Commit 22c604e

committed
Automation second pass
1 parent 5c1582f commit 22c604e

12 files changed

+19
-24
lines changed

docs/cse/automation/about-automation-service-and-cloud-siem.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@ Before you can access the Automation Service from Cloud SIEM, you must first [co
5252
You can also launch the Automation Service by selecting **Automation** from the main menu: <br/><img src={useBaseUrl('img/cse/automation-menu-in-nav-bar.png')} alt="Automation menu option in the nav bar" style={{border: '1px solid gray'}} width="200"/> <br/>If you also have Cloud SOAR installed, a **Cloud SOAR** option appears instead, since all automation services are provided by Cloud SOAR when it installed in conjunction with Cloud SIEM.
5353
:::
5454
1. Now that you are in the Automation Service, let's explore a little to see how playbooks run actions that are provided by integrations. Open a [playbook](/docs/platform-services/automation-service/automation-service-playbooks) to see the actions it runs. Click an action to view the integration resource that provides it. In the example below, notice that in the **Send Insight Slack Notification** playbook, the **Slack resource** provides the **Get User** action.<br/><img src={useBaseUrl('img/cse/automations-action-example.png')} alt="Action example" style={{border: '1px solid gray'}} width="800"/>
55-
1. Now that we know the resource that provides the action, let's look for the integration that contains that resource. In our case, we're looking for the integration with the Slack resource. Click [**Integrations**](/docs/platform-services/automation-service/automation-service-integrations) in the left navigation bar.<br/><img src={useBaseUrl('img/cse/automations-integrations-list.png')} alt="Integrations list" style={{border: '1px solid gray'}} width="800"/>
55+
1. Now that we know the resource that provides the action, let's look for the integration that contains that resource. In our case, we're looking for the integration with the Slack resource. Click [**Cloud SIEM > Integrations**](/docs/platform-services/automation-service/automation-service-integrations) in the left navigation bar.
5656
1. If we open the **Slack** integration, we see the **Get User** action used in the **Send Insight Slack Notification** playbook. Now you know how integrations provide actions that are run in playbooks. <br/><img src={useBaseUrl('img/cse/automations-resource-example.png')} alt="Resource example" style={{border: '1px solid gray'}} width="700"/>
5757

5858
To learn how to create automations in Cloud SIEM that run playbooks from the Automation Service, see [Automations in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem).
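Review bot: The new step at line 55 labels the link **Cloud SIEM > Integrations** yet still describes it as being "in the left navigation bar", while docs/cse/automation/cloud-siem-automation-examples.md line 24 in this same commit tells the reader to click **Integrations** in the navigation menu. Pick one label for the control and use it in both files. While this paragraph is open, the context at line 52 reads "when it installed in conjunction with Cloud SIEM" and is missing "is".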

docs/cse/automation/automations-in-cloud-siem.md

Lines changed: 7 additions & 12 deletions
@@ -92,7 +92,7 @@ To view the automations that have run on Insights or Entities, see [View results
9292
The following procedure provides a brief introduction to how to create an automation. For detailed examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
9393

9494
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
95-
1. At the top of the automations screen, click **New Automation**. (To modify an existing automation, click on the edit icon for the corresponding automation.)<br/><img src={useBaseUrl('img/cse/automations-automations-list.png')} alt="Automations list" style={{border: '1px solid gray'}} width="800"/>
95+
1. At the top of the automations screen, click **Create**. (To modify an existing automation, click on the edit icon for the corresponding automation.)<br/><img src={useBaseUrl('img/cse/automations-automations-list.png')} alt="Automations list" style={{border: '1px solid gray'}} width="800"/>
9696
1. In the **New Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation. <br/><img src={useBaseUrl('img/cse/automations-new.png')} alt="New Automation" style={{border: '1px solid gray'}} width="400"/>
9797
1. In **Expects attributes for** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM.
9898
1. If **Entity** is selected, in the **Type** field select one or more Entity types. The playbook will only execute on the Entity types selected.
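Review bot: Line 95 renames the button to **Create**, but line 96 directly below still begins "In the **New Automation** dialog" and line 95 keeps the automations-automations-list.png screenshot. Confirm that the dialog title was not renamed along with the button, and that the retained screenshot shows **Create** and not **New Automation**.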
@@ -114,7 +114,7 @@ If an automation is set to run when an Insight is created or closed, it runs aut
114114

115115
Automations can be run manually from the **Actions** drop-down menu on [Insight details](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui#insight-details-page) pages:
116116

117-
<img src={useBaseUrl('img/cse/automations-actions-menu.png')} alt="Automations on the Actions menu" style={{border: '1px solid gray'}} width="200"/>
117+
<img src={useBaseUrl('img/cse/automations-actions-menu.png')} alt="Automations on the Actions menu" style={{border: '1px solid gray'}} width="300"/>
118118

119119
You will see three sections in the **Actions** menu:
120120
* **Insight Automation**. Displays a list of all enabled Insight automations configured to run manually.
@@ -125,7 +125,7 @@ You will see three sections in the **Actions** menu:
125125

126126
On [Entity details](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-details-page) pages, Entity Automations can be run manually from the **Automations** drop-down menu:
127127

128-
<img src={useBaseUrl('img/cse/automations-entity-automations-menu.png')} alt="Automations menu on an Entity" style={{border: '1px solid gray'}} width="250"/>
128+
<img src={useBaseUrl('img/cse/automations-entity-automations-menu.png')} alt="Automations menu on an Entity" style={{border: '1px solid gray'}} width="300"/>
129129

130130
:::tip
131131
You can run the same automation more than once for a given Entity or Insight, but not at the same time. Additional attempts to run an automation while an instance is running will result in an error.
@@ -141,11 +141,6 @@ On an Insight, if you select **Actions** > **Entity Automation > Run Automations
141141
1. Click **Next**. A list displays of all Entity automations that are enabled, configured to be run manually, and configured for at least one of the Entity types you selected on the previous screen.
142142
1. Select the automations you wish to run and click **Run Automation**. The system will automatically run the appropriate automations for the appropriate Entity Types.<br/><img src={useBaseUrl('img/cse/automations-entity-menu-2.png')} alt="Entity Automation menu with selections" style={{border: '1px solid gray'}} width="400"/>
143143

144-
In this example:
145-
* The CarbonBlack automation is configured for IP Addresses, Email Addresses, and Domain Names, so it will run four times (once for the Email Address and once for each IP Address selected on the previous screen).
146-
* The nslookup automation is configured to only run on IP Addresses so it will run three times.
147-
* No automation will run on the Hostname.
148-
149144
## View results of an automation
150145

151146
If an automation is set to run when an Insight is created or closed, it [runs automatically](#run-an-automation-automatically). You can also [run an automation manually](#run-an-automation-manually).
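Review bot: Deleting lines 144-148 leaves step 142 with only "The system will automatically run the appropriate automations for the appropriate Entity Types", which no longer tells the reader that a selected automation runs once for each selected Entity of a type it is configured for and not at all for other types. The removed bullets were tied to one screenshot, so dropping them is reasonable, but consider replacing them with a single generic sentence stating that rule, since it determines how many playbook executions one click starts.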
@@ -172,7 +167,7 @@ After [running an automation](#run-an-automation-automatically), you can go to t
172167

173168
<img src={useBaseUrl('img/cse/automations-execution-status.png')} alt="Automations execution status" style={{border: '1px solid gray'}} width="800"/>
174169

175-
On each card you will find:
170+
For each automation you will find:
176171
* The time and date when the automation was run.
177172
* The name and description of the associated playbook.
178173
* The playbook’s current status.
@@ -184,11 +179,11 @@ You may have to manually refresh this screen to see the most current status.
184179

185180
If you click **View Playbook**, the Automation Service UI will open to the playbook status page:
186181

187-
<img src={useBaseUrl('img/cse/automations-playbook-status.png')} alt="Playbook status" style={{border: '1px solid gray'}} width="600"/>
182+
<img src={useBaseUrl('img/cse/automations-playbook-status.png')} alt="Playbook status" style={{border: '1px solid gray'}} width="800"/>
188183

189-
You can switch to the graphical view by clicking **Graph** in the upper-right corner:
184+
You can switch to the graphical view by clicking **Graph View** in the upper-right corner:
190185

191-
<img src={useBaseUrl('img/cse/automations-playbook-status-graph.png')} alt="Playbook status graph" style={{border: '1px solid gray'}} width="600"/>
186+
<img src={useBaseUrl('img/cse/automations-playbook-status-graph.png')} alt="Playbook status graph" style={{border: '1px solid gray'}} width="800"/>
192187

193188
## Migrate from legacy actions and enrichments to the Automation Service
194189

docs/cse/automation/cloud-siem-automation-examples.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ Following are examples that show you how to create Cloud SIEM automations using
1919
The following example shows how to add an enrichment to an Insight using the “IP Reputation V3” action from VirusTotal.
2020

2121
1. Edit the VirusTotal OIF resource:
22-
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**..
22+
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
2323
1. From the Automation screen, click **Manage Playbooks**. This opens the [Automation Service UI](/docs/platform-services/automation-service/about-automation-service/#automation-service-ui).
2424
1. Click **Integrations** in the navigation menu.
2525
1. Select **VirusTotal OIF**.

docs/cse/integrations/enable-virustotal-enrichment.md

Lines changed: 1 addition & 1 deletion
@@ -37,7 +37,7 @@ VirusTotal enrichments are only added to Signals that are part of an Insight.
3737
## Configure VirusTotal enrichment
3838

3939
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Enrichment**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Enrichment**. You can also click the **Go To...** menu at the top of the screen and select **Enrichment**.
40-
1. On the **Enrichment** page, click the pencil icon for VirusTotal.<br/><img src={useBaseUrl('img/cse/enrichment-page.png')} alt="Edit button on the VirusTotal enrichment" style={{border: '1px solid gray'}} width="800" />
40+
1. On the **Enrichment** page, click the pencil icon for VirusTotal.<br/><img src={useBaseUrl('img/cse/enrichment-page.png')} alt="Edit button on the VirusTotal enrichment" style={{border: '1px solid gray'}} width="500" />
4141
2. On the **Edit VirusTotal Configuration** popup, enter your VirusTotal API Key, and click Update.<br/><img src={useBaseUrl('img/cse/edit.png')} alt="Edit VirusTotal Configuration pop-up" style={{border: '1px solid gray'}} width="300" />
4242

4343
## Example VirusTotal enrichment
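Review bot: In the list around line 40, the step at line 41 is numbered "2." while the steps above it use "1.", and "click Update" leaves the button name unbolded where the other controls in these files are bold. Since this pass already touches the list, normalise both (use `1.` and **Update**).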

docs/cse/match-lists-suppressed-lists/create-match-list.md

Lines changed: 5 additions & 5 deletions
@@ -82,7 +82,7 @@ You can also create and manage Match Lists with Cloud SIEM's REST [API](/docs/cs
8282
:::
8383

8484
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Match Lists**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Match List**. You can also click the **Go To...** menu at the top of the screen and select **Match List**.
85-
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/match-list-create-icon.png')} alt="Create match list" style={{border: '1px solid gray'}} width="800"/>
85+
1. Click **Create**.
8686
1. On the **New Match List** popup, enter the following:
8787
1. **Name**. Name of the Match list. If you are creating a standard Match List, make sure the name matches the standard Match List name. For more information, see [Standard Match Lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists). We recommend no embedded spaces in list names. For example, instead of *my list*, use *my_list*.
8888
1. **Description**. Enter a description for the list. Descriptions for standard Match Lists can be found in [Standard Match Lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists).
@@ -92,15 +92,15 @@ You can also create and manage Match Lists with Cloud SIEM's REST [API](/docs/cs
9292
Once you create a Match List, it's not possible to change its **Target Column**.
9393
:::
9494
1. Click **Create**.<br/><img src={useBaseUrl('img/cse/new-match-list.png')} alt="New match list" style={{border: '1px solid gray'}} width="400"/>
95-
1. The Match List now appears on the **Match Lists** page. <br/><img src={useBaseUrl('img/cse/match-list-added.png')} alt="Match list added" style={{border: '1px solid gray'}} width="800"/>
95+
1. The Match List now appears on the **Match Lists** page.
9696
1. Click the name of the Match List to open it.
97-
1. On the **Match List > Details** page, click **ADD LIST ITEM**.<br/><img src={useBaseUrl('img/cse/match-list-add-item-icon.png')} alt="Match list add list item" style={{border: '1px solid gray'}} width="800"/>
97+
1. On the **Match List > Details** page, click **Add List Item**.
9898
1. On the **New Match List Item** popup, enter:
9999
* **Value**. The value of the entity. Make sure the value you enter is of the same type as the type you selected as the Target Column for the list. For example, if the Target Column is `Domain`, enter a domain.
100100
* **Description**. (Optional) Enter a description of the entity instance you entered.
101101
* **Expiration**. (Optional) The date and time at which the list item should be removed from the list.
102-
* Click **Add** to add the item to the list.<br/><img src={useBaseUrl('img/cse/new-match-list-item.png')} alt="New match list item" style={{border: '1px solid gray'}} width="400"/>
103-
1. The item now appears in the Match List.<br/><img src={useBaseUrl('img/cse/item-added.png')} alt="Item added" style={{border: '1px solid gray'}} width="800"/>
102+
* Click **Add** to add the item to the list.
103+
1. The item now appears in the Match List.
104104

105105
## Import a Match List
106106
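Review bot: At new line 102, "Click **Add** to add the item to the list" is still a bullet alongside the **Value**, **Description** and **Expiration** field descriptions, although it is an action and not a field. Move it out of the field list into its own numbered step so the procedure reads as enter the fields, click **Add**, then see the item appear.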

docs/cse/match-lists-suppressed-lists/custom-match-list-columns.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ To see the custom columns that have been defined in your environment:
2222

2323
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Match Lists**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Match List**. You can also click the **Go To...** menu at the top of the screen and select **Match List**.
2424
1. On the **Match Lists** page, click **Custom Columns**.<br/><img src={useBaseUrl('img/cse/match-lists.png')} alt="Match lists" width="800"/>
25-
1. The **Custom Columns** page lists the custom columns that have been defined in your environment. <br/><img src={useBaseUrl('img/cse/custom-columns.png')} alt="Custom columns" style={{border: '1px solid gray'}} width="800"/>
25+
1. The **Custom Columns** page lists the custom columns that have been defined in your environment.
2626

2727
## Create a Custom Column
2828
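Review bot: The image kept at line 24 (match-lists.png) has no `style={{border: '1px solid gray'}}` attribute, unlike the other screenshots touched in this commit. Add the border for consistency while editing the adjacent step.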

docs/cse/match-lists-suppressed-lists/suppressed-lists.md

Lines changed: 3 additions & 3 deletions
@@ -83,14 +83,14 @@ Perform the steps below to create a Suppressed List and add an indicator to it u
8383
If you want to create a custom Target Column, click **Manage Custom Columns**. For more information, see [Custom Match List Columns](/docs/cse/match-lists-suppressed-lists/custom-match-list-columns).
8484
:::
8585
1. Click **Create**.
86-
1. The Suppressed List now appears on the **Suppressed Lists** page.  <br/><img src={useBaseUrl('img/cse/suppressed-list-page-2.png')} alt="Suppressed lists page" style={{border: '1px solid gray'}} width="800"/>
86+
1. The Suppressed List now appears on the **Suppressed Lists** page.
8787
1. Click the name of the Suppressed List to open it.
88-
1. On the **Suppressed List > Details** page, click **ADD LIST ITEM**. <br/><img src={useBaseUrl('img/cse/add-list-item.png')} alt="Add list item" style={{border: '1px solid gray'}} width="800"/>
88+
1. On the **Suppressed List > Details** page, click **Add List Item**. <br/><img src={useBaseUrl('img/cse/add-list-item.png')} alt="Add list item" style={{border: '1px solid gray'}} width="800"/>
8989
1. On the **New Suppressed List Item** popup, enter:
9090
1. **Value**. The value of the entity. Make sure the value you enter is of the same type as the type you selected as the Target Column for the list. For example, if the Target Column is Domain, enter a domain.
9191
1. **Description**. (Optional) Enter a description of the list item.
9292
1. **Expiration**. (Optional) The date and time at which the list item should be removed from the list.
93-
1. Click **Add** to add the item to the list. <br/><img src={useBaseUrl('img/cse/new-item.png')} alt="New item" style={{border: '1px solid gray'}} width="400"/>
93+
1. Click **Add** to add the item to the list.
9494
1. The item now appears on the list.
9595

9696
## Import a list of indicators 
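Review bot: Line 88 changes the label to **Add List Item** but keeps add-list-item.png, whereas the neighbouring steps here and the matching step in create-match-list.md (line 97) lose their screenshots in this commit. If the retained image still shows the old all-caps **ADD LIST ITEM** button it contradicts the new text, so either refresh it or drop it as was done elsewhere.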