Merge branch 'main' into add-create-monitors-section-to-otel-apps

Author: JV0812

blog-cse/2024-11-22-content.md

@@ -0,0 +1,61 @@
+---
+title: November 22, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - log parsers
+  - detection rules
+  - tag schemas
+image: https://help.sumologic.com/img/sumo-square.png  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+* New mapping support for: Qumulo Core, and Teramind Teraserver.
+* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
+* Updates to the existing Okta log mappings to support a new HTTP source log formatting.
+* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.
+
+Changes are enumerated below.
+
+### Rules
+* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
+   * Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
+* [New] THRESHOLD-S00116 Password Attack from IP
+   * This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
+* [Updated] FIRST-S00095 Password Attack from Host
+   * Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
+* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
+   * Baseline retention window size increased from 35 days to the standard 90 day retention.
+   * Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application".
+
+### Log Mappers
+* [New] Palo Alto Threat DLP non File - Custom Parser
+   * Mapping support added for event id pattern: threat-dlp-non-file.
+* [New] Qumulo Core - Catch All
+* [New] Qumulo Core - Login
+* [New] Teramind Authentication
+* [New] Teramind Catch All
+* [New] Teramind Email
+* [Updated] Code42 Incydr Alerts C2C
+* [Updated] Okta Authentication - auth_via_AD_agent
+* [Updated] Okta Authentication - auth_via_mfa
+* [Updated] Okta Authentication - auth_via_radius
+* [Updated] Okta Authentication - sso
+* [Updated] Okta Authentication Events
+* [Updated] Okta Catch All
+* [Updated] Okta Security Threat Events
+
+### Parsers
+* [New] /Parsers/System/Qumulo/Qumulo Core
+* [New] /Parsers/System/Salesforce/Salesforce
+* [New] /Parsers/System/Teramind/Teramind Teraserver
+* [Updated] /Parsers/System/Code42/Code42 Incydr
+   * Transform update for a new alert log format for tenantId.
+* [Updated] /Parsers/System/Okta/Okta
+   * Modified event_id from eventType to event_type.
+* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
+   * Additional parsing support for a new Palo Alto Threat event format.

docs/cse/administration/cse-audit-logging.md

@@ -37,7 +37,7 @@ Use  `_index=sumologic_system_events` to limit results to events related to sys
 
 You can use the `subsystem` field, which every event log contains, to limit the events returned to Cloud SIEM-related events:
 
-`subsystem=cse`
+`subsystem=cse*`
 
 For information about other fields you can use in Audit Index searches, see auto-generated documentation at the documentation URL for your deployment.
 
@@ -122,7 +122,7 @@ To search the Audit Event Index or System Event Index for logs that describe Clo
     ```sql
     _index=sumologic_system_events
     | json auto
-    | where subsystem="cse"
+    | where subsystem="cse*"
     ```
 3. Choose the time range for your search.
 4. Click **Start** to run the search.

package.json

@@ -16,19 +16,21 @@
   },
   "dependencies": {
     "@babel/plugin-proposal-decorators": "^7.23.7",
+    "@babel/runtime-corejs3": "7.26.0",
     "@braintree/sanitize-url": "^6.0.1",
-    "@docusaurus/core": "^3.5.2",
-    "@docusaurus/cssnano-preset": "^3.5.2",
-    "@docusaurus/plugin-client-redirects": "^3.5.2",
-    "@docusaurus/plugin-content-blog": "^3.5.2",
-    "@docusaurus/plugin-debug": "^3.5.2",
-    "@docusaurus/plugin-google-analytics": "^3.5.2",
-    "@docusaurus/plugin-google-gtag": "^3.5.2",
-    "@docusaurus/plugin-google-tag-manager": "^3.5.2",
-    "@docusaurus/plugin-sitemap": "^3.5.2",
-    "@docusaurus/preset-classic": "^3.5.2",
-    "@docusaurus/theme-classic": "^3.5.2",
-    "@docusaurus/theme-search-algolia": "^3.5.2",
+    "@docusaurus/bundler": "3.6.3",
+    "@docusaurus/core": "^3.6.3",
+    "@docusaurus/cssnano-preset": "3.6.3",
+    "@docusaurus/plugin-client-redirects": "3.6.3",
+    "@docusaurus/plugin-content-blog": "^3.6.3",
+    "@docusaurus/plugin-debug": "3.6.3",
+    "@docusaurus/plugin-google-analytics": "3.6.3",
+    "@docusaurus/plugin-google-gtag": "3.6.3",
+    "@docusaurus/plugin-google-tag-manager": "3.6.3",
+    "@docusaurus/plugin-sitemap": "3.6.3",
+    "@docusaurus/preset-classic": "3.6.3",
+    "@docusaurus/theme-classic": "3.6.3",
+    "@docusaurus/theme-search-algolia": "3.6.3",
     "@emotion/react": "^11.10.5",
     "@emotion/styled": "^11.10.5",
     "@eslint/eslintrc": "^1.3.3",
@@ -48,24 +50,32 @@
     "@svgr/plugin-svgo": "8.1.0",
     "@svgr/webpack": "8.1.0",
     "@swc/core": "^1.6.5",
+    "@types/eslint": "9.6.1",
+    "@types/eslint-scope": "3.7.7",
+    "ansi-escapes": "4.3.2",
     "cacheable-request": "^10.2.7",
     "cheerio": "1.0.0-rc.12",
     "clsx": "^1.1.1",
     "codespell": "^1.1.7",
+    "consola": "3.2.3",
     "css-declaration-sorter": "7.2.0",
     "css-tree": "2.3.1",
+    "cssdb": "8.2.1",
     "cssnano": "6.1.2",
     "csso": "5.0.5",
     "docusaurus-plugin-sass": "^0.2.1",
     "docusaurus2-dotenv": "^1.4.0",
     "electron-to-chromium": "1.4.755",
+    "figures": "3.2.0",
     "file-loader": "^6.2.0",
     "follow-redirects": "^1.15.6",
     "glob-parent": "^5.1.2",
     "got": "^12.5.2",
     "infima": "0.2.0-alpha.42",
+    "jsesc": "3.0.2",
     "json5": "^2.2.3",
     "loader-utils": "^3.2.1",
+    "markdown-table": "2.0.0",
     "mdn-data": "2.0.30",
     "mdx-mermaid": "^2.0.0",
     "mermaid": "^10.9.3",
@@ -74,6 +84,7 @@
     "node-fetch": "^2.6.7",
     "node-forge": "^1.3.0",
     "nth-check": "^2.0.1",
+    "path-to-regexp": "3.3.0",
     "postcss": "^8.4.38",
     "postcss-calc": "9.0.1",
     "postcss-colormin": "6.1.0",
@@ -112,15 +123,19 @@
     "react-iframe": "^1.8.0",
     "react-json-view-lite": "1.2.1",
     "react-live": "^4.1.5",
+    "regjsgen": "0.8.0",
     "remark-code-import": "^1.2.0",
     "remark-emoji": "^4.0.1",
     "remark-import-partial": "^0.0.2",
+    "repeat-string": "1.6.1",
     "sass": "^1.44.0",
     "sass-loader": "^12.4.0",
+    "serve-handler": "6.1.6",
     "shelljs": "^0.8.5",
     "snake-case": "3.0.4",
     "sort-css-media-queries": "2.2.0",
     "staticrypt": "^3.3.0",
+    "std-env": "3.8.0",
     "stylehacks": "6.1.1",
     "svgo": "3.2.0",
     "swc": "^1.0.11",
@@ -129,10 +144,13 @@
     "url-loader": "^4.1.1",
     "use-sync-external-store": "1.2.0",
     "webpack": "^5.94.0",
+    "webpack-bundle-analyzer": "4.10.2",
+    "webpack-merge": "6.0.1",
+    "wildcard": "2.0.1",
     "yaml": "^2.3.1"
   },
   "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.5.2",
+    "@docusaurus/module-type-aliases": "^3.6.3",
     "@tsconfig/docusaurus": "^1.0.4",
     "@types/react": "^17.0.0",
     "@types/webpack-env": "^1.16.3",