Add AWS VPC Flow

Author: jpipkin1

docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md

@@ -1,16 +1,16 @@
 ---
 id: auth0
-title: Ingest Auth0 data into Cloud SIEM
+title: Ingest Auth0 Data into Cloud SIEM
 sidebar_label: Auth0
 description: Configure an HTTP source to ingest Auth0 log messages and send them to Cloud SIEM’s Auth0 system parser.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
 To ingest Auth0 data into Cloud SIEM:
-1. [Configure a source for Auth0](/docs/integrations/saml/auth0/#configure-a-source) and do the following:
+1. [Configure a source for Auth0](/docs/integrations/saml/auth0/#configure-a-source) on a source. When you configure the source, do the following:
     1. Select the [**Forward to SIEM** option](/docs/c2c/info/#metadata-fields) in the source configuration UI.
-    1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/Auth0/Auth0*.
+    1. Click the **+Add** link to add a field whose name is `_parser` with value `/Parsers/System/Auth0/Auth0`.
 1. To verify that your logs are successfully making it into Cloud SIEM:
     1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
     1. On the **Log Mappings** tab search for Auth0 and check the **Records** columns.<br/><img src={useBaseUrl('img/cse/auth0-reocrd-volume.png')} alt="Record volume" style={{border: '1px solid gray'}} style={{border: '1px solid gray'}} width="800" />

docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md

@@ -9,9 +9,9 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 To ingest AWS Application Load Balancer data into Cloud SIEM:
 1. [Enable ELB logging in AWS](/docs/send-data/hosted-collectors/amazon-aws/aws-elastic-load-balancing-source/#enable-elb-logging-in-aws).
-1. [Create an Amazon S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector and do the following:
+1. [Create an Amazon S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector. When you configure the source, do the following:
    1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
-   1. Add another field named `_parser` with value */Parsers/System/AWS/AWS ALB*.
+   1. Add another field named `_parser` with value `/Parsers/System/AWS/AWS ALB`.
 1. To verify that your logs are successfully making it into Cloud SIEM: 
    1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
    1. On the **Log Mappings** tab search for "AWS Application Load Balancer" and check the **Records** columns.

docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md

@@ -1,6 +1,6 @@
 ---
 id: aws-cloudtrail
-title: Ingest AWS CloudTrail data into Cloud SIEM
+title: Ingest AWS CloudTrail Data into Cloud SIEM
 sidebar_label: AWS CloudTrail
 description: Configure a CloudTrail source on a source to ingest CloudTrail log messages to be parsed by Cloud SIEM's CloudTrail system parser.
 ---
@@ -12,13 +12,11 @@ Sumo Logic Cloud SIEM supports the default AWS CloudTrail log format which inclu
 To ingest AWS CloudTrail data into Cloud SIEM:
 1. Unless you’ve already done so, [Configure CloudTrail in AWS](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-a-trail-using-the-console.html).
 1. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For more information, see [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product/).
-1. [Configure an AWS CloudTrail Source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/#configure-an-aws-cloudtrail-source) on a collector and do the following:
-     1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
-     1. Add another field named `_parser` with value */Parsers/System/AWS/CloudTrail*.
-
-To verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
-1. On the **Log Mappings** tab search for "CloudTrail" and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records.<br/><img src={useBaseUrl('img/cse/cloudtrail-search.png')} alt="CloudTrail search" style={{border: '1px solid gray'}} width="400"/>
+1. [Configure an AWS CloudTrail source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/#configure-an-aws-cloudtrail-source) on a collector. When you configure the source, do the following:
+    1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+    1. Add another field named `_parser` with value `/Parsers/System/AWS/CloudTrail`.
+1. To verify that your logs are successfully making it into Cloud SIEM. 
+    1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
+    1. On the **Log Mappings** tab search for "CloudTrail" and check the **Records** columns.
+    1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records.<br/><img src={useBaseUrl('img/cse/cloudtrail-search.png')} alt="CloudTrail search" style={{border: '1px solid gray'}} width="400"/>
 

docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md

@@ -1,15 +1,16 @@
 ---
 id: aws-guardduty
-title: Ingest AWS GuardDuty data into Cloud SIEM
+title: Ingest AWS GuardDuty Data into Cloud SIEM
 sidebar_label: AWS GuardDuty
 description: Configure an HTTP source to ingest AWS GuardDuty log messages and send them to the GuardDuty system parser.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-1. [Configure an HTTP source for GuardDuty](/docs/integrations/amazon-aws/guardduty/#step-1-configure-an-http-source) and do the following:
+To ingest AWS GuardDuty data into Cloud SIEM:
+1. [Configure an HTTP source for GuardDuty](/docs/integrations/amazon-aws/guardduty/#step-1-configure-an-http-source) on a collector. When you configure the source, do the following:
     1. Select the [**Forward to SIEM** option](/docs/c2c/info/#metadata-fields) in the source configuration UI.
-    1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/AWS/GuardDuty*.
+    1. Click the **+Add** link to add a field whose name is `_parser` with value `/Parsers/System/AWS/GuardDuty`.
 1. [Deploy the Sumo Logic GuardDuty events processor](/docs/integrations/amazon-aws/guardduty/#step-2-deploy-sumo-guardduty-events-processor).
 1. To verify that your logs are successfully making it into Cloud SIEM:
     1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  

docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md

@@ -1,69 +1,20 @@
 ---
 id: aws-network-firewall
-title: AWS Network Firewall - Cloud SIEM
+title: Ingest AWS Network Firewall Data into Cloud SIEM
 sidebar_label: AWS Network Firewall
 description: Configure collection and ingestion of AWS Network Firewall log messages from an S3 bucket to be parsed by Cloud SIEM's AWS Network Firewall system parser.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This section has instructions for collecting AWS Network Firewall log messages from AWS S3 and sending them to Sumo Logic to be ingested by Cloud SIEM.
-
-## Step 1: Enable AWS Network Firewall logs
-
-1. Follow AWS instructions on [firewall log delivery](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html) for [S3](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html).
-1. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For instructions see [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product/).  
-
-## Step 2: Configure collection
-
-In this step, you configure an HTTP Source to collect AWS Network Firewall messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an AWS S3 Source](#configure-an-aws-s3-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector.
-
-### Configure a Hosted Collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 
-1. Click **Add Collector**.
-1. Click **Hosted Collector.**
-1. The **Add Hosted Collector** popup appears.<br/><img src={useBaseUrl('img/cse/add-hosted-collector.png')} alt="Add hosted collector" style={{border: '1px solid gray'}} width="600"/>
-1. **Name**. Provide a Name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. 
-1. **Fields**. 
-    1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
-    1. If all sources in this collector will be AWS Network Firewall sources, add an additional field with key `_parser` and value `/Parsers/System/AWS/AWS Network Firewall`.
-
-:::note
-It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
-:::
-
-### Configure an AWS S3 Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.   
-1. Navigate to the Hosted Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to a Hosted Collector.
-1. Select Amazon S3. 
-1. The page refreshes.<br/><img src={useBaseUrl('img/cse/s3-source.png')} alt="S3 source" style={{border: '1px solid gray'}} width="600"/>
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **S3 Region**. Choose the AWS Region the S3 bucket resides in.
-1. **Bucket Name**. The name of your organizations S3 bucket as it appears in AWS.
-1. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files.
-1. **Source Category**. Enter a string to tag the output collected from  the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.
-1. **Fields**.
-    1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
-    1. If you are not parsing all sources in the hosted collector with the same parser, add an additional field named `_parser` with value */Parsers/System/AWS/AWS Network Firewall*.
-1. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Sumo Logic access to AWS (instructions are provided above in [Step 1](#step-1-enable-aws-network-firewall-logs)) is a prerequisite for role-based access.
-    -   **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.<br/><img src={useBaseUrl('img/cse/role-arn.png')} alt="Role ARN" style={{border: '1px solid gray'}} width="600"/>
-    -   **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details.
-14. In the **Advanced Options for Logs** section, uncheck the **Detect messages spanning multiple lines** option.
-15. Click **Save**.
-
-## Step 3: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
-1. On the **Log Mappings** tab search for "AWS Network Firewall " and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS Network Firewall security records. <br/><img src={useBaseUrl('img/cse/AWS-network-firewall-search.png')} alt="AWS Firewall search" style={{border: '1px solid gray'}} width="600"/>
-
-
- 
+To ingest AWS Network Firewall data into Cloud SIEM:
+1. Enable AWS Network Firewall logs:
+    1. Follow AWS instructions on [firewall log delivery](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html) for [S3](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html).
+    1. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For instructions see [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product/).  
+1. [Create an Amazon S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector. When you configure the source, do the following:
+    1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+    1. Add another field named `_parser` with value `/Parsers/System/AWS/AWS Network Firewall`.
+1. To verify that your logs are successfully making it into Cloud SIEM: 
+    1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
+    1. On the **Log Mappings** tab search for "AWS Network Firewall " and check the **Records** columns.
+    1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS Network Firewall security records. <br/><img src={useBaseUrl('img/cse/AWS-network-firewall-search.png')} alt="AWS Firewall search" style={{border: '1px solid gray'}} width="600"/>