Merge branch 'main' into SEO-optimization-(Pilot)

Author: JV0812

blog-service/2025-08-07-collection.md

@@ -0,0 +1,12 @@
+---
+title: AWS IAM Users Source (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - c2c
+  - aws-iam-users-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce the release of our new cloud-to-cloud source for AWS IAM Users. This source collects the IAM User Inventory logs from the AWS SDK and sends them to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/aws-iam-users-source).

cid-redirects.json

@@ -2803,6 +2803,7 @@
   "/cid/17343": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/automox-source",
   "/cid/17344": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/smartsheet-source",
   "/cid/20172": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source",
+  "/cid/20173": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/aws-iam-users-source",
   "/cid/19880": "/docs/metrics/metrics-operators/predict",
   "/cid/19881": "/docs/metrics/metrics-operators/accum",
   "/cid/19882": "/docs/metrics/metrics-operators/along",

docs/integrations/amazon-aws/guardduty.md

@@ -178,12 +178,14 @@ _sourceCategory=aws/guardduty
 
 ## Collecting logs for the Amazon GuardDuty app
 
-You can collect the Amazon GuardDuty logs using two methods: 
+You can collect the Amazon GuardDuty logs using the following methods and send them to Sumo Logic via an HTTP endpoint: 
 
-- [Method 1: Collecting Amazon GuardDuty logs using EventBridge](#method-1-collecting-amazon-guardduty-logs-using-eventbridge)
-- [Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint](#method-2-collecting-amazon-guardduty-logs-using-sumo-logic-http-endpoint)
+- [Method 1: GuardDuty > EventBridge > Sumo Logic via HTTP](#method-1-guardduty--eventbridge--sumo-logic-via-http-preferred)
+- [Method 2: GuardDuty > Lambda Function > Sumo Logic via HTTP](#method-2-guardduty--lambda-function--sumo-logic-via-http-alternative)
 
-### Method 1: Collecting Amazon GuardDuty logs using EventBridge
+For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process.
+
+### Method 1: GuardDuty > EventBridge > Sumo Logic via HTTP (Preferred)
 
 This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution.
 
@@ -194,7 +196,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs
 #### Step 2: Configure EventBridge API destination
 
 Follow the steps below to configure the EventBridge API destination:
-1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
+1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
 1. In the navigation bar, click **API destinations**.
 1. Click **Create destination**.
 1. Enter a name for the API Destination.
@@ -208,7 +210,7 @@ Follow the steps below to configure the EventBridge API destination:
 #### Step 3: Create the EventBridge rule
 
 Follow the steps below to create the EventBridge rule:
-1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
+1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
 1. In the navigation bar, click **Rules**.
 1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.
 1. Select **All Events** in Event Type.
@@ -217,9 +219,9 @@ Follow the steps below to create the EventBridge rule:
 1. Select **Create a new role for this specific resource** in the **Execution role**.
 1. Click **Create** to activate the rule.
 
-### Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint
+### Method 2: GuardDuty > Lambda Function > Sumo Logic via HTTP (Alternative)
 
-This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.
+This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic via an HTTP endpoint. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.
 
 - Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated.
 - A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo `CloudWatchEventFunction` Lambda function.

docs/integrations/amazon-aws/inspector.md

@@ -14,15 +14,75 @@ Amazon Inspector is an automated vulnerability management service that continual
 For information about integrating Amazon Inspector with Security Hub, see [Integration with AWS Security Hub](https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html) in Amazon help.
 :::
 
-## Collecting findings for the Amazon Inspector app
+## Log types
 
-You can collect Security Hub logs using three methods:
+### Sample log messages
+
+```json title="AWS Security Hub log"
+{
+  "SchemaVersion": "2018-10-08",
+  "ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default",
+  "AwsAccountId": "123456789012",
+  "Id": "test_finding_123456",
+  "GeneratorId": "TestDetector",
+  "Types": [
+    "Software and Configuration Checks/Vulnerabilities/CVE"
+  ],
+  "CreatedAt": "2018-11- 06T13:22:13.933Z",
+  "UpdatedAt": "2018-11-07T14:22:13.933Z",
+  "Severity": {
+    "Product": 10,
+    "Normalized": 30
+  },
+  "Title": "Unprotected port 22 found on instance i-01234567890abcefb",
+  "Description": "Test finding was found on instance i- 01234567890afbcefa",
+  "Resources": [
+    {
+      "Type": "AwsEc2::Instance",
+      "Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa"
+    }
+  ],
+  "SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them",
+  "Process": {
+    "Name": "My Process",
+    "Path": "/Process/Path"
+  },
+  "RecordState": "ACTIVE",
+  "Note": {
+    "Text": "User1 will address this finding",
+    "UpdatedBy": "User1",
+    "UpdatedAt": "2018-11-03T13:22:13.933Z"
+  }
+}
+```
+
+### Sample queries
+
+```sql title="Findings by resource type and severity query"
+(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub")
+| json  "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources",
+ "Severity.Normalized", "SourceUrl",
+"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at,
+ updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop
+| parse regex field=finding_types "\"(?<finding_type>.*?)\"" multi
+| parse regex field=resources "\"Type\":\"(?<resource_type>.*?)\"" multi
+| parse regex field=resources "\"Id\":\"(?<resource_id>.*?)\"" multi
+| parse regex field=product_arn "product/(?<finding_provider>.*?)$"
+| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75),
+  max(severity_normalized) by resource_type
+```
+
+## Collecting logs for the Amazon Inspector app
+
+You can collect the Amazon Inspector logs using the following methods:
 
-- [Method 1: Collecting Security Hub logs using EventBridge](#method-1-collecting-security-hub-logs-using-eventbridge)
-- [Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint](#method-2-collect-security-hub-logs-using-sumo-logic-http-endpoint)
--[Method 3: Collect Security Hub logs using Amazon S3 source](#method-3-collect-security-hub-logs-using-amazon-s3-source)
+- [Method 1: Inspector > EventBridge > Sumo Logic via HTTP](#method-1-inspector--eventbridge--sumo-logic-via-http-preferred)
+- [Method 2: Inspector > Lambda Function > Sumo Logic via HTTP](#method-2-inspector--eventbridge--sumo-logic-via-http-alternative)
+- [Method 3: Inspector > Lambda Function > Amazon S3 > Sumo Logic via S3 Source](#method-3-inspector--lambda-function--amazon-s3--sumo-logic-via-s3-source-alternative)
 
-### Method 1: Collecting Security Hub logs using EventBridge
+For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process.
+
+### Method 1: Inspector > EventBridge > Sumo Logic via HTTP (Preferred)
 
 This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution.
 
@@ -33,7 +93,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs
 #### Step 2: Configure EventBridge API destination
 
 Follow the steps below to configure the EventBridge API destination:
-1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
+1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
 1. In the navigation bar, click **API destinations**.
 1. Click **Create destination**.
 1. Enter a name for the API Destination.
@@ -47,7 +107,7 @@ Follow the steps below to configure the EventBridge API destination:
 #### Step 3: Create the EventBridge rule
 
 Follow the steps below to create the EventBridge rule:
-1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/).
+1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).
 1. In the navigation bar, click **Rules**.
 1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.
 1. Select **All Events** in Event Type.
@@ -56,7 +116,7 @@ Follow the steps below to create the EventBridge rule:
 1. Select **Create a new role for this specific resource** in the **Execution role**.
 1. Click **Create** to activate the rule.
 
-### Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint
+### Method 2: Inspector > EventBridge > Sumo Logic via HTTP (Alternative)
 
 This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity.
 
@@ -94,7 +154,7 @@ To deploy an AWS Security Hub app collector:
 5. In the **AWS Lambda > Functions > Application Settings** panel, enter the endpoint **HTTP endpoint** of the source that you configured.
 6. Scroll to the bottom of the window and click **Deploy**.
 
-### Method 3: Collect Security Hub logs using Amazon S3 source
+### Method 3: Inspector > Lambda Function > Amazon S3 > Sumo Logic via S3 Source (Alternative)
 
 This method uses a Lambda function to process findings, store them in an S3 bucket, and retrieve them through Sumo Logic's S3 Source. It is ideal for scenarios that require data archiving.
 
@@ -127,62 +187,6 @@ To deploy an AWS Security Hub app collector:
 5. In the **AWS Lambda > Functions > Application Settings** panel, enter the name of the **S3SourceBucketName** for the bucket you configured (when you defined the S3 source).
 6. Scroll to the bottom of the window and click **Deploy**.
 
-### Sample log messages
-
-```json title="AWS Security Hub log"
-{
-  "SchemaVersion": "2018-10-08",
-  "ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default",
-  "AwsAccountId": "123456789012",
-  "Id": "test_finding_123456",
-  "GeneratorId": "TestDetector",
-  "Types": [
-    "Software and Configuration Checks/Vulnerabilities/CVE"
-  ],
-  "CreatedAt": "2018-11- 06T13:22:13.933Z",
-  "UpdatedAt": "2018-11-07T14:22:13.933Z",
-  "Severity": {
-    "Product": 10,
-    "Normalized": 30
-  },
-  "Title": "Unprotected port 22 found on instance i-01234567890abcefb",
-  "Description": "Test finding was found on instance i- 01234567890afbcefa",
-  "Resources": [
-    {
-      "Type": "AwsEc2::Instance",
-      "Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa"
-    }
-  ],
-  "SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them",
-  "Process": {
-    "Name": "My Process",
-    "Path": "/Process/Path"
-  },
-  "RecordState": "ACTIVE",
-  "Note": {
-    "Text": "User1 will address this finding",
-    "UpdatedBy": "User1",
-    "UpdatedAt": "2018-11-03T13:22:13.933Z"
-  }
-}
-```
-
-### Sample queries
-
-```sql title="Findings by resource type and severity query"
-(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub")
-| json  "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources",
- "Severity.Normalized", "SourceUrl",
-"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at,
- updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop
-| parse regex field=finding_types "\"(?<finding_type>.*?)\"" multi
-| parse regex field=resources "\"Type\":\"(?<resource_type>.*?)\"" multi
-| parse regex field=resources "\"Id\":\"(?<resource_id>.*?)\"" multi
-| parse regex field=product_arn "product/(?<finding_provider>.*?)$"
-| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75),
-  max(severity_normalized) by resource_type
-```
-
 ## Installing the Amazon Inspector app
 
 Once you've set up ingestion of findings from AWS Security Hub, you can install the Sumo Logic app for Amazon Inspector and use the pre-configured searches and dashboards.