Merge branch 'main' into chvik/berry

Author: kimsauce

.clabot

@@ -181,7 +181,9 @@
     "ankitgoelcmu",
     "Deklin",
     "justrelax19",
-    "dlindelof-sumologic"
+    "dlindelof-sumologic",
+    "snyk-bot",
+    "stephenthedev"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

.github/workflows/build_and_deploy.yml

@@ -28,7 +28,7 @@ on:
 
 jobs:
   build-and-deploy:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.environment }}
       url: ${{ inputs.hostname }}${{ inputs.base_url }}

.github/workflows/delete-review.yml

@@ -4,7 +4,7 @@ on: delete
 
 jobs:
   delete-branch-environment:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     environment:
       name: review/${{ github.ref_name }}
     env:

.github/workflows/pr.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
     build-and-deploy:
-      runs-on: ubuntu-22.04
+      runs-on: ubuntu-latest
       env:
           CI: true
           NODE_ENV: production

blog-cse/2025-04-03-content.md

@@ -0,0 +1,36 @@
+---
+title: April 3, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes new and updated log mappers and parsers for Bitwarden, CommScope, Mimecast, and Sysdig Secure. Updates to Mimecast mappers are to support additional fields and events with new log parser.  
+
+## Log Mappers
+- [New] Bitwarden Authentication
+- [New] Bitwarden Catch All
+- [New] CommScope Authentication Event
+- [New] CommScope STP and DHCPC Event
+- [New] CommScope System|Security
+- [New] Sysdig Secure Packages
+- [New] Sysdig Secure Vulnerability
+- [Updated] Mimecast AV Event
+- [Updated] Mimecast Audit Authentication Logs
+- [Updated] Mimecast Audit Hold Messages
+- [Updated] Mimecast Audit Logs
+- [Updated] Mimecast DLP Logs
+- [Updated] Mimecast Email logs
+- [Updated] Mimecast Impersonation Event
+- [Updated] Mimecast Spam Event
+- [Updated] Mimecast Targeted Threat Protection Logs
+
+## Parsers
+- [New] /Parsers/System/Bitwarden/Bitwarden
+- [New] /Parsers/System/CommScope/CommScope
+- [New] /Parsers/System/Mimecast/Mimecast
+- [New] /Parsers/System/Sysdig/Sysdig Secure

blog-cse/2025-04-08-application.md

@@ -0,0 +1,16 @@
+---
+title: April 8, 2025 - Application Update
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - threat intel
+  - security
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### New Threat Intelligence Source
+
+We’re excited to announce a new default source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from Intel 471.
+
+For more information, [see our release note](/release-notes-service/2025/04/08/security/) in the *Service* release notes section.

blog-cse/2025-04-14-content.md

@@ -0,0 +1,81 @@
+---
+title: April 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Additional data requirements for GitHub rules added to rule descriptions.
+- Spelling corrections for AWS Lambda rules.
+- New Slack Anomaly Event log mapper and supporting parsing changes:
+   - Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
+   - Requires parser be defined for passthrough detection.
+- Updates to Sysdig parsing and mapping to support additional events.
+- Support for Microsoft Windows Sysmon-29 event.
+- Additional normalized field mappings for Microsoft Windows Sysmon events.
+- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields.
+
+
+### Rules
+- [Updated] MATCH-S00874 AWS Lambda Function Recon
+- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
+- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
+- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
+- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
+- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
+- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
+- [Updated] MATCH-S00955 GitHub - Member Permissions Modification
+- [Updated] MATCH-S00956 GitHub - OAuth Application Activity
+- [Updated] MATCH-S00957 GitHub - Organization Transfer
+- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
+- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
+- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
+- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
+- [Updated] MATCH-S00960 GitHub - Repository Transfer
+- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
+- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
+- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
+- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+
+### Log Mappers
+- [New] Slack Anomaly Event
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
+- [New] Windows - Microsoft-Windows-Sysmon/Operational-29
+- [Updated] Sysdig Secure Packages
+- [Updated] Sysdig Secure Vulnerability
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
+
+### Parsers
+- [New] /Parsers/System/Slack/Slack Enterprise Audit
+- [Updated] /Parsers/System/Sysdig/Sysdig Secure
+
+### Schema
+- [New] `targetUser_phoneNumber`
+- [New] `user_phoneNumber`

blog-cse/2025-04-25-content.md

@@ -0,0 +1,32 @@
+---
+title: April 25, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
+- Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.
+
+## Rules
+- [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
+- [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
+- [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
+- [Updated] MATCH-S01000 Threat Intel - MD5 Match
+- [Updated] MATCH-S01001 Threat Intel - PEHASH Match
+- [Updated] MATCH-S01003 Threat Intel - SHA1 Match
+- [Updated] MATCH-S01004 Threat Intel - SHA256 Match
+- [Updated] MATCH-S01002 Threat Intel - SSDEEP Match
+
+## Log Mappers
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+- [Updated] Microsoft Office 365 AzureActiveDirectory Events
+
+## Parsers
+- [Updated] /Parsers/System/Microsoft/Office 365

blog-csoar/2025-04-21-content.md

@@ -0,0 +1,42 @@
+---
+title: April 21, 2025 - Content Release
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## March and April releases
+
+### Changes and enhancements
+
+#### Integrations
+
+* [NEW] [ThreatDown Oneview](/docs/platform-services/automation-service/app-central/integrations/threatdown-oneview/). The ThreatDown OneView integration has been built from scratch to facilitate seamless security operations management. 
+* [NEW] [Atlassian Jira Cloud](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-cloud/). The Atlassian Jira Cloud integration has been developed from the ground up to streamline issue tracking and project management. 
+* [UPDATED] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/). Added a new Update IP Set action in the AWS WAF integration that allows users to update an existing IP set.
+
+#### Platform 
+
+##### Playbooks
+
+* Improved the user experience in the node popup when loading dynamic fields.
+* Added a confirmation dialog to alert users about pre-existing playbook drafts to avoid accidental overwriting while editing playbooks.
+* Implemented an alert popup to prevent accidental loss of unsaved changes when closing a node popup.
+* Added audit logs for failed nodes due to errors or exceptions during playbook execution.
+
+### Bug fixes
+
+#### General
+
+* Fixed a session timeout issue when the user is active in Automation Service, but inactive in Sumo Logic Log Analytics.
+* Fixed cursor positioning issue while typing in text areas.
+
+#### Integrations
+
+* Resolved a next page token and pageSize related issues in the List Permissions action of the  [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/) integration.
+* Added a new `impersonate_user` field in List Permission and Delete Permission actions, allowing actions to be performed on a user's behalf.

blog-developer/2025-04-09-api.md

@@ -0,0 +1,13 @@
+---
+title: April 9, 2025 - Deprecation of Sumo Logic India Data Center
+image: https://help.sumologic.com/img/sumo-square.png
+hide_table_of_contents: true    
+---
+
+As previously communicated to impacted customers, effective as of April 30, 2025, customers will no longer be able to ingest data into the Sumo Logic Mumbai data center (`https://api.in.sumologic.com/`). Customers will retain access to historical data and basic search functionality until April 30, 2026, at which point all access will be terminated.
+
+Historical data will not be migrated to other deployments.
+
+**Reminder**: If you're still referencing the India endpoint, please update your integrations. For supported alternatives, see the [endpoint guide](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security).
+
+For help, contact [Support](https://support.sumologic.com/).