Updates from review

Author: jpipkin1

blog-cse/2025-05-09-content.md

@@ -11,17 +11,18 @@ hide_table_of_contents: true
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This release includes:
-- New rules for monitoring AWS services (see below for tuning guidance)
-- Updated rules for Microsoft O365 and Powershell
-- Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity
-- Updates to Cisco Umbrella mappers to add user_username
-- Updates to SentinelOne mappers to drop null values
-- New parsers for Azure Virtual Network and SentinelOne MGMT API
-- Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C
-- Changes are enumerated below
+- New rules for monitoring AWS services (see below for tuning guidance).
+- Updated rules for Microsoft O365 and Powershell.
+- Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
+- Updates to Cisco Umbrella mappers to add user_username.
+- Updates to SentinelOne mappers to drop null values.
+- New parsers for Azure Virtual Network and SentinelOne MGMT API.
+- Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.
 
+Changes are enumerated below.
 
-## Rules
+
+### Rules
 - [New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
     - [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
 - [New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
@@ -31,11 +32,11 @@ This release includes:
 - [New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
     - [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
 - [Updated] MATCH-S00069 O365 - Users Password Reset
-    - changed Entity and Summary, replacing user_username with targetUser_username
+    - Changed Entity and Summary, replacing user_username with targetUser_username.
 - [Updated] MATCH-S00449 Powershell Execution Policy Bypass
-    - Fix camel case in commandLine field
+    - Fixed camel case in commandLine field.
 
-## Log Mappers
+### Log Mappers
 - [New] Azure Virtual Network Flow logs
 - [Updated] Abnormal Security Threats
 - [Updated] Cisco ASA 103001 JSON
@@ -130,18 +131,18 @@ This release includes:
 - [Updated] SentinelOne Logs - C2C users
 - [Updated] SentinelOne Logs - Syslog Custom Parser
 
-## Parsers
+### Parsers
 - [New] /Parsers/System/Microsoft/Azure Virtual Network
 - [New] /Parsers/System/SentinelOne/SentinelOne MGMT API
 - [Updated] /Parsers/System/Abnormal Security/Abnormal Security
-    - pdated the parser to support new events
+    - Updated the parser to support new events.
 - [Updated] /Parsers/System/Cisco/Cisco ASA
-    - Updated regex to fix ASA-6-721016 events
+    - Updated regex to fix ASA-6-721016 events.
 - [Updated] /Parsers/System/Cisco/Cisco ISE
-    - Updated parser to drop certain non-actionable logs
+    - Updated parser to drop certain non-actionable logs.
 - [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
-    - Updated parser to support additional event format variations
+    - Updated parser to support additional event format variations.
 - [Updated] /Parsers/System/Cylance/Cylance Syslog
-    - Updated parser to support new events
+    - Updated parser to support new events.
 - [Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
-    - Updated parser to drop phishing test events
+    - Updated parser to drop phishing test events.