SumoLogic
diff --git a/‎.clabot‎
Lines changed: 5 additions & 1 deletion b/‎.clabot‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎blog-cse/2025-08-01-content.md‎
Lines changed: 99 additions & 0 deletions b/‎blog-cse/2025-08-01-content.md‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎blog-cse/2025-08-15-content.md‎
Lines changed: 41 additions & 0 deletions b/‎blog-cse/2025-08-15-content.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎blog-cse/2025-08-19-application.md‎
Lines changed: 23 additions & 0 deletions b/‎blog-cse/2025-08-19-application.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎blog-cse/2025-08-20-content.md‎
Lines changed: 15 additions & 0 deletions b/‎blog-cse/2025-08-20-content.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎blog-cse/2025-08-27-content.md‎
Lines changed: 44 additions & 0 deletions b/‎blog-cse/2025-08-27-content.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎blog-service/2025-07-28-alerts.md‎
Lines changed: 19 additions & 0 deletions b/‎blog-service/2025-07-28-alerts.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎blog-service/2025-07-31-apps.md‎
Lines changed: 21 additions & 0 deletions b/‎blog-service/2025-07-31-apps.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎blog-service/2025-07-31-collection.md‎
Lines changed: 12 additions & 0 deletions b/‎blog-service/2025-07-31-collection.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎blog-service/2025-08-01-collection.md‎
Lines changed: 23 additions & 0 deletions b/‎blog-service/2025-08-01-collection.md‎
Lines changed: 23 additions & 0 deletions
@@ -186,7 +186,11 @@
     "stephenthedev",
     "Apoorvkudesia-sumologic",
     "ntanwar-sumo",
-    "aj-sumo"
+    "aj-sumo",
+    "samiura",
+    "naveenrama",
+    "fguimond",
+    "rmeyer-legato"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",
 
@@ -0,0 +1,99 @@
+---
+title: August 1, 2025 - Content Release
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - log mappers
+  - parsers
+  - rules
+  - schema
+hide_table_of_contents: true    
+---
+
+This content release includes:
+- New rules to assist in detection of the ToolShell exploit against Microsoft SharePoint Server (CVE-2025-53770, CVE-2025-53771) and other web shell attack activity.
+- Updates to rules.
+- Parsing support for Open Cybersecurity Schema Framework (OCSF) logging.
+    - Designed to support AWS Security Hub Findings via OCSF, but broadly compatible with other OCSF data sources.
+- Mapping support for AWS Security Hub Findings via OCSF.
+    - AWS Security Hub via OCSF mapping support includes mappers which can be easily cloned and repurposed to support additional sources of data which use OCSF. Not all OCSF categories and classes are necessarily pertinent to AWS Security Hub data produced at this time.
+    - Additional mappers for OCSF data sources will be added in future releases.
+- Updates to AWS Security Hub (non-OCSF) mapper to reduce signal volume by using a less granular field for `threat_signalName` and to map general resources into `resource` field.
+- New mappers for Citrix NetScaler and Palo Alto Firewall events.
+- Updates to existing mappers/parsers for AWS, Azure, Citrix NetScaler, Linux Sysmon, Windows Sysmon, and Zscaler to support additional events and field mappings.
+- Allows `resource` to be used as an entity in rules.
+
+Other changes are enumerated below.
+
+
+### Rules
+- [New] MATCH-S01050 IIS - Executable File Added to Directory
+    - Executable files added to Microsoft Internet Information Server (IIS) directories can indicate the installation of a web shell by an attacker. For example, the ToolShell exploit (CVE-2025-53770, CVE-2025-53771) included the installation of spinstall10.aspx in an executable directory.
+- [New] MATCH-S01051 SharePoint Server ToolShell Exploitation (CVE-2025-53770, CVE-2025-53771)
+    - Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
+- [New] MATCH-S01052 SharePoint Server ToolShell Web Shell Interaction (CVE-2025-53771)
+    - Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
+- [Updated] MATCH-S00402 Normalized Security Signal
+    - Adjusted summary to remove `{{device_hostname}}` to avoid `null` values for blank hostnames.
+    - Added `resource` to entity selector
+- [Updated] MATCH-S00061 Zscaler - Allowed Elevated Risk Score Events
+    - Updated rule expression and severity score to use normalized fields.
+
+### Log Mappers
+- [New] AWS Security Hub - OCSF Finding Events
+- [New] AWS Security Hub - Application Activity *
+- [New] AWS Security Hub - Authentication Event*
+- [New] AWS Security Hub - DHCP Activity*
+- [New] AWS Security Hub - DNS Activity*
+- [New] AWS Security Hub - Discovery Event*
+- [New] AWS Security Hub - Email Activity*
+- [New] AWS Security Hub - File System events*
+- [New] AWS Security Hub - HTTP Activity*
+- [New] AWS Security Hub - IAM Account change|Authorize Session|Entity Management|User Access Management|Group Management*
+- [New] AWS Security Hub - Kernel Extension Activity|Kernel Activity|Memory Activity|Module Activity|Scheduled Job Activity|Process Activity|Event Log Activity|Script Activity*
+- [New] AWS Security Hub - Network Activity|RDP Activity|SMB Activity|SMB Activity|SSH Activity|FTP Activity|NTP Activity|Tunnel Activity|Network Remediation Activity*
+- [New] AWS Security Hub - Remediation Activity|Process Remediation Activity*
+- [New] AWS Security Hub - Unmanned Systems*
+- [New] Citrix NetScaler - AAA-AUTH-REQ
+- [New] Palo Alto Audit Authentication logs
+- [New] Palo Alto Audit Catch All
+- [Updated] AWS Security Hub
+- [Updated] Azure Event Hub - Windows Defender Audit file events
+- [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
+- [Updated] Citrix NetScaler - Command Executed
+- [Updated] Citrix NetScaler - MESSAGE
+- [Updated] Citrix NetScaler - SSL Handshake Success
+- [Updated] Citrix NetScaler - SSLVPN-LOGIN
+- [Updated] Keeper Authentication
+- [Updated] Keeper Catch All
+- [Updated] Mimecast AV Event
+- [Updated] Mimecast Email logs
+- [Updated] Linux-Sysmon/Operational - 11
+    - Added more normalized fields
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+    - Added more normalized fields.
+- [Updated] Zscaler - Nanolog Streaming Service - JSON
+    - Added normalizedAction for allow/deny actions and alternate values for IPs.
+
+\* Security Hub via OCSF is currently limited to the OCSF Findings category. Additional mappers are in place to support potential future Security Hub events that utilize other OCSF categories and classes. These can be cloned and repurposed to support additional sources of data which use OCSF.
+
+### Parsers
+- [Deleted] /Parsers/System/Mindpoint Group/Mindpoint SurePass
+    - Updated erroneous vendor name in parser.
+    - Any existing references to this parser path will need to be updated to the new parser path.
+- [New] /Parsers/System/Keeper/Keeper
+    -  New parser for Keeper with correct vendor name.
+- [New] /Parsers/System/OCSF/OCSF
+- [New] /Parsers/System/SurePass/SurePass
+    - New parser path for Surepass to reflect correct vendor name.
+- [Updated] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
+    - Updated parser to point to new parser path with correct vendor name.
+- [Updated] /Parsers/System/Microsoft/Office 365
+    - Updated to fix issue with `normalizedLogon` field not being populated correctly.
+- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
+    - Updated header regex, added support for new events, and added new time format.
+- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
+    - Updated to handle new log formats and fields.
+
+### Schema
+- [Updated] resource
+    - Enables `resource` as an entity.
@@ -0,0 +1,41 @@
+---
+title: August 15, 2025 - Content Release
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+This content release includes:
+    - New product support for Vectra AI.
+    - Updated parsers and log mappers for Azure Event Hub, Barracuda CloudGen Firewall, Microsoft IIS, and Surepass.
+    - Updated Surepass to the correct vendor name.
+
+Changes are enumerated below.
+
+### Log Mappers
+- [New] Vectra AI Catch All
+- [New] Vectra AI User Login
+- [Updated] Azure Event Hub - Windows Defender Logs
+    - Updated field mappings to include new fields.
+- [Updated] Barracuda CloudGen Firewall Activity
+    - Updated `event_id` criteria to handle abridged event types in some logs.
+- [Updated] Microsoft IIS Parser - Catch All
+    - Updated to support `http_url` and downstream enrichment.
+- [Updated] Surepass Authentication
+- [Updated] Surepass Catch All
+- [Updated] Surepass Network Event
+
+### Parsers
+- [New] /Parsers/System/Vectra/Vectra AI
+- [Updated] /Parsers/System/Barracuda/Barracuda CloudGen
+    - Updated `event_id` criteria to handle abridged event types in some logs and to support additional log formats.
+- [Updated] /Parsers/System/Cylance/Cylance Syslog
+    - Updated timestamp parsing.
+- [Updated] /Parsers/System/DocuSign/DocuSign Monitor
+    - Updated timestamp parsing.
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+    - Updated parser to parse additional nested fields.
+- [Updated] /Parsers/System/Microsoft/Microsoft IIS
+    - Updated to form `http_url` for downstream enrichment.
@@ -0,0 +1,23 @@
+---
+title: August 19, 2025 - Application Update
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - taxii
+  - threat intelligence
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### New TAXII 2 Threat Intelligence Sources
+
+We're excited to announce the following new threat intelligence sources that allow you to collect TAXII feeds with greater ease. These sources are based on the underlying code of our STIX/TAXII 2 Client Source, but are tailored for each of the vendors to facilitate setup:
+* CISA TAXII Client
+* Dragos TAXII Client
+* Nozomi TAXII Client
+* Recorded Future TAXII Client
+* Unit42 TAXII Client
+
+When you set up a source, search for "taxii" and select the tile for the source you want to install:<br/><img src={useBaseUrl('img/security/taxii-sources.png')} alt="TAXII sources" style={{border: '1px solid gray'}} width="800" />
+
+[Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source/#taxii-2-sources).
@@ -0,0 +1,15 @@
+---
+title: August 20, 2025 - Content Release
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - log mappers
+hide_table_of_contents: true    
+---
+
+This content release includes new log mappers to cover additional security finding sources collected via AWS Security Hub.
+
+### Log Mappers
+- [New] AWS GuardDuty - OCSF Finding Events
+- [New] AWS Inspector - OCSF Finding Events
+- [New] AWS Security Hub Coverage - OCSF Finding Events
+- [New] AWS Security Hub Exposure Detection - OCSF Finding Events
@@ -0,0 +1,44 @@
+---
+title: August 27, 2025 - Content Release
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - log mappers
+hide_table_of_contents: true    
+---
+
+This content release includes:
+- New mappers and parsing support for additional Cisco ASA events and updates to existing Cisco ASA mappers to support additional fields.
+- Updates to AWS Security Hub OCSF Findings mappers to handle username alternate mappings.
+- Updates to McAfee Web Gateway CSV parser and mapper to support additional fields.
+- Fix to Sysdig Policy Detection JSON mapper to correctly map threat signal name and summary.
+
+Changes are enumerated below.
+
+### Log Mappers
+- [New] Cisco ASA 109201|109207|113022
+- [New] Cisco ASA 317077|317078
+- [New] Cisco ASA 725016|771002
+- [Updated] AWS GuardDuty - OCSF Finding Events
+- [Updated] AWS Inspector - OCSF Finding Events
+- [Updated] AWS Security Hub - OCSF Finding Events
+- [Updated] AWS Security Hub Coverage - OCSF Finding Events
+- [Updated] AWS Security Hub Exposure Detection - OCSF Finding Events
+- [Updated] Cisco ASA 113008 JSON
+- [Updated] Cisco ASA 302010 JSON
+- [Updated] Cisco ASA 303002 JSON
+- [Updated] Cisco ASA 313001 JSON
+- [Updated] Cisco ASA 50000(4|3) JSON
+- [Updated] Cisco ASA 602303-4|602101
+- [Updated] Cisco ASA 710005|716058
+- [Updated] Cisco ASA 713nnn JSON
+- [Updated] Cisco ASA 722034
+- [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041 JSON
+- [Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
+- [Updated] Cisco ASA 751023|725001|725002|725003|725006|725007|750001|750003|750006|750007|751022 JSON
+- [Updated] Cisco ASA Network events
+- [Updated] McAfee WebGateway - Parser
+- [Updated] Sysdig Policy Detection JSON
+
+### Parsers
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+- [Updated] /Parsers/System/McAfee/McAfee Web Gateway CSV
@@ -0,0 +1,19 @@
+---
+title: Time range limits for subqueries in scheduled searches (Alerts)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - alerts
+  - scheduled searches
+  - subqueries
+hide_table_of_contents: true    
+---
+
+We've introduced time range limits for subqueries in scheduled searches. This change helps you prevent long-running, inefficient queries, especially those impacting system stability and that drive up costs. While maintaining flexibility, these optimizations protect system health and reduce operational overhead.
+
+Key benefits of this enhancements include:
+
+- Improved query performance and responsiveness.
+- Encourage efficient search practices.
+- Support sustainable resource usage.
+
+[Learn more](/docs/alerts/scheduled-searches/schedule-search/#step-3-time-range).
@@ -0,0 +1,21 @@
+---
+title: Apps, Solutions, and Collection Integrations - July Release 
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - july-release
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### Enhancements
+
+- **Updated the following OpenTelemetry apps**:
+  - [Oracle - OpenTelemetry](/docs/integrations/databases/opentelemetry/oracle-opentelemetry/). Updated the dashboards and monitors with new metrics.
+  - [SQL Server - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-opentelemetry/). Fixed the collection form bug.
+  - [SQL Server for Linux - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-linux-opentelemetry/):
+    - Updated the dashboards and monitors with new metrics.
+    - The app now supports metric collection from both Windows and Linux environments.
+- **Updated the following Webhook app**:
+  - Updated the event types for [Sentry](/docs/integrations/webhooks/sentry/).
@@ -0,0 +1,12 @@
+---
+title: OneLogin Source (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - c2c
+  - onelogin-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce the release of our new cloud-to-cloud source for OneLogin. This source aims to collect the user list logs from the OneLogin API and send it to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source).
@@ -0,0 +1,23 @@
+---
+title: Cloud Syslog Source Certificate Transition to ACM (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - certificates
+  - Cloud Syslog Source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce that we are transitioning to AWS Certificate Manager (ACM) certificates for Transport Layer Security (TLS) communication between your cloud syslog sources and Sumo Logic.
+
+Currently, Sumo Logic uses a DigiCert ALB certificate to secure communication with your cloud syslog sources. This certificate is set to expire on October 13, 2025, at which point Sumo Logic will transition to the ACM root certificates. This change provides the following benefits:
+* **Automated certificate renewal and deployment**. ACM eliminates the need for future manual renewals, reducing administrative overhead.
+* **Simplified infrastructure management for AWS customers**. ACM is deeply integrated into the AWS ecosystem, streamlining your overall infrastructure management. Because Sumo Logic is also on AWS, using ACM provides a seamless experience.
+
+If you use cloud syslog sources to send data to Sumo Logic, please prepare for this transition by downloading and configuring the ACM certificate on your system. For more information and setup instructions, see:
+* [Cloud Syslog Source](/docs/send-data/hosted-collectors/cloud-syslog-source/)
+* [rsyslog](/docs/send-data/hosted-collectors/cloud-syslog-source/rsyslog)
+* [syslog-ng](/docs/send-data/hosted-collectors/cloud-syslog-source/syslog-ng/)
+* [Collect Logs for SentinelOne](/docs/send-data/collect-from-other-data-sources/collect-logs-sentinelone/)
+* [Acquia](/docs/integrations/saas-cloud/acquia/#step-2-configure-a-source)