Merge branch 'main' into doc_pr_validations

Author: ntanwar-sumo

.github/workflows/pr.yml

@@ -44,5 +44,5 @@ jobs:
         name: Check spelling
         with:
           skip: "*.svg,*.js,*.map,*.css,*.scss"
-          ignore_words_list: "aks,atleast,cros,ddress,fiel,ist,nd,ot,pullrequest,ser,shttp,wast,fo,seldomly,delt,cruzer,plack,secur,te,nginx,Nginx,notin"
+          ignore_words_list: "aks,atleast,cros,ddress,delink,fiel,ist,nd,ot,pullrequest,ser,shttp,wast,fo,seldomly,delt,cruzer,plack,secur,te,nginx,Nginx,notin"
           path: docs

blog-cse/2025-06-12-content.md

@@ -0,0 +1,82 @@
+---
+title: June 12, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- New detection rules for browser extension persistence, Kerberos certificate authentication, GitHub vulnerability alerts, Okta application access monitoring, and threat intelligence email matching.
+- New product support for Atlassian audit and login events.
+- Enhanced Azure Event Hub Windows Defender integration with new threat event mapping for passthrough alerts.
+- Cisco ASA updates with new network event support and NAT IP handling improvements.
+- Citrix NetScaler mapping updates to support additional events.
+- Update to Auth0 successful/unsuccessful login mappings to properly classify each.
+- CrowdStrike NextGen SIEM Alert event support.
+- Mimecast security event mapping improvements across several event types.
+- AWS CloudTrail network event enhancements with event success/failure handling and protocol support.
+- Parser updates to support additional event formats for multiple platforms.
+
+Changes are enumerated below.
+
+### Rules
+- [New] MATCH-S00897 Chromium Extension Installed
+    - Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values: `file_path` and/or `changeTarget` depending on the source of the telemetry. This rule logic utilizes Sysmon file creation events, which need to be enabled and configured on relevant assets.
+- [New] FIRST-S00064 First Seen Certificate Thumbprint in Successful Kerberos Authentication
+    - This alert looks for a first seen certificate thumbprint being used to authenticate to an Active Directory environment, resulting in a Kerberos ticket being successfully issued. This alert is designed to catch Active Directory Certificate Services related attacks, ensure the certificate thumprint is valid, correlate the thumbprint ID with other Certificate Services events, particularly looking for recently issued templates.
+- [New] MATCH-S00949 GitHub - Vulnerability Alerts
+    - Detects vulnerability alerts created for a GitHub repository.
+- [New] FIRST-S00070 Okta - First Seen Application Accessed by User
+    - This signal looks for a user that is accessing an application behind Okta SSO that is first seen since the baseline period. Ensure that access of this application is expected and authorized, look for other Okta events around the user account in question to determine whether access to this application is expected and authorized.
+- [New] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
+    - This rule detects when a user has utilized multiple distinct operating systems when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression or a match list.
+- [New] MATCH-S01020 Threat Intel - Matched Target Email
+    - Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
+- [New] MATCH-S01019 Threat Intel - Matched User Email
+    - Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
+- [Updated] MATCH-S00170 Windows - Scheduled Task Creation
+    - Fixed spelling error.
+
+### Log Mappers
+- [New] Altassian audit events
+- [New] Altassian login events
+- [New] Azure Event Hub - Windows Defender Azure Alert
+- [New] Cisco ASA 4180(18|19|44)
+- [New] Cisco ASA 713nnn JSON
+- [New] Cisco ASA Network events
+- [New] Citrix NetScaler - SSL Handshake Failure
+- [New] CrowdStrike NextGen SIEM
+- [Updated] Auth0 Failed Authentication
+- [Updated] Auth0 Successful Authentication
+- [Updated] Azure Event Hub - Windows Defender Logs
+- [Updated] Cisco ASA 106010 JSON
+- [Updated] Cisco ASA 20900(4|5) JSON
+- [Updated] Cisco ASA 50000(4|3) JSON
+- [Updated] Citrix NetScaler - TCP Connection
+- [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
+- [Updated] F5 HTTP Request
+- [Updated] Mimecast AV Event
+- [Updated] Mimecast Audit Authentication Logs
+- [Updated] Mimecast Audit Hold Messages
+- [Updated] Mimecast Audit Logs
+- [Updated] Mimecast DLP Logs
+- [Updated] Mimecast Email logs
+- [Updated] Mimecast Impersonation Event
+- [Updated] Mimecast Spam Event
+- [Updated] Mimecast Targeted Threat Protection Logs
+
+### Parsers
+- [New] /Parsers/System/Atlassian/Atlassian Audit Events
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
+- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
+- [Updated] /Parsers/System/AWS/CloudTrail
+- [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
+- [Updated] /Parsers/System/F5/F5 Syslog
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+- [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

blog-service/2025-06-16-apps-2.md

@@ -0,0 +1,12 @@
+---
+title: Snyk (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - snyk
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Snyk app for Sumo Logic. This app enables you to gain real-time visibility into security vulnerabilities across your software projects and dependencies. This app also helps security and DevOps teams track risk exposure, prioritize remediation, and maintain a strong security posture. [Learn more](/docs/integrations/webhooks/snyk).

blog-service/2025-06-16-apps.md

@@ -0,0 +1,68 @@
+---
+title: AWS CloudTrail Updates (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - aws-cloudtrail
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+AWS is streamlining [CloudTrail](https://aws.amazon.com/cloudtrail/) events for [IAM Identity Center](https://aws.amazon.com/iam/identity-center/) to retain only the essential fields needed for audit and incident response workflows. These changes improve user identification and integration with directories like Okta and Microsoft Active Directory, and do not impact CloudTrail events from other AWS services.
+
+- To support this AWS update, Sumo Logic has revised several AWS apps and Cloud SIEM parsers. You are requested to reinstall the affected apps.
+- If you use CloudTrail data in the saved searches, dashboards, or detection rules, you are required to update your custom content before AWS enforces the changes on July 14, 2025.
+
+To learn more, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/).
+
+### Impact following the AWS CloudTrail updates
+
+AWS is updating CloudTrail events for IAM Identity Center, affecting how user identity data is structured. So, if you are using the updated fields in your Cloud SIEM content or across the Sumo Logic platform, you need to update any saved queries, dashboards, or detection rules to reflect these changes and ensure continued functionality.
+
+Key actions required while updating the AWS CloudTrail include:
+- Sumo Logic provided apps must be manually reinstalled to incorporate the updated event field mappings.
+- Cloud SIEM parsers have auto-updated and require no customer intervention.
+
+### Action plan for Sumo Logic users
+
+#### Step 1: Reinstall the relevant Sumo Logic apps
+
+If you're using any of the following apps that consume CloudTrail data, you must reinstall them:
+- [Amazon CloudTrail – Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/)
+- [AWS CloudTrail](/docs/integrations/amazon-aws/cloudtrail/)
+- [CIS AWS Foundations Benchmark](/docs/integrations/amazon-aws/cis-aws-foundations-benchmark/)
+- [PCI Compliance for AWS CloudTrail](/docs/integrations/amazon-aws/cloudtrail-pci-compliance/)
+- [Threat Intel for AWS](/docs/integrations/amazon-aws/threat-intel/)
+- [Cloud Infrastructure Security for AWS](/docs/security/additional-security-features/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/)
+
+To reinstall any of the above apps, follow the steps below:
+
+1. Navigate to the **App Catalog**.
+1. Search for the relevant app.
+1. Install to deploy updated content under a new folder.
+
+:::info
+These are Classic apps (V1), and reinstalling them will create a new folder in your Content Library with updated dashboards. 
+:::
+
+#### Step 2: Update the custom saved searches and dashboards
+
+If you’ve created custom content based on CloudTrail fields, manual field updates as given below will be required to accommodate the new schema:
+- Move the `userName` field from the `userIdentity` element to the `additionalEventData` element.
+- Remove the `principalId` field from the schema.
+- Move the `userId`, `identityStoreArn`, and `credentialId` fields to the `userIdentity` element.
+
+For more information on field changes, see [AWS Security Blog](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=How%20to%20prepare%20your%20workflows%20for%20the%20upcoming%20changes%20to%20IAM%20Identity%20Center%20user%20identification%20in%20CloudTrail).
+
+:::note
+AWS plans to implement these enhancements on [July 14, 2025](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=Effective%20July%2014%2C%202025).
+
+Sumo Logic apps are backward-compatible, allowing you to update the apps ahead of time. For any custom content outside of Sumo Logic’s apps or parsers, ensure your changes are backward compatible and deploy updates before July 14, 2025.
+:::
+
+### FAQ
+
+#### What happens if I don’t update my applications or searches?
+
+Failure to update your apps, saved searches, or dashboards will result in user-related fields not being parsed correctly. Consequently, visualizations and panels relying on those fields will appear empty or display inaccurate data.

blog-service/2025-06-17-apps.md

@@ -0,0 +1,12 @@
+---
+title: Palo Alto Networks 11 (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - palo-alto-networks-11
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Palo Alto Networks 11 app for Sumo Logic. This app enables you to analyze traffic and understand your Palo Alto Networks environments. In addition, you can dive deeper into the data, which is broken down by threat detection indicators, malware type, and so on. [Learn more](/docs/integrations/cloud-security-monitoring-analytics/palo-alto-networks-11).

blog-service/2025-06-18-dashboards.md

@@ -0,0 +1,12 @@
+---
+title: Scope-Based Variable (Dashboards)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - dashboard
+  - scope-based-variable
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We’re excited to introduce a new dashboard variable type: Scope-Based Variables. Scope-Based Variables act as log filters that can be automatically applied to all or selected panels within a dashboard. This helps you to easily filter data across multiple panels without needing to manually edit each panel’s query to accept the variable. [Learn more](/docs/dashboards/filter-template-variables). 

blog-service/2025-06-20-apps.md

@@ -0,0 +1,13 @@
+---
+title: New SaaS and Cloud Apps Release (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - snowflake-logs
+  - akamai-cpc
+hide_table_of_contents: true    
+---
+
+- **Akamai CPC**.We're excited to introduce the new Akamai CPC app for Sumo Logic. This app enables you to monitor threats and respond to them in real time, enforcing compliance for client-side web applications using rich dashboards and Akamai CPC data. [Learn more](/docs/integrations/saas-cloud/akamai-cpc).
+
+- **Snowflake Logs**. We're excited to introduce the new Snowflake Logs app for Sumo Logic. This app enables you to gain real-time insights into key metrics, query performance, and overall health of the Snowflake environments to optimize operations, support informed decisions, and maximize Snowflake's potential. [Learn more](/docs/integrations/saas-cloud/snowflake-logs).

blog-service/2025-06-20-manage.md

@@ -0,0 +1,15 @@
+---
+title: Deactivate and Delink the Child Orgs (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - child-org
+  - deactivate-and-delink
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're happy to introduce the deactivate and delink option to child orgs, this helps you to deactivate the child org when it is no longer needed and eventually delink it after the 48 hours cooling-off period.
+
+[Learn more](/docs/manage/manage-subscription/create-and-manage-orgs/).