Merge branch 'main' into DOCS-988

Author: kimsauce

blog-cse/2025-06-02-application.md

@@ -17,6 +17,5 @@ We're happy to announce that now when you create or update a first seen or outli
 To learn more, see our information about baselines for [first seen rules](/docs/cse/rules/write-first-seen-rule/) and [outlier rules](/docs/cse/rules/write-outlier-rule/#baselines-for-outlier-rules).
 
 :::note
-* This feature update applies only to new and changed first seen and outlier rules. Unchanged existing rules will continue to use their existing baselines.
-* This feature update is rolling out across deployments incrementally and will be available on all deployments by June 12, 2025.
+This feature update applies only to new and changed first seen and outlier rules. Unchanged existing rules will continue to use their existing baselines.
 :::

blog-service/2025-07-16-apps.md

@@ -0,0 +1,13 @@
+---
+title: Microsoft Defender for Endpoint (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - palo-alto-networks-11
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+
+We're excited to introduce the new Microsoft Defender for Endpoint app for Sumo Logic. This app enables you to gain real-time visibility into security alert data across your software projects and dependencies. This app also helps security and DevOps teams track risk exposure, prioritize remediation, and maintain a strong security posture. [Learn more](/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint).

cid-redirects.json

@@ -173,6 +173,7 @@
   "/03Send-Data/Collect-from-Other-Data-Sources/Sumo-Logic-Open-Source-Projects": "/docs/send-data/collect-from-other-data-sources/sumo-logic-open-source-projects",
   "/03Send-Data/Collector-FAQs": "/docs/send-data/collector-faq",
   "/Send-Data/Collector-FAQs": "/docs/send-data/collector-faq",
+  "/Send-Data/Collector-FAQs/How-can-I-tell-if-I'm-collecting-data": "/docs/send-data/collector-faq",
   "/03Send-Data/Collector-FAQs/Collector-fails-to-connect-to-Sumo%3A-Target-server-failed-to-respond-or-HTTP-504-or-HTTP-408-errors": "/docs/send-data/collector-faq",
   "/03Send-Data/Collector-FAQs/Collector-fails-to-connect-to-Sumo:-Target-server-failed-to-respond-or-HTTP-504-or-HTTP-408-errors": "/docs/send-data/collector-faq",
   "/03Send-Data/Collector-FAQs/Collector-locking-log-files-on-Windows-servers": "/docs/send-data/collector-faq",
@@ -188,6 +189,7 @@
   "/03Send-Data/Collector-Installation-and-Configuration/Linux": "/docs/send-data/installed-collectors/linux",
   "/03Send-Data/Collector-FAQs/Troubleshooting-time-discrepancies": "/docs/send-data/collector-faq",
   "/03Send-Data/Collector-FAQs/Windows%3A-%22This-Collector-does-not-seem-to-have-tanuki-wrapper-integration-enabled.%22": "/docs/send-data/collector-faq",
+  "/docs/send-data/collectors/docker-collector": "/docs/send-data/collect-from-other-data-sources/docker-collection-methods",
   "/03Send-Data/Hosted-Collectors": "/docs/send-data/hosted-collectors",
   "/03Send-Data/Hosted-Collectors/Configure-a-Hosted-Collector": "/docs/send-data/hosted-collectors/configure-hosted-collector",
   "/03Send-Data/Hosted-Collectors/Configure-Hosted-Collectors-for-Partitioning": "/docs/send-data/hosted-collectors/configure-hosted-collector",
@@ -266,6 +268,7 @@
   "/03Send-Data/Sources/01Sources-for-Installed-Collectors/Windows_Active_Directory_Inventory_Source": "/docs/send-data/installed-collectors/sources/windows-active-directory-inventory-source",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors": "/docs/send-data/hosted-collectors",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Amazon-CloudFront-Source": "/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudfront-source",
+  "/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source": "/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Amazon-CloudWatch-Source-for-Metrics": "/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Amazon-Path-Expressions": "/docs/send-data/hosted-collectors/amazon-aws/amazon-path-expressions",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Amazon-S3-Audit-Source": "/docs/send-data/hosted-collectors/amazon-aws/amazon-s3-audit-source",
@@ -1469,6 +1472,8 @@
   "/Dashboards-and-Alerts/Dashboards": "/docs/dashboards",
   "/Dashboards-and-Alerts/Dashboards/01-About-Dashboards": "/docs/dashboards/about",
   "/Dashboards-and-Alerts/Dashboards/Chart-Panel-Types": "/docs/dashboards/panels",
+  "/Dashboards-and-Alerts/Dashboards/Chart-Panel-Types/Area-Charts": "/docs/dashboards/panels/area-charts",
+  "/Dashboards_and_Alerts/Dashboards/Chart_Panel_Types/Line_Charts": "/docs/dashboards/panels/line-charts",
   "/Dashboards-and-Alerts/Dashboards/Edit-Dashboards-and-Panels/Change-the-Color-of-a-Chart-by-Value-Range-on-the-Search-Page": "/docs/dashboards",
   "/Dashboards-and-Alerts/Dashboards/Edit-Dashboards-and-Panels/Change-the-Color-of-a-Chart": "/docs/dashboards",
   "/Dashboards-and-Alerts/Dashboards/Get-Started-with-Dashboards-and-Panels/03Share-Dashboards": "/docs/manage/security/create-allowlist-ip-cidr-addresses",
@@ -1487,6 +1492,7 @@
   "/Manage/Search-Optimization-Tools/Manage-Partitions/About-Partitions": "/docs/manage/partitions",
   "/Manage/Search-Optimization-Tools/Manage-Scheduled-Views": "/docs/manage/scheduled-views",
   "/Manage/Search-Optimization-Tools/Manage-Scheduled-Views/Add-a-Scheduled-View": "/docs/manage/scheduled-views",
+  "/Manage/Search_Optimization_Tools/Manage_Scheduled_Views/Add_a_Scheduled_View": "/docs/manage/scheduled-views",
   "/Manage/Search_Optimization_Tools/Manage_Scheduled_Views/Scheduled_Views_Best_Practices_and_Examples": "/docs/manage/scheduled-views",
   "/Manage/Search_Optimization_Tools/Manage_Field_Extractions/Create_Field_Extraction_Templates": "/docs/manage/field-extractions/fer-templates",
   "/Manage/Search_Optimization_Tools/Manage_Field_Extractions/Create_a_Field_Extraction_Rule": "/docs/manage/field-extractions/create-field-extraction-rule",
@@ -1679,7 +1685,7 @@
   "/cid/10128": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vmware-workspace-one-source",
   "/cid/10129": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/dragos-source",
   "/cid/10731": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/akamai-cpc-source",
-  "/cid/10732": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zimperium-mtd-source", 
+  "/cid/10732": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zimperium-mtd-source",
   "/cid/10135": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
   "/cid/10136": "/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-logs-source",
   "/cid/10234": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source",
@@ -2900,6 +2906,7 @@
   "/cid/21035": "/docs/integrations/google/cloud-traffic-director",
   "/cid/21036": "/docs/integrations/google/cloud-vertex-ai",
   "/cid/21037": "/docs/integrations/google/cloud-vpn",
+  "/cid/21333": "/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint",
   "/cid/21039": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source",
   "/cid/21041": "/docs/integrations/google/cloud-security-command-center",
   "/cid/21097": "/docs/integrations/saas-cloud/confluent-cloud",
@@ -3564,6 +3571,7 @@
   "/Other_Solutions/Software_Development_Optimization_Solution/02_Supported_Tools_and_Schema": "/docs/observability/sdo/supported-tools-schema",
   "/docs/sdo/about-sdo": "/docs/observability/sdo/about-sdo",
   "/docs/sdo/integrate-tools-with-sdo": "/docs/observability/sdo/integrate-tools-with-sdo",
+  "/docs/sdo/set-up-sdo/sdo-manual-configuration": "/docs/observability/sdo/set-up-sdo/sdo-manual-configuration",
   "/docs/sdo/supported-tools-schema": "/docs/observability/sdo/supported-tools-schema",
   "/docs/sdo": "/docs/observability/sdo",
   "/Other_Solutions/Software_Development_Optimization_Solution/03_Set_up_the_Software_Development_Optimization_Solution": "/docs/observability/sdo/set-up-sdo",
@@ -3625,6 +3633,7 @@
   "/Send_Data/Sources/01Sources_for_Installed_Collectors/Local_File_Source": "/docs/send-data/installed-collectors/sources/local-file-source",
   "/Send_Data/Sources/01Sources_for_Installed_Collectors/Local_File_Source/Define_Boundary_Regex_for_Multiline_Messages": "/docs/send-data/installed-collectors/sources/define-boundary-regex-multiline-messages",
   "/Search/Search-FAQs/Compare-Log-Messages-by-Day-of-the-Week": "/docs/search/faq",
+  "/Search/Search-FAQs/Export-the-Results-of-a-Saved-File": "/docs/search/faq",
   "/Search/Search_Cheat_Sheets/Search-Operators-Cheat-Sheet": "/docs/search/search-cheat-sheets",
   "/Search/Search_Cheat_Sheets/Search_Operators_Cheat_Sheet": "/docs/search/search-cheat-sheets",
   "/Search/Search_Job_API/Search_Job_API": "/docs/api/search-job",
@@ -3858,6 +3867,7 @@
   "/Apps/Artifactory_App": "/docs/integrations/app-development/jfrog-artifactory",
   "/Apps/AWS_Lambda": "/docs/integrations/amazon-aws/lambda",
   "/Apps/AWS_Lambda/AWS_Lambda_App_Dashboards": "/docs/integrations/amazon-aws/lambda",
+  "/Apps/AWS_Lambda/Collect_Logs_for_AWS_Lambda": "/docs/integrations/amazon-aws/lambda",
   "/Apps/Docker_App/01_Collect_Events_and_Statistics_for_the_Docker_App": "/docs/integrations/containers-orchestration/docker-community-edition",
   "/Apps/GitHub_App": "/docs/integrations/app-development/github",
   "/Apps/IIS_App/Collect_Logs_for_IIS": "/docs/integrations/web-servers/iis-10",
@@ -3894,6 +3904,7 @@
   "/Beta/Cloud-to-Cloud_Integration_Framework/Workday_Source": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/workday-source",
   "/Beta/Dashboard-Data-API": "/docs/api/dashboard",
   "/Beta/Dashboard_(New)": "/docs/dashboards",
+  "/Beta/Dashboard_(Beta)": "/docs/dashboards",
   "/Beta/Dashboard_(Beta)/01Sumo_Logic's_New_Dashboard_(Beta)": "/docs/dashboards",
   "/Beta/Dashboard_(Beta)/Create_a_New_Dashboard_(Beta)": "/docs/dashboards",
   "/Beta/Fields": "/docs/manage/fields",
@@ -4287,6 +4298,7 @@
   "/docs/cse/cloud-siem/entities": "/docs/cse/records-signals-entities-insights",
   "/docs/cse/introduction-to-cloud-siem": "/docs/cse/get-started-with-cloud-siem",
   "/docs/integrations/sumo-apps/security-foundations": "/docs/integrations/sumo-apps/security-analytics",
+  "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch": "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs",
   "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-amazon-kinesis": "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs",
   "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-collector-script": "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs",
   "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/ms-graph-azure-ad-reporting-source": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source",
@@ -4319,6 +4331,7 @@
   "/docs/manage/security/audit-index": "/docs/manage/security/audit-indexes/audit-index",
   "/docs/manage/security/audit-event-index": "/docs/manage/security/audit-indexes/audit-event-index",
   "/docs/manage/security/search-audit-index": "/docs/manage/security/audit-indexes/search-audit-index",
+  "/docs/manage/users-roles/single-sign-on/sso-saml": "/docs/manage/security/saml",
   "/docs/manage/security/audit-index-access": "/docs/manage/users-roles/roles/create-manage-roles",
   "/docs/manage/security/audit-indexes/audit-index-access/": "/docs/manage/users-roles/roles/create-manage-roles",
   "/docs/manage/users-roles/roles/rbac-for-indexes": "/docs/manage/users-roles/roles/create-manage-roles",

docs/cse/match-lists-suppressed-lists/create-match-list.md

@@ -14,10 +14,6 @@ Match lists are lists of important indicators and identifiers configured by a Cl
 
 Here’s a use case for using a match list to define an allow list:  Vulnerability scanners often set off false alarms in security data, as they intentionally mimic the behavior of an attacker. Given that this behavior is safe and expected, you don’t want scanner activities to fire a rule. That’s what a match list is for. You can create a match list called “vuln_scanners” that contains the IP addresses of your scanners.
 
-:::tip
-There’s no reason you can’t use a match list to define “deny lists” of items. However, Cloud SIEM’s threat intel feature is designed for exactly that purpose. Most of the time, but not always, you should use threat intel lists for negative indicators. For more information, see [Match lists or threat intel: which to use?](#match-listor-threat-intel-which-to-use).
-:::
-
 Here are some match lists in Cloud SIEM.  
 
 <img src={useBaseUrl('img/cse/example-match-lists.png')} alt="Example match list" style={{border: '1px solid gray'}} width="800"/>
@@ -54,14 +50,6 @@ If any of the IP addresses within the record match one of the “vuln_scanner”
 
 For more information about referring to match list data in rules, see [Match lists](/docs/cse/rules/about-cse-rules#match-lists) in the *About Cloud SIEM Rules* topic.
 
-## Match list or threat intel: which to use?
-
-Cloud SIEM has another feature that is similar to match lists: threat intel. Like match lists, threat intel lists are lists of indicators and identifiers configured by a Cloud SIEM analyst. When deciding whether to put an indicator on a match list or a threat intel list, consider the following.
-
-Threat intel lists are intended specifically for negative identifiers that should definitely fire a signal. So, whenever a rule detects a record field that matches an item on a threat intel list, it *always* results in a signal. If that’s what you want to occur when a particular identifier is encountered in a record, you should put that identifier on an threat intel list. But, if you *don’t* want a match to invariably result in a signal, the item should be on a match list. For example, you might use a match list for negative indicators that should fire a signal only if a secondary condition is also met.
-
-Another difference between match lists and threat intel lists is the **Target Column** types they support. For instance, you can’t create a threat intel list that contains email addresses. So, although typically a threat intel list is what you’d use for suspicious indicators, in some cases, a match list is the answer.
-
 ## Match list limitations
 
 A match list can contain up to 100,000 items.

docs/integrations/microsoft-azure/index.md

@@ -337,6 +337,13 @@ This guide has documentation for all of the apps that Sumo Logic provides for Mi
       <p>A guide to the Sumo Logic app for Azure Kubernetes Service Control Plane.</p>
       </div>
     </div>
+    <div className="box smallbox card">
+      <div className="container">
+      <img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-for-identity.png')} alt="Thumbnail icon" width="40"/>
+      <h4><a href="/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint">Microsoft Defender for Endpoint</a></h4>
+      <p>A guide to the Sumo Logic app for Microsoft Defender for Endpoint.</p>
+      </div>
+    </div>
     <div className="box smallbox card">
       <div className="container">
       <img src={useBaseUrl('img/integrations/microsoft-azure/network-watcher.png')} alt="Thumbnail icon" width="50"/>