docs/cse/administration/create-custom-threat-intel-source.md (5 additions & 5 deletions)
@@ -36,13 +36,13 @@ import Iframe from 'react-iframe';
36
36
### How Cloud SIEM uses indicators
37
37
38
38
When Cloud SIEM encounters an indicator from your threat source in an incoming
39
-
Record it adds relevant information to the Record. Because threat intelligence
40
-
information is persisted within Records, you can reference it downstream
39
+
record it adds relevant information to the record. Because threat intelligence
40
+
information is persisted within records, you can reference it downstream
41
41
in both rules and search. The built-in rules that come with Cloud SIEM
42
-
automatically create a Signal for Records that have been enriched in
42
+
automatically create a Signal for records that have been enriched in
43
43
this way.
44
44
45
-
Rule authors can also write rules that look for threat intelligence information in Records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
45
+
Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
46
46
*About Cloud SIEM Rules* topic.
47
47
48
48
### Create a threat intelligence source from Cloud SIEM UI
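Review bot: the lowercasing in this hunk is applied inconsistently. The changed line now reads `automatically create a Signal for records that have been enriched`, keeping `Signal` capitalized, while elsewhere in this same PR the equivalent sentence becomes `automatically create a signal for any record with a match`. Pick one convention for Signal/signal and apply it here too; the same question applies to `Rule Tuning Expression` in the following paragraph if it is not meant as a proper feature name.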
@@ -89,7 +89,7 @@ The .csv file can contain up to four columns, which are described below.
89
89
| value | Required. Must be one of the following: <br/>- A valid IPV4 or IPv6 address<br/>- A valid, complete URL <br/>- A valid email address<br/>- A hostname (without protocol or path)<br/>- A hexadecimal string of 32, 40, 64, or 128 characters |
90
90
| description | Optional. |
91
91
| expires| Optional. The data and time when you want the indicator to be removed, in any ISO date format. |
92
-
| active | Required. Specifies whether the indicator actively looks for threat intelligence in Records. Valid values are `true` or `false`. |
92
+
| active | Required. Specifies whether the indicator actively looks for threat intelligence in records. Valid values are `true` or `false`. |
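Review bot: the `active` row still describes the indicator as the actor (`the indicator actively looks for threat intelligence in records`); an indicator does not look for anything, it is matched against record field values. Suggest `Specifies whether the indicator is used when matching incoming records; inactive indicators are ignored.` While this table is open, the unchanged `expires` row has a typo (`The data and time` should be `The date and time`), and the `value` row mixes `IPV4` and `IPv6` casing.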
docs/cse/integrations/configuring-threatq-source-in-cse.md (6 additions & 6 deletions)
@@ -15,7 +15,7 @@ To do so, [ingest threat intelligence indicators](/docs/security/threat-intellig
15
15
16
16
## Looking for ThreatQ indicators using Cloud SIEM rules
17
17
18
-
Threat Intelligence sources are used at the time of Record ingestion. When a Record is ingested, Cloud SIEM determines whether any of the fields in the Record exist in any of your Threat Intelligence sources. When a Record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming Records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
18
+
Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
19
19
-->
20
20
21
21
This topic has information about configuring a ThreatQ source in Cloud SIEM.
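Review bot: the edited paragraph sits inside an HTML comment (the `-->` two lines below it closes the comment), so this change has no rendered effect; either delete the commented-out block or leave it alone rather than copy-editing hidden text. If it is kept, the sentence also has its logic inverted: `When a record contains a value that matches ..., the hasThreatMatch Cloud SIEM rules function searches incoming records` makes the match the trigger for the search. It is the other way round: `hasThreatMatch` compares record fields against the indicators, and a match is the outcome. The identical sentence appears in about-cse-rules.md in this PR and needs the same fix.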
@@ -50,15 +50,15 @@ After you set up your ThreatQ source, it will appear on the Threat Intel page in
50
50
51
51
## Looking for ThreatQ indicators using Cloud SIEM rules
52
52
53
-
As with other threat intel sources, Cloud SIEM compares each incoming Record to the indicators provided by your ThreatQ source.
53
+
As with other threat intel sources, Cloud SIEM compares each incoming record to the indicators provided by your ThreatQ source.
54
54
55
-
When a Record contains a value that matches an entry in one or more threat intel lists, two fields in the Record get populated: a `listMatches` field that contains the names of threat intel lists that the Record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.
55
+
When a record contains a value that matches an entry in one or more threat intel lists, two fields in the record get populated: a `listMatches` field that contains the names of threat intel lists that the record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.
56
56
57
-
For example, give a Record whose `SourceIp` column matches a entry in “My Threat Intel List”, the `listMatches` field added to the record would look like this:
57
+
For example, give a record whose `SourceIp` column matches a entry in “My Threat Intel List”, the `listMatches` field added to the record would look like this:
Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
61
+
Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
If the name of the list you are referencing with `array_contains` contains any spaces, replace the spaces with underscores. For example, if the list name is *my list*, refer to it as *my_list*.
71
71
:::
72
72
73
-
For more information, see the [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.
73
+
For more information, see [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.
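Review bot: the `+` line for the example paragraph carries two typos forward: `give a record whose SourceIp column matches a entry` should read `given a record whose SourceIp column matches an entry`. Separately, this section documents matching through the `listMatches` and `matchedItems` fields and `array_contains`, while the commented-out section above and the other files in this PR describe `hasThreatMatch`; confirm which mechanism applies to ThreatQ indicators today, so the page does not describe both without saying which one is current.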
docs/cse/integrations/enrichments-and-indicators.md (5 additions & 5 deletions)
@@ -8,16 +8,16 @@ description: Learn how enrichments include threat indicators.
8
8
import useBaseUrl from '@docusaurus/useBaseUrl';
9
9
10
10
11
-
Enrichments can add [threat indicators](#threat-indicators) to show risk level in Insights and Entities.
11
+
Enrichments can add [threat indicators](#threat-indicators) to show risk level in insights and entities.
12
12
13
13
## Enrichments
14
14
15
-
You can view the results of enrichments in Cloud SIEM by navigating to the **Enrichments** tab (which will appear on the Entity, Signal, and Insight details pages if there are any enrichments to display):
15
+
You can view the results of enrichments in Cloud SIEM by navigating to the **Enrichments** tab (which will appear on the entity, signal, and insight details pages if there are any enrichments to display):
16
16
17
17
<img src={useBaseUrl('img/cse/enrichments.png')} alt="Examples of enrichments" width="800"/>
18
18
19
19
The enhancements include:
20
-
* Enrichments are grouped by Entity, not by enrichment source.
20
+
* Enrichments are grouped by entity, not by enrichment source.
21
21
* Groups can be collapsed and expanded.
22
22
* The list can be filtered.
23
23
* Empty fields (fields with a null or empty value) can be optionally hidden.
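Review bot: the unchanged lead-in `The enhancements include:` reads like release-note text and does not fit the bullet list under it, which describes how the Enrichments tab behaves (grouped by entity, collapsible groups, filtering, hiding empty fields). Since the first bullet is being touched anyway, change the lead-in to something like `On the Enrichments tab:` so the list reads as current behavior.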
@@ -34,7 +34,7 @@ Threat indicators, if set, will be displayed throughout the Cloud SIEM UI either
No icon is displayed for Entities with the **Not Flagged** label.
37
+
No icon is displayed for entities with the **Not Flagged** label.
38
38
39
39
:::note
40
40
**Not Flagged** is not the default value (which is no indicator at all). Cloud SIEM will not automatically determine the indicator value; enrichments must explicitly set it.
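Review bot: the note below the changed line is the right place to spell out the safety implication. Because `Not Flagged` must be set explicitly by an enrichment and the default is no indicator at all, an entity with no icon has not been assessed, not cleared. Consider adding a sentence such as `An entity with no indicator has not been evaluated by any enrichment and should not be treated as benign.`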
@@ -46,5 +46,5 @@ For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/s
46
46
47
47
The enrichment schema includes support for the following optional attributes:
48
48
*`expiresAt`. Defines when the enrichment should be auto-deleted from Cloud SIEM (by default, enrichments will never be auto-deleted).
49
-
*`externalUrl`. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this Entity, put the link in this field).
49
+
*`externalUrl`. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this entity, put the link in this field).
50
50
*`reputation`. Associates a threat indicator with this enrichment data. The allowable values are `malicious`, `suspicious`, and `notflagged`. The default is not to display any reputation.
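Review bot: the three attribute bullets start with an asterisk immediately followed by a backtick (as in *`expiresAt`), with no space between them, so Markdown will not render them as list items and may read the asterisks as emphasis markers. Since the `externalUrl` line is touched in this hunk, add the space on all three (`expiresAt`, `externalUrl`, `reputation`). Also, `reputation` documents the value `notflagged` while the UI label in the hunk above is `Not Flagged`; one clause saying that the stored value is the lowercase, unspaced form would avoid confusion.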
1. Configure the [TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source/) or [TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source/), depending on which you want to use.
31
31
1. The [ingested threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) appear on the [Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). To access the Threat Intelligence tab, go to **Manage Data** > **Logs** > **Threat Intelligence**.
32
-
1. Use the `hasThreatMatch` Cloud SIEM rules language function to search incoming Records for matches to threat intelligence indicators. When matches are found, they appear on Records in Cloud SIEM. For more information, see [`hasThreatMatch`](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch).
32
+
1. Use the `hasThreatMatch` Cloud SIEM rules language function to search incoming records for matches to threat intelligence indicators. When matches are found, they appear on records in Cloud SIEM. For more information, see [`hasThreatMatch`](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch).
33
33
34
34
## Leveraging indicators in rules
35
35
36
-
Threat intelligence indicators allow you to enrich incoming Records with threat intel information. Cloud SIEM uses the the `hasThreatMatch` rules function to compare incoming Records with information from the threat feed. When there is a “match”, for instance, when an IP address in a Record matches an IP address that the feed says is malicious, Cloud SIEM adds relevant information to that Record.
36
+
Threat intelligence indicators allow you to enrich incoming records with threat intel information. Cloud SIEM uses the the `hasThreatMatch` rules function to compare incoming records with information from the threat feed. When there is a “match”, for instance, when an IP address in a record matches an IP address that the feed says is malicious, Cloud SIEM adds relevant information to that record.
37
37
38
-
Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a Signal for any Record with a match from your threat feed.
38
+
Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a signal for any record with a match from your threat feed.
39
39
40
40
For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
41
41
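Review bot: the `+` line under `Leveraging indicators in rules` carries a doubled word forward: `Cloud SIEM uses the the hasThreatMatch rules function` should read `Cloud SIEM uses the hasThreatMatch rules function`. The file header for this hunk is missing from the rendered diff, so the note is anchored on the hunk content only.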
@@ -55,7 +55,7 @@ To integrate Cloud SIEM with a TAXII feed, you configure the URL of the TAXII pr
55
55
56
56
## Leveraging indicators in rules
57
57
58
-
The integration allows you to enrich incoming Records with threat intel information, and leverage that information in Cloud SIEM Rules. How does that work? Cloud SIEM compares incoming Records with information from the threat feed. When there is a “match”, for instance when an IP address in a Record matches an IP address that the feed says is malicious, Cloud SIEM adds relevant information to that Record. Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a Signal for any Record with a match from your threat feed. To leverage the information in a rule, you can extend your custom rule expression, or add a [Rule Tuning Expression](/docs/cse/rules/rule-tuning-expressions) to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the *About Cloud SIEM Rules* topic.
58
+
The integration allows you to enrich incoming records with threat intel information, and leverage that information in Cloud SIEM Rules. How does that work? Cloud SIEM compares incoming records with information from the threat feed. When there is a “match”, for instance when an IP address in a record matches an IP address that the feed says is malicious, Cloud SIEM adds relevant information to that record. Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a signal for any record with a match from your threat feed. To leverage the information in a rule, you can extend your custom rule expression, or add a [Rule Tuning Expression](/docs/cse/rules/rule-tuning-expressions) to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the *About Cloud SIEM Rules* topic.
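Review bot: this paragraph repeats, nearly word for word, the two paragraphs under the earlier `## Leveraging indicators in rules` heading in this diff (enrich incoming records, compare them with the feed, persist the match in the record, built-in rules create a signal). Consolidate to one statement plus a link rather than maintaining two copies that will drift. Within the `+` line itself, `signal` is lowercased but `Cloud SIEM Rules` is not; `rules` is a generic noun here and should follow the same convention the PR applies to `record` and `signal`.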
docs/cse/rules/about-cse-rules.md (2 additions & 2 deletions)
@@ -165,7 +165,7 @@ This example below checks a record for a field named `listMatches` that contains
165
165
166
166
### Threat Intelligence
167
167
168
-
Threat Intelligence sources contain values that, when encountered in a Record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/).
168
+
Threat Intelligence sources contain values that, when encountered in a record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/).
169
169
170
-
Threat Intelligence sources are used at the time of Record ingestion. When a Record is ingested, Cloud SIEM determines whether any of the fields in the Record exist in any of your Threat Intelligence sources. When a Record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming Records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
170
+
Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
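Review bot: the second `+` line keeps cause and effect inverted: `When a record contains a value that matches ..., the hasThreatMatch Cloud SIEM rules function searches incoming records`. The function performs the comparison; a match is its result, not its trigger. Suggest: `Cloud SIEM evaluates hasThreatMatch against incoming records; when a field value matches an indicator in one of your Threat Intelligence sources, the record is enriched with the match.` The same paragraph also says sources are `used at the time of record ingestion` while describing `hasThreatMatch` as a rules-language function; state whether matching happens at ingestion, at rule evaluation, or both.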
docs/cse/rules/cse-rules-syntax.md (2 additions & 2 deletions)
@@ -626,14 +626,14 @@ The following expression returns "10.10.1.0":
626
626
627
627
### hasThreatMatch
628
628
629
-
The `hasThreatMatch` Cloud SIEM rules function searches incoming Records in Cloud SIEM for matches to [threat intelligence indicators](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). It can also match values in [Custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/).
629
+
The `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to [threat intelligence indicators](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). It can also match values in [Custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/).
*`<fields>` is a list of comma separated Entity field names. At least one field name is required.
636
+
*`<fields>` is a list of comma separated entity field names. At least one field name is required.
637
637
*`<filters>` is a logical expression using indicator attributes. (Allowed are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `=>`, `!=`.)
638
638
*`<indicators>` is an optional case insensitive option that describes how indicators should be matched with regard to their validity. Accepted values are:
639
639
*`active_indicators`. Match active indicators only (default).
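Review bot: the changed `<fields>` bullet keeps `comma separated` unhyphenated (`comma-separated`), and this bullet and the ones around it start with an asterisk glued to a backtick, so they will not render as a list; fix the spacing while the line is touched. Also confirm `entity field names` is the intended term, given that this PR lowercases `record` throughout and the function is described as searching record fields. In the unchanged `<filters>` bullet, the comparison operators are listed as `=<` and `=>`, which are unusual spellings; confirm the parser accepts them as written, or correct them to `<=` and `>=`, since a filter that does not parse means the rule never matches.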