Merge branch 'main' into threat-intel-ga

Author: jpipkin1

docs/cse/administration/create-custom-threat-intel-source.md

@@ -41,7 +41,7 @@ Rule authors can also write rules that look for threat intelligence information
 
 Your new source should now appear on the **Threat Intelligence** page.
 
-## Add indicators
+## Add threat indicators
 
 ### Enter indicators manually
 
@@ -96,5 +96,10 @@ value,description,expires,active
 
 ### Manage sources and indicators using APIs
 
-You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).  
- 
+You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).
+
+## Search indicators
+
+To search threat indicators, click the **Search All Indicators** button at the top of the **Threat Intelligence** page. 
+
+You can search using the same functionality available for other Cloud SIEM searches, including regular expressions. For more information, see [Filter and Search Cloud SIEM List Pages](/docs/cse/administration/filter-search).

docs/cse/administration/filter-search.md

@@ -11,18 +11,20 @@ keywords:
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-You can filter and search the list pages in Cloud SIEM—**Insights**, **Signals**, **Entities**, **Records**, **Rules**, and **Network Blocks**—using the **Filters** bar near the top of the page.
+## Search in Cloud SIEM
 
-<img src={useBaseUrl('img/cse/list-page-search.png')} alt="Filters box at the top of the page " width="500" />
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Cloud SIEM**.<br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Search Cloud SIEM**. You can also click the **Go To...** menu at the top of the screen and select **Search Cloud SIEM**. 
+1. Click in the **Find Insights, Signals, Entities and more...** search bar at the top of the page.<br/><img src={useBaseUrl('img/cse/list-page-search.png')} alt="Search box at the top of the page" width="400" />
+1. Enter text to search.
+1. To filter, click the filter icon <img src={useBaseUrl('img/cse/filter-icon.png')} alt="Filter icon" width="20" /> on the right side of the search box.
+1. Select a source to filter on. <br/><img src={useBaseUrl('img/cse/search-sources.png')} alt="Search sources" width="250" />
+1. A dropdown list of filters appears for that source. Select a field to filter on, or pick a suggestion.<br/><img src={useBaseUrl('img/cse/filter-options.png')} alt="List of fields to filter on" width="400"/>
+1. Continue to select options to filter on from the options presented.
 
-## Filter items
-When you click in the **Filters** bar, a dropdown list of filters appears. After you select a filter you’ll be presented with a dialog so you can specify your filtering criteria.
+## Search using regular expressions
 
-<img src={useBaseUrl('img/cse/filter-options.png')} alt="List of fields to filter on" width="250"/>
+You also enter a search string or regex in the search bar, and press Return to run a search. Note that Cloud SIEM's regular expression engine will return items that contain text matching the complete string. The engine implicitly adds anchors  (`^` and `$`) to the beginning and end of your regex.
 
-## Search items
-You also enter a search string or regex in the **Filter** bar, and press Return to run a search. Note that Cloud SIEM's regular expression engine will return items that contain text matching the complete string. The engine implicitly adds anchors  (`^` and `$`) to the beginning and end of your regex.
+Cloud SIEM search uses Elasticsearch. For regular expressions allowed for use in Cloud SIEM search, see [Regular expression syntax](https://www.elastic.co/guide/en/elasticsearch/reference/current/regexp-syntax.html) in the Elastic documentation.
 
-You can use `not` to search for items that do not contain a particular keyword, for example:
-
-`not:Initial Access`  
+You can use `not` to search for items that do not contain a particular keyword, for example: `not:Initial Access`  

docs/cse/match-lists-suppressed-lists/suppressed-lists.md

@@ -52,15 +52,17 @@ Match lists are for when you want to use the existence or absence of an indicato
 
 Cloud SIEM uses suppressed lists similar to how it uses [match lists](#suppressed-list-or-match-list). When Cloud SIEM processes an incoming record, it compares the entries in each suppressed list to record fields of the same type as the target column of the suppressed list. For example, given a suppressed list whose target column is **Domain**, Cloud SIEM will compare items on that list only to record fields that contain domains.
 
-When a record contains a value that matches one or more suppressed lists, two fields in the record get populated:
+Keep in mind:
+* Suppression lists will suppress any signal where the suppressed indicator is present, regardless of the primary entity in the signal.
+* Entity suppression will only suppress the signal if the suppressed entity is the primary signal.
+* If any entities within the record match items listed in a suppressed list, suppressed signals will be generated for those entities across all rules. Consequently, these signals will not affect the entity's Activity Score or contribute to insight generation.
 
+When a record contains a value that matches one or more suppressed lists, two fields in the record get populated:
 * `listMatches`. Cloud SIEM adds the names of the suppressed lists that the record matched, and the column values of those lists. For example, if an IP address in a record matches the SourceIP address in the “vuln_scanners” suppressed list, the `listMatches` field would look like this: `listMatches: ['vuln_scanners', 'column:SourceIp']`    
 * `matchedItems`. Cloud SIEM adds the actual key-value pairs that were matched. For example, continuing the example above, if “vuln_scanners” match list contained an entry “5.6.7.8”, and the record’s SourceIp is also “5.6.7.8”, the assuming the SourceIP address in the “vuln_scanners” suppressed list, the `matchedItems` field would look like this: `matchedItems: [ { value: '5.6.7.8', …other metadata about list item } ]`
 
 Because the information about list matches gets persisted within records, you can reference it downstream in both rules and search.
 
-**If any entities within the record match items listed in a suppressed list, suppressed signals will be generated for those entities across all rules**. Consequently, these signals will not affect the entity's Activity Score or contribute to insight generation.
-
 For more information about signal Suppression mechanisms, see [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/).
 
 

docs/platform-services/threat-intelligence-indicators.md

@@ -44,6 +44,7 @@ To search logs that contain correlations to threat intelligence indicators, you
    * [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source)
    * [STIX/TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source)  
    * [STIX/TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source)
+   * [ZeroFox Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source)
 * **The API**. See the following APIs in the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) API resource:
    * [uploadNormalizedIndicators API](https://api.sumologic.com/docs/#operation/uploadNormalizedIndicators)
    * [uploadCsvIndicators API](https://api.sumologic.com/docs/#operation/uploadCsvIndicators)

package.json

@@ -15,22 +15,33 @@
     "write-heading-ids": "docusaurus write-heading-ids"
   },
   "dependencies": {
+    "@algolia/client-abtesting": "5.18.0",
+    "@algolia/client-analytics": "5.18.0",
+    "@algolia/client-insights": "5.18.0",
+    "@algolia/client-personalization": "5.18.0",
+    "@algolia/client-query-suggestions": "5.18.0",
+    "@algolia/client-search": "5.18.0",
+    "@algolia/ingestion": "1.18.0",
+    "@algolia/monitoring": "1.18.0",
+    "@algolia/recommend": "5.18.0",
     "@babel/plugin-proposal-decorators": "^7.23.7",
     "@babel/runtime-corejs3": "7.26.0",
     "@braintree/sanitize-url": "^6.0.1",
-    "@docusaurus/bundler": "3.6.3",
-    "@docusaurus/core": "^3.6.3",
-    "@docusaurus/cssnano-preset": "3.6.3",
-    "@docusaurus/plugin-client-redirects": "3.6.3",
-    "@docusaurus/plugin-content-blog": "^3.6.3",
-    "@docusaurus/plugin-debug": "3.6.3",
-    "@docusaurus/plugin-google-analytics": "3.6.3",
-    "@docusaurus/plugin-google-gtag": "3.6.3",
-    "@docusaurus/plugin-google-tag-manager": "3.6.3",
-    "@docusaurus/plugin-sitemap": "3.6.3",
-    "@docusaurus/preset-classic": "3.6.3",
-    "@docusaurus/theme-classic": "3.6.3",
-    "@docusaurus/theme-search-algolia": "3.6.3",
+    "@docsearch/css": "3.8.2",
+    "@docusaurus/bundler": "3.7.0",
+    "@docusaurus/core": "^3.7.0",
+    "@docusaurus/cssnano-preset": "3.7.0",
+    "@docusaurus/plugin-client-redirects": "3.7.0",
+    "@docusaurus/plugin-content-blog": "^3.7.0",
+    "@docusaurus/plugin-debug": "3.7.0",
+    "@docusaurus/plugin-google-analytics": "3.7.0",
+    "@docusaurus/plugin-google-gtag": "3.7.0",
+    "@docusaurus/plugin-google-tag-manager": "3.7.0",
+    "@docusaurus/plugin-sitemap": "3.7.0",
+    "@docusaurus/plugin-svgr": "3.7.0",
+    "@docusaurus/preset-classic": "3.7.0",
+    "@docusaurus/theme-classic": "3.7.0",
+    "@docusaurus/theme-search-algolia": "3.7.0",
     "@emotion/react": "^11.10.5",
     "@emotion/styled": "^11.10.5",
     "@eslint/eslintrc": "^1.3.3",
@@ -117,9 +128,10 @@
     "prismjs": "^1.27.0",
     "punycode": "^2.3.1",
     "raw-loader": "^4.0.2",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
     "react-fast-compare": "^3.2.0",
+    "react-helmet-async": "1.3.0",
     "react-iframe": "^1.8.0",
     "react-json-view-lite": "1.2.1",
     "react-live": "^4.1.5",
@@ -150,7 +162,7 @@
     "yaml": "^2.3.1"
   },
   "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.6.3",
+    "@docusaurus/module-type-aliases": "^3.7.0",
     "@tsconfig/docusaurus": "^1.0.4",
     "@types/react": "^17.0.0",
     "@types/webpack-env": "^1.16.3",