Merge branch 'main' into docs-613-service-intelligence-beta

Author: jpipkin1

blog-cse/2025-06-12-content.md

@@ -0,0 +1,82 @@
+---
+title: June 12, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- New detection rules for browser extension persistence, Kerberos certificate authentication, GitHub vulnerability alerts, Okta application access monitoring, and threat intelligence email matching.
+- New product support for Atlassian audit and login events.
+- Enhanced Azure Event Hub Windows Defender integration with new threat event mapping for passthrough alerts.
+- Cisco ASA updates with new network event support and NAT IP handling improvements.
+- Citrix NetScaler mapping updates to support additional events.
+- Update to Auth0 successful/unsuccessful login mappings to properly classify each.
+- CrowdStrike NextGen SIEM Alert event support.
+- Mimecast security event mapping improvements across several event types.
+- AWS CloudTrail network event enhancements with event success/failure handling and protocol support.
+- Parser updates to support additional event formats for multiple platforms.
+
+Changes are enumerated below.
+
+### Rules
+- [New] MATCH-S00897 Chromium Extension Installed
+    - Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values: `file_path` and/or `changeTarget` depending on the source of the telemetry. This rule logic utilizes Sysmon file creation events, which need to be enabled and configured on relevant assets.
+- [New] FIRST-S00064 First Seen Certificate Thumbprint in Successful Kerberos Authentication
+    - This alert looks for a first seen certificate thumbprint being used to authenticate to an Active Directory environment, resulting in a Kerberos ticket being successfully issued. This alert is designed to catch Active Directory Certificate Services related attacks, ensure the certificate thumprint is valid, correlate the thumbprint ID with other Certificate Services events, particularly looking for recently issued templates.
+- [New] MATCH-S00949 GitHub - Vulnerability Alerts
+    - Detects vulnerability alerts created for a GitHub repository.
+- [New] FIRST-S00070 Okta - First Seen Application Accessed by User
+    - This signal looks for a user that is accessing an application behind Okta SSO that is first seen since the baseline period. Ensure that access of this application is expected and authorized, look for other Okta events around the user account in question to determine whether access to this application is expected and authorized.
+- [New] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
+    - This rule detects when a user has utilized multiple distinct operating systems when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression or a match list.
+- [New] MATCH-S01020 Threat Intel - Matched Target Email
+    - Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
+- [New] MATCH-S01019 Threat Intel - Matched User Email
+    - Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
+- [Updated] MATCH-S00170 Windows - Scheduled Task Creation
+    - Fixed spelling error.
+
+### Log Mappers
+- [New] Altassian audit events
+- [New] Altassian login events
+- [New] Azure Event Hub - Windows Defender Azure Alert
+- [New] Cisco ASA 4180(18|19|44)
+- [New] Cisco ASA 713nnn JSON
+- [New] Cisco ASA Network events
+- [New] Citrix NetScaler - SSL Handshake Failure
+- [New] CrowdStrike NextGen SIEM
+- [Updated] Auth0 Failed Authentication
+- [Updated] Auth0 Successful Authentication
+- [Updated] Azure Event Hub - Windows Defender Logs
+- [Updated] Cisco ASA 106010 JSON
+- [Updated] Cisco ASA 20900(4|5) JSON
+- [Updated] Cisco ASA 50000(4|3) JSON
+- [Updated] Citrix NetScaler - TCP Connection
+- [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
+- [Updated] F5 HTTP Request
+- [Updated] Mimecast AV Event
+- [Updated] Mimecast Audit Authentication Logs
+- [Updated] Mimecast Audit Hold Messages
+- [Updated] Mimecast Audit Logs
+- [Updated] Mimecast DLP Logs
+- [Updated] Mimecast Email logs
+- [Updated] Mimecast Impersonation Event
+- [Updated] Mimecast Spam Event
+- [Updated] Mimecast Targeted Threat Protection Logs
+
+### Parsers
+- [New] /Parsers/System/Atlassian/Atlassian Audit Events
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
+- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
+- [Updated] /Parsers/System/AWS/CloudTrail
+- [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
+- [Updated] /Parsers/System/F5/F5 Syslog
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+- [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

cid-redirects.json

@@ -470,6 +470,7 @@
   "/05Search/Lookup_Tables/02_Manage_and_Update_Lookup_Tables": "/docs/search/lookup-tables/manage-update-lookup-tables",
   "/05Search/Optimize-Search-Performance": "/docs/search/optimize-search-performance",
   "/05Search/Optimize-Search-Performance/Optimizing_Search_with_Partitions": "/docs/search/optimize-search-partitions",
+  "/docs/manage/queries/optimize-queries": "/docs/search/optimize-search-performance",
   "/05Search/Search-Cheat-Sheets": "/docs/search/search-cheat-sheets",
   "/05Search/Search-Cheat-Sheets/General-Search-Examples-Cheat-Sheet": "/docs/search/search-cheat-sheets/general-search-examples",
   "/05Search/Search-Cheat-Sheets/grep-to-Searching-with-Sumo-Cheat-Sheet": "/docs/search/search-cheat-sheets/grep-searching-with-sumo",
@@ -1086,6 +1087,7 @@
   "/07Sumo-Logic-Apps/16PCI_Compliance/PCI_Compliance_for_Palo_Alto_Networks/Collect_Logs_for_PCI_Compliance_for_Palo_Alto_Networks": "/docs/integrations/pci-compliance/palo-alto-networks-9",
   "/07Sumo-Logic-Apps/16PCI_Compliance/PCI_Compliance_for_Palo_Alto_Networks/Install_the_PCI_for_Palo_Alto_Networks_App_and_View_the_Dashboards": "/docs/integrations/pci-compliance/palo-alto-networks-9",
   "/07Sumo-Logic-Apps/16PCI_Compliance/PCI_Compliance_for_Palo_Alto_Networks": "/docs/integrations/pci-compliance/palo-alto-networks-9",
+  "/07Sumo-Logic-Apps/16PCI_Compliance/Choosing_Between_PCI_Compliance_Apps_and_PCI_Compliance_Professional_Services_App": "/docs/integrations/pci-compliance",
   "/07Sumo-Logic-Apps/18SAAS_and_Cloud_Apps": "/docs/integrations/saas-cloud",
   "/07Sumo-Logic-Apps/18SAAS_and_Cloud_Apps/Acquia": "/docs/integrations/saas-cloud/acquia",
   "/07Sumo-Logic-Apps/18SAAS_and_Cloud_Apps/Acquia/Collect_logs_for_the_Acquia_App": "/docs/integrations/saas-cloud/acquia",
@@ -3601,6 +3603,7 @@
   "/Send_Data/Hosted_Collectors": "/docs/send-data/hosted-collectors",
   "/Send_Data/Hosted_Collectors/Configure_a_Hosted_Collector": "/docs/send-data/hosted-collectors/configure-hosted-collector",
   "/Send_Data/Local_Configuration_File_Management": "/docs/send-data/use-json-configure-sources/local-configuration-file-management/new-collectors-and-sources",
+  "/Send_Data/Sources/01Sources_for_Installed_Collectors/Preconfigure_a_Machine_to_Collect_Remote_Windows_Events": "/docs/send-data/installed-collectors/sources/preconfigure-machine-collect-remote-windows-events",
   "/Send_Data/Sources/01Sources_for_Installed_Collectors/Script_Action": "/docs/send-data/installed-collectors/sources/script-action",
   "/Send_Data/Sources/01Sources_for_Installed_Collectors/Syslog_Source": "/docs/send-data/hosted-collectors/cloud-syslog-source",
   "/Send_Data/Sources/01Sources_for_Installed_Collectors/Local_File_Source": "/docs/send-data/installed-collectors/sources/local-file-source",
@@ -3624,6 +3627,7 @@
   "/Traces/02Working_with_Tracing_data/04Spans": "/docs/apm/spans",
   "/Traces/02Working_with_Tracing_data/05Search_Query_Language_support_for_Traces": "/docs/apm/traces/search-query-language-support-for-traces",
   "/Traces/Real_User_Monitoring": "/docs/apm/real-user-monitoring",
+  "/docs/apm/opentelemetry": "/docs/apm/traces/get-started-transaction-tracing/opentelemetry-instrumentation",
   "/Traces/Service_Map_and_Dashboards": "/docs/apm/services-list-map",
   "/Traces/View_and_investigate_traces": "/docs/apm/traces/view-and-investigate-traces",
   "/Visualizations-and-Alerts": "/docs/alerts",
@@ -3765,6 +3769,7 @@
   "/01Start-Here/01About-Sumo-Logic/System-Requirements/Installed-Collector-Requirements": "/docs/get-started/system-requirements",
   "/01Start-Here/01About-Sumo-Logic/System-Requirements/Supported-Browsers": "/docs/get-started/system-requirements",
   "/03-send-data/installed-collectors": "/docs/send-data/installed-collectors",
+  "/03-Send-Data/Sources/02-Hosted-Collectors/Google-Cloud-Platform-Source/Google-Cloud-Storage-Source": "/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source",
   "/03Send-Data/Collect-from-Other-Data-Sources/Collect_Logs_from_AWS_Lambda_using_Lambda_Extension": "/docs/send-data/collect-from-other-data-sources/collect-aws-lambda-logs-extension",
   "/03Send-Data/Collect-from-Other-Data-Sources/Collecting-Logs-from-a-Local-File-System": "/docs/send-data/installed-collectors/sources/local-file-source",
   "/03Send-Data/Hosted-Collectors/GCP_Metrics_Source": "/docs/send-data/hosted-collectors/google-source/gcp-metrics-source",
@@ -3906,6 +3911,7 @@
   "/Dashboards-and-Alerts/Alerts/03-Create-a-Real-Time-Alert": "/docs/alerts/scheduled-searches/create-real-time-alert",
   "/docs/alerts/scheduled-searches/deprecation": "/docs/alerts/scheduled-searches/create-real-time-alert",
   "/Data_Enrichment": "/docs/send-data/data-enrichment",
+  "/docs/search/enrichment": "/docs/send-data/data-enrichment",
   "/Manage/Connections_and_Integrations/Webhook_Connections": "/docs/alerts/webhook-connections",
   "/Manage/Connections_and_Integrations/Webhook_Connections/About_Webhook_Connections": "/docs/alerts/webhook-connections/set-up-webhook-connections",
   "/Manage/Connections_and_Integrations/Webhook_Connections/Webhook_Connection_for_AWS_Lambda": "/docs/alerts/webhook-connections/aws-lambda",
@@ -3945,6 +3951,7 @@
   "/Search/Get_Started_with_Search/Search_Basics/Export_Search_Results": "/docs/search/get-started-with-search/search-basics/export-search-results",
   "/Search/Get_Started_with_Search/How_to_Use_the_Search_Page/Field_Browser": "/docs/search/get-started-with-search/search-page/field-browser",
   "/Search/Get_Started_with_Search/Search_Basics/Search_Metadata": "/docs/search/get-started-with-search/search-basics",
+  "/Search/Library/Apps-in-Sumo-Logic": "/docs/integrations/sumo-apps",
   "/Search/Library/Apps-in-Sumo-Logic/01-Sumo-Logic-Apps/Audit-App": "/docs/integrations/sumo-apps/audit",
   "/Search/Library/Apps-in-Sumo-Logic/01-Sumo-Logic-Apps/Data-Volume-App": "/docs/integrations/sumo-apps/data-volume",
   "/Search/Library/Apps-in-Sumo-Logic/01-Sumo-Logic-Apps/Data-Volume-App/Data-Volume-App-Dashboards": "/docs/integrations/sumo-apps/data-volume",
@@ -4071,6 +4078,7 @@
   "/Send-Data/Applications-and-Other-Data-Sources/Fastly": "/docs/integrations/saas-cloud/fastly",
   "/Send-Data/Applications-and-Other-Data-Sources/Fastly/01Collect-Logs-for-Fastly": "/docs/integrations/saas-cloud/fastly",
   "/Send-Data/Applications-and-Other-Data-Sources/Fastly/03Fastly-App-Dashboards": "/docs/integrations/saas-cloud/fastly",
+  "/docs/integrations/saas-cloud/google-workspace": "/docs/integrations/google/workspace",
   "/Send-Data/Applications-and-Other-Data-Sources/GitHub": "/docs/integrations/app-development/github",
   "/Send-Data/Applications-and-Other-Data-Sources/GitHub/GitHub-App-Dashboards": "/docs/integrations/app-development/github",
   "/Send-Data/Applications-and-Other-Data-Sources/Google-Cloud-Audit": "/docs/integrations/google/cloud-audit",
@@ -4096,7 +4104,9 @@
   "/Send-Data/Data-Types-and-Applications/Docker/01-Collect-Events-and-Statistics-for-the-Docker-App": "/docs/send-data/installed-collectors/sources/docker-sources",
   "/Send-Data/Data-Types-and-Applications/Amazon-EC2-Container-Service-(ECS)/01-Collect-ECS-Logs-and-Metrics": "/docs/integrations/amazon-aws/elastic-container-service",
   "/Send-Data/Data-Types/Microsoft-SQL-Server/01Collect-Logs-for-Microsoft-SQL-Server": "/docs/integrations/microsoft-azure/sql-server",
+  "/docs/integrations/microsoft-azure/storage": "/docs/integrations/microsoft-azure/azure-storage",
   "/Send-Data/Data-Types/Azure-Web-Apps": "/docs/integrations/microsoft-azure/web-apps",
+  "/Send-Data/Data-Types/Box": "/docs/integrations/saas-cloud/box",
   "/Send-Data/Data-Types/Docker": "/docs/send-data/installed-collectors/sources/docker-sources",
   "/Send-Data/Data-Types/Docker/Docker-App-Dashboards": "/docs/integrations/containers-orchestration/docker-ulm",
   "/Send-Data/Data-Types/Docker/02-Install-the-Docker-App": "/docs/integrations/containers-orchestration/docker-ulm",
@@ -4252,6 +4262,7 @@
   "/docs/cse/get-started-with-cloud-siem/introduction-to-cloud-siem": "/docs/cse/get-started-with-cloud-siem",
   "/docs/cse/cloud-siem-content-catalog": "/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog",
   "/docs/cse/cloud-siem/mapping-map-record-fields-to-schema": "/docs/cse/schema/create-structured-log-mapping",
+  "/docs/cse/cloud-siem/entities": "/docs/cse/records-signals-entities-insights",
   "/docs/cse/introduction-to-cloud-siem": "/docs/cse/get-started-with-cloud-siem",
   "/docs/integrations/sumo-apps/security-foundations": "/docs/integrations/sumo-apps/security-analytics",
   "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-amazon-kinesis": "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs",
@@ -4394,5 +4405,6 @@
   "/docs/manage/manage-subscription/create-manage-orgs-flex": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers",
   "/docs/manage/manage-subscription/manage-org-settings": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
   "/docs/integrations/amazon-aws/elastic-load-balancing": "/docs/integrations/amazon-aws/classic-load-balancer",
-  "/docs/integrations/microsoft-azure/microsoft-defender-for-cloud": "/docs/integrations/microsoft-azure/azure-security-defender-for-cloud"
+  "/docs/integrations/microsoft-azure/microsoft-defender-for-cloud": "/docs/integrations/microsoft-azure/azure-security-defender-for-cloud",
+  "/docs/integrations/azure": "/docs/integrations/microsoft-azure"
 }

docs/apm/real-user-monitoring/dashboards.md

@@ -58,7 +58,7 @@ The **RUM Overview** dashboards (**Application**, **Service**, **Service with En
 
 Use these dashboards to:
 * Analyze load and paint timings for page document loads by application, service, or action.
-* View information about core web vitals, XHR processing times/errors, and log errors.
+* View information about [core web vitals, XHR processing times/errors, and log errors](/docs/apm/real-user-monitoring/metrics/#xhr-monitoring-metrics).
 * Understand what top browsers, operating systems, and geolocations are active with your website.
 
 You can select the timing metric type in the **statistic** dropdown on the dashboard header. This will change the browser time metrics types on charts.
@@ -78,7 +78,7 @@ The **RUM - TopN - Application** and **RUM - TopN - Application Service** dashbo
 Use these dashboards to:
 * Find out top N browsers, operating systems, and geolocations by load or requests.
 * Understand the slowest and fastest browsers from a rendering perspective or geographical locations from a network perspective.
-* Understand XHR and log errors your users are experiencing.
+* Understand [XHR and log errors](/docs/apm/real-user-monitoring/metrics/#xhr-monitoring-metrics) your users are experiencing.
 * Find out which browsers and operating systems are in use by your users and where are they are geographically located.
 
 You can select the timing metric type in the **statistic** dropdown on the dashboard header. This will change the browser time metrics types on charts. You can also define the top N number for all charts.
@@ -91,7 +91,7 @@ The **RUM Performance Analytics** dashboards for **Application**, **Service**, a
 
 Use these dashboards to:
 * Filter data for specific combinations of browser, operating system, and/or geolocation.
-* Understand XHR, load, timing metrics for the selected user cohort.
+* Understand [XHR, load, timing metrics](/docs/apm/real-user-monitoring/metrics/#xhr-monitoring-metrics) for the selected user cohort.
 * Compare your selected timings against data for a different time period by selecting the appropriate option in the compare_with dropdown.
 
 You can click on any data point on the charts to open a details panel and view the **Infrastructure** tab to drill-down to traces representing user transactions from the selected time point. For cross-dimensional metrics, only the average statistic type is available.

docs/apm/real-user-monitoring/metrics.md

@@ -123,11 +123,15 @@ These CWV KPIs are captured and displayed on Overview dashboards for Document Lo
 
 ## XHR monitoring metrics
 
-An XML HTTP Request (XHR) is a form of communication between the browser and the application backend without reloading the page. A typical example is when a page needs to update a price ticker automatically or after pressing the “update price” button next to it.
+:::note
+Currently, XHR metrics extraction in RUM is only supported for applications that use the [`fetch` API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) to perform XHR calls. If your application uses [`XMLHttpRequest`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest), metrics may not be collected at this time. A fix to support `XMLHttpRequest`-based calls is in progress and expected to roll out in mid 2025. We will update this page when that support becomes available.
+:::
+
+An XMLHttpRequest (XHR) is a way for browsers to communicate with a backend server without reloading the page. For example, a page may use XHR to update a price ticker automatically or after clicking an "Update Price" button.
 
-The XHR technique is frequently used in _single-page apps_ — apps that load the page once and then provide all interaction and navigation without loading additional documents. These pages can generate one or more XHR requests, typically in the form of HTTP POSTs/GETs, related to various user actions on a page. Sumo Logic provides the following monitoring coverage for XHR interactions:
+XHR is commonly used in *single-page applications* (SPAs), which load once and then handle all interactions without refreshing the page. These apps often generate multiple XHR requests—typically HTTP `POST` or `GET` calls—based on user actions.
 
-Pages can generate one or more XHR requests, typically in the form of HTTP POSTs, related to various user actions on a page. The following performance timings are measured:
+Sumo Logic provides monitoring coverage for XHR interactions, including the following performance timings:
 
 ### `browser_time_to_first_xhr`