Merge branch 'main' into docs-637-mssp-content-management

Author: jpipkin1

.clabot

@@ -173,7 +173,8 @@
     "JamoCA",
     "darshan-sumo",
     "mahendrak-sumo",
-    "chvik"
+    "chvik",
+    "Apoorvkudesia-sumologic"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

blog-cse/2024/12-31.md

@@ -16,6 +16,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This is an archive of 2024 Cloud SIEM release notes. To view the full archive, [click here](/release-notes-cse/archive).
 
+<!--truncate-->
+
 ---
 ### December 20, 2024 - Content Release
 
@@ -852,7 +854,7 @@ Other changes are enumerated below.
 
 This release reverts a change to our AWS CloudTrail default (catch all) mapper for how `user_username` is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some `AssumedRole` events.
 
-AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/#august-5-2024---content-release) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.
+AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](#august-5-2024---content-release) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.
 
 AWS best practices suggest defining `sourceIdentity` to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor `sourceIdentity` if it is present in CloudTrail logs. If it is not present, then `userIdentity.arn` will be used and the `resource-id` will be mapped to `user_username`, creating potential for false positives from dynamic session identifiers. See [Viewing source identity in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct) in the AWS documentation for more information.
 

blog-cse/2025-01-14-content.md

@@ -0,0 +1,54 @@
+---
+title: January 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - rules
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+- Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
+- Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.
+
+:::note
+In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.
+:::
+
+### Log Mappers
+- [New] Azure DevOps Auditing Catch All
+- [New] Check Point Application Control URL Filtering
+- [New] Cisco ISE Radius Diagnostics
+- [New] Linux OS Syslog - KRB5 Child - Authentication Failure
+- [New] Linux OS Syslog - Process systemd - Systemd Session
+- [New] Linux OS Syslog - Process systemd - Systemd Session Scope
+- [New] Linux OS Syslog - Process systemd - session logout
+- [New] Pfsense Firewall filterlog
+- [New] Pfsense Firewall nginx
+- [New] Pfsense Firewall openvpn Authentication
+- [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
+- [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
+- [Updated] Cisco ISE Authentication Failure
+    - Adds `normalizedSeverity` mapping
+- [Updated] Cisco ISE Authentication Success
+    - Adds `normalizedSeverity` mapping
+- [Updated] Cloudflare - Logpush
+    - Adds mapping for `dns_query`, `http_hostname`, `http_response_contentLength`, `http_response_contentType`, and an alternative value for `ipProtocol`.
+- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
+    - Adds mapping for `normalizedAction`
+- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
+    - Added support for additional events and mapping of `file_path`
+
+### Parsers
+- [New] /Parsers/System/Pfsense/Pfsense Firewall
+- [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
+- [Updated] /Parsers/System/Cisco/Cisco ISE
+- [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
+- [Updated] /Parsers/System/Linux/Linux OS Syslog
+- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
+- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

blog-cse/2025-01-28-content.md

@@ -0,0 +1,26 @@
+---
+title: January 28, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+- Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
+- Adds parsing and mapping support for additional OpenVPN events.
+- Adds additional timestamp format handling to Azure JSON log parsing.
+
+### Log Mappers
+- [Updated] Azure DevOps Auditing Catch All
+- [Updated] OpenVPN Audit Event
+- [Updated] OpenVPN Network Event
+
+### Parsers
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+- [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

blog-cse/2025-01-31-content.md

@@ -0,0 +1,54 @@
+---
+title: January 31, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+- Removal and updates to Cloud SIEM rules.
+- Parsing and mapping support for new products.
+- Updates to existing parsing and mappers to support additional events and field mappings.
+
+Changes are enumerated below.
+
+### Rules
+- [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
+- [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
+    - Corrected typo in "MailItemsAccessed".
+- [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
+    - Corrected typo in "MailItemsAccessed".
+
+### Log Mappers
+- [New] Crowdstrike FileVantage Catch All
+- [New] Dragos Communication
+- [New] Dragos Indicator
+- [New] Dragos System|Asset
+- [New] Extrahop JSON Catch All
+- [New] F5 TMM Http Request|TMM Network|TMM Connection error
+- [New] F5 TMSH - Custom Parser
+- [New] Zendesk - Login events
+#### Updated Field Mappings
+- [Updated] Code42 Incydr Alerts C2C
+- [Updated] Cyber Ark EPM AggregateEvent
+- [Updated] Google G Suite - meet
+- [Updated] Palo Alto GlobalProtect - Custom Parser
+- [Updated] Palo Alto GlobalProtect Auth - Custom Parser
+- [Updated] Zendesk Catch All
+
+### Parsers
+- [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
+- [New] /Parsers/System/Extrahop/Extrahop JSON
+#### Updated parsers to handle additional events and field parsing
+- [Updated] /Parsers/System/Code42/Code42 Incydr
+- [Updated] /Parsers/System/Dragos/Dragos
+- [Updated] /Parsers/System/F5/F5 Syslog
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+- [Updated] /Parsers/System/Microsoft/Office 365
+- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

blog-csoar/2024/12-31.md

@@ -14,6 +14,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This is an archive of 2024 Cloud SOAR release notes. To view the full archive, [click here](/release-notes-csoar/archive).
 
+<!--truncate-->
+
 ---
 ### December 31, 2024 - Application Update
 
@@ -312,7 +314,7 @@ This release introduces three new integrations, as well as several updates.
 ---
 ### March 12, 2024 - Content Release
 
-Our Cloud SOAR [application update](/release-notes-csoar/#march-12-2024---application-update) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards.
+Our Cloud SOAR [application update](#march-12-2024---application-update) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards.
 
 The Python upgrade impacts a total of 38 integrations. These integrations will require updates to ensure compatibility with the new Python version.
 
@@ -369,7 +371,7 @@ We strongly encourage all users to review the provided documentation and prepare
 ### March 12, 2024 - Application Update
 
 #### Changes and Enhancements
-* Python version updated. If you experience any issues, refer to our [content release note](/release-notes-csoar/#march-12-2024---content-release).
+* Python version updated. If you experience any issues, refer to our [content release note](#march-12-2024---content-release).
 
 ##### Cloud SOAR
 * Playbooks: Test feature now permits you to use internal Incident ID.

blog-service/2021/12-31.md

@@ -76,7 +76,7 @@ Update - The [Mimecast Source](/docs/send-data/hosted-collectors/cloud-to-cloud
 ---
 ## October 27, 2021 (Traces)
 
-New - Build custom Dashboards with [new panels](/docs/apm/traces/services-list-map) to view Service Maps filtered by service and application and Trace Lists filtered by a query to directly access trace views. Add panels to existing or new dashboards, setting filters and customized options.
+New - Build custom Dashboards with [new panels](/docs/apm/services-list-map) to view Service Maps filtered by service and application and Trace Lists filtered by a query to directly access trace views. Add panels to existing or new dashboards, setting filters and customized options.
 
 ---
 ## October 27, 2021 (Apps)
@@ -102,7 +102,7 @@ Update - We are delighted to release the additional Logs and Metrics dashboards
 ---
 ## October 14, 2021 (Traces)
 
-New - Operation level health metrics describe performance and availability on the level of a single SQL query or API call. They are automatically generated from tracing data real time for the most active operations, enabling you to understand application service health on one level below: what operations is this service executing towards its peers and what's the performance of each of them individually. See [Service Map and Dashboards](/docs/apm/traces/services-list-map).
+New - Operation level health metrics describe performance and availability on the level of a single SQL query or API call. They are automatically generated from tracing data real time for the most active operations, enabling you to understand application service health on one level below: what operations is this service executing towards its peers and what's the performance of each of them individually. See [Service Map and Dashboards](/docs/apm/services-list-map).
 
 ---
 ## October 6, 2021 (Collection)
@@ -230,7 +230,7 @@ Update - We are delighted to announce the availability of enhanced search functi
 ---
 ## August 12, 2021 (Traces)
 
-New - We are excited to introduce a new [Span Analytics](/docs/apm/traces/spans) experience to help you explore your trace data at the raw span level so you can understand the performance and behavior of your infrastructure.
+New - We are excited to introduce a new [Span Analytics](/docs/apm/spans) experience to help you explore your trace data at the raw span level so you can understand the performance and behavior of your infrastructure.
 
 ---
 ## August 12, 2021 (Collection)
@@ -596,7 +596,7 @@ Update - Explore now offers the ability to [filter your view](/docs/dashboards
 ---
 ## March 24, 2021 (Traces)
 
-New - We're excited to announce our [Service Map and Dashboards](/docs/apm/traces/services-list-map). A Service Map is a high-level out-of-the-box overview of your environment created from distributed tracing data. Service Maps provide you a real-time view of:
+New - We're excited to announce our [Service Map and Dashboards](/docs/apm/services-list-map). A Service Map is a high-level out-of-the-box overview of your environment created from distributed tracing data. Service Maps provide you a real-time view of:
 
 -   Your microservices and connections between them, to give you insight into their dependencies and relations.
 -   Health and load of each microservice reflected in size and color, so you can immediately ascertain potential problems and bottlenecks in your application infrastructure.

blog-service/2022/12-31.md

@@ -558,7 +558,7 @@ Update - The [Tenable Source](/docs/send-data/hosted-collectors/cloud-to-cloud-i
 ---
 ## April 26, 2022 (Traces)
 
-New - You can now add the results of Spans queries directly to Dashboards from the [Spans analytics](/docs/apm/traces/spans#add-to-dashboard) window. You'll use the same easy query builder to [modify your panels](/docs/dashboards/panels/modify-chart) later. You can still use [Log Search](/docs/apm/traces/search-query-language-support-for-traces) to add span results to Dashboards by running queries in the `_trace_spans` index. The same limitations of Log Search still apply, your query scan volume should not exceed 200x of your tracing ingest.
+New - You can now add the results of Spans queries directly to Dashboards from the [Spans analytics](/docs/apm/spans#add-to-dashboard) window. You'll use the same easy query builder to [modify your panels](/docs/dashboards/panels/modify-chart) later. You can still use [Log Search](/docs/apm/traces/search-query-language-support-for-traces) to add span results to Dashboards by running queries in the `_trace_spans` index. The same limitations of Log Search still apply, your query scan volume should not exceed 200x of your tracing ingest.
 
 ---
 ## April 17, 2022 (Apps)
@@ -678,7 +678,7 @@ Update - We’ve made an improvement to the [Sumo Logic Organizations](/docs/man
 ---
 ## February 10, 2022 (Traces)
 
-New - Number of [spans](/docs/apm/traces/spans) per Trace has been increased by 10 times to 10000 spans per trace to better support monitoring for long running and complex transactions. Please note that new spans can increase credits consumption.
+New - Number of [spans](/docs/apm/spans) per Trace has been increased by 10 times to 10000 spans per trace to better support monitoring for long running and complex transactions. Please note that new spans can increase credits consumption.
 
 Update - Traces logs and data includes a new `duration` field that holds the difference between `endTimestamp` and `startTimestamp` in nanoseconds.
 

blog-service/2023/12-31.md

@@ -57,7 +57,7 @@ Here are some of the key features the new solution offers:
 * **Misconfigurations**. See areas in your environment that need to be addressed because they fail best practice security controls.
 * **Suspicious activity assessment**. See suspicious activity across users, web interactions, networks, and Identity Access Management (IAM).
 
-To learn how you can set up and use Cloud Infrastructure Security for AWS, and for preview limitations, check out our technical documentation [here](/docs/security/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/).
+To learn how you can set up and use Cloud Infrastructure Security for AWS, and for preview limitations, check out our technical documentation [here](/docs/security/additional-security-features/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/).
 
 :::note
 To use the solution, you are required to sign up and activate Amazon GuardDuty and AWS Security Hub.
@@ -758,7 +758,7 @@ We're excited to announce the release of our new cloud-to-cloud source for Trell
 
 We’re happy to announce a new security option allowing administrators to set a custom policy for the number of days an API Access Key can go unused before being automatically deactivated. This setting allows administrators to tailor the feature to suit their organization’s specific security requirements. This enhances the security of your account by reducing the risk of unauthorized access through abandoned access keys. This ensures that only active access keys can be used to access your account and its resources.
 
-[Learn more](/docs/manage/security/access-keys#edit-deactivate-or-delete-an-access-key).
+[Learn more](/docs/manage/security/access-keys#access-keys-deactivation-policy).
 
 
 ---
@@ -1012,7 +1012,7 @@ We're excited to introduce an improved approach to calculating and aggregating p
 
 What's New?
 * All APM metrics on dashboards now use the recently released [Metrics Histograms](/docs/metrics/introduction/metric-histograms/).
-* The Service List panel replaces the existing timeseries table in the Application Details panel and is now included in out-of-the-box dashboards for APM views. This change leverages the new and useful visualization for [Services List](/docs/apm/traces/services-list-map/#services-list-view) released earlier.
+* The Service List panel replaces the existing timeseries table in the Application Details panel and is now included in out-of-the-box dashboards for APM views. This change leverages the new and useful visualization for [Services List](/docs/apm/services-list-map/#services-list-view) released earlier.
 * The top bar selector for latency type has been renamed to `latency_type`, which now automatically drives all latency percentile metrics in all panels that support pct metrics.
 
 [Learn more](/docs/apm/traces/tracing-dashboards/).
@@ -1359,7 +1359,7 @@ Update - We have updated the **Reuse Password After** password policy. Previousl
 
 #### Tracing Services List
 
-New - Our new tracing **Services List** view provides a high-level summary of your service health insights and important KPIs in one compact table, allowing you to spot potential issues in your application infrastructure. [Learn more](/docs/apm/traces/services-list-map).
+New - Our new tracing **Services List** view provides a high-level summary of your service health insights and important KPIs in one compact table, allowing you to spot potential issues in your application infrastructure. [Learn more](/docs/apm/services-list-map).
 
 ---
 ### January 17, 2023 (Metrics)