Update 2025-06-17-apps.md

Author: amee-sumo

blog-service/2025-06-17-apps.md

@@ -15,24 +15,23 @@ To learn more, see [Important changes to CloudTrail events for AWS IAM Identity
 
 ## Impact following the AWS CloudTrail updates
 
-
 AWS is updating CloudTrail events for IAM Identity Center, affecting how user identity data is structured. So, if you are using the updated fields in your Cloud SIEM content or across the Sumo Logic platform, you need to update any saved queries, dashboards, or detection rules to reflect these changes and ensure continued functionality.
 
 Key actions required while updating the AWS CloudTrail include:
 - Sumo Logic provided apps must be manually reinstalled to incorporate the updated event field mappings.
-- Cloud SIEM parsers have auto updated and require no customer intervention.
+- Cloud SIEM parsers have auto-updated and require no customer intervention.
 
 ## Action plan for Sumo Logic users
 
 ### Step 1: Reinstall the relevant Sumo Logic apps
 
 If you're using any of the following apps that consume CloudTrail data, you must reinstall them:
-- Amazon CloudTrail – Cloud Security Monitoring and Analytics
-- AWS CloudTrail
-- CIS AWS Foundations Benchmark
-- PCI Compliance for AWS CloudTrail
-- Threat Intel for AWS
-- Cloud Infrastructure Security for AWS
+- [Amazon CloudTrail – Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/)
+- [AWS CloudTrail](/docs/integrations/amazon-aws/cloudtrail/)
+- [CIS AWS Foundations Benchmark](/docs/integrations/amazon-aws/cis-aws-foundations-benchmark/)
+- [PCI Compliance for AWS CloudTrail](/docs/integrations/amazon-aws/cloudtrail-pci-compliance/)
+- [Threat Intel for AWS](/docs/integrations/amazon-aws/threat-intel/)
+- [Cloud Infrastructure Security for AWS](/docs/security/additional-security-features/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/)
 
 To reinstall any of the above apps, follow the steps below:
 
@@ -43,37 +42,24 @@ To reinstall any of the above apps, follow the steps below:
 :::info
 These are Classic apps (V1), and reinstalling them will create a new folder in your Content Library with updated dashboards. 
 :::
-    If you're using any of the following apps that consume CloudTrail data, you must reinstall them:
-    - Amazon CloudTrail – Cloud Security Monitoring and Analytics
-    - AWS CloudTrail
-    - CIS AWS Foundations Benchmark
-    - PCI Compliance for AWS CloudTrail
-    - Threat Intel for AWS
-    - Cloud Infrastructure Security for AWS
-    :::info
-    These are v1 apps, and reinstalling them will create a new folder in your Content Library with updated dashboards.
-    :::
-3. Install to deploy updated content under a new folder.
 
 ### Step 2: Update the custom saved searches and dashboards
 
-If you’ve created custom content based on CloudTrail fields, manual updates as shown in the below table will be required to accommodate the new schema.
-
-- Shifting the `userName` from the `userIdentity` element to `additionalEventData` element.
+If you’ve created custom content based on CloudTrail fields, manual field updates as given below will be required to accommodate the new schema:
+- Move the `userName` field from the `userIdentity` element to the `additionalEventData` element.
+- Remove the `principalId` field from the schema.
+- Move the `userId`, `identityStoreArn`, and `credentialId` fields to the `userIdentity` element.
 
 For more information on field changes, see [AWS Security Blog](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=How%20to%20prepare%20your%20workflows%20for%20the%20upcoming%20changes%20to%20IAM%20Identity%20Center%20user%20identification%20in%20CloudTrail).
 
-
 :::note
 AWS plans to implement these enhancements on [July 14, 2025](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=Effective%20July%2014%2C%202025).
 
 Sumo Logic apps are backward-compatible, allowing you to update the apps ahead of time. For any custom content outside of Sumo Logic’s apps or parsers, ensure your changes are backward compatible and deploy updates before July 14, 2025.
 :::
 
-
-
 ## FAQ
 
 ### What happens if I don’t update my applications or searches?
 
-Failure to update your apps, saved searches, or dashboards will result in user-related fields not being parsed correctly. Consequently, visualizations and panels relying on those fields will appear empty or display inaccurate data.
+Failure to update your apps, saved searches, or dashboards will result in user-related fields not being parsed correctly. Consequently, visualizations and panels relying on those fields will appear empty or display inaccurate data.