Merge branch 'main' into sumo_261549

Author: akhil-sumologic

.clabot

@@ -182,7 +182,9 @@
     "Deklin",
     "justrelax19",
     "dlindelof-sumologic",
-    "snyk-bot"
+    "snyk-bot",
+    "stephenthedev",
+    "Apoorvkudesia-sumologic"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

.github/workflows/build_and_deploy.yml

@@ -28,7 +28,7 @@ on:
 
 jobs:
   build-and-deploy:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.environment }}
       url: ${{ inputs.hostname }}${{ inputs.base_url }}

.github/workflows/delete-review.yml

@@ -4,7 +4,7 @@ on: delete
 
 jobs:
   delete-branch-environment:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     environment:
       name: review/${{ github.ref_name }}
     env:

.github/workflows/pr.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
     build-and-deploy:
-      runs-on: ubuntu-22.04
+      runs-on: ubuntu-latest
       env:
           CI: true
           NODE_ENV: production

blog-cse/2025-04-14-content.md

@@ -0,0 +1,81 @@
+---
+title: April 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Additional data requirements for GitHub rules added to rule descriptions.
+- Spelling corrections for AWS Lambda rules.
+- New Slack Anomaly Event log mapper and supporting parsing changes:
+   - Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
+   - Requires parser be defined for passthrough detection.
+- Updates to Sysdig parsing and mapping to support additional events.
+- Support for Microsoft Windows Sysmon-29 event.
+- Additional normalized field mappings for Microsoft Windows Sysmon events.
+- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields.
+
+
+### Rules
+- [Updated] MATCH-S00874 AWS Lambda Function Recon
+- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
+- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
+- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
+- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
+- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
+- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
+- [Updated] MATCH-S00955 GitHub - Member Permissions Modification
+- [Updated] MATCH-S00956 GitHub - OAuth Application Activity
+- [Updated] MATCH-S00957 GitHub - Organization Transfer
+- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
+- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
+- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
+- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
+- [Updated] MATCH-S00960 GitHub - Repository Transfer
+- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
+- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
+- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
+- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+
+### Log Mappers
+- [New] Slack Anomaly Event
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
+- [New] Windows - Microsoft-Windows-Sysmon/Operational-29
+- [Updated] Sysdig Secure Packages
+- [Updated] Sysdig Secure Vulnerability
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
+
+### Parsers
+- [New] /Parsers/System/Slack/Slack Enterprise Audit
+- [Updated] /Parsers/System/Sysdig/Sysdig Secure
+
+### Schema
+- [New] `targetUser_phoneNumber`
+- [New] `user_phoneNumber`

blog-cse/2025-04-25-content.md

@@ -0,0 +1,32 @@
+---
+title: April 25, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
+- Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.
+
+## Rules
+- [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
+- [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
+- [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
+- [Updated] MATCH-S01000 Threat Intel - MD5 Match
+- [Updated] MATCH-S01001 Threat Intel - PEHASH Match
+- [Updated] MATCH-S01003 Threat Intel - SHA1 Match
+- [Updated] MATCH-S01004 Threat Intel - SHA256 Match
+- [Updated] MATCH-S01002 Threat Intel - SSDEEP Match
+
+## Log Mappers
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+- [Updated] Microsoft Office 365 AzureActiveDirectory Events
+
+## Parsers
+- [Updated] /Parsers/System/Microsoft/Office 365

blog-cse/2025-05-09-content.md

@@ -0,0 +1,148 @@
+---
+title: May 9, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This release includes:
+- New rules for monitoring AWS services (see below for tuning guidance).
+- Updated rules for Microsoft O365 and Powershell.
+- Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
+- Updates to Cisco Umbrella mappers to add user_username.
+- Updates to SentinelOne mappers to drop null values.
+- New parsers for Azure Virtual Network and SentinelOne MGMT API.
+- Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.
+
+Changes are enumerated below.
+
+
+### Rules
+- [New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
+    - [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
+- [New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
+    - [Disabled by Default] Detection of a user account's first enumeration of custom AWS Bedrock models via ListCustomModels API. Verify the user is authorized for AWS Bedrock access. The http_userAgent field indicates whether a browser or CLI tool was used. This rule is disabled by default due to potential high volume of alerts, particularly from service accounts. Before enabling, consider excluding authorized users and service accounts (such as CNAPP monitoring accounts with timestamp-based usernames) through rule tuning expressions.
+- [New] OUTLIER-S00032 Outlier in Data Transferred from an S3 Bucket by User
+    - [Disabled by Default] This rule detects an unusual amount of data transferred outbound from an S3 bucket (requires AWS Data events are required). Verify if the user, role and IP address associated with this activity are authorized. This rule is disabled by default due to potential signal volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
+- [New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
+    - [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
+- [Updated] MATCH-S00069 O365 - Users Password Reset
+    - Changed Entity and Summary, replacing user_username with targetUser_username.
+- [Updated] MATCH-S00449 Powershell Execution Policy Bypass
+    - Fixed camel case in commandLine field.
+
+### Log Mappers
+- [New] Azure Virtual Network Flow logs
+- [Updated] Abnormal Security Threats
+- [Updated] Cisco ASA 103001 JSON
+- [Updated] Cisco ASA 103004 JSON
+- [Updated] Cisco ASA 106001 JSON
+- [Updated] Cisco ASA 106002 JSON
+- [Updated] Cisco ASA 106006 JSON
+- [Updated] Cisco ASA 106007 JSON
+- [Updated] Cisco ASA 106010 JSON
+- [Updated] Cisco ASA 106012 JSON
+- [Updated] Cisco ASA 106014 JSON
+- [Updated] Cisco ASA 106015 JSON
+- [Updated] Cisco ASA 106021 JSON
+- [Updated] Cisco ASA 106023 JSON
+- [Updated] Cisco ASA 106027 JSON
+- [Updated] Cisco ASA 106100 JSON
+- [Updated] Cisco ASA 106102-3 JSON
+- [Updated] Cisco ASA 109005-8 JSON
+- [Updated] Cisco ASA 110002 JSON
+- [Updated] Cisco ASA 111008-9 JSON
+- [Updated] Cisco ASA 111010 JSON
+- [Updated] Cisco ASA 113003 JSON
+- [Updated] Cisco ASA 113004 JSON
+- [Updated] Cisco ASA 113005 JSON
+- [Updated] Cisco ASA 113006 JSON
+- [Updated] Cisco ASA 113007 JSON
+- [Updated] Cisco ASA 113008 JSON
+- [Updated] Cisco ASA 113009 JSON
+- [Updated] Cisco ASA 113012-17 JSON
+- [Updated] Cisco ASA 113019 JSON
+- [Updated] Cisco ASA 113021 JSON
+- [Updated] Cisco ASA 113039 JSON
+- [Updated] Cisco ASA 209004 JSON
+- [Updated] Cisco ASA 302010 JSON
+- [Updated] Cisco ASA 302020-1 JSON
+- [Updated] Cisco ASA 303002 JSON
+- [Updated] Cisco ASA 304001 JSON
+- [Updated] Cisco ASA 304002 JSON
+- [Updated] Cisco ASA 305011-12 JSON
+- [Updated] Cisco ASA 313001 JSON
+- [Updated] Cisco ASA 313004 JSON
+- [Updated] Cisco ASA 313005 JSON
+- [Updated] Cisco ASA 314003 JSON
+- [Updated] Cisco ASA 315011 JSON
+- [Updated] Cisco ASA 322001 JSON
+- [Updated] Cisco ASA 322003 JSON
+- [Updated] Cisco ASA 338001-8+338201-4 JSON
+- [Updated] Cisco ASA 4000nn JSON
+- [Updated] Cisco ASA 402117 JSON
+- [Updated] Cisco ASA 402119 JSON
+- [Updated] Cisco ASA 405001 JSON
+- [Updated] Cisco ASA 405002 JSON
+- [Updated] Cisco ASA 406001 JSON
+- [Updated] Cisco ASA 406002 JSON
+- [Updated] Cisco ASA 419001 JSON
+- [Updated] Cisco ASA 419002 JSON
+- [Updated] Cisco ASA 500004 JSON
+- [Updated] Cisco ASA 502101-2 JSON
+- [Updated] Cisco ASA 502103 JSON
+- [Updated] Cisco ASA 602303-4 JSON
+- [Updated] Cisco ASA 605004-5 JSON
+- [Updated] Cisco ASA 609002 JSON
+- [Updated] Cisco ASA 611101-2 JSON
+- [Updated] Cisco ASA 611103 JSON
+- [Updated] Cisco ASA 710002-3 JSON
+- [Updated] Cisco ASA 710005 JSON
+- [Updated] Cisco ASA 713052 JSON
+- [Updated] Cisco ASA 713172 JSON
+- [Updated] Cisco ASA 713228 JSON
+- [Updated] Cisco ASA 716014-7-8 JSON
+- [Updated] Cisco ASA 716038 JSON
+- [Updated] Cisco ASA 716039 JSON
+- [Updated] Cisco ASA 716059 JSON
+- [Updated] Cisco ASA 719022-3 JSON
+- [Updated] Cisco ASA 721016-8 JSON
+- [Updated] Cisco ASA 722034 JSON
+- [Updated] Cisco ASA 722051 JSON
+- [Updated] Cisco ASA 722055 JSON
+- [Updated] Cisco ASA 733100 JSON
+- [Updated] Cisco ASA 751011 JSON
+- [Updated] Cisco ASA 751023 JSON
+- [Updated] Cisco ASA 751025 JSON
+- [Updated] Cisco ASA tcp_udp_sctp_builds JSON
+- [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
+- [Updated] Cisco Umbrella DNS Logs
+- [Updated] Cisco Umbrella IP Logs
+- [Updated] Cisco Umbrella Proxy Logs
+- [Updated] SentinelOne Logs - C2C activities
+- [Updated] SentinelOne Logs - C2C agents
+- [Updated] SentinelOne Logs - C2C alerts
+- [Updated] SentinelOne Logs - C2C threats
+- [Updated] SentinelOne Logs - C2C users
+- [Updated] SentinelOne Logs - Syslog Custom Parser
+
+### Parsers
+- [New] /Parsers/System/Microsoft/Azure Virtual Network
+- [New] /Parsers/System/SentinelOne/SentinelOne MGMT API
+- [Updated] /Parsers/System/Abnormal Security/Abnormal Security
+    - Updated the parser to support new events.
+- [Updated] /Parsers/System/Cisco/Cisco ASA
+    - Updated regex to fix ASA-6-721016 events.
+- [Updated] /Parsers/System/Cisco/Cisco ISE
+    - Updated parser to drop certain non-actionable logs.
+- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
+    - Updated parser to support additional event format variations.
+- [Updated] /Parsers/System/Cylance/Cylance Syslog
+    - Updated parser to support new events.
+- [Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
+    - Updated parser to drop phishing test events.

blog-csoar/2025-04-21-content.md

@@ -0,0 +1,42 @@
+---
+title: April 21, 2025 - Content Release
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## March and April releases
+
+### Changes and enhancements
+
+#### Integrations
+
+* [NEW] [ThreatDown Oneview](/docs/platform-services/automation-service/app-central/integrations/threatdown-oneview/). The ThreatDown OneView integration has been built from scratch to facilitate seamless security operations management. 
+* [NEW] [Atlassian Jira Cloud](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-cloud/). The Atlassian Jira Cloud integration has been developed from the ground up to streamline issue tracking and project management. 
+* [UPDATED] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/). Added a new Update IP Set action in the AWS WAF integration that allows users to update an existing IP set.
+
+#### Platform 
+
+##### Playbooks
+
+* Improved the user experience in the node popup when loading dynamic fields.
+* Added a confirmation dialog to alert users about pre-existing playbook drafts to avoid accidental overwriting while editing playbooks.
+* Implemented an alert popup to prevent accidental loss of unsaved changes when closing a node popup.
+* Added audit logs for failed nodes due to errors or exceptions during playbook execution.
+
+### Bug fixes
+
+#### General
+
+* Fixed a session timeout issue when the user is active in Automation Service, but inactive in Sumo Logic Log Analytics.
+* Fixed cursor positioning issue while typing in text areas.
+
+#### Integrations
+
+* Resolved a next page token and pageSize related issues in the List Permissions action of the  [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/) integration.
+* Added a new `impersonate_user` field in List Permission and Delete Permission actions, allowing actions to be performed on a user's behalf.

blog-service/2021/12-31.md

@@ -618,13 +618,13 @@ Update - [Scheduled View](/docs/manage/scheduled-views "Scheduled Views") quer
 ---
 ## March 16, 2021 (Alerts)
 
-Update - We have resolved a discrepancy in the notification payload of [Real Time Scheduled Searches](/docs/alerts/scheduled-searches/create-real-time-alert).
+Update - We have resolved a discrepancy in the notification payload of Real-Time Scheduled Searches.
 
 Previously, the payload for subsequent real time alerts in a given time range would incrementally report the results and omit the records that were already present in the previous alert.
 
 For example, if the Scheduled Search initially returned 10 records, the first alert notification would contain 10 records in the payload. If the next run contained the same 10 records plus 1 additional, the notification payload would only contain the single new record.
 
-Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
+Going forward, we will ensure that the records sent in the notification payload will always contain all the records returned in the Scheduled Search. Following the above example, the next run of the Real-Time Scheduled Search would return 11 records. This change ensures that the payload will always match the results of the search in Sumo Logic.
 
 ---
 ## March 12, 2021-12 (Collection)