DOCS-27 - Update docs for Network Sensor end-of-life (#4662)

* Update Zeek article

* Update screenshots

* Link to eol notice

* Release note

* Updates from reviews

* Remove note on Zeek article

* Change end of support date to April 30 2025

Author: jpipkin1

blog-cse/2024-11-08-application-update.md

@@ -0,0 +1,13 @@
+---
+title: November 8, 2024 - Application Update
+keywords:
+  - cloud siem
+image: https://help.sumologic.com/img/sumo-square.png
+hide_table_of_contents: true  
+---
+
+### Cloud SIEM network sensor end-of-life
+
+The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
+
+Learn more [here](/docs/cse/sensors/network-sensor-end-of-life/).

docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md

@@ -11,11 +11,6 @@ This section has instructions for collecting Corelight Zeek log messages and sen
 
 These instructions are for Corelight Zeek logs sent as JSON over syslog.
 
-:::note
-The [Cloud SIEM Network Sensor](/docs/cse/sensors/network-sensor-deployment-guide/) also utilizes Zeek, so If you're using the sensor, using Corelight Zeek would be redundant.
-:::
-
-
 ## Step 1: Configure collection
 
 In this step, you configure a Syslog Source to collect Corelight Zeek log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector.

docs/cse/sensors/index.md

@@ -12,6 +12,12 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 In this section, we'll introduce the following concepts:
 
 <div className="box-wrapper" >
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/cse/sensors/ingest-zeek-logs"><img src={useBaseUrl('img/icons/logs.png')} alt="Document icon" width="40"/><h4>Ingest Zeek Logs</h4></a>
+  <p>Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/sensors/sensor-download-locations"><img src={useBaseUrl('img/icons/operations/sensor.png')} alt="Database icon" width="40"/><h4>Sensor Download Locations</h4></a>
@@ -36,10 +42,4 @@ In this section, we'll introduce the following concepts:
   <p>Learn how to collect Log Sensor status and data to support troubleshooting efforts.</p>
   </div>
 </div>
-<div className="box smallbox card">
-  <div className="container">
-  <a href="/docs/cse/sensors/ingest-zeek-logs"><img src={useBaseUrl('img/icons/logs.png')} alt="Document icon" width="40"/><h4>Ingest Zeek Logs</h4></a>
-  <p>Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.</p>
-  </div>
-</div>
 </div>

docs/cse/sensors/ingest-zeek-logs.md

@@ -12,46 +12,9 @@ This topic has instructions for ingesting Zeek logs into Cloud SIEM. 
 
 Cloud SIEM uses [Zeek](https://zeek.org/) (formerly known as Bro) for network visibility. Zeek is an open source network analysis framework that organizes packets into flows, decodes common protocols, performs file extraction, SSL certificate validation, OS fingerprinting and more. Zeek can be extended through plugins for additional detection capabilities.
 
-## Best collection method: Network Sensor
+## Supported collection method: Sumo Logic Source
 
-Sumo Logic recommends using Cloud SIEM’s Network Sensor to collect Zeek logs and upload them to an HTTP Source on a Sumo Logic Hosted Collector. This is far and away the preferred method: it ensures that supported Bro policies are enabled and that the supported Bro output format is configured. It also results in the creation of Cloud SIEM Records from the raw Zeek log messages. For instructions, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide). 
-
-The Network Sensor extracts files observed over cleartext protocols that match selected MIME types. You can configure what types will be extracted using the [extracted_file_types](/docs/cse/sensors/network-sensor-deployment-guide) property in the Network Sensor’s configuration file, `trident-sensor.cfg`. By default the sensor will upload password-protected zip files and the following types of executables:
-
-* `application/x-dosexec`
-* `application/x-msdownload`
-* `application/x-msdos-program`
-
-:::note
-YARA [file analysis](/docs/cse/rules/import-yara-rules) is supported only for files extracted by the Network Sensor. If you use
-your own Zeek deployment and ingest logs using a Sumo Logic Source you cannot also upload extracted files. 
-:::
-
-### Filtering Zeek logs
-
-This section describes two methods you can use to filter the logs that the Network Sensor sends to Cloud SIEM.
-
-* You can configure a Berkeley Packet Filter (BPF) filter using the [filter](/docs/cse/sensors/network-sensor-deployment-guide) parameter in Network Sensor’s configuration file, `trident-sensor.cfg`. This is the most efficient filtering mechanism as it is performed before Network Sensor processing.
-
-    The value of the `filter` parameter is an expression that begins with `not`. This example expression ensures the that the Network Sensor won't process any traffic involving host `a.b.c.com` or host `d.e.f.com`:
-
-    `not ( host a.b.c.com ) and not ( host d.e.f.com )`
-
-    For information about BPF filter syntax, see https://biot.com/capstats/bpf.html.  
-     
-* You can also filter by Zeek log type using the [skipped_log_types](/docs/cse/sensors/network-sensor-deployment-guide) property in `trident-sensor.cfg`. The default value of `skipped_log_types` is:
-
-   ```
-   dpd,weird,syslog,pe,tunnel,communication,conn-summary,known_hosts,software,stdout.stderr,loaded_scripts,ntp
-   ```
-
-    You can add additional Zeek log types to the list to exclude them.
-
-The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you won't ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you won't ingest DNS data.
-
-## Alternative collection method: Sumo Logic Source 
-
-Although the Network Sensor is the preferred method for collecting Zeek logs, there is an alternative. If you already have a Zeek deployment, you can collect logs using a Sumo Logic Collector and Source.
+If you already have a Zeek deployment, you can collect logs using a Sumo Logic Collector and Source.
 
 :::note
 This method requires that your Zeek logs are in JSON format. 
@@ -60,7 +23,6 @@ This method requires that your Zeek logs are in JSON format. 
 ### Configure a Sumo Logic Source
 
 In this step, you configure a Sumo Logic Source on an Sumo Logic Installed Collector. Choose the appropriate Source type based on:
-
 * If you already have a method of forwarding Zeek logs in JSON format in Syslog format to a collector in your environment, you can use a Syslog Source to ingest the logs.
 * If you’re not set up to use Syslog, and have Zeek log files stored on a filesystem, you can use a Local File Source to ingest the logs.
 
@@ -85,8 +47,8 @@ After installing the `json-streaming-logs` package, follow these instructions to
 1. On the **Sumo Logic Ingest Mappings** page, click **Create**.<br/><img src={useBaseUrl('img/cse/ingest-mappings.png')} alt="Ingest mappings" style={{border: '1px solid gray'}} width="800"/>
 1. On the **Create Sumo Logic Mapping** page:
    1. **Source Category**. Enter the Source Category value you assigned to the Source you configured above in [Configure a Sumo Logic Source](#configure-a-sumo-logic-source).
-   1. **Format**. Choose Bro/Zeek JSON.
-   1. **Event ID**. Enter *_path*.
+   1. **Format**. Choose **Bro/Zeek JSON**.
+   1. **Event ID**. Enter `{_path}`.
    1. **Enabled**. Use the slider to enable the mapping if you’re ready to receive Zeek logs.
    1. Click **Create**.<br/><img src={useBaseUrl('img/cse/create-mapping.png')} alt="Create mapping" style={{border: '1px solid gray'}} width="600"/>
 
@@ -141,3 +103,44 @@ Perform these steps for each of the FERs.
    1. **Scope**. Click **Specific Data**.
    1. **Parse Expression**. Enter the parse expression shown in the table above for the field the rule will extract.
 1. Click **Save**.<br/><img src={useBaseUrl('img/cse/example-fer.png')} alt="Example FER" style={{border: '1px solid gray'}} width="400"/>
+
+
+## Unsupported collection method: Network Sensor
+
+:::caution End-of-Life
+This section describes using the Cloud SIEM Network Sensor. [Network Sensor has reached its end of life](/docs/cse/sensors/network-sensor-end-of-life/). Instead, use Zeek. For more information, see [Supported collection method: Sumo Logic Source](#supported-collection-method-sumo-logic-source) above. 
+:::
+
+You can use Cloud SIEM’s Network Sensor to collect Zeek logs and upload them to an HTTP Source on a Sumo Logic Hosted Collector. This method ensures that supported Bro policies are enabled and that the supported Bro output format is configured. It also results in the creation of Cloud SIEM Records from the raw Zeek log messages. For instructions, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide). 
+
+The Network Sensor extracts files observed over cleartext protocols that match selected MIME types. You can configure what types will be extracted using the [extracted_file_types](/docs/cse/sensors/network-sensor-deployment-guide) property in the Network Sensor’s configuration file, `trident-sensor.cfg`. By default the sensor will upload password-protected zip files and the following types of executables:
+
+* `application/x-dosexec`
+* `application/x-msdownload`
+* `application/x-msdos-program`
+
+:::note
+YARA [file analysis](/docs/cse/rules/import-yara-rules) is supported only for files extracted by the Network Sensor. If you use your own Zeek deployment and ingest logs using a Sumo Logic Source you can't also upload extracted files. 
+:::
+
+### Filtering Zeek logs
+
+This section describes two methods you can use to filter the logs that the Network Sensor sends to Cloud SIEM.
+
+* You can configure a Berkeley Packet Filter (BPF) filter using the [filter](/docs/cse/sensors/network-sensor-deployment-guide) parameter in Network Sensor’s configuration file, `trident-sensor.cfg`. This is the most efficient filtering mechanism as it is performed before Network Sensor processing.
+
+    The value of the `filter` parameter is an expression that begins with `not`. This example expression ensures the that the Network Sensor won't process any traffic involving host `a.b.c.com` or host `d.e.f.com`:
+
+    `not ( host a.b.c.com ) and not ( host d.e.f.com )`
+
+    For information about BPF filter syntax, see https://biot.com/capstats/bpf.html.  
+
+* You can also filter by Zeek log type using the [skipped_log_types](/docs/cse/sensors/network-sensor-deployment-guide) property in `trident-sensor.cfg`. The default value of `skipped_log_types` is:
+
+   ```
+   dpd,weird,syslog,pe,tunnel,communication,conn-summary,known_hosts,software,stdout.stderr,loaded_scripts,ntp
+   ```
+
+    You can add additional Zeek log types to the list to exclude them.
+
+The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you won't ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you won't ingest DNS data.

docs/cse/sensors/log-sensor-troubleshooting.md

@@ -4,8 +4,9 @@ title: Log Sensor Troubleshooting
 description: Learn how to collect Log Sensor status and data to support troubleshooting efforts.
 ---
 
-
+:::caution end-of-life
 The Cloud SIEM Log Sensor has reached end of life and is no longer supported. Please migrate to a Sumo Logic Hosted Collector or Installed Collector. For more information, see the [end of life notice](https://app.getbeamer.com/cloudsiementerprise/en/end-of-life-notice-_-cloud-siem-enterprise-sensors). 
+:::
 
 The Cloud SIEM Log Sensor collects log data and sends it to the legacy Cloud SIEM server. (The Log Sensor does not send log data to the Sumo Logic platform. Sumo Logic collectors serve that purpose.)
 

docs/cse/sensors/network-sensor-deployment-guide.md

@@ -6,6 +6,11 @@ description: Learn about Network Sensor deployment planning, standard sensor pla
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
+
+:::caution end-of-life
+<SensorEOL/>
+:::
 
 This section has instructions for deploying the Cloud SIEM Network Sensor. It covers deployment planning, standard sensor placement, sensor requirements, installation, general configuration, and helpful commands. 
 

docs/cse/sensors/network-sensor-end-of-life.md

@@ -10,9 +10,9 @@ description: Cloud SIEM Network Sensor has reached its end-of-life and will no l
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-At Sumo Logic, we pride ourselves on being a leading SaaS log analytics company for observability and security solutions. Our strategic focus centers on delivering cloud-based solutions, as we firmly believe that SaaS represents the most effective means to deliver substantial value and a seamless experience to our customer base.
+At Sumo Logic, we pride ourselves on being a leading SaaS log analytics company that helps make the digital world faster, more reliable, and more secure by unifying insights to ignite action through the power of logs.
 
-The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. This end-of-life notification for Sumo Logic's network sensor means the feature will no longer receive support or updates based on the timelines listed below. We believe this to be the best course of action to keep our development focus on delivering world class detection and response capabilities.
+We’re always looking at ways to innovate, drive more value, and provide a seamless experience for our customers. In this vein we are discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. This end-of-life notification for Sumo Logic's network sensor means the feature will no longer receive support or updates based on the timelines listed below. We believe this to be the best course of action to keep our development focus on delivering world class detection and response capabilities.
 
 We fully recognize that this decision may have implications for your business operations, and we are committed to planning with you and your security team to minimize disruptions. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
 
@@ -24,5 +24,5 @@ If you have any questions, please don't hesitate to reach out to your Sumo Logic
 | :-- | :-- | :-- |
 | End-of-life announcement | The date this feature is announced as end-of-life. | November 8, 2024 |
 | End of software release | The last date that Sumo Logic may release any final software maintenance releases or bug fixes. After this date, Sumo Logic will no longer develop, repair, maintain, or test product software. | November 8, 2024 |
-| Last date of support | The last date to receive applicable support for the feature as entitled by active support contracts or by applicable warrant terms and conditIons. After this date, all support services for this feature are unavailable and the feature becomes obsolete. | January 31, 2025 |
+| Last date of support | The last date to receive applicable support for the feature as entitled by active support contracts or by applicable warrant terms and conditIons. After this date, all support services for this feature are unavailable and the feature becomes obsolete. | April 30, 2025 |
 

docs/cse/sensors/network-sensor-troubleshooting.md

@@ -5,6 +5,11 @@ description: Learn how to troubleshoot problems with the Cloud SIEM Network Sens
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
+
+:::caution end-of-life
+<SensorEOL/>
+:::
 
 The Cloud SIEM Network Sensor is a flexible network security monitor that monitors IP networks and collects flow and protocol session data, building audit records of network communications. As with all network sensors, performance is a key consideration for proper operation and comprehensive data collection. The installation of the Cloud SIEM network sensor configures the sensor with reasonable defaults for many environments. For other environments, such as high throughput deployments, Sumo Logic advises the use of a supported 3rd party Bro/Zeek sensor offering or a custom Zeek cluster deployment.
 

docs/cse/sensors/sensor-download-locations.md

@@ -4,8 +4,14 @@ title: Sensor Download Locations
 description: The Cloud SIEM Network sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment.
 ---
 
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import SensorEOL from '../../reuse/cloud-siem-network-sensor-eol.md';
 
-The Cloud SIEM Network sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment. Each Sumo Logic deployment has URLs used to download sensor software. If you are not sure which endpoint to use, see How can I determine which endpoint I should use?
+:::caution end-of-life
+<SensorEOL/>
+:::
+
+The Cloud SIEM Network Sensor can be downloaded from a static URL that is specific to your Cloud SIEM deployment. Each Sumo Logic deployment has URLs used to download sensor software. If you are not sure which endpoint to use, see How can I determine which endpoint I should use?
 
 ## Installing the Network sensor
 

docs/reuse/cloud-siem-network-sensor-eol.md

@@ -0,0 +1 @@
+This article describes using the Cloud SIEM Network Sensor. [Network Sensor has reached its end of life](/docs/cse/sensors/network-sensor-end-of-life/). Instead, use Zeek. For more information, see [Ingest Zeek Logs](/docs/cse/sensors/ingest-zeek-logs/).