Merge branch 'main' into chvik/berry

Author: kimsauce

.clabot

@@ -172,7 +172,8 @@
     "chetanchoudhary-sumo",
     "JamoCA",
     "darshan-sumo",
-    "mahendrak-sumo"
+    "mahendrak-sumo",
+    "chvik"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

blog-service/2025-01-10-apps.md

@@ -0,0 +1,18 @@
+---
+title: New SaaS and Cloud Apps Release (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - symantec-endpoint-security-service
+  - jamf
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+- **Symantec Endpoint Security Service**. We're excited to introduce the new Symantec Endpoint Security Service app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Symantec Endpoint Security source that collects incident and event logs data from the Symantec Endpoint Security platform. This app provides real-time insights into the log data that allows you to monitor and manage endpoint security in real time, enhancing quick responses to threats. [Learn more](/docs/integrations/saas-cloud/symantec-endpoint-security-service/).
+
+- **Jamf**. We're excited to introduce the new Jamf app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Jamf source that collects inventory data from the Jamf platform. This app helps security analysts with critical insights into their organization's Jamf environment. [Learn more](/docs/integrations/saas-cloud/jamf/).
+

cid-redirects.json

@@ -1578,6 +1578,7 @@
   "/cid/10111": "/docs/integrations/app-development/jfrog-xray",
   "/cid/10188": "/docs/integrations/saas-cloud/miro",
   "/cid/10187": "/docs/integrations/saas-cloud/digital-guardian-arc",
+  "/cid/10114": "/docs/integrations/saas-cloud/jamf",
   "/cid/10208": "/docs/integrations/saas-cloud/cisco-meraki-c2c",
   "/cid/10209": "/docs/integrations/security-threat-detection/cisco-meraki",
   "/cid/10210": "/docs/integrations/saas-cloud/proofpoint-tap",
@@ -1595,6 +1596,7 @@
   "/cid/10198": "/docs/integrations/saas-cloud/microsoft-graph-azure-ad-reporting",
   "/cid/10193": "/docs/integrations/saas-cloud/asana",
   "/cid/10181": "/docs/integrations/saas-cloud/atlassian",
+  "/cid/10207": "/docs/integrations/saas-cloud/symantec-endpoint-security-service",
   "/cid/10197": "/docs/integrations/saas-cloud/symantec-web-security-service",
   "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one",
   "/cid/10112": "/docs/integrations/app-development/jfrog-xray",

docs/integrations/amazon-aws/cis-aws-foundations-benchmark.md

@@ -34,9 +34,9 @@ The CIS AWS Foundation Benchmark App ingests [AWS CloudTrail](/docs/integrations
 
 Now that you have configured CIS AWS Foundation Benchmark, install the Sumo Logic App for CIS AWS Foundation Benchmark to take advantage of the preconfigured searches and dashboards to analyze your data.
 
-import AppInstall from '../../reuse/apps/app-install.md';
+import AppInstall2 from '../../reuse/apps/app-install-v2.md';
 
-<AppInstall/>
+<AppInstall2/>
 
 For context regarding the CIS AWS Foundation Benchmark App, check out this [blog](https://www.sumologic.com/blog/cis-aws-foundations-benchmark-monitoring/) where we describe the monitoring controls.
 

docs/integrations/app-development/opentelemetry/jfrog-artifactory-opentelemetry.md

@@ -259,10 +259,10 @@ import CreateMonitors from '../../../reuse/apps/create-monitors.md';
 
 | Name | Description | Alert Condition | Recover Condition |
 |:--|:--|:--|:--|
-| `Artifactory - Excessive Denied Login Attempts` | This alert is triggered when there are multiple denied login attempts from the same IP or user. | Count `>` 5 | Count `<=` 5 |
-| `Artifactory - High 4xx Status Codes` | This alert is triggered when there's a high number of HTTP 4xx error responses. | Count `>` 10 | Count `<=` 10 |
-| `Artifactory - High 5xx Status Codes` | This alert is triggered when there's a high number of HTTP 5xx error responses. | Count `>` 10 | Count `<=` 10 |
-| `Artifactory - High Denied Deploys to Cached Repos` | This alert is triggered when there's a high number of denied deploy attempts to cached repositories. | Count `>` 5 | Count `<=` 5 |
-| `Artifactory - High Denied Deploys to Non-Cached Repos` | This alert is triggered when there's a spike in denied deploy attempts to non-cached repositories. | Count `>` 5 | Count `<=` 5 |
-| `Artifactory - High Denied Downloads` | This alert is triggered when there's a high number of denied download attempts. | Count `>` 5 | Count `<=` 5 |
-| `Artifactory - Slow HTTP Response Times` | This alert is triggered when Artifactory response times are high. | Count `>` 5 | Count `<=` 5 |
+| `Artifactory - Excessive Denied Login Attempts` | This alert is triggered when there are multiple denied login attempts from the same IP or user. | Count > 5 | Count \<= 5 |
+| `Artifactory - High 4xx Status Codes` | This alert is triggered when there's a high number of HTTP 4xx error responses. | Count > 10 | Count \<= 10 |
+| `Artifactory - High 5xx Status Codes` | This alert is triggered when there's a high number of HTTP 5xx error responses. | Count > 10 | Count \<= 10 |
+| `Artifactory - High Denied Deploys to Cached Repos` | This alert is triggered when there's a high number of denied deploy attempts to cached repositories. | Count > 5 | Count \<= 5 |
+| `Artifactory - High Denied Deploys to Non-Cached Repos` | This alert is triggered when there's a spike in denied deploy attempts to non-cached repositories. | Count > 5 | Count \<= 5 |
+| `Artifactory - High Denied Downloads` | This alert is triggered when there's a high number of denied download attempts. | Count > 5 | Count \<= 5 |
+| `Artifactory - Slow HTTP Response Times` | This alert is triggered when Artifactory response times are high. | Count > 5 | Count \<= 5 |

docs/integrations/app-development/opentelemetry/jira-opentelemetry.md

@@ -277,3 +277,21 @@ The **Jira - Sprints Events** dashboard provides insights on sprint events in Ji
 The **Jira - User Events** dashboard provides information about user events in Jira, including the number of user events, trends, and users that have been updated, created, and deleted.
 
 <img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Jira-OpenTelemetry/Jira-User-Events.png' alt="User Events" />
+
+
+## Create monitors for Jira app
+
+import CreateMonitors from '../../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Jira alerts
+
+| Name | Description | Alert Condition | Recover Condition |
+|:--|:--|:--|:--|
+| `Jira - Abnormal Session Creation Rate Alert` | This alert is triggered when there are unusual patterns in session creation/destruction that might indicate security issues or system problems. | Count >= 1 | Count < 1 |
+| `Jira - High Average Response Time Alert` | This alert is triggered when elevated response times in Jira are detected, indicating potential performance degradation. | Count >= 5000 | Count < 5000 |
+| `Jira - High HTTP 4xx Error Rate Alert` | This alert is triggered when there is increase in HTTP 4xx errors to detect service disruptions. | Count >= 50 | Count < 50 |
+| `Jira - High HTTP 5xx Error Rate Alert` | This alert is triggered when there is increase in HTTP 5xx errors to detect service disruptions. | Count >= 50 | Count < 50 |
+| `Jira - High Priority Issues Unassigned SLA Alert` | This alert is triggered when high-priority issues remain unassigned beyond the Default SLA threshold of 30 minutes (1800000 milliseconds). To adjust the SLA, update the value in the query to the desired time in milliseconds (e.g., 15 minutes = 900000, 1 hour = 3600000). | Count >= 1 | Count < 1 |
+| `Jira - Rapid Authentication Failures Alert` | This alert is triggered when a single user experiences more than 10 failed login attempts within 5 minutes, indicating potential password guessing attempts or account lockout issues. | Count > 10 | Count \<= 10 |

docs/integrations/app-development/opentelemetry/jmx-opentelemetry.md

@@ -251,4 +251,4 @@ import CreateMonitors from '../../../reuse/apps/create-monitors.md';
 | `JMX - High Heap Memory Usage Alert` | This alert gets triggered when heap memory usage exceeds threshold. | Count < 20 | Count >= 20 |
 | `JMX - High Memory Pool Usage Alert` | This alert gets triggered when memory pool usage exceeds threshold. | Count < 20 | Count >= 20 |
 | `JMX - High Non Heap Memory Usage Alert` | This alert gets triggered when non heap memory usage exceeds threshold. | Count < 20 | Count >= 20 |
-| `JMX - High Number Of Classes Loaded Alert` | This alert gets triggered when high number of classes are loaded. | Count > 1000 | Count < = 1000 |
+| `JMX - High Number Of Classes Loaded Alert` | This alert gets triggered when high number of classes are loaded. | Count > 1000 | Count \<= 1000 |

docs/integrations/app-development/opentelemetry/puppet-opentelemetry.md

@@ -276,3 +276,18 @@ This sample query is from the **Puppet - Overview** dashboard > **Node Requests
 ### Node Puppet Runs Analysis: Puppet Node Runs Analysis
 
 <img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Puppet-OpenTelemetry/Puppet-Node-Puppet-Runs-Analysis.png' alt="Node Puppet Runs Analysis" />
+
+## Create monitors for Puppet app
+
+import CreateMonitors from '../../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Puppet alerts
+
+| Name | Description | Alert Condition | Recover Condition |
+|:--|:--|:--|:--|
+| `Puppet - Catalog Compilation Performance` | This alert is triggered when average time taken to compile Puppet catalogs is greater than given value (Default 30 seconds). Extended compilation times can indicate Puppet master performance issues, complex catalogs, or resource constraints. | Count \>= 30 | Count \< 30 |
+| `Puppet - Erroneous Nodes` | This alert is triggered when a node has error more errors then given value (Default 5). | Count \>= 5 | Count \< 5 |
+| `Puppet - Error Pattern Analysis` | This alert is triggered when Puppet error logs show recurring patterns that may indicate issues, helping detect problems that need investigation. | Count \>= 20 | Count \< 20 |
+| `Puppet - Resource Status Failures` | This alert is triggered when there are specific resource failures greater than given value (Default 5). | Count \>= 5 | Count \< 5 |

docs/integrations/cloud-security-monitoring-analytics/opentelemetry/linux-opentelemetry.md

@@ -223,3 +223,19 @@ Use this dashboard to:
 - Monitor service usage and other system activity.
 
 <img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Linux-Cloud-Security-Monitoring-and-Analytics/Opentelemetry/Linux-Security-Analytics-User-Service-and-System-Monitoring.png' style={{border: '1px solid gray'}} alt="Linux-Security-Analytics-User-Service-and-System-Monitoring" />
+
+
+## Create monitors for Linux - Cloud Security Monitoring and Analytics app
+
+import CreateMonitors from '../../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Linux - Cloud Security Monitoring and Analytics alerts
+
+| Name | Description | Alert Condition | Recover Condition |
+|:--|:--|:--|:--|
+| `Linux CSMA - Excessive Failed Authentication` | This alert is triggered when multiple failed login attempts from the same source are detected, indicating potential brute force attempts. | Count > 10 | Count \<= 10 |
+| `Linux CSMA - Root Login Detection` | This alert is triggered when direct login attempts using the root account are detected, indicating a potential security concern since root logins should typically be disabled. | Count \>= 1 | Count < 1 |
+| `Linux CSMA - System Shutdown Detection` | This alert is triggered when unexpected system shutdown events are detected through kernel stop messages, which may indicate unauthorized access, malicious activity, power issues, or system failures. | Count > 0 | Count \<= 0 |
+| `Linux CSMA - User Account Creation Spike` | This alert is triggered when multiple user accounts are created in a short time period, which may indicate automated account creation, compromised systems, or unauthorized bulk user provisioning. | Count > 3 | Count \<= 3 |

docs/integrations/microsoft-azure/microsoft-graph-identity-protection.md

@@ -120,16 +120,33 @@ _sourceCategory=msgip-app-src riskEventType
 | count(risk_id) by risk_level
 | sort by _count
 ```
+## Collection configuration and app installation
 
-## Collecting logs for Microsoft Graph Identity Protection API
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
 
-This section explains how to collect logs from Microsoft Graph Identity Protection API and ingest them into Sumo Logic. For details, see [Cloud-to-Cloud-Integration for Microsoft Graph Identity Protection Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-identity-protection-source/) to create the source and use the same source category while installing the app.
+<CollectionConfiguration/>
 
-## Installing the Microsoft Graph Identity Protection app
+:::important
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Identity Protection](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-identity-protection-source) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Microsoft Graph Identity Protection app is properly integrated and configured to collect and analyze your Microsoft Graph Identity Protection data.
+:::
 
-import AppInstall2 from '../../reuse/apps/app-install-v2.md';
+### Create a new collector and install the app
 
-<AppInstall2/>
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
 
 ## Viewing Microsoft Graph Identity Protection dashboards