen.

View tasks

Selecting a task will open the incident where the task was created. This will allow you to review the details of the task and access any automated Playbooks and notes from the incident investigation. Once the incident data has been reviewed investigators can choose to approve, approve and close, or decline a task by clicking the thumbs up, thumbs down or check mark buttons next to the task's title.

Task selected


Like the Tasks section, the Notes section contains all notes either automatically created during a playbook's execution or manually created during the incident's investigation. Both sections offer the ability to export and search for different results depending on the operational need.

Adding a Note

To manually add a note, click the + symbol to the left of the search bar and a new configuration screen will appear. Enter the note into the free form text box and click create when finished.

Add note

Closing Note

Closing incident will result in asking a note for incident closing as below:

Close Incident Closing Note


The Documentation section provides investigators with an area to document all steps taken during an incident's investigation.


The Attachments section is a repository for investigators to use to house attachments related to an incident's investigation. The source of this data can vary but will often be the output of monitoring tools and supporting documents. For each record, users can define:

  • Reference: an identifier for what the record refers to;
  • Date: a timestamp for when the record was uploaded;
  • Application: information about the system or application used to generate the record;
  • Short description: a free-form textual description of the record; and,
  • Parent folder: employed if arranging various records in a tree structure for logical classification.

As with our other documentation tools, attachments can also be added as a timeline event and associated with a knowledge base article.

New Attachment Screen

Create a new incident manually

To create an Incident manually, click the + Incident button on the top right-side of the screen.

Incident Overview Screen

A new configuration box will be displayed that contains fields an investigator can utilize to develop their incident. Not all these fields are mandatory. The ones which are required will have an asterisk (*) marked next to it which indicates the field has a dependency within the Cloud SOAR platform. These required fields can have their dependencies and requirements adjusted in the Custom Fields section.

New Incident Editor

One of the most important fields is the Type field. This field will dictate which Playbooks will be recommended later on in the configuration process. See Custom Fields to modify the variables displayed in the Type field.

New Incident Editor

Once the details page is completed, you will want to assign appropriate Playbooks to be associated with the incident. In addition to adding the playbook to the incident, you can also decide whether they want the playbook to automatically execute upon incident creation by sliding the Autorun button to On.

New Incident Editor

Incident Artifacts

When creating an incident manually, the investigator may already have artifacts that they would like to add to the incident. The Incident Artifact section allows for the manual entry of new artifacts. To add a new artifact click Add Artifact and choose what target field to append the data and add its value. Once completed, click Next.

Add artifact

Parent/Child Relationships

You have the option to create manual Parent/Child relationships between the new incident and any previous incident created in Cloud SOAR. Click the Advanced button at the bottom of the screen to select an existing incident to group together.

Incident Relationships

The final step in manual incident creation is to add an investigator or a group of investigators to the incident. Select an investigator or group from the left side of the screen by double-clicking on their name and the investigator will be added to the investigators pane. Once finished, click Create.

Custom Fields

To access custom fields, click the gear icon Settings menu icon in the top right, select Settings, and in the left select Customization > Fields.

Fields Configuration Settings

The Custom Fields section allows you to customize all fields within the Cloud SOAR platform to better suit your environment. All fields are pre-populated by default and can be revised with environment-specific variables by manually creating or updating the fields or by importing a file which is formatted with entries for each line.

To begin defining Cloud SOAR's custom fields, select a Cloud SOAR section from the list on the left-side of the screen to view all available fields. To edit an existing field, select the Edit icon icon next to the field to be updated, or to add a new field select +ADD at the bottom right-side of the screen. A new configuration box will be displayed.

The only attribute of an existing field which cannot be modified once the field is created is the field Type, such as Text or Date. You can rename internal values but only personal values, which are denoted by having a trash can symbol next to the entry, can be deleted from the section's custom fields.

Each section of Cloud SOAR supports different numbers of custom fields. The Incidents section, for example, supports up to 100 custom fields. The number of custom fields remaining will be displayed next to the section name at the top of the page.

Custom fields added by a user can be renamed or deleted. However, default fields can only be renamed, they cannot be deleted. Although a custom field may be deleted, it will not increase the number of custom fields available. Since the deleted field may contain data that was entered prior to the deletion of the field, the custom field remains reserved.

For each field, a name and a type will always be required. A complete list of field types is listed below. Additional fields will be required or optional depending on the type selected. For example, a text field allows an optional default value to be specified, while a list field provides many additional options.

The Visualization tab allows you to disable the field, specify if the field is used within Incident notifications, and set conditions under which the field is visible. For example, a field can be made visible only if the incident is of a certain type.

The Additional Info tab allows you to provide additional information or context to the field, such as how the field should be used or where the data can be located.

Fields may be reorder in the Custom Fields section to change the order in which they appear on the Cloud SOAR screen. To change the order of the fields, click and hold on the six dots to the far left of the field name, then drag the field to its desired location.

Custom Field Types

Field TypeDescription
CalculationPerform a calculation between two fields or between a field and a static value.
Color PickerInteractive color picker to select a color.
DateDate only picker.
Date & TimeDate and time picker.
Email AddressEmail address available to use in actions which require a email input.
FilenameFilename available to use in actions which require a filename input.
HashHash value available to use in actions which require a hash input.
IP AddressIP address available to use in actions which require a IP address input.
ListDropdown list.
Multi Select ListMultiselect list box.
Numeric TextboxAccepting numeric values only.
TagsOne or more user defined tags.
TextFree text.
Time IntervalNumeric time interval which can be used as a value in another calculated field.
TimezoneTimezone list dropdown.
URLURL available to use in actions which require a URL input.
User DetailsUser details, such as a user name. Available to use in actions which require a user details input.

Using Custom Fields for SLAs

Custom fields can be used to calculate any number of custom service level agreements (SLAs). This can be achieved using combinations of Date, Date & Time and Time Interval fields.

In the following example, five custom fields have been added to provide information on the status of an organizations Notification SLA. Two of the custom fields require user input:

SLA User Input
  • Notification SLA Requirement will be used to store the SLA time interval, such as 5 minutes.
  • Customer Notified will allow you to enter the date & time the customer was notified.

The remaining three custom fields require no user input and are calculation fields only:

SLA Calculated Fields
  • Notification Due By will calculate and display the date & time the notification must be conducted by adding the Notification SLA Requirement field to the Start Time.
  • Notification Time Remaining will calculate and display time remaining before the notification must be conducted by subtracting the Current Time from the Notification Due By field.
  • Actual Notification Time will calculate and display actual time taken to notify the customer by subtracting the Start Time from the Customer Notified Time.

These Custom Field settings will appear in the Cloud SOAR Incident screen as follows:

SLA View

Credential Manager - CyberArk Configuration

You can use CyberArk Credential Manager to manage data that will be used in integration resources.


Using the cogwheel icon on the right in the integrations section, the main section of the CyberArk configuration opens.

CyberArk configuration

Here you can set URL and port of the Components server, and the credentials needed to connect to CyberArk. The Enable checkbox can be enabled or disabled later.

If enabled, when you go to open the detail of a integration resource you'll find a new checkbox (Use CyberArk fields) at the top already active. If the checkbox on above window is disabled, the checkbox in the resource window will be disabled by default, and it will not be possible to activate it.

Enable CyberArk fields

If the checkbox Use CyberArk fields is enabled, two new mandatory fields will appear:

  • Account Name > userName in CyberArk
  • Platform ID > platformId in CyberArk

Near to the fields there will be the relative toggle that will enable the related field for use on CyberArk.

CyberArk fields enabled

In the image above, you can see two custom fields of the resource with their toggles. The first field has been enabled to use CyberArk, while the second not.

Within the CyberArk fields you need to enter the name of the Properties present in the corresponding Platform ID on CyberArk.

Case sensitive

Pay attention to uppercase and lowercase letters.

Property names

Through the name of the Properties, (in the above case MB3) during the execution of the resource, it will be replaced with the value present on CyberArk for that resource, in our case 84ca4444-9082-40b7-.

In the fields enabled for CyberArk, in addition to the account properties, you can also recall the value of the CyberArk Account password, to do this, write the word Password in the field.


If the checkbox for CyberArk is enabled for a resource field, the data type allowed for that field will be string only, even if the same field was configured to accept lists, checkboxes, numbers, and more.

The only property that will be retained is the mandatory nature of the field.

Values entered in the field not enabled for CyberArk, if previously entered and saved, will be retained if the field becomes enabled for CyberArk. The same is not true otherwise.

If the CyberArk switch is enabled and one switch on the field line is disabled, that CyberArk field value will be saved empty.

CyberArk fields

Configuring the automation bridge for CyberArk

If you are using CyberArk, you will need to add the following certificates given by CyberArk:


to the /opt/automation-bridge/ directory.

The names must be exactly the same.


The Cloud SOAR Triage module ingests events via the Cloud SOAR API. You can use it to triage events which may be unverified or have a low confidence level before they are converted to incidents. The Triage module can be completely customized for use cases from financial fraud to network IDS alerts.

Display Settings

Triage display preferences can be customized. Triage events can be color coded based on status to easily distinguish them from each other when viewing the list of Triage events.

The name of the module can also be modified from Triage to a name of your choosing. The new name will be displayed in all areas of Cloud SOAR, including the menu and logs.

Triage section

Field Settings

By default, the Triage module contains two fields, Status and Type. Additional values may be added to the Status field; however, the Type field is directly linked to the Incident Type field and cannot be modified directly. New types must be added from the Incidents section of the Custom Fields page. Up to 100 custom fields and be created for the Triage module, allowing customization for any use case.

To add additional fields:

  1. Click the gear icon Settings menu icon in the top right, select Settings, and in the left select Customization > Fields.
  2. Select Triage Events (or the name of the module if you have renamed it from the default of Triage).
  3. To add a new field, click Add from the upper right-hand corner and configure the field as desired. Note that to be able to filter events in the Triage module based on the values of a field, Use as filter must be checked in the Visualization tab when adding or modifying a field.

As fields are created, they will be assigned a number starting at 1, which will be used to identify the field when adding events via the API. The first field added will be identified as opt_1, the second as opt_2, and so on. Regardless of the ordering of the fields on the screen, these numbers will remain the same. If a field is deleted, the number will not be reused. For example, if you have defined opt_1 through opt_8 and delete the field opt_8, the next field added will still become opt_9. It is important to remember these field numbers, as they will be used when the API is invoked.

Attributes sent from Cloud SIEM

You can ingest Cloud SIEM Insights into Cloud SOAR for incident triage using the GetInsight Cloud SOAR API. The following Insight attributes are returned.

When you create an incident from an Insight, you can map the Insight attributes to fields in Cloud SOAR as follows:

Attribute in Cloud SIEMField in Cloud SOAR
assigneeInsight Assignee (custom field)
createdStart time
descriptionAdditional Info
entity.valuePrimary Entity (custom field)
entity.typeEntity Type (custom field)
idInsight ID (custom field)
involvedEntities[].valueInvolved Entities (custom field)
readableIdIncident ID

When creating incidents from Insights, adding additional required attributes to the incident template will result in an error. Only those attributes sent over with Insights can be used as required attributes on the template.

Working with Events

The Triage module is accessible from the Incidents section by clicking on Triage (or the name of the module if you have renamed it from the default of Triage). All events which have not been converted to an Incident will be displayed in a sortable table on the Triage main screen. Events may be sorted by any column values by clicking on the appropriate column.


The list of events can be filtered by any of the fields listed in the filter section at the top of the Triage main screen.

Filter events

To view the details of a Triage event, click on the box and arrow icon in the Actions column for the event. If additional information is available, it will be displayed in this Event Details screen.

To begin triaging an event, click on the person icon in the Actions column for the event to grab the event. Once an event is grabbed by an analyst, any Playbooks defined for that incident type will be automatically executed and the results will be displayed in the Results section of the Event Details screen. Because all Playbooks for the specified incident type are automatically executed as soon as the incident is grabbed, it is recommended that separate incident types and Playbooks be created for Triage events.

After triaging the event, the event may be reassigned to another user for further analysis, discarded or converted to an incident. To reassign the event to another user, click on the circular arrow icon in the Actions column for the event. To discard the event, click on the trash can icon in the Actions column for the event.

Discard events

To convert the event to an incident, click Convert to Incident in the far right-hand corner of the Event in question. Select the appropriate incident template, owner and label, then click Save. The event, including all enrichment information gathered from any Playbooks, will be automatically converted to an incident.

Convert to incident


With the Report option, you can create incident reports to share with others as well as widgets to use in the report that display text, graphs, tables, and charts containing details about incidents and other aspects of Cloud SOAR.

  1. Click the gear icon Settings menu icon in the top right and select Report.
    The Report UI appears.
    Reports user interface
  2. Click the + icon in the upper left corner.
  3. On the right side, select widgets to add to the report from My Widgets or Public. These are the same widgets that are available to use in dashboards. Widgets can be graphs, charts, tables, or any kind of visual element that contains information. Click New to create a new widget. Click Show List to see all available widgets.
  4. Rearrange the widgets in the report as needed.
    Widgets in a report
  5. Click Save. In the dialog:
    1. Provide a Report name and a Description.
    2. Click Schedule to schedule the report to run on a regular basis.
    3. Scroll to the bottom of the dialog and click Public if you want to make the report available to others.
    4. Click Save.
      Save a report
  6. Click Export to export the report to PDF.
  7. Click Open to open available reports.


Watch the following micro lesson to learn about dashboards and KPI reports.

The Cloud SOAR Dashboard layout renders data for quick comprehension using a combination of graphics (e.g., charts, tables, graphs, and visual indicators) called Widgets. The data is helpful to security analysts tasked with incident handling and operational activities and provides supervisors and stakeholders a summary overview from which to derive strategic information.


Cloud SOAR's dashboards section is used to highlight the most important pieces of data to the user or investigator who is logged into the platform. This data is presented through the use of multiple widgets that you can add, remove, and customize to include all data relevant to your job functions and duties.

Cloud Soar Dashboard

To begin customizing the dashboard select the Customize button on the top of the screen. Once selected, a new configuration box will be displayed.

Dashboard Widget Editor Dashboard Widget Configurator

The widgets section on the left-side of the screen displays how the dashboard is structured. To begin adding widgets to the dashboard, click + on the desired section.

A new popup will be displayed with a list of all widget choices for the selected section. To add a new widget, click +.

Once a widget is added to a section, they will be displayed on the right-side of the screen. To configure, click the cogwheel next to the widget to be customized. A new configuration screen will be displayed. These configuration screens will vary depending on the information it utilizes. Users have the option to add or remove filters and values, rename the section, as well as choose what data they would like to have displayed.

To change how the widgets appear in a section, you can drag and drop into the desired positions by clicking and holding the left-side of selection and dragging to a new location. Users can utilize Cloud SOAR's Carousel feature to cycle through different Dashboard displays on a SOC board to ensure constant visibility within the Cloud SOAR platform. Once the desired widgets have been added and configured, click save to commit.

Cloud Soar Dashboard Carousel

Most widgets inside of the Cloud SOAR dashboard are drillable. To drill down into a specific statistic, click on either an Incident ID or a section of a pie chart to limit the information shown to the areas of concern.


Make sure to allow popups from the Cloud SOAR site to drill into dashboard statistics.

Dashboard Pie Chart

You can also export Dashboards to an Excel spreadsheet or PDF document to include in reporting. To export a dashboard, select Export from the top of the dashboard screen and select which format to use. A new window will open with the requested document, which can either be saved to your machine or printed.

Dashboard Menu

Create a dashboard

You can create dashboards in Cloud SOAR similar to dashboards in the core Sumo Logic platform. You can also create widgets to use in the dashboards that display text, graphs, and charts containing details about incidents and other aspects of Cloud SOAR.

  1. Go to the home screen.
  2. Select Dashboard in the upper-left corner of the UI.
    Access dashboards
  3. Click the + icon in the upper-right corner of the UI and select New Dashboard.
    Add dashboard button
    A blank dashboard appears.
    Empty dashboard
  4. Click on the name of the blank dashboard (such as Dashboard 1 in the example), and give the dashboard a name. Click No description available and type a description.
  5. Click the Edit button.
    Empty dashboard
    The widgets panel displays to the right of the dashboard.
    Widgets panel on the dashboard
  6. Under My Widgets or Public, select widgets you'd like to add to the dashboard. These are the same widgets that are available to use in reports. Widgets can be graphs, charts, tables, or any kind of visual element that contains information. Click New to create a new widget. Click Show List to see all available widgets.
  7. Rearrange the widgets in the dashboard as desired.
  8. (Optional) Click Public at the top of the dashboard panel if you want to make the dashboard available for others to use.
  9. (Optional) Click Export to to the upper-right of the dashboard panel to export the dashboard to PDF.

Create widgets

You can create widgets as needed to help analysts and administrators quickly get the information they need. Widgets are reusable pieces that display information in different forms, such as text, pie chart, bar chart, graph, or table.

  1. Open the widgets panel:
    1. Go to the home screen.
    2. Select Dashboard in the upper-left corner of the UI.
      Access dashboards
    3. Select a dashboard.
    4. Click the Edit button.
      Empty dashboard

    Widgets are shared between Dashboards and Reports.

  2. The widgets panel displays to the right of the screen.
    Widgets panel
  3. Click New.
    The dialog to create new widgets displays.
    Create a widget
  4. In Name, provide a name that clearly explains the widget's purpose.
  5. In Group by, select whether you want incidents listed in the widget to be grouped by Status, Incident ID, or Start time.
  6. On the left, select the type of widget to create (pie chart, bar chart, graph, table, or text).
  7. At the top, query for elements to view in the widget, such as incidents, notes, tasks, and attachments.
  8. Click Public if you want to make the widget available for others to use.
  9. Click Save when done.


The Entities tab provides access to data from across all incidents, as well as other information which can be stored within Cloud SOAR.
Entity Section

Observables from every incident can be found in this section, along with any enrichment data associated with these data types and the incidents they were reported in. You'll find all variables including artifacts related to an incident. Clicking on an entity in the entity list will display the results of any previous actions taken on the entity, or where in the incident the entity was extracted.

Entity Details

A timeline of actions taken on the entity can be displayed on the far right-hand corner of the screen by clicking on the stopwatch symbol. Hover over the date tabs to expand the timeline and see additional information about the actions taken on each date.

Latest actions

While any observable is selected, a menu bar will be available in the top right-hand corner of the screen which allows users to perform certain actions on the observable.

Observables Menu Bar
  • Lock: Lock the observable to prevent any actions from being taken on it. This may be useful if you want to ensure that no enrichment actions are taken on attacker-controlled infrastructure or that an observable is not accidentally blocked.
  • Delete: Delete the observable.
  • Mark as Favorite: Mark the observable as a favorite and move it to the top of the observables list.

Adding a New Entity

To add a new entity, click the + sign at the top of the screen and a new configuration box will be displayed. Select an entity type from the dropdown menu and an additional configuration box will be displayed. This configuration box allows the user to input information about the entity, such as adding a file or its file hash. Once the entity is created, click Create to continue.

Adding a new Entity
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.