SumoLogic
diff --git a/‎.clabot‎
Lines changed: 2 additions & 1 deletion b/‎.clabot‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/pr.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pr.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎blog-cse/2025-06-02-application.md‎
Lines changed: 2 additions & 1 deletion b/‎blog-cse/2025-06-02-application.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎blog-cse/2025-06-12-content.md‎
Lines changed: 82 additions & 0 deletions b/‎blog-cse/2025-06-12-content.md‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎blog-cse/2025-06-26-content.md‎
Lines changed: 41 additions & 0 deletions b/‎blog-cse/2025-06-26-content.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎blog-csoar/2025-02-06-application-update.md‎
Lines changed: 1 addition & 1 deletion b/‎blog-csoar/2025-02-06-application-update.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎blog-csoar/2025-02-24-application-update.md‎
Lines changed: 1 addition & 1 deletion b/‎blog-csoar/2025-02-24-application-update.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎blog-csoar/2025-04-21-content.md‎
Lines changed: 1 addition & 1 deletion b/‎blog-csoar/2025-04-21-content.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎blog-csoar/2025-06-03-application-update.md‎
Lines changed: 56 additions & 0 deletions b/‎blog-csoar/2025-06-03-application-update.md‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎blog-service/2021/12-31.md‎
Lines changed: 1 addition & 1 deletion b/‎blog-service/2021/12-31.md‎
Lines changed: 1 addition & 1 deletion
@@ -184,7 +184,8 @@
     "dlindelof-sumologic",
     "snyk-bot",
     "stephenthedev",
-    "Apoorvkudesia-sumologic"
+    "Apoorvkudesia-sumologic",
+    "ntanwar-sumo"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",
 
@@ -44,5 +44,5 @@ jobs:
         name: Check spelling
         with:
           skip: "*.svg,*.js,*.map,*.css,*.scss"
-          ignore_words_list: "aks,atleast,cros,ddress,fiel,ist,nd,ot,pullrequest,ser,shttp,wast,fo,seldomly,delt,cruzer,plack,secur,te,nginx,Nginx,notin"
+          ignore_words_list: "aks,atleast,cros,ddress,delink,fiel,ist,nd,ot,pullrequest,ser,shttp,wast,fo,seldomly,delt,cruzer,plack,secur,te,nginx,Nginx,notin"
           path: docs
@@ -17,5 +17,6 @@ We're happy to announce that now when you create or update a first seen or outli
 To learn more, see our information about baselines for [first seen rules](/docs/cse/rules/write-first-seen-rule/) and [outlier rules](/docs/cse/rules/write-outlier-rule/#baselines-for-outlier-rules).
 
 :::note
-This change is rolling out across deployments incrementally and will be available on all deployments by June 12, 2025.
+* This feature update applies only to new and changed first seen and outlier rules. Unchanged existing rules will continue to use their existing baselines.
+* This feature update is rolling out across deployments incrementally and will be available on all deployments by June 12, 2025.
 :::
@@ -0,0 +1,82 @@
+---
+title: June 12, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- New detection rules for browser extension persistence, Kerberos certificate authentication, GitHub vulnerability alerts, Okta application access monitoring, and threat intelligence email matching.
+- New product support for Atlassian audit and login events.
+- Enhanced Azure Event Hub Windows Defender integration with new threat event mapping for passthrough alerts.
+- Cisco ASA updates with new network event support and NAT IP handling improvements.
+- Citrix NetScaler mapping updates to support additional events.
+- Update to Auth0 successful/unsuccessful login mappings to properly classify each.
+- CrowdStrike NextGen SIEM Alert event support.
+- Mimecast security event mapping improvements across several event types.
+- AWS CloudTrail network event enhancements with event success/failure handling and protocol support.
+- Parser updates to support additional event formats for multiple platforms.
+
+Changes are enumerated below.
+
+### Rules
+- [New] MATCH-S00897 Chromium Extension Installed
+    - Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values: `file_path` and/or `changeTarget` depending on the source of the telemetry. This rule logic utilizes Sysmon file creation events, which need to be enabled and configured on relevant assets.
+- [New] FIRST-S00064 First Seen Certificate Thumbprint in Successful Kerberos Authentication
+    - This alert looks for a first seen certificate thumbprint being used to authenticate to an Active Directory environment, resulting in a Kerberos ticket being successfully issued. This alert is designed to catch Active Directory Certificate Services related attacks, ensure the certificate thumprint is valid, correlate the thumbprint ID with other Certificate Services events, particularly looking for recently issued templates.
+- [New] MATCH-S00949 GitHub - Vulnerability Alerts
+    - Detects vulnerability alerts created for a GitHub repository.
+- [New] FIRST-S00070 Okta - First Seen Application Accessed by User
+    - This signal looks for a user that is accessing an application behind Okta SSO that is first seen since the baseline period. Ensure that access of this application is expected and authorized, look for other Okta events around the user account in question to determine whether access to this application is expected and authorized.
+- [New] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
+    - This rule detects when a user has utilized multiple distinct operating systems when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression or a match list.
+- [New] MATCH-S01020 Threat Intel - Matched Target Email
+    - Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
+- [New] MATCH-S01019 Threat Intel - Matched User Email
+    - Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
+- [Updated] MATCH-S00170 Windows - Scheduled Task Creation
+    - Fixed spelling error.
+
+### Log Mappers
+- [New] Altassian audit events
+- [New] Altassian login events
+- [New] Azure Event Hub - Windows Defender Azure Alert
+- [New] Cisco ASA 4180(18|19|44)
+- [New] Cisco ASA 713nnn JSON
+- [New] Cisco ASA Network events
+- [New] Citrix NetScaler - SSL Handshake Failure
+- [New] CrowdStrike NextGen SIEM
+- [Updated] Auth0 Failed Authentication
+- [Updated] Auth0 Successful Authentication
+- [Updated] Azure Event Hub - Windows Defender Logs
+- [Updated] Cisco ASA 106010 JSON
+- [Updated] Cisco ASA 20900(4|5) JSON
+- [Updated] Cisco ASA 50000(4|3) JSON
+- [Updated] Citrix NetScaler - TCP Connection
+- [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
+- [Updated] F5 HTTP Request
+- [Updated] Mimecast AV Event
+- [Updated] Mimecast Audit Authentication Logs
+- [Updated] Mimecast Audit Hold Messages
+- [Updated] Mimecast Audit Logs
+- [Updated] Mimecast DLP Logs
+- [Updated] Mimecast Email logs
+- [Updated] Mimecast Impersonation Event
+- [Updated] Mimecast Spam Event
+- [Updated] Mimecast Targeted Threat Protection Logs
+
+### Parsers
+- [New] /Parsers/System/Atlassian/Atlassian Audit Events
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
+- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
+- [Updated] /Parsers/System/AWS/CloudTrail
+- [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
+- [Updated] /Parsers/System/F5/F5 Syslog
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+- [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry
@@ -0,0 +1,41 @@
+---
+title: June 26, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+hide_table_of_contents: true    
+---
+
+
+This content release includes:
+- Device support for AWS VPN and VMware Avi Load Balancer.
+- Updates to Cisco ASA and Umbrella parsers to support additional log pattern variations.
+- Bug fix for year timestamp parsing with the potential of creating incorrect timestamps around the new year for records.
+
+## Log Mappers
+- [New] AWS VPN
+- [New] VMware Avi Load Balancer Catch All
+
+## Parsers
+- [New] /Parsers/System/AWS/AWS VPN
+- [New] /Parsers/System/VMware/VMware Avi Load Balancer
+- [Updated] /Parsers/System/Atlassian/Atlassian Audit Events
+- [Updated] /Parsers/System/Microsoft/Azure Storage Analytics
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
+- [Updated] /Parsers/System/Cylance/Cylance Syslog
+- [Updated] /Parsers/System/Cylance/Cylance Threat JSON
+- [Updated] /Parsers/System/JumpCloud/JumpCloud Directory Insights
+- [Updated] /Parsers/System/Miro/Miro Audit C2C
+- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
+- [Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance
+- [Updated] /Parsers/System/RSA/RSA SecurID SinglePoint
+- [Updated] /Parsers/System/Symantec/Symantec Endpoint Protection/Symantec Endpoint Protection-Syslog
+- [Updated] /Parsers/System/Tanium/Tanium CEF
+- [Updated] /Parsers/System/Trellix/Trellix MVision EPO
+- [Updated] /Parsers/System/Twistlock/Twistlock
+- [Updated] /Parsers/System/Zeek/Zeek
+- [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-CEF
+- [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
+- [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF
@@ -9,7 +9,7 @@ hide_table_of_contents: true
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-
+## January release
 
 ### Changes and Enhancements
 
 
@@ -9,7 +9,7 @@ hide_table_of_contents: true
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-
+## February release
 
 ### Changes and Enhancements
 
 
@@ -1,5 +1,5 @@
 ---
-title: April 21, 2025 - Content Release
+title: April 21, 2025 - Application Update
 hide_table_of_contents: true
 image: https://help.sumologic.com/img/sumo-square.png
 keywords:
 
@@ -0,0 +1,56 @@
+---
+title: June 3, 2025 - Application Update
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## May release
+
+### Changes and enhancements
+
+#### New feature: Enable/disable playbooks
+
+This feature allows users to easily enable or disable playbooks without deleting them, offering greater control over their execution.
+
+What's new:
+* Switch playbooks' status to enabled or disabled directly from the playbook details page.
+* The playbooks listing page now shows a status column to display the status of the playbooks.
+* Disabled playbooks will not execute from any linked triggers like monitors, insights, or incident rules, enhancing operational safety.
+* By default, playbooks with any published version are set to enabled, while those that are draft-only or have been deleted remain disabled.
+* Audit logs are generated whenever playbooks are enabled or disabled manually.
+
+For more information, see [Enable or disable playbooks](/docs/platform-services/automation-service/automation-service-playbooks/#enable-or-disable-playbooks).
+
+#### Integrations
+
+* [NEW] [Google Workspace IDP](/docs/platform-services/automation-service/app-central/integrations/google-workspace-idp/) – This integration automates user and group management in Google Workspace, simplifying identity and access control for improved security and efficiency.
+* [UPDATED] [Microsoft EWS Daemon](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews-daemon/) - Enhanced the handling of email attachments that may lack file extension, ensuring consistent detection and processing.
+* [UPDATED] [TheHive](/docs/platform-services/automation-service/app-central/integrations/thehive/) - Modified TheHive integration with case and observable enhancements:
+   * Fixed parsing issues for date related inputs with inconsistent formatting.
+   * Fixed SSL-related warning issues.
+   * Added organization name field in resource which will included in the headers.
+   * Enhanced error handling and made the integration more resilient to malformed inputs.
+* [UPDATED] [Sumo Logic Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools/) - Introduced the new "Scaled Decimal to Percentage" action, which converts a scaled decimal value into a percentage.
+* [UPDATED] [Microsoft Sentinel](/docs/platform-services/automation-service/app-central/integrations/microsoft-sentinel/) - Enhanced the "Microsoft Sentinel Incidents Daemon" action, and added support to seamlessly fetch subsequent paginated data.
+
+### Bug Fixes
+
+#### Playbooks
+
+* Fixed an issue where users were unable to use the "Answer by Email" option when selecting  the authorizer as a playbook input variable.
+* Fixed long text getting cropped in filter and conditions nodes preview.
+
+#### Rules
+
+* Resolved an issue where empty keys within nested list objects were not properly filtered during rule execution. This fix ensures accurate evaluation of `isnot` and `notcontains` conditions by excluding empty keys, resulting in improved data processing accuracy and rule performance.
+
+#### Incidents
+
+* Resolved data loading issue on incidents and triage listing tables.
+* Fixed issue related to user redirection to the logic page on session timeout.
@@ -649,7 +649,7 @@ Update - We have updated our [Enterprise Audit - Security Management App](/docs
 ---
 ## March 4, 2021 (Observability)
 
-Update - We're delighted to announce several enhancements to [Root Cause Explorer](/docs/observability/root-cause-explorer "Root Cause Explorer"). Root Cause Explorer now supports two additional AWS namespaces, as well as Events of Interest detection on Kubernetes and Trace metrics. Cause-impact analysis is now informed by Sumo Logic Tracing's Service Map, AWS X-ray, Kubernetes entities, and AWS inventory relationships. You'll also notice new filters and search builders at the top of the page to correlate Events of Interests at the service, orchestrator, AWS infrastructure, and host levels to speed up the identification of  root causes. You can use the Infrastructure tab for an Event of Interest to pivot to dashboards, logs, metrics and, trace searches to take the next steps in root cause analysis. 
+Update - We're delighted to announce several enhancements to Root Cause Explorer. Root Cause Explorer now supports two additional AWS namespaces, as well as Events of Interest detection on Kubernetes and Trace metrics. Cause-impact analysis is now informed by Sumo Logic Tracing's Service Map, AWS X-ray, Kubernetes entities, and AWS inventory relationships. You'll also notice new filters and search builders at the top of the page to correlate Events of Interests at the service, orchestrator, AWS infrastructure, and host levels to speed up the identification of  root causes. You can use the Infrastructure tab for an Event of Interest to pivot to dashboards, logs, metrics and, trace searches to take the next steps in root cause analysis. 
 
 ---
 ## March 1, 2021 (Metrics)