Merge branch 'main' into DOCS-712-Remove-RSS-image-in-all-Release-Notes

Author: kimsauce

.clabot

@@ -5,6 +5,8 @@
     "JV0812",
     "jpipkin1",
     "JainM6",
+    "@dependabot[bot]",
+    "dependabot[bot]",
     "docsSeema",
     "angadrandhawa1",
     "kkujawa-sumo",
@@ -176,7 +178,10 @@
     "chvik",
     "Apoorvkudesia-sumologic",
     "akesle",
-    "ankitgoelcmu"
+    "ankitgoelcmu",
+    "Deklin",
+    "justrelax19",
+    "dlindelof-sumologic"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

blog-cse/2025-02-27-content.md

@@ -0,0 +1,28 @@
+---
+title: February 27, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes updates to mapping and parsing to support additional AWS CloudTrail, F5 Firewall, and modify behavior in Microsoft Office 365 login events. 
+
+Changes are enumerated below.
+
+## Log Mappers
+- [New] CloudTrail Batch get Partition
+- [New] F5 Tmm Audit and APMD Audit - Custom Parser
+- [New] F5 Session and adfs proxy - Custom Parser
+- [Updated] F5 SSHD and Apmd - Custom Parser
+    - Expands scope of existing mapper to include Apmd events.
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+    - Adds exclusion for invalid user ID `00000000-0000-0000-0000-000000000000`.
+
+## Parsers
+- [Updated] /Parsers/System/F5/F5 Syslog

blog-cse/2025-03-03-application.md

@@ -0,0 +1,18 @@
+---
+title: March 3, 2025 - Application Update
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - threat intel
+  - security
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+### Threat Intelligence
+
+We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.
+
+For more information, [see our release note](/release-notes-service/2025/03/03/security/) in the *Service* release notes section.

blog-cse/2025-03-10-application.md

@@ -0,0 +1,20 @@
+---
+title: March 10, 2025 - Application Update
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - custom insights
+  - insights
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+### Strict signal configuration
+
+We're happy to announce that now when you create custom insights, you can select an option to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded. This allows you to generate insights for an immediate and targeted response. 
+
+[Learn more](/docs/cse/records-signals-entities-insights/configure-custom-insight/#for-only-signals-defined-in-the-custom-insight).
+
+<img src={useBaseUrl('img/cse/strict-signal-configuration-checkbox.png')} alt="Strict Signal Configuration checkbox" style={{border: '1px solid gray'}} width="400"/>

blog-cse/2025-03-13-content.md

@@ -0,0 +1,87 @@
+---
+title: March 13, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+
+This release includes:
+- New detection rules for Azure DevOps to identify suspicious or sensitive activity in CI/CD pipelines
+- New support for Barracuda WAF and CloudGen Firewall
+- Support for CyberArk Audit events
+- Updates to 1Password mappers to realign field mappings to reflect proper directionality
+- Fix for normalizedActions in AWS CloudTrail Policy Change mapper
+- Additions to CrowdStrike Audit and UserActivity log mappers to map additional fields and add alternate values
+- Support for additional events from Kubernetes and Linux OS logs
+
+## Rules
+- [New] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
+    - This detection monitors for the creation and deletion of Agent Pools within 5 days by the same user, with the intent of finding Agent Pools active for short durations.
+- [New] MATCH-S00997 Azure DevOps - Browser Observed in Personal Access Token (PAT) Use
+    - This detection monitors for the use of a PAT for authentication from a User Agent String indicating a web browser.
+- [New] MATCH-S00995 Azure DevOps - Change Made to Administrator Group
+    - This detection monitors for additions to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrators, Project Collection Build Administrators
+- [New] FIRST-S00098 Azure DevOps - First Seen Pull Request Policy Bypassed
+    - This detection monitors for when a user performs a pull request bypass for the first time.
+- [New] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
+    - This detection monitors for new users creating an agent pool. This user has not been observed creating agent pools during the baseline period and may be a new admin or involved in suspicious account activity.
+- [New] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
+    - This detection monitors for users creating a release pipeline for the first time after the baseline period (by default, 90 days).
+- [New] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
+    - This detection monitors for a user modifying a variable group for the first time.
+- [New] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
+    - This detection monitors for users modifying a release pipeline for the first time after the baseline period (by default, 90 days).
+- [New] MATCH-S00998 Azure DevOps - Known Malicious Tooling Detected ADOKit
+    - This is a simple detection matching on “ADOKit” at the start of the HTTP User Agent String (UAS). This detection effectively catches basic ADOKit use. It is brittle to attackers changing the User Agent String to another more innocuous browser to mask the traffic.
+- [New] MATCH-S00994 Azure DevOps - Member Added to Sensitive Group
+    - This detection monitors for changes to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrator
+- [New] FIRST-S00095 Azure DevOps - New Agent OS Added to Agent Pool
+    - This detection monitors for the addition of an agent to an agent pool when the OS of the agent has not been observed in this pool during the baseline period.
+- [New] FIRST-S00094 Azure DevOps - New Extension Installed
+    - This detection monitors for new extensions installed organization-wide after a 30-day baseline, based on the user installing the new extension.
+- [New] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
+    - This detection identifies statistical outliers in user behavior for the number of pools deleted in an hourly window. 
+- [New] MATCH-S00996 Azure DevOps - Personal Access Token (PAT) Misuse Observed
+    - This detection monitors for use of a Personal Access Token in conjunction with categories of action that aren’t normally associated with PAT authentication.
+- [New] CHAIN-S00021 Azure DevOps - Pipeline Created and Deleted within a Short Period
+    - This detection monitors for the creation and deletion of the same pipeline within a short period (by default, a day).
+- [New] MATCH-S00993 Azure DevOps - Pipeline Retention Settings Reduced
+    - This detection monitors for any reduction in the pipeline retention settings.
+
+
+## Log Mappers
+- [New] Barracuda Authentication
+- [New] Barracuda Catch All
+- [New] Barracuda CloudGen Auth Service dcclient and events
+- [New] Barracuda CloudGen Firewall Activity
+- [New] Barracuda CloudGen Settings DNS
+- [New] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
+- [New] Barracuda System Event
+- [New] CyberArk Audit Authentication
+- [New] CyberArk Audit Catch All
+- [Updated] 1Password Item Audit Actions
+- [Updated] 1Password Item Usage Actions
+- [Updated] 1Password Item Usage C2C
+- [Updated] 1Password Signin C2C
+- [Updated] CloudTrail - iam.amazonaws.com - Policy Change
+- [Updated] CrowdStrike Audit Logs
+- [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
+- [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
+- [Updated] CrowdStrike UserActivity Logs
+- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
+- [Updated] Linux OS Syslog - Process sshd - SSH Bind Listening and negotiate event
+
+## Parsers
+- [New] /Parsers/System/Barracuda/Barracuda CloudGen
+- [New] /Parsers/System/Barracuda/Barracuda WAF
+- [New] /Parsers/System/Cyber-Ark/CyberArk Audit
+- [Updated] /Parsers/System/Kubernetes/Kubernetes
+- [Updated] /Parsers/System/Linux/Linux OS Syslog

blog-csoar/2024/12-31.md

@@ -35,7 +35,7 @@ This release introduces new integrations, new playbooks, and several updates.
 #### Integrations
 
 * [New] [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat)
-* [New] [Malwarebytes Oneview](/docs/platform-services/automation-service/app-central/integrations/malwarebytes-oneview)
+* [New] [Malwarebytes ThreatDown OneView](/docs/platform-services/automation-service/app-central/integrations/threatdown-oneview)
 * [New] [Silent Push](/docs/platform-services/automation-service/app-central/integrations/silent-push)
 * [New] [Sumo Logic Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools)
 * [New] [VirusTotal V3](/docs/platform-services/automation-service/app-central/integrations/virustotal-v3)

blog-service/2025-02-27-apps.md

@@ -0,0 +1,15 @@
+---
+title: Automox (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - automox
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We're excited to introduce the new Automox app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Automox source to collect audit and event logs from the Automox platform. It provides security and IT teams with visibility into endpoint management and security. By using this app, teams can improve their security monitoring, streamline endpoint management, and strengthen operational resilience. [Learn more](/docs/integrations/saas-cloud/automox/).
+

blog-service/2025-02-27-collection.md

@@ -0,0 +1,14 @@
+---
+title: CyberArk Audit Source (Collection)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - collection
+  - cyberark-audit-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We're excited to announce the release of our new cloud-to-cloud source for CyberArk Audit. This source aims to collect the audit events from the CyberArk platform using the CyberArk SIEM integrations API and send them to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source).

blog-service/2025-02-28-apps.md

@@ -0,0 +1,36 @@
+---
+title: Apps, Solutions, and Collection Integrations - February Release 
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - february-release
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+### New release
+
+We’re excited to announce the release of the new Azure Container Instance app and three OpenTelemetry Remote Management source templates for Sumo Logic.
+
+- **Azure Container Instance app**. Azure Container Instances is a fully managed serverless container service that enables you to deploy and manage containers in Azure without the need for virtual machines. This integration allows you to analyse logs and metrics pertaining to Azure Container Instances. [Learn more](/docs/integrations/microsoft-azure/azure-container-instances/).
+
+- **OpenTelemetry Remote Management**. Released [MySQL](/docs/send-data/opentelemetry-collector/remote-management/source-templates/mysql/), [PostgreSQL](/docs/send-data/opentelemetry-collector/remote-management/source-templates/postgresql/), and [ElasticSearch](/docs/send-data/opentelemetry-collector/remote-management/source-templates/elasticsearch/) OpenTelemetry Remote Management source templates.
+
+### Enhancements
+
+- **AWS Serverless Application Models and CloudFormation templates**. Updated the following AWS Serverless Application Models (SAMs) and CloudFormation templates with the latest [Lambda runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html):
+    - **[Node.js 22](https://github.com/SumoLogic/sumologic-aws-lambda/releases/tag/v1.2.18)**
+        - [sumologic-loggroup-connector](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/loggroup-lambda-connector) - SAM SemanticVersion: 1.0.15.
+        - [sumologic-guardduty-events-processor](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudwatchevents/guardduty) - SAM SemanticVersion: 1.0.6.
+        - [sumologic-guardduty-benchmark](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudwatchevents/guarddutybenchmark) - SAM SemanticVersion: 1.0.17.
+        - [AWS CloudWatch Logs With Dead Letter Queue](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudwatchlogs-with-dlq)
+    - **[Python 3.13](https://github.com/SumoLogic/sumologic-aws-lambda/releases/tag/v1.2.19)**
+        - [sumologic-s3-logging-auto-enable](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/awsautoenableS3Logging) - SAM SemanticVersion: 1.0.17.
+        - [sumologic-aws-cloudtrail-benchmark](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudtrailbenchmark) - SAM SemanticVersion: 1.0.20.
+        - [sumologic-app-utils](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/sumologic-app-utils) - SAM SemanticVersion: 2.0.20.
+        - [sumologic-securityhub-collector](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/securityhub-collector/sam) - SAM SemanticVersion: 1.0.10.
+        - [sumologic-securityhub-forwarder](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/securityhub-forwarder) - SAM SemanticVersion: 1.0.11.
+        - [Kinesis Metric Collection](https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/kinesis-firehose-cloudwatch-collection/metrics)

blog-service/2025-03-03-copilot-search.md

@@ -0,0 +1,41 @@
+---
+title: New in Copilot - Dynamic Titles, Alert Troubleshooting, and Pinned Suggestions (Copilot)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - copilot
+  - log-search
+  - search
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We've introduced three new features to improve your Copilot experience:  
+
+### Dynamic Conversation Titles
+
+Copilot now automatically updates conversation titles based on your query, making it easier to track and revisit past investigations. You can also customize it by clicking the pencil icon next to the title.  
+
+* **Better organization**. Conversations now have meaningful names for easy navigation.  
+* **Faster troubleshooting**. Quickly find and resume previous investigations.  
+* **More control**. Rename conversations to match your workflow.  
+
+
+### "Open in Copilot" for Alerts
+
+We've added an **Open in Copilot** button to the Alert Response page, allowing you to troubleshoot alerts directly in Copilot. This preserves the alert context, making it seamless to investigate and resolve issues.
+
+* **Faster root cause analysis**. Jump into Copilot instantly from an alert.  
+* **Context-aware troubleshooting**. Maintain alert details while searching logs.  
+
+
+### Suggestion Pinning
+
+Now you can pin Copilot suggestions for easy reference. Just hover over a suggestion and click the pin icon to save it within your conversation.
+
+* **Quick access**. Keep important suggestions handy for ongoing investigations.  
+* **Improved workflow**. No need to scroll back to find key recommendations.
+
+[Learn more](/docs/search/copilot).