Merge branch 'main' into deprecate_gis

Author: naveenrama

docs/cloud-soar/incidents-triage.md

@@ -503,3 +503,7 @@ With the **Report** option, you can create incident reports to share with others
     1. Click **Save**.<br/><img src={useBaseUrl('img/cloud-soar/delivery-2-save-report.png')} alt="Save a report" style={{border: '1px solid gray'}} width="300"/>
 1. Click **Export** to export the report to PDF.
 1. Click **Open** to open available reports.
+
+## Additional resources
+
+Blog: [Want to improve collaboration and reduce incident response time? Try Cloud SOAR War Room](https://www.sumologic.com/blog/want-to-improve-collaboration-and-reduce-incident-response-time-try-cloud-soar-war-room)

docs/cloud-soar/introduction.md

@@ -663,3 +663,15 @@ Let's create a custom automation rule. This rule will pull information from Clou
 1. Leave the other fields as their defaults, then click **Save**. 
 1. As a best practice, you can enable and test the new rule, but then disable it, since it can disrupt your environment. Continue testing your rule until their behavior is expected before deciding to enable it.
 
+## Additional resources
+
+* Blogs: 
+   * [Why you need both SIEM and SOAR to improve SOC efficiencies and increase effectiveness](https://www.sumologic.com/blog/why-you-need-siem-and-soar-to-improve-soc-efficiencies)
+   * [Cloud-native SOAR and SIEM solutions pave the road to the modern SOC](https://www.sumologic.com/blog/cloud-native-soar-and-siem-solutions-pave-the-road-to-the-modern-soc)
+   * [SIEM vs SOAR: Evaluating security tools for the modern SOC](https://www.sumologic.com/blog/soar-vs-siem)
+   * [Overwhelmed: Why SOAR solutions are a game changer](https://www.sumologic.com/blog/overwhelmed-why-soar-solutions-are-a-game-changer)
+   * [How to improve MTTD and MTTR with SOAR](https://www.sumologic.com/blog/how-to-improve-mttd-and-mttr-with-soar)
+   * [How to implement cybersecurity automation in SecOps with SOAR (7 simple steps)](https://www.sumologic.com/blog/how-to-implement-cyber-security-automation-in-secops-with-soar-7-simple-steps)
+* Briefs
+   * [Sumo Logic Cloud SOAR Solutions Brief](https://www.sumologic.com/briefs/sumo-logic-cloud-soar-solutions-brief)
+   * [How to calculate the ROI of Cloud SOAR](https://www.sumologic.com/briefs/how-to-calculate-roi-of-cloud-soar)

docs/cse/administration/mitre-coverage.md

@@ -201,7 +201,9 @@ To find the Cloud SIEM API documentation for your endpoint, see [Cloud SIEM APIs
 
 ## Additional resources
 
-* Blog: [Enhance your cloud security with MITRE ATT&CK and Sumo Logic Cloud SIEM](https://www.sumologic.com/blog/cloud-siem-mitre-attack/)
+* Blogs: 
+   * [Enhance your cloud security with MITRE ATT&CK and Sumo Logic Cloud SIEM](https://www.sumologic.com/blog/cloud-siem-mitre-attack/)
+   * [Unique approaches to MITRE ATT&CK—make the most of its potential](https://www.sumologic.com/blog/mitre-attack-how-sumo-logic-makes-it-work-for-you)
 * Glossary: [MITRE ATT&CK - definition & overview](https://www.sumologic.com/glossary/mitre-attack/)
 * Demo: [MITRE ATT&CK Coverage Explorer](https://www.sumologic.com/demo/cloud-siem-mitre-attack-coverage-explorer/)
 * Cloud SIEM Content Catalog: [Vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md)

docs/cse/automation/about-automation-service-and-cloud-siem.md

@@ -96,3 +96,6 @@ The Automation Service uses the [Cloud SOAR API](/docs/api/cloud-soar/).
 
 Cloud SIEM automation data is retained in accordance with Sumo Logic's policies. For more information, see [Cloud SIEM Data Retention](/docs/cse/administration/cse-data-retention).
 
+## Additional resources
+
+Blog: [Faster security investigation with Cloud SIEM playbooks](https://www.sumologic.com/blog/faster-security-investigation-siem-playbooks)

docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md

@@ -176,16 +176,20 @@ Involved entities are connected to the primary entity with dashed lines. Entitie
 It's possible for a related entity to both be involved and detected. In that case, it typically be displayed as detected unless it is in a number of the insight's signals.
 :::
 
-How does Cloud SIEM detect entity relationships outside of the insight? Within the time range of the insight, described above, Cloud SIEM searches for related entities in the following normalized record fields:
+How does Cloud SIEM detect entity relationships outside of the insight? Within the time range of the insight, described above, Cloud SIEM searches for related [entities in the following normalized record fields](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md):
 * `*_command`
+* `*_deployment`
 * `*_domain`
 * `*_email`
 * `*_file`
 * `*_hash`
 * `*_hostname`
 * `*_ip`
 * `*_mac`
+* `*_pod`
 * `*_process`
+* `*_replicaset`
+* `*_resource`
 * `*_url`
 * `*_useragent`
 * `*_username`
@@ -272,3 +276,9 @@ When you select an entity on the page, the right pane displays details about tha
 
 You can access related entity information using the Cloud SIEM API. For more information, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis).
 
+## Additional resources
+
+Demos: 
+* [Cloud SIEM: Complete threat detection, investigation and response demo](https://www.sumologic.com/demo/complete-threat-detection-investigation-and-response-demo)
+* [Cloud SIEM: Insight investigation](https://www.sumologic.com/demo/insight-investigation)
+* [Cloud SIEM: Cloud insights triaging and investigation](https://www.sumologic.com/demo/cloud-insights)

docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md

@@ -80,3 +80,7 @@ The card at the top of the pane provides key information about the latest new in
 * **Global Confidence**. [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight, if available.
 * **Most Active Entities**. [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) that are currently appearing the most in activity. Hover your mouse over an entity and click **View Timeline** to see the [entity timeline](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entity-timeline-tab). 
 * **Today**. Shows changes made today, such as insights created, status changes, and comments. Items are listed in chronological order, with the newest first.
+
+## Additional resources
+
+Demo: [Cloud SIEM: Heads up display (HUD)](https://www.sumologic.com/demo/heads-up-display-hud)

docs/cse/get-started-with-cloud-siem/insight-generation-process.md

@@ -31,25 +31,28 @@ Watch this micro lesson to learn how insights are created.
 
 ## Entities in messages are mapped to entity-type schema attributes
 
-During the next step of the [record processing flow](/docs/cse/schema/record-processing-pipeline)—log mapping—message fields are mapped to Cloud SIEM schema attributes. During this process, each entity field from a message is mapped to one of the following Cloud SIEM schema entity attributes:
-
-| Entity type | Schema attributes |
-|:----- |:----- |
-| Command | `commandLine` |
-| Domain | `http_referer_fqdn`, `http_url_fqdn` |
-| Email | `targetUser_email`, `user_email` |
-| File | `file_path`, `file_basename` |
-| Hash | `file_hash_imphash`, `file_hash_md5`, `file_hash_pehash`, `file_hash_sha1`, `file_hash_sha256`, `file_hash_ssdeep` |
-| Hostname | `device_hostname`, `device_hostname_raw`, `dstDevice_hostname`, `dstDevice_hostname_raw`, `srcDevice_hostname`, `srcDevice_hostname_raw` |
-| IP Address | `device_ip`, `device_natIp`, `dns_replyIp`, `dstDevice_ip`, `dstDevice_natIp`, `srcDevice_ip`, `srcDevice_natIp` |
-| MAC Address | `device_mac`, `dstDevice_mac`, `srcDevice_mac` |
-| Process | `baseImage`, `parentBaseImage` |
-| URL | `http_url` |
-| User Agent | `http_userAgent` |
-| Username | `fromUser_username`, `fromUser_username_raw`, `user_username`, `user_username_raw` |
-
-Which particular attribute an entity gets mapped to depends on the [field mappings](/docs/cse/schema/create-structured-log-mapping) in the log mapper for the message source. Given the example message above, “thedude” might be mapped to `user_username` and "185.35.135.245"
-to `srcDevice_ip`. 
+During the next step of the [record processing flow](/docs/cse/schema/record-processing-pipeline)—log mapping—message fields are mapped to Cloud SIEM schema attributes. During this process, each entity field from a message is mapped to one of the following [Cloud SIEM schema entity attributes](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md):
+
+| Entity type | Field | Schema attributes |
+|:-- |:-- |:--|
+| Command | `_command` | `commandLine` |
+| Deployment | `_deployment` | `device_k8s_normalizedDeploymentName`, `dstDevice_k8s_normalizedDeploymentName`, `srcDevice_k8s_normalizedDeploymentName` |
+| Domain | `_domain` | `http_referer_fqdn`, `http_url_fqdn` |
+| Email | `_email` | `targetUser_email`, `user_email` |
+| File | `_file` | `file_path`, `file_basename` |
+| Hash | `_hash` | `file_hash_imphash`, `file_hash_md5`, `file_hash_pehash`, `file_hash_sha1`, `file_hash_sha256`, `file_hash_ssdeep` |
+| Hostname | `_hostname` | `device_hostname`, `device_hostname_raw`, `dstDevice_hostname`, `dstDevice_hostname_raw`, `srcDevice_hostname`, `srcDevice_hostname_raw` |
+| IP Address | `_ip` | `device_ip`, `device_natIp`, `dns_replyIp`, `dstDevice_ip`, `dstDevice_natIp`, `srcDevice_ip`, `srcDevice_natIp` |
+| MAC Address | `_mac` | `device_mac`, `dstDevice_mac`, `srcDevice_mac` |
+| Pod | `_pod` | `device_k8s_normalizedPodName`, `dstDevice_k8s_normalizedPodName`, `srcDevice_k8s_normalizedPodName` |
+| Process | `_process` | `baseImage`, `parentBaseImage` |
+| Replica Set | `_replicaset` | `device_k8s_normalizedReplicaSetName`, `dstDevice_k8s_normalizedReplicaSetName`, `srcDevice_k8s_normalizedReplicaSetName` |
+| Resource | `_resource` | `resource` |
+| URL | `_url` | `http_url` |
+| User Agent | `_useragent` | `http_userAgent` |
+| Username | `_username` | `fromUser_username`, `fromUser_username_raw`, `user_username`, `user_username_raw` |
+
+Which particular attribute an entity gets mapped to depends on the [field mappings](/docs/cse/schema/create-structured-log-mapping) in the log mapper for the message source. Given the example message above, “thedude” might be mapped to `user_username` and "185.35.135.245" to `srcDevice_ip`. 
 
 ## Rules have one or more On Entity attributes
 

docs/cse/get-started-with-cloud-siem/intro-for-administrators.md

@@ -507,4 +507,16 @@ In this section, you'll create a custom automation using the playbook you create
 1. While still on the insight details screen, click on the **Automations** tab on the top of the screen to see the results of executing your automation. This view will show the status of the automations run on that insight, such as "Running", "Success" or "Completed with errors". 1. 
 1. If errors occur, you can click the **View Playbook** link on the right side to see the Playbook view, along with any execution errors that occurred. For help, see [Troubleshoot playbooks](/docs/platform-services/automation-service/automation-service-playbooks/#troubleshoot-playbooks).
 
-You now have a custom automation that can be manually run or attached to an insight upton creation or closing.
+You now have a custom automation that can be manually run or attached to an insight upton creation or closing.
+
+## Additional resources
+
+* Blogs: 
+   * [Securing IaaS, PaaS and SaaS with a Cloud SIEM](https://www.sumologic.com/blog/securing-iaas)
+   * [How using Cloud SIEM dashboards and metrics for daily standups improves SOC efficiency](https://www.sumologic.com/blog/how-using-cloud-siem-dashboards-and-metrics-for-daily-standups-improves-soc-efficiency)
+   * [Weaponizing paranoia: developing a threat detection strategy](https://www.sumologic.com/blog/weaponizing-paranoia-developing-a-threat-detection-strategy)
+   * [Fine-tuning Cloud SIEM detections through machine learning](https://www.sumologic.com/blog/tuning-cloud-siem-machine-learning)
+* Briefs
+   * [8 reasons why you need Sumo Logic for your Cloud SIEM](https://www.sumologic.com/briefs/cloud-siem-8-reasons)
+   * [How to evolve your security with a Cloud SIEM](https://www.sumologic.com/briefs/cloud-siem-enabling-greater-security-maturity-at-every-level)
+* Demo: [Cloud SIEM: MITRE ATT&CK™ coverage explorer](https://www.sumologic.com/demo/mitre-attack-coverage-explorer)

docs/cse/get-started-with-cloud-siem/intro-for-analysts.md

@@ -440,4 +440,19 @@ Rule tuning, custom rules, and custom insights are just a taste of what you can
 * [Log mappings](/docs/cse/schema/create-structured-log-mapping/)
 * [Match lists](/docs/cse/match-lists-suppressed-lists/)
 * [APIs](/docs/cse/administration/cse-apis/) and other [plugins](/docs/cse/integrations/)
-* How much data Cloud SIEM [ingests](/docs/cse/ingestion/)
+* How much data Cloud SIEM [ingests](/docs/cse/ingestion/)
+
+## Additional resources
+
+* Blogs:
+   * [Protecting identities with the Sumo Logic platform](https://www.sumologic.com/blog/protecting-identities-sumo-platform)
+   * [Hunt for cloud session anomalies with Cloud SIEM](https://www.sumologic.com/blog/hunt-cloud-session-anomalies)
+   * [Why your security analytics needs proactive threat hunting](https://www.sumologic.com/blog/why-proactive-threat-hunting-is-a-necessity)
+   * [Threat hunting with Sumo Logic: The Command Line](https://www.sumologic.com/blog/threat-hunting-command-line)
+   * [Responding to remote service appliance vulnerabilities with Sumo Logic](https://www.sumologic.com/blog/appliance-vulnerabilities-sumo)
+   * [Cloudy with a chance of breach: advanced threat hunting strategies for a hyperconnected and SaaSy world](https://www.sumologic.com/blog/threat-hunting-hybrid-cloud-environment)
+* Demos: 
+   * [Cloud SIEM: Complete threat detection, investigation and response demo](https://www.sumologic.com/demo/complete-threat-detection-investigation-and-response-demo)
+   * [Cloud SIEM: Heads up display (HUD)](https://www.sumologic.com/demo/heads-up-display-hud)
+   * [Cloud SIEM: Insight investigation](https://www.sumologic.com/demo/insight-investigation)
+   * [Cloud SIEM: Cloud insights triaging and investigation](https://www.sumologic.com/demo/cloud-insights)

docs/cse/records-signals-entities-insights/create-an-entity-group.md

@@ -122,3 +122,7 @@ array_contains(fieldTags["srcDevice_ip"], "DB Server")
 ## API support
 
 You can use the `/entity-group-configuration` API to create, read, update, and delete entity groups. For more information, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis).
+
+## Additional resources
+
+Blog: [Use new Cloud SIEM Entity Groups to make threat response more efficient](https://www.sumologic.com/blog/cloud-siem-entity-groups)