Merge branch 'main' into docs-824-improve-threat-intel-documentation

Author: kimsauce

blog-cse/2025-04-25-content.md

@@ -0,0 +1,32 @@
+---
+title: April 25, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
+- Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.
+
+## Rules
+- [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
+- [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
+- [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
+- [Updated] MATCH-S01000 Threat Intel - MD5 Match
+- [Updated] MATCH-S01001 Threat Intel - PEHASH Match
+- [Updated] MATCH-S01003 Threat Intel - SHA1 Match
+- [Updated] MATCH-S01004 Threat Intel - SHA256 Match
+- [Updated] MATCH-S01002 Threat Intel - SSDEEP Match
+
+## Log Mappers
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+- [Updated] Microsoft Office 365 AzureActiveDirectory Events
+
+## Parsers
+- [Updated] /Parsers/System/Microsoft/Office 365

cid-redirects.json

@@ -4307,6 +4307,7 @@
   "/docs/manage/partitions/flex/estimate-and-actual-scan-data": "/docs/manage/partitions/flex/estimate-scan-data",
   "/docs/manage/partitions/flex/flex-pricing-faqs": "/docs/manage/partitions/flex/faq",
   "/docs/manage/partitions/flex/flex-pricing-faq": "/docs/manage/partitions/flex/faq",
+  "/docs/platform-services/automation-service/app-central/integrations/exana-open-dns": "/docs/platform-services/automation-service/app-central/integrations",
   "/docs/platform-services/automation-service/app-central/integrations/snowflake": "/docs/platform-services/automation-service/app-central/integrations",
   "/docs/integrations/security-threat-detection/palo-alto-networks-6": "/docs/integrations/security-threat-detection/palo-alto-networks-9",
   "/docs/integrations/security-threat-detection/palo-alto-networks-8":"/docs/integrations/security-threat-detection/palo-alto-networks-9",

docs/cse/rules/cse-rules-syntax.md

@@ -626,7 +626,7 @@ The following expression returns "10.10.1.0":
 
 ### hasThreatMatch
 
-The `hasThreatMatch` Cloud SIEM rules function matches incoming records in Cloud SIEM to [threat intelligence indicators](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). It can also match values in [custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/).
+Use the `hasThreatMatch` Cloud SIEM rules function to match incoming records in Cloud SIEM to [threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/). The function uses all sources in the **Threat Intelligence** tab, unless you specify a specific source. `hasThreatMatch` can also match values in [custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/).
 
 When an entity is processed by a rule using the `hasThreatMatch` function and is a match, the entity is associated with a known indicator that has a threat type attribute. The entity can be associated with either `threatType` (in normalized JSON format and CSV format), or `indicator_types` (in STIX format).
 
@@ -635,46 +635,31 @@ When an entity is processed by a rule using the `hasThreatMatch` function and is
 `hasThreatMatch([<fields>], <filters>, <indicators>)`
 
 Parameters:
-* `<fields>` is a list of comma-separated [field names](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/full_schema.md). At least one field name is required.
-* `<filters>` is a logical expression using [indicator attributes](/docs/security/threat-intelligence/upload-formats/#normalized-json-format). Allowed in the filtering are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `=>`, `!=`. <br/>You can filter on the following indicator attributes:
-   * `actors`
-   * `confidence`
-   * `id`
-   * `indicator`
-   * `killChain`
-   * `source`
-   * `threatType`
-   * `type`
-   * `validFrom`
-   * `validUntil`
-* `<indicators>` is an optional case insensitive option that describes how indicators should be matched with regard to their validity. Accepted values are:
+* **`<fields>`**. A list of comma-separated [field names](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/full_schema.md). At least one field name is required.
+* **`<filters>`**. A logical expression using [indicator attributes](/docs/security/threat-intelligence/upload-formats/#normalized-json-format). Allowed in the filtering are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `=>`, `!=`. <br/>You can filter on the following indicator attributes:
+   * `actors`. An identified threat actor such as an individual, organization, or group. 
+   * `confidence` Confidence that the data represents a valid threat, where 100 is highest.  Malicious confidence scores from different sources are normalized and mapped to a 0-100 numerical value.
+   * `id`. ID of the indicator.
+   * `indicator`. Value of the indicator, such as an IP address, file name, email address, etc. 
+   * `killChain`. The various phases an attacker may undertake to achieve their objectives (for example, `reconnaissance`, `weaponization`, `delivery`, `exploitation`, `installation`, `command-and-control`, `actions-on-objectives`).
+   * `source`. The source in the Sumo Logic datastore displayed in the **Threat Intelligence** tab.
+   * `threatType`. The threat type of the indicator (for example, `anomalous-activity`, `anonymization`, `benign`, `compromised`, `malicious-activity`, `attribution`, `unknown`).
+   * `type`. The indicator type (for example, `ipv4-addr`, `domain-name`, `'file:hashes`, etc.)
+   * `validFrom`. Beginning time this indicator is valid.
+   * `validUntil`. Ending time this indicator is valid. 
+* **`<indicators>`**. An optional case insensitive option that describes how indicators should be matched with regard to their validity. Accepted values are:
    * `active_indicators`. Match active indicators only (default).
    * `expired_indicators`. Match expired indicators only.
    * `all_indicators`. Match all indicators.
 
-**Examples**
-
-* `hasThreatMatch([srcDevice_ip])`
-* `hasThreatMatch([srcDevice_ip, dstDevice_ip])`
-* `hasThreatMatch([srcDevice_ip], type="ipv4-addr")`
-* `hasThreatMatch([srcDevice_ip], confidence > 50)`
-* `hasThreatMatch([srcDevice_ip], confidence > 50 AND source="TAXII2Source")`
-* `hasThreatMatch([srcDevice_ip], source="s1" OR (source="s2" confidence > 50))`
-* `hasThreatMatch([srcDevice_ip], expired_indicators)`
-* `hasThreatMatch([srcDevice_ip], confidence > 50, all_indicators)`
-
 #### Best practice
 
 As a best practice, always include filtering to narrow your match to just the types desired (that is, `type=`). This will ensure that your match expressions are not overly broad.
 
-For example:
-* `hasThreatMatch([dstDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))` 
-* `hasThreatMatch([file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_ssdeep, file_hash_sha1, file_hash_sha256], confidence > 1 AND type="file:hashes")` 
-* `hasThreatMatch([http_url], confidence > 1 AND type="url")` 
-* `hasThreatMatch([dstDevice_ip, srcDevice_ip], (confidence >1 AND confidence <50) AND (type='ipv4-addr' OR type='ipv6-addr'))`
-
 Following are the standard indicator types you can filter on:
-* `file:hashes`. File hash. (If you want to add the hash algorithm, enter `file:hashes.<HASH-TYPE>`. For example, `[file:hashes.MD5 = '5d41402abc4b2a76b9719d911017c592']` or `[file:hashes.'SHA-256' = '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c']`.)
+* `domain-name`. Domain.
+* `email-addr`. Email.
+* `file:hashes`. File hash.
 * `file`. File name. 
 * `ipv4-addr`. IPv4 IP address. 
 * `ipv6-addr`. IPv6 IP address. 
@@ -685,6 +670,28 @@ Following are the standard indicator types you can filter on:
 
 For more information about indicator types, see [Upload Formats for Threat Intelligence Indicators](/docs/security/threat-intelligence/upload-formats).
 
+**Examples**
+
+:::tip
+For standard rules that use the `hasThreatMatch` function, refer to the [Rules page in the Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md) and search for rules with "Threat Intel" in the name. To see examples of how these rules use `hasThreatMatch`, open and view the rules in Cloud SIEM.
+:::
+
+* `hasThreatMatch([srcDevice_ip], confidence > 1 AND (type='ipv4-addr' OR type='ipv6-addr'))`
+* `hasThreatMatch([device_ip], source="unit_42" AND confidence > 50) AND accountId="testing"`
+* `hasThreatMatch([device_hostname], confidence > 1 AND (type='domain-name' OR type='url'))`
+* `hasThreatMatch([dstDevice_hostname], confidence > 1 AND (type='domain-name' OR type='url'))`
+* `hasThreatMatch([file_hash_md5], confidence > 1 AND type='file:hashes.MD5')`
+* `hasThreatMatch([file_hash_sha1], confidence > 1 AND type="file:hashes.'SHA-1'")`
+* `hasThreatMatch([file_hash_sha256], confidence > 1 AND type="file:hashes.'SHA-256'")`
+* `hasThreatMatch([file_hash_ssdeep], confidence > 1 AND type='file:hashes.ssdeep')`
+* `hasThreatMatch([http_url_rootDomain], confidence > 1 AND (type='domain-name' OR type='url'))`
+* `hasThreatMatch([user_email,targetUser_email], confidence > 1 AND source = "s_global_feed_1")`
+
+You can exclude matches from allowlists such as [standard match lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists/#standard-match-lists). For example:
+```text
+hasThreatMatch([dstDevice_ip], confidence > 74 AND (type='ipv4-addr' OR type='ipv6-addr')) AND NOT (array_contains(listMatches, 'business_asns') OR array_contains(listMatches, 'business_domains') OR array_contains(listMatches, 'business_hostnames') OR array_contains(listMatches, 'business_ips') OR array_contains(listMatches, 'sandbox_ips') OR array_contains(listMatches, 'verified_domains') OR array_contains(listMatches, 'verified_hostnames') OR array_contains(listMatches, 'verified_ips'))
+```
+
 ### haversine
 
 Returns the distance between latitude and longitude values of two coordinates in kilometers.

docs/cse/sensors/network-sensor-end-of-life.md

@@ -24,5 +24,5 @@ If you have any questions, please don't hesitate to reach out to your Sumo Logic
 | :-- | :-- | :-- |
 | End-of-life announcement | The date this feature is announced as end-of-life. | November 8, 2024 |
 | End of software release | The last date that Sumo Logic may release any final software maintenance releases or bug fixes. After this date, Sumo Logic will no longer develop, repair, maintain, or test product software. | November 8, 2024 |
-| Last date of support | The last date to receive applicable support for the feature as entitled by active support contracts or by applicable warrant terms and conditIons. After this date, all support services for this feature are unavailable and the feature becomes obsolete. | April 30, 2025 |
+| Last date of support | The last date to receive applicable support for the feature as entitled by active support contracts or by applicable warrant terms and conditIons. After this date, all support services for this feature are unavailable and the feature becomes obsolete. | TBD |
 

docs/integrations/microsoft-azure/azure-container-instances.md

@@ -116,7 +116,7 @@ Sumo Logic Metrics source is currently in Beta, to participate, contact your Sum
 
 In the Sumo Logic Azure Metrics source configuration,
 
-- Tag the location field in the source with correct Azure resource location value. <br/><img src={useBaseUrl('img/integrations/microsoft-azure/Azure-Storage-Tag-Location.png')} alt="Azure Container Instance Tag Location" style={{border: '1px solid gray'}} width="400" />
+- To set up the Azure Metrics source in Sumo Logic, refer to the shared beta documentation.
 - Configure namespaces as `Microsoft.ContainerInstance/containerGroups`. <br/><img src={useBaseUrl('img/integrations/microsoft-azure/azure-container-instance-namespaces.png')} alt="Azure Container Instance Namespaces" style={{border: '1px solid gray'}} width="500" />
 
 ### Configure logs collection

docs/integrations/microsoft-azure/kubernetes.md

@@ -258,9 +258,7 @@ tenant_name={{tenant_name}} subscription_id={{subscription_id}} resource_group={
 Sumo Logic Metrics source is currently in Beta, to participate, contact your Sumo Logic account executive.
 :::
 
-In the Sumo Logic Azure Metrics source configuration,
-
-- Tag the location field in the source with correct Azure resource location value. <br/><img src={useBaseUrl('img/integrations/microsoft-azure/Azure-Storage-Tag-Location.png')} alt="Azure Container Instance Tag Location" style={{border: '1px solid gray'}} width="400" />
+- To set up the Azure Metrics source in Sumo Logic, refer to the shared beta documentation.
 - Configure the namespaces as `Microsoft.ContainerService/managedClusters`, `microsoft.kubernetes/connectedClusters`, `microsoft.kubernetesconfiguration/extensions`, and `microsoft.hybridcontainerservice/provisionedClusters`. <br/><img src={useBaseUrl('img/integrations/microsoft-azure/azure-kubernetes-service-namespaces.png')} alt="Azure Container Instance Namespaces" style={{border: '1px solid gray'}} width="500" />
 
 ### Collecting logs for the Azure Kubernetes Cluster  

docs/integrations/product-list/product-list-a-l.md

@@ -217,7 +217,6 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/ermes.png')} alt="Thumbnail icon" width="75"/> | [Ermes](https://www.ermes.company/) | Automation integration: [Ermes](/docs/platform-services/automation-service/app-central/integrations/ermes/) |
 | <img src={useBaseUrl('img/integrations/misc/eset-logo.png')} alt="Thumbnail icon" width="75"/> | [ESET](https://www.eset.com/us/) | Cloud SIEM integration: [ESET](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/ced86de0-64e4-4e7c-ae25-fb5b3dff3cb8.md) |
 | <img src={useBaseUrl('img/integrations/misc/exabeam-logo.svg')} alt="Thumbnail icon" width="75"/> | [Exabeam](https://www.exabeam.com/) | Cloud SIEM integration: [Exabeam](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9d2d799d-2d6c-4894-a46f-0cce00641bcb.md) |
-| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/exana-open-dns.png')} alt="Thumbnail icon" width="100"/> | [Exana](https://www.f6s.com/company/exana.io) | Automation integration: [Exana Open DNS](/docs/platform-services/automation-service/app-central/integrations/exana-open-dns/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/exploit-database.png')} alt="Thumbnail icon" width="75"/> | [Exploit Database](https://www.exploit-db.com/) | Automation integration: [Exploit Database](/docs/platform-services/automation-service/app-central/integrations/exploit-database/) |
 | <img src={useBaseUrl('img/integrations/misc/extrahop-logo.png')} alt="Thumbnail icon" width="100"/>  | [ExtraHop](https://www.extrahop.com/)  | Cloud SIEM integration: [Extrahop](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/a8b03e2e-7497-4104-874d-cafd03aeb4c1.md) <br/>Community app: [Sumo Logic for ExtraHop Reveal(x) 360](https://github.com/SumoLogic/sumologic-content/tree/master/ExtraHop%20Reveal(x)%20360)  |
 

docs/integrations/saas-cloud/sumo-collection.md

@@ -200,4 +200,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
 
 import AppUninstall from '../../reuse/apps/app-uninstall.md';
 
-<AppUninstall/>
+<AppUninstall/>