Three Cloud SIEM innovations that improve team collaboration, tailor SOC workflows, and encourage customization

Sumo Logic is constantly improving our Cloud SIEM solution to meet the needs and demands of our current and future customers and help them modernize their security operations. Via our cloud-native platform, our engineers perform continuous delivery of product features and improvements to all Cloud SIEM customers—simultaneously—several times each week. This allows us to iterate and develop what customers want quickly, without requiring them to lift a finger (or update their software and rules content).

Customers tell us they love using our Cloud SIEM because of its flexibility and customization capabilities. We provide the flexibility and controls to map our product workflows to their business requirements. This means the product adapts to the way they want to work, and not the other way around.

As such, I’m proud to highlight three new product features and enhancements that provide SOC teams and security analysts with new optimizations to help them adapt Cloud SIEM to their environment even better. Together, these features help improve team collaboration and consistently communicate threat information and event statuses while also saving time during threat investigation and response activities.

Custom Tag Schemas

Sumo Logic Cloud SIEM uses two types of searchable metadata tags applied to Rules, Entities, Signals, and Insights: schema keys, and keyword tags. Schema keys are predefined key-value pairs and Sumo provides two built-in tags for the MITRE ATT&CK framework, including Tactics and Techniques. Keyword tags are simple freeform labels that security analysts can define arbitrarily for any custom Rules, Entities, and Insights.

However, these freeform keyword tags have no enforcement and problems can occur when each user creates whatever tag they want. One person will call a classification of servers for threat detection and investigations “FinanceServers,” and later, someone else could call it “Financeservers,” and a third analyst might call it “financeservers.” All are intended to capture the same characteristic, but unfortunately, these result in three different tags. In addition, some customers need the flexibility to create customized tag schemas with consistent, static names defined by a SOC administrator, and values associated by the SOC team.

“Custom Tag Schemas” is a new enhancement to our Cloud SIEM tagging capability that now allows users to define their custom tag schemas with the enforcement of schema definition and association of tags. Similar to how MITRE ATT&CK Tactics and Techniques can be chosen from a drop-down, now customers can define their own standard set of tags to leverage; their appearance in drop-downs allows team members to choose the correct tags. This allows consistency across the SOC team and makes it easier for security analysts to navigate objects with those tags and search for them. Implementing a Custom Tag Schema means reports, filters, and analytics are easier to look up along with being reliable and consistent. Best of all, CISOs and SOC directors will appreciate how Custom Tag Schemas will improve analyst efficiencies and ultimately save time.

Create new Schema for custom tag including value, label, and a clickable link

After selecting the Schema (e.g., Cybersecurity Threat Type), the list of allowable values are displayed in a separate dropdown (e.g., Ransomware)

Custom Insight Statuses

SecOps workflows and processes can vary between different organizations and their deployments. The categorization of Insight statuses needs to match the workflow in the platform and the processes the team are accustomed to. While giving guidance of what the flow should be (default settings), customers need the ability to create and organize their own specific workflow categories to meet their existing processes and flows.

In Sumo Logic’s Cloud SIEM, there are preconfigured Insight statuses that cannot be edited or deleted including New, In Progress, and Closed. While customers have been able to create custom workflow categories (i.e., Insight statuses), they couldn’t arrange the order to match their specific workflows.

With “Custom Insight Statuses”, customers can now create their unique Insight statuses and change the order depicted in the Cloud SIEM interface—enabling SOC teams to map the workflows to their specific needs. Each custom Insight status has a name and description and can be easily re-ordered by moving the handle alongside its name on the Workflow page. Users can change the order in real-time at will, however, the New status must always be the first status, and Closed must always be the last status. Once set, the custom workflow is displayed in the desired order throughout the interface including Status drop-downs within Insight Details pages and when filtering Insights by Status.

This flexibility frees customers to use our Cloud SIEM in a fashion that more closely matches their needs. Customers still get all of the ease-of-use functionality of workflow mapping (dropdown and drag and drop) but can now map the flow to their unique use cases. Mirroring their existing workflows in the platform where they spend most of their time throughout the day helps ensure the entire SOC team is collaborating effectively while efficiently moving Insights toward closure.

Create customized Insight statuses directly from the Workflow page

Board view of Insights page, reflecting tailored workflow and associated Insights within each status

Custom Insight Resolutions

We understand customers require flexibility in how they track and maintain the status of their closed Insights. There are use cases in which SOC teams need customization and granularity for their Insight resolutions that are associated with existing internal workflows and processes.

“Custom Insight Resolutions” is a new Cloud SIEM functionality enabling customers to define and name their own descriptions for closing Insights. Custom resolutions are nested under any of the four existing built-in resolutions: Duplicate, False Positive, No Action, and Resolved. This increases clarity and provides additional context as to why an Insight was closed.

Now, analysts gain their desired openness and granularity as they interact with the interface. By closing every Insight with tailored, descriptive resolutions customers capture accurate metrics to help tune their content over time. Meanwhile, Sumo’s machine learning model receives consistent data that benefits all Cloud SIEM customers (i.e., Global Confidence scores). As mentioned above, this is another great example of how we’re making Cloud SIEM adapt to our customers’ processes, instead of forcing them to remap or rethink what already is working. Enabling customers to map Insight resolutions to their specific requirements improves team collaboration and communication and reduces the time needed to investigate, close, and manage past Insights.

Create new granular resolutions (e.g., “Threat Remediated”) for SOC analysts to select for resolved Insights

Here’s a quick demonstration of the underlying features that provide this flexibility and customization for customers

Learn More

• If you’re already a Cloud SIEM customer (or interested) you can read more about these features in our product documentation: Custom Tag Schemas | Custom Insight Statuses | Custom Insight Resolutions

• Don’t have Sumo Logic Cloud SIEM but you’re already a Sumo Logic customer? Contact your sales representative or authorized Sumo Logic reseller to find out how you can upgrade to our complete Cloud SIEM solution.

• Didn’t know Sumo Logic offers a complete, cloud-native SaaS SIEM to help modernize your security operations? Learn what the industry is saying or check out this quick highlight reel.