|
| 1 | +--- |
| 2 | +id: manage-orgs-for-mssps-csiem-rules |
| 3 | +title: Manage Organizations for MSSPs - Cloud SIEM |
| 4 | +sidebar_label: Manage Orgs for MSSPs - Cloud SIEM |
| 5 | +description: Learn how to manage organizational Cloud SIEM rules and rule tuning for Managed Security Service Providers (MSSPs). |
| 6 | +--- |
| 7 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 8 | + |
| 9 | +This article describes how to manage Cloud SIEM rules and rule tuning expressions in organizations for Managed Security Service Providers (MSSPs). MSSP administrators must ensure that the content of their child organizations is properly configured. MSSPs often consist of a parent organization with child organizations that use [Cloud SIEM](/docs/cse/). |
| 10 | + |
| 11 | +## Considerations |
| 12 | + |
| 13 | +### Roles |
| 14 | + |
| 15 | +You must have the following [organization role capabilities](/docs/manage/users-roles/roles/role-capabilities/#organizations) to create and manage organizations as an MSSP administrator: |
| 16 | + |
| 17 | +* Organizations |
| 18 | + * View Organizations |
| 19 | + * Create Organizations |
| 20 | + * Manage Organizations |
| 21 | + |
| 22 | +### Multi-insights list page in Cloud SIEM |
| 23 | + |
| 24 | +If you are logged in to a parent organization with child organizations that also use Cloud SIEM, the insights list page in Cloud SIEM allows you to [view insights in child organizations](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#view-insights-in-child-organizations). |
| 25 | + |
| 26 | +<!-- After this article is no longer beta, show the following text: |
| 27 | +This multi-insights list page (also known as a "federated" page) shows insights just as in a normal insights list page. When you click an insight on the page, you are automatically signed in to the child organization (if SSO is enabled for the child organization), and the insight's details open in the child organization's UI. You can also use the board view on the multi-insights page to move insights to different statuses. |
| 28 | +
|
| 29 | +To be able to see insights in child organizations, add child organizations that use Cloud SIEM. Then when the parent organization user goes to their Cloud SIEM insights list page, all the child organizations' insights appear in the list. |
| 30 | +--> |
| 31 | + |
| 32 | +## Manage Cloud SIEM rules |
| 33 | + |
| 34 | +To ensure that content is consistent across child organizations, use the **Manage Content** tab to push content in target organizations with content from a source organization. |
| 35 | + |
| 36 | +You can push the following: |
| 37 | +* Cloud SIEM [rules](/docs/cse/rules/) |
| 38 | +* Cloud SIEM [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions/) |
| 39 | + |
| 40 | +1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Organizations**. You can also click the **Go To...** menu at the top of the screen and select **Organizations**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Organizations**. |
| 41 | +1. Select the **Manage Content** tab. |
| 42 | +1. In the **Source Org** field, select the organization that will provide the source data to be pushed in other organizations. |
| 43 | +1. In the **Content** bar, select the content to be pushed: |
| 44 | + * **Cloud SIEM Rules**. For more information about Cloud SIEM rules, refer to [Cloud SIEM Rules](/docs/cse/rules/). |
| 45 | + * **Cloud SIEM Rule Tuning**. For more information about Cloud SIEM rule tuning expressions, refer to [Rule Tuning Expressions](/docs/cse/rules/rule-tuning-expressions/). |
| 46 | +1. Select individual items to be pushed, or all items. |
| 47 | +1. Click **Push to Orgs **.< br/><img src={useBaseUrl('img/manage/subscriptions/mssp-orgs-sync-selected-items-csiem.png')} alt="Push Selected Items button" style={{border: '1px solid gray'}} width="800"/> |
| 48 | +1. On the **Push Selected Items ** box, navigate to the **Destinations ** section to select the organizations to push the selected items to. You can push to all organizations, a single child organization, or multiple child organizations.< br/><img src={useBaseUrl('img/manage/subscriptions/mssp-orgs-sync-selected-items-2-csiem.png')} alt="Push Selected Items dialog" style={{border: '1px solid gray'}} width="400"/> |
| 49 | +1. Click **Push**. A **Pushing in progress** dialog is displayed. |
| 50 | + |
| 51 | +### Tips |
| 52 | + |
| 53 | +* If you select **All Child Organizations **, you can then select organizations to exclude, allowing you to push to all organizations except those you select:< br/><img src={useBaseUrl('img/manage/subscriptions/mssp-orgs-selected-organizations.png')} alt="Selected organizations" style={{border: '1px solid gray'}} width="300"/> |
| 54 | +* When you push rule tuning expressions, select **Include Associated Cloud SIEM Rules ** to push all the Cloud SIEM rules that the expressions are used on:< br/><img src={useBaseUrl('img/manage/subscriptions/mssp-orgs-sync-associated-rules.png')} alt="Include Associated Cloud SIEM Rules checkbox" style={{border: '1px solid gray'}} width="200"/> |
| 55 | + |
| 56 | +### Limitations |
| 57 | + |
| 58 | +- If an item with the same name exists in the target organization, it will be replaced. |
| 59 | +- Once a push is initiated, it cannot be reversed. Administrators should carefully review their selections before updating. |
| 60 | +- If errors occur during the push, administrators must manually re-attempt the failed push. To see failed pushes, use [View History](#view-history). |
| 61 | +- Push operations may take longer based on the volume of content being pushed. |
| 62 | +- Rule tuning expressions must be pushed separately from rules. |
| 63 | +- *Cloud SIEM Legacy Rule Type* is not supported for sync or push. |
| 64 | + |
| 65 | +## View history |
| 66 | + |
| 67 | +1. Click **View History ** in the upper-right corner of the page. A query for push history displays:< br/><img src={useBaseUrl('img/manage/subscriptions/mssp-view-history-query.png')} alt="View history query" style={{border: '1px solid gray'}} width="800"/> |
| 68 | +1. Click the search button. <img src={useBaseUrl('img/manage/subscriptions/search-button.png')} alt="Search button" width="75"/> < br/>The push history displays. The email of the individual who performed the push appears in the **user_email ** column, and the pushed items appear in the **content ** column. < br/><img src={useBaseUrl('img/manage/subscriptions/mssp-view-history-query-results.png')} alt="View history query results" style={{border: '1px solid gray'}} width="800"/> |
| 69 | +1. Investigate any push that failed and re-run the push if needed. |
| 70 | + |
| 71 | +## View push in the audit log |
| 72 | + |
| 73 | +You can view all content management push in the [Audit Event Index](/docs/manage/security/audit-indexes/audit-event-index/) by using the following query: |
| 74 | + |
| 75 | +```sql |
| 76 | +_index=sumologic_audit_events |
| 77 | +| where eventname = "ContentSynced" |
| 78 | +``` |
| 79 | + |
| 80 | +To see the results displayed the same as in [View History](#view-history), use the following query: |
| 81 | + |
| 82 | +```sql |
| 83 | +_index=sumologic_audit_events |
| 84 | +| where eventname = "ContentSynced" |
| 85 | +| orchestratorJob.id as job_sync_id |
| 86 | +| operator.email as user_email |
| 87 | +| parseDate(eventTime, "yyyy-MM-dd'T'HH:mm:ss.SSSXXX") as eventTimeInmilliseconds |
| 88 | +| values(resourceIdentity.name) as content, values(resourceIdentity.type) as content_type, min(eventTimeInmilliseconds) as content_sync_job_time_ms, values(status) as all_status by job_sync_id, user_email |
| 89 | +| if (contains(all_status, "Failed"), "Failed", "Success") as status |
| 90 | +| sort by content_sync_job_time_ms |
| 91 | +| formatDate(content_sync_job_time_ms, "yyyy-MM-dd") as content_sync_date |
| 92 | +| formatDate(content_sync_job_time_ms, "HH:mm:ss") as content_sync_time |
| 93 | +| fields content_sync_date, content_sync_time, job_sync_id, status, user_email, content_type, content |
| 94 | +``` |
| 95 | + |
| 96 | +## FAQs |
| 97 | + |
| 98 | +* **What happens when an item with the same name already exists?**<br/>It will be replaced in the child organization. |
| 99 | +* **What happens if an item selected for push doesn't already exist in the target organization?**<br/>The item will be created in the target organization. |
| 100 | +* **What if errors occur during pushing?**<br/>Affected items will be skipped. Once the rest of the content is pushed, you can review errors in [View History](#view-history) and retry. |
| 101 | +* **Can I roll back changes after a push operation?**<br/>No, rollback is not supported. After a push operation is initiated, changes cannot be reversed. |
| 102 | +* **How can I monitor push progress?**<br/>During a push, the system displays real-time status, including progress tracking, success or failure messages, and error logs. |
| 103 | +* **How can I view push history?**<br/>Click **View History** in the upper-right corner of the page. A query for push history will display, showing the email of the individual who performed the push and the pushed items. |
| 104 | +* **Who can I contact for additional questions or support?**<br/>Reach out to your Sumo Logic representative with any questions, issues, or feedback. |
| 105 | + |
| 106 | +#### Pushing Cloud SIEM Rules |
| 107 | + |
| 108 | +**Are rule tuning expressions included?**<br/>No, they are not included, but can be pushed separately. |
| 109 | + |
| 110 | +#### Pushing Cloud SIEM Rule tuning expressions |
| 111 | + |
| 112 | +* **What happens if the source tuning expression contains Cloud SIEM rules?**<br/>If the **Include Linked Cloud SIEM Rules** option is selected, existing rules with the same name in the destination organization will be linked to match the source tuning expression. |
| 113 | +* **What if no matching Cloud SIEM rules are found in the destination organization?**<br/>Push will complete with a warning, and missing rules will be logged in the audit log. You can push those rules separately and re-run the tuning expression push. |
0 commit comments