Merge branch 'main' into add-nodrop-to-the-query

Author: JV0812

blog-cse/2025-04-25-content.md

@@ -0,0 +1,32 @@
+---
+title: April 25, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
+- Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.
+
+## Rules
+- [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
+- [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
+- [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
+- [Updated] MATCH-S01000 Threat Intel - MD5 Match
+- [Updated] MATCH-S01001 Threat Intel - PEHASH Match
+- [Updated] MATCH-S01003 Threat Intel - SHA1 Match
+- [Updated] MATCH-S01004 Threat Intel - SHA256 Match
+- [Updated] MATCH-S01002 Threat Intel - SSDEEP Match
+
+## Log Mappers
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+- [Updated] Microsoft Office 365 AzureActiveDirectory Events
+
+## Parsers
+- [Updated] /Parsers/System/Microsoft/Office 365

blog-csoar/2025-04-21-content.md

@@ -0,0 +1,42 @@
+---
+title: April 21, 2025 - Content Release
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## March and April releases
+
+### Changes and enhancements
+
+#### Integrations
+
+* [NEW] [ThreatDown Oneview](/docs/platform-services/automation-service/app-central/integrations/threatdown-oneview/). The ThreatDown OneView integration has been built from scratch to facilitate seamless security operations management. 
+* [NEW] [Atlassian Jira Cloud](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-cloud/). The Atlassian Jira Cloud integration has been developed from the ground up to streamline issue tracking and project management. 
+* [UPDATED] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/). Added a new Update IP Set action in the AWS WAF integration that allows users to update an existing IP set.
+
+#### Platform 
+
+##### Playbooks
+
+* Improved the user experience in the node popup when loading dynamic fields.
+* Added a confirmation dialog to alert users about pre-existing playbook drafts to avoid accidental overwriting while editing playbooks.
+* Implemented an alert popup to prevent accidental loss of unsaved changes when closing a node popup.
+* Added audit logs for failed nodes due to errors or exceptions during playbook execution.
+
+### Bug fixes
+
+#### General
+
+* Fixed a session timeout issue when the user is active in Automation Service, but inactive in Sumo Logic Log Analytics.
+* Fixed cursor positioning issue while typing in text areas.
+
+#### Integrations
+
+* Resolved a next page token and pageSize related issues in the List Permissions action of the  [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/) integration.
+* Added a new `impersonate_user` field in List Permission and Delete Permission actions, allowing actions to be performed on a user's behalf.

blog-service/2024/12-31.md

@@ -425,10 +425,6 @@ We're excited to announce that when you create a role, you can select **Index Ac
 
 This feature was [previously only available to participants in our beta program](/release-notes-service/2023/12/31/#october-27-2023-manage-account). It is now available for general use.
 
-:::note
-These changes are rolling out across deployments incrementally and will be available on all deployments by March 14, 2025.
-:::
-
 [Learn more](/docs/manage/users-roles/roles/create-manage-roles/#create-a-role).
 
 ### October 14, 2024 (Collection)

blog-service/2025-04-21-apps.md

@@ -0,0 +1,13 @@
+---
+title: Sumo Collection (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - sumo-collection
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+
+We're excited to introduce the new Sumo Collection app for Sumo Logic. By leveraging this app, you can get insights into the health and status of Sumo Logic collectors and sources, allowing you to effectively manage and monitor collectors and sources within Sumo Logic. [Learn more](/docs/integrations/saas-cloud/sumo-collection).

cid-redirects.json

@@ -1627,6 +1627,7 @@
   "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one",
   "/cid/6024": "/docs/integrations/saas-cloud/vmware-workspace-one",
   "/cid/6025": "/docs/integrations/saas-cloud/cisco-vulnerability-management",
+  "/cid/6026": "/docs/integrations/saas-cloud/sumo-collection",
   "/cid/10112": "/docs/integrations/app-development/jfrog-xray",
   "/cid/10113": "/docs/observability/root-cause-explorer",
   "/cid/10116": "/docs/manage/fields",
@@ -2673,6 +2674,7 @@
   "/cid/20158": "/docs/integrations/amazon-aws/aws-ground-station",
   "/cid/20159": "/docs/integrations/amazon-aws/aws-healthlake",
   "/cid/20160": "/docs/integrations/amazon-aws/amazon-bedrock",
+  "/cid/20161": "/docs/integrations/microsoft-azure/azure-virtual-machine",
   "/cid/8394": "/docs/search/search-query-language/search-operators/dedup",
   "/cid/85858": "/docs/observability/kubernetes/quickstart",
   "/cid/8595": "/docs/manage/security/set-password-policy",
@@ -4305,6 +4307,7 @@
   "/docs/manage/partitions/flex/estimate-and-actual-scan-data": "/docs/manage/partitions/flex/estimate-scan-data",
   "/docs/manage/partitions/flex/flex-pricing-faqs": "/docs/manage/partitions/flex/faq",
   "/docs/manage/partitions/flex/flex-pricing-faq": "/docs/manage/partitions/flex/faq",
+  "/docs/platform-services/automation-service/app-central/integrations/exana-open-dns": "/docs/platform-services/automation-service/app-central/integrations",
   "/docs/platform-services/automation-service/app-central/integrations/snowflake": "/docs/platform-services/automation-service/app-central/integrations",
   "/docs/integrations/security-threat-detection/palo-alto-networks-6": "/docs/integrations/security-threat-detection/palo-alto-networks-9",
   "/docs/integrations/security-threat-detection/palo-alto-networks-8":"/docs/integrations/security-threat-detection/palo-alto-networks-9",

docs/alerts/scheduled-searches/generate-cse-signals.md

@@ -15,6 +15,8 @@ For a more detailed description of the options you can configure for a scheduled
 
 ## Requirements for the search query
 
+When you [create a scheduled search](/docs/alerts/scheduled-searches/schedule-search/) to generate signals in Cloud SIEM, you start by creating a search query.
+
 This section describes the requirements for your scheduled search, which include a minimum set of fields to be returned, and renaming message fields as necessary to match attribute names in the selected Cloud SIEM record type schema.  
 
 ### Required fields
@@ -42,7 +44,6 @@ enable signal generation:
     If the `stage` field contains a Tactic that isn't in the MITRE ATT&CK framework, a signal will not be generated, but a record will be. 
     :::
 * At least one entity field:
-
   * `device_ip`
   * `device_mac`
   * `device_natIp`
@@ -56,16 +57,35 @@ enable signal generation:
   * `srcDevice_ip`
   * `srcDevice_mac`
   * `srcDevice_natIp`
-  * `user_username`        
+  * `user_username`
 
 ### Renaming message fields
 
 When you configure a Scheduled Search to create Cloud SIEM signals, you are prompted to select a [Cloud SIEM record type](/docs/cse/schema/cse-record-types/). The fields returned by your search must match an attribute in the record type you select. A field whose name does not match a Cloud SIEM attribute will not be populated in the record created from the Schedule Search results. For more about Cloud SIEM attribute names, see [Attributes You Can Map to Records](/docs/cse/schema/attributes-map-to-records/).
 
+### Example
+
+Let's suppose that `user_username` is the entity field we want to use, and its value needs to be mapped to `actor.email`. Then you need to add the following line to the query: `actor.email as user_username`.
+
+And because the final output of this query is an aggregate, and Cloud SIEM signals expect `normalizedfield`, `stage`, and `entity`, we need need to add those in the `count` expression. 
+
+This is how the final query might look:
+
+```txt
+((_index=sec_record_* objectType=*)
+AND _sourcename = "Google Apps Audit Event")
+AND _sourcecategory = "GoogleWorkspace/Groups"
+| 5 as normalizedseverity
+| "Initial Access" as stage
+| json auto 
+| actor.email as user_username
+| count by events.name, events.type, actor.email, event.parameters.user_email, event.parameters.group_email, user_username, stage, normalizedseverity
+```
+
 ## Scheduling the search
 
 1. After creating and saving your search, click the save icon.<br/><img src={useBaseUrl('img/alerts/save-as.png')} alt="Save the search" style={{border: '1px solid gray'}} width="800"/>
-1. The **Save Item** popup appears.<br/><img src={useBaseUrl('img/alerts/save-item.png')} alt="Save as scheduled search" width="500"/>
+1. The **Save Item** popup appears.<br/><img src={useBaseUrl('img/alerts/save-item.png')} alt="Save as scheduled search" style={{border: '1px solid gray'}} width="500"/>
    :::note
    The name of your scheduled search will appear as the signal name in Cloud SIEM.
    :::

docs/alerts/webhook-connections/set-up-webhook-connections.md

@@ -47,7 +47,7 @@ To set up a webhook connection:
 1. (Optional) Enter a **Description** for the connection.
 1. Enter the **URL** for the endpoint. This is generated from the remote system’s API.
     :::important
-    Only HTTPS (`port 443`) and HTTP (`port 80`) URLs are supported. 
+    HTTPS URLs can use any port without restriction, while HTTP URLs are limited to only port 80.
     :::
 1. (Optional) If the third-party system requires an **Authorization Header**, enter it here. For more information, see [Example Authorization Header](#example-authorization-header) below.
 1. (Optional) **Custom Headers**, enter up to five comma separated key-value pairs.

docs/contributing/remove-doc.md

@@ -1,12 +1,12 @@
 ---
 id: remove-doc
-title: Remove a Doc
-description: Learn how to properly remove a Sumo Logic doc.
+title: Move or Remove a Doc
+description: Learn how to properly move or remove a Sumo Logic doc.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-When you delete a doc, its URL is also deleted. Visiting the old URL will return a `404 - Page Not Found` error, which negatively impacts customer experience and can damage our SEO.
+When you move a doc or remove it altogether, that deletes its URL. Visiting the old URL will return a `404 - Page Not Found` error, which negatively impacts customer experience and can damage our SEO.
 
 To prevent this, create a 301 redirect. Follow these steps to ensure a smooth transition and maintain the health of our docs site.
 
@@ -31,11 +31,12 @@ As an example, let's say there are two docs called **Nginx App** and **Nginx (Le
 Ensure any internal links pointing to the deleted doc are updated to the new URL.
 
 1. In your GitHub authoring tool, run a search for the URL you're removing. For example, if the legacy URL appears in other documents, replace all instances with the new URL.<br/><img src={useBaseUrl('img/contributing/old-url.png')} alt="Screenshot of a 'Find All' search for the URL to be removed" />
-1. Check with a Sumo Logic subject matter expert to confirm that you can replace all with the new URL.
-
-:::warning
-Never do a "Find All > Replace All", as this can break unrelated items like image paths. Replace each URL on a one-by-one basis.
-:::
+   :::warning
+   Never do a Find All > Replace All, as this can break unrelated items like image paths. Replace each URL on a one-by-one basis.
+   :::
+1. If applicable:
+   * Remove from its parent index.md hub page.
+   * Remove from [Product List](/docs/integrations/product-list/).
 
 ## Step 3: Delete the doc file
 

docs/cse/administration/create-custom-threat-intel-source.md

@@ -31,7 +31,7 @@ You can search using the same functionality available for other Cloud SIEM searc
 
 When Cloud SIEM encounters an indicator from a threat source in an incoming record, it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in this way.
 
-Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a rule tuning expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
+Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a rule tuning expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Find Threats with Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 
 ### Target fields for threat indicators
 

docs/cse/integrations/configuring-threatq-source-in-cse.md

@@ -15,7 +15,7 @@ To do so, [ingest threat intelligence indicators](/docs/security/threat-intellig
 
 ## Looking for ThreatQ indicators using Cloud SIEM rules
 
-Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
+Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Find Threats with Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 -->
 
 This topic has information about configuring a ThreatQ source in Cloud SIEM.