Merge branch 'main' into docs-613-service-intelligence-beta

Author: jpipkin1

blog-cse/2025-03-24-content.md

@@ -0,0 +1,39 @@
+---
+title: March 24, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes Threat Intelligence match rules that use the new [`hasThreatMatch`](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch) operator to support both global and custom threat intelligence feeds.
+
+To reduce initial signal volume, basic inbound and outbound IP address threat match rules with a low or medium confidence level are disabled by default (see below). We highly recommend tuning these rules before enabling them to reduce signal volume, and therefore entity risk assignment, to manageable levels.
+
+### Rules
+* MATCH-S00999 Threat Intel - IMPHASH Match
+* MATCH-S01000 Threat Intel - MD5 Match
+* MATCH-S01001 Threat Intel - PEHASH Match
+* MATCH-S01002 Threat Intel - SSDEEP Match
+* MATCH-S01003 Threat Intel - SHA1 Match
+* MATCH-S01004 Threat Intel - SHA256 Match
+* MATCH-S01005 Threat Intel - Source Hostname
+* MATCH-S01006 Threat Intel - Device Hostname
+* MATCH-S01007 Threat Intel - Destination Device Hostname
+* MATCH-S01008 Threat Intel - HTTP Hostname
+* MATCH-S01009 Threat Intel - HTTP Referrer Hostname
+* MATCH-S01010 Threat Intel - DNS Query Domain
+* MATCH-S01011 Threat Intel - DNS Reply Domain
+* MATCH-S01012 Threat Intel - HTTP Referrer Domain
+* MATCH-S01013 Threat Intel - HTTP URL Root Domain
+* MATCH-S01014 Threat Intel - HTTP URL FQDN
+* MATCH-S01015 Threat Intel - HTTP URL
+* MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence) - Disabled By Default
+* MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence) - Disabled By Default
+* MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence) - Disabled By Default
+* MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence) - Disabled By Default
+* MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
+* MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
+* MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

docs/api/search-job.md

@@ -941,7 +941,11 @@ https://api.sumologic.com/api/v1/search/jobs/37589506F194FC80
 
 ## Bash this Search Job
 
-You can use the following script to exercise the API.
+You can use the following script to exercise the API. 
+
+:::note
+Ensure that you send ACCESSID/ACCESSKEY pair even if cookies are sent for the Search Job APIs.
+:::
 
 ```bash
 #!/bin/bash

docs/integrations/amazon-aws/elastic-container-service.md

@@ -22,8 +22,8 @@ Sumo Logic Copilot is our AI-powered assistant that accelerates investigations a
 
 With its intuitive interface, Copilot automatically generates log searches from natural language queries, helping you quickly investigate performance issues, anomalies, and security threats. It also guides you through investigations step-by-step with AI-driven suggestions to refine your results for faster, more accurate resolutions. Overall, Copilot enhances incident resolution with expert level insights.
 
-:::sumo Micro Lesson
-Watch this micro lesson to learn about Copilot.
+:::sumo Micro Lesson: Introduction to Copilot
+This short video introduces Copilot and how it can help you with log search and analysis—perfect for getting a quick overview before diving in.
 
 <Iframe url="https://fast.wistia.net/embed/iframe/o9uftxw012?web_component=true&seo=true&videoFoam=false"
   width="854px"
@@ -77,6 +77,22 @@ Copilot is ideal for users of all skill levels:
 
 In this section, you'll learn the recommended workflow for using Copilot effectively, along with best practices to maximize its benefits.
 
+:::sumo Micro Lesson: Using Copilot
+See Copilot in action with a hands-on walkthrough of the UI and prompt-based search.
+
+<Iframe url="https://fast.wistia.net/embed/iframe/t67ovt9hqj?web_component=true&seo=true&videoFoam=false"
+  width="854px"
+  height="480px"
+  id="wistiaVideo"
+  className="video-container"
+  display="initial"
+  position="relative"
+  allow="autoplay; fullscreen"
+  allowfullscreen
+/>
+
+:::
+
 ### Step 1: Open Copilot
 
 To start using Copilot:
@@ -107,26 +123,11 @@ You can pin a suggestion for easy access later. Just hover over a suggestion and
 
 #### Ask a question
 
-In the **Ask Something...** field, you can manually enter a natural language prompt, similar to the prebuilt options under **Suggestions**. You can also use autocompletion—start typing a keyword to see relevant suggestions.
-
-<img src={useBaseUrl('img/search/copilot/manual-entry.png')} alt="Copilot time period" style={{border: '1px solid gray'}} width="600" />
-
-#### Video: Autocomplete in action
-
-<Iframe url="https://player.vimeo.com/video/1034043268?badge=0&amp;autopause=0&amp;player_id=0&amp;app_id=58479"
-     width="854px"
-     height="480px"
-     id="myId"
-     className="video-container"
-     display="initial"
-     position="relative"
-     allow="accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-     allowfullscreen
-     />
+In the **Ask Something...** field, you can manually enter a natural language prompt, similar to the prebuilt options under **Suggestions**. You can also use autocompletion—start typing a keyword to see relevant suggestions.<br/><img src={useBaseUrl('img/search/copilot/manual-entry.png')} alt="Entering a prompt in the Copilot Ask field" style={{border: '1px solid gray'}} width="600" />
 
-Broad questions may not yield accurate results. For best outcomes, frame your queries around a small, well-defined problem. If Copilot is unable to translate your prompt into a query, it will display "Failed translation".
+To get the best results, focus your queries on a specific, well-defined problem. Broad or vague questions may lead to inaccurate or incomplete results. If Copilot cannot translate your prompt into a valid query, you'll see a "Failed translation" message.
 
-Break your questions into smaller, specific requirements to help Copilot provide more accurate answers.<br/><img src={useBaseUrl('img/search/copilot/periods-query-syntax.gif')} alt="Copilot time period" style={{border: '1px solid gray'}} width="700" />
+Whenever possible, break down complex questions into smaller, clear requirements. This helps Copilot generate more accurate and actionable responses.<br/><img src={useBaseUrl('img/search/copilot/periods-query-syntax.gif')} alt="Copilot time period" style={{border: '1px solid gray'}} width="700" />
 
 #### Tips and tricks
 

docs/search/copilot.md

@@ -79,7 +79,7 @@ To configure the CrowdStrike Threat Intel Source:
 1. In **Region**, choose the region as per your Base URL. See [Region](#region) section to know your region.
 1. In **Client ID**, enter the Client ID you generated and secured from the [API Client](#api-client-and-api-secret) section.
 1. In **Client Secret**, enter the Client Secret you generated and secured from the [API Secret](#api-client-and-api-secret) section.
-1. In **Sumo Logic Threat Intel Source ID**, enter the Sumo Logic namespace in which the indicators are stored.
+1. In **Sumo Logic Threat Intel Source ID**, enter the name you want to use for the CrowdStrike source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The CrowdStrike threat intelligence indicators will be stored in this source. Do not use spaces in the name.
 1. (Optional) In **Mallicious Confidence**, enter the type of confidence to collect data from. Possible values: `high`, `medium`,`low`, or `unverified`.
 1. The **Polling Interval** is set for one hour by default, you can adjust it based on your needs. This sets how often the integration will fetch complete vulnerability instance data that has been updated within most recent polling interval duration.
 1. When you are finished configuring the Source, click **Save**.

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md

@@ -51,7 +51,7 @@ To configure an Intel471 Threat Intel source:
    * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped. 
 1. **Username**. Enter your login ID or email address.
 1. **API Key**. Enter the API key of the user account collected from the [Intel471 Threat Intel platform](#vendor-configuration).
-1. **Sumo Logic Threat Intel Source ID**. Enter the Sumo Logic namespace where the indicators will be stored.
+1. **Sumo Logic Threat Intel Source ID**. Enter the name you want to use for the Intel 471 source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The Intel 471 threat intelligence indicators will be stored in this source. Do not use spaces in the name.
 1. **Polling Interval**. The polling interval is set for one hour by default. You can adjust it based on your needs. This sets how often the source checks for new data.
 1. **Processing Rules for Logs**. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in [Create a Processing Rule](/docs/send-data/collection/processing-rules/create-processing-rule).
 1. When you are finished configuring the source, click **Save**.

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel-471-threat-intel-source.md

@@ -50,7 +50,7 @@ To configure a Mandiant Threat Intel source:
    * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
 1. **API Key ID**. Enter the API key ID collected from the Mandiant Threat Intel platform.
 1. **API Secret**. Enter the API secret collected from the from the Mandiant Threat Intel platform.
-1. **Sumo Logic Threat Intel Source ID**. Enter your Sumo Logic namespace ID in which the indicators will be stored.
+1. **Sumo Logic Threat Intel Source ID**. Enter the name you want to use for the Mandiant source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The Mandiant threat intelligence indicators will be stored in this source. Do not use spaces in the name.
 1. **Polling Interval**. The polling interval is set for 5 minutes by default. You can adjust it based on your needs. This sets how often the source checks for new data.
 1. **Processing Rules for Logs**. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in [Create a Processing Rule](/docs/send-data/collection/processing-rules/create-processing-rule).
 1. When you are finished configuring the source, click **Save**.

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md

@@ -54,7 +54,7 @@ To configure a TAXII 1 Client Source:
 1. (Optional) **Fields**. Click the **+Add** button to define the fields you want to associate. Each field needs a name (key) and value.
    * ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
    * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
-1. **Sumo Logic Threat Intel Source ID**. Provide your own threat intelligence source ID. This is useful for organizing multiple sources.
+1. **Sumo Logic Threat Intel Source ID**. Enter the name you want to use for the source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The threat intelligence indicators will be stored in this source. Do not use spaces in the name.
 1. **STIX/TAXII Configuration**:
    * **Discovery URL**. Enter the TAXII Discovery URL provided by the vendor (optional).
 1. **Collection Names**. Enter the collections to fetch, using the poll URL.

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md

@@ -53,7 +53,7 @@ To configure a TAXII 2 Client Source:
 1. (Optional) **Fields**. Click the **+Add** button to define the fields you want to associate. Each field needs a name (key) and value.
    * ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
    * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
-1. **Sumo Logic Threat Intel Source ID**. Provide your own threat intelligence source ID. This is useful for organizing multiple sources.
+1. **Sumo Logic Threat Intel Source ID**. Enter the name you want to use for the source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The threat intelligence indicators will be stored in this source. Do not use spaces in the name.
 1. **Authentication**. Select the authentication type:
    * **Basic**. Provide your vendor username and password.
    * **API Key**. Provide:

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md

@@ -52,7 +52,7 @@ To configure an ZeroFox Threat Intel source:
    * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped. 
 1. **Username**. Enter your ZeroFox username.
 1. **Password**. Enter your Zerofox password.
-1. **Sumo Logic Threat Intel Source ID**. Enter the Sumo Logic namespace where the indicators will be stored.
+1. **Sumo Logic Threat Intel Source ID**. Enter the name you want to use for the ZeroFox source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The ZeroFox threat intelligence indicators will be stored in this source. Do not use spaces in the name.
 1. **Polling Interval**. The polling interval is set for one hour by default. You can adjust it based on your needs. This sets how often the source checks for new data.
 1. **Processing Rules for Logs**. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in [Create a Processing Rule](/docs/send-data/collection/processing-rules/create-processing-rule).
 1. When you are finished configuring the source, click **Save**.