Merge branch 'main' into docs-448-normalization

Author: jpipkin1

blog-collector/2024-10-31.md

@@ -0,0 +1,21 @@
+---
+title: Version 19.514-1
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-collector/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+In this release, we've enhanced the security and stability of the Collector with added support for security patches and bug fixes.
+
+### Security Fixes
+
+- Upgraded `com.fasterxml.jackson.core` to version 2.15.4 to address jackson-core vulnerability (CVE-2023-0067).
+- Upgraded `org.apache.avro:avro` to version 1.11.4 to address ion-java vulnerability (CVE-2024-47561).
+
+### Bug Fix
+
+- Fixed the intermittent collector crash issue for AD source.
+

blog-cse/2024-10-31-content.md

@@ -17,7 +17,7 @@ We're excited to announce that when you create a role, you can select **Index Ac
 This feature was [previously only available to participants in our beta program](/release-notes-service/2023/12/31/#october-27-2023-manage-account). It is now available for general use.
 
 :::note
-These changes are rolling out across deployments incrementally and will be available on all deployments by October 25, 2024.
+These changes are rolling out across deployments incrementally and will be available on all deployments by November 15, 2024.
 :::
 
 [Learn more](/docs/manage/users-roles/roles/create-manage-roles/#create-a-role).

blog-service/2024-10-14-manage.md

@@ -14,7 +14,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
 
-We're excited to announce the general availability of AI-driven alerts for metrics anomalies, extending our AI-driven alerting to metrics-based monitors. This release helps reduce alert fatigue and enables faster incident resolution with automated playbooks.
+We're excited to announce the preview of AI-driven alerts for metrics anomalies, extending our AI-driven alerting to metrics-based monitors. This preview release helps reduce alert fatigue and enables faster incident resolution with automated playbooks.
 
 ### Key Features
 

blog-service/2024-10-22-alerts.md

@@ -0,0 +1,22 @@
+---
+title: Scan Budgets (Manage) 
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - scan-budgets
+  - manage
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We are happy to introduce our new **Usage Management** tab under the **Accounts** section. This feature allows you to define query spending limits, helping prevent unexpected charges and manage Sumo Logic credits, particularly in pay-per-use scenarios by limiting search volume.
+
+Key features include:
+
+- **Org-wide query budget**. Set a budget for queries that applies to all users in the organization.
+- **User level and role level query budget**. Set limits on query data volume at the user level and role level.
+- **Flexible actions**. Choose what happens when the budget limit is reached. Options include **Display a warning to the user** or **Restrict queries to background scans only**.
+
+Explore our technical documentation [here](/docs/manage/manage-subscription/usage-management/) to learn how to set up and use Scan Budgets.

blog-service/2024-10-29-manage.md

@@ -89,7 +89,7 @@ By default, when an entity’s Activity Score exceeds the threshold of 12, Clou
 
 After Cloud SIEM fires a particular Signal on a particular Entity, it suppresses Signals for that Signal-Entity combination for 12 to 24 hours. For more information, see [Redundant Signal suppression](#redundant-signal-suppression), below. 
 
-### Example of an Entity that has reached Activity Score threshold
+### Example of an Entity that has exceeded Activity Score threshold
 
 In the screenshot below, the **Details** pane on the left shows that the Insight was created for the entity “217.xxx.x.x”, an IP address. The right side of the page shows the Signals that contributed to the Insight. You can see each of the Signals relate to the IP address for which the Insight was created; in the Record underlying each of the Signals, is mapped to the `srcDevice_ip` schema attribute. 
 

docs/cse/get-started-with-cloud-siem/insight-generation-process.md

@@ -207,7 +207,7 @@ Cloud SIEM automatically normalizes, enriches, and correlates all your data acro
 
 <img src={useBaseUrl('img/cse/intro-cloud-siem-insight-generation-process-1.png')} alt="Records creation" style={{border: '1px solid gray'}} width="800"/>
 
-When records enter Cloud SIEM, rules analyze Entities on the records to produce Signals. The Signals are correlated, and if an Entity's activity score is 12 or more in a two-week period, [an Insight is generated](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) for that Entity.
+When records enter Cloud SIEM, rules analyze Entities on the records to produce Signals. The Signals are correlated, and if an Entity's activity score exceeds 12 or more in a two-week period, [an Insight is generated](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) for that Entity.
 
 <img src={useBaseUrl('img/cse/intro-cloud-siem-insight-generation-process-2.png')} alt="Insights creation" style={{border: '1px solid gray'}} width="725"/>
 
@@ -273,7 +273,7 @@ On the Cloud SIEM main page, you'll see a panel similar to this one. In this cas
 
 Cloud SIEM takes everything one step further and correlates those Signals into a manageable number of Insights. Here, just one Insight was created out of all those Signals.
 
-An Insight is a group of Signals clustered around a single entity. An Insight is created when the sum of the severity scores of Signals with the same entity goes above a certain activity score within a certain timeframe. By default, this is an activity score of 12 within the last 14 days. For example, if a rule was triggered with a severity of 5, and then ten days later another rule with the same entity and a severity of 5 was triggered, the total activity score would only be 10 in the last 14 days, so an Insight would not be created. However, if those same two rules had a severity score of 7, an Insight would be created.
+An Insight is a group of Signals clustered around a single entity. An Insight is created when the sum of the severity scores of Signals with the same entity goes above a certain activity score within a certain timeframe. By default, this is an activity score of 12 within the last 14 days. For example, if a rule was triggered with a severity of 5, and then ten days later another rule with the same entity and a severity of 5 was triggered, the total activity score would only be 10 in the last 14 days, so an Insight would not be created. However, if those same two rules had a severity score of 7, an Insight would be created because the total activity score exceeds 12.
 
 ## Get started with threat investigation
 
@@ -330,7 +330,7 @@ When you click into a Signal, you’ll have the option to see the full details o
 
 #### Entities
 
-The Entities tab lists all the entities that your rules have detected in the last 14 days, by default. Each entity has an Activity Score associated with it. The activity score is the sum of all the severity scores of all the unique signals associated with that entity. When an entity’s activity score reaches at least 12, an Insight is created. If you have several entities with relatively high activity scores, they might be a good starting point for a threat hunt.
+The Entities tab lists all the entities that your rules have detected in the last 14 days, by default. Each entity has an Activity Score associated with it. The activity score is the sum of all the severity scores of all the unique signals associated with that entity. When an entity’s activity score exceeds 12, an Insight is created. If you have several entities with relatively high activity scores, they might be a good starting point for a threat hunt.
 
 <img src={useBaseUrl('img/cse/intro-cloud-siem-entities.png')} alt="Entities tab" style={{border: '1px solid gray'}} width="800"/>
 

docs/cse/introduction-to-cloud-siem.md

@@ -17,8 +17,8 @@ To change the Insight generation settings:
 <br/>Your current detection settings are displayed on the Insight Detection page.<br/><img src={useBaseUrl('img/cse/detection-threshold-popup.png')} alt="Detection threshold settings" style={{border: '1px solid gray'}} width="600"/>
 1. Enter values for **Detection Threshold** and **Signal Suppression**:
      *  **Standard Threshold**
-         * **Detection Window (Days)**. Enter the duration, in days, during which an Entity's Activity Score must reach the threshold to result in an Insight being generated for the Entity. 
-         * **Threshold**. Enter the threshold Activity Score value that an Entity must reach during the detection window to result in an Insight being generated for the Entity. 
+         * **Detection Window (Days)**. Enter the duration, in days, during which an Entity's Activity Score must exceed the threshold to result in an Insight being generated for the Entity. 
+         * **Threshold**. Enter the threshold Activity Score value that an Entity must exceed during the detection window to result in an Insight being generated for the Entity. 
      * **Global Signal Suppression**
          * **Maximum Period (Hours)**. By default, redundant Signals for a Signal-Entity combination are automatically suppressed for a maximum period of 72 hours to avoid repeated Signals contributing to Insight generation. This setting lets you modify this period based upon your organizational needs. To change this setting, select the number of hours to suppress Signals, anywhere from 24 hours to 72 hours. For additional ways to control signal suppression, see [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/).
 1. Click **Save**. 

docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md

@@ -837,6 +837,23 @@ If `<field_name>` isn’t specified, the field dictionary is passed through inst
 
 `r|` syntax can be used here.
 
+:::tip
+`TRANSFORM*` operators only work on fields that contain a value, or a subfield within a JSON structure. 
+
+Suppose you had the following JSON array:
+
+```
+{
+"foo":
+{
+"bar":
+{
+"field":"value"
+```
+
+The `TRANSFORM*` operator must be placed on a subfield that contains a valid string or integer, in this case, `"field"`. Placing it on the top-level field, in this case `"foo"` or `"bar"`, will be ignored by the system.
+:::
+
 ### TRANSFORM_ALL
 
 Applies `<transfer_stanza_nam>` stanza to all fields (that have already been parsed or created by SET) that match the regular expression.

docs/cse/schema/parsing-language-reference-guide.md

@@ -94,7 +94,7 @@ To create a server profile specifying  the log destination, do the following:
 
 To configure syslog forwarding for traffic and threat logs, follow the steps to [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/configure-log-forwarding) as described in the Palo Networks documentation.
 
-As of March 24, 2022, some Palo Alto Network systems have experienced troubles with validating the Sumo Logic certificate due to their OCSP checking logic. Please contact Palo Alto’s support for  a workaround, and if needed, contact Sumo Logic’s support for the related Palo Alto Case number.
+As of March 24, 2022, some Palo Alto Network systems have experienced troubles with validating the Sumo Logic certificate due to their OCSP checking logic. If you encounter this problem, try disabling OCSP checking logic in the firewall. If you continue to have issues, contact Palo Alto’s support, and if needed, contact Sumo Logic’s support for the related Palo Alto case number.
 
 
 ### Step 4. Verify logs in Palo Alto Networks