diff --git a/docs/cloud-soar/incidents-triage.md b/docs/cloud-soar/incidents-triage.md index 40bd3b3052..c826f02615 100644 --- a/docs/cloud-soar/incidents-triage.md +++ b/docs/cloud-soar/incidents-triage.md @@ -95,7 +95,7 @@ To add investigators to incidents: :::info You can also select groups in addition to selecting individuals. For more information, see [Groups](/docs/cloud-soar/overview/#groups). ::: -1. In the **Role** column, select the role assigned to the users that you want them to have as investigators. For example, select Analyst, Administrator, or some other role. The roles must have the appropriate Cloud SOAR role capabilities that you want them to have as investigators of the incidents. +1. In the **Role** column, select the role assigned to the users that you want them to have as investigators. For example, select Analyst, Administrator, or some other role. The roles must have the appropriate Cloud SOAR role capabilities that you want them to have as investigators of the incidents. (If you are selecting a group as an investigator, you cannot change the group's assigned role here. You can only change the group's role on the group itself.) 1. Click **Apply**. #### View investigators assigned to an incident diff --git a/docs/cloud-soar/overview.md b/docs/cloud-soar/overview.md index 15aa8f03b5..587e1f306a 100644 --- a/docs/cloud-soar/overview.md +++ b/docs/cloud-soar/overview.md @@ -153,7 +153,7 @@ Use the **Go To...** menu to access these Cloud SOAR features: * [**Entities**](/docs/cloud-soar/incidents-triage/#entities). Manage entities identified across incidents. * [**Fields**](/docs/cloud-soar/overview/#custom-fields). Customize fields to better suit your environment. * [**General**](#settings). Configure general Cloud SOAR settings. -* [**Groups**](#groups). Create a group of users and assign a role to all the users in the group. +* [**Groups**](#groups). Create a group of users that can be added as incident investigators. * [**Incidents**](/docs/cloud-soar/incidents-triage/#incidents). Manage security incidents that require investigation and action. * [**Incident Labels**](#incident-labels). Define labels for the different types of incidents that will be investigated. * [**Notifications**](#notifications). Configure notifications to Cloud SOAR users as well as other external users. @@ -177,7 +177,7 @@ The **Administration** menu allows you to administer Sumo Logic features, such a Use the **Administration** menu to access: * [**General**](#general). Configure general Cloud SOAR settings. * [**Notifications**](#notifications). Configure notifications to Cloud SOAR users as well as other external users. -* [**Groups**](#groups). Create a group of users and assign a role to all the users in the group. +* [**Groups**](#groups). Create a group of users that can be added as incident investigators. ## Settings @@ -229,26 +229,33 @@ For additional setup needed for Slack, see [Configure Slack for Cloud SOAR](/doc ### Groups -[**Classic UI**](/docs/cloud-soar/overview#classic-ui). To access groups settings, click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**. +A *group* in Cloud SOAR is a collection of users that can be added as incident investigators. When you have a number of users to add as investigators, adding a group of users is faster and easier than adding each user individually. In addition, you can assign everyone in the group the same profile (role), limiting them as incident investigators to only the rights that the profile gives them. -[**New UI**](/docs/cloud-soar/overview#new-ui). To access groups settings, in the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**. - - -Groups dialog +For example, let's say that you have a team of SOC analysts that share responsibility for investigating incidents. You can add all the members of the team to a group and give its members the "Analyst" profile. Then when you need to add the SOC analysts as investigators to incidents, you can simply select the group as the investigator. #### Create a group -You can create a group of users and assign a role to all the users in the group. This makes it easy to assign a specialized role to multiple users at once rather than adding the users individually to the role. - -For example, say there is a group of users with different roles responsible for customer support. Access to a specific incident with restricted privileges needs to be granted to all investigators of the incident. You can create a role with just the needed [Cloud SOAR role capabilities](/docs/manage/users-roles/roles/role-capabilities/#cloud-soar) and select it as the role (also known as a profile) for members of the group. Then when you [add investigators](/docs/cloud-soar/incidents-triage/#add-investigators) for the incident, you can select the group rather than individual users. - -1. Click the **+** icon next to **Groups**. The **Add Groups** dialog is displayed.
Add Group dialog +1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). Click the gear icon Settings menu icon in the top right, select **Settings**, and on the left menu select **User Management > Groups**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the top menu select **Administration**, and then under **Cloud SOAR Settings** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**. +1. The **Groups** dialog displays. Click the **+** icon next to **Groups**.
Groups dialog
The **Add Groups** dialog is displayed.
Add Group dialog 1. In **Name** enter a name for the group. -1. In **Profile** select the role to use for members of the group. These are [roles](/docs/manage/users-roles/roles/) already created in the system. +1. In **Profile** select the role to assign to members of the group. These are [roles](/docs/manage/users-roles/roles/) already created in the system. 1. Click **Create**. The empty group is displayed.
Example group 1. Click the **+** icon next to **Members**. 1. Select the users to add to the group. -1. Click **Apply**. +1. Click **Apply**. + +#### Assign a group as an incident investigator + +To add a group as an incident investigator, follow the same steps as described in [Add investigators](/docs/cloud-soar/incidents-triage/#add-investigators): +1. [**Classic UI**](/docs/cloud-soar/overview#classic-ui). At the top of the screen, click **Incidents**.
[**New UI**](/docs/cloud-soar/overview#new-ui). In the main Sumo Logic menu, select **Cloud SOAR > Incidents**. You can also click the **Go To...** menu at the top of the screen and select **Incidents**. +1. Check the incidents you want to add investigators to. +1. Click the three-dot kebab menu in the upper left-hand corner of the screen. +1. Select **Add Investigator**.
The **Add Investigator** screen is displayed.
Add Investigator dialog +1. Select the group to add as investigator of the selected incidents. For example, in the sample screen above, select **SOC Team**. + :::note + The **Role** column displays the profile assigned to the members of the group. You cannot change the group's assigned profile (role) here like you can for individual users. You can only change the group's assigned profile on the group itself. + ::: +1. Click **Apply**. The group is added an an investigator of the selected incidents. While investigating the incidents, members of the group have the rights given by the the role (profile) assigned to members of the group. #### Group role assignments diff --git a/static/img/cloud-soar/cloud-soar-add-investigator.png b/static/img/cloud-soar/cloud-soar-add-investigator.png index e4f2146ac2..e771a88f52 100644 Binary files a/static/img/cloud-soar/cloud-soar-add-investigator.png and b/static/img/cloud-soar/cloud-soar-add-investigator.png differ