Merge branch 'main' into DOCS-1145

Author: kimsauce

blog-service/2025-10-01-manage.md

@@ -0,0 +1,14 @@
+---
+title: Change to SAML Group-to-Role Mapping (Manage)
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+keywords:
+  - saml
+  - authentication
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+Sumo Logic has introduced a change to the way group-to-role mapping is handled when performing on-demand role provisioning during SAML authentication. Previously, all groups included in a SAML assertion were validated against roles in Sumo Logic. Going forward, only the groups that match existing roles in Sumo Logic will be applied to the authenticating user. Any non-matching groups will be ignored. Only if no roles match with the groups passed in the assertion will an authentication fail.
+
+For more information about SAML configuration for roles provisioning, see [Configure on-demand roles provisioning](/docs/manage/security/saml/set-up-saml/#configure-on-demand-roles-provisioning).

docs/apm/traces/search-query-language-support-for-traces.md

@@ -35,6 +35,8 @@ To search your tracing data do the following:
 
 A Keyword Search Expression defines the scope of data for the query. You need to specify `_index=_trace_spans` in the scope to reference your trace data.
 
+Keyword searching is supported for tracing indexes across all fields, unlike other indexes where only the `_raw` field is searched.
+
 #### _any option
 
 In scenarios where users are not familiar with the schema and would like to search across all the fields, `_any` modifier provides a means to search for a specified value from all of the Ingest Time Fields in your data. For example, to search for data with any field that has a value of success you would put `_any=success` in the scope of your query.

docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md

@@ -162,6 +162,8 @@ You can search Cloud SIEM fields by keyword, for example:
 
 `_index=sec_record_authentication kerberos`
 
+Keyword searching is supported for security indexes across all fields, unlike other indexes where only the `_raw` field is searched.
+
 ### Referencing nested JSON fields
 
 The **Security Record Details** field contains a JSON object with all of the fields from the underlying record or signal. Some of the data is nested in one or more sub-objects, like the `fields` object for record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/duo-source.md

@@ -5,21 +5,25 @@ sidebar_label: Duo
 tags:
   - cloud-to-cloud
   - duo
-description: The Duo Source provides a secure endpoint to receive authentication logs from the Duo Authentication Logs API.
+description: The Duo Source provides a secure endpoint to receive logs from multiple API endpoints.
 ---
 
 import ForwardToSiem from '/docs/reuse/forward-to-siem.md';
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/integrations/security-threat-detection/duo.png')} alt="thumbnail icon" width="55"/>
 
-The Duo Source provides a secure endpoint to receive authentication logs from the Duo [Authentication Logs API](https://duo.com/docs/adminapi#logs). It securely stores the required authentication, scheduling, and state tracking information.
+The Duo Source collects logs from multiple Duo API endpoints. It securely stores the required authentication, scheduling, and state tracking information.
 
 ## Data collected
 
 | Polling Interval | Data |
 | :--- | :--- |
-| 5 min |  [Authentication Logs](https://duo.com/docs/adminapi#logs) |
+| 5m  | [Authentication Logs](https://duo.com/docs/adminapi#logs)   |
+| 5m  | [Administrator Logs](https://duo.com/docs/adminapi#administrator-logs)|
+| 5m  | [Telephony Logs](https://duo.com/docs/adminapi#telephony-logs)|
+| 5m  | [Activity Logs](https://duo.com/docs/adminapi#activity-logs)|
+| 24h | [User Inventory Logs](https://duo.com/docs/adminapi#users) |
 
 ## Setup
 
@@ -48,6 +52,8 @@ To configure a Duo Source:
 1. **Duo Domain**. Provide your **API hostname**, such as `api-********.duosecurity.com`.
 1. **Integration Key**. Provide the Duo Integration Key you want to use to authenticate collection requests.
 1. **Secret Key**. Provide the Duo Secret Key you want to use to authenticate collection requests. 
+1. **Supported APIs to Collect**. Choose the API endpoints you wish to collect logs from.
+1. **Collect User Inventory Every 24h**. Check this box if you want to collect user inventory every 24 hours.
 1. (Optional) The **Polling Interval** is set for 300 seconds by default, you can adjust it based on your needs. This sets how often the Source checks for new data.
 1. When you are finished configuring the Source, click **Submit**.
 
@@ -81,6 +87,8 @@ Sources can be configured using UTF-8 encoded JSON files with the Collector Ma
 | domain | String | Yes | `null`  | Provide your API hostname, such as api-********.duosecurity.com.| |
 | integration_key | String | Yes | `null` | Provide the Duo Integration Key you want to use to authenticate collection requests. |  |
 | secret_key | String | Yes | `null` | Provide the Duo Secret Key you want to use to authenticate collection requests. |  |
+| supported_apis| String Array| Yes | All APIs|Add an element for each of the APIs the integration should collect from.|`["authentication", "administrator", "telephony", "activity"]`|
+| collectUserInventory | Boolean | No | True| Set to true if the integration should collect user inventory logs. |`True`|
 | polling_interval | Integer | No | 300 | This sets how often the Source checks for new data. |  |
 
 ### JSON example

static/files/c2c/duo/example.json

@@ -1,21 +1,28 @@
 {
-    "api.version":"v1",
-    "source":{
-      "schemaRef":{
-        "type":"Duo"
+  "api.version": "v1",
+  "source": {
+    "schemaRef": {
+      "type": "Duo"
+    },
+    "config": {
+      "name": "Duo",
+      "description": "East field",
+      "domain": "api-********.duosecurity.com",
+      "integration_key": "********",
+      "secret_key": "********",
+      "supported_apis": [
+        "administrator",
+        "authentication",
+        "telephony",
+        "activity"
+      ],
+      "collectUserInventory": true,
+      "fields": {
+        "_siemForward": false
       },
-      "config":{
-        "name":"Duo",
-        "description":"East field",
-        "domain":"api-********.duosecurity.com",
-        "integration_key":"********",
-        "secret_key":"********",
-        "fields":{
-          "_siemForward":false
-        },
-        "category":"eastTeamF",
-        "polling_interval":300
-      },
-      "sourceType":"Universal"
-    }
-  }
+      "category": "eastTeamF",
+      "polling_interval": 300
+    },
+    "sourceType": "Universal"
+  }
+}

static/files/c2c/duo/example.tf

@@ -9,6 +9,13 @@ resource "sumologic_cloud_to_cloud_source" "duo_source" {
       "domain":"api-********.duosecurity.com",
       "integration_key":"********",
       "secret_key":"********",
+      "supported_apis": [
+        "administrator",
+        "authentication",
+        "telephony",
+        "activity",
+      ],
+      "collectUserInventory": true,
       "fields":{
         "_siemForward":false
       },