Merge branch 'main' into docs-1281-add-back-crowdstrike-threat-intel-info

Author: jpipkin1

blog-cse/2025-12-05-content.md

@@ -0,0 +1,96 @@
+---
+title: December 05, 2025 - Content Release
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+This new and updated content is effective as of December 4, 2025.
+
+This content release includes:
+- Updates to product naming from "G Suite" to "Google Workspace" across rules, log mappers, and parsers to reflect the current branding.
+- Update to product naming from "Dell SonicWall" to "SonicWall Firewall" in parsers and log mappers.
+- New support for Asana audit logging.
+
+Additional changes are enumerated below.
+
+## Rules
+- [Updated] MATCH-S00630 GCP Audit IAM DeleteServiceAccount Observed
+- [Updated] MATCH-S00629 GCP Audit IAM DisableServiceAccount Observed
+- [Updated] MATCH-S00117 Google Workspace - Access - Access Transparency
+- [Updated] MATCH-S00115 Google Workspace - Admin - User Settings - Turn Off 2SV
+- [Updated] MATCH-S00133 Google Workspace - Admin Activity
+- [Updated] MATCH-S00125 Google Workspace - Drive - Drive Open To Public
+- [Updated] MATCH-S00301 Google Workspace - Excessive OAuth Application Permissions Scope
+- [Updated] MATCH-S00128 Google Workspace - Login - Account Warning
+- [Updated] MATCH-S00129 Google Workspace - Login - Government Attack Warning
+- [Updated] MATCH-S00121 Google Workspace - Mobile - Suspicious Activity
+- [Updated] MATCH-S00227 Google Workspace - Unauthorized OAuth Application
+- [Updated] MATCH-S00120 Google Workspace - User Accounts - 2SV Disabled
+
+## Log Mappers
+- [New] Asana Audit Authentication
+- [New] Asana Audit Catch All
+- [Updated] Azure ResourceHealth and ServiceHealth
+- [Updated] AzureActivityLog AuditLogs
+- [Updated] Google Workspace - access_transparency/GSUITE_RESOURCE/ACCESS
+- [Updated] Google Workspace - admin
+- [Updated] Google Workspace - calendar
+- [Updated] Google Workspace - drive.access
+- [Updated] Google Workspace - drive.acl_change
+- [Updated] Google Workspace - gcp
+- [Updated] Google Workspace - gplus
+- [Updated] Google Workspace - groups
+- [Updated] Google Workspace - groups_enterprise
+- [Updated] Google Workspace - login - password_change/recovery_info_change
+- [Updated] Google Workspace - login - risky_sensitive_action_allowed
+- [Updated] Google Workspace - login challenge
+- [Updated] Google Workspace - login-blocked_sender_change
+- [Updated] Google Workspace - login-email_forwarding_change
+- [Updated] Google Workspace - login.account_warning
+- [Updated] Google Workspace - login.gov_attack_warning
+- [Updated] Google Workspace - login.login
+- [Updated] Google Workspace - logout
+- [Updated] Google Workspace - meet
+- [Updated] Google Workspace - mobile
+- [Updated] Google Workspace - rules
+- [Updated] Google Workspace - saml
+- [Updated] Google Workspace - token
+- [Updated] Google Workspace - user_accounts
+- [Updated] Google Workspace Alert Center - AppMaker Editor
+- [Updated] Google Workspace Alert Center - Data Loss Prevention
+- [Updated] Google Workspace Alert Center - Domain wide takeout
+- [Updated] Google Workspace Alert Center - Gmail phishing
+- [Updated] Google Workspace Alert Center - Gmail phishing (Misconfigured whitelist)
+- [Updated] Google Workspace Alert Center - Google Operations
+- [Updated] Google Workspace Alert Center - Google identity
+- [Updated] Google Workspace Alert Center - Mobile device management (Device compromised)
+- [Updated] Google Workspace Alert Center - Mobile device management (Suspicious activity)
+- [Updated] Google Workspace Alert Center - Security Center rules
+- [Updated] Google Workspace Alert Center - Sensitive Admin Action
+- [Updated] Google Workspace Alert Center - State Sponsored Attack
+- [Updated] Google Workspace Alert Center - User Changes
+- [Updated] Netskope - Alerts
+    - Updated action and normalizedAction field mappings.
+- [Updated] SonicWall Firewall - Custom Parser
+- [Updated] SonicWall Flows
+- [Updated] Thinkst Canary Parser - Catch All
+    - Added additional field mappings.
+- [Updated] Windows - Security - 5145
+    - Removes redundant mapping of `baseimage` and `device_ip` fields.
+
+## Parsers
+- [New] /Parsers/System/Asana/Asana Audit
+- [New] /Parsers/System/Google/Google Workspace Alert Center
+- [New] /Parsers/System/Google/Google Workspace Audit
+- [New] /Parsers/System/SonicWall/SonicWall Firewall
+- [Updated] /Parsers/System/Dell/Dell SonicWall
+- [Updated] /Parsers/System/Google/G Suite Alert Center
+- [Updated] /Parsers/System/Google/G Suite Audit
+- [Updated] /Parsers/System/Linux/Linux OS Syslog
+    - Updated parser to drop certain systemd events not useful for security monitoring.
+- [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
+    - Modified parser to improve field extraction.

docs/get-started/sumo-logic-ui-classic.md

@@ -7,12 +7,14 @@ description: Get to know the Sumo Logic platform user interface.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
+:::note 
+This page describes the Classic UI. For the most streamlined navigation and the newest user experience, switch to the [New UI](/docs/get-started/sumo-logic-ui).
+:::
+
 This page provides an overview of the Sumo Logic Classic UI, designed to help you navigate and utilize its features effectively.
 
 <img src={useBaseUrl('img/get-started/overview-classic-ui.png')} alt="Overview screenshot of the Classic UI" style={{border: '1px solid gray'}} width="800" />
 
-The Classic UI will be retired in 2025 and will no longer receive updates. The exact date will be communicated closer to the transition. For the latest features, performance improvements, and future innovations, switch to the [New UI](/docs/get-started/sumo-logic-ui) as soon as possible.
-
 ## Switching between the Classic and New UI
 
 If you're using the New UI and need to navigate back to the Classic UI, click the **Return to classic UI** option in the left navigation menu. And to switch back to the New UI, follow the same steps, selecting **Switch to New UI** instead.

docs/search/search-query-language/search-operators/macro.md

@@ -39,18 +39,18 @@ To create a macro, follow the steps below:
 1.  [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
 1. Click **+ Add Macro**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
 1. Or, in the log search page, select the part of search query language that needs to be reused and click on **Create Macro**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-search-page.png')} alt="macro-search-page" style={{border: '1px solid gray'}} width="800" />
-1. **Macro Details**. Enter the name for the macro. Description is optional.
-1. **Macro Definition**. Enter the definition for the macro. To add arguments use the `{{Arg}}` syntax or select a part of the definition and click on **Add Argument**.
-1. (Optional) **Arguments**. Enter the name and select the data type for the argument selected.
-1. (Optional) **Argument Validation**. Define the validation condition and enter the error message that needs to be shown when the validation expression returns false.
-1. **Usage**. Preview of how you use the macro in the log search.
-1. Click **Submit** to save the macro.
+1. In the **Create Macro** page, enter the following details: <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/create-macro.png')} alt="create-macro" style={{border: '1px solid gray'}} width="800" />
+    1. **Macro Details**. Enter the name for the macro. Description is optional.
+    1. **Macro Definition**. Enter the definition for the macro. To add arguments use the `{{Arg}}` syntax or select a part of the definition and click on **Add Argument**.
+    1. (Optional) **Arguments**. Enter the name and select the data type for the argument selected.
+    1. (Optional) **Argument Validation**. Define the validation condition and enter the error message that needs to be shown when the validation expression returns false.
+    1. **Usage**. Preview of how you use the macro in the log search.
+    1. Click **Submit** to save the macro.
 
 ### Limitations
 
 - You can create a maximum of 50 macros.
 - You can add a maximum of 5 arguments.
-- You cannot edit or delete the macro. Submit a customer request to Sumo Logic if you still need to edit or delete a macro.
 - You are only allowed to use single expression.
 - You can only use the below listed argument validations:
   - `isValidIpV4`
@@ -110,3 +110,18 @@ To view any existing macro, follow the steps below:
 1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Managemenu**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
 1. In the **Macros** page, click on any of the macros that you want to view the macro details.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
 1. To use the selected macro in your log search query, copy the suggested **Usage** of the macro and include it in your query syntax. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-details.png')} alt="view-macro-logs-details" style={{border: '1px solid gray'}} width="400" />
+
+## Edit a macro operator
+
+1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
+1. In the **Macros** page, click on any of the macros that you want to edit.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
+1. Click **Edit** button to open the pane for editing. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-edit-button.png')} alt="macro-delete-pop-up" style={{border: '1px solid gray'}} width="400" />
+1. In the **Edit [macroname] macro** pop-up, click on **Continue**. You can also check where your macros have been used to avoid broken queries by clicking on **check queries that reference this macro**. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-edit-pop-up.png')} alt="macro-delete-pop-up" style={{border: '1px solid gray'}} width="400" />
+1. In the macro editing pane, perform the required editing and click **Submit**.
+
+## Delete a macro operator
+
+1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
+1. In the **Macros** page, click on any of the macros that you want to delete.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
+1. Click **Delete** button to delete the macro. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-delete-button.png')} alt="macro-delete-button" style={{border: '1px solid gray'}} width="400" />
+1. In the **Delete [macroname] macro** pop-up, click on **Delete**. You can also check where your macros have been used to avoid broken queries by clicking on **check queries that reference this macro**. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-delete-pop-up.png')} alt="macro-delete-pop-up" style={{border: '1px solid gray'}} width="400" />

static/img/search/searchquerylanguage/search-operators/create-macro.png

@@ -9748,9 +9748,9 @@ mdast-util-phrasing@^4.0.0:
     unist-util-is "^6.0.0"
 
 mdast-util-to-hast@^13.0.0:
-  version "13.2.0"
-  resolved "https://registry.yarnpkg.com/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz#5ca58e5b921cc0a3ded1bc02eed79a4fe4fe41f4"
-  integrity sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==
+  version "13.2.1"
+  resolved "https://registry.yarnpkg.com/mdast-util-to-hast/-/mdast-util-to-hast-13.2.1.tgz#d7ff84ca499a57e2c060ae67548ad950e689a053"
+  integrity sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==
   dependencies:
     "@types/hast" "^3.0.0"
     "@types/mdast" "^4.0.0"