Merge branch 'main' into Update-Timestamp-Autocorrection-and-Historical-Data-Ingestion-Documentation

Author: amee-sumo

.github/workflows/build_and_deploy.yml

@@ -28,7 +28,7 @@ on:
 
 jobs:
   build-and-deploy:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.environment }}
       url: ${{ inputs.hostname }}${{ inputs.base_url }}

.github/workflows/delete-review.yml

@@ -4,7 +4,7 @@ on: delete
 
 jobs:
   delete-branch-environment:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     environment:
       name: review/${{ github.ref_name }}
     env:

.github/workflows/pr.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
     build-and-deploy:
-      runs-on: ubuntu-22.04
+      runs-on: ubuntu-latest
       env:
           CI: true
           NODE_ENV: production

blog-cse/2025-04-25-content.md

@@ -0,0 +1,32 @@
+---
+title: April 25, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
+- Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.
+
+## Rules
+- [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
+- [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
+- [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
+- [Updated] MATCH-S01000 Threat Intel - MD5 Match
+- [Updated] MATCH-S01001 Threat Intel - PEHASH Match
+- [Updated] MATCH-S01003 Threat Intel - SHA1 Match
+- [Updated] MATCH-S01004 Threat Intel - SHA256 Match
+- [Updated] MATCH-S01002 Threat Intel - SSDEEP Match
+
+## Log Mappers
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+- [Updated] Microsoft Office 365 AzureActiveDirectory Events
+
+## Parsers
+- [Updated] /Parsers/System/Microsoft/Office 365

blog-csoar/2025-04-21-content.md

@@ -0,0 +1,42 @@
+---
+title: April 21, 2025 - Content Release
+hide_table_of_contents: true
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - automation service
+  - cloud soar
+  - soar
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## March and April releases
+
+### Changes and enhancements
+
+#### Integrations
+
+* [NEW] [ThreatDown Oneview](/docs/platform-services/automation-service/app-central/integrations/threatdown-oneview/). The ThreatDown OneView integration has been built from scratch to facilitate seamless security operations management. 
+* [NEW] [Atlassian Jira Cloud](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-cloud/). The Atlassian Jira Cloud integration has been developed from the ground up to streamline issue tracking and project management. 
+* [UPDATED] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/). Added a new Update IP Set action in the AWS WAF integration that allows users to update an existing IP set.
+
+#### Platform 
+
+##### Playbooks
+
+* Improved the user experience in the node popup when loading dynamic fields.
+* Added a confirmation dialog to alert users about pre-existing playbook drafts to avoid accidental overwriting while editing playbooks.
+* Implemented an alert popup to prevent accidental loss of unsaved changes when closing a node popup.
+* Added audit logs for failed nodes due to errors or exceptions during playbook execution.
+
+### Bug fixes
+
+#### General
+
+* Fixed a session timeout issue when the user is active in Automation Service, but inactive in Sumo Logic Log Analytics.
+* Fixed cursor positioning issue while typing in text areas.
+
+#### Integrations
+
+* Resolved a next page token and pageSize related issues in the List Permissions action of the  [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/) integration.
+* Added a new `impersonate_user` field in List Permission and Delete Permission actions, allowing actions to be performed on a user's behalf.

blog-service/2024/12-31.md

@@ -425,10 +425,6 @@ We're excited to announce that when you create a role, you can select **Index Ac
 
 This feature was [previously only available to participants in our beta program](/release-notes-service/2023/12/31/#october-27-2023-manage-account). It is now available for general use.
 
-:::note
-These changes are rolling out across deployments incrementally and will be available on all deployments by March 14, 2025.
-:::
-
 [Learn more](/docs/manage/users-roles/roles/create-manage-roles/#create-a-role).
 
 ### October 14, 2024 (Collection)

blog-service/2025-04-21-apps.md

@@ -0,0 +1,13 @@
+---
+title: Sumo Collection (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - sumo-collection
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+
+We're excited to introduce the new Sumo Collection app for Sumo Logic. By leveraging this app, you can get insights into the health and status of Sumo Logic collectors and sources, allowing you to effectively manage and monitor collectors and sources within Sumo Logic. [Learn more](/docs/integrations/saas-cloud/sumo-collection).

blog-service/2025-04-28-manage.md

@@ -0,0 +1,17 @@
+---
+title: Content Sharing for Apps (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - apps
+  - content sharing
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We are happy to announce that authorized users can now control the visibility of  installed app content. This update allows content administrators and the installing user to configure the roles and users who should be allowed to view the dashboards and log searches that are installed with an app.
+
+For more information about sharing apps, see [Content Sharing in Sumo Logic](/docs/manage/content-sharing/).
+
+<img src={useBaseUrl('img/content-sharing/grant-app-access-to-org.png')} alt="<your image description>" style={{border: '1px solid gray'}} width="<insert-pixel-number>" />

cid-redirects.json

@@ -1627,6 +1627,7 @@
   "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one",
   "/cid/6024": "/docs/integrations/saas-cloud/vmware-workspace-one",
   "/cid/6025": "/docs/integrations/saas-cloud/cisco-vulnerability-management",
+  "/cid/6026": "/docs/integrations/saas-cloud/sumo-collection",
   "/cid/10112": "/docs/integrations/app-development/jfrog-xray",
   "/cid/10113": "/docs/observability/root-cause-explorer",
   "/cid/10116": "/docs/manage/fields",
@@ -2673,6 +2674,7 @@
   "/cid/20158": "/docs/integrations/amazon-aws/aws-ground-station",
   "/cid/20159": "/docs/integrations/amazon-aws/aws-healthlake",
   "/cid/20160": "/docs/integrations/amazon-aws/amazon-bedrock",
+  "/cid/20161": "/docs/integrations/microsoft-azure/azure-virtual-machine",
   "/cid/8394": "/docs/search/search-query-language/search-operators/dedup",
   "/cid/85858": "/docs/observability/kubernetes/quickstart",
   "/cid/8595": "/docs/manage/security/set-password-policy",
@@ -4305,6 +4307,7 @@
   "/docs/manage/partitions/flex/estimate-and-actual-scan-data": "/docs/manage/partitions/flex/estimate-scan-data",
   "/docs/manage/partitions/flex/flex-pricing-faqs": "/docs/manage/partitions/flex/faq",
   "/docs/manage/partitions/flex/flex-pricing-faq": "/docs/manage/partitions/flex/faq",
+  "/docs/platform-services/automation-service/app-central/integrations/exana-open-dns": "/docs/platform-services/automation-service/app-central/integrations",
   "/docs/platform-services/automation-service/app-central/integrations/snowflake": "/docs/platform-services/automation-service/app-central/integrations",
   "/docs/integrations/security-threat-detection/palo-alto-networks-6": "/docs/integrations/security-threat-detection/palo-alto-networks-9",
   "/docs/integrations/security-threat-detection/palo-alto-networks-8":"/docs/integrations/security-threat-detection/palo-alto-networks-9",

docs/alerts/scheduled-searches/generate-cse-signals.md

@@ -15,6 +15,8 @@ For a more detailed description of the options you can configure for a scheduled
 
 ## Requirements for the search query
 
+When you [create a scheduled search](/docs/alerts/scheduled-searches/schedule-search/) to generate signals in Cloud SIEM, you start by creating a search query.
+
 This section describes the requirements for your scheduled search, which include a minimum set of fields to be returned, and renaming message fields as necessary to match attribute names in the selected Cloud SIEM record type schema.  
 
 ### Required fields
@@ -42,7 +44,6 @@ enable signal generation:
     If the `stage` field contains a Tactic that isn't in the MITRE ATT&CK framework, a signal will not be generated, but a record will be. 
     :::
 * At least one entity field:
-
   * `device_ip`
   * `device_mac`
   * `device_natIp`
@@ -56,16 +57,35 @@ enable signal generation:
   * `srcDevice_ip`
   * `srcDevice_mac`
   * `srcDevice_natIp`
-  * `user_username`        
+  * `user_username`
 
 ### Renaming message fields
 
 When you configure a Scheduled Search to create Cloud SIEM signals, you are prompted to select a [Cloud SIEM record type](/docs/cse/schema/cse-record-types/). The fields returned by your search must match an attribute in the record type you select. A field whose name does not match a Cloud SIEM attribute will not be populated in the record created from the Schedule Search results. For more about Cloud SIEM attribute names, see [Attributes You Can Map to Records](/docs/cse/schema/attributes-map-to-records/).
 
+### Example
+
+Let's suppose that `user_username` is the entity field we want to use, and its value needs to be mapped to `actor.email`. Then you need to add the following line to the query: `actor.email as user_username`.
+
+And because the final output of this query is an aggregate, and Cloud SIEM signals expect `normalizedfield`, `stage`, and `entity`, we need need to add those in the `count` expression. 
+
+This is how the final query might look:
+
+```txt
+((_index=sec_record_* objectType=*)
+AND _sourcename = "Google Apps Audit Event")
+AND _sourcecategory = "GoogleWorkspace/Groups"
+| 5 as normalizedseverity
+| "Initial Access" as stage
+| json auto 
+| actor.email as user_username
+| count by events.name, events.type, actor.email, event.parameters.user_email, event.parameters.group_email, user_username, stage, normalizedseverity
+```
+
 ## Scheduling the search
 
 1. After creating and saving your search, click the save icon.<br/><img src={useBaseUrl('img/alerts/save-as.png')} alt="Save the search" style={{border: '1px solid gray'}} width="800"/>
-1. The **Save Item** popup appears.<br/><img src={useBaseUrl('img/alerts/save-item.png')} alt="Save as scheduled search" width="500"/>
+1. The **Save Item** popup appears.<br/><img src={useBaseUrl('img/alerts/save-item.png')} alt="Save as scheduled search" style={{border: '1px solid gray'}} width="500"/>
    :::note
    The name of your scheduled search will appear as the signal name in Cloud SIEM.
    :::