Merge branch 'main' into CSOAR-3889

Author: mahendrak-sumo

blog-collector/2025-09-30-installed.md

@@ -0,0 +1,9 @@
+---
+title: Version 19.525-63 (Installed Collector)
+hide_table_of_contents: true
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+In this release, we've resolved the JRE upgrade issue that occurred during [collector upgrades](/docs/send-data/collection/upgrade-collectors/).

blog-service/2025-09-29-apps.md

@@ -0,0 +1,14 @@
+---
+title: Azure Security - Microsoft Defender for Identity (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - azure
+  - microsoft
+  - azure-security-microsoft-defender-for-identity
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Sumo Logic app for Azure Security - Microsoft Defender for Identity. This app offers you enhanced capabilities to protect endpoints and defend against advanced cyber threats. [Learn more](/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity).

blog-service/2025-09-30-apps.md

@@ -0,0 +1,29 @@
+---
+title: Apps, Solutions, and Collection Integrations - September Release 
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+keywords:
+  - apps
+  - september-release
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### New release
+
+We’re excited to announce the release of the new Azure Machine Learning app for Sumo Logic.
+
+- **Azure Machine Learning**. The Azure Machine Learning app enables you to track training progress, manage model deployments, and monitor how compute resources are being used within your workspace. [Learn more](/docs/integrations/microsoft-azure/azure-machine-learning/).
+
+### Enhancements
+
+* Updated the following Amazon apps to autocreate fields, FERs, and monitors during app install:
+    * [Amazon Bedrock](/docs/integrations/amazon-aws/amazon-bedrock)
+    * [Amazon EC2 Auto Scaling](/docs/integrations/amazon-aws/amazon-ec2-auto-scaling/) 
+    * [Amazon OpenSearch](/docs/integrations/amazon-aws/amazon-opensearch/)
+* Upgraded the following apps to Node.js v22.x along with CVE fixes:
+    * [Azure Append Blob](/docs/send-data/collect-from-other-data-sources/azure-blob-storage/append-blob/)
+    * [Azure Block Blob Collection](/docs/send-data/collect-from-other-data-sources/azure-blob-storage/block-blob/)
+* **Azure Event Hubs**. Updated the dashboard filters for [Azure Event Hubs](/docs/integrations/microsoft-azure/azure-event-hubs/#viewing-the-azure-event-hubs-dashboards).
+* **Data Volume app**. Enhanced the **Ingest Trend** panel to include a breakdown of data volume by entity. This provides you an insight into the specific entities that contribute to the overall data ingestion trend. [Learn more](/docs/integrations/sumo-apps/data-volume/).
+* **Sumo Logic Lambda Extension**. Upgraded the Sumo Logic Lambda Extension to Golang version 24, including CVE fixes.

cid-redirects.json

@@ -2940,6 +2940,8 @@
   "/cid/1107": "/docs/integrations/saas-cloud/aws-iam-users",
   "/cid/1109": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365",
   "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo",
+  "/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
+  "/docs/integrations/microsoft-azure/microsoft-defender-for-identity/": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
   "/Cloud_SIEM_Enterprise": "/docs/cse",
   "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",
   "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",

docs/get-started/training-certification-faq-new.md

@@ -10,6 +10,7 @@ title: Sumo Logic Academy - Training and Certification FAQ (Beta)
 <p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import Iframe from 'react-iframe';
 
 :::note
 This program is in Beta. For more information, contact your Sumo Logic account representative.
@@ -19,6 +20,22 @@ We are leveling up our Sumo Logic certification program with the launch of **Sum
 
 With Sumo Logic Academy, you’ll find an expanded and refined course catalog, live remote exam proctoring through our partner Kryterion, and industry-recognized digital badges issued by Credly. These enhancements bring our program in line with best practices across the industry, giving you credentials you can trust and proudly share with peers, employers, and the wider professional community.
 
+:::sumo micro lesson
+
+<Iframe url="https://fast.wistia.net/embed/iframe/35ku33znar?web_component=true&seo=true&videoFoam=false"
+  width="854px"
+  height="480px"
+  title="Sumo Logic Academy Overview - Sumo Logic Video"
+  id="wistiaVideo"
+  className="video-container"
+  display="initial"
+  position="relative"
+  allow="autoplay; fullscreen"
+  allowfullscreen
+/>
+
+:::
+
 ## Getting started
 
 ### How do I access the learning portal?
@@ -95,6 +112,23 @@ Not at this time.
 
 ## Exam logistics
 
+:::sumo micro lesson
+
+
+<Iframe url="https://fast.wistia.net/embed/iframe/8i18wjmdg2?web_component=true&seo=true&videoFoam=false"
+  width="854px"
+  height="480px"
+  title="Sumo Logic Academy certification exams - Sumo Logic Video"
+  id="wistiaVideo"
+  className="video-container"
+  display="initial"
+  position="relative"
+  allow="autoplay; fullscreen"
+  allowfullscreen
+/>
+
+:::
+
 ### How do I get certified and schedule my exam?
 
 We recommend at least six months of hands-on Sumo Logic experience before taking a certification exam.

docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md

@@ -0,0 +1,249 @@
+---
+id: azure-security-microsoft-defender-for-identity
+title: Azure Security - Microsoft Defender for Identity
+description: Learn how to collect alerts from the Azure Security - Microsoft Defender for Identity platform and send them to Sumo Logic for analysis.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/send-data/ms-graph.svg')} alt="Thumbnail icon" width="50"/>
+
+The Sumo Logic app for Azure Security – Microsoft Defender for Identity enhances endpoint protection by centralizing alert data from various devices, enabling faster detection, investigation, and response to cyber threats. It uses advanced analytics and threat intelligence to identify malicious behavior and high-risk activity. With detailed dashboards and visualizations, it helps security teams track recurring incidents, assess vulnerabilities, and reduce response time, offering a comprehensive view of your organization’s endpoint security posture.
+
+:::info
+This app includes [built-in monitors](#azure-security---microsoft-defender-for-identity-alerts). For details on creating custom monitors, refer to [Create monitors for Azure Security - Microsoft Defender for Identity app](#create-monitors-for-azure-security---microsoft-defender-for-identity-app).
+:::
+
+## Log types
+
+The Azure Security – Microsoft Defender for Identity app uses Sumo Logic’s Microsoft Graph Security source to collect [alerts](https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) from the Microsoft Graph Security source.
+
+### Sample log messages
+
+<details>
+<summary>Alert Log</summary>
+
+```json
+{
+  "@odata.type": "#microsoft.graph.security.alert",
+  "id": "da637551227677560813_-961444813",
+  "providerAlertId": "da637551227677560813_-961444813",
+  "incidentId": "28282",
+  "status": "new",
+  "severity": "low",
+  "classification": "unknown",
+  "determination": "unknown",
+  "serviceSource": "microsoftDefenderForIdenity",
+  "detectionSource": "antivirus",
+  "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
+  "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+  "title": "Suspicious execution of hidden file",
+  "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
+  "recommendedActions": "Collect artifacts and determine scope Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) Look for the presence of relevant artifacts on other systems.",
+  "category": "DefenseEvasion",
+  "assignedTo": null,
+  "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+  "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+  "actorDisplayName": null,
+  "threatDisplayName": null,
+  "threatFamilyName": null,
+  "mitreTechniques": [
+    "T1564.001"
+  ],
+  "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+  "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
+  "resolvedDateTime": null,
+  "firstActivityDateTime": "2021-04-26T07:45:50.116Z",
+  "lastActivityDateTime": "2021-05-02T07:56:58.222Z",
+  "comments": [],
+  "evidence": [
+    {
+      "@odata.type": "#microsoft.graph.security.deviceEvidence",
+      "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+      "verdict": "unknown",
+      "remediationStatus": "none",
+      "remediationStatusDetails": null,
+      "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",
+      "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+      "azureAdDeviceId": null,
+      "deviceDnsName": "yonif-lap3.middleeast.corp.microsoft.com",
+      "hostName": "yonif-lap3",
+      "ntDomain": null,
+      "dnsDomain": "middleeast.corp.microsoft.com",
+      "osPlatform": "Windows10",
+      "osBuild": 22424,
+      "version": "Other",
+      "healthStatus": "active",
+      "riskScore": "medium",
+      "rbacGroupId": 75,
+      "rbacGroupName": "UnassignedGroup",
+      "onboardingStatus": "onboarded",
+      "defenderAvStatus": "unknown",
+      "ipInterfaces": [
+        "1.1.1.1"
+      ],
+      "loggedOnUsers": [],
+      "roles": [
+        "compromised"
+      ],
+      "detailedRoles": [
+        "Main device"
+      ],
+      "tags": [
+        "Test Machine"
+      ],
+      "vmMetadata": {
+        "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",
+        "cloudProvider": "azure",
+        "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",
+        "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"
+      }
+    }
+    ],
+    "systemTags" : [
+        "Defender Experts"
+  ]
+}
+```
+</details>
+
+### Sample queries
+
+```sql title="Alerts by Status"
+_sourceCategory=MicrosoftGraphSecurityIdentity
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+
+| where toLowerCase(service_source) matches("microsoftdefenderforidentity")
+
+// global filters
+| where if ("{{severity}}" = "*", true, severity matches "{{severity}}")
+| where if ("{{status}}" = "*", true, status matches "{{status}}")
+| where if ("{{classification}}" = "*", true, classification matches "{{classification}}")
+
+// panel specific
+| count by status,alert_id
+| count as frequency by status
+| sort by frequency,status
+```
+
+```sql title="Alerts by Classification"
+_sourceCategory=MicrosoftGraphSecurityIdentity
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+
+| where toLowerCase(service_source) matches("microsoftdefenderforidentity")
+
+// global filters
+| where if ("{{severity}}" = "*", true, severity matches "{{severity}}")
+| where if ("{{status}}" = "*", true, status matches "{{status}}")
+| where if ("{{classification}}" = "*", true, classification matches "{{classification}}")
+
+// panel specific
+| where !isBlank(classification)
+| count by classification,alert_id 
+| count as frequency by classification
+| sort by frequency
+```
+
+```sql title="Top 10 Alert Categories"
+_sourceCategory=MicrosoftGraphSecurityIdentity
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+
+| where toLowerCase(service_source) matches("microsoftdefenderforidentity")
+
+// global filters
+| where if ("{{severity}}" = "*", true, severity matches "{{severity}}")
+| where if ("{{status}}" = "*", true, status matches "{{status}}")
+| where if ("{{classification}}" = "*", true, classification matches "{{classification}}")
+
+// panel specific
+| where !isBlank(category)
+| count by category,alert_id
+| count as frequency by category
+| sort by frequency
+| limit 10
+```
+
+## Collection configuration and app installation
+
+:::note
+- Skip this step if you have already configured the [Microsoft Graph Security API Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/).
+- Select **Use the existing source and install the app** to install the app using the `sourceCategory` of the Microsoft Graph Security API Source configured above.
+:::
+
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
+
+<CollectionConfiguration/>
+
+:::important
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Azure Security - Microsoft Defender for Identity app is properly integrated and configured to collect and analyze your Azure Security - Microsoft Defender for Identity data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
+
+## Viewing the Azure Security - Microsoft Defender for Identity dashboards
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Overview
+
+The **Azure Security - Microsoft Defender for Identity - Overview** dashboard provides a comprehensive view of security threats detected across endpoints, enabling analysts to quickly assess, prioritise, and respond to potential incidents. Through an extensive set of visualisations, it presents key metrics such as total alerts, high-severity alerts, and their breakdown by status, classification, determination, service source, and detection source.
+
+Security teams can easily identify dominant alert categories, monitor the most recent alerts for immediate action, and track analyst assignments to ensure accountability. The dashboard also highlights top users associated with alerts, helping detect insider threats or compromised accounts that may require deeper investigation.
+
+Geo-location mapping adds another layer of insight by showing the origin of alerts, supporting region-specific risk assessments. By combining historical trends with real-time visibility, the dashboard enables security teams to focus on high-impact threats and improve response times.
+<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Azure-Security-Microsoft-Defender-for-Identity/Azure-Security-Microsoft-Defender-for-Identity-Overview.png' alt="Azure Security - Microsoft Defender for Identity - Overview" />
+
+### Security
+
+The **Azure Security - Microsoft Defender for Identity - Security** dashboard offers a strategic, high-level view of the organisation’s endpoint threat landscape, enabling security teams to pinpoint risk concentrations and monitor how threats evolve over time. Interactive trend panels display shifts in alert severity, helping teams quickly identify surges in high-risk incidents and prioritise their response accordingly.
+
+Geo-location insights spotlight alerts originating from high-risk regions, supporting threat assessments tied to specific geopolitical contexts. The dashboard also provides critical visibility into top user accounts with compromised or privileged roles—potential indicators of targeted attacks or insider threats.
+
+Additionally, it ranks the most frequently attacked devices and highlights countries linked to malicious or suspicious IP activity, offering clear insight into the most vulnerable assets and regions. This intelligence allows for more focused defences and faster, more effective threat mitigation.
+
+By integrating trend analysis, threat origin mapping, and user risk profiling, the Security dashboard empowers analysts to detect emerging patterns, respond proactively, and strengthen the organisation’s resilience against sophisticated endpoint threats.
+<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Azure-Security-Microsoft-Defender-for-Identity/Azure-Security-Microsoft-Defender-for-Identity-Security.png' alt="Azure Security - Microsoft Defender for Identity - Security" />
+
+## Create monitors for Azure Security - Microsoft Defender for Identity app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Azure Security - Microsoft Defender for Identity alerts
+
+| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | 
+|:--|:--|:--|:--|
+| `Alerts Detected from Embargoed Locations` | This alert is triggered when activity is detected from a location flagged as high-risk, enabling you to monitor access attempts from unusual or restricted geographic regions. It enhances your ability to spot suspicious behaviour and potential threats originating from locations outside your organisation’s typical operating areas. | Critical | Count > 0 | 
+| `High Severity Alerts` | This alert is triggered when a high-severity threat is detected, allowing you to promptly monitor and respond to potentially harmful events that may compromise endpoint security. It ensures critical incidents are prioritised for swift investigation and mitigation. | Critical | Count > 0|
+| `Embargoed Device` | This alert is triggered when a single device generates multiple alerts, indicating potentially malicious behaviour. It helps you identify high-risk devices, monitor suspicious activity more effectively, and take swift action to prevent further compromise. | Critical | Count > 5 |
+
+## Upgrade/Downgrade the Azure Security - Microsoft Defender for Identity app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the Azure Security - Microsoft Defender for Identity app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>