SumoLogic
diff --git a/‎blog-service/2025-10-16-collection.md‎
Lines changed: 25 additions & 0 deletions b/‎blog-service/2025-10-16-collection.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎blog-service/2025-10-17-apps.md‎
Lines changed: 14 additions & 0 deletions b/‎blog-service/2025-10-17-apps.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎cid-redirects.json‎
Lines changed: 2 additions & 0 deletions b/‎cid-redirects.json‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/integrations/amazon-aws/application-load-balancer.md‎
Lines changed: 9 additions & 7 deletions b/‎docs/integrations/amazon-aws/application-load-balancer.md‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎docs/integrations/amazon-aws/network-load-balancer.md‎
Lines changed: 9 additions & 7 deletions b/‎docs/integrations/amazon-aws/network-load-balancer.md‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection.md‎
Lines changed: 196 additions & 0 deletions b/‎docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection.md‎
Lines changed: 196 additions & 0 deletions
diff --git a/‎docs/integrations/microsoft-azure/index.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/integrations/microsoft-azure/index.md‎
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,25 @@
+---
+title: Cloud Syslog Source Certificate Fully Transitioned to ACM (Collection)
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+keywords:
+  - certificates
+  - Cloud Syslog Source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce that Sumo Logic has fully transitioned to AWS Certificate Manager (ACM) certificates for Transport Layer Security (TLS) communication between your cloud syslog sources and Sumo Logic.
+
+In [a previous release note](/release-notes-service/2025/08/01/collection/), we announced that we are transitioning from DigiCert to ACM certificates.
+
+This change provides the following benefits:
+* **Automated certificate renewal and deployment**. ACM eliminates the need for future manual renewals, reducing administrative overhead.
+* **Simplified infrastructure management for AWS customers**. ACM is deeply integrated into the AWS ecosystem, streamlining your overall infrastructure management. Because Sumo Logic is also on AWS, using ACM provides a seamless experience.
+
+If you use cloud syslog sources to send data to Sumo Logic, download and configure the ACM certificate on your system. For more information and setup instructions, see:
+* [Cloud Syslog Source](/docs/send-data/hosted-collectors/cloud-syslog-source/)
+* [rsyslog](/docs/send-data/hosted-collectors/cloud-syslog-source/rsyslog)
+* [syslog-ng](/docs/send-data/hosted-collectors/cloud-syslog-source/syslog-ng/)
+* [Collect Logs for SentinelOne](/docs/send-data/collect-from-other-data-sources/collect-logs-sentinelone/)
+* [Acquia](/docs/integrations/saas-cloud/acquia/#step-2-configure-a-source)
@@ -0,0 +1,14 @@
+---
+title: Azure Security - Microsoft Entra ID Protection (Apps)
+image: https://help.sumologic.com/img/reuse/rss-image.jpg
+keywords:
+  - apps
+  - azure
+  - microsoft
+  - azure-security-microsoft-entra-id-protection
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Sumo Logic app for Azure Security - Microsoft Entra ID Protection. This app enhances identity security across Azure environments by proactively detecting, investigating, and mitigating identity-related risks. This integration helps you safeguard user accounts and credentials, ensuring secure access to critical cloud resources. [Learn more](/docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection/).
@@ -2950,6 +2950,8 @@
   "/cid/1111": "/docs/integrations/microsoft-azure/azure-open-ai",
   "/cid/1115": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-cloud-apps",
   "/docs/integrations/microsoft-azure/microsoft-defender-for-cloud-apps/": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-cloud-apps",
+  "/cid/1116": "/docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection",
+  "/docs/integrations/microsoft-azure/microsoft-entra-id-protection/": "/docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection",
   "/cid/1113": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/",
   "/Cloud_SIEM_Enterprise": "/docs/cse",
   "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",
 
@@ -140,14 +140,16 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
 ```
 
 ```sql title="Parse Expression"
-json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop 
-|"" as namespace
+json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, loadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" 
-| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, loadbalancer, f1 nodrop
-| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
-| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
-| where namespace="aws/applicationelb" or isEmpty(namespace)
-| toLowerCase(loadbalancer) as loadbalancer  
+| "" as namespace 
+| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, loadbalancer1, f1 nodrop
+| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, loadbalancer2, f1, f2 nodrop
+| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace 
+| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
+| where namespace="aws/applicationelb" or isEmpty(namespace) 
+| if (!isEmpty(loadbalancer), loadbalancer, if (!isEmpty(loadbalancer1), loadbalancer1, loadbalancer2)) as loadbalancer
+| toLowerCase(loadbalancer) as loadbalancer 
 | fields region, namespace, loadbalancer, accountid
 ```
 
 
@@ -68,14 +68,16 @@ Scope (Specific Data): account=* eventSource eventName "elasticloadbalancing.ama
 ```
 
 ```sql title="Parse Expression"
-json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, api_version nodrop 
-|"" as namespace
+json "eventSource", "awsRegion", "recipientAccountId", "requestParameters.name", "requestParameters.type", "requestParameters.loadBalancerArn", "requestParameters.listenerArn", "apiVersion" as event_source, region, accountid, networkloadbalancer, loadbalancertype, loadbalancerarn, listenerarn, api_version nodrop
 | where event_source = "elasticloadbalancing.amazonaws.com" and api_version matches "2015-12-01" 
-| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype, networkloadbalancer, f1 nodrop
-| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype matches "net", "aws/networkelb", namespace)) as namespace
-| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype matches "app", "aws/applicationelb", namespace)) as namespace
-| where namespace="aws/networkelb" or isEmpty(namespace)
-| toLowerCase(networkloadbalancer) as networkloadbalancer  
+| "" as namespace
+| parse field=loadbalancerarn ":loadbalancer/*/*/*" as balancertype1, networkloadbalancer1, f1 nodrop
+| parse field=listenerarn ":listener/*/*/*/*" as balancertype2, networkloadbalancer2, f1, f2 nodrop
+| if(loadbalancertype matches "network", "aws/networkelb", if(balancertype1 matches "net", "aws/networkelb", if(balancertype2 matches "net", "aws/networkelb", namespace))) as namespace 
+| if(loadbalancertype matches "application", "aws/applicationelb", if(balancertype1 matches "app", "aws/applicationelb", if(balancertype2 matches "app", "aws/applicationelb", namespace))) as namespace
+| where namespace="aws/networkelb" or isEmpty(namespace)  
+| if (!isEmpty(networkloadbalancer), networkloadbalancer, if (!isEmpty(networkloadbalancer1), networkloadbalancer1, networkloadbalancer2)) as networkloadbalancer
+| toLowerCase(networkloadbalancer) as networkloadbalancer 
 | fields region, namespace, networkloadbalancer, accountid
 ```
 
 
@@ -0,0 +1,196 @@
+---
+id: azure-security-microsoft-entra-id-protection
+title: Azure Security - Microsoft Entra ID Protection
+sidebar_label: Azure Security - Microsoft Entra ID Protection
+description: Learn how to collect alerts from the Azure Security - Microsoft Entra ID Protection platform and send them to Sumo Logic for analysis.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection.png')} alt="Thumbnail icon" width="50"/>
+
+The Azure Security – Microsoft Entra ID Protection application strengthens identity security within Azure environments by proactively detecting, investigating, and mitigating identity-related risks. It helps organizations safeguard user accounts and credentials against potential compromise, ensuring secure access to critical cloud resources
+
+The Sumo Logic app for Azure Security - Microsoft Entra ID Protection provides interactive dashboards and visual tools. The app supports incident identification, user activity tracking, and access monitoring for sensitive data. These features enable faster response times and more agile decision-making, ultimately helping organizations enhance their overall security posture. By delivering a comprehensive view of cloud app security, the app empowers you to manage threats efficiently and ensures robust protection of critical Azure-based assets.
+
+## Log Types
+
+The Azure Security – Microsoft Entra ID Protection uses Sumo Logic’s Microsoft Graph Security source to collect [alerts](https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) from the Microsoft Graph Security source.
+
+### Sample log messages
+
+<details>
+<summary>Alert Log</summary>
+
+```json
+{
+  "id": "ad702c56f4e096bad6317188657c055326e564fc89de72328c",
+  "providerAlertId": "efa85202d5d391b6d368c8c985d95a221df17581886575fd8d11666a1d12",
+  "incidentId": "14",
+  "status": "new",
+  "severity": "high",
+  "classification": "truePositive",
+  "determination": "malware",
+  "serviceSource": "azureAdIdentityProtection",
+  "detectionSource": "automatedInvestigation",
+  "detectorId": "AnomalousToken",
+  "tenantId": "3adb963c-8e61-48-a06d-6dbb0dacea39",
+  "title": "Anomalous Token",
+  "description": "Anomalous token indicates that there are abnormal characteristics in the token such as token duration and authentication from unfamiliar IP address",
+  "recommendedActions": "",
+  "category": "Random",
+  "assignedTo": null,
+  "alertWebUrl": "https://566bdd7bcaa08702d6bebe31e2901.serveo.net/alerts/ad702c56f4e096bad66c055326e564fc89de72328c?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39",
+  "incidentWebUrl": "https://566ba0ac28702d6bebe31e2901.serveo.net/incidents/14?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39",
+  "actorDisplayName": null,
+  "threatDisplayName": null,
+  "threatFamilyName": null,
+  "mitreTechniques": [],
+  "createdDateTime": "2025-09-18T15:14:17+0530577Z",
+  "lastUpdateDateTime": "2025-09-18T15:14:17+0530667Z",
+  "resolvedDateTime": null,
+  "firstActivityDateTime": "2025-09-18T15:14:17+0530872Z",
+  "lastActivityDateTime": "2025-09-18T15:14:17+0530872Z",
+  "comments": [
+    {
+      "@odata.type": "#microsoft.graph.security.alertComment",
+      "comment": "Not valid",
+      "createdByDisplayName": "Sam",
+      "createdDateTime": "2025-09-18T15:14:17+053088Z"
+    }
+  ],
+  "evidence": [
+    {
+      "@odata.type": "#microsoft.graph.security.userEvidence",
+      "createdDateTime": "2025-09-18T15:14:17+0530333Z",
+      "verdict": "unknown",
+      "remediationStatus": "none",
+      "remediationStatusDetails": null,
+      "roles": ["compromised"],
+      "detailedRoles": [],
+      "tags": [],
+      "userAccount": {
+        "accountName": "tseapps",
+        "domainName": null,
+        "userSid": "S-1-12-1-175818657-1758188657-589068932-1758188657",
+        "azureAdUserId": "f5e829f5-4f-4fcf-847a-1c234c1b3b84",
+        "userPrincipalName": "[email protected]",
+        "displayName": null
+      }
+    },
+    {
+      "@odata.type": "#microsoft.graph.security.ipEvidence",
+      "createdDateTime": "2025-09-18T15:14:17+0530333Z",
+      "verdict": "compromised",
+      "remediationStatus": "none",
+      "remediationStatusDetails": null,
+      "roles": [],
+      "detailedRoles": [],
+      "tags": [],
+      "ipAddress": "168.119.168.251",
+      "countryLetterCode": "IN"
+    }
+  ]
+}
+```
+</details>
+
+### Sample queries
+
+```sql title="Total Alerts"
+_sourceCategory=Labs/MicrosoftGraphSecurity 
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+
+| where toLowerCase(service_source) = "azureadidentityprotection"
+
+// global filters
+| where if ("*" = "*", true, severity matches "*")
+| where if ("*" = "*", true, status matches "*")
+| where if ("*" = "*", true, classification matches "*")
+
+// panel specific
+| count by alert_id 
+| count
+```
+
+```sql title="High Severity Alerts"
+_sourceCategory=Labs/MicrosoftGraphSecurity 
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,comments,evidence_info nodrop
+
+| where toLowerCase(service_source) = "azureadidentityprotection"
+
+// global filters
+| where if ("*" = "*", true, severity matches "*")
+| where if ("*" = "*", true, status matches "*")
+| where if ("*" = "*", true, classification matches "*")
+
+// panel specific
+| where toLowerCase(severity) matches ("*high*")
+| count by alert_id
+| count
+```
+
+## Collection configuration and app installation
+
+:::note
+- Skip this step if you have already configured the [Microsoft Graph Security API Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/).
+- Select **Use the existing source and install the app** to install the app using the `sourceCategory` of the Microsoft Graph Security API Source configured above.
+:::
+
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
+
+<CollectionConfiguration/>
+
+:::important
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Azure Security - Microsoft Entra ID Protection is properly integrated and configured to collect and analyze your Azure Security - Microsoft Entra ID Protection data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
+
+## Viewing the Azure Security - Microsoft Entra ID Protection dashboards
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Overview
+
+The **Azure Security - Microsoft Entra ID Protection - Overview** dashboard  provides a comprehensive view of identity-related security risks and anomalies detected across Azure environments. It enables analysts to monitor risky sign-ins, user risk levels, and identity protection trends, ensuring timely detection and mitigation of potential account compromises.
+
+With features like geo-location mapping and top user alerts, the dashboard supports regional risk assessment and detection of insider threats. By combining real-time insights with historical trends, it enhances situational awareness and strengthens incident response strategies.
+<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Azure-Security-Microsoft-Entra+-ID-Protection/Azure+Security+-+Microsoft+Entra+ID+Protection+-+Overview.png' alt="Azure Security - Microsoft Entra ID Protection - Overview" />
+
+### Security
+
+The **Azure Security - Microsoft Entra ID Protection - Security** dashboard provides a comprehensive overview of identity-related threats within the organization, enabling teams to pinpoint where identity risks are concentrated and how they evolve over time. Visual trend panels display fluctuations in user and sign-in risk levels, helping analysts assess whether identity-based attacks are increasing and prioritize mitigation accordingly.
+
+Key insights include compromised user accounts, frequently attacked devices, and countries linked to malicious IPs, enabling targeted defense strategies. By combining trend analysis with threat origins and user risk data, the dashboard empowers proactive threat response and strengthens overall security posture.
+<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Azure-Security-Microsoft-Entra+-ID-Protection/Azure+Security+-+Microsoft+Entra+ID+Protection+-+Security.png' alt="Azure Security - Microsoft Entra ID Protection  - Security" />
+
+## Upgrade/Downgrade the Azure Security - Microsoft Entra ID Protection app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the Azure Security - Microsoft Entra ID Protection app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>
@@ -307,6 +307,12 @@ This guide has documentation for all of the apps that Sumo Logic provides for Mi
   <p>Learn about the Sumo Logic collection process for the Azure Security - Microsoft Defender for Office 365</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection"><img src={useBaseUrl('img/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection.png')} alt="thumbnail icon" width="55"/><h4>Azure Security - Microsoft Entra ID Protection</h4></a>
+  <p>Learn about the Sumo Logic collection process for the Azure Security - Microsoft Entra ID Protection.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <img src={useBaseUrl('img/integrations/microsoft-azure/azure-service-bus.png')} alt="Thumbnail icon" width="60"/>