Merge branch 'main' into faster

Author: kimsauce

blog-cse/2024-12-20-content.md

@@ -0,0 +1,58 @@
+---
+title: December 20, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - log parsers
+  - detection rules
+image: https://help.sumologic.com/img/sumo-square.png  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management).
+- AWS Cloudtrail updates.
+    - Adds alternate mapping for `user_userId` in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/).
+- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower.
+- Rule updates.
+
+Changes are are enumerated below.
+
+## Rules
+- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
+    - Rule has been replaced by FIRST-S00065 as this version was not enabled by default.
+- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User
+    - Updated "First Seen" value from ClientInfoString to Client to reduce false positives.
+- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
+    - Replaces FIRST-S00029.
+
+## Log Mappers
+- [New] Dragos Catch All
+- [New] Mindpoint Group Keeper Authentication
+- [New] Mindpoint Group Keeper Catch All
+- [New] Trust Login Authentication
+- [New] Trust Login Catch All
+- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
+- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
+- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
+- [Updated] CloudTrail Default Mapping
+- [Updated] Firepower Catch All
+    - Additional new field mappings to support Firepower events and improve records classification.
+- [Updated] Palo Alto Config - Custom Parser
+    - Adds alternate field mappings.
+- [Updated] Palo Alto System - Custom Parser
+    - Adds alternate field mappings.
+- [Updated] Palo Alto System Auth - Custom Parser
+     - Support additional panorama-auth-success and alternate fields for mapped fields.
+
+## Parsers
+- [New] /Parsers/System/Dragos/Dragos
+- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
+- [New] /Parsers/System/Trust Login/Trust Login
+- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
+    - Adds support for FTD 430002 and 430003 events.
+- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
+    - Adds support for 'panorama-auth-success' events and improves timestamp handling.

docs/manage/deletion-requests.md

@@ -87,6 +87,14 @@ To cancel a data deletion request:
 
 ## Limitations
 
+- You can have up to 2 active deletion requests at a time.   
+- Each deletion request can include up to 1 petabyte (PB) of scanned data.   
+- You can delete up to 100,000 messages per request.   
+- The maximum time range for each deletion request is one year.   
+- Your system can support up to 10 active concurrent deletion tasks across different customers. 
+
+## FAQ
+
 ### Handling future ingestion of sensitive data
 
 Customers must manage the future ingestion of sensitive data using [processing rules](/docs/send-data/collection/processing-rules). Deletion requests will only apply to data that has already been indexed, not to data that will be ingested in the future.
@@ -95,10 +103,6 @@ Customers must manage the future ingestion of sensitive data using [processing r
 
 Deletion is restricted to partitions and the default view (sumologic_default) in Sumo Logic. Deletion is currently not supported for other view types, such as [Scheduled Views](/docs/manage/scheduled-views) or ad hoc views created using the save view operator. Sensitive data may still be present in these unsupported views.
 
-### Deletion request limit
-
-Each deletion request is limited to 100,000 messages. This means that any deletion operation can only target up to 100,000 messages at a time.
-
 ### Supported operators
 
 Currently, we only support [`as`](/docs/search/search-query-language/search-operators/as), [`concat`](/docs/search/search-query-language/search-operators/concat), [`contains`](/docs/search/search-query-language/search-operators/contains), [`decToHex`](/docs/search/search-query-language/search-operators/dectohex), [`floor`](/docs/search/search-query-language/math-expressions/floor), [`if`](/docs/search/search-query-language/search-operators/if), [`in`](/docs/search/search-query-language/search-operators/in), [`lookup`](/docs/search/search-query-language/search-operators/lookup), [`toLower`](/docs/search/search-query-language/search-operators/tolowercase-touppercase), [`matches`](/docs/search/search-query-language/search-operators/matches), [`parse`](/docs/search/search-query-language/parse-operators), [`toUpper`](/docs/search/search-query-language/search-operators/tolowercase-touppercase), and [`where`](/docs/search/search-query-language/search-operators/where) search query operators.

docs/search/get-started-with-search/search-page/log-level.md

@@ -35,7 +35,15 @@ Sumo Logic detects five log levels out of the box: FATAL, ERROR, WARN, INFO, and
 
 </details>
 
-Log-Level pattern detection is automatic, meaning you do not need to parse log levels manually or write specific queries to see your distribution of error logs. Just execute a log search, and you'll see:
+Log-Level pattern detection is automatic, meaning you do not need to parse log levels manually or write specific queries to see your distribution of error logs. 
+
+If the log message is in JSON format, the log level detection method searches for the presence of keys such as "level", "Level", "loglevel", "logLevel", "Loglevel", "LogLevel", "log_level", "log-level", "Log_Level", "Log_level", "severity", or "_loglevel." If any of these keys are identified in the log message, their corresponding values will be considered and displayed in the results. And if the log message is in a non-JSON format, the log level detection method looks for keywords such as "debug", "info/information", "warn/warning", and "error." If any of these keywords are found in the log message, their corresponding values will be considered and displayed in the results. 
+
+:::info
+If multiple log levels are detected in the message, they will be prioritized in the following order: ERROR > WARN > INFO > DEBUG.
+:::
+
+Just execute a log search to see the `_loglevel` field:
 
 <img src={useBaseUrl('img/search/get-started-search/search-page/log-level-legend.png')} width="950" alt="log-level-legend" />