Commit 92cb05f

Merge branch 'main' into manage
2 parents fbb4fd6 + d57404d commit 92cb05f

415 files changed

+6943
-4346
lines changed


.clabot

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -169,7 +169,8 @@
169169
"Hellfire4959",
170170
"antonymartinsumo",
171171
"amee-sumo",
172-
"chetanchoudhary-sumo"
172+
"chetanchoudhary-sumo",
173+
"JamoCA"
173174
],
174175
"message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
175176
"label": "cla-signed",
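Review bot: the `contributors` array in `.clabot` is the allowlist that lets cla-bot apply the `cla-signed` label, so the new entry `"JamoCA"` should be backed by a signed CLA on file, which is exactly what the `message` field promises contributors; recording the form submission (date or reference) in the PR that adds the name keeps the allowlist auditable. The JSON itself is correct: the trailing comma moved from `"chetanchoudhary-sumo"` to the new last element.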

README.md

Lines changed: 64 additions & 20 deletions
@@ -8,36 +8,80 @@
88
<a href="https://help.sumologic.com/release-notes-service"><img src="https://img.shields.io/badge/RSS-FFA500?style=for-the-badge&logo=rss&logoColor=white" alt="RSS Follow" width="50"/></a>
99
</p>
1010

11-
Share your knowledge with the Sumo Logic community by contributing to our docs! You can contribute by creating an issue or pull request (PR) on our GitHub repository. We welcome all types of contributions; from minor typo fixes to new topics.
11+
Sumo Docs is the open-source documentation site for Sumo Logic, an all-in-one cloud data analytics platform built to support security, operations, and business intelligence use cases. Sumo Logic empowers users to monitor, analyze, troubleshoot, and visualize data from their applications and network environments in real time. Its elastic processing capabilities enable seamless log data collection and management from various sources, regardless of type, volume, or location. Learn more at [sumologic.com](https://www.sumologic.com).
1212

13-
Documentation staff members review issues and pull requests on a regular basis. We do our best to address all issues as soon as possible, but working through the backlog takes time. We appreciate your patience.
13+
## Get involved
1414

15-
## Contributing Content
15+
We welcome contributions from the community! Whether it's fixing a typo, adding new content, or proposing improvements, your input helps users make the most of Sumo Logic. You can contribute by creating an issue or submitting a pull request in our GitHub repository.
1616

17-
For detailed instructions, including our style guide, see [Contributor Guidelines](https://help.sumologic.com/docs/contributing).
17+
Here’s how to get started:
18+
- Fork our repo and create a new branch for your content changes.
19+
- Preview your edits by building the site locally.
20+
- Submit a pull request for review.
1821

19-
We recommend forking our repo, creating a new branch for your content changes, and submitting a pull request. We will help review, test, and merge the content for publishing.
22+
Our team will help review, test, and merge your contributions for publishing.
2023

21-
## Building Locally
24+
Sumo Docs is built with [Docusaurus 3](https://docusaurus.io/) and supports React, Rehype, and Remark plugins. We also use [cla-bot](https://colineberhardt.github.io/cla-bot/) to manage our Contributor License Agreement (CLA) process.
2225

23-
Docusaurus requires the following to build on locals:
26+
Before submitting an issue or pull request, we recommend reviewing the sections below.
2427

25-
* [NodeJS](https://nodejs.org/en/download/) version >= 16.14
26-
* [Yarn](https://yarnpkg.com/en/) version >= 1.5, you can install with [Homebrew](https://brew.sh/) if you have that installed: `brew install yarn`
28+
## Table of contents
2729

28-
The site includes translations into other languages. To build on your local:
30+
- [Get involved](#get-involved)
31+
- [Prerequisites](#prerequisites)
32+
- [Installation](#installation)
33+
- [Contributing content](#contributing-content)
34+
- [Building locally](#building-locally)
35+
- [Publishing content](#publishing-content)
2936

30-
1. Clone the repo using Git or tools like GitHub Desktop.
31-
1. In a terminal, change to the cloned repo folder. Run the install command: `yarn install`.
32-
1. To serve and review your content, use one of the following:
33-
* Use start, hot reloads as you make changes: `yarn start`. Any issues with broken links and images are listed according to file. Locate and update those issues, then run build and start again to verify.
34-
* Use npm serve to test and review multi-languages: `npm run serve`. This build does not hot reload and requires a rebuild to test and review.
35-
1. To build locally and test your links, run `yarn build`.
37+
## Prerequisites
3638

37-
The static files are generated in the `build` folder and run on your local machine at: `http://localhost:3000/`. To stop the build or served site, hit Ctrl + C to interrupt. You can enter new commands in terminal, rebuild, and restart.
39+
To contribute to Sumo Docs, ensure you have the following tools installed:
3840

39-
Sumo Docs was created using [Docusaurus 2](https://docusaurus.io/) with React, Rehype, and Remark plugin support. Our CLA bot was built using [cla-bot](https://colineberhardt.github.io/cla-bot/).
41+
- [Node.js](https://nodejs.org/en/download/) version 18 or higher
42+
- [Yarn](https://yarnpkg.com/en/), installable via [Homebrew](https://brew.sh/) (`brew install yarn`)
4043

41-
## Publishing Content
44+
## Installation
4245

43-
As pull requests are merged to the `main` branch by the Sumo Logic Doc team, the content builds and deploys to a staging site. This allows you to review and test your content thoroughly on a server, rather than a local build, prior to merging your code to production.
46+
1. Fork and clone the repository using Git or a tool like GitHub Desktop.
47+
2. Navigate to the cloned repository folder:
48+
```bash
49+
cd sumologic-documentation
50+
```
51+
3. Install dependencies:
52+
```bash
53+
yarn install
54+
```
55+
56+
## Apply your changes
57+
58+
Make edits using [Markdown syntax](https://help.sumologic.com/docs/contributing/style-guide/#markdown). Keep contributions concise, informative, and aligned with our guidelines.
59+
60+
Refer to our [Contributor Guidelines](https://help.sumologic.com/docs/contributing/create-edit-doc/#edit-a-doc) for more information on:
61+
- Markdown editing
62+
- Proposing bug fixes
63+
- Testing your changes
64+
65+
All contributions must follow our [Style Guide](https://help.sumologic.com/docs/contributing/style-guide/).
66+
67+
## Building locally
68+
69+
Building the site locally ensures your changes are accurate and functional before submission.
70+
71+
1. Serve and preview your content with hot reloads:
72+
```bash
73+
yarn start
74+
```
75+
Any issues, such as broken links or images, will be listed. Fix them, rebuild, and verify your changes.
76+
77+
2. Build the site and test locally:
78+
```bash
79+
yarn build
80+
```
81+
The static files will be generated in the `build` folder and served at `http://localhost:3000/`.
82+
83+
To stop the local server or build process, press `Ctrl + C`. You can rebuild and restart as needed.
84+
85+
## Publishing content
86+
87+
Our documentation team regularly reviews issues and pull requests. While we strive to address contributions promptly, there may be delays as we work through the backlog. Your patience is appreciated.
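Review bot: the new table of contents (new lines 30-35) links to `#contributing-content`, but no heading of that name exists in the rewritten file; the section it points at is titled `## Apply your changes` (new line 56), so either rename that heading to `## Contributing content` or fix the link. In `## Building locally`, step 2 says the static files are "served at `http://localhost:3000/`" after `yarn build`, but `yarn build` only writes the `build` folder; the `npm run serve` command that the removed text (old line 34) used to preview the built, multi-language output has been dropped and should be restored so that sentence is accurate. The Node.js requirement also moves from `>= 16.14` to `18 or higher` and the framework reference from Docusaurus 2 to 3 without being called out anywhere; a line noting the toolchain bump would help contributors on older Node. Finally, `## Publishing content` no longer describes the staging deploy on merges to `main` (old line 43) and now holds review-backlog text; if the staging site still exists, that paragraph is worth keeping.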

blog-cse/2022/12-31.md

Lines changed: 2 additions & 2 deletions
@@ -453,7 +453,7 @@ Cloud SIEM now supports custom sources of inventory data. Now, if you want to in
453453

454454
#### Standard Match Lists
455455

456-
As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the [previous announcement](https://help.sumologic.com/release-notes-cse/2022/10/13/application-update/). This will continue until January 20, 2023, when the migration will be complete.
456+
As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the [previous announcement](/release-notes-cse/2022/12/31/#october-13-2022---application-update). This will continue until January 20, 2023, when the migration will be complete.
457457

458458
#### Minor Changes and Enhancements
459459

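Review bot: the replacement link targets an in-page anchor (`#october-13-2022---application-update`) on the consolidated 2022 release-notes page. That anchor is derived from the heading text and will silently break if the heading is ever reworded, and a missing anchor is less likely to be caught than a missing path; confirm it resolves in a local preview before merging.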
@@ -776,7 +776,7 @@ Labels were not being created properly based on Network Blocks for a small numbe
776776
#### Read-Only User Capabilities for Cloud SIEM
777777
New user capabilities (permissions) have been created enabling read-only access to content and configuration features in Cloud SIEM.
778778

779-
These can be used when defining roles in the Sumo Logic platform (at **Administration > Users and Roles > Roles**).
779+
These can be used when [defining roles](/docs/manage/users-roles/roles/create-manage-roles/) in the Sumo Logic platform.
780780

781781
<img src={useBaseUrl('img/release-notes/cse/Read-Only-Roles.png')} alt="read-only roles" />
782782

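Review bot: the rewrite drops the in-product navigation path (**Administration > Users and Roles > Roles**) in favour of a link to the roles doc. Release notes are also read outside the site (for example via RSS), where the path is more useful than the link; suggest keeping both: `These can be used when [defining roles](/docs/manage/users-roles/roles/create-manage-roles/) in the Sumo Logic platform (**Administration > Users and Roles > Roles**).`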
blog-cse/2023/12-31.md

Lines changed: 2 additions & 2 deletions
@@ -166,7 +166,7 @@ For full details, see the [Cloud SOAR documentation](/docs/platform-services/aut
166166
---
167167
### October 26, 2023 - Content Release
168168

169-
This content release includes templates for creating Cloud SIEM parsers. There are two versions of each, one with comments that explain the purpose of each parser component, and “clean” versions that you can use to start quickly creating custom parsers. Further documentation on using these parsers will be available on [Sumo Logic Docs](https://help.sumologic.com/) in the coming weeks. Other changes in this release are enumerated below.
169+
This content release includes templates for creating Cloud SIEM parsers. There are two versions of each, one with comments that explain the purpose of each parser component, and “clean” versions that you can use to start quickly creating custom parsers. Further documentation on using these parsers will be available on [Sumo Logic Docs](/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog/) in the coming weeks. Other changes in this release are enumerated below.
170170

171171
#### Rules
172172

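Review bot: the link text "Sumo Logic Docs" now resolves to the Cloud SIEM content catalog page rather than the docs home, so the text no longer matches the target; suggest `see the [Cloud SIEM content catalog](/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog/)`. Since this is a dated note promising documentation "in the coming weeks", also check that the catalog page actually covers the parser templates described, otherwise the historical note now points somewhere misleading.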
@@ -1325,7 +1325,7 @@ Each node in the graph represents a single Entity. The graph also displays the r
13251325

13261326
The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.
13271327

1328-
For more information about how to use the Entity Relationship Graph, see the [online documentation](https://help.sumologic.com/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#about-the-entities-tab-graph-view). You will also see an introduction to the feature the first time you visit an Insight details page.
1328+
For more information about how to use the Entity Relationship Graph, see the [online documentation](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#about-the-entities-tab-graph-view). You will also see an introduction to the feature the first time you visit an Insight details page.
13291329

13301330
#### Minor Changes and Enhancements
13311331

blog-cse/2024-12-06-content.md

Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
---
2+
title: December 6, 2024 - Content Release
3+
hide_table_of_contents: true
4+
keywords:
5+
- log mappers
6+
- log parsers
7+
- detection rules
8+
- tag schemas
9+
image: https://help.sumologic.com/img/sumo-square.png
10+
---
11+
12+
import useBaseUrl from '@docusaurus/useBaseUrl';
13+
14+
<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
15+
16+
This content release:
17+
- Introduces new Cloud SIEM detection rules for monitoring activity and alerts from GitHub Enterprise.
18+
- New and updated log parsing and mapping support for:
19+
- AWS VPC Transit Gateways Flow Logs
20+
- Alert Logic
21+
- Google G Suite Alert Center
22+
- Microsoft Defender Advanced Hunting
23+
- Azure Provisioning, Alert, ResourceHealth, and ServiceHealth events
24+
25+
Changes are enumerated below.
26+
27+
:::note
28+
First Seen Successful Authentication From Unexpected Country (FIRST-S00029), which is disabled by default, has been replaced by a rule of the same name (FIRST-S00065) which is enabled by default. FIRST-S00029 will be removed in a subsequent release in 2 weeks (week of December 16). Any tuning expressions applied to FIRST-S00029 will need to be migrated to FIRST-S00065 to continue functioning.
29+
:::
30+
31+
### Rules
32+
- [New] MATCH-S00952 GitHub - Administrator Added or Invited
33+
- Detects additions or invitations of GitHub Administrators. Illegitimate addition of administrative users could be an indication of privilege escalation or persistence by adversaries.
34+
- [New] MATCH-S00953 GitHub - Audit Logging Modification
35+
- Detects modifications to the GitHub Enterprise Audit Log. Modifications and deletions have the potential to reduce visibility of malicious activity.
36+
- [New] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
37+
- Observes for GitHub staff manually revoking copilot access for a user. This action is likely to be rare and may be indicative of a user violating the [acceptable use policy for GitHub](https://docs.github.com/en/site-policy/acceptable-use-policies).
38+
- [New] FIRST-S00091 GitHub - First Seen Activity From Country for User
39+
- Detects GitHub user activity from a new country. User account compromises can be detected through unusual geolocation in some cases. To lower possible false positives, a tuning expression for expected country names or codes can be added,.
40+
- [New] FIRST-S00090 GitHub - First Seen Application Interacting with API
41+
- Detects new application usage of the GitHub API. New applications utilizing the API may be routine, however this may also reveal malicious applications utilizing the API.
42+
- [New] MATCH-S00950 GitHub - Member Invitation or Addition
43+
- Detects new user additions or invitations to the business or organization GitHub. New user additions/invitations should be monitored as they could be a vector for malicious actors to establish access or persistence.
44+
- [New] MATCH-S00955 GitHub - Member Permissions Modification
45+
- Detects modifications of GitHub user permissions. Added permissions for a user should be monitored for potential privilege escalation by an adversary.
46+
- [New] MATCH-S00956 GitHub - OAuth Application Activity
47+
- Detects OAuth application activities within GitHub. OAuth application management and access activity should be monitored for potential abuse by potential malicious actors, either by creating malicious access paths within GitHub, or destruction of GitHub infrastructure.
48+
- [New] MATCH-S00957 GitHub - Organization Transfer
49+
- Detects transfers of an organization to another enterprise This is a sensitive activity that should be monitored to ensure organizations and their repositories are not being transferred without proper authorization.
50+
- [New] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
51+
- Detects an outlier in the number of distinct user agent strings for a GitHub user. Unusual user agent strings for a user account could indicate account takeover.
52+
- [New] OUTLIER-S00028 GitHub - Outlier in Removal Actions by User
53+
- Detects a higher than usual number of removal actions undertaken by a user. This detection has a broad scope to detect any unusual number of destroy, delete, or remove actions undertaken by a user to help detect a range of different potential destructive activities in GitHub.
54+
- [New] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
55+
- Detects an unusual number of repository clones for a user. Unusual repository cloning could indicate data exfiltration or discovery.
56+
- [New] MATCH-S00958 GitHub - PR Review Requirement Removed
57+
- Detects GitHub pull request review requirements being removed from a repository either via branch protection rule or ruleset.
58+
- [New] MATCH-S00959 GitHub - Repository Public Key Deletion
59+
- Detects deletions of SSH keys in GitHub. Unusual deletions could represent an adversary attempting to disrupt normal operations by denying access.
60+
- [New] MATCH-S00960 GitHub - Repository Transfer
61+
- Detects transfers of a repository to another organization or user. This is a sensitive activity that GitHub places in the "Danger Zone" of repository setting and should be monitored to ensure no unauthorized transfers are taking place.
62+
- [New] MATCH-S00961 GitHub - Repository Visibility Changed to Public
63+
- Detects a user making a repository public. This action should be closely monitored and mitigative actions taken even if the published repository is deleted, or reverted to private. Reference: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
64+
- [New] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
65+
- Detects repository visibility permissions being changed to allow members of an organization to change the visibility of repositories. This activity introduces the potential for data leakage if a private or internal repository is changed to public and should be monitored to ensure no inadvertent or malicious publication of a repository.
66+
- [New] MATCH-S00963 GitHub - SSH Key Created for Private Repo
67+
- Detects the creation of an SSH key for a private GitHub repository. Performed maliciously, creating an SSH key could create a parallel access path for an attacker.
68+
- [New] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
69+
- Detects activities accessing SSO recovery codes. SSO recovery codes can enable a user to bypass normal more stringent authentication routes.
70+
- [New] MATCH-S00951 GitHub - Secret Scanning Alert
71+
- Observes for secret scanning alerts from GitHub. Secrets detected by GitHub Enterprise Cloud undergo validation by GitHub automatically, to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection. For more information see [Evaluating alerts from secret scanning](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts).
72+
- [New] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
73+
- Detects actions which disable or modify secret scanning policies for an organization or repository. Modifying or disabling secret scanning may lead to inadvertent leaking of credentials.
74+
- [New] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
75+
- Observes for two-factor authentication being disabled for a GitHub organization. Removing two-factor authentication requirements significantly degrades the security of the GitHub organization by permitting password only authentication.
76+
- [Updated] THRESHOLD-S00095 Password Attack from Host
77+
- Modified the rule expression to remove the `srcDevice_ip` entity selector and the `isNull` from the rule expression for entities from the existing rule, and creates a new rule for those entities so that there are 2 versions of the rule's intent.
78+
79+
### Log Mappers
80+
- [New] AWS VPC Transit Gateways Flow Logs
81+
- [New] Alert Logic Catch All
82+
- [New] Azure ResourceHealth and ServiceHealth
83+
- [New] Google G Suite Alert Center - User Changes
84+
- [New] Microsoft Defender Advanced Hunting - Alert
85+
- [New] Microsoft Defender Advanced Hunting - Audit
86+
- [New] Microsoft Defender Advanced Hunting - Email events
87+
- [New] Microsoft Defender Advanced Hunting - Logon
88+
- [New] Microsoft Defender Advanced Hunting - Network
89+
- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
90+
- Adds support for additional event types and field mappings.
91+
- [Updated] Trend Micro Vision One Custom Parser
92+
- Supports additional field names.
93+
94+
### Parsers
95+
- [New] /Parsers/System/AWS/AWS VPC Transit Gateways Flow Logs
96+
- [New] /Parsers/System/Alert Logic/Alert Logic
97+
- [New] /Parsers/System/Microsoft/Microsoft Defender Advanced Hunting
98+
- [Updated] /Parsers/System/Trend Micro/Trend Micro Vision One
99+
- Parser updated to support additional event format.
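Review bot: several typos in the rule descriptions should be fixed before this publishes: `can be added,.` (new line 39) has a stray comma; `another enterprise This is` (new line 49) is missing a period; `repository setting` (new line 61) should be `settings`; and the MATCH-S00951 description (new line 71) is a run-on ("to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection") that needs splitting into two sentences. The THRESHOLD-S00095 entry (new line 77) says a new rule was created for the removed `srcDevice_ip` entities but never names that rule's ID and mixes tenses ("Modified ... and creates"); readers who must migrate tuning expressions, as the note at the top asks for FIRST-S00029 to FIRST-S00065, need the new identifier stated.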