Merge branch 'main' into chvik/berry

Author: kimsauce

blog-cse/2024/12-31.md

@@ -16,6 +16,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This is an archive of 2024 Cloud SIEM release notes. To view the full archive, [click here](/release-notes-cse/archive).
 
+<!--truncate-->
+
 ---
 ### December 20, 2024 - Content Release
 
@@ -852,7 +854,7 @@ Other changes are enumerated below.
 
 This release reverts a change to our AWS CloudTrail default (catch all) mapper for how `user_username` is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some `AssumedRole` events.
 
-AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/#august-5-2024---content-release) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.
+AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](#august-5-2024---content-release) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.
 
 AWS best practices suggest defining `sourceIdentity` to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor `sourceIdentity` if it is present in CloudTrail logs. If it is not present, then `userIdentity.arn` will be used and the `resource-id` will be mapped to `user_username`, creating potential for false positives from dynamic session identifiers. See [Viewing source identity in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct) in the AWS documentation for more information.
 

blog-cse/2025-01-14-content.md

@@ -0,0 +1,54 @@
+---
+title: January 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - rules
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+- Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
+- Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.
+
+:::note
+In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.
+:::
+
+## Log Mappers
+- [New] Azure DevOps Auditing Catch All
+- [New] Check Point Application Control URL Filtering
+- [New] Cisco ISE Radius Diagnostics
+- [New] Linux OS Syslog - KRB5 Child - Authentication Failure
+- [New] Linux OS Syslog - Process systemd - Systemd Session
+- [New] Linux OS Syslog - Process systemd - Systemd Session Scope
+- [New] Linux OS Syslog - Process systemd - session logout
+- [New] Pfsense Firewall filterlog
+- [New] Pfsense Firewall nginx
+- [New] Pfsense Firewall openvpn Authentication
+- [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
+- [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
+- [Updated] Cisco ISE Authentication Failure
+    - Adds `normalizedSeverity` mapping
+- [Updated] Cisco ISE Authentication Success
+    - Adds `normalizedSeverity` mapping
+- [Updated] Cloudflare - Logpush
+    - Adds mapping for `dns_query`, `http_hostname`, `http_response_contentLength`, `http_response_contentType`, and an alternative value for `ipProtocol`.
+- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
+    - Adds mapping for `normalizedActio`n
+- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
+    - Added support for additional events and mapping of `file_path`
+
+## Parsers
+- [New] /Parsers/System/Pfsense/Pfsense Firewall
+- [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
+- [Updated] /Parsers/System/Cisco/Cisco ISE
+- [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
+- [Updated] /Parsers/System/Linux/Linux OS Syslog
+- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
+- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

blog-csoar/2024/12-31.md

@@ -14,6 +14,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This is an archive of 2024 Cloud SOAR release notes. To view the full archive, [click here](/release-notes-csoar/archive).
 
+<!--truncate-->
+
 ---
 ### December 31, 2024 - Application Update
 
@@ -312,7 +314,7 @@ This release introduces three new integrations, as well as several updates.
 ---
 ### March 12, 2024 - Content Release
 
-Our Cloud SOAR [application update](/release-notes-csoar/#march-12-2024---application-update) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards.
+Our Cloud SOAR [application update](#march-12-2024---application-update) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards.
 
 The Python upgrade impacts a total of 38 integrations. These integrations will require updates to ensure compatibility with the new Python version.
 
@@ -369,7 +371,7 @@ We strongly encourage all users to review the provided documentation and prepare
 ### March 12, 2024 - Application Update
 
 #### Changes and Enhancements
-* Python version updated. If you experience any issues, refer to our [content release note](/release-notes-csoar/#march-12-2024---content-release).
+* Python version updated. If you experience any issues, refer to our [content release note](#march-12-2024---content-release).
 
 ##### Cloud SOAR
 * Playbooks: Test feature now permits you to use internal Incident ID.

cid-redirects.json

@@ -1887,6 +1887,7 @@
   "/cid/2008": "/docs/send-data/installed-collectors/linux",
   "/cid/2009": "/docs/search/behavior-insights/logcompare",
   "/cid/2010": "/docs/search/search-query-language/search-operators/if",
+  "/cid/2110": "/docs/search/search-query-language/search-operators/macro",
   "/cid/2011": "/docs/get-started/help",
   "/cid/2012": "/docs/manage/security/enable-support-account",
   "/cid/2013": "/docs/send-data/installed-collectors/sources/windows-active-directory-inventory-source",

docs/api/search-job.md

@@ -343,6 +343,7 @@ This is the formatted result document:
 
 ```json
 {
+   "warning":"",
    "state":"DONE GATHERING RESULTS",
    "messageCount":90,
    "histogramBuckets":[
@@ -356,7 +357,6 @@ This is the formatted result document:
          "count":1,
          "startTimestamp":1359405480000
       },
-      ...
       {
          "length":60000,
          "count":1,
@@ -367,7 +367,10 @@ This is the formatted result document:
    ],
    "pendingWarnings":[
    ],
-   "recordCount":1
+   "recordCount":1,
+   "usageDetails":{
+      "dataScannedInBytes":0
+      }
 }
 ```
 
@@ -385,12 +388,16 @@ Notice that the state of the sample search job is DONE GATHERING RESULTS. The fo
 
 #### More about results
 
+The **warnings** value contains the detailed information about the warning while obtaining the current status of a search job.
+
 The **messageCount** and **recordCount** values indicate the number of messages and records found or produced so far. Messages are raw log messages and records are aggregated data.
 
 For queries that do not contain an aggregation operator, only messages are returned. If the query contains an aggregation, for example, **count by _sourceCategory**, then the messages are returned along with records resulting from the aggregation (similar to what a SQL database would return).
 
 The **pendingErrors** and **pendingWarnings** values contain any pending error or warning strings that have accumulated since the last time the status was requested.
 
+The **usageDetails** value contains the amount of data scanned in bytes details.
+
 Errors and warnings are not cumulative. If you need to retain the errors and warnings, store them locally.
 
 The **histogramBuckets** value returns a list of histogram buckets. A histogram bucket is defined by its timestamp, which is the start timestamp (in milliseconds) of the bucket, and a length, also in milliseconds, that expressed the width of the bucket. The **timestampplus** length is the end timestamp of the bucket, so the count is the number of messages in the bucket.
@@ -468,6 +475,7 @@ curl -b cookies.txt -c cookies.txt -H 'Accept: application/json'
 
 ```json
 {
+   "warning": "",
    "fields":[
       {
          "name":"_messageid",
@@ -595,6 +603,7 @@ curl -b cookies.txt -c cookies.txt -H 'Accept: application/json'
 
 The result contains two lists, **fields** and **messages**.
 
+* ***warnings** contains the detailed information about the warning while paging through the messages found by a search job.
 * **fields** contains a list of all the fields defined for each of the messages returned. For each field, the field name and field type are returned.
 * **messages** contains a list of maps, one map per message. Each **map** maps from the fields described in the fields list to the actual value for the message.
 
@@ -666,6 +675,7 @@ This is the formatted result document:
 
 ```json
 {
+   "warning": "",
    "fields":[
       {
          "name":"_sourceCategory",
@@ -691,6 +701,8 @@ This is the formatted result document:
 
 The returned document is similar to the one returned for the message paging API. The schema of the records returned is described by the list of fields as part of the fields element. The records themselves are a list of maps.
 
+The ***warnings** contains the detailed information about the warning while paging through the records found by a Search Job.
+
 </details>
 
 ## POST Methods
@@ -828,10 +840,12 @@ Example error response:
 
 ```json
 {
-  "status" : 400,
-  "id" : "IUUQI-DGH5I-TJ045",
-  "code" : "searchjob.invalid.timestamp.from",
-  "message" : "The 'from' field contains an invalid time."
+  "warning": "A 404 status (Page Not Found) on a follow-up request may be due to a cookie not accompanying the request",
+  "id": "IUUQI-DGH5I-TJ045",
+  "link": {
+    "rel": "self",
+    "href": "https://api.sumologic.com/api/v1/search/jobs/IUUQI-DGH5I-TJ045"
+  }
 }
 ```
 

docs/integrations/saas-cloud/cisco-umbrella.md

@@ -56,9 +56,16 @@ The Cisco Umbrella app offers logging to Amazon S3 as it has the ability to uplo
 
  <img src={useBaseUrl('img/integrations/saas-cloud/options-aws-s3.png')} alt="options aws s3 cisco" width="750"/>
 
-:::note
-If you're collecting from a Cisco Umbrella bucket, SNS Subscription Endpoint is not supported. For more information, see important note on using the [Sumo Logic Amazon S3 source for the Cisco-Managed S3 bucket](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#cisco-umbrella)
-:::
+Collection from a Cisco-managed S3 bucket has the following limitations:
+
+* AWS versioned APIs are not supported. The **Use AWS versioned APIs** setting on the Source must be disabled.
+* S3 Event Notifications Integration is not supported, so you cannot use an SNS subscription endpoint.
+* Access must be provided with an Access ID and Key. Role-based access is not supported.
+* Use a prefix in the path expression so it doesn't point to the root directory.
+* Ensure that your path expression ends in `/*`. Otherwise, you will get a ListBucket error. For example:
+  * Bucket Name: `cisco-managed-us-east-1`
+  * Path Expression: `987654321_12e34c..../*`
+
 
 By having all your logs uploaded to an S3 bucket, you can then download logs automatically to keep in perpetuity in backup storage. Or, ingest the logs through your SIEM or another security tool to determine if any security events in these Umbrella logs coincide with events in other security tools.
 
@@ -99,4 +106,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
 
 import AppUninstall from '../../reuse/apps/app-uninstall.md';
 
-<AppUninstall/>
+<AppUninstall/>

docs/integrations/saas-cloud/jamf.md

@@ -862,15 +862,33 @@ _sourceCategory="Labs/Jamf" computer_management
 | count as num_profiles
 ```
 
-## Set up collection
+## Collection configuration and app installation
 
-Follow the instructions provided to set up [Cloud-to-Cloud Integration for Jamf Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/jamf-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Jamf app is properly integrated and configured to collect and analyze your Jamf data.
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
 
-## Installing the Jamf app
+<CollectionConfiguration/>
 
-import AppInstall2 from '../../reuse/apps/app-install-v2.md';
+:::important
+Use the [Cloud-to-Cloud Integration for Jamf Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/jamf-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Jamf app is properly integrated and configured to collect and analyze your Jamf data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
 
-<AppInstall2/>
+<AppCollectionOPtion3/>
 
 ## Viewing the Jamf dashboards
 

docs/integrations/saas-cloud/symantec-endpoint-security-service.md

@@ -209,15 +209,33 @@ _sourceCategory="Labs/SES" device_uid
 | limit 10
 ```
 
-## Set up collection
+## Collection configuration and app installation
 
-To set up the [Cloud-to-Cloud Integration for Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/), follow the instructions provided. These instructions will guide you through the process of creating a source using the Symantec Endpoint Security Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Symantec Endpoint Security app is properly integrated and configured to collect and analyze your Symantec Endpoint Security data.
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
 
-## Installing the Symantec Endpoint Security app
+<CollectionConfiguration/>
 
-import AppInstall2 from '../../reuse/apps/app-install-v2.md';
+:::important
+Use the [Cloud-to-Cloud Integration for Symantec Endpoint Security Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Symantec Endpoint Security app is properly integrated and configured to collect and analyze your Symantec Endpoint Security data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
 
-<AppInstall2/>
+<AppCollectionOPtion3/>
 
 ## Viewing the Symantec Endpoint Security dashboards
 

docs/manage/content-sharing/index.md

@@ -6,7 +6,7 @@ description: Content Sharing allows you to selectively share and collaborate on
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-Content Sharing allows you to selectively share and collaborate on apps, dashboards, and searches with specific users or roles. As an Admin, you can use content sharing to transfer ownership of searches and dashboards, or to highlight key content to specific users and groups. As a user, you can now choose how widely shared your content is within your Org.
+Content Sharing allows you to selectively share and collaborate on apps, dashboards, and searches with specific users or roles. As an Admin, you can use content sharing to share ownership of searches and dashboards, or to highlight key content to specific users and groups. As a user, you have the flexibility to control how broadly your content is shared within your organization.
 
 You can share log searches, metric searches, dashboards, and folders with a user, a role, or combinations of the two. You can edit the sharing permissions at any time and share and revoke as needed from the **Share** dialog:  
 
@@ -56,15 +56,15 @@ To share content from the left navigation bar or the Library:
 
     <img src={useBaseUrl('img/content-sharing/PermissionsShare.png')} alt="Permissions share" width="600"/>
 
-## Navigate Content Sharing Tabs
+## Navigate content sharing tabs
 
 Sumo provides a few ways to navigate your content based on what you want to view.
 
 import UiElements from '../../reuse/ui-elements.md';
 
 <UiElements/>
 
-## Available Permission Levels
+## Available permission levels
 
 You can share your content with specific users or roles. As a best practice we recommend sharing at the search or dashboard level, or if you want to share a folder, share a subfolder. All contents of the folder are shared, you can’t exclude a particular content item in a folder as private content.
 

docs/platform-services/automation-service/app-central/integrations/darktrace.md

@@ -7,8 +7,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/darktrace.png')} alt="darktrace" width="100"/>
 
-***Version: 1.6  
-Updated: Mar 4, 2024***
+***Version: 1.7  
+Updated: Jan 10, 2025***
 
 Perform threat intelligence evidence gathering with Darktrace.
 
@@ -45,3 +45,4 @@ Perform threat intelligence evidence gathering with Darktrace.
     + Updated resource: Resolved bug related to integration resource
 * February 28, 2024 (v1.5) - Updated code for compatibility with Python 3.12
 * March 4, 2024 (v1.5) - Updated code for compatibility with Python 3.12
+* January 10, 2025 (v1.7) - Fixed timedelta related error in all actions