Merge branch 'main' into docs-696-insight-list-page

Author: jpipkin1

.github/workflows/job_trigger-jenkins-pipeline.yml

@@ -15,26 +15,28 @@ on:
         required: true
       WEBOPS_JENKINS_HOST:
         required: true
-      WEBOPS_AWS_ACCESS_KEY:
-        required: true
-      WEBOPS_AWS_SECRET_KEY:
+      WEBOPS_AWS_ROLE_JENKINS:
         required: true
       WEBOPS_WEBHOOK_TOKEN:
         required: true
 
 jobs:
   trigger-jenkins-pipeline:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Get runner IP
         if: always()
         id: ip
         uses: haythem/[email protected]
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+        with:
+          role-to-assume: ${{ secrets.WEBOPS_AWS_ROLE_JENKINS }}
+          aws-region: us-east-1
       - name: Add runner to AWS security group ingress
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.WEBOPS_AWS_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.WEBOPS_AWS_SECRET_KEY }}
-          AWS_DEFAULT_REGION: ${{ secrets.WEBOPS_AWS_REGION }}
         run: aws ec2 authorize-security-group-ingress --group-name ${{ secrets.WEBOPS_AWS_SG_NAME }} --protocol tcp --port ${{ secrets.WEBOPS_JENKINS_PORT }} --cidr ${{ steps.ip.outputs.ipv4 }}/32
       - name: Trigger Jenkins pipeline
         run: |
@@ -43,9 +45,5 @@ jobs:
             -X POST \
             ${{ secrets.WEBOPS_JENKINS_HOST }}:${{ secrets.WEBOPS_JENKINS_PORT || '80' }}/generic-webhook-trigger/invoke?token=${{ secrets.WEBOPS_WEBHOOK_TOKEN }}
       - name: Remove runner from AWS security group ingress
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.WEBOPS_AWS_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.WEBOPS_AWS_SECRET_KEY }}
-          AWS_DEFAULT_REGION: ${{ secrets.WEBOPS_AWS_REGION }}
         if: always()
         run: aws ec2 revoke-security-group-ingress --group-name ${{ secrets.WEBOPS_AWS_SG_NAME }} --protocol tcp --port ${{ secrets.WEBOPS_JENKINS_PORT }} --cidr ${{ steps.ip.outputs.ipv4 }}/32

.github/workflows/workflow_deploy-to-pantheon-prod.yml

@@ -2,6 +2,7 @@ name: Deploy to production
 
 permissions:
   contents: write
+  id-token: write
 
 on:
   push:
@@ -38,8 +39,7 @@ jobs:
       WEBOPS_AWS_SG_NAME: ${{ secrets.WEBOPS_AWS_SG_NAME }}
       WEBOPS_JENKINS_PORT: ${{ secrets.WEBOPS_JENKINS_PORT }}
       WEBOPS_JENKINS_HOST: ${{ secrets.WEBOPS_JENKINS_HOST }}
-      WEBOPS_AWS_ACCESS_KEY: ${{ secrets.WEBOPS_AWS_ACCESS_KEY }}
-      WEBOPS_AWS_SECRET_KEY: ${{ secrets.WEBOPS_AWS_SECRET_KEY }}
+      WEBOPS_AWS_ROLE_JENKINS: ${{ secrets.WEBOPS_AWS_ROLE_JENKINS }}
       WEBOPS_WEBHOOK_TOKEN: ${{ secrets.WEBOPS_WEBHOOK_TOKEN }}
   notify-channel:
     needs: [build-site,deploy-to-pantheon,trigger-jenkins-pipeline]

blog-cse/2025-12-05-content.md

@@ -0,0 +1,96 @@
+---
+title: December 05, 2025 - Content Release
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+This new and updated content is effective as of December 4, 2025.
+
+This content release includes:
+- Updates to product naming from "G Suite" to "Google Workspace" across rules, log mappers, and parsers to reflect the current branding.
+- Update to product naming from "Dell SonicWall" to "SonicWall Firewall" in parsers and log mappers.
+- New support for Asana audit logging.
+
+Additional changes are enumerated below.
+
+## Rules
+- [Updated] MATCH-S00630 GCP Audit IAM DeleteServiceAccount Observed
+- [Updated] MATCH-S00629 GCP Audit IAM DisableServiceAccount Observed
+- [Updated] MATCH-S00117 Google Workspace - Access - Access Transparency
+- [Updated] MATCH-S00115 Google Workspace - Admin - User Settings - Turn Off 2SV
+- [Updated] MATCH-S00133 Google Workspace - Admin Activity
+- [Updated] MATCH-S00125 Google Workspace - Drive - Drive Open To Public
+- [Updated] MATCH-S00301 Google Workspace - Excessive OAuth Application Permissions Scope
+- [Updated] MATCH-S00128 Google Workspace - Login - Account Warning
+- [Updated] MATCH-S00129 Google Workspace - Login - Government Attack Warning
+- [Updated] MATCH-S00121 Google Workspace - Mobile - Suspicious Activity
+- [Updated] MATCH-S00227 Google Workspace - Unauthorized OAuth Application
+- [Updated] MATCH-S00120 Google Workspace - User Accounts - 2SV Disabled
+
+## Log Mappers
+- [New] Asana Audit Authentication
+- [New] Asana Audit Catch All
+- [Updated] Azure ResourceHealth and ServiceHealth
+- [Updated] AzureActivityLog AuditLogs
+- [Updated] Google Workspace - access_transparency/GSUITE_RESOURCE/ACCESS
+- [Updated] Google Workspace - admin
+- [Updated] Google Workspace - calendar
+- [Updated] Google Workspace - drive.access
+- [Updated] Google Workspace - drive.acl_change
+- [Updated] Google Workspace - gcp
+- [Updated] Google Workspace - gplus
+- [Updated] Google Workspace - groups
+- [Updated] Google Workspace - groups_enterprise
+- [Updated] Google Workspace - login - password_change/recovery_info_change
+- [Updated] Google Workspace - login - risky_sensitive_action_allowed
+- [Updated] Google Workspace - login challenge
+- [Updated] Google Workspace - login-blocked_sender_change
+- [Updated] Google Workspace - login-email_forwarding_change
+- [Updated] Google Workspace - login.account_warning
+- [Updated] Google Workspace - login.gov_attack_warning
+- [Updated] Google Workspace - login.login
+- [Updated] Google Workspace - logout
+- [Updated] Google Workspace - meet
+- [Updated] Google Workspace - mobile
+- [Updated] Google Workspace - rules
+- [Updated] Google Workspace - saml
+- [Updated] Google Workspace - token
+- [Updated] Google Workspace - user_accounts
+- [Updated] Google Workspace Alert Center - AppMaker Editor
+- [Updated] Google Workspace Alert Center - Data Loss Prevention
+- [Updated] Google Workspace Alert Center - Domain wide takeout
+- [Updated] Google Workspace Alert Center - Gmail phishing
+- [Updated] Google Workspace Alert Center - Gmail phishing (Misconfigured whitelist)
+- [Updated] Google Workspace Alert Center - Google Operations
+- [Updated] Google Workspace Alert Center - Google identity
+- [Updated] Google Workspace Alert Center - Mobile device management (Device compromised)
+- [Updated] Google Workspace Alert Center - Mobile device management (Suspicious activity)
+- [Updated] Google Workspace Alert Center - Security Center rules
+- [Updated] Google Workspace Alert Center - Sensitive Admin Action
+- [Updated] Google Workspace Alert Center - State Sponsored Attack
+- [Updated] Google Workspace Alert Center - User Changes
+- [Updated] Netskope - Alerts
+    - Updated action and normalizedAction field mappings.
+- [Updated] SonicWall Firewall - Custom Parser
+- [Updated] SonicWall Flows
+- [Updated] Thinkst Canary Parser - Catch All
+    - Added additional field mappings.
+- [Updated] Windows - Security - 5145
+    - Removes redundant mapping of `baseimage` and `device_ip` fields.
+
+## Parsers
+- [New] /Parsers/System/Asana/Asana Audit
+- [New] /Parsers/System/Google/Google Workspace Alert Center
+- [New] /Parsers/System/Google/Google Workspace Audit
+- [New] /Parsers/System/SonicWall/SonicWall Firewall
+- [Updated] /Parsers/System/Dell/Dell SonicWall
+- [Updated] /Parsers/System/Google/G Suite Alert Center
+- [Updated] /Parsers/System/Google/G Suite Audit
+- [Updated] /Parsers/System/Linux/Linux OS Syslog
+    - Updated parser to drop certain systemd events not useful for security monitoring.
+- [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
+    - Modified parser to improve field extraction.

blog-csoar/2025-12-09-application-update.md

@@ -0,0 +1,47 @@
+---
+title: December 9, 2025 - Application Update
+hide_table_of_contents: true
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+keywords:
+  - automation service
+  - cloud soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## November release
+
+Following are the updates made in November.
+
+### Changes and enhancements
+
+#### Playbooks
+
+* Added user choice variables that let you retrieve user choice data in subsequent playbook actions in a playbook. [Learn more](/docs/platform-services/automation-service/playbooks/create-playbooks/#user-choice-variables).
+* Enhanced the user experience when selecting 'and/or' operators between conditions in both condition and filter nodes.
+
+#### Integrations
+
+* Added new integrations: 
+   * [Google Firebase](/docs/platform-services/automation-service/app-central/integrations/google-firebase/)
+   * [Monday](/docs/platform-services/automation-service/app-central/integrations/monday/)
+* [The Cisco Meraki](/docs/platform-services/automation-service/app-central/integrations/cisco-meraki/) integration has been fully upgraded to align with the latest Meraki Dashboard API (v1) and SDK (v2.0.3).
+* Added the Convert Time action to [Sumo Logic Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools/).
+* In [Microsoft OneDrive](/docs/platform-services/automation-service/app-central/integrations/microsoft-onedrive/) added support for downloading file from site document library using hostname and site name parameters.
+
+
+### Bug Fixes
+
+#### Playbooks
+
+* Added validation to prevent the creation of condition and filter nodes without defined conditions.
+* Updated the condition node to restrict the deletion of all conditions, avoiding the creation of empty nodes.
+* Fixed the 'split by' functionality in filter nodes to ensure splitting only occurs with array variables.
+
+#### Integrations
+
+In [Microsoft EWS (Graph)](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews-graph/) fixed an issue in the Search Emails Extended action.
+
+#### Misc 
+
+Fixed an issue causing duplicate key errors during incident ownership updates.

cid-redirects.json

@@ -380,6 +380,7 @@
   "/05Search/Library/About_AWS_S3_Sources": "/docs/send-data/hosted-collectors/amazon-aws/aws-sources",
   "/05Search/Library/Export-and-Import-Content-in-the-Library": "/docs/get-started/library",
   "/05Search/Library/Favorites": "/docs/get-started/library",
+  "/Search": "/docs/search",
   "/Search/Library/Library_Keyboard_Shortcuts": "/docs/get-started/keyboard-shortcuts",
   "/05Search/Library/Pinned-Searches": "/docs/search/get-started-with-search/search-page/pin-a-search",
   "/05Search/Library/Share-a-Saved-Search-from-the-Library": "/docs/get-started/library",
@@ -1498,7 +1499,7 @@
   "/Dashboards-and-Alerts/Dashboards/Get-Started-with-Dashboards-and-Panels/Markdown-Syntax": "/docs/dashboards/panels/markdown-syntax",
   "/Manage/01Account_Usage": "/docs/manage/manage-subscription",
   "/Manage/Connections-and-Integrations/Webhook-Connections/Set-Up-Webhook-Connections/Webhook_for_Opsgenie": "/docs/integrations/saas-cloud/opsgenie/",
-  "/Manage/01Account_Usage/Beta_Participation_Opt-In": "/docs/manage/manage-subscription/beta-opt-in",
+  "/Manage/01Account_Usage/Beta_Participation_Opt-In": "/docs/beta",
   "/Manage/Search_Optimization_Tools/Manage_Partitions/Create_a_Partition": "/docs/manage/partitions/",
   "/Manage/01Account_Usage/05Manage_Organization": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
   "/Manage/01Account_Usage/01Cloud_Flex_Credits": "/docs/manage/manage-subscription/sumo-logic-credits-accounts",
@@ -3144,7 +3145,7 @@
   "/Knowledge_Base/Parsing/Using_line_breaks_as_an_anchor_within_parse": "/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor",
   "/Knowledge_Base/Search": "/docs/search",
   "/Knowledge_Base/Search/How_to_Prevent_your_Scheduled_Search_from_Timing_Out": "/docs/alerts/scheduled-searches/faq",
-  "/Limited_Availability": "/docs/manage/manage-subscription/beta-opt-in",
+  "/Limited_Availability": "/docs/beta",
   "/Limited_Availability/Lookup_Tables": "/docs/search/search-query-language/search-operators/lookupcontains",
   "/Limited_Availability/Lookup_Tables/lookupContains_Operator": "/docs/search/search-query-language/search-operators/lookupcontains",
   "/Manage": "/docs/manage",
@@ -3165,10 +3166,10 @@
   "/Manage/01Manage_Subscription/10Create_and_Manage_Orgs_(Service_Providers)": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers",
   "/Manage/01Manage_Subscription/Create_and_Manage_Orgs_(Service_Providers)": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers",
   "/Manage/01Manage_Subscription/12Manage_Organizational_Settings": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
-  "/Manage/01Manage_Subscription/13Beta_Participation_Opt-In": "/docs/manage/manage-subscription/beta-opt-in",
+  "/Manage/01Manage_Subscription/13Beta_Participation_Opt-In": "/docs/beta",
   "/Manage/Manage_Subscription/Manage_Organizational_Settings": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
   "/Manage/01Manage_Subscription/14What_to_do_if_Your_Account_is_Locked": "/docs/manage/users-roles/users/account-locked",
-  "/Manage/01Manage_Subscription/16Beta_Participation_Opt-In": "/docs/manage/manage-subscription/beta-opt-in",
+  "/Manage/01Manage_Subscription/16Beta_Participation_Opt-In": "/docs/beta",
   "/Manage/01Manage_Subscription/18Close_or_cancel_a_Sumo_Logic_account": "/docs/manage/manage-subscription/close-cancel-sumo-account",
   "/Manage/01Manage_Subscription/Upgrade_a_Cloudflex_Credits_Free_or_Trial_Account": "/docs/manage/manage-subscription/upgrade-account/upgrade-credits-account",
   "/docs/manage/manage-subscription/upgrade-cloud-flex-credits-account": "/docs/manage/manage-subscription/upgrade-account/upgrade-sumo-logic-flex-account",
@@ -4599,5 +4600,6 @@
   "/docs/get-started/training-certification-faq-new": "/docs/get-started/training-certification-faq",
   "/docs/manage/scheduled-views/pausing-inactive-scheduled-views": "/docs/manage/scheduled-views/pause-disable-scheduled-views",
   "/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps",
-  "/docs/search/mobot-multiturn-beta": "/docs/search/mobot"
+  "/docs/search/mobot-multiturn-beta": "/docs/search/mobot",
+  "/docs/manage/manage-subscription/beta-opt-in": "/docs/beta"
 }

docs/beta/index.md

@@ -9,16 +9,27 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/icons/business/beta.png')} alt="icon" width="55"/>
 
-Learn about our Beta features that are coming soon to general availability. To participate, contact your Sumo account executive.
+Beta features are capabilities that are coming soon to general availability. To participate, contact your Sumo account executive.
 
-Betas are different than our generally available services in that they have additional terms and conditions for participation. You can [opt-in to beta terms and conditions](/docs/manage/manage-subscription/beta-opt-in), so that you only need to agree to the terms once.
-
-* We may make available to you a Preview, Limited Release, Alpha, Beta or other pre-release version of the service, applications, or APIs for non-production use (“Beta”).
+Betas are different than our generally available services in that they have additional terms and conditions for participation:
+* We may make available to you a Preview, Limited Release, Alpha, Beta, or other pre-release version of the service, applications, or APIs for non-production use.
 * Betas may have limited features, functions, indexing capacity, storage, data security, data continuity, data retention or other limitations as determined by Sumo Logic.
-* Sumo Logic may discontinue the Beta at any time.
-* We may also decide never to make the features and functionality in Beta generally available.
-* Betas (by their nature) have not been fully tested as they are still under development – and may be inoperable or incomplete, including more errors and bugs than our generally available offerings.
+* Sumo Logic may discontinue the beta at any time.
+* We may also decide never to make the features and functionality in beta generally available.
+* Betas (by their nature) have not been fully tested as they are still under development, and may be inoperable or incomplete, including more errors and bugs than our generally available offerings.
 * Betas are offered “as is” with no warranties or indemnities.
 
+## Features in open beta
+
+See [Beta Releases](/docs/contributing/style-guide/#beta-releases) for information about how we publish articles for features in closed beta and open beta.
+
+Following are articles for features in open beta:
 
-<DocCardList items={useCurrentSidebarCategory().items}/>
+<div className="box-wrapper" markdown="1">
+<div className="box smallbox card">
+  <div className="container">
+  <a href={useBaseUrl('docs/api/metrics-searches/')}><img src={useBaseUrl('img/icons/metrics.png')} alt="Thumbnail icon" width="40"/><h4>Metrics Search Management APIs</h4></a>
+  <p>Use Metrics Searches (Beta) API endpoints to save metrics searches in your content library, organize them in a folder hierarchy, and share useful queries with users in your organization.</p>
+  </div>
+</div>
+</div>

docs/cse/records-signals-entities-insights/create-custom-entity-type.md

@@ -11,7 +11,7 @@ This topic has instructions for how to create custom entity types in Cloud SIEM.
 
 In Cloud SIEM, *entities* are fundamental to the insight generation process. When a Cloud SIEM rule fires, it generates a signal for each “on-entity” attribute configured for the rule. Cloud SIEM correlates signals by entity to create insights. This process is described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic.
 
-Cloud SIEM has a number of built-in [entity types](/docs/cse/records-signals-entities-insights/view-manage-entities#about-entities), for example, IP Address, Hostname, and Username.
+Cloud SIEM has a number of built-in entity types, for example, IP address, hostname, and username. For a list of fields that Cloud SIEM considers entities and the entity types they map to, see [Schema: Entity Fields](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md) in the Cloud SIEM Content Catalog. 
 
 When you create a rule, in the signal configuration section, the rules editor prompts you to select an “on-entity” attribute from a list of all of the Cloud SIEM schema attributes that hold entities. What if you want to correlate signals by something other than an item that is one of Cloud SIEM standard entity types? That’s what custom entity types are for.
 

docs/cse/records-signals-entities-insights/view-manage-entities.md

@@ -37,29 +37,12 @@ Watch this micro lesson to learn more about entities.
 
 ## About entities
 
-In Cloud SIEM, an entity is a unique actor that a signal fired upon. Cloud SIEM has a number of [built-in entity types](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md):
-
-* Command
-* Deployment
-* Domain
-* Email
-* File
-* Hash
-* Hostname
-* IP Address
-* MAC Address
-* Pod
-* Process
-* Replica Set
-* Resource
-* URL
-* User Agent
-* Username
-
-You can create custom entity types as well. For more information, see [Create a Custom Entity Type](/docs/cse/records-signals-entities-insights/create-custom-entity-type/).
+In Cloud SIEM, an entity is a unique actor that a signal fired upon, for example, IP address, hostname, or username.
 
 When a signal is fired, if an entity doesn’t already exist in Cloud SIEM for the item that the signal fired on, Cloud SIEM creates an entity for it. For more information about entities and signal and insight generation, see [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process).
 
+For a list of fields that Cloud SIEM considers entities and the entity types they map to, see [Schema: Entity Fields](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md) in the Cloud SIEM Content Catalog. To create custom entity types, see [Create a Custom Entity Type](/docs/cse/records-signals-entities-insights/create-custom-entity-type/).
+
 :::note
 Entity names have a limit of 512 characters. If an entity's name value is 512 characters or longer, the system discards the log, and as a result, no signal is generated.
 :::