
Commit b107775

Merge branch 'main' into JV0812-patch-2
2 parents 3156649 + c93c6ad commit b107775

34 files changed, +224 -231 lines changed
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
---
2+
title: Scope-Based Variable (Dashboards)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- dashboard
6+
- scope-based-variable
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
We’re excited to introduce a new dashboard variable type: Scope-Based Variables. Scope-Based Variables act as log filters that can be automatically applied to all or selected panels within a dashboard. This helps you to easily filter data across multiple panels without needing to manually edit each panel’s query to accept the variable. [Learn more](/docs/dashboards/filter-template-variables).
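Review bot: the `import useBaseUrl from '@docusaurus/useBaseUrl';` on line 10 is unused, since the body contains no `<img>`; drop it or add the screenshot it was meant for. Also, the body links to the general `/docs/dashboards/filter-template-variables` page, while this same commit adds an `Add a Scope-based Variable` section to that page; linking to that heading's anchor would land readers on the procedure. Naming is inconsistent across the commit as well: this note says `Scope-Based Variables`, the dashboards page says both `Scope-based Variable` and `Scope Based Variable`; pick one form.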

docs/alerts/monitors/alert-variables.md

Lines changed: 1 addition & 0 deletions
@@ -36,6 +36,7 @@ Variables must be enclosed by double curly brackets (`{{ }}`). Unresolved variab
3636
| `{{TriggerTimeEnd}}` | The end time of the time range that triggered the monitor in Unix format. For example, `1626190592042`. | ✅| ✅|
3737
| `{{SourceURL}}` | The URL to the configuration or status page of the monitor in Sumo Logic. | ✅| ❌ |
3838
| `{{AlertResponseUrl}}` | When your monitor is triggered, it will generate a URL and provide it as the value of this variable where you can use it to open alert response. | ✅| ❌ |
39+
| `{{AlertResponseId}}` | The unique identifier of the triggered alert. | ✅| ❌ |
3940
| `{{AlertName}}` | Name of the alert that will be displayed on the alert page. | ✅| ✅|
4041
| `{{Playbook}}` | Allows you to access the [playbook content](/docs/alerts/monitors/create-monitor/#step-4-playbook-optional) configured as part of your initial monitor setup. | ✅| ✅|
4142
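Review bot: the new `{{AlertResponseId}}` row would be easier to use with an example value, as the `{{TriggerTimeEnd}}` row above does (`1626190592042`), and with a sentence on how it relates to `{{AlertResponseUrl}}` in the row immediately before it; as written a reader has to guess whether the ID is the one embedded in that URL. The ✅/❌ availability columns match the `{{AlertResponseUrl}}` row, which looks right.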

docs/cloud-soar/automation.md

Lines changed: 17 additions & 1 deletion
@@ -17,14 +17,30 @@ The **Automation** section contains configuration tools for Cloud SOAR's automat
1717

1818
Because Cloud SOAR provides automation functionality to the [Automation Service](/docs/platform-services/automation-service/), many features are identical between Cloud SOAR and the Automation Service. Therefore, for information about the following Cloud SOAR features, see the Automation Service articles:
1919
* [App Central](/docs/platform-services/automation-service/app-central/)
20-
* [Playbooks](/docs/platform-services/automation-service/automation-service-playbooks/)
2120
* [Integrations](/docs/platform-services/automation-service/automation-service-integrations/)
2221
* [Automation bridge](/docs/platform-services/automation-service/automation-service-bridge)
2322
* [Integration framework](/docs/platform-services/automation-service/integration-framework/)
2423
* [Audit logging](/docs/platform-services/automation-service/automation-service-audit-logging)
24+
* [Playbooks](/docs/platform-services/automation-service/automation-service-playbooks/). (For information specific to running playbooks in Cloud SOAR, see [Run playbooks in Cloud SOAR](#run-playbooks-in-cloud-soar) below.)
2525

2626
The following sections describe automation features only used in Cloud SOAR.
2727

28+
## Run playbooks in Cloud SOAR
29+
30+
In Cloud SOAR, playbooks are run from [incidents](/docs/cloud-soar/incidents-triage/#incidents). To run playbooks in Cloud SOAR, perform the following steps:
31+
1. [Create a playbook](/docs/platform-services/automation-service/automation-service-playbooks/#create-a-new-playbook) to use in incident response. When you create the playbook, do the following:
32+
1. Click the **Edit** icon on the **Start** node:<br/><img src={useBaseUrl('img/platform-services/automation-service/start-node.png')} alt="Start node" style={{border:'1px solid gray'}} width="100"/>
33+
1. Ensure that the **Add one or more params as a playbook input** field is left blank: <br/><img src={useBaseUrl('img/platform-services/automation-service/edit-start-node-input.png')} alt="Edit node dialog" style={{border:'1px solid gray'}} width="500"/><br/>Do *not* click the field to show the dropdown menu: <br/><img src={useBaseUrl('img/platform-services/automation-service/start-node-parameters.png')} alt="Types of start node parameters" style={{border:'1px solid gray'}} width="400"/><br/>The other values in the field are used for automation outside of Cloud SOAR:
34+
* **Insight** and **Entity** are for launching a playbook from a Cloud SIEM automation.
35+
* **Alert** is for launching a playbook from a monitor.
36+
* **Parse from JSON** is for launching a playbook from another playbook.
37+
1. Proceed to create the playbook as needed.
38+
1. [Create an incident template](#create-a-new-incident-template) to be assigned to incidents. When you create the template, add the playbook to the template and select **Autorun** to run the playbook when the incident is created, or deselect if you want to manually run the playbook from the incident.<br/><img src={useBaseUrl('img/cloud-soar/new-incident-template-add-playbook.png')} alt="New template" style={{border: '1px solid gray'}} width="700"/>
39+
1. Monitor and run playbooks on [incidents](/docs/cloud-soar/incidents-triage/#incidents):
40+
* Within an incident, select **Operations > Playbooks** to see the playbooks assigned to the incident.
41+
* If playbooks haven't been assigned by an incident template, you can add playbooks by clicking the **+** button.
42+
* To manually run a playbook for the incident, click the **Run** button at the bottom of the screen.<br/><img src={useBaseUrl('img/cloud-soar/playbook-on-incident.png')} alt="Playbook on an incident" style={{border: '1px solid gray'}} width="700"/>
43+
2844
## Incident templates
2945

3046
Incident templates define the way in which incidents will be created for a specific alert, incident type or event. They allow you to define a certain number of incident attributes (for example, incident type, severity, assignment, and any other default or custom incident parameters) that will automatically be set each time an incident is generated, based on the template. This may include type, classification, incident assignment, playbooks, knowledge base articles, or any other incident attribute. Since rules are created for generating incidents based on syslog messages, email, SIEM integrations, or other data sources, it is the incident templates that will define how the initial incident will be created.
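Review bot: step 2 (line 38) links to `#create-a-new-incident-template`, but the only heading visible in this hunk is `## Incident templates`; confirm that a `Create a new incident template` heading exists further down the file, or the anchor will be dead. Same line: `or deselect if you want to manually run the playbook` is missing its object, suggest `or deselect it to run the playbook manually from the incident`. The new section also relies on `useBaseUrl` in each `<img>`; that import is not in this hunk's context, so check the file already has it. Minor: `style={{border:'1px solid gray'}}` on lines 32-33 and `style={{border: '1px solid gray'}}` on lines 38 and 42 should use one spacing.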

docs/cse/administration/create-cse-actions.md

Lines changed: 2 additions & 2 deletions
@@ -10,8 +10,8 @@ import Iframe from 'react-iframe'; 
1010

1111
This topic has instructions for configuring Cloud SIEM actions.
1212

13-
:::warning
14-
In the future, Cloud SIEM actions will be deprecated because comparable behavior is available in the Automation Service. Although Cloud SIEM actions are still supported, we recommend you use the Automation Service to perform actions. For more information, see [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
13+
:::tip
14+
The Automation Service is a newer way to perform actions. For more information about how to use the Automation Service instead of Cloud SIEM actions, see [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
1515
:::
1616

1717
## About Cloud SIEM actions
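Review bot: downgrading the admonition from `:::warning` to `:::tip` also drops the sentence `Although Cloud SIEM actions are still supported`, so the new text no longer states the support status of legacy actions at all. Teams with detection and response workflows built on Cloud SIEM actions need to know whether those actions remain supported and whether a deprecation date still applies; if the deprecation plan has been withdrawn, say so explicitly here, and if it has only been postponed, keep the `:::warning` and adjust the wording. The merge commit message gives no rationale for the status change, so it should be recorded in the PR description.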

docs/cse/automation/automations-in-cloud-siem.md

Lines changed: 3 additions & 1 deletion
@@ -185,7 +185,9 @@ You can switch to the graphical view by clicking **Graph View** in the upper-rig
185185

186186
## Migrate from legacy actions and enrichments to the Automation Service
187187

188-
In the future, [Cloud SIEM Actions](/docs/cse/administration/create-cse-actions/) and the [Insight Enrichment Server](/docs/cse/integrations/insight-enrichment-server/) will be deprecated because comparable behavior is available in the Automation Service. To continue using the same functionality found in the legacy actions and enrichments, [use installed playbooks](#use-installed-playbooks) in the Automation Service, or [replace the legacy actions and enrichments](#replace-legacy-actions-and-enrichments) by adding the corresponding actions to playbooks you create in the Automation Service.
188+
Instead of using [Cloud SIEM Actions](/docs/cse/administration/create-cse-actions/) and the [Insight Enrichment Server](/docs/cse/integrations/insight-enrichment-server/), we recommend you use the Automation Service. The Automation Service is a newer way to perform actions and enrichments.
189+
190+
To continue using the same functionality found in the legacy actions and enrichments, [use installed playbooks](#use-installed-playbooks) in the Automation Service, or [replace the legacy actions and enrichments](#replace-legacy-actions-and-enrichments) by adding the corresponding actions to playbooks you create in the Automation Service.
189191

190192
Migrating to the Automation Service has many benefits over using legacy actions and enrichments. With the Automation Service, you can:
191193
* Run actions in playbooks rather than singly.
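Review bot: the two added paragraphs on lines 188 and 190 say `Automation Service` four times in three sentences; line 188's second sentence (`The Automation Service is a newer way to perform actions and enrichments.`) restates the first and can be folded into it, e.g. `Instead of using ..., we recommend the Automation Service, the newer way to perform actions and enrichments.` Also `Cloud SIEM Actions` is capitalized on line 188 while the rest of the section uses `legacy actions`; align the casing.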

docs/cse/integrations/insight-enrichment-server.md

Lines changed: 2 additions & 2 deletions
@@ -10,8 +10,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
1010

1111
The Cloud SIEM Insight Enrichment Server is a component that automatically enriches Cloud SIEM insights.  
1212

13-
:::warning
14-
The Insight Enrichment Server is deprecated. Use the Automation Service instead for enrichments. See [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
13+
:::tip
14+
The Automation Service is a newer way to perform enrichment. For more information about how to use the Automation Service instead of the Cloud SIEM Insight Enrichment Server, see [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
1515
:::
1616

1717
:::note
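Review bot: this hunk reverses an explicit statement, from `The Insight Enrichment Server is deprecated` to `The Automation Service is a newer way to perform enrichment`, which is a change in product status rather than a wording fix; a reversal like this should be called out in the release notes and the PR description, and the page should still say plainly whether the Insight Enrichment Server remains supported. Minor: the parallel tip in `create-cse-actions.md` says `perform actions`; here `perform enrichment` would read better as `perform enrichments`, matching the linked section title `legacy actions and enrichments`.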

docs/dashboards/filter-template-variables.md

Lines changed: 29 additions & 2 deletions
@@ -21,19 +21,21 @@ The web interface autocomplete feature for log search variables has the follow
2121
* It is updated every night for the last 24 hours starting from 10PM PT to the previous day at 10PM PT. 
2222
* Only dashboards that were viewed in the last 3 days are updated.
2323
* Up to 10,000 log values and 1,000 metric values are displayed.
24-
* Values for template variables are based on the time range of the Dashboard.
24+
* Values for template variables (except Scope Based Variable) are based on the time range of the dashboard.
25+
* New panels added to the dashboard will automatically adopt any existing Scope-based Variable to it.
2526

2627
## Show and hide variables option
2728

2829
In the Dashboard top menu bar, click the filter icon to show the variables option. The filter icon allows you to toggle if the variables option is displayed or hidden.<br/><img src={useBaseUrl('/img/dashboards/filter-template-variables/Show-and-Hide-filters.png')} alt="Show and Hide filters" style={{border: '1px solid gray'}} width="400" />
2930

3031
## Create a template variable
3132

32-
There are three types of template variables you can use as a dashboard filter:
33+
There are four types of template variables you can use as a dashboard filter:
3334

3435
* Custom List - a custom set of options
3536
* Metrics Metadata Search - metrics metadata based options 
3637
* Log Search - logs query based options
38+
* Scope-based Variable - define scope variables to automatically apply to all log queries
3739

3840
### Add a Custom List variable
3941
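Review bot: line 25 (`New panels added to the dashboard will automatically adopt any existing Scope-based Variable to it.`) has a dangling `to it`; suggest `New panels added to the dashboard automatically inherit any existing Scope-based Variable.` Line 24 writes `Scope Based Variable` and line 38 `Scope-based Variable`; use one spelling, and since the other three entries in the list on lines 35-38 are product names in title case (`Custom List`, `Metrics Metadata Search`, `Log Search`), the new entry should follow the same case. Line 38's description (`define scope variables to automatically apply to all log queries`) should also mention that the variable can be limited to selected panels, as the new section added later in this file describes.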

@@ -46,6 +48,7 @@ To add a Custom List variable to a dashboard, do the following:
4648
1. In the **Create Template Variable** panel, enter a unique **Variable Name**. Spaces and special characters, with the exception of an underscore (_), are not allowed in value names.<br/><img src={useBaseUrl('img/dashboards/filter-template-variables/Create-Template-Variable-dialog.png')} style={{border:'1px solid gray'}} alt="Create-Template-Variable-dialog" width="800"/>
4749
1. Select **Custom List** as the **Variable Type**.
4850
1. **List Items** are your variable values. Use a comma separated list for variable options, separating individual options with a comma. For example, `small, medium, large`.
51+
1. (Optional) **Include the option to select all values (\*)** will be selected by default. This includes a wildcard asterisk (\*) in the available options.
4952
1. (Optional) Provide a **Default Value** for the variable.
5053
1. Click **Create Template Variable** to apply the variable to the dashboard. 
5154
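Review bot: the added step on line 51 (`**Include the option to select all values (\*)** will be selected by default. This includes a wildcard asterisk (\*) in the available options.`) describes a state where the neighbouring steps give an instruction; reword it as an action, for instance `Leave **Include the option to select all values (\*)** selected to offer a wildcard (\*) option, or deselect it so only the listed values can be chosen.` The same two sentences are repeated verbatim in the Metrics Metadata Search, Log Search and Scope-based Variable procedures in this file, so one wording fix should be applied to all four copies.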

@@ -61,6 +64,7 @@ To add a Metrics Metadata Search variable to a dashboard, do the following:
6164
1. Select **Metrics Metadata Search** as the **Variable Type**.
6265
1. The **Fields (key)** is the metadata field you want to use as the filter.
6366
1. (Optional) **Filters** allow you to filter the scope of your data before choosing the field you want to use. Click in the **Filter** input, begin typing, and choose a filter from the pop-up list. A list of valid values appears. Select a value for the filter, and add other filters as needed.
67+
1. (Optional) **Include the option to select all values (\*)** will be selected by default. This includes a wildcard asterisk (\*) in the available options.
6468
1. (Optional) Provide a **Default Value** for the variable.
6569
1. Click **Create Template Variable** to apply the variable to the dashboard.
6670

@@ -76,6 +80,29 @@ To add a Logs Search variable to a dashboard, do the following:
7680
1. Select **Logs Search** as the **Variable Type**.
7781
1. Click in the **Query** field and begin typing your query. Select valid options from the pop-up list as they appear until your query is complete.
7882
1. The **Key** is the metadata field you want to use as the filter. Once a Key is selected the Preview table will show example values based on the query running for the last 15 minutes.
83+
1. (Optional) **Include the option to select all values (\*)** will be selected by default. This includes a wildcard asterisk (\*) in the available options.
84+
1. (Optional) Enter a **Default Value** for the variable.
85+
1. Click **Create Template Variable** to apply the variable to the dashboard.
86+
87+
### Add a Scope-based Variable
88+
89+
With a Scope-based Variable, you can define a variable that automatically applies to all log queries within the scope of the dashboard or panels. By setting a key while creating the scope variable, you can select values to enable simple filtering for the dashboard. Additionally, you can specify which panels the scope variable applies to for more granular control.
90+
91+
:::info
92+
- The fields in the Scope-based Variable are independent of dashboard and panel time range.
93+
- Fields in the Scope-based Variable will also contain the FER field keys.
94+
:::
95+
96+
To add a Scope-based Variable to a dashboard, do the following:
97+
98+
1. In the Dashboard top menu bar, click the filter icon to show the variables option. The filter icon allows you to toggle if the variables option is displayed or hidden.<br/><img src={useBaseUrl('img/dashboards/filter-template-variables/Show-and-Hide-filters.png')} style={{border:'1px solid gray'}} alt="Show-and-Hide-filters" width="250"/>
99+
1. In the Dashboard top menu bar, click the **plus (+) icon**. The **Create Template Variable** panel appears.<br/><img src={useBaseUrl('img/dashboards/filter-template-variables/create-dashboard-filter.png')} style={{border:'1px solid gray'}} alt="create-dashboard-filter" width="800"/>
100+
1. In the **Create Template Variable** panel, enter a unique **Variable Name**. Spaces and special characters, with the exception of an underscore (_), are not allowed in value names.<br/><img src={useBaseUrl('img/dashboards/filter-template-variables/scope-based-variable.png')} style={{border:'1px solid gray'}} alt="scope-based-variable" width="800"/>
101+
1. Select **Scope-based Variable** as the **Variable Type**.
102+
1. The **Filds (key)** is the metadata field you want to use as the filter. Once a Key is selected the Preview table will show example values based on the query running for the last 15 minutes.
103+
1. (Optional) **Display all values available** will be selected by default. If you want to specify any values, deselect this option and enter the required value(s) in section below.
104+
1. (Optional) **Apply filter to all panels in dashboard** will be selected by default. If you want to apply this variable to secleted panel, deselect this option and select the panels from the dropdown. You can also click on <img src={useBaseUrl('img/dashboards/filter-template-variables/preview-the-panels.png')} style={{border:'1px solid gray'}} alt="preview-the-panels" width="30"/> to preview and select the dashboard panel to which you want to apply this variable.
105+
1. (Optional) **Include the option to select all values (\*)** will be selected by default. This includes a wildcard asterisk (\*) in the available options.
79106
1. (Optional) Enter a **Default Value** for the variable.
80107
1. Click **Create Template Variable** to apply the variable to the dashboard.
81108
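Review bot: two typos in the new steps: line 102 `**Filds (key)**` should be `**Fields (key)**`, and line 104 `apply this variable to secleted panel` should be `apply this variable to selected panels`. Line 102 also copies the Log Search wording `example values based on the query running for the last 15 minutes`, but this procedure has no **Query** step, so `the query` refers to nothing; and the `:::info` on line 92 says the fields are independent of the dashboard time range, which sits awkwardly next to a 15-minute preview window; state what the preview actually shows for this variable type. Line 93 uses the unexpanded acronym `FER`; write `Field Extraction Rule (FER)` with a link on first use. Line 103: `in section below` should be `in the section below`.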

docs/integrations/amazon-aws/cloudtrail-pci-compliance.md

Lines changed: 11 additions & 15 deletions
@@ -1,45 +1,41 @@
11
---
22
id: cloudtrail-pci-compliance
33
title: PCI Compliance For AWS CloudTrail
4-
description: The Sumo Logic App for Payment Card Industry (PCI) Compliance for AWS CloudTrail App offers dashboards to monitor systems, account and users activity to ensure that login activity and privileged users are within the expected ranges.
4+
description: The Sumo Logic app for Payment Card Industry (PCI) Compliance for AWS CloudTrail app offers dashboards to monitor systems, account and users activity to ensure that login activity and privileged users are within the expected ranges.
55
---
66

77
import useBaseUrl from '@docusaurus/useBaseUrl';
88

99
<img src={useBaseUrl('img/integrations/pci-compliance/pci-logo.png')} alt="Thumbnail icon" width="90"/>
1010

11-
The Sumo Logic App for Payment Card Industry (PCI) Compliance for AWS CloudTrail App offers dashboards to monitor systems, account and users activity to ensure that login activity and privileged users are within the expected ranges. The PCI Compliance for AWS CloudTrail App covers PCI requirements 02, 07, 08 and 10.
11+
The Sumo Logic app for Payment Card Industry (PCI) Compliance for AWS CloudTrail app offers dashboards to monitor systems, account and users activity to ensure that login activity and privileged users are within the expected ranges. The PCI Compliance for AWS CloudTrail app covers PCI requirements 02, 07, 08 and 10.
1212

1313

14+
## Collecting logs for the PCI Compliance for AWS CloudTrail app
1415

15-
## Collecting logs for the PCI Compliance for AWS CloudTrail App
16-
17-
This section provides instructions for collecting logs for the the PCI Compliance for AWS CloudTrail App.
16+
This section provides instructions for collecting logs for the the PCI Compliance for AWS CloudTrail app.
1817

1918
To configure an AWS CloudTrail Source, do the following:
2019
1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket.
2120
2. [Configure CloudTrail](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) in your AWS account.
2221
3. Confirm that logs are being delivered to the Amazon S3 bucket.
2322
4. Add an [AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source) to Sumo Logic.
24-
5. Install the Sumo Logic App for [PCI Compliance for AWS CloudTrail](#installing-the-pci-compliance-for-aws-cloudtrail-app).
23+
5. Install the Sumo Logic app for [PCI Compliance for AWS CloudTrail](#installing-the-pci-compliance-for-aws-cloudtrail-app).
2524

2625

27-
## Installing the PCI Compliance for AWS CloudTrail App
26+
## Installing the PCI Compliance for AWS CloudTrail app
2827

29-
Now that you have set up collection, install the Sumo Logic App for PCI Compliance for AWS CloudTrail to use the preconfigured searches and [dashboards](#viewing-pci-compliance-for-aws-cloudtrail-dashboards) that provide insight into your data.
28+
Now that you have set up collection, install the Sumo Logic app for PCI Compliance for AWS CloudTrail to use the preconfigured searches and [dashboards](#viewing-pci-compliance-for-aws-cloudtrail-dashboards) that provide insight into your data.
3029

31-
import AppInstall from '../../reuse/apps/app-install.md';
30+
import AppInstallV2 from '../../reuse/apps/app-install-v2.md';
3231

33-
<AppInstall/>
32+
<AppInstallV2/>
3433

3534
## Viewing PCI Compliance for AWS CloudTrail Dashboards
3635

37-
The Sumo Logic PCI Compliance for AWS CloudTrail App provides dashboards and sample queries that you can modify for your specific compliance needs.
38-
* Access Monitoring
39-
* Login Activity
40-
* Account and System Monitoring
41-
* Privileged Activity
36+
import ViewDashboards from '../../reuse/apps/view-dashboards.md';
4237

38+
<ViewDashboards/>
4339

4440
### PCI Req 01 - Access Monitoring
4541
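Review bot: line 16 still reads `for the the PCI Compliance`, a doubled `the` carried over from the old line 17 while the line was being edited; fix it here. Lines 4 and 11 now read `The Sumo Logic app for ... AWS CloudTrail app offers`, where the second `app` is redundant after the lowercase change; `The Sumo Logic app for Payment Card Industry (PCI) Compliance for AWS CloudTrail offers ...` reads cleanly. Replacing the four-item dashboard list (Access Monitoring, Login Activity, Account and System Monitoring, Privileged Activity) with `<ViewDashboards/>` removes the only page-level summary of which dashboards this app ships; confirm that `reuse/apps/view-dashboards.md` is generic boilerplate and, if so, consider keeping the list under the include. Pre-existing but visible in context: the intro says the app covers PCI requirements 02, 07, 08 and 10, while the first dashboard heading on line 40 is `PCI Req 01 - Access Monitoring`; worth checking in a follow-up.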
