Merge branch 'main' into stfaqchangelogentry

Author: sumoanema

blog-cse/2025-04-14-content.md

@@ -0,0 +1,81 @@
+---
+title: April 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Additional data requirements for GitHub rules added to rule descriptions.
+- Spelling corrections for AWS Lambda rules.
+- New Slack Anomaly Event log mapper and supporting parsing changes:
+   - Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
+   - Requires parser be defined for passthrough detection.
+- Updates to Sysdig parsing and mapping to support additional events.
+- Support for Microsoft Windows Sysmon-29 event.
+- Additional normalized field mappings for Microsoft Windows Sysmon events.
+- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields.
+
+
+### Rules
+- [Updated] MATCH-S00874 AWS Lambda Function Recon
+- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
+- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
+- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
+- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
+- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
+- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
+- [Updated] MATCH-S00955 GitHub - Member Permissions Modification
+- [Updated] MATCH-S00956 GitHub - OAuth Application Activity
+- [Updated] MATCH-S00957 GitHub - Organization Transfer
+- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
+- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
+- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
+- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
+- [Updated] MATCH-S00960 GitHub - Repository Transfer
+- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
+- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
+- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
+- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+
+### Log Mappers
+- [New] Slack Anomaly Event
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
+- [New] Windows - Microsoft-Windows-Sysmon/Operational-29
+- [Updated] Sysdig Secure Packages
+- [Updated] Sysdig Secure Vulnerability
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
+
+### Parsers
+- [New] /Parsers/System/Slack/Slack Enterprise Audit
+- [Updated] /Parsers/System/Sysdig/Sysdig Secure
+
+### Schema
+- [New] `targetUser_phoneNumber`
+- [New] `user_phoneNumber`

blog-csoar/2025-04-21-content.md

@@ -0,0 +1,42 @@
+---
+title: April 21, 2025 - Content Release
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## March and April releases
+
+### Changes and enhancements
+
+#### Integrations
+
+* [NEW] [ThreatDown Oneview](/docs/platform-services/automation-service/app-central/integrations/threatdown-oneview/). The ThreatDown OneView integration has been built from scratch to facilitate seamless security operations management. 
+* [NEW] [Atlassian Jira Cloud](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-cloud/). The Atlassian Jira Cloud integration has been developed from the ground up to streamline issue tracking and project management. 
+* [UPDATED] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/). Added a new Update IP Set action in the AWS WAF integration that allows users to update an existing IP set.
+
+#### Platform 
+
+##### Playbooks
+
+* Improved the user experience in the node popup when loading dynamic fields.
+* Added a confirmation dialog to alert users about pre-existing playbook drafts to avoid accidental overwriting while editing playbooks.
+* Implemented an alert popup to prevent accidental loss of unsaved changes when closing a node popup.
+* Added audit logs for failed nodes due to errors or exceptions during playbook execution.
+
+### Bug fixes
+
+#### General
+
+* Fixed a session timeout issue when the user is active in Automation Service, but inactive in Sumo Logic Log Analytics.
+* Fixed cursor positioning issue while typing in text areas.
+
+#### Integrations
+
+* Resolved a next page token and pageSize related issues in the List Permissions action of the  [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/) integration.
+* Added a new `impersonate_user` field in List Permission and Delete Permission actions, allowing actions to be performed on a user's behalf.

blog-service/2025-03-31-apps.md

@@ -13,15 +13,15 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 We’re excited to announce the release of the new Azure Key Vault and AWS Auto scaling apps for Sumo Logic.
 
-- **Azure Key Vault**. Azure Key Vault is a managed service, hosted in the cloud that acts as a central message hub for communication between an IoT application and its attached devices. This integration helps in comprehensive monitoring of your key vaults requests, performance, failures, and latency. [Learn more](/docs/integrations/microsoft-azure/azure-key-vault/).
+- **Azure Key Vault**. Azure Key Vault is a cloud service that helps you securely store and manage secrets, keys, and certificates. You can use it to protect data for cloud apps and services. This integration helps in comprehensive monitoring of your Key Vault operations, requests, failures, and latency. [Learn more](/docs/integrations/microsoft-azure/azure-key-vault/).
 - **AWS Auto scaling**. Amazon EC2 Auto Scaling helps you maintain application availability and lets you automatically add or remove EC2 instances using scaling policies that you define. Dynamic or predictive scaling policies let you add or remove EC2 instance capacity to service established or real-time demand patterns. [Learn more](/docs/integrations/amazon-aws/amazon-ec2-auto-scaling/).
 
 ### Enhancements
 
 - **Added metrics collection capability for OpenTelemetry collectors**. [RabbitMQ](/docs/send-data/opentelemetry-collector/remote-management/source-templates/rabbitmq/#for-metrics-collection) and [Redis](/docs/send-data/opentelemetry-collector/remote-management/source-templates/redis/#for-metrics-collection).
 - **Added use cases to monitor EBS volume and snapshots in AWS EC2 apps**. [AWS EC2](/docs/integrations/amazon-aws/ec2-cloudwatch-metrics/#events).
 - **Updated the metric collection and dashboard for Google apps**. [Google BigQuery](/docs/integrations/google/bigquery/) and [Google Cloud Load Balancing](/docs/integrations/google/cloud-load-balancing/).
-- Added new dashboards to the [Sumo Logic Kickstart Data(Beta)](/docs/integrations/sumo-apps/kickstart-data/) app.
+- Added new dashboards to the [Sumo Logic Kickstart Data (Beta)](/docs/integrations/sumo-apps/kickstart-data/) app.
 - **Updated the queries to accommodate the new threat intel feed**. [Apache - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/apache-opentelemetry/), [Apache Tomcat - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry/), [HAProxy - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry/), [IIS 10 - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/iis-10-opentelemetry/), [Ngin - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry/), [PostgreSQL - OpenTelemetry](/docs/integrations/databases/opentelemetry/postgresql-opentelemetry/), [Varnish - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/varnish-opentelemetry/), [Acquia](/docs/integrations/saas-cloud/acquia/), [Azure Web Apps](/docs/integrations/microsoft-azure/web-apps/), [JFrog Xray](/docs/integrations/app-development/jfrog-xray/), and [MongoDB Atlas 6](/docs/integrations/databases/mongodb-atlas/).
 - Updated Azure integration from` Node.js v18` to `Node.js v20`. [Learn more](https://github.com/SumoLogic/sumologic-azure-function/releases/tag/v4.1.6).
 

blog-service/2025-04-08-security.md

@@ -11,10 +11,6 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 We’re excited to announce a new `SumoLogic_ThreatIntel` source incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis.
 
-:::warning
-On April 30, 2025, we will discontinue our legacy `_sumo_global_feed_cs` source. If you have rules that explicitly point to this source, update them to use the new `SumoLogic_ThreatIntel` source.
-:::
-
 [Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources).
 
 <img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />

blog-service/2025-04-09-manage.md

@@ -0,0 +1,16 @@
+---
+title: Kickstart Data Onboarding (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - onboarding
+  - trial
+hide_table_of_contents: true    
+---
+
+We’re excited to announce the general availability of Kickstart Data, a streamlined onboarding experience that includes sample data and prebuilt dashboards. Whether you're starting a free trial or simply spinning up a new account, Kickstart Data makes it easy to understand Sumo Logic's capabilities without needing to ingest your own data first.
+
+* **Instant insights**. Preloaded data and dashboards show platform value right away.
+* **No setup required**. Skip config steps like firewalls or security permissions.
+* **Easy handoff**. Start using your own data anytime—Kickstart deactivates automatically.
+
+[Learn more](/docs/get-started/quickstart/#getting-started-with-kickstart-data-in-your-trial).

blog-service/2025-04-21-apps.md

@@ -0,0 +1,13 @@
+---
+title: Sumo Collection (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - sumo-collection
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+
+We're excited to introduce the new Sumo Collection app for Sumo Logic. By leveraging this app, you can get insights into the health and status of Sumo Logic collectors and sources, allowing you to effectively manage and monitor collectors and sources within Sumo Logic. [Learn more](/docs/integrations/saas-cloud/sumo-collection).

cid-redirects.json

@@ -438,8 +438,10 @@
   "/05Search/Get-Started-with-Search/Visualizations/Group-By-Operator": "/docs/search/search-query-language/search-operators",
   "/05Search/Live-Tail": "/docs/search/live-tail",
   "/05Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",
+  "/Search/Anomaly_Detection": "/docs/alerts/monitors/create-monitor",
   "/Search/Live-Tail": "/docs/search/live-tail/about-live-tail",
   "/Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",
+  "/Search/Live_Tail/Live_Tail_CLI": "/docs/search/live-tail/live-tail-cli",
   "/05Search/Live-Tail/Filter-Live-Tail": "/docs/search/live-tail/filter-live-tail",
   "/05Search/Live-Tail/Live-Tail-CLI": "/docs/search/live-tail/live-tail-cli",
   "/05Search/Live-Tail/Live-Tail-Highlighting": "/docs/search/live-tail/live-tail-highlighting",
@@ -1563,7 +1565,6 @@
   "/cid/0100": "/docs/manage/security/installation-tokens",
   "/cid/0020": "/docs/manage/health-events",
   "/cid/0020001": "/docs/security/threat-intelligence/upload-formats",
-  "/cid/20002": "/docs/search/search-query-language/search-operators/threatlookup",
   "/cid/0020003": "/docs/security/threat-intelligence",
   "/cid/0523": "/docs/manage/manage-subscription/upgrade-account/upgrade-sumo-logic-flex-account",
   "/cid/0524": "/docs/manage/manage-subscription/cloud-flex-legacy-accounts",
@@ -1626,6 +1627,7 @@
   "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one",
   "/cid/6024": "/docs/integrations/saas-cloud/vmware-workspace-one",
   "/cid/6025": "/docs/integrations/saas-cloud/cisco-vulnerability-management",
+  "/cid/6026": "/docs/integrations/saas-cloud/sumo-collection",
   "/cid/10112": "/docs/integrations/app-development/jfrog-xray",
   "/cid/10113": "/docs/observability/root-cause-explorer",
   "/cid/10116": "/docs/manage/fields",
@@ -2672,6 +2674,7 @@
   "/cid/20158": "/docs/integrations/amazon-aws/aws-ground-station",
   "/cid/20159": "/docs/integrations/amazon-aws/aws-healthlake",
   "/cid/20160": "/docs/integrations/amazon-aws/amazon-bedrock",
+  "/cid/20161": "/docs/integrations/microsoft-azure/azure-virtual-machine",
   "/cid/8394": "/docs/search/search-query-language/search-operators/dedup",
   "/cid/85858": "/docs/observability/kubernetes/quickstart",
   "/cid/8595": "/docs/manage/security/set-password-policy",
@@ -3034,6 +3037,7 @@
   "/Knowledge_Base/APIs": "/docs/api",
   "/Knowledge_Base/Apps": "/docs/integrations",
   "/Knowledge_Base/Parsing/Using_line_breaks_as_an_anchor_within_parse": "/docs/search/search-query-language/parse-operators/parse-predictable-patterns-using-an-anchor",
+  "/Knowledge_Base/Search": "/docs/search",
   "/Knowledge_Base/Search/How_to_Prevent_your_Scheduled_Search_from_Timing_Out": "/docs/alerts/scheduled-searches/faq",
   "/Limited_Availability/Lookup_Tables": "/docs/search/search-query-language/search-operators/lookupcontains",
   "/Limited_Availability/Lookup_Tables/lookupContains_Operator": "/docs/search/search-query-language/search-operators/lookupcontains",
@@ -3047,6 +3051,7 @@
   "/Manage/01Manage_Subscription/03Upgrade_a_Cloud_Flex_Credits_Account": "/docs/manage/manage-subscription/upgrade-account/upgrade-sumo-logic-flex-account",
   "/Manage/01Manage_Subscription/04Upgrade_Your_Account": "/docs/manage/manage-subscription/upgrade-account/upgrade-cloud-flex-legacy-account",
   "/Manage/01Manage_Subscription/05Manage_Organization": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
+  "/Manage/01Manage_Subscription/05Manage_Organizational_Settings": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-org-settings",
   "/docs/manage/manage-subscription/upgrade-cloud-flex-account": "/docs/manage/manage-subscription/upgrade-account/upgrade-cloud-flex-legacy-account",
   "/Manage/01Manage_Subscription/06Manage_Billing_Information": "/docs/manage/manage-subscription/manage-billing-information",
   "/Manage/01Manage_Subscription/08Create_and_Manage_Orgs": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs",
@@ -4091,6 +4096,7 @@
   "/Send-Data/Sources/04Reference-Information-for-Sources/Collecting_Multiline_Logs": "/docs/send-data/reference-information/collect-multiline-logs",
   "/Solutions/AWS_Observability_Solution/01_About_the_AWS_Observability_Solution": "/docs/observability/aws/about",
   "/Solutions/AWS_Observability_Solution/05_Monitor_Control_Tower-Managed_Accounts": "/docs/observability/aws/other-configurations-tools/integrate-control-tower-accounts",
+  "/Solutions/AWS_Observability_Solution/AWS_Observability_Application_Load_Balancer": "/docs/observability/aws/integrations/aws-application-load-balancer",
   "/Solutions/AWS_Observability_Solution/View_AWS_Observability_Solution_Dashboards": "/docs/observability/aws/deploy-use-aws-observability/view-dashboards",
   "/Solutions/AWS_Observability_Solution/Root_Cause_Explorer": "/docs/observability/root-cause-explorer",
   "/Solutions/AWS_Observability_Solution/03_Set_Up_the_AWS_Observability_Solution": "/docs/observability/aws/about",
@@ -4211,6 +4217,7 @@
   "/docs/dashboards/chart-panel-types/string-single-value-charts": "/docs/dashboards/panels/single-value-charts",
   "/docs/dashboards/get-started": "/docs/dashboards",
   "/docs/dashboards/get-started/add-links-text-panels": "/docs/dashboards/about",
+  "/docs/dashboards/get-started/dashboard-optimization": "/docs/dashboards/advanced",
   "/docs/dashboards/get-started/launch-search-data-panel": "/docs/dashboards/about",
   "/docs/dashboards/get-started/markdown-syntax": "/docs/dashboards/panels/markdown-syntax",
   "/docs/dashboards/get-started/move-panel-dashboard": "/docs/dashboards/about",

docs/cse/administration/mitre-coverage.md

@@ -211,3 +211,10 @@ You can use the following Cloud SIEM APIs to obtain information about your MITRE
 * [MitreAttackCoverageExportJson](https://api.sumologic.com/docs/sec/#operation/MitreAttackCoverageExportJson). Get a JSON representation of the Mitre ATT&CK coverage.
 
 To find the Cloud SIEM API documentation for your endpoint, see [Cloud SIEM APIs](/docs/api/cloud-siem-enterprise/).
+
+## Additional resources
+
+* Blog: [Enhance your cloud security with MITRE ATT&CK and Sumo Logic Cloud SIEM](https://www.sumologic.com/blog/cloud-siem-mitre-attack/)
+* Glossary: [MITRE ATT&CK - definition & overview](https://www.sumologic.com/glossary/mitre-attack/)
+* Demo: [MITRE ATT&CK Coverage Explorer](https://www.sumologic.com/demo/cloud-siem-mitre-attack-coverage-explorer/)
+* Cloud SIEM Content Catalog: [Vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md)

docs/cse/rules/about-cse-rules.md

@@ -185,3 +185,9 @@ Threat Intelligence sources contain values that, when encountered in a record, a
 
 Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 
+## Additional resources
+
+* Blogs: 
+   * [Secure your CI/CD pipelines from supply chain attacks with Sumo Logic’s Cloud SIEM rules](https://www.sumologic.com/blog/secure-azure-devops-github-supply-chain-attacks/)
+   * [Rule tuning – supercharge Cloud SIEM for better alerts](https://www.sumologic.com/blog/rule-tuning-cloud-siem-alert-fatigue/)
+* Cloud SIEM Content Catalog: [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md)