Merge branch 'main' into crowdstrike_alerts

Author: ruturajsumo

.clabot

@@ -5,13 +5,9 @@
     "JV0812",
     "jpipkin1",
     "JainM6",
-    "swiatekm-sumo",
     "docsSeema",
-    "@dependabot[bot]",
-    "dependabot[bot]",
     "angadrandhawa1",
     "kkujawa-sumo",
-    "open-source-collection-team",
     "mat-rumian",
     "perk-sumo",
     "jmartini-sumo",
@@ -28,12 +24,10 @@
     "agaur",
     "bhargavisumo",
     "ravipadala-sumo",
-    "jd-sumo",
     "davidcarltonsumo",
     "pkazmir-sumo",
     "dkarabin-sumo",
     "kevin-sumo",
-    "mgol-sumo",
     "crm6718",
     "mvirga-sumo",
     "tarunk2",
@@ -176,7 +170,7 @@
     "antonymartinsumo",
     "amee-sumo"
   ],
-  "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we'll add you to our approved list of contributors.",
+  "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",
   "recheckComment": "The GitHub CLA Bot is rechecking to see that you have signed our CLA."
 }

.github/CODEOWNERS

@@ -1,14 +1,16 @@
+# More details: https://help.github.com/articles/about-codeowners
+
 # Default owners for everything in the repo.
-* @kimsauce @jpipkin1 @JV0812 @mafsumo
+* @kimsauce @jpipkin1 @JV0812 @mafsumo @amee-sumo
 
-# Owners of all files in the `/docs` directory and its subdirectories.
-/docs/   @kimsauce @jpipkin1 @JV0812 @mafsumo
+# Owners of all files in the `/docs/integrations` directory.
+/docs/integrations/ @SumoLogic/sumoappdev @kimsauce @jpipkin1 @JV0812 @mafsumo @amee-sumo
 
 # Owners of all files in the `/docs/send-data/kubernetes` directory.
-/docs/send-data/kubernetes/  @SumoLogic/open-source-collection-team @kimsauce @jpipkin1 @JV0812 @mafsumo
+/docs/send-data/kubernetes/ @SumoLogic/open-source-collection-team @SumoLogic/k8s-developers @kimsauce @jpipkin1 @JV0812 @mafsumo @amee-sumo
 
 # Owners of all files in the `/docs/send-data/opentelemetry-collector` directory and its subdirectories.
-/docs/send-data/opentelemetry-collector/  @SumoLogic/open-source-collection-team @kimsauce @jpipkin1 @mafsumo @JV0812
+/docs/send-data/opentelemetry-collector/ @SumoLogic/open-source-collection-team @kimsauce @jpipkin1 @mafsumo @JV0812 @amee-sumo
 
 # GitHub workflow owners
 /.github/workflows/ @SumoLogic/open-source-collection-team @kimsauce

blog-collector/2024-11-26.md

@@ -0,0 +1,25 @@
+---
+title: Version 19.516-1
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-collector/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+In this release, we've enhanced the security and stability of the Collector with added support for security patches.
+		
+### Security Fixes
+		
+- Upgraded `Tanuki version` to version 3.5.60 to fix the collector intermittently crashing issue.
+- Upgraded collector JRE to **Amazon Corretto Version 8.432.06.1**.
+		
+### Troubleshooting
+		
+When upgrading this collector version, the collector running as a non-root user (run as mode) or on a Mac operating system cannot be upgraded through the API/Web UI. To resolve these issue, follow the respective steps below:
+	- **Collector running as a non-root user.** An error message will be displayed indicating that the upgrade is not possible. The upgrade must be performed manually on your machine. Refer to [Upgrade Collectors in Sumo Logic](/docs/send-data/collection/upgrade-collectors/#upgrade-collectors-using-the-command-line) to upgrade the collector manually.
+	- **Collector running on Mac.** The process will stop while upgrading, and the collector will need to be restarted manually on your machine. Use the code below to restart manually.
+        ```
+        sudo ./collector start
+        ```

blog-cse/2023/12-31.md

@@ -247,8 +247,6 @@ The new index is automatically generated and retained for a period of 2 years at
 
 As a result, the optional legacy Signal Forwarding feature in Cloud SIEM will be deprecated on **November 15, 2023**. Existing data will not be deleted, but new Signals generated after that date will no longer be forwarded using that feature and the option will no longer be available. (Signals will continue to be forwarded automatically to `sec_signal`.) Customers leveraging data forwarded using the legacy feature to generate dashboards (or for other use cases) will need to modify those applications to use the new `sec_signal` index before then. Note that the content of the `sec_signal` index is not identical to the content in data forwarded using the legacy option.
 
-For more information about this change, and the differences between the two data sets, refer to our [2023 Cloud SIEM Signal Index Migration FAQ](/docs/cse/records-signals-entities-insights/signal-index-migration-faq/).
-
 
 
 ---

blog-cse/2024-11-22-content.md

@@ -0,0 +1,61 @@
+---
+title: November 22, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - log parsers
+  - detection rules
+  - tag schemas
+image: https://help.sumologic.com/img/sumo-square.png  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+* New mapping support for: Qumulo Core, and Teramind Teraserver.
+* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
+* Updates to the existing Okta log mappings to support a new HTTP source log formatting.
+* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.
+
+Changes are enumerated below.
+
+### Rules
+* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
+   * Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
+* [New] THRESHOLD-S00116 Password Attack from IP
+   * This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
+* [Updated] FIRST-S00095 Password Attack from Host
+   * Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
+* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
+   * Baseline retention window size increased from 35 days to the standard 90 day retention.
+   * Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application".
+
+### Log Mappers
+* [New] Palo Alto Threat DLP non File - Custom Parser
+   * Mapping support added for event id pattern: threat-dlp-non-file.
+* [New] Qumulo Core - Catch All
+* [New] Qumulo Core - Login
+* [New] Teramind Authentication
+* [New] Teramind Catch All
+* [New] Teramind Email
+* [Updated] Code42 Incydr Alerts C2C
+* [Updated] Okta Authentication - auth_via_AD_agent
+* [Updated] Okta Authentication - auth_via_mfa
+* [Updated] Okta Authentication - auth_via_radius
+* [Updated] Okta Authentication - sso
+* [Updated] Okta Authentication Events
+* [Updated] Okta Catch All
+* [Updated] Okta Security Threat Events
+
+### Parsers
+* [New] /Parsers/System/Qumulo/Qumulo Core
+* [New] /Parsers/System/Salesforce/Salesforce
+* [New] /Parsers/System/Teramind/Teramind Teraserver
+* [Updated] /Parsers/System/Code42/Code42 Incydr
+   * Transform update for a new alert log format for tenantId.
+* [Updated] /Parsers/System/Okta/Okta
+   * Modified event_id from eventType to event_type.
+* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
+   * Additional parsing support for a new Palo Alto Threat event format.

blog-csoar/2024-11-20-content.md

@@ -0,0 +1,46 @@
+---
+title: November 20, 2024 - Content Release
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-csoar/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This release introduces new integrations, new playbooks, and several updates.
+
+### Integrations
+
+* [New] [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat)
+* [New] [Malwarebytes Oneview](/docs/platform-services/automation-service/app-central/integrations/malwarebytes-oneview)
+* [New] [Silent Push](/docs/platform-services/automation-service/app-central/integrations/silent-push)
+* [New] [Sumo Logic Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools)
+* [New] [VirusTotal V3](/docs/platform-services/automation-service/app-central/integrations/virustotal-v3)
+* [Updated] [APIVoid](/docs/platform-services/automation-service/app-central/integrations/apivoid)
+* [Updated] [Atlassian Jira V2](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-v2)
+* [Updated] [Atlassian Opsgenie](/docs/platform-services/automation-service/app-central/integrations/atlassian-opsgenie)
+* [Updated] [AWS EC2](/docs/platform-services/automation-service/app-central/integrations/aws-ec2)
+* [Updated] [AWS EKS](/docs/platform-services/automation-service/app-central/integrations/aws-eks)
+* [Updated] [Azure AD](/docs/platform-services/automation-service/app-central/integrations/azure-ad)
+* [Updated] [Cloudflare](/docs/platform-services/automation-service/app-central/integrations/cloudflare)
+* [Updated] [ConnectWise Manage](/docs/platform-services/automation-service/app-central/integrations/connectwise-manage)
+* [Updated] [Cortex XDR](/docs/platform-services/automation-service/app-central/integrations/cortex-xdr)
+* [Updated] [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon)
+* [Updated] [Freshservice](/docs/platform-services/automation-service/app-central/integrations/freshservice)
+* [Updated] [Gmail](/docs/platform-services/automation-service/app-central/integrations/gmail)
+* [Updated] [HTTP Tools](/docs/platform-services/automation-service/app-central/integrations/http-tools)
+* [Updated] [IBM X-Force Exchange](/docs/platform-services/automation-service/app-central/integrations/ibm-x-force-exchange)
+* [Updated] [Microsoft EWS](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews)
+* [Updated] [Microsoft OneDrive](/docs/platform-services/automation-service/app-central/integrations/microsoft-onedrive)
+* [Updated] [Microsoft Sentinel](/docs/platform-services/automation-service/app-central/integrations/microsoft-sentinel)
+* [Updated] [Netskope V2](/docs/platform-services/automation-service/app-central/integrations/netskope-v2)
+* [Updated] [Slack](/docs/platform-services/automation-service/app-central/integrations/slack)
+* [Updated] [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem)
+* [Updated] [Sumo Logic Notifications by Gmail](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-gmail)
+* [Updated] [URLScan.io](/docs/platform-services/automation-service/app-central/integrations/urlscan.io)
+* [Updated] [VirusTotal](/docs/platform-services/automation-service/app-central/integrations/virustotal)

blog-service/2024-11-22-collection.md

@@ -0,0 +1,14 @@
+---
+title: Trend Micro C2C Source (Collection)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - collection
+  - trend-micro
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We're excited to announce the release of our new cloud-to-cloud source for Trend Micro. This source helps you to collect alert details from the Trend Micro platform, and ingest them into Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source).

cid-redirects.json

@@ -2004,6 +2004,8 @@
   "/cid/10220": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/code42-incydr-source",
   "/cid/25618": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cse-aws-ec-inventory-source",
   "/cid/25619": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source",
+  "/cid/25779": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source",
+  "/cid/25719": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source",
   "/cid/25620": "/docs/integrations/security-threat-detection/duo-security",
   "/cid/25621": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source",
   "/cid/25622": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mimecast-source",
@@ -2636,6 +2638,7 @@
   "/cid/16323": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/druva-source",
   "/cid/13428": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/kandji-source",
   "/cid/17343": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/automox-source",
+  "/cid/17344": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/smartsheet-source",
   "/cid/20172": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source",
   "/cid/19880": "/docs/metrics/metrics-operators/predict",
   "/cid/19881": "/docs/metrics/metrics-operators/accum",

docs/alerts/monitors/create-monitor.md

@@ -370,7 +370,9 @@ If your data is coming from the [Amazon CloudWatch Source for Metrics](/docs/s
 
 ## Step 3. Notifications (optional)
 
-Configure who gets notified when the monitor triggers an alert. When a trigger condition is met, you can send notifications to other people and services. Metrics monitors have an option to send notifications either as a group or separately. **Group Notifications** define whether you want single notifications per time series that match the Monitor query or you want group notifications where you receive a single notification for the entire Monitor. Log monitors always group notifications.
+Configure who gets notified when the monitor triggers an alert. When a trigger condition is met, you can send notifications to other people and services. 
+
+Notifications will be sent when the monitor is triggered as configured in the [Alert Grouping](/docs/alerts/monitors/alert-grouping/) section of the monitor.
 
 <img src={useBaseUrl('img/alerts/monitors/new-monitor-notifications.png')} alt="Screenshot of the Notifications section in Sumo Logic's 'New Monitor' setup page. It includes an option to select the preferred notification time zone, set to (GMT-06:00) America/Chicago. Below is a section to configure connection types for notifications, with options for Critical, Alert, Recovery, Warning, and Missing Data. There is also a button to add a new notification." style={{border: '1px solid gray'}} width="800"/>
 

docs/alerts/monitors/settings.md

@@ -116,9 +116,10 @@ Click the **Mute** button mute the monitor. See also: [Muting Schedules](/docs/
 Click the **More Actions** menu to view more options, including:
 
 * **Copy Path**. Copies the path of the monitor to your computer clipboard.
-* **Duplicate**. Makes another monitor based on the same settings.
+* **Duplicate**. Copies the monitor and gives you creator permissions on the duplicated monitor. 
 * **Move**. Moves the monitor to a different path.
 * **Export**. Provides JSON of the monitor, allowing you to transfer content within Sumo Logic by copying this JSON, then pasting it into the import dialog in the [Library](/docs/get-started/library) location you choose. This JSON format may change without notice. 
+* **Copy Link**. Copies a link to the monitor. Provide the link to any Sumo Logic user in your organization so they can view the monitor. While this option doesn't allow you to share the monitor in the same way you can share a dashboard, you can use this option to quickly allow others in your Sumo Logic organization to view the monitor details.
 
 <img src={useBaseUrl('img/alerts/monitors/more-actions.png')} alt="monitor more actions" style={{border: '1px solid gray'}} width="600"/>