
Commit 1893a14

Merge branch 'main' into update-usage-management-doc
2 parents b209a20 + b977dc5 commit 1893a14


175 files changed

+3000
-1365
lines changed


.clabot

Lines changed: 3 additions & 1 deletion
@@ -170,7 +170,9 @@
170170
"ishaanahuja29",
171171
"raunakmandaokar",
172172
"bradtho",
173-
"Misterjohnson87"
173+
"Misterjohnson87",
174+
"lol3909",
175+
"Hellfire4959"
174176
],
175177
"message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we'll add you to our approved list of contributors.",
176178
"label": "cla-signed",
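Review bot: the array edit is well-formed (the trailing comma moves from "Misterjohnson87" to the new entries and "Hellfire4959" is left as the unterminated last element), so nothing to change in the JSON; since this file is the allowlist the CLA bot checks against, just confirm that both new contributors, "lol3909" and "Hellfire4959", actually submitted the form linked in the "message" field before this merge.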

blog-cse/2024-10-04-content.md

Lines changed: 12 additions & 6 deletions
@@ -23,28 +23,34 @@ This content release includes:
2323
* Other changes enumerated below.
2424

2525
## Rules
26+
- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
27+
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
2628
- [New] MATCH-S00922 AWS Bedrock Agent Created
2729
- This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
2830
- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted
2931
- AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious.
3032
- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User
3133
- A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field.
32-
- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
33-
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
34-
- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
35-
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
3634
- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
3735
- A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions.
36+
- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
37+
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
38+
- [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User
39+
- This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected.
3840
- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
3941
- An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
42+
- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
43+
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
4044
- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
4145
- AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives.
42-
- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
43-
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
4446
- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
4547
- An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
4648
- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
4749
- An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
50+
- [New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User
51+
- An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function.
52+
- [New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events
53+
- This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges.
4854
- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
4955
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
5056

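Review bot: two consistency issues in the added entries. The new titles for FIRST-S00084, OUTLIER-S00024 and OUTLIER-S00025 put " - " between the rule ID and the name (`- [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User`), while every other entry in this list separates them with a single space; drop the dash. The OUTLIER-S00024 description counts GetItem events, which are reads, but then asks the analyst to confirm "business justification for modifying DynamoDB tables and instances"; "reading from" would match the event the rule actually baselines. The reordering of FIRST-S00082, FIRST-S00086 and MATCH-S00921 into ID order moves text only and leaves the descriptions byte-identical, which is fine. Pre-existing and outside the change, but worth fixing while here: "AWS EC2 launch templates allows" in FIRST-S00087 should be "allow".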
blog-service/2023/12-31.md

Lines changed: 2 additions & 2 deletions
@@ -106,7 +106,7 @@ To learn more, see [Updating Your AWS Observability Stack](/docs/observability/a
106106

107107
We're excited to announce that you can use roles to restrict access to specific data in search indexes. When you create a role, you can select **Index based** filters to allow access to data based on indexes, or you can select **Advanced filter** to define a dataset to allow access based on search criteria. This ensures that users only see the data they are supposed to.
108108

109-
[Learn more](/docs/manage/users-roles/roles/rbac-for-indexes).
109+
[Learn more](/docs/manage/users-roles/roles/create-manage-roles/).
110110

111111
:::note
112112
This feature is in Beta. To participate, contact your Sumo Logic account executive or our Support Team.
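Review bot: the replaced link pointed at a dedicated `rbac-for-indexes` page, while the new target `/docs/manage/users-roles/roles/create-manage-roles/` is the general role-management page; the paragraph above still names the controls **Index based** filters and **Advanced filter**, so confirm the new target documents those options under those names, otherwise readers of this archived note will land on a page that does not match the text. The added trailing slash is consistent with the other `/docs/...` links in this file.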
@@ -267,7 +267,7 @@ The new setup guides for AWS services are:
267267
- [Amazon EventBridge](/docs/integrations/amazon-aws/amazon-eventbridge/)
268268
- [Amazon GameLift](/docs/integrations/amazon-aws/amazon-gamelift/)
269269
- [Amazon MSK Prometheus](/docs/send-data/collect-from-other-data-sources/amazon-msk-prometheus-metrics-collection)
270-
- [Amazon OpenSearch Service](/docs/integrations/amazon-aws/amazon-opensearch-service/)
270+
- [Amazon OpenSearch Service](/docs/integrations/amazon-aws/amazon-opensearch/)
271271
- [AWS Amplify](/docs/integrations/amazon-aws/aws-amplify/)
272272
- [AWS Application Migration Service](/docs/integrations/amazon-aws/aws-application-migration-service/)
273273
- [AWS App Runner](/docs/integrations/amazon-aws/aws-apprunner/)

blog-service/2024-05-13-apps.md

Lines changed: 4 additions & 4 deletions
@@ -16,15 +16,15 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
1616
We're excited to announce increased visibility into your AWS Cloud environment with the following new features:
1717
* **Out-of-the-box security policy checks**. Sumo Logic Cloud Infrastructure Security is now configured by default to use the out-of-the box policy checks. You can now choose to leverage the out-of-the-box policy checks instead of, or in conjunction with, the policy checks provided by AWS Security Hub.
1818
* **Additional investigation capabilities**. The update includes the addition of three new dashboards:
19-
* [**Infrastructure Overview**](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/#infrastructure-overview). Get deep visibility into your cloud infrastructure to understand how many cloud resources are running and their configurations.
20-
* [**Security Control Failures Overview**](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/#security-control-failures-overview). See misconfigurations in your environment that may leave you vulnerable to attackers.
21-
* [**Security Control Failures Investigation**](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/#security-control-failures-investigation). Navigate and prioritize the most important misconfigurations in your environment.
19+
* **Infrastructure Overview**. Get deep visibility into your cloud infrastructure to understand how many cloud resources are running and their configurations.
20+
* **Security Control Failures Overview**. See misconfigurations in your environment that may leave you vulnerable to attackers.
21+
* **Security Control Failures Investigation**. Navigate and prioritize the most important misconfigurations in your environment.
2222
* **AI-powered remediation plans**. You can now use automated remediation playbooks built specifically for Cloud Infrastructure Security for AWS.
2323

2424
This functionality is in preview. To participate, reach out to your Sumo Logic account executive.
2525

2626
[Learn more](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/).
2727

2828
:::note
29-
As part of the preview, you can use CloudQuery logs with Cloud Infrastructure Security for AWS. To use the logs, configure the CloudQuery source when you [deploy the solution](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/#step-3-deploy-aws).
29+
As part of the preview, you can use CloudQuery logs with Cloud Infrastructure Security for AWS. To use the logs, configure the CloudQuery source when you deploy the solution.
3030
:::
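Review bot: the three dashboard bullets at lines 19-21 lose their deep links to the `#infrastructure-overview`, `#security-control-failures-overview` and `#security-control-failures-investigation` anchors, and the note at line 29 loses its `#step-3-deploy-aws` link, while the `[Learn more]` link to the same page at line 26 is kept. If those anchors were removed from the target page this is the right fix; if they were only renamed, relinking to the new anchors would be better than dropping navigation from the note.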
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
---
2+
title: Automox C2C Source (Collection)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- collection
6+
- automox
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
13+
14+
We're excited to announce the release of our new cloud-to-cloud source for Automox. This source helps you to collect all events objects, audit trail events, and device inventory details from the Automox platform, and ingest them into Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/automox-source).
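Review bot: "collect all events objects" at line 14 should read "all event objects" (or simply "all events"). The rendered page does not show a file path for this hunk, unlike the other new release-note files in this commit, so double-check the file landed in the intended `blog-service` date folder.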

blog-service/2024-10-14-manage.md

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
---
2+
title: Role Based Index Access (Manage)
3+
image: https://www.sumologic.com/img/logo.svg
4+
keywords:
5+
- rbac
6+
- index
7+
- roles
8+
hide_table_of_contents: true
9+
---
10+
11+
import useBaseUrl from '@docusaurus/useBaseUrl';
12+
13+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
14+
15+
We're excited to announce that when you create a role, you can select **Index Access** to restrict access to data in specific indexes. In addition, when you now select **Search Filter**, you can create filtering to restrict access to log analytics, audit, and security data. These enhancements ensure that users only see the data they are supposed to.
16+
17+
This feature was [previously only available to participants in our beta program](/release-notes-service/2023/12/31/#october-27-2023-manage-account). It is now available for general use.
18+
19+
:::note
20+
These changes are rolling out across deployments incrementally and will be available on all deployments by October 25, 2024.
21+
:::
22+
23+
[Learn more](/docs/manage/users-roles/roles/create-manage-roles/#create-a-role).
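Review bot: "you can create filtering to restrict access" at line 15 reads awkwardly; "you can create filters that restrict access" is cleaner, and "when you now select" can drop "now" since the sentence already opens with "In addition". The beta link at line 17 relies on the heading-generated anchor `#october-27-2023-manage-account` in the 2023-12-31 post; such anchors break silently when the heading text is edited, so verify it still resolves.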
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
---
2+
title: Kandji C2C Source (Collection)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- collection
6+
- kandji
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
13+
14+
We're excited to announce the release of our new cloud-to-cloud source for Kandji. This source helps you to collect threat details, device lists, activity logs, and device information from the Kandji platform, and ingest them into Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/kandji-source).

blog-service/2024-10-21-apps-2.md

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
---
2+
title: Atlassian (Apps)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- atlassian
6+
- apps
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
13+
14+
We're excited to introduce the new Atlassian app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Atlassian source to collect events logs through the Events API, helping you to to monitor critical events such as user activities, policy changes, group and API token creations, and product access.
15+
16+
Explore our technical documentation [here](/docs/integrations/saas-cloud/atlassian/) to learn how to set up and use the Atlassian app for Sumo Logic.
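Review bot: line 14 has a doubled "to" in "helping you to to monitor", and "events logs" should be "event logs". The capitalised "Cloud-to-Cloud Atlassian source" also differs from the lower-case "cloud-to-cloud source" wording used in the Automox and Kandji notes added in this same commit; pick one form.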

blog-service/2024-10-21-apps.md

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
title: Enhancements to Cloud Infrastructure Security for AWS (Apps)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- apps
6+
- app catalog
7+
- aws
8+
- cloud infrastructure security
9+
hide_table_of_contents: true
10+
---
11+
12+
import useBaseUrl from '@docusaurus/useBaseUrl';
13+
14+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
15+
16+
We're happy to announce enhancements to Cloud Infrastructure for AWS. These capabilities were [previously only available in a preview form](/release-notes-service/2024/05/13/apps/). They are now available for general use.
17+
18+
You can now more easily configure sources on a simplified screen, allowing you to use existing sources or create new sources.
19+
20+
<img src={useBaseUrl('img/integrations/amazon-aws/cis-for-aws-install-0.png')} alt="Configure Sources screen" style={{border: '1px solid gray'}} width="700"/>
21+
22+
[Learn more](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/).
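Review bot: line 16 announces "enhancements to Cloud Infrastructure for AWS" while the title, the `[Learn more]` link and the linked preview note all call the product "Cloud Infrastructure Security for AWS"; restore the missing word. The `<img>` at line 20 references `img/integrations/amazon-aws/cis-for-aws-install-0.png`, which is not part of this hunk, so confirm the asset is added elsewhere in this 175-file commit or the page will ship with a broken image.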
