Merge branch 'JV0812-patch-2' of https://github.com/SumoLogic/sumologic-documentation into JV0812-patch-2

Author: JV0812

.clabot

@@ -163,7 +163,9 @@
     "ankurch627",
     "yasar-sumologic",
     "ruturajsumo",
-    "bchrobot-mh"
+    "bchrobot-mh",
+    "sachin-sumologic",
+    "Andrew-L-Johnson"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we'll add you to our approved list of contributors.",
   "label": "cla-signed",

.github/CODEOWNERS

@@ -8,7 +8,7 @@
 /docs/send-data/kubernetes/  @SumoLogic/open-source-collection-team @kimsauce @jpipkin1 @JV0812 @mafsumo
 
 # Owners of all files in the `/docs/send-data/opentelemetry-collector` directory and its subdirectories.
-/docs/send-data/opentelemetry-collector/  @SumoLogic/open-source-collection-team @kimsauce @mafsumo @JV0812
+/docs/send-data/opentelemetry-collector/  @SumoLogic/open-source-collection-team @kimsauce @jpipkin1 @mafsumo @JV0812
 
 # GitHub workflow owners
 /.github/workflows/ @SumoLogic/open-source-collection-team @kimsauce

blog-collector/2024-08-23.md

@@ -0,0 +1,19 @@
+---
+title: Version 19.506-1
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+authors:
+- url: https://help.sumologic.com/release-notes-collector/rss.xml
+  image_url: /img/release-notes/rss-orange.png
+---
+
+In this release, we've enhanced the security and stability of the Collector with added support for security patches and bug fixes.
+
+### Security Fixes
+
+- Upgraded collector JRE to **Amazon Corretto Version 8.422.05.1**.
+- Upgraded `com.amazonaws:aws-java-sdk-s3` to version 1.12.767 to address ion-java vulnerability (CVE-2024-21634).
+
+### Bug Fix
+
+- Fixed the Docker duplication data re-ingestion issue.

blog-cse/2023/12-31.md

@@ -156,7 +156,7 @@ This change has no effect on the Rules themselves; they will continue to operate
 
 The Automation Service has been updated to include support for Audit Logging. Events like updates to integrations and playbook execution will now be automatically logged to the standard Sumo Logic Audit Logging indices.
 
-For full details, see the [Cloud SOAR documentation](/docs/cloud-soar/audit-event-index/) (the Automation Service will log a subset of those events).
+For full details, see the [Cloud SOAR documentation](/docs/platform-services/automation-service/automation-service-audit-logging/) (the Automation Service will log a subset of those events).
 
 #### Bug Fixes
 
@@ -1021,7 +1021,7 @@ Automations (and other objects) are accessible through the **Configuration** men
 
 Automation results are accessible from Insight and Entity detail pages.
 
-**The Insight Enrichment Server and the Actions functionality in Cloud SIEM, which is replaced by the Automation Service, will be deprecated on November 30, 2023.** Until then, they will continue to be fully supported and operational. To aid in migration, all current Enrichment Server examples and Actions have equivalent actions and playbooks in the Automation Service. In addition, through the Bridge, customers can execute any existing Powershell script currently connected to the Insight Enrichment Server.
+**The Insight Enrichment Server and the Actions functionality in Cloud SIEM, which is replaced by the Automation Service, will be deprecated on November 30, 2023.** Until then, they will continue to be fully supported and operational. To aid in migration, all current Enrichment Server examples and Actions have equivalent actions and playbooks in the Automation Service. In addition, through the Bridge, customers can execute any existing PowerShell script currently connected to the Insight Enrichment Server.
 
 :::note
 The Automation Service currently has **Limited Availability**. This means that it is fully functional and supported in production environments, but not automatically deployed to every customer. If you would like it deployed to your environment, please contact Sumo Logic and we will enable it for you.

blog-cse/2024-08-05-content.md

@@ -0,0 +1,93 @@
+---
+title: August 05, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - rules
+  - log mappers
+  - parsers
+image: https://help.sumologic.com/img/sumo-square.png
+authors:
+  - url: https://help.sumologic.com/release-notes-cse/rss.xml
+    image_url: /img/release-notes/rss-orange.png
+---
+
+This content release includes:
+* A new Cloud SIEM First Seen rule
+* Consolidation of AWSGuardDuty log mappers
+* CrowdStrike FDR mapping modifications by adding `aid` as a value for `device_hostname` as primary or alternate
+* Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format 
+* Several new log mappers, parsers, and multiple updated parsers
+
+Release specifics are enumerated below.
+
+#### Rules
+
+* NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
+   * This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process.
+
+#### Log Mappers
+
+* [Deleted] AWS GuardDuty Alerts from Sumo CIP
+* [Deleted] AWSGuardDuty_Backdoor
+* [Deleted] AWSGuardDuty_Behavior
+* [Deleted] AWSGuardDuty_Catch_All
+* [Deleted] AWSGuardDuty_CryptoCurrency
+* [Deleted] AWSGuardDuty_Discovery
+* [Deleted] AWSGuardDuty_Exfiltration
+* [Deleted] AWSGuardDuty_PenTest
+* [Deleted] AWSGuardDuty_Persistence
+* [Deleted] AWSGuardDuty_Policy
+* [Deleted] AWSGuardDuty_ResourceConsumption
+* [Deleted] AWSGuardDuty_Stealth
+* [Deleted] AWSGuardDuty_Trojan
+* [Retired] AwsServiceEvent-AWS API Call via CloudTrail
+* [Deleted] Recon_EC2_PortProbeUnprotectedPort
+* [Deleted] Recon_EC2_Portscan
+* [Deleted] Recon_IAMUser
+* [Deleted] UnauthorizedAccess_EC2_SSHBruteForce
+* [Deleted] UnauthorizedAccess_EC2_TorClient
+* [Deleted] UnauthorizedAccess_EC2_TorIPCaller
+* [Deleted] UnauthorizedAccess_EC2_TorRelay
+* [Deleted] UnauthorizedAccess_IAMUser
+* [Updated] AWS GuardDuty Alerts from Sumo CIP
+* [New] AWS Redshift - ACTIVITY_LOG
+* [New] AWS Redshift - Authentication Log
+* [New] AWS Redshift - Connection Log
+* [New] AWS Redshift - USER_LOG
+* [New] AWSGuardDuty - Audit Events
+* [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
+* [New] AWSGuardDuty - Reconnaissance and malicious activity detection
+* [Updated] AWSGuardDuty - Tor Client and Relay
+* [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
+* [Updated] AWSGuardDuty_Catch_All
+* [New] Forescout CounterACT - NAC Policy Log
+* [New] PingFederate - Authentication Event
+* [New] Symantec Endpoint Security - All
+* [Updated] UnauthorizedAccess_EC2_SSHBruteForce
+* [New] VMware NSX - Firewall
+* [Updated] CloudTrail Default Mapping
+   * Added alternate values for `userIdentity.arn`, and `requestParameters.sourceIdentity` applied to `user_role`. Additional mappings for `bytesIn`, and `bytesOut`.
+* [Updated] CrowdStrike FDR - Catch All
+* [Updated] CrowdStrike FDR - CriticalFileAccessed
+* [Updated] CrowdStrike FDR - NetworkConnectIP4
+* [Updated] CrowdStrike FDR - NetworkConnectIP6
+* [Updated] CrowdStrike FDR - ProcessRollup2
+* [Updated] CrowdStrike FDR - SuspiciousDnsRequest
+* [Updated] PingFederate Event
+   * Narrowed the lookup scope where success is true.
+* [Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105
+   * Updated keys for: `user_userId`, `user_username`, `commandLine`, `baseImage`, `file_path`, and `severity`.
+
+#### Parsers
+
+* [New] /Parsers/System/AWS/AWS Redshift
+* [Updated] /Parsers/System/Forescout/Forescout CounterACT
+   * Updated the start time field.
+* [New] /Parsers/System/Symantec/Symantec Endpoint Security
+* [New] /Parsers/System/VMware/VMware NSX
+* [Updated] /Parsers/System/Cisco/Cisco Meraki
+   * Added support for URLS new format.
+* [Updated] /Parsers/System/PingIdentity/PingFederate
+   * Added support of new log format.
+* [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
+   * Dropped the redundant message field.

blog-cse/2024-08-16-content.md

@@ -0,0 +1,79 @@
+---
+title: August 16, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - rules
+  - log mappers
+  - parsers
+image: https://help.sumologic.com/img/sumo-square.png
+authors:
+  - url: https://help.sumologic.com/release-notes-cse/rss.xml
+    image_url: /img/release-notes/rss-orange.png
+---
+
+This content release includes:
+* Updates to Azure rules to reflect a name change in the Company Administrator role to Global Administrator.
+* New Linux OS Syslog mappers.
+* Addition of sessionId mapping to Okta mappers.
+
+Individual changes are enumerated below.
+
+#### Rules
+- [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
+- [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
+- [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role
+- [Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User)
+
+#### Log Mappers
+- [New] Linux OS Syslog - Process sudo - Authentication Failure
+- [New] Linux OS Syslog - Systemd-user Session Open|Closed
+- [New] Linux OS Syslog - sshd - Postponed publickey
+- [New] Linux OS Syslog - sshd - User not allowed
+- [New] MicrosoftGraphActivityLogs
+- [Updated] AWS Redshift - Authentication Log
+    - Added normalizedAction mapping for logon and a success boolean lookup on event_name
+- [Updated] Aruba ClearPass Guest Access
+    - Added normalizedAction mapping for logon and a success boolean lookup on error codes
+- [Updated] Check Point Failed Log In
+    - Updated record type to Authentication and adjusted normalizedAction mapping to logon
+- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
+    - Added logon normalizedAction and mapped success boolean to checkMfa
+- [Updated] Infoblox NIOS - DNS
+    - Updated mapping for dns_query to fix dns enrichments
+- [Updated] JumpCloud IdP Authentication
+     - Adds logon normalizedAction to mapper
+- [Updated] Linux OS Syslog - Cron - Session Opened
+    - Adds mappings for targetUser_username, targetUser_userId, user_userId
+- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
+     - Adds "check pass" to event ID pattern
+- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
+     - Added description mapping
+- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
+    - Updated mapper name, and added "sshd-disconnect" to event ID pattern. Adds mappings for srcDevice_ip, description, action.
+- [Updated] Linux OS Syslog - Process sshd - SSH Session Opened
+     - Adds mapping for srcDevice_ip
+- [Updated] Linux OS Syslog - Process sshd - SSH Session Starting
+     - Adds mappings for srcDevice_ip, srcPort
+- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
+     - Adds mapping for description
+- [Updated] PingFederate - Authentication Event
+     - Added logon normalizedAction to mapper
+- [Updated] Pulse Secure Custom Parser - AUT24326
+     - Added logon normalizedAction to mapper
+- [Updated] Windows - Security - 4648
+    - Adds logon normalizedAction mapping
+- [Updated] Okta Authentication - auth_via_AD_agent
+- [Updated] Okta Authentication - auth_via_mfa
+- [Updated] Okta Authentication - auth_via_radius
+- [Updated] Okta Authentication - sso
+- [Updated] Okta Authentication Events
+- [Updated] Okta Catch All
+- [Updated] Okta Security Threat Events
+
+#### Parsers
+- [Updated] /Parsers/System/Linux/Linux OS Syslog
+    - Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns.
+
+#### Schema
+- [New] repository
+    - The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts.

blog-cse/2024-08-23-content.md

@@ -0,0 +1,54 @@
+---
+title: August 23, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - rules
+  - log mappers
+  - parsers
+image: https://help.sumologic.com/img/sumo-square.png
+authors:
+  - url: https://help.sumologic.com/release-notes-cse/rss.xml
+    image_url: /img/release-notes/rss-orange.png
+---
+
+This content release includes:
+* Updates to rules to improve the user experience 
+* Specific updates are enumerated and summarized below
+
+:::note
+Rule DNS query for dynamic DNS provider (LEGACY-S00180) is slated for removal the week of 2024-09-02. The rule is being removed from global content due to the untenable nature of maintaining the list of dynamic DNS providers within the rule expression. To retain this rule, it must be duplicated prior to the date of removal.
+:::
+
+### Rules
+- [Updated] MATCH-S00816 Interactive Logon to Domain Controller
+    - Updated expression match list to use new `domain_controllers_hostnames` instead of `domain_controllers` which was generating false positives due to IP dependency.
+- [Updated] LEGACY-S00105 Suspicious DC Logon
+    - Updated expression match list to use new `domain_controllers_hostnames` instead of `domain_controllers` which was generating false positives due to IP dependency.
+
+#### srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid `null` values for the following rules:
+- [Updated] MATCH-S00874 AWS Lambda Function Recon
+- [Updated] MATCH-S00825 AWS Secrets Manager Enumeration
+- [Updated] MATCH-S00513 Critical Severity Intrusion Signature
+- [Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks
+- [Updated] MATCH-S00666 High Severity Intrusion Signature
+- [Updated] MATCH-S00669 Informational Severity Intrusion Signature
+- [Updated] MATCH-S00668 Low Severity Intrusion Signature
+- [Updated] MATCH-S00667 Medium Severity Intrusion Signature
+- [Updated] THRESHOLD-S00095 Password Attack
+
+#### Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:
+- [Updated] MATCH-S00429 LSASS Memory Dumping +
+- [Updated] MATCH-S00161 Malicious PowerShell Get Commands + 
+- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands + 
+- [Updated] MATCH-S00198 Malicious PowerShell Keywords +
+- [Updated] MATCH-S00191 Suspicious PowerShell Keywords +
+- [Updated] MATCH-S00431 Suspicious Use of Procdump +
+- [Updated] MATCH-S00583 WCE wceaux.dll Access +
+- [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected +
+- [Updated] MATCH-S00291 Windows Credential Editor (WCE) in use +
+
+#### Added exclusion to match expression for `OneDrive` to reduce false positives and removed fields producing nulls in the signal summary for the following rules:
+- [Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
+- [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User
+- [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
+- [Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents

blog-cse/2024-08-27-content.md

@@ -0,0 +1,21 @@
+---
+title: August 27, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+image: https://help.sumologic.com/img/sumo-square.png
+authors:
+  - url: https://help.sumologic.com/release-notes-cse/rss.xml
+    image_url: /img/release-notes/rss-orange.png
+---
+
+This release reverts a change to our AWS CloudTrail default (catch all) mapper for how `user_username` is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some `AssumedRole` events.
+
+AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/2024/08/05/content/) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.
+
+AWS best practices suggest defining `sourceIdentity` to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor `sourceIdentity` if it is present in CloudTrail logs. If it is not present, then `userIdentity.arn` will be used and the `resource-id` will be mapped to `user_username`, creating potential for false positives from dynamic session identifiers. See [Viewing source identity in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct) in the AWS documentation for more information.
+
+Alternatively, known service accounts which generate dynamic sessions identifers can be tuned out from signals using rule tuning expressions, Field Extraction Rules (FERs), or at the CloudTrail parser to reduce potential for false positive signals.
+
+### Log Mappers
+- [Updated] CloudTrail Default Mapping

blog-csoar/2023/12-31.md

@@ -78,7 +78,7 @@ We've also improved multiple integrations and introduced new actions, implemente
 ### November 16, 2023 - Application Update
 
 #### Changes and Enhancements
-* Added documentation for [Cloud SOAR Audit Logging](/docs/cloud-soar/audit-event-index/).
+* Added documentation for [Cloud SOAR Audit Logging](/docs/platform-services/automation-service/automation-service-audit-logging/).
 
 #### Bug fixes
 * Actions: Fixed run action causing page reload when response data is too large.

blog-service/2017/12-31.md

@@ -295,7 +295,7 @@ Bug Fix - In-product notification icons now display correctly.
 ---
 ## September 11, 2017
 
-**Azure Audit**. [The Sumo Logic App for Azure Audit](/docs/integrations/microsoft-azure/audit) is now updated to include the Activity Logs from Event Hub, along with the existing collection from Azure Insight API using Sumo Powershell scripts. For more details, see [collect logs for Azure Audit from Event Hub](/docs/integrations/microsoft-azure/audit). All the pre-configured dashboards in the App, except the Azure Audit - Active Directory dashboard, support logs from both Event Hub and Insight API. This update also includes minor bug fixes and query optimization.
+**Azure Audit**. [The Sumo Logic App for Azure Audit](/docs/integrations/microsoft-azure/audit) is now updated to include the Activity Logs from Event Hub, along with the existing collection from Azure Insight API using Sumo PowerShell scripts. For more details, see [collect logs for Azure Audit from Event Hub](/docs/integrations/microsoft-azure/audit). All the pre-configured dashboards in the App, except the Azure Audit - Active Directory dashboard, support logs from both Event Hub and Insight API. This update also includes minor bug fixes and query optimization.
 
 ---
 ## September 1, 2017