Manage Organizations for MSSPs
This article describes how to manage organizations for Managed Security Service Providers (MSSPs). MSSP administrators must ensure that the content of their child organizations is properly configured. MSSPs often consist of a parent organization with child organizations that use Cloud SIEM.
Prerequisites
Roles
You must have the following organization role capabilities to create and manage organizations as an MSSP administrator:
- Organizations
  - View Organizations
  - Create Organizations
  - Manage Organizations
Update content in child organizations
To ensure that content is consistent across child organizations, use the Content Management tab.
You can update the following:
- Cloud SIEM rules
- Cloud SIEM rule tuning expressions
To update content:
- Classic UI. In the main Sumo Logic menu, select Administration > Organizations.
  New UI. In the main Sumo Logic menu, select Organizations. You can also click the Go To... menu at the top of the screen and select Organizations.
- Select the Content Management tab.
- In the Source field, select the organization that will provide the source data to be updated in other organizations.
- In the Content bar, select the content to be updated:
  - Cloud SIEM Rules
  - Rule Tuning Expressions
- Select individual items to be updated, or all items.
- Click Update Selected Items.
- On the Update Selected Items box, click Destinations to select the organizations to update the selected items to. You can update to all organizations, a single child organization, or multiple child organizations.
  Tips:
  - If you select All Child Organizations, you can then select organizations to exclude, allowing you to update to all organizations except those you select.
  - When you update rule tuning expressions, select Include Associated Cloud SIEM Rules to also update all the Cloud SIEM rules that the expressions are used on.
- Click Update. An Updating in progress dialog is displayed.
View history
- Click View History in the upper-right corner of the page.
  A query for update history displays.
- Click the search button.
  The update history displays. The email of the individual who performed the update appears in the user_email column, and the updated items appear in the content column.
- Investigate any updates that failed and re-run the update if needed.
FAQs
What to expect when updating Cloud SIEM rules
- Are rule tuning expressions included?
  No, they are not included, but can be updated separately.
- What happens when a rule with the same name already exists?
  It will be replaced in the child organization.
- What if errors occur during updating?
  Affected items will be skipped. Once the rest of the content is updated, you can review errors in log search and retry.
What to expect when updating Cloud SIEM rule tuning expressions
- What happens if a tuning expression with the same name already exists?
  It will be replaced in the child organization.
- What if errors occur during updating?
  Affected items will be skipped. Once the rest of the content is updated, you can review errors in log search and retry.
- What happens if the source tuning expression contains Cloud SIEM rules?
  If the Include Linked Cloud SIEM Rules option is selected, existing rules with the same name in the destination organization will be linked to match the source tuning expression.
- What if no matching Cloud SIEM rules are found in the destination organization?
  The update will complete with a warning, and missing rules will be logged in the audit log. You can update those rules separately and re-run the tuning expression update.
Multi-insights list page in Cloud SIEM
If you are logged in to a parent organization with child organizations that also use Cloud SIEM, the insights list page in Cloud SIEM allows you to view insights in child organizations.