Merge branch 'main' into docs-613-service-intelligence-beta

Author: jpipkin1

.clabot

@@ -183,7 +183,8 @@
     "justrelax19",
     "dlindelof-sumologic",
     "snyk-bot",
-    "stephenthedev"
+    "stephenthedev",
+    "Apoorvkudesia-sumologic"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

blog-collector/2024/2025-02-18.md renamed to blog-collector/2025-02-18.md

@@ -0,0 +1,17 @@
+---
+title: Version 19.525-42
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+In this release, we've enhanced the security and stability of the Collector with added support for security patches and a bug fix.
+
+## Security Fix
+
+- Upgraded `com.google.crypto.tink` to version 1.16.0 to address protobuf-java DOS vulnerability (CVE-2024-7254).
+
+## Bug Fix
+
+- Fixed the improper filtering of `AD` objects when `Exclude Distinguished Name Suffixes` filter is configured.

blog-collector/2025-05-14.md

@@ -0,0 +1,147 @@
+---
+title: May 9, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This release includes:
+- New rules for monitoring AWS services (see below for tuning guidance).
+- Updated rules for Microsoft O365 and Powershell.
+- Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
+- Updates to Cisco Umbrella mappers to add user_username.
+- Updates to SentinelOne mappers to drop null values.
+- New parsers for Azure Virtual Network and SentinelOne MGMT API.
+- Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.
+
+Changes are enumerated below.
+
+### Rules
+- [New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
+    - [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
+- [New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
+    - [Disabled by Default] Detection of a user account's first enumeration of custom AWS Bedrock models via ListCustomModels API. Verify the user is authorized for AWS Bedrock access. The http_userAgent field indicates whether a browser or CLI tool was used. This rule is disabled by default due to potential high volume of alerts, particularly from service accounts. Before enabling, consider excluding authorized users and service accounts (such as CNAPP monitoring accounts with timestamp-based usernames) through rule tuning expressions.
+- [New] OUTLIER-S00032 Outlier in Data Transferred from an S3 Bucket by User
+    - [Disabled by Default] This rule detects an unusual amount of data transferred outbound from an S3 bucket (requires AWS Data events are required). Verify if the user, role and IP address associated with this activity are authorized. This rule is disabled by default due to potential signal volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
+- [New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
+    - [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
+- [Updated] MATCH-S00069 O365 - Users Password Reset
+    - Changed Entity and Summary, replacing user_username with targetUser_username.
+- [Updated] MATCH-S00449 Powershell Execution Policy Bypass
+    - Fixed camel case in commandLine field.
+
+### Log Mappers
+- [New] Azure Virtual Network Flow logs
+- [Updated] Abnormal Security Threats
+- [Updated] Cisco ASA 103001 JSON
+- [Updated] Cisco ASA 103004 JSON
+- [Updated] Cisco ASA 106001 JSON
+- [Updated] Cisco ASA 106002 JSON
+- [Updated] Cisco ASA 106006 JSON
+- [Updated] Cisco ASA 106007 JSON
+- [Updated] Cisco ASA 106010 JSON
+- [Updated] Cisco ASA 106012 JSON
+- [Updated] Cisco ASA 106014 JSON
+- [Updated] Cisco ASA 106015 JSON
+- [Updated] Cisco ASA 106021 JSON
+- [Updated] Cisco ASA 106023 JSON
+- [Updated] Cisco ASA 106027 JSON
+- [Updated] Cisco ASA 106100 JSON
+- [Updated] Cisco ASA 106102-3 JSON
+- [Updated] Cisco ASA 109005-8 JSON
+- [Updated] Cisco ASA 110002 JSON
+- [Updated] Cisco ASA 111008-9 JSON
+- [Updated] Cisco ASA 111010 JSON
+- [Updated] Cisco ASA 113003 JSON
+- [Updated] Cisco ASA 113004 JSON
+- [Updated] Cisco ASA 113005 JSON
+- [Updated] Cisco ASA 113006 JSON
+- [Updated] Cisco ASA 113007 JSON
+- [Updated] Cisco ASA 113008 JSON
+- [Updated] Cisco ASA 113009 JSON
+- [Updated] Cisco ASA 113012-17 JSON
+- [Updated] Cisco ASA 113019 JSON
+- [Updated] Cisco ASA 113021 JSON
+- [Updated] Cisco ASA 113039 JSON
+- [Updated] Cisco ASA 209004 JSON
+- [Updated] Cisco ASA 302010 JSON
+- [Updated] Cisco ASA 302020-1 JSON
+- [Updated] Cisco ASA 303002 JSON
+- [Updated] Cisco ASA 304001 JSON
+- [Updated] Cisco ASA 304002 JSON
+- [Updated] Cisco ASA 305011-12 JSON
+- [Updated] Cisco ASA 313001 JSON
+- [Updated] Cisco ASA 313004 JSON
+- [Updated] Cisco ASA 313005 JSON
+- [Updated] Cisco ASA 314003 JSON
+- [Updated] Cisco ASA 315011 JSON
+- [Updated] Cisco ASA 322001 JSON
+- [Updated] Cisco ASA 322003 JSON
+- [Updated] Cisco ASA 338001-8+338201-4 JSON
+- [Updated] Cisco ASA 4000nn JSON
+- [Updated] Cisco ASA 402117 JSON
+- [Updated] Cisco ASA 402119 JSON
+- [Updated] Cisco ASA 405001 JSON
+- [Updated] Cisco ASA 405002 JSON
+- [Updated] Cisco ASA 406001 JSON
+- [Updated] Cisco ASA 406002 JSON
+- [Updated] Cisco ASA 419001 JSON
+- [Updated] Cisco ASA 419002 JSON
+- [Updated] Cisco ASA 500004 JSON
+- [Updated] Cisco ASA 502101-2 JSON
+- [Updated] Cisco ASA 502103 JSON
+- [Updated] Cisco ASA 602303-4 JSON
+- [Updated] Cisco ASA 605004-5 JSON
+- [Updated] Cisco ASA 609002 JSON
+- [Updated] Cisco ASA 611101-2 JSON
+- [Updated] Cisco ASA 611103 JSON
+- [Updated] Cisco ASA 710002-3 JSON
+- [Updated] Cisco ASA 710005 JSON
+- [Updated] Cisco ASA 713052 JSON
+- [Updated] Cisco ASA 713172 JSON
+- [Updated] Cisco ASA 713228 JSON
+- [Updated] Cisco ASA 716014-7-8 JSON
+- [Updated] Cisco ASA 716038 JSON
+- [Updated] Cisco ASA 716039 JSON
+- [Updated] Cisco ASA 716059 JSON
+- [Updated] Cisco ASA 719022-3 JSON
+- [Updated] Cisco ASA 721016-8 JSON
+- [Updated] Cisco ASA 722034 JSON
+- [Updated] Cisco ASA 722051 JSON
+- [Updated] Cisco ASA 722055 JSON
+- [Updated] Cisco ASA 733100 JSON
+- [Updated] Cisco ASA 751011 JSON
+- [Updated] Cisco ASA 751023 JSON
+- [Updated] Cisco ASA 751025 JSON
+- [Updated] Cisco ASA tcp_udp_sctp_builds JSON
+- [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
+- [Updated] Cisco Umbrella DNS Logs
+- [Updated] Cisco Umbrella IP Logs
+- [Updated] Cisco Umbrella Proxy Logs
+- [Updated] SentinelOne Logs - C2C activities
+- [Updated] SentinelOne Logs - C2C agents
+- [Updated] SentinelOne Logs - C2C alerts
+- [Updated] SentinelOne Logs - C2C threats
+- [Updated] SentinelOne Logs - C2C users
+- [Updated] SentinelOne Logs - Syslog Custom Parser
+
+### Parsers
+- [New] /Parsers/System/Microsoft/Azure Virtual Network
+- [New] /Parsers/System/SentinelOne/SentinelOne MGMT API
+- [Updated] /Parsers/System/Abnormal Security/Abnormal Security
+    - Updated the parser to support new events.
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+    - Updated regex to fix ASA-6-721016 events.
+- [Updated] /Parsers/System/Cisco/Cisco ISE
+    - Updated parser to drop certain non-actionable logs.
+- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
+    - Updated parser to support additional event format variations.
+- [Updated] /Parsers/System/Cylance/Cylance Syslog
+    - Updated parser to support new events.
+- [Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
+    - Updated parser to drop phishing test events.

blog-cse/2025-05-09-content.md

@@ -0,0 +1,51 @@
+---
+title: May 23, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Rule update
+- New support for CommScope Ruckus SmartZone
+- Additional mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
+- Updates for existing mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
+    - Added normalizedAction and action fields to Windows PowerShell mappers
+- Changes to Windows PowerShell JSON parsing to support additional log formats
+
+Changes are enumerated below.
+
+
+### Rules
+- [Updated] MATCH-S00068 O365 - Users Password Changed
+    - Updated to use targetUser_username
+
+### Log mappers
+- [New] CommScope Ruckus SmartZone Default
+- [New] CrowdStrike FDR - DNSRequest
+- [New] Google G Suite - login - risky_sensitive_action_allowed
+- [New] Google G Suite - login challange
+- [New] Windows - Windows PowerShell
+- [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
+    - Added alternate field for threat_name
+- [Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
+    - Added alternate field for threat_name
+- [Updated] Google G Suite - login - password_change/recovery_info_change
+    - Added additional mapped fields
+- [Updated] Google G Suite - login.login
+    - Added additional mapped fields
+- [Updated] Google G Suite - logout
+    - Added additional mapped fields
+- [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4103
+- [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
+- [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
+- [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4106
+
+### Parsers
+- [New] /Parsers/System/CommScope/CommScope Ruckus SmartZone
+- [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON

blog-cse/2025-05-23-content.md

@@ -618,13 +618,13 @@ Update - [Scheduled View](/docs/manage/scheduled-views "Scheduled Views") quer
 ---
 ## March 16, 2021 (Alerts)
 
-Update - We have resolved a discrepancy in the notification payload of [Real Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Update - We have resolved a discrepancy in the notification payload of Real-Time Scheduled Searches.
 
 Previously, the payload for subsequent real time alerts in a given time range would incrementally report the results and omit the records that were already present in the previous alert.
 
 For example, if the Scheduled Search initially returned 10 records, the first alert notification would contain 10 records in the payload. If the next run contained the same 10 records plus 1 additional, the notification payload would only contain the single new record.
 
-Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
+Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real-Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
 
 ---
 ## March 12, 2021-12 (Collection)

blog-service/2021/12-31.md

@@ -827,7 +827,7 @@ For information, see [Metrics Explorer](/docs/metrics/metrics-queries/metrics-ex
 
 As part of our ongoing evaluation of the Sumo Logic service, we have decided to deprecate [Real-Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert). In particular, we will remove the option to create new Real-Time Scheduled Searches on May 15, 2024. Existing Real-Time Scheduled Searches will continue to function until May 15, 2025. We believe many use cases for Real-Time Scheduled Searches can be met by [Monitors](/docs/alerts/monitors/overview). Any remaining use cases can be met by executing these searches at 15m intervals.
 
-In 2020, Sumo Logic released Monitors, which provided a new framework to trigger alerts on both metrics and log data in real time and send notifications. Real-Time Scheduled Searches provided a much more limited version of this functionality. Monitors will continue to be the focus area for our Product and Engineering Teams for features and enhancements regarding alerting. Learn more [here](/docs/alerts/scheduled-searches/deprecation).
+In 2020, Sumo Logic released Monitors, which provided a new framework to trigger alerts on both metrics and log data in real time and send notifications. Real-Time Scheduled Searches provided a much more limited version of this functionality. Monitors will continue to be the focus area for our Product and Engineering Teams for features and enhancements regarding alerting.
 
 ### April 26, 2024 (Apps)
 
@@ -1119,4 +1119,4 @@ For more information, see our documentation on how to [monitor credits allocatio
 
 #### Index Field
 
-We're excited to include the **Index** field as metadata at the bottom of every message row, along with other metadata. This allows you to modify the search query by clicking the index name or view surrounding messages by clicking on the dropdown. [Learn more](/docs/search/get-started-with-search/search-basics/built-in-metadata). <br/><img src={useBaseUrl('img/search/get-started-search/search-page/index-filter.png')} alt="index-filter" width="800" style={{border: '1px solid gray'}}/>
+We're excited to include the **Index** field as metadata at the bottom of every message row, along with other metadata. This allows you to modify the search query by clicking the index name or view surrounding messages by clicking on the dropdown. [Learn more](/docs/search/get-started-with-search/search-basics/built-in-metadata). <br/><img src={useBaseUrl('img/search/get-started-search/search-page/index-filter.png')} alt="index-filter" width="800" style={{border: '1px solid gray'}}/>

blog-service/2024/12-31.md

@@ -17,4 +17,4 @@ We've updated the onboarding experience to give you the option to bypass data co
 
 A new **Go to App Catalog** option now appears in the left-hand menu on the data setup page, allowing you to browse integrations and pre-built dashboards before configuring data ingestion. This change makes it easier to explore Sumo Logic’s capabilities without committing to a full setup.
 
-To learn more, check out our [quickstart](/docs/get-started/quickstart) and [signup](/docs/get-started/sign-up/#set-up-data-collection) guides.
+To learn more, check out our [quickstart](/docs/get-started/quickstart) and [signup](/docs/get-started/sign-up) guides.

blog-service/2025-02-25-apps.md

@@ -0,0 +1,17 @@
+---
+title: Real-Time Scheduled Searches Deprecation (Alerts)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - alerts
+  - scheduled searches
+  - monitors
+hide_table_of_contents: true    
+---
+
+The [previously announced](/release-notes-service/2024/12/31/#deprecation-notice---real-time-scheduled-searches) automatic conversion of Real-Time Scheduled Searches to 15-minute scheduled searches will not take place.
+
+- Existing Real-Time Scheduled Searches will continue to operate as-is.
+- Creating new Real-Time Scheduled Searches remains disabled (since May 29, 2024).
+- For new real-time alerting use cases, we recommend using [Monitors](https://help.sumologic.com/docs/alerts/monitors/overview).
+
+[Learn more](/docs/alerts/scheduled-searches/create-real-time-alert).

blog-service/2025-05-05-alerts.md

@@ -0,0 +1,14 @@
+---
+title: SCIM Provisioning (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - saml
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce provisioning for Sumo Logic using SCIM (System for Cross-domain Identity Management). Now you can automatically provision and deprovision users in Sumo Logic with an identity provider like Microsoft Entra ID, Okta, or OneLogin.
+
+[Learn more](/docs/manage/security/scim/).