Merge branch 'DOCS-409' of github.com:SumoLogic/sumologic-documentation into DOCS-409

Author: kimsauce

blog-collector/2024-11-26.md

@@ -0,0 +1,25 @@
+---
+title: Version 19.516-1
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-collector/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+In this release, we've enhanced the security and stability of the Collector with added support for security patches.
+		
+### Security Fixes
+		
+- Upgraded `Tanuki version` to version 3.5.60 to fix the collector intermittently crashing issue.
+- Upgraded collector JRE to **Amazon Corretto Version 8.432.06.1**.
+		
+### Troubleshooting
+		
+When upgrading this collector version, the collector running as a non-root user (run as mode) or on a Mac operating system cannot be upgraded through the API/Web UI. To resolve these issue, follow the respective steps below:
+	- **Collector running as a non-root user.** An error message will be displayed indicating that the upgrade is not possible. The upgrade must be performed manually on your machine. Refer to [Upgrade Collectors in Sumo Logic](/docs/send-data/collection/upgrade-collectors/#upgrade-collectors-using-the-command-line) to upgrade the collector manually.
+	- **Collector running on Mac.** The process will stop while upgrading, and the collector will need to be restarted manually on your machine. Use the code below to restart manually.
+        ```
+        sudo ./collector start
+        ```

cid-redirects.json

@@ -2004,6 +2004,7 @@
   "/cid/10220": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/code42-incydr-source",
   "/cid/25618": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cse-aws-ec-inventory-source",
   "/cid/25619": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source",
+  "/cid/25779": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source",
   "/cid/25719": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source",
   "/cid/25620": "/docs/integrations/security-threat-detection/duo-security",
   "/cid/25621": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source",

docs/integrations/sumo-apps/flex.md

@@ -211,10 +211,18 @@ The **Flex - Capacity Utilization** dashboard displays the subscribed, actual, a
 
 The **Flex - Credits Consumed** dashboard provides visibility into the total amount of [Sumo Logic Credits](/docs/manage/manage-subscription/sumo-logic-credits-accounts) consumed by your organization. This allows you to monitor and control search costs.<br/><img src="https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Flex/Flex-Credits-Consumed.png" alt="Flex-Overview" style={{border:'1px solid gray'}} width="800" /> 
 
+:::note
+The `credits_conversion` parameter indicates the credits consumed per 1 GB of scan. The credits conversion used in the dashboard and saved searches might be different from what is defined in your contract (Credits Table) based on your account subscription type, so update this parameter for accurate calculation. Check with your account executive to determine this value for your account.
+:::
+
 ### Feature Level Scan Volume
 
 The **Flex - Feature Level Scan Volume** dashboard provides visibility into the scan volume at a feature level in order to monitor and control cost at a feature level.<br/><img src="https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Flex/Flex-Feature-Level-Scan-Volume.png" alt="Flex-Overview" style={{border:'1px solid gray'}} width="800" />
 
+:::note
+The `credits_conversion` parameter indicates the credits consumed per 1 GB of scan. The credits conversion used in the dashboard and saved searches might be different from what is defined in your contract (Credits Table) based on your account subscription type, so update this parameter for accurate calculation. Check with your account executive to determine this value for your account.
+:::
+
 ### Log Spikes
 
 The **Flex - Log Spikes** dashboard helps to review details of your data ingested for logs.<br/><img src="https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Flex/Flex-Log-Spikes.png" alt="Flex-Overview" style={{border:'1px solid gray'}} width="800" />

docs/manage/manage-subscription/usage-management.md

@@ -31,7 +31,7 @@ To manage the query size limit using the **Basic** configuration:
 :::info
 Sumo Logic defines scan as two types:
   - **Foreground interactive search**. Search page UI, Copilot, and Dashboards.
-  - **Background search**. API, Scheduled Search, Monitor, and SLO. 
+  - **Background search**. API, Scheduled Search, Monitor, Scheduled Views, and SLO. 
 :::
 
 :::note
@@ -62,7 +62,7 @@ To create the query size limit using the **Advanced** configuration:
     :::info
     Sumo Logic defines scan as two types:
     - **Foreground interactive search**. Search page UI, Copilot, and Dashboards.
-    - **Background search**. API, Scheduled Search, Monitors, and SLO. 
+    - **Background search**. API, Scheduled Search, Monitors, Scheduled Views, and SLO. 
     :::
 1. **Details**. Enter the name for the scan budget.<br/><img src={useBaseUrl('/img/manage/account/create-scan-budget.png')} alt="create-scan-budget" style={{border:'1px solid gray'}} width="650"/>
 1. Click **Save** to create the scan budget.
@@ -85,9 +85,8 @@ To view the selected scan budget:
   - **Deactivate/Activate**. Click the **Deactivate/Activate** button to deactivate/activate the selected scan budget.
   - **Delete**. Click the **Delete** button to delete the selected scan budget.
   - **View violations**. Sumo Logic recommends a GB value per query as per the 95th percentile to be within the safe limits. You can also check the query size of the last 10 queries by clicking on **Click here** to help you determine the appropriate size limit.
-  - **Budget Type**. Defines the type of budget set: **Per Query Budget** or **Time-Based Budgets**(TBA).
+  - **Budget Type**. Defines the type of budget set.
     - **Per Query Budget**. Limits the data (in GBs) that a single query can consume.
-    - **Time-Based Budgets**(TBA). Limits the data or credits consumed over a day, week, or month.
   - **Status**. Describes if the scan budget is active or inactive.
   - **Usage Category**. Describes the type of scan. For Flex this is shown as **Flex Scan** and for Data tier this is shown as **Infrequent Scan**.
   - **Applied to Roles**. Describes the roles for which the selected scan budget is applied for.
@@ -101,7 +100,6 @@ To view the selected scan budget:
   - **Audit Logs**. Records the budget definition changes. Click on **View Details** to view the budget definition changes.
   - **System Audit**. Records the breaches and budget enforcement. Click on **View Details** to view the list of breaches.
 
-
 ## FAQ
 
 ### Handle overlapping budgets

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source.md

@@ -60,18 +60,9 @@ To configure a CyberArk EPM Source, follow the steps below:
     * For the US datacenter, the dispatch server URL is `https://login.epm.cyberark.com`.
     * For the EU datacenter, the dispatch server URL is `https://eu.epm.cyberark.com`.
 1. **Application ID**. An application ID is a unique identifier that helps an API recognize which application or program is accessing it. It's like a name tag that allows the API to keep track of different applications using it. For example, *sumologic*.
-1. **Adjust Rate Limit for Admin Audit Events**. This option allows to customize the number of requests the CyberArk C2C source can make to [AdminAudit](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAdminAuditData.htm) endpoint. By default, it's set to 5 requests every 60 seconds, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm).
-	1. **Number of Calls (optional)**: The number of calls in the given time frame. This field is pre-filled with 5.
-	1. **Per Second(s) (optional)**: The duration of the time frame. This field is pre-filled with 60.
 1. **Collect Detailed Raw Events**. This option enables the CyberArk C2C Source to collect detailed raw events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Detailed Raw Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetDetailedRawEvents.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). Use below options to adjust this settings.
-	1. **Number of Calls (optional)**: The number of calls in the given time frame. This field is pre-filled with 1000.
-	1. **Per Second(s) (optional)**: The duration of the time frame. This field is pre-filled with 300.
 1. **Collect Aggregated Policy Audit Events**. This option enables the C2C Source to collect aggregated policy audit events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Aggregated Policy Audit Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAggregatedPolicyAudits.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). Use below options to adjust this settings.
-	1. **Number of Calls (optional)**: The number of calls in the given time frame. This field is pre-filled with 1000.
-	1. **Per Second(s) (optional)**: The duration of the time frame. This field is pre-filled with 300.
 1. **Collect Policy Audit Raw Events**. This option enables the C2C Source to collect policy audit raw events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Policy Audit Raw Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetPolicyAuditRawEventDetails.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). Use below options to adjust this settings.
-	1. **Number of Calls (optional)**: The number of calls in the given time frame. This field is pre-filled with 1000.
-	1. **Per Second(s) (optional)**: The duration of the time frame. This field is pre-filled with 300.
 1. **Polling Interval**. The polling interval is the frequency at which the CyberArk C2C Source will check for updates from the CyberArk EPM (Endpoint Privilege Manager). This field is pre-filled with 600.
 1. When you are finished configuring the Source, click **Save**.
 
@@ -106,11 +97,10 @@ Sources can be configured using UTF-8 encoded JSON files with the Collector Ma
 | password | String | Yes |  `null` | Password for your CyberArk EPM account. |  |
 | epm_server | String | Yes |  `null` | Dispatch Server of the CyberArk EPM. | |
 | application_id | String | Yes |  `null` | Unique identifier of the application who is accessing the API. |  |
-| ratelimit  | boolean | No  | True | Removes the request limitations imposed on the CyberArk C2C source. |  |
 | detailed_raw_events | boolean | No  | False | Collects detailed raw events. |  |
 | aggregated_policy_audits | boolean | No | False | Collects aggregated policy audits events. |  |
 | policy_audit_raw_events | boolean | No | False | Collects policy audit raw events. |  |
-| polling_interval | integer | Yes | 30 | Frequency of C2C updates from EPM. |  |  
+| polling_interval | integer | Yes | 600 | Frequency of C2C updates from EPM. |  |  
 
 ### JSON example
 
@@ -128,7 +118,7 @@ Sources can be configured using UTF-8 encoded JSON files with the Collector Ma
 
 * **Session Timeout**. The session timeout for all APIs is part of the session token and is defined by the Timeout for inactive session Server Configuration parameter.
 
-* **Adjust Request Limitations**. The CyberArk C2C source has default restrictions on the number of requests to the CyberArk EPM Server, as explained in the [CyberArk API Limitations](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm#APIlimitations) documentation. However, if your server has its custom limit for requests per second(s), you can use the provided options when configuring the source.
+* **Adjust Request Limitations**. The CyberArk C2C source has default restrictions on the number of requests to the CyberArk EPM Server per customer, as explained in the [CyberArk API Limitations](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm#APIlimitations) documentation.
 
 :::note
 When setting the poll frequency, it's recommended to consider these limitations and set the frequency to a reasonable value to ensure that the C2C operates efficiently without overwhelming the server.

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md

@@ -0,0 +1,101 @@
+---
+id: mandiant-threat-intel-source
+title: Mandiant Threat Intel Source (Beta)
+sidebar_label: Mandiant Threat Intel (Beta)
+tags:
+  - cloud-to-cloud
+  - mandiant-threat-intel
+description: Learn how to collect indicators list from Mandiant Threat Intel platform.
+---
+import CodeBlock from '@theme/CodeBlock';
+import ExampleJSON from '/files/c2c/mandiant-threat-intel/example.json';
+import MyComponentSource from '!!raw-loader!/files/c2c/mandiant-threat-intel/example.json';
+import TerraformExample from '!!raw-loader!/files/c2c/mandiant-threat-intel/example.tf';
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<head>
+  <meta name="robots" content="noindex" />
+</head>
+
+<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
+
+<img src={useBaseUrl('img/send-data/mandiant-threat-intel-logo.png')} alt="icon" width="60" />
+
+Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services. By scaling decades of frontline experience, Mandiant helps organizations to be confident in their readiness to defend against and respond to cyber threats. Mandiant is part of Google Cloud. The Mandiant Threat Intel integration ingests the indicators data from Mandiant API and sends it to Sumo Logic as normalized threat indicators.
+
+## Data collected
+
+| Polling Interval | Data |
+| :--- | :--- |
+| 5 min |  Indicators |
+
+## Setup
+
+### Vendor configuration
+
+:::note
+The Mandiant API documentation is not public and can only be accessed by partners or customers.
+:::
+
+The Mandiant Threat Intel source requires you to provide API Key ID and API Secret.
+
+### Source configuration
+
+When you create a Mandiant Threat Intel source, you add it to a Hosted Collector. Before creating the source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector).
+
+To configure a Mandiant Threat Intel source:
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 
+1. On the Collection page, click **Add Source** next to a Hosted Collector.
+1. Search for and select **Mandiant Threat Intel**.
+1. Enter a **Name** for the source. The description is optional.
+1. (Optional) For **Source Category**, enter any string to tag the output collected from the source. Category metadata is stored in a searchable field called `_sourceCategory`.
+1. (Optional) **Fields**. Click the **+Add** button to define the fields you want to associate. Each field needs a name (key) and value.
+   * ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
+   * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
+1. **API Key ID**. Enter the API key ID collected from the Mandiant Threat Intel platform.
+1. **API Secret**. Enter the API secret collected from the from the Mandiant Threat Intel platform.
+1. **Sumo Logic Threat Intel Source ID**. Enter your Sumo Logic namespace ID in which the indicators will be stored.
+1. **Polling Interval**. The polling interval is set for 5 minutes by default. You can adjust it based on your needs. This sets how often the source checks for new data.
+1. **Processing Rules for Logs**. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in [Create a Processing Rule](/docs/send-data/collection/processing-rules/create-processing-rule).
+1. When you are finished configuring the source, click **Save**.
+
+## JSON schema
+
+Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See [Use JSON to Configure Sources](/docs/send-data/use-json-configure-sources) for details. 
+
+| Parameter | Type | Value | Required | Description |
+|:--|:--|:--|:--|:--|
+| schemaRef | JSON Object  | `{"type":"Mandiant Threat Intel"}` | Yes | Define the specific schema type. |
+| sourceType | String | `"Universal"` | Yes | Type of source. |
+| config | JSON Object | [Configuration object](#configuration-object) | Yes | Source type specific values. |
+
+### Configuration Object
+
+| Parameter | Type | Required | Default | Description | Example |
+|:--|:--|:--|:--|:--|:--|
+| name | String | Yes | `null` | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_source`. | `"mySource"` |
+| description | String | No | `null` | Type a description of the source. | `"Testing source"`
+| category | String | No | `null` | Type a category of the source. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_sourceCategory`. See [best practices](/docs/send-data/best-practices) for details. | `"mySource/test"`
+| fields | JSON Object | No | `null` | JSON map of key-value fields (metadata) to apply to the Collector or source. Use the boolean field `_siemForward` to enable forwarding to SIEM.|`{"_siemForward": false, "fieldA": "valueA"}` |
+| apiKeyId | String | Yes | `null` | API Key ID of the user. |  |
+| apiSecret | String | Yes | `null` | API Secret of the account. |  |
+| userSourceId | String | Yes | `null` | The Sumo Logic namespace in which the indicators will be stored. |  |
+| pollingInterval | integer | Yes | `5 minutes` | Time interval (in minutes) after which the source will check for new data. |  |
+
+### JSON example
+
+<CodeBlock language="json">{MyComponentSource}</CodeBlock>
+
+<a href="/files/c2c/mandiant-threat-intel/example.json" target="_blank">Download example</a>
+
+### Terraform example
+
+<CodeBlock language="json">{TerraformExample}</CodeBlock>
+
+<a href="/files/c2c/mandiant-threat-intel/example.tf" target="_blank">Download example</a>
+
+## FAQ
+
+:::info
+Click [here](/docs/c2c/info) for more information about Cloud-to-Cloud sources.
+:::

sidebars.ts

@@ -439,6 +439,7 @@ module.exports = {
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/kandji-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/knowbe4-api-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source',
+                //'send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-azure-ad-inventory-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-exchange-trace-logs',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source',