Merge branch 'main' into app_central_update_malware

ruturajsumo · web-flow · commit 580661ba870b · 2025-04-15T10:52:32.000+05:30
diff --git a/blog-cse/2025-04-14-content.md b/blog-cse/2025-04-14-content.md
@@ -0,0 +1,81 @@
+---
+title: April 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Additional data requirements for GitHub rules added to rule descriptions.
+- Spelling corrections for AWS Lambda rules.
+- New Slack Anomaly Event log mapper and supporting parsing changes:
+   - Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
+   - Requires parser be defined for passthrough detection.
+- Updates to Sysdig parsing and mapping to support additional events.
+- Support for Microsoft Windows Sysmon-29 event.
+- Additional normalized field mappings for Microsoft Windows Sysmon events.
+- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields.
+
+
+### Rules
+- [Updated] MATCH-S00874 AWS Lambda Function Recon
+- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
+- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
+- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
+- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
+- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
+- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
+- [Updated] MATCH-S00955 GitHub - Member Permissions Modification
+- [Updated] MATCH-S00956 GitHub - OAuth Application Activity
+- [Updated] MATCH-S00957 GitHub - Organization Transfer
+- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
+- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
+- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
+- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
+- [Updated] MATCH-S00960 GitHub - Repository Transfer
+- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
+- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
+- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
+- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+
+### Log Mappers
+- [New] Slack Anomaly Event
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
+- [New] Windows - Microsoft-Windows-Sysmon/Operational-29
+- [Updated] Sysdig Secure Packages
+- [Updated] Sysdig Secure Vulnerability
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
+
+### Parsers
+- [New] /Parsers/System/Slack/Slack Enterprise Audit
+- [Updated] /Parsers/System/Sysdig/Sysdig Secure
+
+### Schema
+- [New] `targetUser_phoneNumber`
+- [New] `user_phoneNumber`
diff --git a/blog-service/2025-03-31-apps.md b/blog-service/2025-03-31-apps.md
@@ -13,7 +13,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 We’re excited to announce the release of the new Azure Key Vault and AWS Auto scaling apps for Sumo Logic.
 
-- **Azure Key Vault**. Azure Key Vault is a managed service, hosted in the cloud that acts as a central message hub for communication between an IoT application and its attached devices. This integration helps in comprehensive monitoring of your key vaults requests, performance, failures, and latency. [Learn more](/docs/integrations/microsoft-azure/azure-key-vault/).
+- **Azure Key Vault**. Azure Key Vault is a cloud service that helps you securely store and manage secrets, keys, and certificates. You can use it to protect data for cloud apps and services. This integration helps in comprehensive monitoring of your Key Vault operations, requests, failures, and latency. [Learn more](/docs/integrations/microsoft-azure/azure-key-vault/).
 - **AWS Auto scaling**. Amazon EC2 Auto Scaling helps you maintain application availability and lets you automatically add or remove EC2 instances using scaling policies that you define. Dynamic or predictive scaling policies let you add or remove EC2 instance capacity to service established or real-time demand patterns. [Learn more](/docs/integrations/amazon-aws/amazon-ec2-auto-scaling/).
 
 ### Enhancements
diff --git a/docs/cse/administration/mitre-coverage.md b/docs/cse/administration/mitre-coverage.md
@@ -211,3 +211,10 @@ You can use the following Cloud SIEM APIs to obtain information about your MITRE
 * [MitreAttackCoverageExportJson](https://api.sumologic.com/docs/sec/#operation/MitreAttackCoverageExportJson). Get a JSON representation of the Mitre ATT&CK coverage.
 
 To find the Cloud SIEM API documentation for your endpoint, see [Cloud SIEM APIs](/docs/api/cloud-siem-enterprise/).
+
+## Additional resources
+
+* Blog: [Enhance your cloud security with MITRE ATT&CK and Sumo Logic Cloud SIEM](https://www.sumologic.com/blog/cloud-siem-mitre-attack/)
+* Glossary: [MITRE ATT&CK - definition & overview](https://www.sumologic.com/glossary/mitre-attack/)
+* Demo: [MITRE ATT&CK Coverage Explorer](https://www.sumologic.com/demo/cloud-siem-mitre-attack-coverage-explorer/)
+* Cloud SIEM Content Catalog: [Vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md)
diff --git a/docs/cse/rules/about-cse-rules.md b/docs/cse/rules/about-cse-rules.md
@@ -185,3 +185,9 @@ Threat Intelligence sources contain values that, when encountered in a record, a
 
 Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 
+## Additional resources
+
+* Blogs: 
+   * [Secure your CI/CD pipelines from supply chain attacks with Sumo Logic’s Cloud SIEM rules](https://www.sumologic.com/blog/secure-azure-devops-github-supply-chain-attacks/)
+   * [Rule tuning – supercharge Cloud SIEM for better alerts](https://www.sumologic.com/blog/rule-tuning-cloud-siem-alert-fatigue/)
+* Cloud SIEM Content Catalog: [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md)
diff --git a/docs/get-started/ai-machine-learning.md b/docs/get-started/ai-machine-learning.md
@@ -100,12 +100,16 @@ Sumo Logic's Cloud SIEM leverages AI-driven rules for security management, inclu
 Our Global Intelligence Service apps provide security teams with valuable real-time security intelligence to scale detection, prioritization, investigation, and workflow to prevent potentially harmful service configurations that could lead to a costly data breach. [Learn more](/docs/integrations/global-intelligence).
 
 
-## More information
+## Additional resources
+
+* Guide: [Understanding artificial intelligence for log analytics](https://www.sumologic.com/guides/machine-data-analytics)
+* Blogs: 
+   * [What are the differences between artificial intelligence, machine learning, deep learning and generative AI?](https://www.sumologic.com/blog/machine-learning-deep-learning)
+   * [DevSecOps in an AI world requires disruptive log economics](https://www.sumologic.com/blog/devsecops-ai-disruptive-log-economics)
+   * [Generative AI: The latest example of systems of insight](https://www.sumologic.com/blog/generative-ai-latest-example-systems-of-insight)
+   * [Harnessing the power of artificial intelligence in log analytics](https://www.sumologic.com/blog/power-ai-log-analytics/)
+   * [Reduce alert noise, automate incident response and keep coding with AI-driven alerting](https://www.sumologic.com/blog/ai-driven-low-noise-alerts/)
 
-* [What are the differences between artificial intelligence, machine learning, deep learning and generative AI?](https://www.sumologic.com/blog/machine-learning-deep-learning)
-* [Understanding artificial intelligence for log analytics](https://www.sumologic.com/guides/machine-data-analytics)
-* [DevSecOps in an AI world requires disruptive log economics](https://www.sumologic.com/blog/devsecops-ai-disruptive-log-economics)
-* [Generative AI: The latest example of systems of insight](https://www.sumologic.com/blog/generative-ai-latest-example-systems-of-insight)
 <!--
 -Bashyam's blog about how we trained our AI
 -Flex Pricing? The more log data ingested, the sharper your analytics and ML/AI insights become. By eliminating ingest limitations and empowering an ML/AI-driven single source of truth for analytics, Flex enables DevOps and DevSecOps teams to troubleshoot faster, accelerate release velocity, and ensure reliable, secure digital experiences.
diff --git a/docs/integrations/amazon-aws/cloudtrail.md b/docs/integrations/amazon-aws/cloudtrail.md
@@ -305,3 +305,8 @@ See information about S3 public objects and buckets, including counts of new pub
 **Modified Public Objects-Bucket**. Displays modified public objects per object on a timeline using the `timeslices` of one hour as a stacked column chart for the last 24 hours.
 
 **Modified Public Objects Table**. Displays a table with modified public objects in your S3 bucket, with time, key, bucket name, account ID, region, username, and access key ID for the last 24 hours.
+
+## Additional resources
+
+* Blog: [What is AWS CloudTrail?](https://www.sumologic.com/blog/what-is-aws-cloudtrail/)
+* App description: [Logs for Security app for AWS CloudTrail](https://www.sumologic.com/application/aws-cloudtrail/)
diff --git a/docs/integrations/amazon-aws/waf.md b/docs/integrations/amazon-aws/waf.md
@@ -60,7 +60,7 @@ _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
 | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
 ```
-<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
+<!-- Per DOCS-643, replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
diff --git a/docs/integrations/databases/postgresql.md b/docs/integrations/databases/postgresql.md
@@ -691,3 +691,9 @@ postgresql_index_size<br/>
 postgresql_table_size<br/>
 
 </details>
+
+## Additional resources
+
+* Blogs: 
+   * [How to use Kubernetes to deploy Postgres](https://www.sumologic.com/blog/kubernetes-deploy-postgres/)
+   * [PostgreSQL vs MySQL](https://www.sumologic.com/blog/postgresql-vs-mysql/) 
diff --git a/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md b/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md
@@ -370,3 +370,8 @@ import CreateMonitors from '../../../reuse/apps/create-monitors.md';
 | `HAProxy - Backend Server Down` | This alert is triggered when a backend server for a given HAProxy server is down. | Count > 0 | Count < = 0 |
 | `HAProxy - High Client (HTTP 4xx) Error Rate` | This alert is triggered when there are too many HTTP requests (>5%) with a response status of 4xx. | Count > 0 | Count < = 0 |
 | `HAProxy - High Server (HTTP 5xx) Error Rate` | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx. | Count > 0 | Count < = 0 |
+
+## Additional resources
+
+* Blog: [Everything you need to know about HAProxy log format](https://www.sumologic.com/blog/haproxy-log-format/)
+* App description: [HAProxy App for Sumo Logic](https://www.sumologic.com/application/haproxy/)
diff --git a/docs/observability/aws/about.md b/docs/observability/aws/about.md
@@ -106,3 +106,9 @@ The following Sumo Logic [AWS Observability Solution apps](/docs/observability/a
 * [AWS Observability Classic Load Balancer](/docs/observability/aws/integrations/aws-classic-load-balancer). The [AWS Observability Classic Load Balancer](/docs/observability/aws/integrations/aws-classic-load-balancer) is a unified logs and metrics app that provides visibility into the health of your [AWS Classic Load Balancer](https://aws.amazon.com/elasticloadbalancing/classic-load-balancer/). The preconfigured dashboards provide insights into latency, request and host status, threat intel, and HTTP backend codes by Availability Zones.
 * [Amazon SNS](/docs/observability/aws/integrations/amazon-sns). The [Amazon SNS](/docs/observability/aws/integrations/amazon-sns) app provides insight into the operations and utilization of your [Amazon SNS](https://aws.amazon.com/sns) service. The preconfigured dashboards help you monitor the key metrics by application, platform, region, and topic name, view the SNS events for activities, and help you plan the capacity of your SNS service.
 * [Amazon SQS](/docs/observability/aws/integrations/amazon-sqs). The [Amazon SQS](/docs/observability/aws/integrations/amazon-sqs) app provides insight into the operations and utilization of your [Amazon SQS](https://aws.amazon.com/sqs) service. The preconfigured dashboards help you monitor the key metrics, view the SQS events for queue activities, and help you plan the capacity of your SQS service utilization.
+
+## Additional resources
+
+* Blog: [Lightning-fast troubleshooting for AWS: How to find the root cause fast with Sumo Logic](https://www.sumologic.com/blog/aws-observability-fast-troubleshooting/)
+* White paper: [Advancing Observability on AWS with Sumo Logic](https://www.sumologic.com/brief/advancing-observability-on-aws-with-sumo-logic/)
+* Demo: [AWS Logs for Monitoring and Troubleshooting](https://www.sumologic.com/demo/aws-logs-for-monitoring-and-troubleshooting/)
diff --git a/docs/observability/aws/integrations/aws-dynamodb.md b/docs/observability/aws/integrations/aws-dynamodb.md
@@ -69,7 +69,7 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
 | sum (ip_count) as threat_count
 ```
 
-<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
+<!-- Per DOCS-643, replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql title="All IP Threat Count"
 _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynamodb.amazonaws.com\""
 | json "eventName", "awsRegion", "requestParameters.tableName", "sourceIPAddress", "userIdentity.userName" as event_name, Region, entity, ip_address, user
diff --git a/docs/observability/kubernetes/about.md b/docs/observability/kubernetes/about.md
@@ -100,3 +100,9 @@ The kube-proxy is a network proxy that runs on each node in your cluster. The ku
 Pods reside on a given node, and a pod can contain several containers. For pods, you should monitor:
 * Scheduler health for individual pods - so they do not get stuck in a restart loop
 * Pod health - availability, resource consumption, and performance
+
+## Additional resources
+
+* Blogs: 
+   * [Kubernetes DevSecOps](https://www.sumologic.com/blog/kubernetes-devsecops/)
+   * [Logging and monitoring Kubernetes](https://www.sumologic.com/blog/kubernetes-logs/)
diff --git a/docs/search/copilot.md b/docs/search/copilot.md
@@ -413,3 +413,12 @@ We want your feedback! Let us know what you think by clicking the thumbs up or t
 You can also leave feedback on specific errors.
 
 <img src={useBaseUrl('img/search/copilot/feedback-error.png')} alt="Copilot feedback icons" style={{border: '1px solid gray'}} width="800" />
+
+## Additional resources
+
+* Blogs:
+   * [Sumo Logic Mo Copilot: AI assistant for faster incident response and simplified troubleshooting](https://www.sumologic.com/blog/mo-copilot-ai-assistant/)
+   * [Designing Sumo Logic Mo Copilot for success](https://www.sumologic.com/blog/designing-mo-copilot-success/)
+   * [Differentiating Sumo Logic Mo Copilot using Amazon Bedrock](https://www.sumologic.com/blog/copilot-amazon-bedrock/)
+* Brief: [Sumo Logic's Mo Copilot speeds up response](https://www.sumologic.com/brief/sumo-logics-mo-copilot-speeds-up-response/)
+* Webinar: [Revolutionizing Incident Management with AI: Meet Mo Copilot](https://www.sumologic.com/webinar/revolutionizing-incident-management-with-ai-meet-mo-copilot/)
diff --git a/docs/search/search-query-language/search-operators/threatip.md b/docs/search/search-query-language/search-operators/threatip.md
@@ -6,7 +6,7 @@ sidebar_label: threatip
 
 The `threatip` operator correlates data in the [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
 
-<!-- 
+<!-- Add this per DOCS-815:
 You can also use the [`threatlookup`](/docs/search/search-query-language/search-operators/threatlookup/) search operator to search threat intelligence indicators.
 -->
 
diff --git a/docs/search/search-query-language/search-operators/tolowercase-touppercase.md b/docs/search/search-query-language/search-operators/tolowercase-touppercase.md
@@ -55,7 +55,7 @@ which provides results like:
 | lookup raw from sumo://threat/cs on threat = hash{code}
 ```
 
-<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
+<!-- Per DOCS-643, replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql
 *
 | limit 1
diff --git a/docs/search/subqueries.md b/docs/search/subqueries.md
@@ -389,7 +389,7 @@ _sourceCategory=weblogs
 | where threatlevel = "high"
 | compose src_ip]
 ```
-<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
+<!-- Per DOCS-643, replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql
 _sourceCategory=weblogs
 [subquery:_sourceCategory="Labs/SecDemo/guardduty" "EC2 Instance" "communicating on an unusual server port 22"
diff --git a/docs/security/additional-security-features/audit-and-compliance.md b/docs/security/additional-security-features/audit-and-compliance.md
@@ -177,3 +177,7 @@ To use Sumo Logic to start an audit of AWS root for compliance, perform these st
 1. Click the magnifying glass icon or press Enter to start the search.
 1. Click the **Aggregates** tab in the results. In the results, see API calls using the root account type. You can work with your AWS administrators to find out if this use of root is necessary and legitimate or not.
 
+## Additional resources
+
+* Blog: [What to expect when you’re expecting a cybersecurity audit for compliance](https://www.sumologic.com/blog/what-to-expect-when-youre-expecting-a-cybersecurity-audit-for-compliance/)
+* Guide: [NIS2 compliance guide](https://www.sumologic.com/brief/nis2-compliance-guide/)
diff --git a/docs/security/additional-security-features/cloud-infrastructure-security/introduction-to-cloud-infrastructure-security.md b/docs/security/additional-security-features/cloud-infrastructure-security/introduction-to-cloud-infrastructure-security.md
diff --git a/docs/security/additional-security-features/introduction-to-additional-security-features.md b/docs/security/additional-security-features/introduction-to-additional-security-features.md
diff --git a/docs/security/additional-security-features/threat-detection-and-investigation.md b/docs/security/additional-security-features/threat-detection-and-investigation.md
diff --git a/docs/security/threat-intelligence/find-threats.md b/docs/security/threat-intelligence/find-threats.md
diff --git a/docs/send-data/collect-from-other-data-sources/collect-prometheus-metrics.md b/docs/send-data/collect-from-other-data-sources/collect-prometheus-metrics.md
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source.md
diff --git a/docs/send-data/opentelemetry-collector/index.md b/docs/send-data/opentelemetry-collector/index.md
