Skip to main content

Cloud SOAR Overview

Cloud SOAR fully automates triage, investigation, and remediation of threats for any security professional. The open integrations framework allows you to connect to a multitude of third-party applications. The platform provides full incident response lifecycle management with machine learning and threat hunting, accelerating mean time to respond (MTTR).

Cloud SOAR user interface

Access Cloud SOAR

To access Cloud SOAR, click Cloud SOAR in the Sumo Logic navigation menu.

Cloud SOAR must be enabled by Sumo Logic before it is accessible to users in your organization. If you would like to use Cloud SOAR in your organization, contact your Sumo Logic account representative.


You can view the user interface in a dark theme or a light theme:

  1. Click your user name in the main Sumo Logic navigation menu and select Preferences.
  2. Scroll down to Theme and select Dark theme or Light theme.

For more information, see Setting Account Preferences and Credentials.

Cloud SOAR menus

Top menu

This menu appears at the top of the Cloud SOAR screen:
Top menu bar

Use the top menu to access:

  • Incidents. Manage security incidents that require investigation and action.
  • Entities. Manage entities identified across incidents.
  • Support menu icon Support. Access help, including documentation and support contact information.
  • Settings menu icon Settings. Configure Cloud SOAR settings.

Settings menu

The Settings menu allows you to configure Cloud SOAR settings. To access the menu, click Settings menu icon on the top menu.
Settings menu

Use the Settings menu to access:

  • Automation. Configure Cloud SOAR's automation and orchestration features.
  • Settings. Configure Cloud SOAR settings.
  • Report. Configure reports.

Why Cloud SOAR?

Cloud SOAR is a modern security operations technology platform that empowers MSSPs, SOCs, and security teams by providing collaborative and automated real-time incident management and threat response. Make quick and insightful decisions during security response with workflow automation.

  • All-in-one platform for minimizing the response time
    • Integrates disparate technologies focusing analysts on real threats.
    • Makes the most of automation, orchestrating several tools in Standard Operating Procedures (SOPs).
    • Measures success and improves communication.
  • Better collaboration
    Cloud SOAR’s native orchestration capabilities boost the collaboration within the SOC team, ensuring efficient synergy during each phase of incident response. Automation of the full incident lifecycle eases the burden on security analysts, while helping to successfully pinpoint real threats and coordinate an effective response across tools and team members.
  • Customizable reports
    Quickly assemble highly customizable reports and dashboards to easily navigate and assess your security intelligence portfolio. Use relevant templates to capture workflow processes, job functions, and response timeframes, including critical indicators of compromise (IOC) and corrective actions taken. Use reports to create greater visibility for KPIs and make collective improvements across the SOC team.
  • Speed incident response
    Cloud SOAR improves incident response time with flexible workflow automation across tools and teams. Machine learning distinguishes real threats from false positives to reduce alert fatigue.
  • Connect disparate tools
    Cloud SOAR acts as the connective tissue between your existing tools to automate processes across the SOC and derive relevant insights throughout your security portfolio.
  • Close the skill gap
    Automated workflow processes help analysts function at an optimal level and reduce the skills gap that exists from the lack of qualified cybersecurity professionals.
  • Comprehensive security portfolio
    Cloud SOAR comprises both the Automation Service, which allows Sumo Logic to leverage the power of automated playbooks, and the full Cloud SOAR. Cloud SOAR combines automation with case management, among many other capabilities aimed at helping your organization modernize security operations.

Cloud SOAR highlights

Cloud SOAR helps secure operations and automate incident response through integrations with leading third-party threat intelligence vendors. Following are some of the highlights.


Cloud SOAR provides automated investigation of indicators of compromise (IoCs) for cyber and non-cyber use cases. For more information, see Triage.

Advanced triage

War Room

The War Room provides a complete, chronological, and detailed picture of a specific incident process. It also enables security analysts to work simultaneously on incidents with granular role-based access control (RBAC) for general and incident profiles. For more information, see War Room.

Case Management


Playbooks orchestrate your security operation center (SOC) team’s security stack and automate time-consuming tasks to improve your standard operating procedures (SOPs) and minimize response time. For more information, see Playbooks.

Automated SOPs

Dashboards and reports

Gain complete insight into incident response performance with customizable dashboards and reports. Keep track of your most important KPIs with real-time data on each phase of the incident response life cycle. For more information, see Dashboards.

KPI dashboards

Open Integration Framework (OIF)

Choose from hundreds of out-of-the-box actions and playbooks or ask the Sumo Logic team to develop the connectors you need. Anyone can access the API code to quickly integrate tools without any coding experience required. For more information, see Integrations.


Incident generation process

Incidents are at the heart of Cloud SOAR. Incidents are events that require investigation and remediation. Cloud SOAR generates incidents with an automated process:

  1. An alert is received by Cloud SOAR via an integration.
  2. Automation rules process the alert. Behind the scenes, parsing rules break out the data into artifacts to be used as arguments in playbooks, such as IP addresses, usernames, host names, and so on.
  3. The data is fed into an incident template.
  4. Playbooks run against the data.
  5. Cloud SOAR generates an incident.
Cloud SOAR automation flow


The following sections detail the various setup and configuration options for the Cloud SOAR platform. Although initial configuration can be performed in any order, the following sections are ordered in the suggested order for initial configuration.

General settings

To access General settings, click the gear icon Settings menu icon in the top right and select Settings.

The following sections describe available settings.


  • Display Notification __ Number of seconds
  • Display Session Timeout __ The Session timeout in minutes will be applied to the next user login.
General Settings

International Settings

International Settings

Language Settings

French language is now enabled in Cloud SOAR. It can be enabled under user profile section.

Language Settings

Instant Messaging

Instant Messaging integration can be enabled from here.

Instant Messaging dialog

The same integration has to be updated under the user profile configuration.

User profile dialog


There are several Incident settings that you should consider when configuring Cloud SOAR.

Cloud SOAR's Automatic Observables Harvesting feature examines free text areas of Cloud SOAR to gather observables, such as IP addresses, domains and email addresses. When enabled, Cloud SOAR will automatically harvest these observables and add them to the appropriate observables section within the incident. Checking the boxes under Automatically extract Observables elements from will cause Cloud SOAR to perform Automatic Observables Harvesting on the checked sections.

Under the Incident settings, it is also possible to make a final incident note mandatory before the incident can be closed. This can be used to enforce the policy of recording the final disposition of an incident before it is closed.

Incident Settings Incident General Settings
Incidents Documentation

For more information, refer to Incidents and Triage.

Incident Process Phases

Cloud SOAR allows managers to monitor the progress of incident phases as the incident progresses. These phases and their properties can be configured by administrators in the General settings page.

Incident Phases

In addition to the phase name, administrators can determine whether the phase is mandatory and the status of the incident when the new phase is reached. Administrators may also disable phase management at the top of the Incident Process Phase section or choose not to show the phase management section in the Incident Details screen.

Incident Process Phase Settings

Queue Settings

One or more queues may be configured which can be used to assign incidents to until they are ready to be assigned to users. Queues can be managed at the bottom of the General settings page.

New Queue dialog

Click the + button in the upper right-hand corner of the queue settings to add a new queue. There are no restrictions on the number, or the scheme used to create queues. Common schemes are to create one general queue, a queue for each analyst tier, or a queue by job function.

Queue Settings dialog

Internet Connection Settings

Internet Connection Settings

User Management


You can create a group of users and assign a role to all the users in the group. This makes it easy to assign a specialized role to multiple users at once rather than adding the users individually to the role.

For example, say there is a group of users with different roles responsible for customer support. Access to a specific incident with restricted privileges needs to be granted to all investigators of the incident. You can create a role with just the needed Cloud SOAR role capabilities and select it as the role (also known as a profile) for members of the group. Then when you add investigators for the incident, you can select the group rather than individual users.

Create a group
  1. Click the gear icon Settings menu icon in the top right and select Automation.
  2. On the left navigation bar, select User Management > Groups. The Groups dialog is displayed.
    Groups dialog
  3. Click the + icon next to Groups. The Add Groups dialog is displayed.
    Add Group dialog
  4. In Name enter a name for the group.
  5. In Profile select the role to use for members of the group. These are roles already created in the system. To see role capabilities assigned to these roles, in the Sumo Logic Log Analytics Platform select Administration > Users and Roles and click the Roles tab. For more information about roles, see Create and Manage Roles.
  6. Click Create. The empty group is displayed.
    Example group
  7. Click the + icon next to Members.
  8. Select the users to add to the group.
  9. Click Apply.
Group role assignments

The role specified in an assigned group profile supersedes the user's role assignments in the Sumo Logic Log Analytics Platform. The group permissions are persistent until the user leaves the group, the profile is removed from the group, or the group is deleted.

In a groupHas the assigned group role (profile)
In multiple groupsHas the sum of the roles (profiles) from all the groups it is a member of
Not in a groupHas role assignments as assigned in the core platform
In group without a role (profile)Has role assignments as assigned in the core platform


Cloud SOAR allows administrators to configure notifications to Cloud SOAR users as well as other external users. These notifications can be sent via Cloud SOAR's internal messaging platform, as well as email and SMS. Watcher Groups can also be created, which allows Cloud SOAR to send notifications to those who are not necessarily assigned to an incident when certain conditions are met, such as notifying managers when a high severity incident is created.

The Notifications selection enables you to configure outbound email (SMTP) settings, and set up text messaging for incident notifications. Notifications can be configured by clicking on Notifications from the Settings menu.

Email Server Configuration

Under the Email Server Configuration tab, users configure outbound mail and confirm privacy settings to fit their organization's needs. Once these options are set, Administrators can configure which types of events should trigger notifications to which users and by what means.

Email Configuration Settings

Mail Notification Queue

The Mail Notification Queue shows the status of all email notifications sent by Cloud SOAR.

Mail Notification Queue

By navigating to the Mail Notification Queue, you can view any delivery failures, the details of the original notification, as well as have the options to resend or delete the notification.


Under the Customization dropdown, you will find an arsenal of tools at their disposal. These tools will assist in the creation of reports, custom fields, and incident elements, just to name a few. The full list of features is listed below.

Incident Reports

Report Templates allow you to build their own reports by selecting various components of an incident they wish to include in the report.

Custom Fields

Custom Fields allows administrators to edit existing fields as well as add new fields for almost every section of Cloud SOAR. All Cloud SOAR sections which permit custom fields are displayed on the left-hand side of the page. Clicking on any one of these sections will display all current fields for that section on the right-hand side of the page. Any existing field may be edited, to include changing the name or adding list values. The only attribute which cannot be changed is the type of the field, such as text or date. New fields may also be added from this page.

The Logo section allows administrators to customize both their Cloud SOAR user interface and reports with the logo of their company or the logo of their clients. This can be done by simply uploading their image in the specified .PNG file format size.

Logo Settings

Incident Label

The Incident labels section allows an administrator to define labels for the different types of incidents that will be investigated. These labels can also be created during the automation rule and incident template creation process which will be explained in later sections.


Cloud SOAR's Triage module ingests events via the Cloud SOAR API and can be used to triage events which may be unverified or have a low confidence level before they are converted to incidents. The Triage module can be completely customized for use cases from financial fraud to network IDS alerts.

Data retention

This section lists the retention period for each type of data generated.

Default retention periods by data type

Sumo Logic automatically deletes the following customer data according to the table retention period below, except for customers required to ensure HIPAA compliance (see second table).

Data typeRetention period
Incidents2 years
Triage2 years
Entities2 years
Playbook and action executions2 years

For HIPAA-compliant customers, we delete data following the retention periods below.


If you need to follow HIPAA compliance, it is important to explicitly communicate this when requesting Cloud SOAR activation.

Data typeRetention period
Incidents7 years
Triage7 years
Entities7 years
Playbook and action executions7 years

Custom retention periods

You can request retention period times different from those declared in the tables above, as long as the retention period requested is greater than 1 day yet less than 5000 days.

In order to do that, please open a Support ticket with your request.

Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.