SumoLogic · jpipkin1 · Dec 10, 2024 · Nov 12, 2024 · Nov 13, 2024 · Nov 13, 2024
@@ -73,10 +73,10 @@ The notification sent by a Rule Action contains the name of the rule and the re
 ## Create an Action
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Actions**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Actions**. You can also click the **Go To...** menu at the top of the screen and select **Actions**. 
-1. On the **Actions** page, click **Create**.
-1. The **Create Action** popup appears. <br/><img src={useBaseUrl('img/cse/create-action-empty.png')} alt="Create Action dialog" style={{border: '1px solid gray'}} width="500" />
+1. On the **Actions** tab, click **+ Add Action**.
+1. The **Add Action** popup appears. <br/><img src={useBaseUrl('img/cse/create-action-empty.png')} alt="Create Action dialog" style={{border: '1px solid gray'}} width="400" />
 1. **Name**. Enter a name that communicates what the Action does.
-1. **Type**. Choose one of the following options, and follow the instructions for that Action type to complete creating your Action.
+1. **Action Type**. Choose one of the following options, and follow the instructions for that Action type to complete creating your Action.
     * [AWS Simple Notification Service](#aws-simple-notification-service-sns)
     * [Demisto](#demistocortex-xsoar)
     * [Email](#email)

@@ -32,7 +32,7 @@ The Context Actions menu will be available for any of these types, wherever they
 
 ## How a user accesses Context Actions
 
-A user runs a Context Action by clicking the Context Action icon next to an Entity, Record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
+A user runs a Context Action by clicking the Context Action icon <img src={useBaseUrl('img/cse/context-action-icon.png')} alt="Context action icon" style={{border: '1px solid gray'}} width="20"/> next to an Entity, Record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
 
 In the screenshot below, Context Actions are listed below the built-in **Add to Match List** and **Add to Suppressed List** options.
 
@@ -58,17 +58,18 @@ import Iframe from 'react-iframe';
 ## Configure a Context Action
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Context Actions**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Context Actions**. You can also click the **Go To...** menu at the top of the screen and select **Context Actions**.  
-1. On the **Context Actions** page click **Create**.
-1. Create the context action.  <br/><img src={useBaseUrl('img/cse/configured-action.png')} alt="Configure action" style={{border: '1px solid gray'}} width="500"/>
-    1. **Enter Context Action Name**. Enter a name for the Context Action. 
-    1. Choose whether you want to open a **URL** to an external service or
-        a **Sumo Logic Query**. 
-    1. Enter the URL or log query that the context action will issue.
+1. On the **Context Actions** tab click **+ Add Context Action**.
+1. Create the context action.  <br/><img src={useBaseUrl('img/cse/configured-action.png')} alt="Configure action" style={{border: '1px solid gray'}} width="400"/>
+    1. **Name**. Enter a name for the Context Action. 
+    1. **Action Type**. Choose whether you want to open a **Sumo Logic Query** or a **URL** to an external service. 
+    1. **Query**. Enter the URL or log query that the context action will issue.
         For instructions, see:
         * [Create a Sumo Logic search URL](#create-a-sumo-logic-search-url)
         * [Create a URL to external service](#create-an-url-to-an-external-service)
     1. If you chose **Sumo Logic Query** above, the **Timestamp offset** option appears, which set the query time range. The offset can be either -30m or +30m, and it will be applied to the timestamp in the target Record’s [timestamp](/docs/cse/schema/schema-attributes) field.
-    1. Choose the IOC data types to which the context action will apply. You can select one or more of the following data types listed below. Your context action will be available for any occurrences of the IOCs you select.
+    1. **Entity Types**. Select the Entity types that the context action will apply to.
+    1. **Record Properties**. Select the Record properties that the context action will apply to.
+    1. **IOC Data Types**. Choose the IOC data types to which the context action will apply. You can select one or more of the following data types listed below. Your context action will be available for any occurrences of the IOCs you select.
         * **Domain**
         * **Entity Types**
         * **Hash**

@@ -23,13 +23,14 @@ You can define custom *sub-resolutions* for any of the built-in resolutions. Thi
 ## Create a custom sub-resolution
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Resolutions**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Resolutions**. You can also click the **Go To...** menu at the top of the screen and select **Insight Resolutions**.  
-1. On the **Insight Resolutions** page, click **Create**. 
-1. The **Create Insight Resolution** page appears.
+1. On the **Insight Resolutions** tab, click **+ Add Resolution**. 
+1. The **Add Insight Resolution** popup appears.
     1. **Name**. Enter a meaningful name for the new resolution.
     1. **Parent Resolution**. Display the dropdown list and select a built-in resolution.
     1. **Description**. (Optional) Enter a description that will help other users understand when to use the new resolution.
-    1. Click **Create**. <br/><img src={useBaseUrl('img/cse/create-insight-resolution.png')} alt="Create Insight resolution dialog" style={{border: '1px solid gray'}} width="400"/>
-    1. The new resolution appears on the **Insight Resolutions** page, indented below the parent resolution. 
+    1. Click **Save**. <br/><img src={useBaseUrl('img/cse/create-insight-resolution.png')} alt="Create Insight resolution dialog" style={{border: '1px solid gray'}} width="400"/>
+
+The new resolution appears on the **Insight Resolutions** tab, indented below the parent resolution. 
 
 ## Close an Insight using a custom resolution
 

@@ -14,7 +14,7 @@ This page has information about creating and managing custom Insight statuses.
 To view Insight statuses:
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**. 
-1. This screenshot of the **Statuses** page shows the three Insight statuses that are preconfigured:
+1. This screenshot of the **Insight Statuses** tab shows the three Insight statuses that are preconfigured:
     * **New**. Insights that have not been worked on yet.
     * **In Progress**. Insights that are being investigated. If you want to create custom statuses to represent different types of "in progress" states, you can click the **Enabled** toggle to disable the default **In Progress** status to reduce confusion.
     * **Closed**. Insights whose investigations are complete.  <br/><img src={useBaseUrl('img/cse/workflow-page.png')} alt="Statuses page" style={{border: '1px solid gray'}} width="700"/>
@@ -26,28 +26,28 @@ Preconfigured Insight statuses cannot be edited or deleted. You can however crea
 To create a custom Insight status:
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui).  In the top menu select **Configuration**, and then under **Workflow** select **Statuses**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**. 
-1. On the **Statuses** page, click **Create Status**.
-1. On the **New Status** popup, enter a name and description for the status. 
+1. On the **Insight Statuses** tab, click **+ Add Status**.
+1. On the **Add Insight Status** popup, enter a name and description for the status. 
 1. Click **Color** to select a color for the status. The color will appear on the status on the [Heads Up Display](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display).
 
 ## Change the order of Insight statuses
 
-You can change the status of an Insight on the **Details** pane of the page for the Insight. Note that the items in the **Status** dropdown appear in the same order as they do on the **Statuses** page.
+You can change the status of an Insight on the **Details** pane of the page for the Insight. Note that the items in the **Status** dropdown appear in the same order as they do on the **Insight Statuses** tab.
 
 <img src={useBaseUrl('img/cse/status-dropdown.png')} alt="Status dropdown" style={{border: '1px solid gray'}} width="300"/>
 
-To change the order that the statuses appear in the **Status** dropdown, you can reorder them on the **Statuses** page, except for **New** and **Closed**. **New** must always be the first status, and **Closed** must always be the last.
+To change the order that the statuses appear in the **Status** dropdown, you can reorder them on the **Insight Statuses** tab, except for **New** and **Closed**. **New** must always be the first status, and **Closed** must always be the last.
 
 To change the order of Insight statuses:
 
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.  
-1. On the **Statuses** page, each status that can be moved has a handle to the left of its name.  <br/><img src={useBaseUrl('img/cse/reorder-icons.png')} alt="Reorder icons" style={{border: '1px solid gray'}} width="200"/>
+1. On the **Insight Statuses** tab, each status that can be moved has a handle to the left of its name.  <br/><img src={useBaseUrl('img/cse/reorder-icons.png')} alt="Reorder icons" style={{border: '1px solid gray'}} width="600"/>
 1. To move a status to a different location on the list, use your mouse to drag it to the desired location.
 
 ## Edit or delete a custom Insight status
 
-On the **Statuses** page, you can edit or delete any of the custom Insight statuses that have been created. 
+On the **Insight Statuses** tab, you can edit or delete any of the custom Insight statuses that have been created. 
 
 The edit and delete icons are only available for custom statuses.
 

@@ -47,7 +47,7 @@ Before you can access the Automation Service from Cloud SIEM, you must first [co
 
 1. To access the Automation Service from Cloud SIEM:
    1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**. <br/>The list of available Cloud SIEM automations appears. Each automation runs a playbook.<br/><img src={useBaseUrl('img/cse/automations-automations-list.png')} alt="Automations list" style={{border: '1px solid gray'}} width="800"/>
-   1. At the top of the screen, click **Manage Playbooks**.<br/><img src={useBaseUrl('img/cse/automations-manage-playbooks.png')} alt="Manage Playbooks menu option" width="400"/> <br/>The Automation Service screen displays: <br/><img src={useBaseUrl('img/cse/automations-playbook-list.png')} alt="Automation Playbook list" style={{border: '1px solid gray'}} width="800"/>
+   1. At the top of the screen, click **Manage Playbooks**.<br/><img src={useBaseUrl('img/cse/automations-manage-playbooks.png')} alt="Manage Playbooks menu option" width="300"/> <br/>The Automation Service screen displays: <br/><img src={useBaseUrl('img/cse/automations-playbook-list.png')} alt="Automation Playbook list" style={{border: '1px solid gray'}} width="800"/>
      :::note
      You can also launch the Automation Service by selecting **Automation** from the main menu: <br/><img src={useBaseUrl('img/cse/automation-menu-in-nav-bar.png')} alt="Automation menu option in the nav bar" style={{border: '1px solid gray'}} width="200"/> <br/>If you also have Cloud SOAR installed, a **Cloud SOAR** option appears instead, since all automation services are provided by Cloud SOAR when it installed in conjunction with Cloud SIEM.
      :::

@@ -55,10 +55,10 @@ Now that the playbook is configured, you can add it to an automation.
 
 1. [Create a new automation](#create-an-automation).
 1. Select the playbook you created in Step 2.
-1. In **Expects attributes for**,  select **Entity** or **Insight**.
+1. In **Object (expects attributes for)**, select **Entity** or **Insight**.
 1. Select whether you want to automatically run the automation when an Insight is created or closed, or to run it manually. (For the purposes of this overview, select **Manually Done**.)
 1. Select **Enabled**.
-1. Click **Add to List**.
+1. Click **Save**.
 
 ### Step 4: Run the automation
 
@@ -92,13 +92,12 @@ To view the automations that have run on Insights or Entities, see [View results
 The following procedure provides a brief introduction to how to create an automation. For detailed examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
 
 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**. 
-1. At the top of the automations screen, click **Create**.  (To modify an existing automation, click on the edit icon for the corresponding automation.)<br/><img src={useBaseUrl('img/cse/automations-automations-list.png')} alt="Automations list" style={{border: '1px solid gray'}} width="800"/>
-1. In the **New Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation. <br/><img src={useBaseUrl('img/cse/automations-new.png')} alt="New Automation" style={{border: '1px solid gray'}} width="400"/>
-1. In **Expects attributes for** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM.
-1. If **Entity** is selected, in the **Type** field select one or more Entity types. The playbook will only execute on the Entity types selected.
-1. Select one or more **Executes when** Insight triggers: **Insight Created**, **Insight Closed**, or **Manually Done**. If **Manually Done** is not selected, the automation will not appear in any **Actions** menu on Insights or **Automations** menus on Entities.
+1. At the top of the **Automation** tab, click **+ Add Automation**. (To modify an existing automation, select the automation and click **Edit**.)<br/><img src={useBaseUrl('img/cse/automations-automations-list.png')} alt="Automations list" style={{border: '1px solid gray'}} width="800"/>
+1. In the **Add Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation. <br/><img src={useBaseUrl('img/cse/automations-new.png')} alt="New Automation" style={{border: '1px solid gray'}} width="400"/>
 1. Set the **Status**. Disabled automations will not run automatically and will not appear in any **Actions** or **Automations** menus.
-1. Click **Add to List** (or **Update** if editing an existing automation).
+1. In **Object (xpects attributes for)** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM. If **Entity** is selected, in the **Type** field select one or more Entity types. The playbook will only execute on the Entity types selected.
+1. For **Execution** select when the automation runs: **Insight Created**, **Insight Closed**, or **Manually Done**. If **Manually Done** is not selected, the automation will not appear in any **Actions** menu on Insights or **Automations** menus on Entities.
+1. Click **Save**.
 
 ## Run an automation automatically