Merge branch 'main' into postgresqlST

Author: sumoanema

blog-service/2025-01-23-manage.md

@@ -0,0 +1,14 @@
+---
+title: Time-Phased Scan Budgets (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - time-phased-scan-budgets
+  - manage
+hide_table_of_contents: true  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We're excited to introduce the time-phased scan budgets for advanced usage management, which helps you to set **Daily**, **Weekly**, or **Monthly** budgets for individual user or a single shared budget for an entire group. [Learn more](/docs/manage/manage-subscription/usage-management/#set-scan-budgets).

docs/api/getting-started.md

@@ -42,7 +42,7 @@ See [Access Keys](/docs/manage/security/access-keys) to learn how to generate an
 Because access keys use the permissions of the user running the key, ensure that the user utilizing a key has the [role capabilities](/docs/manage/users-roles/roles/role-capabilities) needed to execute the tasks the key is needed for. 
 :::
 
-### Access ID and Access Key
+### Access ID and access key
 
 When you have an `accessId` and `accessKey`, you can execute requests like the following:
 
@@ -80,7 +80,7 @@ This would yield a Base64 encoded string `QWxhZGRpbjpPcGVuU2VzYW1l` that is used
 ```
 
 
-## Sumo Logic Endpoints by Deployment and Firewall Security
+## Sumo Logic endpoints by deployment and firewall security
 
 <img src={useBaseUrl('img/icons/operations/firewall.png')} alt="icon" width="50"/>
 
@@ -218,17 +218,17 @@ For collection to work, your firewall must allow outbound traffic to Sumo Logic.
 * If your firewall doesn’t allow DNS entries, you must allowlist all of the IP addresses for your deployment region. The addresses to allowlist depend on your Sumo Logic deployment.
    * To determine the IP addresses that require allowlisting, download the JSON object provided by Amazon Web Services (AWS). Amazon advises that this file will change several times a week. For details on how the file is updated, its usage, its syntax, and how to download the JSON file, see [AWS IP Address Ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html).
 
-### FedRAMP Deployment
+### FedRAMP deployment
 
 Sumo Logic's FedRAMP deployment is similar to our other deployments, such as US2, except that FedRAMP is certified to comply with the United States Standards for Security Categorization of Federal Information and Information Systems ([FIPS-199](https://en.wikipedia.org/wiki/FIPS_199)). In this deployment, we adhere to specific security requirements that are required for handling, storing, and transmitting data classified in the "Moderate" impact level.
 
-### AWS Region by Sumo Deployment
+### AWS region by Sumo Logic deployment
 
 import AwsRegion from '../reuse/aws-region-by-sumo-deployment.md';
 
 <AwsRegion/>
 
-## Status Codes
+## Status codes
 
 Generic status codes that apply to all our APIs. See the [HTTP status code registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) for reference.
 
@@ -251,7 +251,7 @@ Generic status codes that apply to all our APIs. See the [HTTP status code regis
 
 If a rate is exceeded, a `rate limit exceeded 429` status code is returned.
 
-## Versioning and Conflict Detection  
+## Versioning and conflict detection  
 
 The [Collector Management API](/docs/api/collector-management) uses optimistic locking to deal with versioning and conflict detection. Any response that returns a single entity will have an ETag header which identifies the version of that entity.
 

docs/cse/administration/create-custom-threat-intel-source.md

@@ -10,25 +10,19 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This topic has information about setting up a *custom threat intelligence source* in Cloud SIEM, which is a threat intelligence list that you can populate manually, as opposed to using an automatic feed. 
 
-You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, hostnames, URLs, email addresses, and file hashes.
+You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, domains, URLs, email addresses, and file hashes.
 
 ## How Cloud SIEM uses indicators
 
-When Cloud SIEM encounters an indicator from your threat source in an incoming
-record it adds relevant information to the record. Because threat intelligence
-information is persisted within records, you can reference it downstream
-in both rules and search. The built-in rules that come with Cloud SIEM
-automatically create a signal for records that have been enriched in
-this way.
+When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in this way.
 
-Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
-*About Cloud SIEM Rules* topic.
+Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the *About Cloud SIEM Rules* topic.
 
 ## Create a threat intelligence source from Cloud SIEM UI
 
 1.  [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
 1. Click **Add Source** on the **Threat Intelligence** page. 
-1. Click **Custom** on the **Add Source** popup.
+1. In the **Custom** box click **Create**.
 1. On the **Add New Source** popup, enter a name, and if desired, a description for the source. 
 1. Click **Add Custom Source**.
 
@@ -41,13 +35,15 @@ Your new source should now appear on the **Threat Intelligence** page.
 1. On the **Threat Intelligence** page, click the name of the source you want to update.  
 1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**.
 1. On the **New Threat Intelligence Indicator** popup.
-    1. **Value**. Enter an IP address, hostname, URL, or file hash.
-        Your entry must be one of:
-        * A valid IPV4 or IPv6 address  
-        * A valid email address
-        * A valid, complete URL
-        * A hostname (without protocol or path)
-        * A hexadecimal string of 32, 40, 64, or 128 characters 
+    1. **Value**. Enter one of the following:
+        * Domain (valid domain name without protocol or path)
+        * Email (valid email address)
+        * File hash (hexadecimal string of 32, 40, 64, or 128 characters)
+        * IP (valid IPV4 or IPv6 address)  
+        * URL (valid, complete URL)
+        :::note
+        For the fields the value will be compared to, see [Target fields for threat indicators](#target-fields-for-threat-indicators) below.
+        :::
     1. **Description**. (Optional)
     1. **Expiration**. (Optional) If desired, you can specify an
         expiration date and time for the indicator. When that time is
@@ -58,16 +54,15 @@ Your new source should now appear on the **Threat Intelligence** page.
 
 ### Upload a file of indicators 
 
-If you have a large number of indicators to add to your source, you can
-save time by creating a .csv file and uploading it to Cloud SIEM. 
+If you have a large number of indicators to add to your source, you can save time by creating a .csv file and uploading it to Cloud SIEM. 
 
 #### Create a CSV file
 
 The .csv file can contain up to four columns, which are described below. 
 
 | Column     | Description  |   
 | :-- | :-- |
-| value  | Required. Must be one of the following: <br/>- A valid IPV4 or IPv6 address<br/>- A valid, complete URL <br/>- A valid email address<br/>- A hostname (without protocol or path)<br/>- A hexadecimal string of 32, 40, 64, or 128 characters |
+| value  | Required. Must be one of the following: <br/>- Domain (valid domain name without protocol or path)<br/>- Email (valid email address)<br/>- File hash (hexadecimal string of 32, 40, 64, or 128 characters)<br/>- IP (valid IPV4 or IPv6 address)<br/>- URL (valid, complete URL) <br/>For the fields the value will be compared to, see [Target fields for threat indicators](#target-fields-for-threat-indicators) below. |
 | description | Optional.  |  
 | expires| Optional. The data and time when you want the indicator to be removed, in any ISO date format. |
 | active | Required. Specifies whether the indicator actively looks for threat intelligence in records. Valid values are `true` or `false`. |
@@ -79,7 +74,7 @@ value,description,expires,active
 22.333.22.252,Tante Intel,2022-06-01 01:00 PM,true
 ```
 
-### Upload the file
+#### Upload the file
 
 1. On the **Threat Intelligence** page, click the name of the target custom source.
 1. Click **Import Indicators**.
@@ -91,6 +86,50 @@ value,description,expires,active
 
 You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).
 
+## Target fields for threat indicators
+
+Following are the fields that threat indicators are compared to. 
+
+* Domain:
+      * bro_ntlm_domainname
+      * bro_ssl_serverName_rootDomain
+      * dns_queryDomain
+      * dns_replyDomain
+      * fromUser_authDomain
+      * http_referrerDomain
+      * http_url_rootDomain
+      * http_url_fqdn
+* Email:
+      * email_sender
+      * fromUser_email
+      * fromUser_email_raw
+      * targetUser_email
+      * targetUser_email_raw
+      * user_email
+      * user_email_raw
+* File hash:
+      * file_hash_imphash
+      * file_hash_md5
+      * file_hash_pehash  
+      * file_hash_sha1
+      * file_hash_sha256
+      * file_hash_ssdeep
+* IP:
+      * bro_dhcp_assignedIp
+      * bro_radius_remoteIp
+      * bro_smtp_headers.xOriginatingIp
+      * bro_socks_boundIp
+      * bro_socks_requestIp
+      * device_ip
+      * device_natIp
+      * dns_replyIp
+      * dstDevice_ip
+      * dstDevice_natIp
+      * srcDevice_ip
+      * srcDevice_natIp
+* URL:
+      * http_url
+
 ## Search indicators
 
 To search threat indicators, click the **Search All Indicators** button at the top of the **Threat Intelligence** page. 

docs/cse/match-lists-suppressed-lists/create-match-list.md

@@ -18,11 +18,11 @@ Here’s a use case for using a match list to define an allow list:  Vulnerabil
 There’s no reason you can’t use a match list to define “deny lists” of items. However, Cloud SIEM’s threat intel feature is designed for exactly that purpose. Most of the time, but not always, you should use threat intel lists for negative indicators. For more information, see [Match lists or threat intel: which to use?](#match-listor-threat-intel-which-to-use).
 :::
 
-Here’s an example of a match list in the Cloud SIEM UI. It is a list of trusted domains.  
+Here are some match lists in Cloud SIEM.  
 
-<img src={useBaseUrl('img/cse/example-match-list.png')} alt="Example match list" style={{border: '1px solid gray'}} width="800"/>
+<img src={useBaseUrl('img/cse/example-match-lists.png')} alt="Example match list" style={{border: '1px solid gray'}} width="800"/>
 
-Note that the match list has a **Target Column**, which you define when you create the list. The Target Column indicates what type of record fields should be compared to the match list, for example, hostnames, URLs, domains, IP addresses, usernames, and so on. For more information, see [How are match lists Used?](#how-are-match-lists-used)
+Note that each match list has a **Target Column**, which you define when you create the list. The Target Column indicates what type of record fields should be compared to the match list, for example, hostnames, URLs, domains, IP addresses, usernames, and so on. For more information, see [How are match lists Used?](#how-are-match-lists-used)
 
 ## Built-in rules refer to standard match list names
 
@@ -82,24 +82,24 @@ You can also create and manage match lists with Cloud SIEM's REST [API](/docs/cs
 :::
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Match Lists**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Match List**. You can also click the **Go To...** menu at the top of the screen and select **Match List**. 
-1. Click **Create**.
-1. On the **New Match List** popup, enter the following:
+1. Click **Add Match List**.
+1. On the **Add Match List** popup, enter the following:
     1. **Name**. Name of the Match list. If you are creating a standard match list, make sure the name matches the standard match list name. For more information, see [Standard match lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists).   We recommend no embedded spaces in list names. For example, instead of *my list*, use *my_list*.
     1. **Description**. Enter a description for the list. Descriptions for standard match lists can be found in [Standard match lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists).
-    1. **Time to Live (hours)**. (Optional) Enter the number of hours after which the entries on the list should expire.
     1. **Target Column**. The type of message field to which items on the list should be compared. The **Target Column** for standard match lists can be found in [Standard match lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists). <br/>
         :::note
         Once you create a match list, it's not possible to change its **Target Column**.
         :::
-    1. Click **Create**.<br/><img src={useBaseUrl('img/cse/new-match-list.png')} alt="New match list" style={{border: '1px solid gray'}} width="400"/>
+    1. **Time to Live (hours)**. (Optional) Enter the number of hours after which the entries on the list should expire.
+    1. Click **Save**.<br/><img src={useBaseUrl('img/cse/new-match-list.png')} alt="New match list" style={{border: '1px solid gray'}} width="400"/>
 1. The match list now appears on the **Match Lists** page.
 1. Click the name of the match list to open it.
-1. On the **Match List > Details** page, click **Add List Item**.
-1. On the **New Match List Item** popup, enter:
+1. On the **Match Lists > Details** page, click **Add Match List Item**.
+1. On the **Add Match List Item** popup, enter:
    * **Value**. The value of the entity. Make sure the value you enter is of the same type as the type you selected as the Target Column for the list. For example, if the Target Column is `Domain`, enter a domain.
    * **Description**. (Optional) Enter a description of the entity instance you entered.
    * **Expiration**. (Optional) The date and time at which the list item should be removed from the list.
-   * Click **Add** to add the item to the list.
+   * Click **Save** to add the item to the list.
 1. The item now appears in the match list.
 
 ## Import a match list

docs/cse/match-lists-suppressed-lists/custom-match-list-columns.md

@@ -26,25 +26,28 @@ To see the custom columns that have been defined in your environment:
 
 ## Create a Custom Column
 
-1. On the **Custom Columns** page, click **Create**.
-1. The **Create Match List Column** popup appears. <br/><img src={useBaseUrl('img/cse/create-column.png')} alt="Create column" style={{border: '1px solid gray'}} width="400"/>
+1. On the **Custom Columns** page, click **Add Custom Column**.
+1. The **Add Custom Column** popup appears. <br/><img src={useBaseUrl('img/cse/create-column.png')} alt="Create column" style={{border: '1px solid gray'}} width="400"/>
 1. **Name**. Enter a name for the custom column.
-1. **Fields**. Click the chevron icon to display a selector list of Cloud SIEM attributes. You can select multiple attributes. If multiple attributes are selected, the match list will match if the list item value matches a record value for any of the custom column attributes. Click the icon next to Show field guide to view more information, such as data type, about attributes. 
-1. Click **Create** to add the new column.
+1. **Fields**. Click to display a selector list of Cloud SIEM attributes. You can select multiple attributes. If multiple attributes are selected, the match list will match if the list item value matches a record value for any of the custom column attributes. Click **Show Field Guide** to view more information about attributes, such as data type. 
+1. Click **Save** to add the new column.
 
 ## Edit a custom column
 
 1. On the **Custom Columns** page, click the custom column name or the edit icon in the row for the column.
-1. Make your changes on the **Edit Match List Column** popup.
-1. Click **Update** to save the changes.
+1. Click **Edit**. 
+1. Make your changes on the edit popup.
+1. Click **Save** to save the changes.
 
 ## Delete a custom column
 
-1. On the **Custom Columns** page, click the trash can icon in the row for the column you want to delete.
-1. On the **Delete column** popup, click confirmation popup **Yes, Delete Column**.
+1. On the **Custom Columns** page, hover your mouse over a custom column in the list.
+1. Click the three-dot kebab button on the far right of the item. 
+1. Select **Delete**.
+1. On the delete confirmation popup, click **Delete**
 
 ## Create a match list with a custom column
 
-Follow the instructions in [Create a Match List](/docs/cse/match-lists-suppressed-lists/create-match-list), and select the desired column in the **Custom** section of the **Target Column** selector list.
-
-<img src={useBaseUrl('img/cse//target-column-selector.png')} alt="Target column selector" style={{border: '1px solid gray'}} width="400"/>
+1. Follow the instructions in [Create a Match List](/docs/cse/match-lists-suppressed-lists/create-match-list/#create-a-match-list).
+1. In the **Add Match List** dialog, click **Target Column**. A list of available target column values appears.
+1. Select the desired column in the **Custom** section of the selector list.<br/><img src={useBaseUrl('img/cse/target-column-selector.png')} alt="Target column selector" style={{border: '1px solid gray'}} width="400"/>