Merge branch 'main' into in_removed

Author: amee-sumo

blog-service/2025-03-31-apps.md

@@ -19,15 +19,15 @@ We’re excited to announce the release of the new Azure Key Vault and AWS Auto
 ### Enhancements
 
 - **Added metrics collection capability for OpenTelemetry collectors**. [RabbitMQ](/docs/send-data/opentelemetry-collector/remote-management/source-templates/rabbitmq/#for-metrics-collection) and [Redis](/docs/send-data/opentelemetry-collector/remote-management/source-templates/redis/#for-metrics-collection).
-- **Added use cases to monitor EBS volume and snapshots in AWS EC2 apps**. [Amazon EC2 Auto Scaling](/docs/integrations/amazon-aws/amazon-ec2-auto-scaling/).
+- **Added use cases to monitor EBS volume and snapshots in AWS EC2 apps**. [AWS EC2](/docs/integrations/amazon-aws/ec2-cloudwatch-metrics/#events).
 - **Updated the metric collection and dashboard for Google apps**. [Google BigQuery](/docs/integrations/google/bigquery/) and [Google Cloud Load Balancing](/docs/integrations/google/cloud-load-balancing/).
 - Added new dashboards to the [Sumo Logic Kickstart Data(Beta)](/docs/integrations/sumo-apps/kickstart-data/) app.
-- **Updated the queries to accommodate the new threat intel feed**. [Apache - OpenTelemetry Collector](/docs/integrations/web-servers/opentelemetry/apache-opentelemetry/), [Apache Tomcat - OpenTelemetry Collector](/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry/), [HAProxy - OpenTelemetry Collector](/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry/), [IIS 10 - OpenTelemetry Collector](/docs/integrations/web-servers/opentelemetry/iis-10-opentelemetry/), [Ngin - OpenTelemetry Collector](/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry/), [PostgreSQL - OpenTelemetry Collector](/docs/integrations/databases/opentelemetry/postgresql-opentelemetry/), [Varnish - OpenTelemetry Collector](/docs/integrations/web-servers/opentelemetry/varnish-opentelemetry/), [Acquia](/docs/integrations/saas-cloud/acquia/), [Azure Web Apps](/docs/integrations/microsoft-azure/web-apps/), [JFrog Xray](/docs/integrations/app-development/jfrog-xray/), and [MongoDB Atlas 6](/docs/integrations/databases/mongodb-atlas/).
+- **Updated the queries to accommodate the new threat intel feed**. [Apache - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/apache-opentelemetry/), [Apache Tomcat - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry/), [HAProxy - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry/), [IIS 10 - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/iis-10-opentelemetry/), [Ngin - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry/), [PostgreSQL - OpenTelemetry](/docs/integrations/databases/opentelemetry/postgresql-opentelemetry/), [Varnish - OpenTelemetry](/docs/integrations/web-servers/opentelemetry/varnish-opentelemetry/), [Acquia](/docs/integrations/saas-cloud/acquia/), [Azure Web Apps](/docs/integrations/microsoft-azure/web-apps/), [JFrog Xray](/docs/integrations/app-development/jfrog-xray/), and [MongoDB Atlas 6](/docs/integrations/databases/mongodb-atlas/).
 - Updated Azure integration from` Node.js v18` to `Node.js v20`. [Learn more](https://github.com/SumoLogic/sumologic-azure-function/releases/tag/v4.1.6).
 
 ### Bug Fixes
 
 Bugs for the following apps have been fixed:
-- Filtering the security groups dashoard in [AWS VPC Flow Logs](/docs/integrations/amazon-aws/vpc-flow-logs/#filtering-the-security-groups-dashboard).
+- Filtering the security groups dashboard in [AWS VPC Flow Logs](/docs/integrations/amazon-aws/vpc-flow-logs/#security-groups).
 - [AWS ECS](/docs/integrations/amazon-aws/elastic-container-service/).
-- [JFrog Artifactory 7 app](/docs/integrations/app-development/jfrog-artifactory/).
+- [JFrog Artifactory 7 app](/docs/integrations/app-development/jfrog-artifactory/).

docs/platform-services/automation-service/app-central/integrations/aws-waf.md

@@ -6,8 +6,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/aws.png')} alt="aws" width="50"/>
 
-***Version: 1.0  
-Updated: April 19, 2024***
+***Version: 1.1  
+Updated: March 26, 2025***
 
 AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define.
 
@@ -30,6 +30,7 @@ AWS WAF is a web application firewall that helps protect web applications from a
 * **List Resources for Web ACLs** (*Enrichment*) - Retrieves a list of the Amazon Resource Names (ARNs) for the regional resources that are associated with the specified web ACL.
 * **List Rule Groups** (*Enrichment*) - Retrieves a list of RuleGroupSummary objects for the rule groups that you manage.
 * **List Web ACLs** (*Enrichment*) - Retrieves a list of WebACLSummary objects for the web ACLs that you manage.
+* **Update IP Set** (*Containment*) - Updates the specified IPSet.
 
 
 ## External Libraries
@@ -39,4 +40,5 @@ AWS WAF is a web application firewall that helps protect web applications from a
 
 ## Change Log
 
-* April 19, 2024 - First upload
+* April 19, 2024 (v1.0)- First upload
+* March 26, 2025 (v1.1) - Added **Update IP Set** action: This new action allows users to add or remove IPs from an existing IP Set.

docs/security/additional-security-features/introduction-to-additional-security-features.md

@@ -7,7 +7,15 @@ description: Learn basic concepts about using logs for security use cases.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-"Logs for Security" is Sumo Logic's full set of features that leverage logs for security use cases. These features includes apps, customizable dashboards, and tools to analyze your security data. This allows you to use Sumo Logic's core functionality, including data collection, ingestion, and storage, to produce findings that help protect your attack surfaces from threats.
+Sumo Logic’s Logs for Security provides a comprehensive foundation for security operations, with a unified platform to ingest, store, and analyze security logs in real time. AI-powered search enables teams to quickly find relevant logs, while anomaly detection highlights unusual patterns for further review. 
+
+Unlike fragmented log solutions, Sumo Logic seamlessly integrates across cloud, hybrid, and on-prem environments, reducing complexity and ensuring complete visibility into your infrastructure.
+
+Security teams can quickly access log data for security log management, cloud security monitoring, and compliance reporting. By prioritizing a logs-first approach, Sumo Logic empowers you to move beyond manual log analysis and manage your security posture with greater efficiency.
+
+## What's included?
+
+"Logs for Security" is Sumo Logic's full set of features that leverage logs for security use cases. These features include apps, customizable dashboards, and tools to analyze your security data. This allows you to use Sumo Logic's core functionality, including data collection, ingestion, and storage, to produce findings that help protect your attack surfaces from threats.
 
 You can use Sumo Logic logs for:
 * [Threat detection and investigation](/docs/security/additional-security-features/threat-detection-and-investigation). Identify and explore threats or security-related events within your assets, applications, or networks as quickly and effectively as possible.

docs/security/threat-intelligence/threat-intelligence-vendor-switch.md

@@ -0,0 +1,57 @@
+---
+slug: /security/threat-intelligence/threat-intelligence-vendor-switch
+title: Threat Intelligence Vendor Switch
+description: Learn about the switch of our threat intelligence vendor from CrowdStrike to Intel 471.
+---
+
+<head>
+ <meta name="robots" content="noindex" />
+</head>
+
+<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This article provides guidance on our switching from the legacy **_sumo_global_feed_cs** source supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/) to the **SumoLogic_ThreatIntel** source supplied by [Intel 471](https://intel471.com/).
+
+:::warning
+*The **_sumo_global_feed_cs** source will be discontinued on April 30, 2025*. For more information, see [Sumo Logic Threat Intelligence Sources](/docs/security/threat-intelligence/about-threat-intelligence).
+:::
+
+Switching to the Intel 471 global threat feed from CrowdStrike will introduce differences in the threat indicator content. Namely, the `raw` field from the `lookup` operator, and the `raw_threat` field from the `threatip` operator will contain different JSON-formatted fields. Sophisticated, security-centric Sumo Logic platform queries sometimes use these fields for searches and dashboards.
+
+Importantly, the intel vendors themselves control what appears in these "raw" fields, and each vendor prioritizes different aspects of the intel they provide. For example, CrowdStrike often includes CVEs where applicable, whereas Intel 471 bundles geo-IP data with some of its entries. CrowdStrike reports the publication timestamp of its indicators, whereas Intel 471 reports the recommended expiration timestamp. As such, Sumo Logic strongly encourages customers to review their searches and dashboards for "raw" field handling, and to modify them appropriately.
+
+Beginning April 1, 2025, customers can experiment with the Intel 471 feed by referencing the `sumo://threat/i471` lookup table as a parameter to the [`lookup` search operator](/docs/search/search-query-language/search-operators/lookup). (It isn't possible to do the same for `threatip`, though its `raw_threat` field is the same as the `lookup` operator's `raw` field.)  On April 30, 2025, the global CrowdStrike feed will be fully replaced by Intel 471 in the Sumo Logic platform, and references to the old feed will automatically be updated to point to the new feed.
+
+Sumo Logic's native security applications will be updated to support this vendor change. To take advantage of the new Intel 471 feed, customers only need to update queries in their custom apps by April 30, 2025. For examples of queries using the `lookup` operator, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app.
+
+## How do I know if I need to update a search or dashboard?
+
+If your queries reference `json field=raw` or `parse field=raw` (or `raw_threat`, in the case of the `threatip` operator), you are extracting vendor-specific data that might need to be updated.
+
+Additionally, the Intel 471 source currently does not include domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes. 
+
+## How can I translate CrowdStrike-specific fields to Intel 471-specific fields?
+
+In many cases, it may not be possible to translate CrowdStrike-specific fields to Intel 471-specific fields, as the two vendors emphasize different aspects of indicators of compromise. However, the table below provides approximate mappings to help you start adapting your queries.
+
+### Approximate field mappings
+
+As a starting point to analyze field mapping, examine the following translations:
+
+| CrowdStrike | Intel 471 | Translation notes |
+| :-- | :-- | :-- |
+| `indicator` | `data.indicator_data.*` <br/><br/>For example:<br/>`data.indicator_data.address`<br/>`data.indicator_data.file.md5`<br/>`data.indicator_data.file.sha1`<br/>`data.indicator_data.file.sha256`<br/>`data.indicator_data.url` | Depends on the type. Every Intel 471 file hash record includes all hash types. <br/><br/>Intel 471 also includes geoip data for IP addresses under `data.indicator_data.geo_ip`.<br/><br/>Intel 471 has no domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes. |
+| `kill_chains` | `data.mitre_tactics` |
+| `labels[*].name` | `data.threat.type`<br/>`data.threat.data.family`<br/>`data.context.description`<br/>`data.mitre_tactics` | CrowdStrike's labels are redundant with other sections in the CrowdStrike record. |
+| `last_updated` | `last_updated` | CrowdStrike's timestamps are in epoch seconds whereas Intel 471's are in milliseconds. |
+| `malicious_confidence` | `data.confidence` | |
+| `malware_families` | `data.threat.data.family` | |
+| `threat_types` | `data.threat.type` | |
+| `type` | `data.indicator_type` | |
+| (none) | `data.expiration` | Intel 471 only. In milliseconds. |
+
+### JSON side-by-side approximate field mappings
+
+<img src={useBaseUrl('img/security/threat-intel-field-mappings.png')} alt="Threat Intelligence field mappings" style={{border: '1px solid gray'}} width="800" />

docs/send-data/opentelemetry-collector/remote-management/index.md

@@ -23,7 +23,11 @@ The [Sumo Logic Distribution for OpenTelemetry Collector](/docs/send-data/opente
   allowfullscreen
 />
 :::
-  
+
+:::note
+If you want to manage the collector using local configuration files, make sure to check the **Locally Manage Collector** box. If left unchecked, the collector will be managed exclusively by remote configuration by default.<br/><img src={useBaseUrl('img/send-data/remote-mgmt-local.png')} alt="Locally Manage Collector checkbox" />
+:::
+
 **Key features**
 
 * **Tagging collectors**. Tag your OpenTelemetry collectors to categorize and group them. These tags enrich your data, allowing you to use them effectively in dashboards and searches.