Merge branch 'main' into May-Release-Note-(apps)

Author: amee-sumo

.github/workflows/build_and_deploy.yml

@@ -1,5 +1,8 @@
 name: Build and Deploy
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -13,7 +16,7 @@ on:
         default: "/"
         type: string
       environment:
-        description: GHA environment name
+        description: GitHub Actions environment name (used for scoping secrets and deployment)
         required: true
         type: string
     secrets:
@@ -35,6 +38,7 @@ jobs:
     env:
       CI: true
       NODE_ENV: production
+      NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
       AWS_PAGER: ""
       HOSTNAME: ${{ inputs.hostname }}
       BASE_URL: ${{ inputs.base_url }}
@@ -53,16 +57,14 @@ jobs:
         uses: actions/cache@v3
         with:
           path: node_modules/.cache
-          key: ${{ runner.os }}-webpack-cache
+          key: ${{ runner.os }}-webpack-cache-${{ hashFiles('yarn.lock') }}
       - name: Install awscli
         uses: unfor19/install-aws-cli-action@v1
       - name: Install jq
         run: sudo apt-get install -y jq
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Build the Docusaurus site
-        env:
-          NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
         run: yarn build
       - name: Deploy the Docusaurus site
         env:

.github/workflows/delete-review.yml

@@ -1,5 +1,8 @@
 name: delete-review
 
+permissions:
+  contents: read
+
 on: delete
 
 jobs:
@@ -9,6 +12,7 @@ jobs:
       name: review/${{ github.ref_name }}
     env:
       CI: true
+      NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
       AWS_PAGER: ""
       BASE_URL: /${{ github.ref_name }}/
       AWS_DEFAULT_REGION: us-east-1
@@ -23,6 +27,7 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         run: |
+          echo "Removing files at s3://${S3_BUCKET_NAME}${BASE_URL}"
           aws s3 rm --recursive s3://${S3_BUCKET_NAME}${BASE_URL}
           export INVALIDATION_ID=$(
             aws cloudfront create-invalidation \

.github/workflows/pr.yml

@@ -1,40 +1,44 @@
 name: Pull Request Checks
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
-    pull_request:
-      branches:
-        - main
-    merge_group:
-      types:
-        - checks_requested
+  pull_request:
+    branches:
+      - main
+  merge_group:
+    types:
+      - checks_requested
+
+env:
+  CI: true
+  NODE_ENV: production
+  NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
 
 jobs:
-    build-and-deploy:
-      runs-on: ubuntu-latest
-      env:
-          CI: true
-          NODE_ENV: production
-      steps:
-        - uses: actions/checkout@v4
-        - name: Set up Node.js
-          uses: actions/setup-node@v3
-          with:
-            node-version: '20.x'
-            cache: 'yarn'
-        - name: Docusaurus Webpack cache
-          uses: actions/cache@v3
-          with:
-            path: node_modules/.cache
-            key: ${{ runner.os }}-webpack-cache
-        - name: Install dependencies
-          run: yarn install --frozen-lockfile
-        - name: Build the Docusaurus site
-          env:
-            NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
-          run: yarn build
-    spellcheck:
-      runs-on: ubuntu-latest
-      steps:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20.x'
+          cache: 'yarn'
+      - name: Docusaurus Webpack cache
+        uses: actions/cache@v3
+        with:
+          path: node_modules/.cache
+          key: ${{ runner.os }}-webpack-cache-${{ hashFiles('yarn.lock') }}
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+      - name: Build the Docusaurus site
+        run: yarn build
+  spellcheck:
+    runs-on: ubuntu-latest
+    steps:
       - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@master
         name: Check spelling

.github/workflows/production.yml

@@ -1,5 +1,8 @@
 name: deploy-to-production
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

blog-cse/2025-05-30-content.md

@@ -0,0 +1,54 @@
+---
+title: May 30, 2025 - Content Release
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - log mappers
+  - parsers
+  - rules
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This content release includes:
+- Rule updates.
+- New log parsers and mappers to support Akamai CPC and Contrast Security ADR.
+- New and updated log mappers for Azure Event Hub - Windows Defender logs, Cisco ISE, Microsoft Office 365, and Snowflake.
+- Modifications to existing parsers for Microsoft Azure JSON, Nginx Syslog, and Snowflake to support additional formats and events.
+
+Changes are enumerated below.
+
+### Rules
+- [Updated] MATCH-S00068 O365 - Users Password Changed
+    - Updated entity selectors to include both `user_username` and `targetUser_username`
+- [Updated] MATCH-S00069 O365 - Users Password Reset
+    - Updated entity selectors to include both `user_username` and `targetUser_username`
+
+### Log Mappers
+- [New] Akamai CPC
+- [New] Azure Event Hub - Windows Defender Audit events
+- [New] Azure Event Hub - Windows Defender Audit file events
+- [New] Azure Event Hub - Windows Defender Authentication events
+- [New] Azure Event Hub - Windows Defender Email events
+- [New] Azure Event Hub - Windows Defender Endpoint Process events
+- [New] Azure Event Hub - Windows Defender Network events
+- [New] Contrast Security ADR Default Mapping
+- [New] Snowflake Query History
+- [New] Snowflake Session
+- [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
+- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
+- [Updated] Cisco ISE Catch All
+- [Updated] Microsoft Office 365 Active Directory Authentication Events
+- [Updated] Snowflake Catch All
+- [Updated] Snowflake Login
+
+### Parsers
+- [New] /Parsers/System/Akamai/Akamai CPC
+- [New] /Parsers/System/Contrast Security/Contrast ADR
+- [Updated] /Parsers/System/Cisco/Cisco ISE
+- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
+- [Updated] /Parsers/System/Nginx/Nginx Syslog
+- [Updated] /Parsers/System/Microsoft/Office 365
+- [Updated] /Parsers/System/Snowflake/Snowflake
+- [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
+- [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

cid-redirects.json

@@ -440,7 +440,6 @@
   "/05Search/Get-Started-with-Search/Visualizations/Group-By-Operator": "/docs/search/search-query-language/search-operators",
   "/05Search/Live-Tail": "/docs/search/live-tail",
   "/05Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",
-  "/Search": "/docs/search",
   "/Search/Anomaly_Detection": "/docs/alerts/monitors/create-monitor",
   "/Search/Live-Tail": "/docs/search/live-tail/about-live-tail",
   "/Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",

docs/api/getting-started.md

@@ -87,7 +87,7 @@ Sumo Logic has several deployments that are assigned depending on the geographic
 
 Sumo Logic redirects your browser to the correct login URL and also redirects Collectors to the correct endpoint. However, if you're using an API you'll need to manually direct your API client to the correct Sumo Logic API URL.
 
-<table><small>
+<table>
   <tr>
    <td>Deployment</td>
    <td>Service Endpoint (login URL)</td>
@@ -183,7 +183,6 @@ https://endpoint9.collection.us2.sumologic.com/</td>
    <td>syslog.collection.us2.sumologic.com</td>
    <td>https://open-collectors.us2.sumologic.com</td>
   </tr>
-  </small>
   </table>
 
 ### Which endpoint should I should use?

docs/integrations/amazon-aws/aws-privatelink.md

@@ -37,7 +37,7 @@ With the NLB-created and ALB-registered as a target, requests over AWS PrivateL
 
 Sumo Logic exposes AWS PrivateLink endpoints to different [regions that depend on your Sumo Logic deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security). If you're using the VPC in a different region where the Sumo Logic PrivateLink endpoint service is set up, you need to set up VPC peering. Either way, you need to create an endpoint.
 
-<table><small>
+<table>
   <tr>
     <td><strong>Deployment</strong></td>
     <td><strong>Collection Endpoint</strong></td>
@@ -107,7 +107,7 @@ https://endpoint9.collection.us2.sumologic.com</td>
     <td>https://open-collectors.us2.sumologic.com</td>
     <td>us-west-2</td>
   </tr>
-</small></table>
+</table>
 
 
 ### Create an endpoint to connect with the Sumo Logic endpoint service

docs/integrations/amazon-aws/global-intelligence-cloudtrail-secops.md

@@ -51,7 +51,7 @@ This application relies on 45 Scheduled Searches that Save to two different Inde
 <details>
 <summary>View the list of Scheduled Searches (<strong>click to expand</strong>)</summary>
 
-<table><small>
+<table>
   <tr>
     <td><strong>Folder</strong></td>
     <td><strong>Scheduled Search Name (prefixed with gis_benchmarks)</strong></td>
@@ -282,7 +282,7 @@ This application relies on 45 Scheduled Searches that Save to two different Inde
     <td>S3_ListBuckets</td>
     <td>Counts S3 events related to listing buckets.</td>
   </tr>
-</small></table>
+</table>
 
 * To reduce false positives, the benchmarks and application filter out AWS CloudTrail events from legitimate cloud services including AWS itself and CloudHealth by VMware.
 * Security posture requirements may vary between AWS accounts for a given customer. For example, development accounts might have less strict controls than production accounts. The app supports filtering findings by AWS account ID to facilitate AWS account level posture assessment.

docs/integrations/app-development/jfrog-artifactory.md

@@ -114,7 +114,7 @@ In this step, you configure four local file sources, one for each log source lis
 
 The following suffixes are required. For example, you could use `_sourceCategory=<Foo>/artifactory/console`, but the suffix **artifactory/console** must be used.
 
-<table><small>
+<table>
   <tr>
    <td><strong>Log source</strong></td>
    <td><strong>File Path</strong></td>
@@ -139,7 +139,7 @@ The following suffixes are required. For example, you could use `_sourceCategory
    <td>Traffic</td>
    <td>$JFROG_HOME/&#60;product&#62;/var/log/artifactory-traffic.*.log</td>
    <td>artifactory/traffic</td>
-  </tr></small>
+  </tr>
 </table>
 
 :::note