blog-cse/2025-04-15-application.md
2 additions & 2 deletions
@@ -12,6 +12,6 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
12
12
13
13
### New method for building baselines
14
14
15
-
We're happy to announce that now when you create or update a first seen or outlier rule, the baseline starts building immediately using data already in the system. Typically, the baseline is done in minutes. Now you don't have to wait days for a baseline learning period to end before a baseline is built and ready to use, allowing you to get value more quickly from your first seen and outlier rules.
15
+
We're happy to announce that now when you create or update a first seen or outlier rule, the baseline starts building immediately using data already in the system. Typically, the baseline is done in minutes. Now you don't have to wait days for a baseline learning period to end before a baseline is built and ready to use, allowing you to get value more quickly from your first seen and outlier rules. This will also allow you to iterate your first seen and outlier rules rapidly, cutting down tuning time from weeks to minutes.
16
16
17
-
To learn more, see our information about baselines for [first seen rules](/docs/cse/rules/write-outlier-rule/#baselines-for-outlier-rules) and [outlier rules](/docs/cse/rules/write-outlier-rule/#baselines-for-outlier-rules).
17
+
To learn more, see our information about baselines for [first seen rules](/docs/cse/rules/write-first-seen-rule/) and [outlier rules](/docs/cse/rules/write-outlier-rule/#baselines-for-outlier-rules).
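Review bot: The first seen link in new line 15 now points at the page root (`/docs/cse/rules/write-first-seen-rule/`) while the outlier link points at a section anchor; since this same commit edits write-first-seen-rule.md under a `## Baselines for first seen rules` heading, linking to `/docs/cse/rules/write-first-seen-rule/#baselines-for-first-seen-rules` would land readers on the baseline section directly and match the outlier link. Correcting the first link is the right fix (the old line sent both links to the outlier anchor). Separately, "cutting down tuning time from weeks to minutes" is a claim the two doc pages in this commit do not state anywhere; consider limiting it to what they do support (the baseline builds in minutes, so iterating a rule no longer waits on a learning period).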
docs/cse/rules/write-first-seen-rule.md
4 additions & 2 deletions
@@ -61,9 +61,11 @@ Watch this micro lesson to learn more about first seen rules.
61
61
62
62
## Baselines for first seen rules
63
63
64
-
A first seen rule is different from other Cloud SIEM rule types in that you don’t define the criteria for firing a signal. Instead, the rule expression in a first seen rule is simply a filter condition that defines what incoming records the rule will apply to. For each first seen rule, Cloud SIEM automatically creates a baseline model of normal behavior for a defined learning period (by default for the last 30 days) evidenced by records that match the Rule Expression. As soon as you save or update a first seen rule, the baseline is built using existing data collected. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete.
64
+
A first seen rule is different from other Cloud SIEM rule types in that you don’t define the criteria for firing a signal. Instead, the rule expression in a first seen rule is simply a filter condition that defines what incoming records the rule will apply to. For each first seen rule, Cloud SIEM automatically creates a baseline model of normal behavior for a defined time period (by default for the last 30 days) evidenced by records that match the Rule Expression. The activity found during this period is considered normal behavior and will not be alerted on. As soon as you save or update a first seen rule, the baseline is built using existing data collected. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete.
65
65
66
-
Once the baseline is created, when an incoming record includes matching activity not seen during the baseline learning period, the rule creates a signal.
66
+
Once the baseline is created, when an incoming record includes matching activity not seen during the baseline learning period, the rule creates a signal identifying the activity as *first seen*. The signal indicates that the activity is first seen:
67
+
68
+
<img src={useBaseUrl('img/cse/first-seen-signal-example.png')} alt="First seen signal example" style={{border: '1px solid gray'}} width="600"/>
67
69
68
70
For example, for the “First time a user logged in from a new geographic location” use case, Cloud SIEM will build a baseline model of all the geolocations from where a logon event is seen for the entity (user). Once the baseline is created, Cloud SIEM will create a signal for every new geolocation detected and incrementally add to the baseline.
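Review bot: Terminology drifts in this hunk: new line 64 replaces "learning period" with "time period", but new line 66 (same hunk) still says "baseline learning period", and the blog entry in this commit also says "learning period"; pick one term. The added sentence "The activity found during this period is considered normal behavior and will not be alerted on" is a useful caveat that deserves one more sentence for operators: because the baseline is built from existing data at save time, any activity already present in the 30-day window is treated as normal and the rule will not signal on it, so a rule created after unusual activity has begun will not flag that activity. Also, new line 66 states the same thing twice ("creates a signal identifying the activity as *first seen*. The signal indicates that the activity is first seen:"); keep one clause, e.g. "the rule creates a signal identifying the activity as *first seen*:" before the image.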
docs/cse/rules/write-outlier-rule.md
2 additions & 2 deletions
@@ -64,15 +64,15 @@ Watch this micro lesson to learn more about outlier rules.
64
64
65
65
## Baselines for outlier rules
66
66
67
-
When you create the rule, you can set the amount of time Cloud SIEM analyzes data to create a baseline model of behavior, with the default period being for the last 30 days. You can set the rule to build data hourly or daily, depending on how frequently you believe events of interest will occur, and how much data you want to gather. Data for the baseline is retained by default for 90 days. In the rule, you set the model sensitivity threshold to calculate outlier activity based on the number of standard deviations from the mean (z‑score).
67
+
When you create the rule, you can set the amount of time Cloud SIEM analyzes data to create a baseline model of behavior, with the default period being for the last 30 days. You can set the rule to build data hourly or daily, depending on how frequently you believe events of interest will occur, and how much data you want to gather. In the rule, you set the model sensitivity threshold to calculate outlier activity based on the number of standard deviations from the mean (z‑score).
68
68
69
69
As soon as you save or update an outlier rule, the baseline is built using existing data collected. So if your baseline learning period is for the last 30 days (the default), the system uses data from the last 30 days to build the baseline. If data exists in the system to build the baseline, baseline creation typically takes only minutes to complete.
70
70
71
71
Once the baseline is created, Cloud SIEM tracks aggregates of count, sum, min, max, and averages of record values, and creates a signal when deviations from the mean occurs. For example, for the [spike in failed logins from a user](#use-case-for-a-spike-in-failed-logins-from-a-user) use case, Cloud SIEM builds a baseline model of counts of authentication failures that are associated with a user over time, and creates a signal when outlier behavior is detected:
72
72
73
73
<img src={useBaseUrl('img/cse/outlier-signal-example.png')} alt="Outlier signal example" style={{border: '1px solid gray'}} width="600"/>
74
74
75
-
After your rule starts generating signals, evaluate them to determine if they truly represent outliers of concern, and adjust the rule settings as needed. For example, if too many signals are being generated, the baseline model is too sensitive, and you need to set the model sensitivity threshold higher on the rule; if too few signals are generated, set the threshold lower. Among other things, also evaluate if the signals from outliers are generating enough insights. To [generate an insight](/docs/cse/get-started-with-cloud-siem/insight-generation-process/), by default the combined severity scores of signals need to be 12 or higher. Change the severity level in the outlier rule to ensure that it is high enough to generate enough signals to trigger insights for investigation.
75
+
After your rule starts generating signals, evaluate them to determine if they truly represent outliers of concern, and adjust the rule settings as needed. For example, if too many signals are being generated, the baseline model is too sensitive, and you need to set the model sensitivity threshold higher on the rule; if too few signals are generated, set the threshold lower. Among other things, also evaluate if the signals from outliers are generating enough insights. To [generate an insight](/docs/cse/get-started-with-cloud-siem/insight-generation-process/), by default the combined severity scores of signals need to be 12 or higher or a custom insight can be used. Change the severity level in the outlier rule or create a custom insight to trigger insights based on this rule for investigation.
76
76
77
77
:::tip
78
78
Sumo Logic ensures that rule processing does not impact the reliability of production environments through the implementation of "circuit breakers." If a rule matches too many records in too short a period of time, the circuit breaker will trip and the rule will move to a degraded state, and outlier rules are no exception.
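Review bot: Line 67 drops "Data for the baseline is retained by default for 90 days" without a replacement; if retention is no longer 90 days, or no longer a fixed default, say what applies now or where it is documented, otherwise the page loses its only statement about how long baseline data is kept. In new line 75, "need to be 12 or higher or a custom insight can be used" reads as a run-on; suggest "need to be 12 or higher, unless a custom insight is used", after which the next sentence can read "Change the severity level in the outlier rule, or create a custom insight, to trigger insights based on this rule for investigation." Minor and pre-existing in the unchanged context at line 71: "when deviations from the mean occurs" should be "occur".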