Merge branch 'main' into patch-4

Author: kimsauce

.clabot

@@ -168,7 +168,8 @@
     "lol3909",
     "Hellfire4959",
     "antonymartinsumo",
-    "amee-sumo"
+    "amee-sumo",
+    "chetanchoudhary-sumo"
   ],
   "message": "Thank you for your contribution! As this is an open source project, we require contributors to sign our Contributor License Agreement and do not have yours on file. To proceed with your PR, please [sign your name here](https://forms.gle/YgLddrckeJaCdZYA6) and we will add you to our approved list of contributors.",
   "label": "cla-signed",

blog-cse/2024-12-06-content.md

@@ -0,0 +1,99 @@
+---
+title: December 6, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - log parsers
+  - detection rules
+  - tag schemas
+image: https://help.sumologic.com/img/sumo-square.png  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release:
+-   Introduces new Cloud SIEM detection rules for monitoring activity and alerts from GitHub Enterprise.
+-   New and updated log parsing and mapping support for:
+    - AWS VPC Transit Gateways Flow Logs 
+    - Alert Logic 
+    - Google G Suite Alert Center 
+    - Microsoft Defender Advanced Hunting
+    - Azure Provisioning, Alert, ResourceHealth, and ServiceHealth events
+
+Changes are enumerated below.
+
+:::note
+First Seen Successful Authentication From Unexpected Country (FIRST-S00029), which is disabled by default, has been replaced by a rule of the same name (FIRST-S00065) which is enabled by default. FIRST-S00029 will be removed in a subsequent release in 2 weeks (week of December 16). Any tuning expressions applied to FIRST-S00029 will need to be migrated to FIRST-S00065 to continue functioning.
+:::
+
+### Rules
+- [New] MATCH-S00952 GitHub - Administrator Added or Invited
+    - Detects additions or invitations of GitHub Administrators. Illegitimate addition of administrative users could be an indication of privilege escalation or persistence by adversaries.
+- [New] MATCH-S00953 GitHub - Audit Logging Modification
+    - Detects modifications to the GitHub Enterprise Audit Log. Modifications and deletions have the potential to reduce visibility of malicious activity.
+- [New] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
+    - Observes for GitHub staff manually revoking copilot access for a user. This action is likely to be rare and may be indicative of a user violating the [acceptable use policy for GitHub](https://docs.github.com/en/site-policy/acceptable-use-policies).
+- [New] FIRST-S00091 GitHub - First Seen Activity From Country for User
+    - Detects GitHub user activity from a new country. User account compromises can be detected through unusual geolocation in some cases. To lower possible false positives, a tuning expression for expected country names or codes can be added,.
+- [New] FIRST-S00090 GitHub - First Seen Application Interacting with API
+    - Detects new application usage of the GitHub API. New applications utilizing the API may be routine, however this may also reveal malicious applications utilizing the API.
+- [New] MATCH-S00950 GitHub - Member Invitation or Addition
+    - Detects new user additions or invitations to the business or organization GitHub. New user additions/invitations should be monitored as they could be a vector for malicious actors to establish access or persistence.
+- [New] MATCH-S00955 GitHub - Member Permissions Modification
+    - Detects modifications of GitHub user permissions. Added permissions for a user should be monitored for potential privilege escalation by an adversary.
+- [New] MATCH-S00956 GitHub - OAuth Application Activity
+    - Detects OAuth application activities within GitHub. OAuth application management and access activity should be monitored for potential abuse by potential malicious actors, either by creating malicious access paths within GitHub, or destruction of GitHub infrastructure.
+- [New] MATCH-S00957 GitHub - Organization Transfer
+    - Detects transfers of an organization to another enterprise This is a sensitive activity that should be monitored to ensure organizations and their repositories are not being transferred without proper authorization.
+- [New] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
+    - Detects an outlier in the number of distinct user agent strings for a GitHub user. Unusual user agent strings for a user account could indicate account takeover.
+- [New] OUTLIER-S00028 GitHub - Outlier in Removal Actions by User
+    - Detects a higher than usual number of removal actions undertaken by a user. This detection has a broad scope to detect any unusual number of destroy, delete, or remove actions undertaken by a user to help detect a range of different potential destructive activities in GitHub.
+- [New] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
+    - Detects an unusual number of repository clones for a user. Unusual repository cloning could indicate data exfiltration or discovery.
+- [New] MATCH-S00958 GitHub - PR Review Requirement Removed
+    - Detects GitHub pull request review requirements being removed from a repository either via branch protection rule or ruleset.
+- [New] MATCH-S00959 GitHub - Repository Public Key Deletion
+    - Detects deletions of SSH keys in GitHub. Unusual deletions could represent an adversary attempting to disrupt normal operations by denying access.
+- [New] MATCH-S00960 GitHub - Repository Transfer
+    - Detects transfers of a repository to another organization or user. This is a sensitive activity that GitHub places in the "Danger Zone" of repository setting and should be monitored to ensure no unauthorized transfers are taking place.
+- [New] MATCH-S00961 GitHub - Repository Visibility Changed to Public
+    - Detects a user making a repository public. This action should be closely monitored and mitigative actions taken even if the published repository is deleted, or reverted to private. Reference: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
+- [New] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+    - Detects repository visibility permissions being changed to allow members of an organization to change the visibility of repositories. This activity introduces the potential for data leakage if a private or internal repository is changed to public and should be monitored to ensure no inadvertent or malicious publication of a repository.
+- [New] MATCH-S00963 GitHub - SSH Key Created for Private Repo
+    - Detects the creation of an SSH key for a private GitHub repository.  Performed maliciously, creating an SSH key could create a parallel access path for an attacker.
+- [New] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+    - Detects activities accessing SSO recovery codes. SSO recovery codes can enable a user to bypass normal more stringent authentication routes.
+- [New] MATCH-S00951 GitHub - Secret Scanning Alert
+    - Observes for secret scanning alerts from GitHub. Secrets detected by GitHub Enterprise Cloud undergo validation by GitHub automatically, to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection. For more information see [Evaluating alerts from secret scanning](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts).
+- [New] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
+    - Detects actions which disable or modify secret scanning policies for an organization or repository. Modifying or disabling secret scanning may lead to inadvertent leaking of credentials.
+- [New] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+    - Observes for two-factor authentication being disabled for a GitHub organization. Removing two-factor authentication requirements significantly degrades the security of the GitHub organization by permitting password only authentication.
+- [Updated] THRESHOLD-S00095 Password Attack from Host
+    - Modified the rule expression to remove the `srcDevice_ip` entity selector and the `isNull` from the rule expression for entities from the existing rule, and creates a new rule for those entities so that there are 2 versions of the rule's intent.
+
+### Log Mappers
+- [New] AWS VPC Transit Gateways Flow Logs
+- [New] Alert Logic Catch All
+- [New] Azure ResourceHealth and ServiceHealth
+- [New] Google G Suite Alert Center - User Changes
+- [New] Microsoft Defender Advanced Hunting - Alert
+- [New] Microsoft Defender Advanced Hunting - Audit
+- [New] Microsoft Defender Advanced Hunting - Email events
+- [New] Microsoft Defender Advanced Hunting - Logon
+- [New] Microsoft Defender Advanced Hunting - Network
+- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
+    - Adds support for additional event types and field mappings.
+- [Updated] Trend Micro Vision One Custom Parser
+    - Supports additional field names.
+
+### Parsers
+- [New] /Parsers/System/AWS/AWS VPC Transit Gateways Flow Logs
+- [New] /Parsers/System/Alert Logic/Alert Logic
+- [New] /Parsers/System/Microsoft/Microsoft Defender Advanced Hunting
+- [Updated] /Parsers/System/Trend Micro/Trend Micro Vision One
+     - Parser updated to support additional event format.

blog-service/2023/12-31.md

@@ -686,7 +686,7 @@ We've increased the maximum number of time series processed by a single aggregat
 
 #### Account Page Improvements
 
-We've enhanced our [**Account** page](/docs/manage/manage-subscription/sumo-logic-credits-accounts/#viewing-the-account-information) to make it easier for you to understand how your credits are being allocated. With **Details of Credit Usage**, you can separate out your ingest, storage, and scan credit burn rates as **Promotional Credits** covers any promotional credits you are using with the account. You can also filter your view by day, week, and month, or view by time period. And you can download these reports as a CSV.
+We've enhanced our [**Account Overview** page](/docs/manage/manage-subscription/sumo-logic-credits-accounts/#account-overview) to make it easier for you to understand how your credits are being allocated. With **Details of Credit Usage**, you can separate out your ingest, storage, and scan credit burn rates as **Promotional Credits** covers any promotional credits you are using with the account. You can also filter your view by day, week, and month, or view by time period. And you can download these reports as a CSV.
 
 
 ---
@@ -1327,7 +1327,7 @@ Multiple metrics queries can be defined from scratch on the SLO editor and the m
 
 #### Metrics Monitors Enhancements
 
-Update - We've enhanced the alerting logic for Metrics Monitors to ensure more accurate alerts. For monitors that alert when all data points are above a given threshold `at all times within`, we've added a customizable parameter for the minimum number of required data points within an alerting window. And, for any existing monitor, the default setting is 2, which means that two data points are required within an alerting window to generate an alert. [Learn more](/docs/alerts/monitors/create-monitor/#alert-and-recovery-window).
+Update - We've enhanced the alerting logic for Metrics Monitors to ensure more accurate alerts. For monitors that alert when all data points are above a given threshold `at all times within`, we've added a customizable parameter for the minimum number of required data points within an alerting window. And, for any existing monitor, the default setting is 2, which means that two data points are required within an alerting window to generate an alert. [Learn more](/docs/alerts/monitors/create-monitor/#static-detection-method-1).
 
 
 ---

blog-service/2024-03-04-manage.md

@@ -12,4 +12,4 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
 
-New - We're happy to introduce you to new accounts page enhancements such as Dynamic Forecasts, Credit Baseline, Total Credits Usage Breakdown, Time Series View, and Usage % Change. [Learn more](/docs/manage/manage-subscription/sumo-logic-flex-accounts/#account-page).
+New - We're happy to introduce you to new accounts page enhancements such as Dynamic Forecasts, Credit Baseline, Total Credits Usage Breakdown, Time Series View, and Usage % Change. [Learn more](/docs/manage/manage-subscription/sumo-logic-flex-accounts/#account-overview).

blog-service/2024-10-02-apps.md

@@ -1,5 +1,5 @@
 ---
-title: Apps Setup Guides - September Release (Apps)
+title: Apps, Solutions, and Collection Integrations - September Release (Observability)
 image: https://help.sumologic.com/img/sumo-square.png
 keywords:
   - apps

blog-service/2024-10-30-apps.md

@@ -1,5 +1,5 @@
 ---
-title: App Guides - October Release (Apps)
+title: Apps, Solutions, and Collection Integrations - October Release (Observability)
 image: https://help.sumologic.com/img/sumo-square.png
 keywords:
   - apps

blog-service/2024-11-28-apps.md

@@ -0,0 +1,46 @@
+---
+title: Apps, Solutions, and Collection Integrations - November Release (Observability)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - releases-notes
+hide_table_of_contents: true  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+### New release
+
+We’re excited to announce the release of the new Azure Database for PostgreSQL, Azure Cosmos DB, and Azure App Service Environment for Sumo Logic.
+
+- **Azure Database for PostgreSQL**. Azure Database for PostgreSQL is a fully managed relational database service in the Microsoft cloud based on the PostgreSQL community edition. This integration helps in monitoring resource utilization and identifying slow queries to optimize your workloads and configure your server for the best performance.
+[Learn more](/docs/integrations/microsoft-azure/azure-database-for-postgresql/).
+- **Azure Cosmos DB**. Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development offering single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. This integration helps in monitoring the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources.
+[Learn more](/docs/integrations/microsoft-azure/azure-cosmos-db/).
+- **Azure Cosmos DB for PostgreSQL**. Azure Cosmos DB for PostgreSQL is a managed service for PostgreSQL powered by the Citus open source extension which enables you to build highly scalable relational apps. This integration helps in identifying configurations errors, analyzing executed statements, and monitoring resource usage of individual nodes in a cluster.
+[Learn more](/docs/integrations/microsoft-azure/azure-cosmos-db-for-postgresql/).
+- **Azure App Service Environment**. An Azure App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for running App Service apps securely at high scale. This integration helps in monitoring your environments operational events such as upgrades, scaling, and suspensions. [Learn more](/docs/integrations/microsoft-azure/azure-app-service-environment).
+
+### Enhancements 
+
+We're excited to announce the release of the enhancements listed below for the Sumo Logic apps:
+
+- **Apache - OpenTelemetry**. Added six new monitors for Apache - OpenTelemetry app that will be triggered for different pre-defined conditions. [Learn more](/docs/integrations/web-servers/opentelemetry/apache-opentelemetry/#apache-alerts).
+- **Apache Tomcat - OpenTelemetry**. Added four new monitors for Apache Tomcat - OpenTelemetry app that will be triggered for different pre-defined conditions. [Learn more](/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry/#apache-tomcat-alerts).
+- **Oracle - OpenTelemetry**.  Updated the collection process to fetch unified audit logs and added new **Unified Audit Syslog** dashboard. This new dashboard offers information on database users, top current users, and trends in logon status. This dashboard can also be used with the unified audit logs exported from both Windows and Linux environments. [Learn more](/docs/integrations/databases/opentelemetry/oracle-opentelemetry/#unified-audit-syslog).
+- **Added CloudTrail Audit dashboard**. The CloudTrail Audit dashboard is added to the [AWS Application Load Balancer](/docs/integrations/amazon-aws/application-load-balancer/#cloudtrail-audit), [AWS Classic Load Balancer](/docs/integrations/amazon-aws/classic-load-balancer/#cloudtrail-audit), and [AWS Network Load Balancer](/docs/integrations/amazon-aws/network-load-balancer/#cloudtrail-audit) apps. This dashboard helps you to visualize the successful and failed events globally, event trends, error details, and user activities, offering insights into load balancer performance, security, and usage patterns. 
+- **Amazon RDS**. Added **Oracle Logs - Alert Logs Analysis**, **Oracle Logs - Audit Logs Analysis**, and **Oracle Logs - Listener Troubleshooting** dashboards. These CloudTrail and CloudWatch Logs dashboard provide monitoring for error logs and essential infrastructure details. [Learn more](/docs/integrations/amazon-aws/rds/#oracle-logs---alert-logs-analysis).
+- **MongoDB Atlas**. New version of the [MongoDB Atlas collection](/docs/integrations/databases/mongodb-atlas/#collecting-logs-and-metrics-for-the-mongodb-atlas-app) was released with `v.1.0.11` in [Pypi](https://pypi.org/project/sumologic-mongodb-atlas/) and `v1.0.18` in [AWS Serverless Repository](https://serverlessrepo.aws.amazon.com/applications/us-east-1/956882708938/sumologic-mongodb-atlas). [Learn more](https://github.com/SumoLogic/sumologic-mongodb-atlas/releases/tag/v2.0.1)
+ 
+### Bug fixes
+
+- Minor *query* fixes in the below [Classic Apps (Legacy)](/docs/get-started/apps-integrations/#classic-apps-legacy):
+  - Amazon CloudTrail - Cloud Security Monitoring and Analytics
+  - Github
+    
+- Minor fixes in the *monitors* for the below [Next-Gen Apps](/docs/get-started/apps-integrations/#next-gen-apps):
+  - Microsoft Azure AD Inventory
+  - Audit
+

blog-service/2024-11-28-search.md

@@ -0,0 +1,28 @@
+---
+title: Logs Query Assist - Preview (Search)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - query
+  - ai
+  - copilot
+  - search
+  - log-search
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This feature is in Preview. To participate, contact your Sumo Logic account representative.
+
+We’re excited to announce the preview release of **Query Assist**, designed to simplify query building by reducing complexity, enabling easier field discovery, minimizing errors, and providing intelligent query-writing assistance. These enhancements deliver real-time syntax suggestions, schema-based recommendations, and a frictionless query experience.
+
+### Key features
+
+* **Real-time syntax suggestions**. Get instant recommendations for syntax and operators to accelerate query creation and reduce errors.  
+* **Schema-based field suggestions**. Automatically discover relevant keys and fields for structured data like JSON logs.  
+* **Partial query prediction**. Anticipate the next operator or receive partial query suggestions based on your input.  
+* **Enhanced user experience**. Real-time error highlighting and intelligent suggestions provide a smooth and seamless query-building process.  
+
+These updates make it easier for both beginners and advanced users to craft accurate queries and analyze data efficiently. [Learn more](/docs/search/query-assist).