Merge branch 'main' into docs-888-more-improvements-to-automation-integrations

Author: jpipkin1

blog-service/2025-05-29-manage.md

@@ -0,0 +1,15 @@
+---
+title: Access Key Rotation (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - organizations
+  - mssps
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're happy to introduce a new way to rotate access keys, as well as a new access keys expiration policy. Together these help to make your account more secure by encouraging regular API key updates.
+
+[Learn more](/docs/manage/security/access-keys/#access-keys-expiration-policy).

cid-redirects.json

@@ -440,7 +440,6 @@
   "/05Search/Get-Started-with-Search/Visualizations/Group-By-Operator": "/docs/search/search-query-language/search-operators",
   "/05Search/Live-Tail": "/docs/search/live-tail",
   "/05Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",
-  "/Search": "/docs/search",
   "/Search/Anomaly_Detection": "/docs/alerts/monitors/create-monitor",
   "/Search/Live-Tail": "/docs/search/live-tail/about-live-tail",
   "/Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",
@@ -3116,6 +3115,8 @@
   "/Manage/Collection/Processing-Rules/Metrics_Include_and_Exclude_Rules": "/docs/send-data/collection/processing-rules/metrics-include-and-exclude-rules",
   "/Manage/Collection/Restart_Collectors": "/docs/send-data/collection/restart-collectors",
   "/Manage/Collectors_and_Sources/Processing_Rules": "/docs/send-data/collection/processing-rules",
+  "/Manage/Collectors_and_Sources/Manage_Collectors/Edit_a_Collector": "/docs/send-data/collection/edit-collector",
+  "/Manage/Collectors_and_Sources/Manage_Sources": "/docs/send-data/collection",
   "/Manage/Connections-and-Integrations": "/docs/alerts/webhook-connections",
   "/docs/manage/connections-integrations/webhook-connections": "/docs/alerts/webhook-connections",
   "/docs/manage/connections-integrations/webhook-connections/set-up-webhook-connections": "/docs/alerts/webhook-connections/set-up-webhook-connections",
@@ -3309,6 +3310,7 @@
   "/Manage/Security/Access_Keys": "/docs/manage/security/access-keys",
   "/Manage/Security/Access_Keys/Create_Access_Keys": "/docs/manage/security/access-keys",
   "/Manage/Security/Audit_Event_Index": "/docs/manage/security/audit-indexes/audit-event-index",
+  "/docs/audit/audit-events": "/docs/manage/security/audit-indexes",
   "/Manage/Security/Audit-Index": "/docs/manage/security/audit-indexes/audit-index",
   "/Manage/Security/Create-an-Allowlist-for-IP-or-CIDR-Addresses": "/docs/manage/security/create-allowlist-ip-cidr-addresses",
   "/Manage/Security/Create-a-Whitelist-for-IP-or-CIDR-Addresses": "/docs/manage/security/create-allowlist-ip-cidr-addresses",
@@ -3582,6 +3584,7 @@
   "/Send_Data/Sources/Script_Source/Cron_Examples_and_Reference": "/docs/send-data/installed-collectors/sources/script-source/cron-examples-reference",
   "/Send_Data/Sources/Source_timestamp_and_time_zone_options/Timestamp_conventions": "/docs/send-data/reference-information/time-reference",
   "/Send_Data/Sources/AWS_S3_Source": "/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source",
+  "/Send_Data/Sources/Amazon_S3_Audit_Source": "/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source",
   "/Send_Data/01_Design_Your_Deployment/Best_Practices:_Good_Source_Category,_Bad_Source_Category": "/docs/send-data/best-practices",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon_Web_Services": "/docs/send-data/hosted-collectors/amazon-aws",
   "/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon_Web_Services/AWS_S3_Source": "/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source",
@@ -3874,6 +3877,7 @@
   "/Beta/Installation_Tokens": "/docs/manage/security/installation-tokens",
   "/Beta/Metadata_Ingest_Budgets": "/docs/manage/ingestion-volume/ingest-budgets/daily-volume",
   "/Beta/Metrics-Rules": "/docs/metrics/metric-rules-editor",
+  "/Beta/Monitors": "/docs/alerts/monitors",
   "/Beta/Saved_beta_content/Beta---Library/Apps_in_Sumo_Logic/01_Sumo_Logic_Apps": "/docs/integrations",
   "/Beta/SLO_Reliability_Management": "/docs/observability/reliability-management-slo",
   "/Beta/SLO_Reliability_Management/Access_and_Create_SLOs": "/docs/observability/reliability-management-slo",
@@ -3888,6 +3892,7 @@
   "/Dashboards_and_Alerts/Alerts/Create_a_Real_Time_Alert": "/docs/alerts/scheduled-searches/create-real-time-alert",
   "/Dashboards_and_Alerts/Alerts/Save_to_Index": "/docs/alerts/scheduled-searches/save-to-index",
   "/Dashboards-and-Alerts/Alerts": "/docs/alerts",
+  "/Dashboards-and-Alerts/Alerts/01-Scheduled-Searches": "/docs/alerts/scheduled-searches",
   "/Dashboards-and-Alerts/Alerts/02-Schedule-a-Search": "/docs/alerts/scheduled-searches/schedule-search",
   "/Dashboards-and-Alerts/Alerts/Create-an-Email-Alert": "/docs/alerts/scheduled-searches/create-email-alert",
   "/Dashboards-and-Alerts/Alerts/04-Create-an-Email-Alert": "/docs/alerts/scheduled-searches/create-email-alert",

docs/api/getting-started.md

@@ -87,7 +87,7 @@ Sumo Logic has several deployments that are assigned depending on the geographic
 
 Sumo Logic redirects your browser to the correct login URL and also redirects Collectors to the correct endpoint. However, if you're using an API you'll need to manually direct your API client to the correct Sumo Logic API URL.
 
-<table><small>
+<table>
   <tr>
    <td>Deployment</td>
    <td>Service Endpoint (login URL)</td>
@@ -183,7 +183,6 @@ https://endpoint9.collection.us2.sumologic.com/</td>
    <td>syslog.collection.us2.sumologic.com</td>
    <td>https://open-collectors.us2.sumologic.com</td>
   </tr>
-  </small>
   </table>
 
 ### Which endpoint should I should use?

docs/cse/get-started-with-cloud-siem/intro-for-administrators.md

@@ -59,7 +59,7 @@ As a Cloud SIEM admin, you'll use both the Sumo Logic UI and the Cloud SIEM UI.
 
 | Sumo Logic UI | Cloud SIEM UI |
 | :-- | :-- |
-| <ul><li>Add collectors and data sources.</li><li>Write field extraction rues.</li><li>Configure partitions and data tiers</li><li>Forward data to Cloud SIEM.</li><li>Configure RBAC controls.</li></ul> | <ul><li>Configure log and ingest mappings.</li><li>Create custom content, such as rules, match lists, and insights.</li><li>Customize actions, context actions, and other workflows.</li></ul>|
+| <ul><li>Add collectors and data sources.</li><li>Write field extraction rules.</li><li>Configure partitions and data tiers</li><li>Forward data to Cloud SIEM.</li><li>Configure RBAC controls.</li></ul> | <ul><li>Configure log and ingest mappings.</li><li>Create custom content, such as rules, match lists, and insights.</li><li>Customize actions, context actions, and other workflows.</li></ul>|
 
 In the Sumo Logic UI, you'll add the collectors and data sources that will be used in Cloud SIEM. You can write field extraction rules, which help parse your logs so they can be better used as records in Cloud SIEM. You can also configure partitions and data tiers in Sumo Logic, and decide which data gets forwarded to Cloud SIEM. Finally, you configure users and roles for both Sumo Logic and Cloud SIEM using the Sumo Logic interface. 
 

docs/integrations/amazon-aws/aws-privatelink.md

@@ -37,7 +37,7 @@ With the NLB-created and ALB-registered as a target, requests over AWS PrivateL
 
 Sumo Logic exposes AWS PrivateLink endpoints to different [regions that depend on your Sumo Logic deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security). If you're using the VPC in a different region where the Sumo Logic PrivateLink endpoint service is set up, you need to set up VPC peering. Either way, you need to create an endpoint.
 
-<table><small>
+<table>
   <tr>
     <td><strong>Deployment</strong></td>
     <td><strong>Collection Endpoint</strong></td>
@@ -107,7 +107,7 @@ https://endpoint9.collection.us2.sumologic.com</td>
     <td>https://open-collectors.us2.sumologic.com</td>
     <td>us-west-2</td>
   </tr>
-</small></table>
+</table>
 
 
 ### Create an endpoint to connect with the Sumo Logic endpoint service

docs/integrations/amazon-aws/global-intelligence-cloudtrail-secops.md

@@ -51,7 +51,7 @@ This application relies on 45 Scheduled Searches that Save to two different Inde
 <details>
 <summary>View the list of Scheduled Searches (<strong>click to expand</strong>)</summary>
 
-<table><small>
+<table>
   <tr>
     <td><strong>Folder</strong></td>
     <td><strong>Scheduled Search Name (prefixed with gis_benchmarks)</strong></td>
@@ -282,7 +282,7 @@ This application relies on 45 Scheduled Searches that Save to two different Inde
     <td>S3_ListBuckets</td>
     <td>Counts S3 events related to listing buckets.</td>
   </tr>
-</small></table>
+</table>
 
 * To reduce false positives, the benchmarks and application filter out AWS CloudTrail events from legitimate cloud services including AWS itself and CloudHealth by VMware.
 * Security posture requirements may vary between AWS accounts for a given customer. For example, development accounts might have less strict controls than production accounts. The app supports filtering findings by AWS account ID to facilitate AWS account level posture assessment.

docs/integrations/app-development/jfrog-artifactory.md

@@ -114,7 +114,7 @@ In this step, you configure four local file sources, one for each log source lis
 
 The following suffixes are required. For example, you could use `_sourceCategory=<Foo>/artifactory/console`, but the suffix **artifactory/console** must be used.
 
-<table><small>
+<table>
   <tr>
    <td><strong>Log source</strong></td>
    <td><strong>File Path</strong></td>
@@ -139,7 +139,7 @@ The following suffixes are required. For example, you could use `_sourceCategory
    <td>Traffic</td>
    <td>$JFROG_HOME/&#60;product&#62;/var/log/artifactory-traffic.*.log</td>
    <td>artifactory/traffic</td>
-  </tr></small>
+  </tr>
 </table>
 
 :::note

docs/integrations/security-threat-detection/threat-intel-quick-analysis.md

@@ -46,7 +46,7 @@ _sourceCategory=cylance "IP Address"
 
 <!-- Per DOCS-643, replace section content with this after `sumo://threat/cs` is replaced by `threatlookup`:
 
-The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. 
+The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**.
 
 You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your threat intel queries:
 
@@ -58,14 +58,14 @@ You can further optimize and enhance these queries for the log and events types
 For example, here is the query used for the **Threat Count** panel in the [Threat Intel Quick Analysis - IP](#ip) dashboard:
 
 ```
-_sourceCategory=<source-category-name> 
-| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
+_sourceCategory=<source-category-name>
+| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
 | count as ip_count by ip_address
 
 | threatlookup singleIndicator ip_address
 
-// normalize confidence level to a string 
+// normalize confidence level to a string
 | if (_threatlookup.confidence >= 85, "high", if (_threatlookup.confidence >= 50, "medium", if (_threatlookup.confidence >= 15, "low", if (_threatlookup.confidence >= 0, "unverified", "unknown")))) as threat_confidence
 
 // filter for threat confidence
@@ -106,7 +106,7 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source, label_name
    | sort by threat_count
-   ``` 
+   ```
 <!-- Per DOCS-643, replace the preceding step with the following after `sumo://threat/cs` is replaced by `threatlookup`:   
 1. Customize your query so you can use parsed fields from the Field Extraction Rule with the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/), where `src_ip` is the parsed field from the FER. For example:
    ```
@@ -140,7 +140,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
   _view=cylance_threat
   | count by src_ip
   ```
-  
+
 ## Threat Intel FAQ
 
 #### What is the CrowdStrike Integration for Sumo Logic?
@@ -399,7 +399,7 @@ Once an indicator has been marked with a malicious confidence level, it continue
         </tr>
         <tr>
             <td class="mt-column-width-20" data-th="IOC Type"><br/><strong>Vulnerability</strong></td>
-            <td class="mt-column-width-80" data-th="Values"><br/>The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g. <a href="https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158" rel="freelink" title="https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158">https://intelapi.crowdstrike.com/ind.../CVE-2012-0158</a> )</td>
+            <td class="mt-column-width-80" data-th="Values"><br/>The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g., https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158).</td>
         </tr>
     </tbody>
 </table>
@@ -506,4 +506,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
 
 import AppUninstall from '../../reuse/apps/app-uninstall.md';
 
-<AppUninstall/>
+<AppUninstall/>

docs/manage/field-extractions/create-field-extraction-rule.md

@@ -5,6 +5,7 @@ description: Field Extraction Rules (FER) tell Sumo Logic which fields to parse
 ---
 
 import Iframe from 'react-iframe';
+import FerLimit from '../../reuse/fer-limitations.md';
 
 You can create a field extraction rule of your own from scratch by following the instructions below. We also provide [data-source-specific templates](/docs/manage/field-extractions/fer-templates/index.md) for AWS, Apache, and more.
 
@@ -71,9 +72,9 @@ To create a Field Extraction Rule:
     :::
 
     :::sumo Best Practices
-    If you are not using Partitions we recommend using [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) fields like `_sourceCategory`, `_sourceHost` or `_collector` to define the scope.
+    If you are not using Partitions we recommend using [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) fields like `_sourceCategory`, `_sourceHost` or `_collector` to define the scope.
 
-    We recommend creating a separate Partition for your JSON dataset and use that Partition as the scope for run time field extraction. For example, let's say you have AWS CloudTrail logs, and they are stored in `_view=cloudtrail` Partition in Sumo. You can create a Run Time FER with the scope `_view=cloudtrail`. Creating a separate Partition and using it as scope for a run time field extraction ensures that auto parsing logic only applies to necessary Partitions.
+    We recommend creating a separate Partition for your JSON dataset and use that Partition as the scope for run time field extraction. For example, let's say you have AWS CloudTrail logs, and they are stored in `_view=cloudtrail` Partition in Sumo. You can create a Run Time FER with the scope `_view=cloudtrail`. Creating a separate Partition and using it as scope for a run time field extraction ensures that auto parsing logic only applies to necessary Partitions.
     :::
 
    * **Parsed template** (Optional for Ingest Time rules).
@@ -153,6 +154,4 @@ The **multi** and **auto** options are not supported in FERs.
 
 The `parse multi` operator is not supported in FERs.
 
-import FerLimit from '../../reuse/fer-limitations.md';
-
-<FerLimit/> 
+<FerLimit/>

docs/manage/partitions/flex/create-edit-partition-flex.md

@@ -21,7 +21,11 @@ To create or edit a Partition, you must be an account Administrator or have th
 
 ## Create a Partition
 
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Manage Data > Logs > Partitions**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Partitions**. You can also click the **Go To...** menu at the top of the screen and select **Partitions**. 
+:::important
+The search modifier `dataTier` is not supported for Flex queries.
+:::
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Manage Data > Logs > Partitions**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Partitions**. You can also click the **Go To...** menu at the top of the screen and select **Partitions**.
 1. Click **+ Add Partition**.
 1. The **Create New Partition** pane appears.<br/><img src={useBaseUrl('img/manage/partitions-data-tiers/create-new-partition-flex.png')} alt="create-new-partition-flex.png"  style={{border:'1px solid gray'}} width="300"/>
 1. **Name**. Enter a name for the Partition. Partitions must be named alphanumerically, with no special characters, with the exception of underscores (`_`). However, a Partition name cannot start with `sumologic_` or an underscore `_`.
@@ -70,15 +74,15 @@ You can make some changes to an existing partition:  
   :::
 * You can change the data forwarding configuration.
 * You cannot change the name of a partition, the routing expression, or reuse a partition name.
-* You cannot edit the audit index partition to include it in the default scope. 
+* You cannot edit the audit index partition to include it in the default scope.
 * Security partitions can’t be edited. Sumo Logic stores Cloud SIEM Records in seven partitions, one for each [Cloud SIEM Record type](/docs/cse/schema/cse-record-types). The names of the Sumo Logic partitions that contain Cloud SIEM Records begin with the string `sec_record_`. If you have a role that grants you the **View Partitions** capability, you can view the security partitions in the Sumo Logic UI. Note, however, that no user can edit or remove a security partition.
 
 ### How to edit a partition
 
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Manage Data > Logs > Partitions**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Partitions**. You can also click the **Go To...** menu at the top of the screen and select **Partitions**. 
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Manage Data > Logs > Partitions**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Partitions**. You can also click the **Go To...** menu at the top of the screen and select **Partitions**.
 1. To refine the table results, use the **Add a filter** section located above the table. *AND* logic is applied when filtering between different sections, while *OR* logic is applied when filtering within the same section.
-  :::note 
-  You can see the suggestions only if there are two or more responses for the same column or section. 
+  :::note
+  You can see the suggestions only if there are two or more responses for the same column or section.
   :::
 1. Click the row with the partition you want to edit.
 1. The partition details are displayed on the right side of the page.