
Commit c7cc2ba

Merge branch 'main' into update-dashboard-screenshots
2 parents a14d7c9 + 28bc287 commit c7cc2ba


169 files changed

+645
-399
lines changed



blog-service/2025-07-28-alerts.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
title: Time range limits for subqueries in scheduled searches (Alerts)
3+
image: https://help.sumologic.com/img/reuse/rss-image.jpg
4+
keywords:
5+
- alerts
6+
- scheduled searches
7+
- subqueries
8+
hide_table_of_contents: true
9+
---
10+
11+
We've introduced time range limits for subqueries in scheduled searches. This change helps you prevent long-running, inefficient queries, especially those impacting system stability and that drive up costs. While maintaining flexibility, these optimizations protect system health and reduce operational overhead.
12+
13+
Key benefits of this enhancements include:
14+
15+
- Improved query performance and responsiveness.
16+
- Encourage efficient search practices.
17+
- Support sustainable resource usage.
18+
19+
[Learn more](/docs/alerts/scheduled-searches/schedule-search/#step-3-time-range).
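Review bot: "Key benefits of this enhancements include" should be "this enhancement", and the three bullets mix forms ("Improved ...", "Encourage ...", "Support ..."); make them parallel, e.g. "Improved query performance and responsiveness", "More efficient search practices", "Sustainable resource usage". The opening sentence also never says what actually changed for the user: per the schedule-search.md hunk in this same commit, subqueries are now validated against the same per-frequency maximum time range as the parent query, and a customer whose scheduled search suddenly fails validation will land on this post looking for exactly that, not for the motivation. "especially those impacting system stability and that drive up costs" should read "especially those that affect system stability and drive up costs".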

blog-service/2025-07-31-apps.md

Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
---
2+
title: Apps, Solutions, and Collection Integrations - July Release
3+
image: https://help.sumologic.com/img/reuse/rss-image.jpg
4+
keywords:
5+
- apps
6+
- july-release
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
### Enhancements
13+
14+
- **Updated OpenTelemetry apps**. [Oracle - OpenTelemetry](/docs/integrations/databases/opentelemetry/oracle-opentelemetry/), [SQL Server - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-opentelemetry/), and [SQL Server for Linux - OpenTelemetry](/docs/integrations/microsoft-azure/opentelemetry/sql-server-linux-opentelemetry/).
15+
- **Updated 1 Webhook app**. [Sentry](/docs/integrations/webhooks/sentry/).
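Review bot: `import useBaseUrl from '@docusaurus/useBaseUrl';` is unused in this file (no `<img src={useBaseUrl(...)}>` follows it), so drop it unless a screenshot is planned. "Updated 1 Webhook app" reads oddly beside "Updated OpenTelemetry apps"; "Updated Webhook app" is enough.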
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
title: OneLogin Source (Collection)
3+
image: https://help.sumologic.com/img/reuse/rss-image.jpg
4+
keywords:
5+
- c2c
6+
- onelogin-source
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
We're excited to announce the release of our new cloud-to-cloud source for OneLogin. This source aims to collect the user list logs from the OneLogin API and send it to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source).
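Review bot: "collect the user list logs from the OneLogin API and send it" should be "send them", and "user list logs" is too vague for a release note about an identity-provider source: say which OneLogin data is pulled (user records, authentication events, or both), because readers evaluating this for detection use need to know whether login events are covered or only the user directory. The same unused `useBaseUrl` import as in the apps post appears here.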
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
---
2+
title: Cloud Syslog Source Certificate Transition to ACM (Collection)
3+
image: https://help.sumologic.com/img/reuse/rss-image.jpg
4+
keywords:
5+
- certificates
6+
- Cloud Syslog Source
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
We're excited to announce that we are transitioning to AWS Certificate Manager (ACM) certificates for Transport Layer Security (TLS) communication between your cloud syslog sources and Sumo Logic.
13+
14+
Currently, Sumo Logic uses a DigiCert ALB certificate to secure communication with your cloud syslog sources. This certificate is set to expire on October 13, 2025, at which point Sumo Logic will transition to the ACM root certificates. This change provides the following benefits:
15+
* **Automated certificate renewal and deployment**. ACM eliminates the need for future manual renewals, reducing administrative overhead.
16+
* **Simplified infrastructure management for AWS customers**. ACM is deeply integrated into the AWS ecosystem, streamlining your overall infrastructure management. Because Sumo Logic is also on AWS, using ACM provides a seamless experience.
17+
18+
If you use cloud syslog sources to send data to Sumo Logic, please prepare for this transition by downloading and configuring the ACM certificate on your system. For more information and setup instructions, see:
19+
* [Cloud Syslog Source](/docs/send-data/hosted-collectors/cloud-syslog-source/)
20+
* [rsyslog](/docs/send-data/hosted-collectors/cloud-syslog-source/rsyslog)
21+
* [syslog-ng](/docs/send-data/hosted-collectors/cloud-syslog-source/syslog-ng/)
22+
* [Collect Logs for SentinelOne](/docs/send-data/collect-from-other-data-sources/collect-logs-sentinelone/)
23+
* [Acquia](/docs/integrations/saas-cloud/acquia/#step-2-configure-a-source)
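Review bot: the post uses three different terms for what the customer must install ("ACM certificates", "the ACM root certificates", "the ACM certificate") and none names the actual trust anchor; a syslog client verifying TLS needs the CA certificate(s) that the new ALB certificate chains to, not the server certificate itself. Name the CA file (or link the exact download) and state the failure mode: once the DigiCert-issued certificate expires on October 13, 2025, an rsyslog or syslog-ng client that only trusts the old chain will fail TLS verification and stop forwarding logs, so customers should add the new CA to their trust store alongside the existing one before the cutover rather than swap it on the day. "DigiCert ALB certificate" should be "DigiCert-issued certificate on the ALB".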

cid-redirects.json

Lines changed: 4 additions & 0 deletions
@@ -476,6 +476,7 @@
476476
"/05Search/Optimize-Search-Performance": "/docs/search/optimize-search-performance",
477477
"/05Search/Optimize-Search-Performance/Optimizing_Search_with_Partitions": "/docs/search/optimize-search-partitions",
478478
"/docs/manage/queries/optimize-queries": "/docs/search/optimize-search-performance",
479+
"/docs/search/search-across-child-org": "/docs/search/search-across-child-orgs",
479480
"/05Search/Search-Cheat-Sheets": "/docs/search/search-cheat-sheets",
480481
"/05Search/Search-Cheat-Sheets/General-Search-Examples-Cheat-Sheet": "/docs/search/search-cheat-sheets/general-search-examples",
481482
"/05Search/Search-Cheat-Sheets/grep-to-Searching-with-Sumo-Cheat-Sheet": "/docs/search/search-cheat-sheets/grep-searching-with-sumo",
@@ -2911,6 +2912,7 @@
29112912
"/cid/21037": "/docs/integrations/google/cloud-vpn",
29122913
"/cid/21333": "/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint",
29132914
"/cid/21039": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source",
2915+
"/cid/21059": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/onelogin-source",
29142916
"/cid/21041": "/docs/integrations/google/cloud-security-command-center",
29152917
"/cid/21097": "/docs/integrations/saas-cloud/confluent-cloud",
29162918
"/cid/21040": "/docs/manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers",
@@ -3801,6 +3803,7 @@
38013803
"/03Send-Data/Collect-from-Other-Data-Sources/Collect_Logs_from_AWS_Lambda_using_Lambda_Extension": "/docs/send-data/collect-from-other-data-sources/collect-aws-lambda-logs-extension",
38023804
"/03Send-Data/Collect-from-Other-Data-Sources/Collecting-Logs-from-a-Local-File-System": "/docs/send-data/installed-collectors/sources/local-file-source",
38033805
"/03Send-Data/Hosted-Collectors/GCP_Metrics_Source": "/docs/send-data/hosted-collectors/google-source/gcp-metrics-source",
3806+
"/03Send-Data/Hosted-Collectors/HTTP-Source": "/docs/send-data/hosted-collectors/http-source/logs-metrics",
38043807
"/03Send-Data/Sources/01Sources-for-Installed-Collectors": "/docs/send-data/installed-collectors/sources",
38053808
"/03Send-Data/Sources/01Sources-for-Installed-Collectors/Local_Windows_Event_Log_Source": "/docs/send-data/installed-collectors/sources/local-windows-event-log-source",
38063809
"/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services": "/docs/send-data/hosted-collectors/amazon-aws",
@@ -3886,6 +3889,7 @@
38863889
"/Apps/Preview_Apps/Cylance/01Collect_Logs_for_Cylance": "/docs/integrations/security-threat-detection/cylance",
38873890
"/Apps/Preview_Apps/Azure_Audit_App": "/docs/integrations/microsoft-azure/audit",
38883891
"/Apps/Preview_Apps/Azure_Audit+App": "/docs/integrations/microsoft-azure/audit",
3892+
"/Apps/Preview_Apps/Azure_Web_Apps": "/docs/integrations/microsoft-azure/web-apps",
38893893
"/Apps/Windows_App/Windows_App_Dashboards": "/docs/integrations/microsoft-azure",
38903894
"/Beta": "/docs/beta",
38913895
"/Beta/APIs": "/docs/api",

docs/alerts/scheduled-searches/schedule-search.md

Lines changed: 4 additions & 0 deletions
@@ -44,6 +44,10 @@ The [time range](../../search/get-started-with-search/search-basics/time-range-e
4444
This setting is different than the Time Range option configured for the Saved Search. The first time range is only used when you run the Saved Search from the Library. This Time Range applies to your Scheduled Search.
4545
:::
4646

47+
:::note
48+
The time range limitations below apply to both parent queries and subqueries in your scheduled search.
49+
:::
50+
4751
Alternately, type a time range; for example, -15m to run the search against data generated in the past 15 minutes. A time range outside the maximum allowed range for a given frequency is not allowed and presents the message like this: `Invalid query. Max allowed time range for 15 minutes frequency is 1 day`.
4852

4953
The maximum allowed time range for different Scheduled Search frequencies is as below:
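Review bot: the new note says the limits apply to subqueries, but the only example validation message shown (`Invalid query. Max allowed time range for 15 minutes frequency is 1 day`) is for the parent query; if a subquery that exceeds the limit produces a different message, or the same one without saying which query tripped it, state that here, since that is what a user debugging a failing scheduled search will be looking for. "The time range limitations below" is also ambiguous for a note placed above the "Alternately, type a time range" paragraph; "the maximum allowed time ranges in the table below" would be clearer.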

docs/cse/rules/write-first-seen-rule.md

Lines changed: 3 additions & 3 deletions
@@ -50,7 +50,7 @@ Watch this micro lesson to learn more about first seen rules.
5050

5151
A first seen rule is different from other Cloud SIEM rule types in that you don’t define the criteria for firing a signal. Instead, the rule expression in a first seen rule is simply a filter condition that defines what incoming records the rule will apply to. For each first seen rule, Cloud SIEM automatically creates a baseline model of normal behavior for a defined time period (by default for the last 90 days) evidenced by records that match the Rule Expression. The activity found during this period is considered normal behavior and will not be alerted on.
5252

53-
As soon as you save or update a first seen rule, the baseline is built using existing data collected. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
53+
As soon as you save or update a first seen rule (or disable and re-enable it), the full baseline is built using existing data collected. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
5454

5555
Once the baseline is created, when an incoming record includes matching activity not seen during the baseline retention period, the rule creates a signal identifying the activity as *first seen*. The signal indicates that the activity is first seen:
5656

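Review bot: "the full baseline is built using existing data collected" is ambiguous about whether the existing baseline is discarded and rebuilt from scratch or extended; given that the same paragraph warns that baselines over 50 million records become inefficient, the reader needs to know that disabling and re-enabling a rule (now listed as a trigger) rebuilds it entirely and can therefore put a large rule back into that state. Suggest "the baseline is rebuilt from scratch" if that is the behaviour, plus a one-line caution that toggling a rule is not a no-op.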
@@ -86,9 +86,9 @@ The settings in the **If Triggered** section determine what records the rule wil
8686

8787
1. **When a Record matching the expression**. Enter an expression that matches the records that you want to rule to apply to.
8888
1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
89-
1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
89+
1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule. (If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.)
9090
:::note
91-
If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
91+
The [baseline for a first seen rule](#baselines-for-first-seen-rules) is recalculated if a rule tuning expression that applies to the selected rule is updated. However, the baseline is not recalculated if the rule tuning expression applies to all rules.
9292
:::
9393
1. **has a new value for the field(s)**. Select the record field that will be used to build the baseline.
9494
1. **after building a [global | per Entity] baseline** The settings in this section define the scope of the baseline that will be built.
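Review bot: the new note leaves the consequence of a global tuning expression change unstated: if an expression that applies to all rules is edited and the baseline is not recalculated, the baseline keeps (or lacks) records that the updated expression now excludes (or includes), so first seen signals can fire, or fail to fire, against a stale model until the rule is next saved. Say that explicitly and point to saving, or disabling and re-enabling, the rule (the trigger added in the previous hunk) as the way to force a rebuild. The parenthetical moved into the "Add Tuning Expression" step is long for a numbered step; it read better as the note it was.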

docs/cse/rules/write-outlier-rule.md

Lines changed: 3 additions & 3 deletions
@@ -53,7 +53,7 @@ Watch this micro lesson to learn more about outlier rules.
5353

5454
When you create the rule, you can set the amount of time Cloud SIEM analyzes data to create a baseline model of behavior, with the default period being for the last 90 days. You can set the rule to build data hourly or daily, depending on how frequently you believe events of interest will occur, and how much data you want to gather. In the rule, you set the model sensitivity threshold to calculate outlier activity based on the number of standard deviations from the mean (z‑score).
5555

56-
As soon as you save or update an outlier rule, the baseline is built using existing data collected. So if your baseline retention period is for the last 90 days (the default), the system uses data from the last 90 days to build the baseline. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
56+
As soon as you save or update an outlier rule (or disable and re-enable it), the full baseline is built using existing data collected. So if your baseline retention period is for the last 90 days (the default), the system uses data from the last 90 days to build the baseline. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete. If the records gathered for a baseline exceed 50 million, the historical baseline capabilities become inefficient and it’s better to let the baseline gather data over time. You will be notified of this state in the UI, and can either let the baseline gather over the days set in the baseline, or edit the rule to filter more records or reduce the baseline period to keep it under 50 million records.
5757

5858
Once the baseline is created, Cloud SIEM tracks aggregates of count, sum, min, max, and averages of record values, and creates a signal when deviations from the mean occurs. For example, for the [spike in failed logins from a user](#use-case-for-a-spike-in-failed-logins-from-a-user) use case, Cloud SIEM builds a baseline model of counts of authentication failures that are associated with a user over time, and creates a signal when outlier behavior is detected:
5959

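Review bot: same point as in write-first-seen-rule.md: "the full baseline is built" should state whether the baseline is rebuilt from scratch, and that disabling and re-enabling the rule triggers that rebuild and can push a rule with more than 50 million matching records back into the inefficient state described two sentences later.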
@@ -91,9 +91,9 @@ The settings in the **If Triggered** section are divided into two subsections, o
9191
**Baseline Configuration**
9292
1. **For the records matching the expression**. Enter an expression that matches the records that you want to rule to apply to.
9393
1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
94-
1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
94+
1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule. (If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.)
9595
:::note
96-
If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
96+
The [baseline for an outlier rule](#baselines-for-outlier-rules) is recalculated if a rule tuning expression that applies to the selected rule is updated. However, the baseline is not recalculated if the rule tuning expression applies to all rules.
9797
:::
9898
1. **build a daily/hourly baseline**. Select the time window for building the baseline. It can either be a daily or hourly baseline.
9999
1. **for the entity(ies)**. Select one or more record fields for which you want baselines built. Selecting multiple fields will build a distinct baseline for a combination of entities.
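Review bot: as in write-first-seen-rule.md, the note should say what a stale baseline means here: after a global tuning expression change the z-score model still reflects records the new expression excludes, so outlier signals are computed against a mean and standard deviation that no longer match the filtered data until the rule is saved again. State that and name the save or disable/re-enable rebuild as the fix.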

docs/integrations/amazon-aws/amazon-ec2-auto-scaling.md

Lines changed: 4 additions & 4 deletions
@@ -107,8 +107,8 @@ When you create an AWS Source, you'll need to identify the Hosted Collector you
107107
1. **Metadata**. Click the **+Add Field** link to add custom log metadata [Fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value.
108108
1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”.
109109
1. Keep in mind:
110-
* ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
111-
* ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
110+
* <img src={useBaseUrl('img/reuse/green-check-circle.png')} alt="green check circle.png" width="20"/> A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
111+
* <img src={useBaseUrl('img/reuse/orange-exclamation-point.png')} alt="orange exclamation point.png" width="20"/> An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**.
112112

113113
### Collect metrics
114114

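Review bot: the new `<img src={useBaseUrl(...)}>` elements need `useBaseUrl` imported at the top of this file; the second hunk's unchanged "Metadata" line already calls it, so the import is presumably there, but confirm rather than rely on the build surfacing it. The alt text still carries the file name (`alt="green check circle.png"`); use a description such as "Green check mark" for screen readers. On the **Dropped** sentence: a field that is not in the schema is discarded silently, which matters for the `account` field the previous step tells the user to add, so consider adding that the user should verify the field shows green before relying on `account` in queries.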
@@ -118,8 +118,8 @@ When you create an AWS Source, you'll need to identify the Hosted Collector you
118118
1. **Metadata**. Click the **+Add Field** link to add custom log metadata [fields](/docs/manage/fields). Define the fields you want to associate, each field needs a name (key) and value.
119119
1. Add an **account** field and assign it a value which is a friendly name / alias to your AWS account from which you are collecting logs. Logs can be queried via the “account field”.<br/><img src={useBaseUrl('https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/AWS-Lambda/Metadata.png')} alt="Metadata" style={{border: '1px solid gray'}} width="500" />
120120
1. Keep in mind:
121-
* ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
122-
* ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
121+
* <img src={useBaseUrl('img/reuse/green-check-circle.png')} alt="green check circle.png" width="20"/> A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
122+
* <img src={useBaseUrl('img/reuse/orange-exclamation-point.png')} alt="orange exclamation point.png" width="20"/> An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**.
123123
:::note
124124
Namespace for Amazon EC2 Auto Scaling Service is AWS/AutoScaling.
125125
:::
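Review bot: these two bullets duplicate the ones in the logs section verbatim; since this "Keep in mind" block appears in both the logs and metrics steps (and in other AWS app pages), moving it to a shared partial would avoid the copies drifting, as they already had to be edited in lockstep here. Same alt-text point as in the previous hunk.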
