Merge branch 'main' into add-traces-info

Author: JV0812

blog-cse/2025-08-15-content.md

@@ -0,0 +1,41 @@
+---
+title: August 15, 2025 - Content Release
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+This content release includes:
+    - New product support for Vectra AI.
+    - Updated parsers and log mappers for Azure Event Hub, Barracuda CloudGen Firewall, Microsoft IIS, and Surepass.
+    - Updated Surepass to the correct vendor name.
+
+Changes are enumerated below.
+
+### Log Mappers
+- [New] Vectra AI Catch All
+- [New] Vectra AI User Login
+- [Updated] Azure Event Hub - Windows Defender Logs
+    - Updated field mappings to include new fields.
+- [Updated] Barracuda CloudGen Firewall Activity
+    - Updated `event_id` criteria to handle abridged event types in some logs.
+- [Updated] Microsoft IIS Parser - Catch All
+    - Updated to support `http_url` and downstream enrichment.
+- [Updated] Surepass Authentication
+- [Updated] Surepass Catch All
+- [Updated] Surepass Network Event
+
+### Parsers
+- [New] /Parsers/System/Vectra/Vectra AI
+- [Updated] /Parsers/System/Barracuda/Barracuda CloudGen
+    - Updated `event_id` criteria to handle abridged event types in some logs and to support additional log formats.
+- [Updated] /Parsers/System/Cylance/Cylance Syslog
+    - Updated timestamp parsing.
+- [Updated] /Parsers/System/DocuSign/DocuSign Monitor
+    - Updated timestamp parsing.
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+    - Updated parser to parse additional nested fields.
+- [Updated] /Parsers/System/Microsoft/Microsoft IIS
+    - Updated to form `http_url` for downstream enrichment.

cid-redirects.json

@@ -2832,7 +2832,7 @@
   "/cid/15633": "/docs/c2c/info/",
   "/cid/14323": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/docusign-source",
   "/cid/14324": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zendesk-source",
-  "/cid/14326": "/docs/integrations/global-intelligence/kubernetes-devops",
+  "/cid/14326": "/docs/integrations/global-intelligence",
   "/cid/30001": "/docs/integrations/microsoft-azure/azure-batch",
   "/cid/30002": "/docs/integrations/microsoft-azure/azure-application-gateway",
   "/cid/30003": "/docs/integrations/microsoft-azure/azure-data-explorer",
@@ -3558,7 +3558,7 @@
   "/Observability_Solution/Kubernetes_Solution/04View_Sumo_Logic_Kubernetes_App_Dashboards": "/docs/observability/kubernetes/monitoring",
   "/Observability_Solution/Kubernetes_Solution/05Kubernetes_Apps": "/docs/observability/kubernetes/apps",
   "/Observability_Solution/Kubernetes_Solution/06Troubleshoot_with_Explore": "/docs/observability/kubernetes/troubleshoot-with-explore",
-  "/Observability_Solution/Kubernetes_Solution/07Global_Intelligence_for_Kubernetes_DevOps_App": "/docs/integrations/global-intelligence/kubernetes-devops",
+  "/Observability_Solution/Kubernetes_Solution/07Global_Intelligence_for_Kubernetes_DevOps_App": "/docs/integrations/global-intelligence",
   "/Observability_Solution/Kubernetes_Solution/06Kubernetes_Alerts": "/docs/observability/kubernetes/alerts",
   "/Observability_Solution/Kubernetes_Solution/08Next_Steps": "/docs/observability/kubernetes",
   "/Observability_Solution/Kubernetes_Solution/09Create_a_New_Dashboard_(New)": "/docs/observability/kubernetes",
@@ -3978,7 +3978,8 @@
   "/Observability_Solution/AWS_Observability_Solution/01_Deploy_and_Use_AWS_Observability/Root_Cause_Explorer": "/docs/observability/root-cause-explorer-deprecation",
   "/docs/observability/root-cause-explorer": "/docs/observability/root-cause-explorer-deprecation",
   "/Observability_Solution/Kubernetes_Solution/01Set_up_collection_for_Kubernetes": "/docs/observability/kubernetes/collection-setup",
-  "/Observability_Solution/Kubernetes_Solution/Global_Intelligence_for_Kubernetes_DevOps_App": "/docs/integrations/global-intelligence/kubernetes-devops",
+  "/Observability_Solution/Kubernetes_Solution/Global_Intelligence_for_Kubernetes_DevOps_App": "/docs/integrations/global-intelligence",
+  "/docs/integrations/global-intelligence/kubernetes-devops": "/docs/integrations/global-intelligence",
   "/Observability_Solution/Kubernetes_Solution/Navigate_your_Kubernetes_environment": "/docs/observability/kubernetes",
   "/Search/Get-Started-with-Search/How-to-Build-a-Search/Best-Practices:-7-Search-Rules-to-Live-By": "/docs/search/get-started-with-search/build-search/best-practices-search",
   "/Search/Get-Started-with-Search/How-to-Build-a-Search/Search_Templates": "/docs/search/get-started-with-search/build-search/search-templates",

docs/api/about-apis/getting-started.md

@@ -15,9 +15,9 @@ Sumo Logic APIs follow Representational State Transfer (REST) patterns and are o
 
 ## Documentation
 
-To view our main docs, click the link below corresponding to your deployment. If you're not sure, see [How to determine your endpoint](#which-endpoint-should-i-should-use).
+To access our API documentation, navigate to the appropriate link based on your Sumo Logic deployment. If you're not sure, see [Which endpoint should I use?](#which-endpoint-should-i-should-use)
 
-| Deployment | API Docs URL                       |
+| Deployment | API documentation URL                       |
 |:-----------|:----------------------------------|
 | AU         | https://api.au.sumologic.com/docs/  |
 | CA         | https://api.ca.sumologic.com/docs/  |

docs/api/about-apis/intro-to-apis.md

@@ -9,14 +9,15 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/icons/operations/advanced-certificates.png')} alt="Thumbnail icon" width="50"/>
 
-Sumo Logic has a host of useful APIs across all products that can add valuable functionality to any organization by providing access to data and activities without going through the website. API calls can be used for data gathering, automation of processes, and custom reports.
+Sumo Logic has a host of useful APIs across all products that let you access data and perform actions without using the Sumo Logic UI. API calls can be used for to gather data, automate processes, and create custom reports.
 
-This article presumes that you have a solid understanding of Sumo Logic functionality: collectors, queries, security offerings, etc. While APIs are typically for "power users" looking for additional customization and access to web service resources, you also don't need a computer science degree to understand and make use of API calls. This article helps walk you through the basics and get you going with important data queries through the API.
+This article is for users who are familiar with Sumo Logic features (collectors, queries, and security tools, for example), but new to working with APIs. You don’t need a development background to follow along. We’ll cover the basics so you can start making API calls to run queries and perform tasks.
 
-In this article, you'll learn about:
-* How to create a Sumo Logic access ID/key.
-* How to access Sumo Logic APIs.
-* How to use APIs with Sumo Logic's Cloud SIEM.
+In this article, you'll learn how to:
+
+* Create a Sumo Logic access ID/key.
+* Access Sumo Logic APIs.
+* Use APIs with Sumo Logic's Cloud SIEM.
 
 ## Create an access key
 
@@ -66,11 +67,9 @@ However, most API users do not use a traditional web browser for API calls, othe
 An open source application such as [Postman](https://www.postman.com/) can be a convenient tool for testing and developing with API calls. To use Postman, download and install the app. Then:
 1. Enter the URL for the API call.
 1. Click the **Authorization** tab.
-1. Fill in the username and password fields with your Sumo Logic access ID and access key respectively. 
+1. Fill in the username and password fields with your Sumo Logic access ID and access key, respectively.
 1. Click **Send** when finished.
-1. You see the JSON output (or error messages if there is a problem) in the bottom panel.
-
-<img src={useBaseUrl('img/api/postman-ui.png')} alt="Postman UI" style={{border: '1px solid gray'}} width="800" />  
+1. You see the JSON output (or error messages if there is a problem) in the bottom panel.<br/><img src={useBaseUrl('img/api/postman-ui.png')} alt="Postman UI" style={{border: '1px solid gray'}} width="800" />  
 
 Most programming and scripting languages provide modules and libraries for making web service and API calls in code. For instance, the following Python code can make the same "get collectors" call programmatically using the `requests` library:
 
@@ -98,6 +97,18 @@ if __name__ == '__main__':
 
 As you are learning how APIs work, we recommend setting up an API test program, then follow along with the API examples shown in the following sections. To execute API commands, you can use Postman as shown above, another API test application, or set up a quick code snippet in Python or the programming language of your choice.
 
+### Download the OpenAPI Specification
+
+Optionally, you can download the OpenAPI Specification for the Sumo Logic API and import it to your API test application. This lets you view the full specification for all Sumo Logic APIs and run them directly from your testing tool.
+
+1. Select the API documentation URL for your deployment from the [Documentation](/docs/api/about-apis/getting-started/#documentation) section of the *API Authentication, Endpoints, and Security* article. For instance, US users would access either https://api.sumologic.com/docs/ or https://api.us2.sumologic.com/docs/. 
+1. Click the **Download** button at the top of the page. <br/><img src={useBaseUrl('img/api/openapi-spec-download-button.png')} alt="Button to download Sumo Logic OpenAPI Specification" style={{border: '1px solid gray'}} width="600" />
+1. Import the downloaded file to your API test application. For example, to [import the file to Postman](https://learning.postman.com/docs/getting-started/importing-and-exporting/importing-data/), select **File > Import**.
+1. The imported specification appears. Select any API to run it.<br/><img src={useBaseUrl('img/api/imported-api.png')} alt="Imported API specification" style={{border: '1px solid gray'}} width="500" />
+1. You can also download the API specification for Cloud SIEM or Cloud SOAR from the following locations. Simply select the API documentation URL for your deployment and click the **Download** button at the top of the page:
+     * [Cloud SIEM API documentation](/docs/api/cloud-siem-enterprise/#documentation)
+     * [Cloud SOAR API documentation](/docs/api/cloud-soar/#documentation)
+
 ## Basic API GET commands
 
 Retrieving system data and configuration is one of the most common use cases for utilizing platform APIs. These data retrieval operations are generally known as GET commands in reference to the "GET" verb used by the HTTP protocol. Data retrieved through API calls can be processed by outside applications and scripts for report generation and advanced analytics, extending functionality beyond that offered by the Sumo Logic website.
@@ -116,7 +127,9 @@ Note the first ID from your list or the sample ID shown above from the Sumo Logi
 
 <img src={useBaseUrl('img/api/collector-id.png')} alt="Collector ID" style={{border: '1px solid gray'}} width="800" />  
 
-Note that the collector data itself also contains a helpful follow-up link to analyze the sources currently configured for our chosen collector. Follow up by clicking on (or copying into the URL field) the given URL for sources:  `https://api.sumologic.com/api/v1/collectors/<collectorID>/sources`
+Note that the collector data itself also contains a helpful follow-up link to analyze the sources currently configured for our chosen collector. Follow up by clicking on (or copying into the URL field) the given URL for sources:
+
+`https://api.sumologic.com/api/v1/collectors/<collectorID>/sources`
 
 <img src={useBaseUrl('img/api/collector-sources.png')} alt="Collector sources" style={{border: '1px solid gray'}} width="800" />  
 
@@ -353,4 +366,4 @@ Or add a new comment to an existing insight by creating comment text in the requ
 
 <img src={useBaseUrl('img/api/insight-comment.png')} alt="Insight comment" style={{border: '1px solid gray'}} width="800" />
 
-All elements of Cloud SIEM functionality are available through the API, including rules, match lists, automations, tags, and custom actions. Users can even use the API to generate their own insights based on a custom selection of signals.
+All elements of Cloud SIEM functionality are available through the API, including rules, match lists, automations, tags, and custom actions. Users can even use the API to generate their own insights based on a custom selection of signals.

docs/cloud-soar/incidents-triage.md

@@ -503,3 +503,7 @@ With the **Report** option, you can create incident reports to share with others
     1. Click **Save**.<br/><img src={useBaseUrl('img/cloud-soar/delivery-2-save-report.png')} alt="Save a report" style={{border: '1px solid gray'}} width="300"/>
 1. Click **Export** to export the report to PDF.
 1. Click **Open** to open available reports.
+
+## Additional resources
+
+Blog: [Want to improve collaboration and reduce incident response time? Try Cloud SOAR War Room](https://www.sumologic.com/blog/want-to-improve-collaboration-and-reduce-incident-response-time-try-cloud-soar-war-room)

docs/cloud-soar/introduction.md

@@ -663,3 +663,15 @@ Let's create a custom automation rule. This rule will pull information from Clou
 1. Leave the other fields as their defaults, then click **Save**. 
 1. As a best practice, you can enable and test the new rule, but then disable it, since it can disrupt your environment. Continue testing your rule until their behavior is expected before deciding to enable it.
 
+## Additional resources
+
+* Blogs: 
+   * [Why you need both SIEM and SOAR to improve SOC efficiencies and increase effectiveness](https://www.sumologic.com/blog/why-you-need-siem-and-soar-to-improve-soc-efficiencies)
+   * [Cloud-native SOAR and SIEM solutions pave the road to the modern SOC](https://www.sumologic.com/blog/cloud-native-soar-and-siem-solutions-pave-the-road-to-the-modern-soc)
+   * [SIEM vs SOAR: Evaluating security tools for the modern SOC](https://www.sumologic.com/blog/soar-vs-siem)
+   * [Overwhelmed: Why SOAR solutions are a game changer](https://www.sumologic.com/blog/overwhelmed-why-soar-solutions-are-a-game-changer)
+   * [How to improve MTTD and MTTR with SOAR](https://www.sumologic.com/blog/how-to-improve-mttd-and-mttr-with-soar)
+   * [How to implement cybersecurity automation in SecOps with SOAR (7 simple steps)](https://www.sumologic.com/blog/how-to-implement-cyber-security-automation-in-secops-with-soar-7-simple-steps)
+* Briefs
+   * [Sumo Logic Cloud SOAR Solutions Brief](https://www.sumologic.com/briefs/sumo-logic-cloud-soar-solutions-brief)
+   * [How to calculate the ROI of Cloud SOAR](https://www.sumologic.com/briefs/how-to-calculate-roi-of-cloud-soar)

docs/cse/administration/cse-data-retention.md

@@ -6,30 +6,17 @@ description: See retention periods for different types of Cloud SIEM data.
 ---
 
 
-This topic lists the Cloud SIEM data that is retained on the Sumo Logic platform and in Cloud SIEM, and the retention period for each type of data.
+This topic describes how long different kinds of Cloud SIEM data are retained.
 
-## Sumo Logic platform
+| Data | Partition location   | Retention in the partition | Viewable in Cloud SIEM|
+| :-- | :-- | :-- | :-- |
+| Insights    | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions. <br/><br/> The [`sumologic_audit_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from user actions. <br/><br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days<br/><br/>This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely <br/><br/>Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years. |
+| Signals     | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).<br/>There is no additional charge for storage of signals.   | 2 years  |  Signals that are attached to insights are viewable in Cloud SIEM indefinitely. <br/><br/>Signals that are not attached to insights are viewable in Cloud SIEM for 30 days if suppressed, and for 1 year if unsuppressed. |
+| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days | Records attached to signals are viewable in Cloud SIEM as long as the signals are viewable (see above). Records not attached to signals are viewable for only 90 days. |
+| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention).  | Raw logs are not viewable in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) |
 
-This table lists where, and for how long, different types of Cloud SIEM data are retained on the Sumo Logic platform.
+## Custom retention periods
 
-| Data | Location   | Retention  |
-| :-- | :-- | :-- |
-| Raw logs | Raw logs reside in your Default Partition in Sumo Logic | The retention period defined for your Default Partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention).  |
-| Records | Records (normalized logs) are stored in the partitions whose names begin with the string `sec_records`. There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days |
-| Signals     | Stored in the `sec_signal` partition.<br/>There is no additional charge for storage of signals.   | 2 years  |   
-| Insights    | The `sumologic_system_events` partition contains insights and insight-related events that result from system actions. <br/> The `sumologic_audit_events` partition contains insights and insight-related events that result from user actions. <br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | By default, these partitions have a retention period of 30 days.  This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). |
-
-
-### Cloud SIEM  
-
-* Insights and signals that are attached to insights are retained in Cloud SIEM indefinitely.
-* Signals that are not attached to insights are retained in Cloud SIEM:
-    * For 30 days if suppressed. 
-    * For 365 days if unsuppressed.
-* Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years.
-
-### Custom retention periods
-
-You can request retention periods different from those declared in the tables above, as long as the retention period requested is greater than 1 day and less than 5000 days.
+You can request retention periods different from those declared in the table above, as long as the retention period requested is greater than 1 day and less than 5000 days.
 
 In order to do that, open a [Support ticket](/docs/get-started/help#support) with your request.