Remove the ARK reference from the Cloud SOAR docs #5522

Merged
merged 4 commits into from
Jun 30, 2025
7 changes: 0 additions & 7 deletions docs/cloud-soar/introduction.md
@@ -64,7 +64,6 @@ Finally, you can take the Insights from Cloud SIEM and automatically respond to
Sumo Logic’s Cloud SOAR is a cloud-based web application available as an add-on to existing Sumo Logic deployments. Some of Cloud SOAR’s key features include:

* **War Room**. A central location for all the information, analysis, and actions related to an incident. This includes notes, documentation, and knowledge transfer as well as tools for collecting data and assessing, investigating, and correlating different incidents.
* **ARK**. The Automated Responder Knowledge (ARK) learns from past incidents and threat intel to recommend relevant playbooks for future incidents.
* **App Central**. A large out-of-the-box library of playbooks, integrations, and use cases for different threats to get you started.
* **Cybersecurity best practices**. Cloud SOAR’s design and architecture meets many cybersecurity industry standards, regulatory frameworks, and best practices from organizations like ISO, GDPR, OASIS, NIST, and many others.

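Review bot: the `-64,7 +64,6` header shows a single removed line, and the feature list reads cleanly with War Room, App Central and Cybersecurity best practices remaining; while this list is being edited, the retained "Cybersecurity best practices" bullet names GDPR among "organizations like ISO, GDPR, OASIS, NIST", and GDPR is a regulation rather than an organization, so consider rewording to "standards and regulations such as ISO, GDPR, OASIS and NIST".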
@@ -210,12 +209,6 @@ Here are some other workflows you could automate with a playbook:

Cloud SOAR has hundreds of prebuilt playbooks and templates, so you can quickly and easily automate any of these tasks, or create new custom playbooks to suit your specific business needs. Normally, playbooks are automatically attached to incidents based on information like entities and severity scores.

##### ARK suggestions

Playbooks automate the individual tasks of incident response. But Cloud SOAR's Automated Responder Knowledge (ARK) suggestions take things one step further. ARK uses machine learning to suggest the most appropriate playbook for your incidents based on what you've done on similar incidents in the past. This frees up even more resources for analysts, as they don't have to spend time choosing a playbook before responding.

When ARK suggests a playbook to you, you have the option to add the playbook to the incident, run it, or dismiss the suggestion.

#### App Central, custom integrations, and other automations

Cloud SOAR has hundreds of pre-built playbooks which you can use as-is or customize. You can also build your own custom playbooks, which you can learn about in the Cloud SIEM Administration class.
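Review bot: with the "ARK suggestions" subsection gone, the two paragraphs now adjacent both open with the same claim, "Cloud SOAR has hundreds of prebuilt playbooks" above the removed block and "Cloud SOAR has hundreds of pre-built playbooks" in the trailing context (note the inconsistent spelling of prebuilt/pre-built), so consider folding the second into the first or dropping the duplicate. Separately, the trailing context sends readers to the "Cloud SIEM Administration class" to learn about custom Cloud SOAR playbooks; confirm that course name is intended rather than a Cloud SOAR class.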
8 changes: 0 additions & 8 deletions docs/cloud-soar/legacy/legacy-cloud-soar-architecture.md
@@ -25,11 +25,3 @@ All multi-tenant installations offer:
- Isolation of external actions (e.g., enrichment of indicators of compromise, containment actions prescribed to a host)

<img src={useBaseUrl('img/cloud-soar/image5.png')} alt="Multiple database symbols" width="600"/>

## Automated Responder Knowledge (DF-ARK)

Cloud SOAR's Automated Responder Knowledge (DF-ARK) module utilizes machine
learning through historical responses to past incidents and threat
intelligence feeds to enrich new incidents. This enrichment allows
Cloud SOAR to recommend relevant Playbooks and plans of action to expedite
detection and response times.
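Review bot: the `-25,11 +25,3` header shows the DF-ARK section was the last section of this legacy architecture page, so the file now ends on the `<img ... alt="Multiple database symbols" .../>` line; check that a single trailing newline is kept after the blank line that followed the image so the MDX file does not end mid-element. Because this page is under legacy/ and its readers may be on deployments that still expose DF-ARK, consider a one-line note that the module is no longer documented instead of a silent removal, or confirm that the legacy pages are meant to track the current product.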
43 changes: 0 additions & 43 deletions docs/cloud-soar/legacy/legacy-global-functions-menu.md
@@ -32,49 +32,6 @@ When a search result is located within an incident, the incident number will be

<img src={useBaseUrl('img/cloud-soar/image12.png')} alt="Global Search Results" style={{border: '1px solid gray'}} width="800"/>

## Automation

### ARK

ARK or Automated Responder Knowledge is the Machine Learning component of Cloud SOAR which implements the Supervised learning in Case-Based Reasoning (CBR) algorithm.
CBR solves new problems by adapting previously successful solutions to similar problems. In Cloud SOAR, this can be leveraged by analyzing solved incidents to hint steps and procedures to operators in new similar threats.<br/> <img src={useBaseUrl('img/cloud-soar/image15e.png')} alt="Automation menu" style={{border: '1px solid gray'}} width="250"/>

ARK assists operators during investigations in two main areas: Automatically suggesting/prompting next actions/tasks in Playbooks (until version 5) and Correlation/ Deduplication of similar threats into 1 unique incident.

#### Enable ARK

To enable ARK, click the cog icon, then **Settings** > **ARK** and make sure you have it set to **ON**.

From this page, it’s possible to configure also other ARK Settings such as the Neighbor incidents considered for each recommendation and an age relevance threshold. Those two parameters will allow you to tune the incidents that the Machine Learning algorithm will consider.

<img src={useBaseUrl('img/cloud-soar/image16b.png')} alt="ARK Settings" style={{border: '1px solid gray'}} width="800"/>

When an incident is created in Cloud SOAR, the Incident Type field will be the one defining which Playbooks you can attach to that incident.

#### ARK Usage

ARK has a correlation and deduplication or merging mechanism you can use with the ARK OIF.

ARK 2.0 OIF is a custom Sumo Logic integration which allows investigators to implement a mechanism for deduplication and correlation of ingested alerts and Cloud SOAR incidents.

<img src={useBaseUrl('img/cloud-soar/image16d.png')} alt="ARK OIF" style={{border: '1px solid gray'}} width="800"/>

<img src={useBaseUrl('img/cloud-soar/image16e.png')} alt="Test Action" style={{border: '1px solid gray'}} width="800"/>

OIF ARK enrichment action “Get parents for incident” allows you to retrieve every incident (as proposed parents) that is similar to the analyzed one.

Each optional field allows you to fine tune the weight of the fields, acceptance thresholds and of the algorithm which needs to be trained and fine-tuned in order to get correct and reliable results.

<img src={useBaseUrl('img/cloud-soar/image16f.png')} alt="Field Weight" style={{border: '1px solid gray'}} width="800"/>

Alert deduplication or merging can be achieved by utilizing ARK OIF enrichment actions and Cloud SOAR’s unique Triage capability.

Triage is a customizable section which can be used for enriching and preprocessing multiple different scenarios.

By dispatching the ingested alerts into Triage events, Cloud SOAR can automatically enrich each event, deduplicate them based on the logic configured in our associated Playbooks (which can invoke Ark OIF enrichment) and decide if Cloud SOAR should aggregate multiple entries in one unique incident, create multiple incidents for each event or if a similar incident has already been created, to update the existing incident with updated information.

Cloud SOAR can also correlate existing incidents to check if specific data is already present in the Cloud SOAR Database. It is crucial that all merging or deduplication must be done prior to conversion of an alert into incident. For example, a Triage event that allows you to invoke one or multiple playbooks for each Triage event created.

## Settings

### General Settings
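Review bot: removing the whole "## Automation" heading together with its only child "### ARK" is consistent with what the hunk shows under Automation, but two pieces of the removed block are not ARK-specific and may need a home elsewhere before they disappear: "When an incident is created in Cloud SOAR, the Incident Type field will be the one defining which Playbooks you can attach to that incident", and the description of Triage as a customizable section for enriching and preprocessing ingested alerts, including the point that merging or deduplication must be done before an alert is converted into an incident. The five images referenced only from the removed text (image15e.png, image16b.png, image16d.png, image16e.png and image16f.png under img/cloud-soar/) also become orphaned; delete them in the same PR or note why they stay.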
2 changes: 0 additions & 2 deletions docs/cloud-soar/overview.md
@@ -402,8 +402,6 @@ Cloud SOAR has been designed with Interoperability for Cybersecurity Industry st

Cloud SOAR design and architecture follows Cybersecurity Industry standards and regulatory frameworks, and adheres to best Industry practices to meet best Cybersecurity practices followed by ISO, GDPR, OASIS, NIST, Sec Regulations, and more.

Cloud SOAR offers a patent-pending Automated Responder Knowledge (DF-ARK) module which applies machine learning to historical responses and threats. It recommends relevant Playbooks, paths of action to expedite the process, and responses to manage and mitigate similar incidents with better response time.

Cloud SOAR provides static egress for Cloud executions. IP addresses can be entered into the allowlist. For a list of Cloud SOAR addresses by region, contact [Support](https://support.sumologic.com/support/s/).

<img src={useBaseUrl('img/cloud-soar/image3.png')} alt="Cloud SOAR architecture diagram" style={{border: '1px solid gray'}} width="800"/>
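Review bot: dropping the DF-ARK paragraph leaves the surrounding prose intact, but the figure immediately after it is labeled "Cloud SOAR architecture diagram" (img/cloud-soar/image3.png); if that diagram still draws an ARK or DF-ARK component, update the image in the same change so text and picture agree. While this region is being edited, the retained sentence "adheres to best Industry practices to meet best Cybersecurity practices followed by ISO, GDPR, OASIS, NIST, Sec Regulations, and more" is redundant and could be trimmed to a single "follows industry standards and regulatory frameworks such as ISO, GDPR, OASIS, NIST and SEC regulations".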