Merge branch 'main' into AWS-Security-Hub-OCSF-app-docs

Author: parth-sumo

blog-service/2025-07-28-alerts.md

@@ -0,0 +1,19 @@
+---
+title: Time range limits for subqueries in scheduled searches (Alerts)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - alerts
+  - scheduled searches
+  - subqueries
+hide_table_of_contents: true    
+---
+
+We've introduced time range limits for subqueries in scheduled searches. This change helps you prevent long-running, inefficient queries, especially those impacting system stability and that drive up costs. While maintaining flexibility, these optimizations protect system health and reduce operational overhead.
+
+Key benefits of this enhancements include:
+
+- Improved query performance and responsiveness.
+- Encourage efficient search practices.
+- Support sustainable resource usage.
+
+[Learn more](/docs/alerts/scheduled-searches/schedule-search/#step-3-time-range).

blog-service/2025-07-31-apps.md

@@ -0,0 +1,15 @@
+---
+title: Apps, Solutions, and Collection Integrations - July Release 
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - july-release
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### Enhancements
+
+- **Updated OpenTelemetry apps**. [Oracle - OpenTelemetry](/docs/integrations/databases/opentelemetry/oracle-opentelemetry/), [SQL Server - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-opentelemetry/), and [SQL Server for Linux - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-linux-opentelemetry/).
+- **Updated 1 Webhook app**. [Sentry](/docs/integrations/webhooks/sentry/).

blog-service/2025-07-31-collection.md

@@ -0,0 +1,12 @@
+---
+title: OneLogin Source (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - c2c
+  - onelogin-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce the release of our new cloud-to-cloud source for OneLogin. This source aims to collect the user list logs from the OneLogin API and send it to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source).

cid-redirects.json

@@ -476,6 +476,7 @@
   "/05Search/Optimize-Search-Performance": "/docs/search/optimize-search-performance",
   "/05Search/Optimize-Search-Performance/Optimizing_Search_with_Partitions": "/docs/search/optimize-search-partitions",
   "/docs/manage/queries/optimize-queries": "/docs/search/optimize-search-performance",
+  "/docs/search/search-across-child-org": "/docs/search/search-across-child-orgs",
   "/05Search/Search-Cheat-Sheets": "/docs/search/search-cheat-sheets",
   "/05Search/Search-Cheat-Sheets/General-Search-Examples-Cheat-Sheet": "/docs/search/search-cheat-sheets/general-search-examples",
   "/05Search/Search-Cheat-Sheets/grep-to-Searching-with-Sumo-Cheat-Sheet": "/docs/search/search-cheat-sheets/grep-searching-with-sumo",
@@ -2911,6 +2912,7 @@
   "/cid/21037": "/docs/integrations/google/cloud-vpn",
   "/cid/21333": "/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint",
   "/cid/21039": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source",
+  "/cid/21059": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source",
   "/cid/21041": "/docs/integrations/google/cloud-security-command-center",
   "/cid/21097": "/docs/integrations/saas-cloud/confluent-cloud",
   "/cid/21040": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers",
@@ -3802,6 +3804,7 @@
   "/03Send-Data/Collect-from-Other-Data-Sources/Collect_Logs_from_AWS_Lambda_using_Lambda_Extension": "/docs/send-data/collect-from-other-data-sources/collect-aws-lambda-logs-extension",
   "/03Send-Data/Collect-from-Other-Data-Sources/Collecting-Logs-from-a-Local-File-System": "/docs/send-data/installed-collectors/sources/local-file-source",
   "/03Send-Data/Hosted-Collectors/GCP_Metrics_Source": "/docs/send-data/hosted-collectors/google-source/gcp-metrics-source",
+  "/03Send-Data/Hosted-Collectors/HTTP-Source": "/docs/send-data/hosted-collectors/http-source/logs-metrics",
   "/03Send-Data/Sources/01Sources-for-Installed-Collectors": "/docs/send-data/installed-collectors/sources",
   "/03Send-Data/Sources/01Sources-for-Installed-Collectors/Local_Windows_Event_Log_Source": "/docs/send-data/installed-collectors/sources/local-windows-event-log-source",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services": "/docs/send-data/hosted-collectors/amazon-aws",
@@ -3887,6 +3890,7 @@
   "/Apps/Preview_Apps/Cylance/01Collect_Logs_for_Cylance": "/docs/integrations/security-threat-detection/cylance",
   "/Apps/Preview_Apps/Azure_Audit_App": "/docs/integrations/microsoft-azure/audit",
   "/Apps/Preview_Apps/Azure_Audit+App": "/docs/integrations/microsoft-azure/audit",
+  "/Apps/Preview_Apps/Azure_Web_Apps": "/docs/integrations/microsoft-azure/web-apps",
   "/Apps/Windows_App/Windows_App_Dashboards": "/docs/integrations/microsoft-azure",
   "/Beta": "/docs/beta",
   "/Beta/APIs": "/docs/api",

docs/alerts/scheduled-searches/schedule-search.md

@@ -44,6 +44,10 @@ The [time range](../../search/get-started-with-search/search-basics/time-range-e
 This setting is different than the Time Range option configured for the Saved Search. The first time range is only used when you run the Saved Search from the Library. This Time Range applies to your Scheduled Search.
 :::
 
+:::note
+The time range limitations below apply to both parent queries and subqueries in your scheduled search.
+:::
+
 Alternately, type a time range; for example, -15m to run the search against data generated in the past 15 minutes. A time range outside the maximum allowed range for a given frequency is not allowed and presents the message like this: `Invalid query. Max allowed time range for 15 minutes frequency is 1 day`.
 
 The maximum allowed time range for different Scheduled Search frequencies is as below:

docs/cse/rules/write-first-seen-rule.md

@@ -50,7 +50,7 @@ Watch this micro lesson to learn more about first seen rules.
 
 A first seen rule is different from other Cloud SIEM rule types in that you don’t define the criteria for firing a signal. Instead, the rule expression in a first seen rule is simply a filter condition that defines what incoming records the rule will apply to. For each first seen rule, Cloud SIEM automatically creates a baseline model of normal behavior for a defined time period (by default for the last 90 days) evidenced by records that match the Rule Expression. The activity found during this period is considered normal behavior and will not be alerted on. 
 
-As soon as you save or update a first seen rule, the baseline is built using existing data collected. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
+As soon as you save or update a first seen rule (or disable and re-enable it), the full baseline is built using existing data collected. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
 
 Once the baseline is created, when an incoming record includes matching activity not seen during the baseline retention period, the rule creates a signal identifying the activity as *first seen*. The signal indicates that the activity is first seen:
 
@@ -86,9 +86,9 @@ The settings in the **If Triggered** section determine what records the rule wil
 
 1.  **When a Record matching the expression**. Enter an expression that matches the records that you want to rule to apply to.
 1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
-1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
+1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule. (If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.)
     :::note
-    If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
+    The [baseline for a first seen rule](#baselines-for-first-seen-rules) is recalculated if a rule tuning expression that applies to the selected rule is updated. However, the baseline is not recalculated if the rule tuning expression applies to all rules.
     :::
 1. **has a new value for the field(s)**. Select the record field that will be used to build the baseline.
 1. **after building a [global | per Entity] baseline** The settings in this section define the scope of the baseline that will be built.

docs/cse/rules/write-outlier-rule.md

@@ -53,7 +53,7 @@ Watch this micro lesson to learn more about outlier rules.
 
 When you create the rule, you can set the amount of time Cloud SIEM analyzes data to create a baseline model of behavior, with the default period being for the last 90 days. You can set the rule to build data hourly or daily, depending on how frequently you believe events of interest will occur, and how much data you want to gather. In the rule, you set the model sensitivity threshold to calculate outlier activity based on the number of standard deviations from the mean (z‑score). 
 
-As soon as you save or update an outlier rule, the baseline is built using existing data collected. So if your baseline retention period is for the last 90 days (the default), the system uses data from the last 90 days to build the baseline. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
+As soon as you save or update an outlier rule (or disable and re-enable it), the full baseline is built using existing data collected. So if your baseline retention period is for the last 90 days (the default), the system uses data from the last 90 days to build the baseline. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
 
 Once the baseline is created, Cloud SIEM tracks aggregates of count, sum, min, max, and averages of record values, and creates a signal when deviations from the mean occurs. For example, for the [spike in failed logins from a user](#use-case-for-a-spike-in-failed-logins-from-a-user) use case, Cloud SIEM builds a baseline model of counts of authentication failures that are associated with a user over time, and creates a signal when outlier behavior is detected:
 
@@ -91,9 +91,9 @@ The settings in the **If Triggered** section are divided into two subsections, o
 **Baseline Configuration**
 1. **For the records matching the expression**. Enter an expression that matches the records that you want to rule to apply to.
 1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
-1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
+1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule. (If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.)
     :::note
-    If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
+    The [baseline for an outlier rule](#baselines-for-outlier-rules) is recalculated if a rule tuning expression that applies to the selected rule is updated. However, the baseline is not recalculated if the rule tuning expression applies to all rules.
     :::
 1. **build a daily/hourly baseline**. Select the time window for building the baseline. It can either be a daily or hourly baseline.
 1. **for the entity(ies)**. Select one or more record fields for which you want baselines built. Selecting multiple fields will build a distinct baseline for a combination of entities.

docs/integrations/product-list/product-list-m-z.md

@@ -60,7 +60,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 |  <img src={useBaseUrl('img/integrations/security-threat-detection/Observable.png')} alt="Thumbnail icon" width="50"/>   | [Observable Networks](https://www.cisco.com/c/en/us/services/acquisitions/observable-networks.html)  | 	App: [Observable Networks](/docs/integrations/security-threat-detection/observable-networks/)	 |
 | <img src={useBaseUrl('img/integrations/misc/oisf-logo.png')} alt="Thumbnail icon" width="75"/>  | [OISF](https://oisf.net/) | Cloud SIEM integration: [OISF](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9c138edd-dc14-43a6-b751-52e41a8bd105.md) |
 |  <img src={useBaseUrl('img/integrations/saml/okta.png')} alt="Thumbnail icon" width="50"/>   | [Okta](https://www.okta.com/)  | 	App: [Okta](/docs/integrations/saml/okta/)	<br/>Automation integration: [Okta](/docs/platform-services/automation-service/app-central/integrations/okta/) <br/>Cloud SIEM integration: [Okta](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/d8d14556-180c-4463-90da-d8b8600f7362.md) <br/>Collectors: <br/>- [Okta Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/okta-source/) |
-|  <img src={useBaseUrl('img/integrations/saml/onelogin.png')} alt="Thumbnail icon" width="50"/>   | [OneLogin](https://www.onelogin.com/)  | 	App: [OneLogin](/docs/integrations/saml/onelogin/)	<br/>Automation integration: [OneLogin](/docs/platform-services/automation-service/app-central/integrations/onelogin/) <br/>Cloud SIEM integration: [OneLogin](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e34a3430-613f-47c0-9ddd-a320bc3e5c4d.md) |
+|  <img src={useBaseUrl('img/integrations/saml/onelogin.png')} alt="Thumbnail icon" width="50"/>   | [OneLogin](https://www.onelogin.com/)  | 	App: [OneLogin](/docs/integrations/saml/onelogin/)	<br/>Automation integration: [OneLogin](/docs/platform-services/automation-service/app-central/integrations/onelogin/) <br/>Cloud SIEM integration: [OneLogin](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e34a3430-613f-47c0-9ddd-a320bc3e5c4d.md) <br/>Collector: [OneLogin Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source) |
 | <img src={useBaseUrl('img/integrations/1password/1password.png')} alt="Thumbnail icon" width="50"/> | [1Password](https://1password.com/) | App: [1Password](/docs/integrations/saas-cloud/1password/) <br/>Cloud SIEM integration: [1Password](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/d0455ea1-e901-4999-b047-0533d16adfdc.md) <br/>Collector: [1Password Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/1password-source/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/onetrust.png')} alt="Thumbnail icon" width="75"/> | [OneTrust](https://www.onetrust.com/) | Automation integration: [OneTrust](/docs/platform-services/automation-service/app-central/integrations/onetrust/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/openai-chatgpt.png')} alt="Thumbnail icon" width="75"/> | [OpenAI](https://openai.com/) | Automation integration: [OpenAI ChatGPT](/docs/platform-services/automation-service/app-central/integrations/openai-chatgpt/) |

docs/platform-services/automation-service/app-central/integrations/censys-v2.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/censys.png')} alt="censys" width="100"/>
 
-***Version: 2.2  
-Updated: Jul 07, 2023***
+***Version: 2.3  
+Updated: Jul 31, 2025***
 
 Censys reduces your Internet attack surface by continually discovering unknown assets and helping remediate Internet facing risks.   
 
@@ -49,3 +49,4 @@ For information about Censys V2, see [Censys documentation](https://docs.censys.
 * July 7, 2023 (v2.2)
 	+ Updated the integration with Environmental Variables
 	+ Integration renamed from Censys 2.0 to Censys V2
+* July 31, 2025 (v2.3) - Updated the integration logo.

docs/platform-services/automation-service/app-central/integrations/censys.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/censys.png')} alt="censys" width="100"/>
 
-***Version: 1.1  
-Updated: Jul 11, 2023***
+***Version: 1.2  
+Updated: Jul 31, 2025***
 
 Search Censys for enrichment data during active investigation.
 
@@ -49,3 +49,4 @@ For information about Censys, see [Censys documentation](https://docs.censys.com
 
 * January 31, 2020 - First upload
 * July 11, 2023 (v1.1) - Updated the integration with Environmental Variables
+* July 31, 2025 (v1.2) - Updated the integration logo.