Merge branch 'main' into DOCS-362

kimsauce · web-flow · commit b3fb6171a933 · 2024-12-12T09:20:57.000-08:00
diff --git a/blog-service/2024-12-11-new-ui.md b/blog-service/2024-12-11-new-ui.md
@@ -0,0 +1,20 @@
+---
+title: New UI Improvements
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - UI
+hide_table_of_contents: true  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We're excited to share some updates to the new UI based on feedback we've received from our customers. These updates were implemented to enhance your navigation experience and improve your workflow.
+
+- **Tree position memory**. The Library navigation now remembers where you left off within the tree structure, making it easier to return to your exact spot when re-opening the subnavigation.
+- **Remembered menu state**. The expand/collapse state of the navigation menu is now persistent when opening new tabs, giving you a consistent experience across multiple browser tabs.
+- **Pin subnavigation**. You can now “pin” a subnavigation menu to keep it open while working within a specific feature area, giving you quicker access to what you need.
+- **Resizable submenu**. Widen the submenu to better view content items with longer names.
+
+You can try the new UI by clicking the **Switch to New UI** link from the Classic UI menu navigation. [Learn more](/docs/get-started/sumo-logic-ui).
diff --git a/blog-service/2024-12-12-collection.md b/blog-service/2024-12-12-collection.md
@@ -0,0 +1,15 @@
+---
+title: Universal Connector (Collection)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - collection
+  - universal-collector
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We are excited to announce the release of our new Universal Connector. With this cloud source, you can collect log data from vendor APIs using a modular configuration. This source allows Sumo Logic to expand its configuration modules over time, providing greater compatibility with various vendor APIs. However, it's important to note that complex APIs will still require a specific cloud source and may not be compatible with this universal source. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/universal-connector-source/).
+
diff --git a/docs/alerts/monitors/create-monitor.md b/docs/alerts/monitors/create-monitor.md
@@ -139,10 +139,10 @@ Triggers are evaluated by balancing the requirement of timely alert notification
 * For [static logs monitors](#static-detection-method), triggers are similar to "Alert when the result is greater than _ within Y Minutes". The triggers are evaluated periodically as below.
    | When detection window (Y) is | Evaluate trigger every |
    |:-----------------------------|:-----------------------|
-   | 30m or less  | 1m  |
-   | 30m to 3h    | 2m |
-   | 3hr to 12h   | 10m  |
-   | Greater than 12h  | 20m |
+   | 15m or less | 1m  |
+   | 15m to 1h     | 2m  |
+   | 1h to 6h      | 10m |
+   | Greater than 6h   | 20m |
 * For [anomaly logs monitors](#anomaly-detection-method), triggers are evaluated every `timeslice` as specified in the monitor query. For example, the below query is evaluated every 2 minutes.
    ```
    _sourceCategory=Labs/Apache/Access
diff --git a/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md b/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md
@@ -182,101 +182,9 @@ _sourceCategory=*Crowdstrike*  UserActivityAuditEvent
 ```
 
 
-## Collecting logs for the CrowdStrike app
+## Set up collection
 
-This section shows you how to configure log collection from CrowdStrike Falcon Endpoint Protection and have them sent to Sumo Logic. CrowdStrike Falcon Endpoint Protection provides endpoint detection and response, next-gen antivirus, and threat intelligence services through the cloud. Multiple security functions are consolidated into a single lightweight agent, for visibility across using central security analytics with Sumo Logic.
-
-:::warning
-The sections below are deprecated for non-FedRAMP Sumo Logic deployments.
-
-If you're using the Sumo Logic FedRAMP deployment, use the sections below to configure the collection for this app.
-
-If you are not using the Sumo Logic FedRAMP deployment, use the [Cloud-to-Cloud Integration for Crowdstrike](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source) to collect logs from CrowdStrike Falcon Endpoint Protection. This allows you to create the source and use the same source category while installing the app.
-:::
-
-
-### Collection process overview
-
-SIEMs (Security Information and Event Management) are used to gather data from a variety of security products to detect, investigate, correlate, and remediate security threats. The [Falcon SIEM Connector](https://www.crowdstrike.com/resources/data-sheets/falcon-connector/) provides a fast and efficient way to optimize collection across an extensive number of endpoints.
-
-:::note
-Sumo Logic recommends installing the SIEM Connector and Sumo Logic Collector on the same machine for best performance.
-:::
-
-To set up log collection for CrowdStrike Falcon, you'll download, install, and configure the CrowdStrike SIEM Connector to send data to Sumo Logic, through performing the following tasks.
-
-
-#### Data collection flow
-
-The following graphic illustrates the Sumo Logic collection of CrowdStrike streaming API events using a SIEM Connector.
-
-
-### Prerequisites
-
-It is important that you complete the following tasks before you start to configure log collection for CrowdStrike Falcon:
-
-* Download the SIEM Connector guide, familiarize yourself with [SIEM Connector](https://falcon.crowdstrike.com/support/documentation/14/siem-connector) and its config settings.
-* [Contact CrowdStrike support](https://supportportal.crowdstrike.com/) to enable the streaming APIs in your environment. You must do this before using the SIEM connector.
-
-
-### Step 1. Download and install CrowdStrike SIEM Connector on a host machine
-
-You perform this procedure from the Falcon console. You must have permission to be able to download and install from Falcon to complete this task.
-
-To install a CrowdStrike SIEM Connector on a host machine, do the following:
-1. Login to your Falcon console and go to [Support > Tool Downloads](https://falcon.crowdstrike.com/support/tool-downloads).
-2. Download the **SIEM Connector** installer for your operating system.
-3. Open a terminal window.
-4. Run the following installation command appropriate for your OS, replacing the `<installer package>` variable with the SIEM installer you downloaded:
-* **CentOS**: `sudo rpm -Uvh <installer package>`
-* **Ubuntu**: `sudo dpkg -i <installer package>`
-
-
-### Step 2. Configure CrowdStrike SIEM Connector
-
-This SIEM connector will stream events data from CrowdStrike Falcon Cloud in JSON format into a local file (output). The default location of the **output** file is `/var/log/crowdstrike/falconhoseclient/output`.
-
-To configure CrowdStrike SIEM Connector, do the following:
-
-1. In the Falcon console go to [Support > API Clients & Keys](https://falcon.crowdstrike.com/support/api-clients-and-keys).
-2. [Create an API client](https://falcon.crowdstrike.com/support/documentation/1/crowdstrike-api-introduction#auth_apiclient) to use with the SIEM connector, and record its API client ID and API client secret. In the the **Edit API client** dialog, ONLY select the **Event streams** option, and then click **Save**.
-   1. Open the **/opt/crowdstrike/etc/cs.falconhoseclient.cfg** file in a text editor.
-   2. Edit the following lines in the **cs.falconhoseclient.cfg** file:
-   * Change **app_id** to **SIEM-Connector.**
-   * **client_id** - Add your recorded API Client ID
-   * **client_secret** - Add your recorded API Client Secret
-   * Make sure **output_format** is set to **json**
-   * For **EventTypeCollection** section - Enable all events:
-     * DetectionSummaryEvent = true
-     * AuthActivityAuditEvent = true
-     * UserActivityAuditEvent = true
-     * HashSpreadingEvent = true
-     * RemoteResponseSessionStartEvent = true
-     * RemoteResponseSessionEndEvent = true
-   3. Save your changes.
-   4. Restart the SIEM Connector, as appropriate for your OS:
-     * **CentOS:** `sudo service cs.falconhoseclientd start`
-     * **Ubuntu 14.x:** `sudo start cs.falconhoseclientd`
-     * **Ubuntu 16.4:** `sudo systemctl start cs.falconhoseclientd.service`
-
-
-### Step 3. Set up a Sumo Logic installed collector and local file source
-
-You setup a Sumo Logic installed collector on the same host as the SIEM Connector. Then, set up a local file source on the installed collector to read the output file from [Step 2](#step-2-configure-crowdstrike-siem-connector) and send CrowdStrike Falcon Events to Sumo Logic.
-
-To set up an installed collector and local file source, do the following:
-
-1. Install a Sumo Logic collector on the same host as the SIEM Connector. Follow the instructions for your operating system as described in [Installed Collectors](/docs/send-data/installed-collectors).
-2. Add a local file source to the collector for Streaming API Events. Follow the steps on [Local File Source](/docs/send-data/installed-collectors/sources/local-file-source), with these additional changes:
-* Set the **Filepath** to: `/var/log/crowdstrike/falconhoseclient/output`
-* Set the **Source Category** to: `crowdstrike/falcon`
-* Under **Enable Multiline Processing**, check  **Boundary Regex**  and enter the following regex: `^\{.*`.
-3. Click **Save**.
-
-
-:::info
-For more information about the CrowdStrike Falcon SIEM Connector, see the CrowdStrike documentation, or contact CrowdStrike Customer Support at [info@crowdstrike.com](mailto:info@crowdstrike.com).
-:::
+To set up the [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source) for the CrowdStrike Falcon Endpoint Protection app, follow the instructions provided. These instructions will guide you through the process of creating a source using the CrowdStrike Falcon Endpoint Protection source category, which you will need to use when installing the app. By following these steps, you can ensure that your CrowdStrike Falcon Endpoint Protection app is properly integrated and configured to collect and analyze your CrowdStrike Falcon Endpoint Protection data.
 
 ## Installing the CrowdStrike Falcon Endpoint Protection app
 
@@ -365,4 +273,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
 
 import AppUninstall from '../../reuse/apps/app-uninstall.md';
 
-<AppUninstall/>
+<AppUninstall/>
diff --git a/docs/manage/deletion-requests.md b/docs/manage/deletion-requests.md
@@ -53,26 +53,27 @@ Data cannot be recovered once it gets deleted. Ensure that you have appropriatel
 
 ### From a Log Search
 
-#### Delete audit events
-
-The Audit Event Index has detailed JSON logs. To search for audit events for data deletion logs, use metadata field `_sourceCategory=deletionRule`. For example, to search for data deletion logs you would use the query:
-
-```
-(_index=sumologic_audit_events) AND _sourceCategory=deletionRule
-```
-
-#### Delete system events
+1. In the **Log Search**, search for the required logs that needs to be deleted.
+1. Click the cog icon, then in the dropdown, select **Create Deletion Request**.<br/><img src={useBaseUrl('img/search/get-started-search/deletion-request.png')} alt="deletion request" style={{border: '1px solid gray'}} width="400"/>
+1. In the popup window, enter a **Name** and **Reason** for your data deletion request, then click **Create Request**.
+   
+#### Delete events
 
-The System Event Index has detailed JSON logs. To search for system events for data deletion logs, use metadata field `_sourceCategory=deletionRule`. For example, to search for data deletion logs you would use the query:
+The Audit Event Index and System Event Index has detailed JSON logs. To search for audit events or system events for data deletion logs, use metadata field `_sourceCategory=deletionRule`. 
 
-```
-(_index=sumologic_system_events) AND _sourceCategory=deletionRule
+```sql
+(_index=sumologic_*_events) AND _sourceCategory=deletionRule
+| json field=_raw "resourceIdentity.name" as name nodrop
+| json field=_raw "resourceIdentity.id" as id nodrop
+| json field=_raw "eventName" 
+| json field=_raw "operator.interface" as operator nodrop
+| json field=_raw "operator.email" as email nodrop
 
+| count by _messagetime,eventname,name,id,operator,email,_view
+| sort _messagetime asc
 ```
 
-1. In the **Log Search**, search for the required logs that needs to be deleted.
-1. Click the cog icon, then in the dropdown, select **Create Deletion Request**.<br/><img src={useBaseUrl('img/search/get-started-search/deletion-request.png')} alt="deletion request" style={{border: '1px solid gray'}} width="400"/>
-1. In the popup window, enter a **Name** and **Reason** for your data deletion request, then click **Create Request**.
+The events `DeletionRuleCreated` and `DeletionRuleStateUpdated` are contained in the `sumologic_audit_events` index and `DeletionRuleProcessingConcluded` is in the `sumologic_system_events` index.
 
 ## Cancel a deletion request
 
@@ -100,4 +101,4 @@ Each deletion request is limited to 100,000 messages. This means that any deleti
 
 ### Supported operators
 
-Currently, we only support [`as`](/docs/search/search-query-language/search-operators/as), [`concat`](/docs/search/search-query-language/search-operators/concat), [`contains`](/docs/search/search-query-language/search-operators/contains), [`decToHex`](/docs/search/search-query-language/search-operators/dectohex), [`floor`](/docs/search/search-query-language/math-expressions/floor), [`if`](/docs/search/search-query-language/search-operators/if), [`in`](/docs/search/search-query-language/search-operators/in), [`lookup`](/docs/search/search-query-language/search-operators/lookup), [`toLower`](/docs/search/search-query-language/search-operators/tolowercase-touppercase), [`matches`](/docs/search/search-query-language/search-operators/matches), [`parse`](/docs/search/search-query-language/parse-operators), [`toUpper`](/docs/search/search-query-language/search-operators/tolowercase-touppercase), and [`where`](/docs/search/search-query-language/search-operators/where) search query operators.
+Currently, we only support [`as`](/docs/search/search-query-language/search-operators/as), [`concat`](/docs/search/search-query-language/search-operators/concat), [`contains`](/docs/search/search-query-language/search-operators/contains), [`decToHex`](/docs/search/search-query-language/search-operators/dectohex), [`floor`](/docs/search/search-query-language/math-expressions/floor), [`if`](/docs/search/search-query-language/search-operators/if), [`in`](/docs/search/search-query-language/search-operators/in), [`lookup`](/docs/search/search-query-language/search-operators/lookup), [`toLower`](/docs/search/search-query-language/search-operators/tolowercase-touppercase), [`matches`](/docs/search/search-query-language/search-operators/matches), [`parse`](/docs/search/search-query-language/parse-operators), [`toUpper`](/docs/search/search-query-language/search-operators/tolowercase-touppercase), and [`where`](/docs/search/search-query-language/search-operators/where) search query operators.
diff --git a/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics.md b/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics.md
@@ -7,8 +7,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/sumo-logic.png')} alt="sumo-logic-log-analytics" width="100"/>
 
-***Version: 1.23  
-Updated: Apr 5, 2024***
+***Version: 1.24  
+Updated: Dec 12, 2024***
 
 Integration with Sumo Logic platform for logs, metrics, and monitors.
 
@@ -100,3 +100,8 @@ Integration with Sumo Logic platform for logs, metrics, and monitors.
     + Search Sumo Logic Action updated:
         - If the Aggregates field is selected, the action will fetch only aggregates. If the Aggregates field is not selected, it will fetch only messages.
         - Added a new field *Escape Backslashes* if selected it will Escape all Backslashes in Query
+* December 12, 2024 (v1.24)
+    + Updated Actions: (Fixed Authentication Issue)
+      + **Search Sumo Logic** Action
+      + **Search Sumo Logic Daemon** Action
+      + **Aggregates Sumo Logic Daemon** Action
diff --git a/docs/platform-services/automation-service/automation-service-integrations.md b/docs/platform-services/automation-service/automation-service-integrations.md
diff --git a/static/img/platform-services/automation-service/new-integration-dialog.png b/static/img/platform-services/automation-service/new-integration-dialog.png
