Merge branch 'main' into update-deletion-request-docs

Author: JV0812

blog-cse/2025-04-14-content.md

@@ -0,0 +1,81 @@
+---
+title: April 14, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Additional data requirements for GitHub rules added to rule descriptions.
+- Spelling corrections for AWS Lambda rules.
+- New Slack Anomaly Event log mapper and supporting parsing changes:
+   - Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
+   - Requires parser be defined for passthrough detection.
+- Updates to Sysdig parsing and mapping to support additional events.
+- Support for Microsoft Windows Sysmon-29 event.
+- Additional normalized field mappings for Microsoft Windows Sysmon events.
+- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields.
+
+
+### Rules
+- [Updated] MATCH-S00874 AWS Lambda Function Recon
+- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
+- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
+- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
+- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
+- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
+- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
+- [Updated] MATCH-S00955 GitHub - Member Permissions Modification
+- [Updated] MATCH-S00956 GitHub - OAuth Application Activity
+- [Updated] MATCH-S00957 GitHub - Organization Transfer
+- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
+- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
+- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
+- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
+- [Updated] MATCH-S00960 GitHub - Repository Transfer
+- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
+- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
+- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
+- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+
+### Log Mappers
+- [New] Slack Anomaly Event
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
+- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
+- [New] Windows - Microsoft-Windows-Sysmon/Operational-29
+- [Updated] Sysdig Secure Packages
+- [Updated] Sysdig Secure Vulnerability
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
+
+### Parsers
+- [New] /Parsers/System/Slack/Slack Enterprise Audit
+- [Updated] /Parsers/System/Sysdig/Sysdig Secure
+
+### Schema
+- [New] `targetUser_phoneNumber`
+- [New] `user_phoneNumber`

blog-service/2025-03-31-apps.md

@@ -13,7 +13,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 We’re excited to announce the release of the new Azure Key Vault and AWS Auto scaling apps for Sumo Logic.
 
-- **Azure Key Vault**. Azure Key Vault is a managed service, hosted in the cloud that acts as a central message hub for communication between an IoT application and its attached devices. This integration helps in comprehensive monitoring of your key vaults requests, performance, failures, and latency. [Learn more](/docs/integrations/microsoft-azure/azure-key-vault/).
+- **Azure Key Vault**. Azure Key Vault is a cloud service that helps you securely store and manage secrets, keys, and certificates. You can use it to protect data for cloud apps and services. This integration helps in comprehensive monitoring of your Key Vault operations, requests, failures, and latency. [Learn more](/docs/integrations/microsoft-azure/azure-key-vault/).
 - **AWS Auto scaling**. Amazon EC2 Auto Scaling helps you maintain application availability and lets you automatically add or remove EC2 instances using scaling policies that you define. Dynamic or predictive scaling policies let you add or remove EC2 instance capacity to service established or real-time demand patterns. [Learn more](/docs/integrations/amazon-aws/amazon-ec2-auto-scaling/).
 
 ### Enhancements

docs/cse/administration/mitre-coverage.md

@@ -211,3 +211,10 @@ You can use the following Cloud SIEM APIs to obtain information about your MITRE
 * [MitreAttackCoverageExportJson](https://api.sumologic.com/docs/sec/#operation/MitreAttackCoverageExportJson). Get a JSON representation of the Mitre ATT&CK coverage.
 
 To find the Cloud SIEM API documentation for your endpoint, see [Cloud SIEM APIs](/docs/api/cloud-siem-enterprise/).
+
+## Additional resources
+
+* Blog: [Enhance your cloud security with MITRE ATT&CK and Sumo Logic Cloud SIEM](https://www.sumologic.com/blog/cloud-siem-mitre-attack/)
+* Glossary: [MITRE ATT&CK - definition & overview](https://www.sumologic.com/glossary/mitre-attack/)
+* Demo: [MITRE ATT&CK Coverage Explorer](https://www.sumologic.com/demo/cloud-siem-mitre-attack-coverage-explorer/)
+* Cloud SIEM Content Catalog: [Vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md)

docs/cse/rules/about-cse-rules.md

@@ -185,3 +185,9 @@ Threat Intelligence sources contain values that, when encountered in a record, a
 
 Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 
+## Additional resources
+
+* Blogs: 
+   * [Secure your CI/CD pipelines from supply chain attacks with Sumo Logic’s Cloud SIEM rules](https://www.sumologic.com/blog/secure-azure-devops-github-supply-chain-attacks/)
+   * [Rule tuning – supercharge Cloud SIEM for better alerts](https://www.sumologic.com/blog/rule-tuning-cloud-siem-alert-fatigue/)
+* Cloud SIEM Content Catalog: [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md)

docs/get-started/ai-machine-learning.md

@@ -100,12 +100,16 @@ Sumo Logic's Cloud SIEM leverages AI-driven rules for security management, inclu
 Our Global Intelligence Service apps provide security teams with valuable real-time security intelligence to scale detection, prioritization, investigation, and workflow to prevent potentially harmful service configurations that could lead to a costly data breach. [Learn more](/docs/integrations/global-intelligence).
 
 
-## More information
+## Additional resources
+
+* Guide: [Understanding artificial intelligence for log analytics](https://www.sumologic.com/guides/machine-data-analytics)
+* Blogs: 
+   * [What are the differences between artificial intelligence, machine learning, deep learning and generative AI?](https://www.sumologic.com/blog/machine-learning-deep-learning)
+   * [DevSecOps in an AI world requires disruptive log economics](https://www.sumologic.com/blog/devsecops-ai-disruptive-log-economics)
+   * [Generative AI: The latest example of systems of insight](https://www.sumologic.com/blog/generative-ai-latest-example-systems-of-insight)
+   * [Harnessing the power of artificial intelligence in log analytics](https://www.sumologic.com/blog/power-ai-log-analytics/)
+   * [Reduce alert noise, automate incident response and keep coding with AI-driven alerting](https://www.sumologic.com/blog/ai-driven-low-noise-alerts/)
 
-* [What are the differences between artificial intelligence, machine learning, deep learning and generative AI?](https://www.sumologic.com/blog/machine-learning-deep-learning)
-* [Understanding artificial intelligence for log analytics](https://www.sumologic.com/guides/machine-data-analytics)
-* [DevSecOps in an AI world requires disruptive log economics](https://www.sumologic.com/blog/devsecops-ai-disruptive-log-economics)
-* [Generative AI: The latest example of systems of insight](https://www.sumologic.com/blog/generative-ai-latest-example-systems-of-insight)
 <!--
 -Bashyam's blog about how we trained our AI
 -Flex Pricing? The more log data ingested, the sharper your analytics and ML/AI insights become. By eliminating ingest limitations and empowering an ML/AI-driven single source of truth for analytics, Flex enables DevOps and DevSecOps teams to troubleshoot faster, accelerate release velocity, and ensure reliable, secure digital experiences.

docs/integrations/amazon-aws/amazon-elastic-block-store.md

@@ -12,15 +12,70 @@ Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for
 
 Amazon EBS is recommended for data that must be quickly accessible and requires long-term persistence. EBS volumes are particularly well-suited for use as the primary storage for file systems, databases, or for any applications that require fine granular updates and access to raw, unformatted, block-level storage. Amazon EBS is well suited to both database-style applications that rely on random reads and writes, and to throughput-intensive applications that perform long, continuous reads and writes. For more details, refer to the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).
 
-## Log and metric types
+## Metric type
 * [CloudWatch Metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using_cloudwatch_ebs.html)
-* [CloudTrail Logs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html)
 
+:::note
+For [CloudTrail log](https://docs.aws.amazon.com/ebs/latest/userguide/logging-ebs-apis-using-cloudtrail.html), Amazon EBS and Amazon EC2 are tightly integrated services. Most EBS-related events are captured and reflected as part of EC2 events, since EBS volumes are typically attached to EC2 instances for storage and compute operations. See the [Amazon EC2 app](https://help.sumologic.com/docs/integrations/amazon-aws/ec2-cloudwatch-metrics/#events) for EBS related captured events.
+:::
 
 ## Setup
-You can collect the logs and metrics for Sumo Logic's Amazon Elastic Block Store (Amazon EBS) integration by following the below steps.
+You can collect the metrics for Sumo Logic's Amazon Elastic Block Store (Amazon EBS) integration by following the below steps.
 
-### Configure metrics collection
-* Collect **CloudWatch Metrics** with namespace `AWS/EBS` using the [AWS Kinesis Firehose for Metrics](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source/) source. For `AWS/EBS` metrics and dimensions, refer to [Amazon Elastic Block Store (Amazon EBS) CloudWatch metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using_cloudwatch_ebs.html).
-### Configure logs collection
-* Collect [AWS CloudTrail Logs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitor-with-cloudtrail.html) using [AWS CloudTrail](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/) source. Amazon EC2 and Amazon EBS are integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in Amazon EC2 and Amazon EBS. CloudTrail captures all API calls for Amazon EC2 and Amazon EBS as events, including calls from the console and from code calls to the APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon EC2 and Amazon EBS. Using the information collected by CloudTrail, you can determine the request that was made to Amazon EC2 and Amazon EBS, the IP address from which the request was made, who made the request, when it was made, and additional details.
+### Collect CloudWatch Metrics
+
+Sumo Logic supports collecting metrics using two source types:
+
+* Configure an [AWS Kinesis Firehose for Metrics Source](/docs/send-data/hosted-collectors/amazon-aws/aws-kinesis-firehose-metrics-source) (recommended); or
+* Configure an [Amazon CloudWatch Source for Metrics](/docs/send-data/hosted-collectors/amazon-aws/amazon-cloudwatch-source-metrics)
+
+* The namespace for **Amazon Elastic Block Store** Service is **AWS/EBS**.
+   * ​​​**Metadata**. Add an **account** field to the source and assign it a value that is a friendly name/alias to your AWS account from which you are collecting metrics. Metrics can be queried via the “account field”.
+
+## Installing the Elastic Block Store app  
+
+Now that you have set up a collection for **Amazon Elastic Block Store**, install the Sumo Logic app to use the pre-configured [dashboards](#viewing-the-elastic-block-store-dashboards) that provide visibility into your environment for real-time analysis of overall usage.
+
+import AppInstall from '../../reuse/apps/app-install-v2.md';
+
+<AppInstall/>
+
+## Viewing the Elastic Block Store dashboards  
+
+We highly recommend you view these dashboards in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability) of the AWS Observability solution.
+
+:::note
+Most Amazon EBS metrics shown on the dashboard depend on the volume type and usage conditions. For more details, refer to [CloudWatch Metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using_cloudwatch_ebs.html).
+:::
+
+### Overview
+
+The **Amazon EBS - Overview** dashboard offers a comprehensive view of the performance and utilization throughout the lifecycle of your EBS volumes. It allows you to monitor essential metrics such as volume activity, data throughput, and latency.
+
+Use this dashboard to:
+* Monitor EBS volume performance metrics like IOPS, throughput, and latency.
+* Track burst balance and queue depth to assess I/O efficiency.
+
+<img src={useBaseUrl('img/integrations/amazon-aws/Amazon-EBS-Overview.png')} alt="Elastic Block Store" style={{border: '1px solid gray'}} />
+
+### Performance Monitoring
+
+The **Amazon EBS - Performance** dashboard provides detail visibility into the performance and utilization of your EBS volumes, fast snapshot restore capabilities, and snapshot lifecycle. It enables monitoring of key metrics related to volume activity, latency.
+
+Use this dashboard to:
+* Monitor EBS volume performance metrics like latency, time spent on operations.
+* Track burst balance and queue depth to assess I/O efficiency.
+* Monitor status checks to detect degraded or impaired volumes and snapshot copy progress.
+* Track Fast Snapshot Restore readiness and available restore credits.
+
+<img src={useBaseUrl('img/integrations/amazon-aws/Amazon-EBS-Performance.png')} alt="Elastic Block Store" style={{border: '1px solid gray'}} />
+
+The **Amazon EBS - Throughput and IOPS** dashboard provides detail visibility into the Throughput and IOPS utilization of your EBS volumes, It enables monitoring of key metrics related to volume IOPS activity, data throughput.
+
+Use this dashboard to:
+* Monitor EBS volume performance metrics like IOPS, throughput.
+* Monitor status checks to detect degraded or impaired volumes.
+* Track data transfer activity to understand read/write patterns over time.
+
+
+<img src={useBaseUrl('img/integrations/amazon-aws/Amazon-EBS-Throughput-and-IOPS.png')} alt="Elastic Block Store" style={{border: '1px solid gray'}} />

docs/integrations/amazon-aws/cloudtrail.md

@@ -305,3 +305,8 @@ See information about S3 public objects and buckets, including counts of new pub
 **Modified Public Objects-Bucket**. Displays modified public objects per object on a timeline using the `timeslices` of one hour as a stacked column chart for the last 24 hours.
 
 **Modified Public Objects Table**. Displays a table with modified public objects in your S3 bucket, with time, key, bucket name, account ID, region, username, and access key ID for the last 24 hours.
+
+## Additional resources
+
+* Blog: [What is AWS CloudTrail?](https://www.sumologic.com/blog/what-is-aws-cloudtrail/)
+* App description: [Logs for Security app for AWS CloudTrail](https://www.sumologic.com/application/aws-cloudtrail/)

docs/integrations/amazon-aws/waf.md

@@ -60,7 +60,7 @@ _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
 | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
 ```
-<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
+<!-- Per DOCS-643, replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop

docs/integrations/databases/postgresql.md

@@ -691,3 +691,9 @@ postgresql_index_size<br/>
 postgresql_table_size<br/>
 
 </details>
+
+## Additional resources
+
+* Blogs: 
+   * [How to use Kubernetes to deploy Postgres](https://www.sumologic.com/blog/kubernetes-deploy-postgres/)
+   * [PostgreSQL vs MySQL](https://www.sumologic.com/blog/postgresql-vs-mysql/) 

docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md

@@ -370,3 +370,8 @@ import CreateMonitors from '../../../reuse/apps/create-monitors.md';
 | `HAProxy - Backend Server Down` | This alert is triggered when a backend server for a given HAProxy server is down. | Count > 0 | Count < = 0 |
 | `HAProxy - High Client (HTTP 4xx) Error Rate` | This alert is triggered when there are too many HTTP requests (>5%) with a response status of 4xx. | Count > 0 | Count < = 0 |
 | `HAProxy - High Server (HTTP 5xx) Error Rate` | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx. | Count > 0 | Count < = 0 |
+
+## Additional resources
+
+* Blog: [Everything you need to know about HAProxy log format](https://www.sumologic.com/blog/haproxy-log-format/)
+* App description: [HAProxy App for Sumo Logic](https://www.sumologic.com/application/haproxy/)