SumoLogic
diff --git a/‎.clabot‎
Lines changed: 4 additions & 1 deletion b/‎.clabot‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎blog-cse/2025-08-01-content.md‎
Lines changed: 99 additions & 0 deletions b/‎blog-cse/2025-08-01-content.md‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎blog-service/2025-07-28-alerts.md‎
Lines changed: 19 additions & 0 deletions b/‎blog-service/2025-07-28-alerts.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎blog-service/2025-07-31-apps.md‎
Lines changed: 21 additions & 0 deletions b/‎blog-service/2025-07-31-apps.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎blog-service/2025-07-31-collection.md‎
Lines changed: 12 additions & 0 deletions b/‎blog-service/2025-07-31-collection.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎blog-service/2025-08-01-collection.md‎
Lines changed: 23 additions & 0 deletions b/‎blog-service/2025-08-01-collection.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎blog-service/2025-08-04-apps.md‎
Lines changed: 12 additions & 0 deletions b/‎blog-service/2025-08-04-apps.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎blog-service/2025-08-07-collection.md‎
Lines changed: 12 additions & 0 deletions b/‎blog-service/2025-08-07-collection.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎blog-service/2025-08-08-collection.md‎
Lines changed: 12 additions & 0 deletions b/‎blog-service/2025-08-08-collection.md‎
Lines changed: 12 additions & 0 deletions
@@ -185,7 +185,10 @@
     "snyk-bot",
     "stephenthedev",
     "Apoorvkudesia-sumologic",
-    "ntanwar-sumo"
+    "ntanwar-sumo",
+    "aj-sumo",
+    "samiura",
+    "naveenrama"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",
 
@@ -0,0 +1,99 @@
+---
+title: August 1, 2025 - Content Release
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - log mappers
+  - parsers
+  - rules
+  - schema
+hide_table_of_contents: true    
+---
+
+This content release includes:
+- New rules to assist in detection of the ToolShell exploit against Microsoft SharePoint Server (CVE-2025-53770, CVE-2025-53771) and other web shell attack activity.
+- Updates to rules.
+- Parsing support for Open Cybersecurity Schema Framework (OCSF) logging.
+    - Designed to support AWS Security Hub Findings via OCSF, but broadly compatible with other OCSF data sources.
+- Mapping support for AWS Security Hub Findings via OCSF.
+    - AWS Security Hub via OCSF mapping support includes mappers which can be easily cloned and repurposed to support additional sources of data which use OCSF. Not all OCSF categories and classes are necessarily pertinent to AWS Security Hub data produced at this time.
+    - Additional mappers for OCSF data sources will be added in future releases.
+- Updates to AWS Security Hub (non-OCSF) mapper to reduce signal volume by using a less granular field for `threat_signalName` and to map general resources into `resource` field.
+- New mappers for Citrix NetScaler and Palo Alto Firewall events.
+- Updates to existing mappers/parsers for AWS, Azure, Citrix NetScaler, Linux Sysmon, Windows Sysmon, and Zscaler to support additional events and field mappings.
+- Allows `resource` to be used as an entity in rules.
+
+Other changes are enumerated below.
+
+
+### Rules
+- [New] MATCH-S01050 IIS - Executable File Added to Directory
+    - Executable files added to Microsoft Internet Information Server (IIS) directories can indicate the installation of a web shell by an attacker. For example, the ToolShell exploit (CVE-2025-53770, CVE-2025-53771) included the installation of spinstall10.aspx in an executable directory.
+- [New] MATCH-S01051 SharePoint Server ToolShell Exploitation (CVE-2025-53770, CVE-2025-53771)
+    - Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
+- [New] MATCH-S01052 SharePoint Server ToolShell Web Shell Interaction (CVE-2025-53771)
+    - Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
+- [Updated] MATCH-S00402 Normalized Security Signal
+    - Adjusted summary to remove `{{device_hostname}}` to avoid `null` values for blank hostnames.
+    - Added `resource` to entity selector
+- [Updated] MATCH-S00061 Zscaler - Allowed Elevated Risk Score Events
+    - Updated rule expression and severity score to use normalized fields.
+
+### Log Mappers
+- [New] AWS Security Hub - OCSF Finding Events
+- [New] AWS Security Hub - Application Activity *
+- [New] AWS Security Hub - Authentication Event*
+- [New] AWS Security Hub - DHCP Activity*
+- [New] AWS Security Hub - DNS Activity*
+- [New] AWS Security Hub - Discovery Event*
+- [New] AWS Security Hub - Email Activity*
+- [New] AWS Security Hub - File System events*
+- [New] AWS Security Hub - HTTP Activity*
+- [New] AWS Security Hub - IAM Account change|Authorize Session|Entity Management|User Access Management|Group Management*
+- [New] AWS Security Hub - Kernel Extension Activity|Kernel Activity|Memory Activity|Module Activity|Scheduled Job Activity|Process Activity|Event Log Activity|Script Activity*
+- [New] AWS Security Hub - Network Activity|RDP Activity|SMB Activity|SMB Activity|SSH Activity|FTP Activity|NTP Activity|Tunnel Activity|Network Remediation Activity*
+- [New] AWS Security Hub - Remediation Activity|Process Remediation Activity*
+- [New] AWS Security Hub - Unmanned Systems*
+- [New] Citrix NetScaler - AAA-AUTH-REQ
+- [New] Palo Alto Audit Authentication logs
+- [New] Palo Alto Audit Catch All
+- [Updated] AWS Security Hub
+- [Updated] Azure Event Hub - Windows Defender Audit file events
+- [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
+- [Updated] Citrix NetScaler - Command Executed
+- [Updated] Citrix NetScaler - MESSAGE
+- [Updated] Citrix NetScaler - SSL Handshake Success
+- [Updated] Citrix NetScaler - SSLVPN-LOGIN
+- [Updated] Keeper Authentication
+- [Updated] Keeper Catch All
+- [Updated] Mimecast AV Event
+- [Updated] Mimecast Email logs
+- [Updated] Linux-Sysmon/Operational - 11
+    - Added more normalized fields
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+    - Added more normalized fields.
+- [Updated] Zscaler - Nanolog Streaming Service - JSON
+    - Added normalizedAction for allow/deny actions and alternate values for IPs.
+
+\* Security Hub via OCSF is currently limited to the OCSF Findings category. Additional mappers are in place to support potential future Security Hub events that utilize other OCSF categories and classes. These can be cloned and repurposed to support additional sources of data which use OCSF.
+
+### Parsers
+- [Deleted] /Parsers/System/Mindpoint Group/Mindpoint SurePass
+    - Updated erroneous vendor name in parser.
+    - Any existing references to this parser path will need to be updated to the new parser path.
+- [New] /Parsers/System/Keeper/Keeper
+    -  New parser for Keeper with correct vendor name.
+- [New] /Parsers/System/OCSF/OCSF
+- [New] /Parsers/System/SurePass/SurePass
+    - New parser path for Surepass to reflect correct vendor name.
+- [Updated] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
+    - Updated parser to point to new parser path with correct vendor name.
+- [Updated] /Parsers/System/Microsoft/Office 365
+    - Updated to fix issue with `normalizedLogon` field not being populated correctly.
+- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
+    - Updated header regex, added support for new events, and added new time format.
+- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
+    - Updated to handle new log formats and fields.
+
+### Schema
+- [Updated] resource
+    - Enables `resource` as an entity.
@@ -0,0 +1,19 @@
+---
+title: Time range limits for subqueries in scheduled searches (Alerts)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - alerts
+  - scheduled searches
+  - subqueries
+hide_table_of_contents: true    
+---
+
+We've introduced time range limits for subqueries in scheduled searches. This change helps you prevent long-running, inefficient queries, especially those impacting system stability and that drive up costs. While maintaining flexibility, these optimizations protect system health and reduce operational overhead.
+
+Key benefits of this enhancements include:
+
+- Improved query performance and responsiveness.
+- Encourage efficient search practices.
+- Support sustainable resource usage.
+
+[Learn more](/docs/alerts/scheduled-searches/schedule-search/#step-3-time-range).
@@ -0,0 +1,21 @@
+---
+title: Apps, Solutions, and Collection Integrations - July Release 
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - july-release
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### Enhancements
+
+- **Updated the following OpenTelemetry apps**:
+  - [Oracle - OpenTelemetry](/docs/integrations/databases/opentelemetry/oracle-opentelemetry/). Updated the dashboards and monitors with new metrics.
+  - [SQL Server - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-opentelemetry/). Fixed the collection form bug.
+  - [SQL Server for Linux - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-linux-opentelemetry/):
+    - Updated the dashboards and monitors with new metrics.
+    - The app now supports metric collection from both Windows and Linux environments.
+- **Updated the following Webhook app**:
+  - Updated the event types for [Sentry](/docs/integrations/webhooks/sentry/).
@@ -0,0 +1,12 @@
+---
+title: OneLogin Source (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - c2c
+  - onelogin-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce the release of our new cloud-to-cloud source for OneLogin. This source aims to collect the user list logs from the OneLogin API and send it to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source).
@@ -0,0 +1,23 @@
+---
+title: Cloud Syslog Source Certificate Transition to ACM (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - certificates
+  - Cloud Syslog Source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce that we are transitioning to AWS Certificate Manager (ACM) certificates for Transport Layer Security (TLS) communication between your cloud syslog sources and Sumo Logic.
+
+Currently, Sumo Logic uses a DigiCert ALB certificate to secure communication with your cloud syslog sources. This certificate is set to expire on October 13, 2025, at which point Sumo Logic will transition to the ACM root certificates. This change provides the following benefits:
+* **Automated certificate renewal and deployment**. ACM eliminates the need for future manual renewals, reducing administrative overhead.
+* **Simplified infrastructure management for AWS customers**. ACM is deeply integrated into the AWS ecosystem, streamlining your overall infrastructure management. Because Sumo Logic is also on AWS, using ACM provides a seamless experience.
+
+If you use cloud syslog sources to send data to Sumo Logic, please prepare for this transition by downloading and configuring the ACM certificate on your system. For more information and setup instructions, see:
+* [Cloud Syslog Source](/docs/send-data/hosted-collectors/cloud-syslog-source/)
+* [rsyslog](/docs/send-data/hosted-collectors/cloud-syslog-source/rsyslog)
+* [syslog-ng](/docs/send-data/hosted-collectors/cloud-syslog-source/syslog-ng/)
+* [Collect Logs for SentinelOne](/docs/send-data/collect-from-other-data-sources/collect-logs-sentinelone/)
+* [Acquia](/docs/integrations/saas-cloud/acquia/#step-2-configure-a-source)
@@ -0,0 +1,12 @@
+---
+title: AWS Security Hub - OCSF (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - aws-security-hub
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new AWS Security Hub - OCSF app for Sumo Logic, which enables you to gain real-time visibility into your security hub findings data. This app can help security teams identify threats, track compliance violations, and investigate affected resources with speed and clarity. [Learn more](/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf).
@@ -0,0 +1,12 @@
+---
+title: AWS IAM Users Source (Collection)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - c2c
+  - aws-iam-users-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce the release of our new cloud-to-cloud source for AWS IAM Users. This source collects the IAM User Inventory logs from the AWS SDK and sends them to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/aws-iam-users-source).
@@ -0,0 +1,12 @@
+---
+title: GitHub Copilot Source (Collection)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - c2c
+  - github-copilot-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce the release of our new cloud-to-cloud source for GitHub Copilot. This source aims to collect the organization and team metrics logs from the Copilot platform and send them to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/github-copilot-source).