diff --git a/cid-redirects.json b/cid-redirects.json
index 8c2974456a..819ad35b15 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -4072,6 +4072,8 @@
"/docs/cse/records-signals-entities-insights/cse-heads-up-display": "/docs/cse/get-started-with-cloud-siem/cse-heads-up-display",
"/docs/cse/records-signals-entities-insights/insight-generation-process": "/docs/cse/get-started-with-cloud-siem/insight-generation-process",
"/docs/cse/get-started-with-cloud-siem/introduction-to-cloud-siem": "/docs/cse/get-started-with-cloud-siem",
+ "/docs/cse/cloud-siem-content-catalog": "/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog",
+ "/docs/cse/introduction-to-cloud-sie": "/docs/cse/get-started-with-cloud-siem",
"/docs/integrations/sumo-apps/security-foundations": "/docs/integrations/sumo-apps/security-analytics",
"/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-amazon-kinesis": "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs",
"/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs/collect-with-collector-script": "/docs/send-data/collect-from-other-data-sources/amazon-cloudwatch-logs",
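Review bot: the new redirect key `"/docs/cse/introduction-to-cloud-sie"` looks like a typo for `/docs/cse/introduction-to-cloud-siem`; every link this patch rewrites had the form `/docs/cse/introduction-to-cloud-siem/#classic-ui`, so as written the entry never matches and external links to the old intro page will 404 instead of landing on `/docs/cse/get-started-with-cloud-siem`. Fix the key, and note that the `#classic-ui`/`#new-ui` fragments cannot be carried by a path redirect anyway, which is why the in-repo links below are rewritten rather than left to this entry. The `cloud-siem-content-catalog` entry does match the rename later in the patch.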
diff --git a/docs/cse/administration/create-a-custom-tag-schema.md b/docs/cse/administration/create-a-custom-tag-schema.md
index e08db23324..06605d8f66 100644
--- a/docs/cse/administration/create-a-custom-tag-schema.md
+++ b/docs/cse/administration/create-a-custom-tag-schema.md
@@ -21,7 +21,7 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
## Define a custom tag schema
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Tag Schemas**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Tag Schemas**. You can also click the **Go To...** menu at the top of the screen and select **Tag Schemas**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Tag Schemas**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Tag Schemas**. You can also click the **Go To...** menu at the top of the screen and select **Tag Schemas**.
1. On the **Tag Schemas** page, click **Create**.
1. The **Tag Schema** popup appears.
1. **Key**. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the **Label** field blank.
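Review bot: the replacement targets `/docs/get-started/sumo-logic-ui-classic` and `/docs/get-started/sumo-logic-ui` drop the `#classic-ui`/`#new-ui` fragments and point at the platform-wide UI pages rather than a Cloud SIEM page; confirm both pages exist and that the build's broken-link check covers them. Two style points that apply to every Classic UI/New UI hunk in this patch: the new paths have no trailing slash while the rest of the patch writes `/docs/get-started/sumo-logic-ui/` (see the **Switch Apps** bullet in the new `cloud-siem-ui.md`), and the same two-sentence link pair is hand-copied into nineteen places. The repo already has `docs/reuse/` partials (`cloud-siem-ui.md` imports one), so a shared snippet for the link pair would stop the drift already visible in `cloud-siem-automation-examples.md`, where some copies include the **Go To...** sentence and some do not.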
diff --git a/docs/cse/administration/create-cse-actions.md b/docs/cse/administration/create-cse-actions.md
index 042725ad76..2ff2e27091 100644
--- a/docs/cse/administration/create-cse-actions.md
+++ b/docs/cse/administration/create-cse-actions.md
@@ -72,7 +72,7 @@ The notification sent by a Rule Action contains the name of the rule and the re
## Create an Action
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Actions**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Actions**. You can also click the **Go To...** menu at the top of the screen and select **Actions**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Actions**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Actions**. You can also click the **Go To...** menu at the top of the screen and select **Actions**.
1. On the **Actions** page, click **Create**.
1. The **Create Action** popup appears.
1. **Name**. Enter a name that communicates what the Action does.
diff --git a/docs/cse/administration/create-cse-context-actions.md b/docs/cse/administration/create-cse-context-actions.md
index dd8e88b3c6..9b9aa78a29 100644
--- a/docs/cse/administration/create-cse-context-actions.md
+++ b/docs/cse/administration/create-cse-context-actions.md
@@ -57,7 +57,7 @@ import Iframe from 'react-iframe';
## Configure a Context Action
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Context Actions**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Context Actions**. You can also click the **Go To...** menu at the top of the screen and select **Context Actions**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Context Actions**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Context Actions**. You can also click the **Go To...** menu at the top of the screen and select **Context Actions**.
1. On the **Context Actions** page click **Create**.
1. Create the context action.
1. **Enter Context Action Name**. Enter a name for the Context Action.
diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md
index 862b248f7b..d326d155d0 100644
--- a/docs/cse/administration/create-custom-threat-intel-source.md
+++ b/docs/cse/administration/create-custom-threat-intel-source.md
@@ -41,7 +41,7 @@ Rule authors can also write rules that look for threat intelligence information
### Create a threat intelligence source from Cloud SIEM UI
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
1. Click **Add Source** on the **Threat Intelligence** page.
1. Click **Custom** on the **Add Source** popup.
1. On the **Add New Source** popup, enter a name, and if desired, a description for the source.
diff --git a/docs/cse/administration/create-use-network-blocks.md b/docs/cse/administration/create-use-network-blocks.md
index f73e929ebf..de2546dd82 100644
--- a/docs/cse/administration/create-use-network-blocks.md
+++ b/docs/cse/administration/create-use-network-blocks.md
@@ -65,7 +65,7 @@ When Cloud SIEM looks for the Network Block address `10.128.0.1`, it will ret
Follow these instructions to create a Network Block using the Cloud SIEM UI. For information about creating multiple Network Blocks by file upload, see [Upload a CSV file of Network Blocks](#upload-a-csv-file-of-network-blocks).
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Network Blocks**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Network Blocks**. You can also click the **Go To...** menu at the top of the screen and select **Network Blocks**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Network Blocks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Network Blocks**. You can also click the **Go To...** menu at the top of the screen and select **Network Blocks**.
1. On the **Create Network Block** popup:
1. **Address Block**. Enter a CIDR block that identifies a contiguous range of IP addresses.
1. **Label**. Enter a meaningful name for the Network Block.
diff --git a/docs/cse/administration/manage-custom-insight-resolutions.md b/docs/cse/administration/manage-custom-insight-resolutions.md
index d086313434..8be2a3d770 100644
--- a/docs/cse/administration/manage-custom-insight-resolutions.md
+++ b/docs/cse/administration/manage-custom-insight-resolutions.md
@@ -22,7 +22,7 @@ You can define custom *sub-resolutions* for any of the built-in resolutions. Thi
## Create a custom sub-resolution
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Resolutions**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Resolutions**. You can also click the **Go To...** menu at the top of the screen and select **Insight Resolutions**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Resolutions**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Resolutions**. You can also click the **Go To...** menu at the top of the screen and select **Insight Resolutions**.
1. On the **Insight Resolutions** page, click **Create**.
1. The **Create Insight Resolution** page appears.
1. **Name**. Enter a meaningful name for the new resolution.
diff --git a/docs/cse/administration/manage-custom-insight-statuses.md b/docs/cse/administration/manage-custom-insight-statuses.md
index 7eccd0b860..6f720ddb04 100644
--- a/docs/cse/administration/manage-custom-insight-statuses.md
+++ b/docs/cse/administration/manage-custom-insight-statuses.md
@@ -13,7 +13,7 @@ This page has information about creating and managing custom Insight statuses.
To view Insight statuses:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
1. This screenshot of the **Statuses** page shows the three Insight statuses that are preconfigured:
* **New**. Insights that have not been worked on yet.
* **In Progress**. Insights that are being investigated. If you want to create custom statuses to represent different types of "in progress" states, you can click the **Enabled** toggle to disable the default **In Progress** status to reduce confusion.
@@ -25,7 +25,7 @@ Preconfigured Insight statuses cannot be edited or deleted. You can however crea
To create a custom Insight status:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
1. On the **Statuses** page, click **Create Status**.
1. On the **New Status** popup, enter a name and description for the status.
1. Click **Color** to select a color for the status. The color will appear on the status on the [Heads Up Display](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display).
@@ -41,7 +41,7 @@ To change the order that the statuses appear in the **Status** dropdown, you can
To change the order of Insight statuses:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
1. On the **Statuses** page, each status that can be moved has a handle to the left of its name.
1. To move a status to a different location on the list, use your mouse to drag it to the desired location.
diff --git a/docs/cse/administration/mitre-coverage.md b/docs/cse/administration/mitre-coverage.md
index 705c56160c..ec868f5a7d 100644
--- a/docs/cse/administration/mitre-coverage.md
+++ b/docs/cse/administration/mitre-coverage.md
@@ -37,9 +37,9 @@ Watch this micro lesson to learn about the MITRE ATT&CK Threat Coverage Explorer
## User interface
-[**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). To open the MITRE ATT&CK Threat Coverage Explorer, in the top menu select **Content > MITRE ATT&CK Coverage**.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To open the MITRE ATT&CK Threat Coverage Explorer, in the top menu select **Content > MITRE ATT&CK Coverage**.
-[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). To open the MITRE ATT&CK Threat Coverage Explorer, in the main Sumo Logic menu select **Cloud SIEM > MITRE ATT&CK Coverage**. You can also click the **Go To...** menu at the top of the screen and select **MITRE ATT&CK Coverage**.
+[**New UI**](/docs/get-started/sumo-logic-ui). To open the MITRE ATT&CK Threat Coverage Explorer, in the main Sumo Logic menu select **Cloud SIEM > MITRE ATT&CK Coverage**. You can also click the **Go To...** menu at the top of the screen and select **MITRE ATT&CK Coverage**.
diff --git a/docs/cse/automation/about-automation-service-and-cloud-siem.md b/docs/cse/automation/about-automation-service-and-cloud-siem.md
index 57c619764a..0a55a55aeb 100644
--- a/docs/cse/automation/about-automation-service-and-cloud-siem.md
+++ b/docs/cse/automation/about-automation-service-and-cloud-siem.md
@@ -46,7 +46,7 @@ Before you can access the Automation Service from Cloud SIEM, you must first [co
:::
1. To access the Automation Service from Cloud SIEM:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
The list of available Cloud SIEM automations appears. Each automation runs a playbook.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
The list of available Cloud SIEM automations appears. Each automation runs a playbook.
1. At the top of the screen, click **Manage Playbooks**.
The Automation Service screen displays:
:::note
You can also launch the Automation Service by selecting **Automation** from the main menu:
If you also have Cloud SOAR installed, a **Cloud SOAR** option appears instead, since all automation services are provided by Cloud SOAR when it installed in conjunction with Cloud SIEM.
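Review bot: while touching this step, the unchanged note two lines below still reads "when it installed in conjunction with Cloud SIEM"; it should be "when it is installed in conjunction with Cloud SIEM". The preceding sentence "You can also launch the Automation Service by selecting **Automation** from the main menu:" ends in a colon with nothing following it in the hunk; if a screenshot follows, fine, otherwise close it with a period.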
diff --git a/docs/cse/automation/automations-in-cloud-siem.md b/docs/cse/automation/automations-in-cloud-siem.md
index 6019e1bed0..83c797c8d7 100644
--- a/docs/cse/automation/automations-in-cloud-siem.md
+++ b/docs/cse/automation/automations-in-cloud-siem.md
@@ -82,7 +82,7 @@ If you configured the automation to [run manually](#run-an-automation-manually),
## View automations
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
1. View the list of available automations. (If no automations display, you must first [create an automation](#create-an-automation)).
To view the automations that have run on Insights or Entities, see [View results of an automation](#view-results-of-an-automation).
@@ -91,7 +91,7 @@ To view the automations that have run on Insights or Entities, see [View results
The following procedure provides a brief introduction to how to create an automation. For detailed examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
1. At the top of the automations screen, click **Create**. (To modify an existing automation, click on the edit icon for the corresponding automation.)
1. In the **New Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation.
1. In **Expects attributes for** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM.
diff --git a/docs/cse/automation/cloud-siem-automation-examples.md b/docs/cse/automation/cloud-siem-automation-examples.md
index 4946f98a18..98790f86d5 100644
--- a/docs/cse/automation/cloud-siem-automation-examples.md
+++ b/docs/cse/automation/cloud-siem-automation-examples.md
@@ -62,7 +62,7 @@ The following example shows how to add an enrichment to an Insight using the “
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
1. At the top of the automations screen, click **New Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
@@ -134,7 +134,7 @@ The following example shows how to configure a notification that sends an email
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu of Cloud SIEM select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu of Cloud SIEM select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. At the top of the automations screen, click **New Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
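Review bot: the New UI line in this hunk omits "You can also click the **Go To...** menu at the top of the screen and select **Automation**.", which the otherwise identical step in the previous hunk of this file (the enrichment example) includes; the same omission is in the two hunks that follow. Pick one wording for the file so all five copies match.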
@@ -238,7 +238,7 @@ The action uses [IP Quality Score](https://www.ipqualityscore.com/) to gather IP
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. At the top of the automations screen, click **New Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
@@ -278,7 +278,7 @@ The following example pulls together elements of the [Simple example](#simple-ex
1. Enter the **API Key**. See the [VirusTotal documentation](https://support.virustotal.com/hc/en-us/articles/115002100149-API) to learn how to obtain the API key. If you do not already have a VirusTotal account, you need to create one to get an API key.
1. Click **Save**.
1. Edit the Sumo Logic resource:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. From the Automation screen, click **Manage Playbooks**. This opens the [Automation Service UI](/docs/platform-services/automation-service/about-automation-service/#automation-service-ui).
1. Click **Integrations** in the navigation menu.
1. Select **Sumo Logic**.
@@ -361,7 +361,7 @@ The following example pulls together elements of the [Simple example](#simple-ex
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
1. For **Executes when**, select **Manually Done**.
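Review bot: this example's step list jumps from the Classic UI/New UI navigation straight to "For **Playbook**, select the playbook you created in the previous steps.", skipping the "At the top of the automations screen, click **New Automation**." step that the other three examples in this file place between those two steps. Add it here; without it the reader has no dialog in which to pick the playbook.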
diff --git a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
index 25333eecb7..fa36135763 100644
--- a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
+++ b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
@@ -11,9 +11,9 @@ This topic describes the Cloud SIEM UI for working with Insights.
## Insights list page
-[**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). To open the Insights page, click **Insights** at the top of the screen.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To open the Insights page, click **Insights** at the top of the screen.
-[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). To open the Insights page, in the main Sumo Logic menu select **Cloud SIEM > Insights**. You can also click **Go To...** at the top of the screen and select **Insights**.
+[**New UI**](/docs/get-started/sumo-logic-ui). To open the Insights page, in the main Sumo Logic menu select **Cloud SIEM > Insights**. You can also click **Go To...** at the top of the screen and select **Insights**.
By default, the **Insights** page presents all Insights whose status is not “Closed”, in descending order by event time in a list view. If you’d like to see Insights organized by their status, click the **Show Board** icon near the top right corner of the page. For information about the board view, see [Board view](#board-view).
diff --git a/docs/cse/cloud-siem-content-catalog.md b/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
similarity index 100%
rename from docs/cse/cloud-siem-content-catalog.md
rename to docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
diff --git a/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md b/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
new file mode 100644
index 0000000000..c04e7a9330
--- /dev/null
+++ b/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
@@ -0,0 +1,180 @@
+---
+id: cloud-siem-ui
+title: Cloud SIEM User Interface
+sidebar_label: User Interface
+description: Learn about the Cloud SIEM user interface.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import Theme from '../../reuse/dark-light-theme.md';
+
+## Access Cloud SIEM
+
+To access Cloud SIEM, in the main Sumo Logic menu select **Cloud SIEM**.
+
+Cloud SIEM must be enabled by Sumo Logic before it is accessible to users in your organization. For more information, see [Onboarding Checklist for Cloud SIEM Administrators](/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/).
+
+## Theme
+
+
+
+Use the top menu to access:
+*
[**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+*
[**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
+*
[**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+*
[**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+*
[**Content**](#content-menu). Create Cloud SIEM content, such as rules.
+*
[**Configuration**](#configuration-menu). Configure Cloud SIEM.
+*
**Help**. Access feature guides, documentation, release notes, and system status.
+*
**Switch Apps**. Access the Sumo Logic [Log Analytics Platform](/docs/get-started/sumo-logic-ui/) or [Cloud SOAR](/docs/cloud-soar/) (if enabled in your organization).
+*
**Profile**. View your Cloud SIEM username and time zone.
+
+#### Content menu
+
+The **Content** menu allows you to create elements to customize Cloud SIEM. To access the menu, click **Content** on the [top menu](#top-menu).
+
+Use the **Content** menu to access:
+* [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
+* [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
+* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
+* [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
+* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
+* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
+* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
+
+#### Configuration menu
+
+The **Configuration** menu allows you to configure Cloud SIEM. To access this menu, click
on the [top menu](#top-menu).
+
+Use the **Configuration** menu to access:
+* **Incoming Data**
+ * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+* **Entities**
+ * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules.
+ * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
+ * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
+ * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+* **Workflow**
+ * [**Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
+ * [**Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
+ * [**Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
+ * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
+* **Integrations**
+ * [**Sumo Logic**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Configure mapping of message fields to Record attributes.
+ * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
+ * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
+ * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
+ * [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
+
+### New UI
+
+The new UI provides a streamlined way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic UI](/docs/get-started/sumo-logic-ui).
+
+#### Sidebar menu
+
+Click **Cloud SIEM** in the main Sumo Logic menu to open the sidebar menu.
+
+Use the **Cloud SIEM** sidebar menu to access:
+* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
+* **Security Events**
+ * [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
+ * [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+ * [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
+ * [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+ * [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+* **Security Detection**
+ * [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
+ * [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
+ * [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
+ * [**Match List**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
+ * [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
+ * [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+ * [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules
+ * [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+ * [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
+
+#### Top menu
+
+This menu appears at the top of the screen:
+
+Use the top menu to access:
+*
**Go To...** Launch Sumo Logic features, including for Cloud SIEM.
+*
**Help**. Access links to documentation, support, community, release notes, and system status.
+*
[**Configuration**](#configuration-menu-1). Configure Sumo Logic features, including for Cloud SIEM.
+*
**Administration**. Access Sumo Logic administration settings, such as for for [account](/docs/manage/), [users and roles](/docs/manage/users-roles/), and [account security](/docs/manage/security/).
+*
**Profile**. View your notification and [preference](/docs/get-started/account-settings-preferences/) settings.
+
+#### Go To... menu
+
+The **Go To...** menu allows you to launch Sumo Logic features, including for Cloud SIEM. To access this menu, click
on the [top menu](#top-menu-1).
+
+Use the **Go To...** menu to access these Cloud SIEM features:
+* [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
+* [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
+* [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+* [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
+* [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
+* [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
+* [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
+* [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
+* [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
+* [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
+* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+* [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+* [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
+* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
+* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
+* [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
+* [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+* [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
+* [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
+* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
+* [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
+* [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
+* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+* [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
+* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
+
+#### Configuration menu
+
+The **Configuration** menu allows you to configure Sumo Logic features, including for Cloud SIEM. To access this menu, click the configuration icon
on the [top menu](#top-menu-1). Scroll down the menu to see Cloud SIEM configuration options.
+
+Use the **Configuration** menu to access:
+
+* **Cloud SIEM Integrations**
+ * [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
+ * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+ * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
+ * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
+ * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
+ * [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
+* **Cloud SIEM Entities**
+ * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules.
+ * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
+ * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
+ * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+* **Cloud SIEM Workflow**
+ * [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
+ * [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
+ * [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
+ * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
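Review bot: the Classic UI Configuration menu paragraph is missing what to click: `To access this menu, click` / `on the [top menu](#top-menu).` has nothing between "click" and "on", while the New UI version further down reads "click the configuration icon on the top menu"; name the icon here as well (or, if an image was meant to sit there, give it alt text so the sentence still reads correctly without it). Two smaller fixes in the same hunk: the Administration bullet under the New UI top menu has a doubled word, `such as for for [account]`, and the Network Blocks bullet under Security Detection is the only item without a trailing period (`groups of IP addresses that you can use in rules`). Also confirm that the sidebar label really is the singular `Match List`, since every other occurrence on the page uses `Match Lists`. The Content menu list is repeated verbatim under the New UI sidebar menu and again in the Go To... list; if those are meant to stay in sync, a shared snippet would save maintaining three copies.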
diff --git a/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md b/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
index c8fdcf505d..30d1706c8b 100644
--- a/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
+++ b/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
@@ -1,6 +1,7 @@
---
id: cse-heads-up-display
title: Cloud SIEM Heads Up Display
+sidebar_label: Heads Up Display
description: Learn about Cloud SIEM's Heads Up Display (HUD), a UI that provides an at-a-glance overview of Insight status and activity.
---
@@ -8,9 +9,9 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
This topic describes Cloud SIEM *Heads Up Display (HUD)*, the landing page for the Cloud SIEM UI. The HUD provides an at-a-glance overview of Insight status and activity.
-[**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM**.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM**.
-[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM > SIEM Overview**. You can also click **Go To...** at the top of the screen and select **SIEM Overview**.
+[**New UI**](/docs/get-started/sumo-logic-ui). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM > SIEM Overview**. You can also click **Go To...** at the top of the screen and select **SIEM Overview**.
:::note
Data on the HUD is generated by internal searches that may result in slightly different results than a [log search query](/docs/search/) for the same time period, because of the way each method calculates time periods. But these differences cancel out over time. So while there may be a small variance between numbers of Records, Signals, and Insights in a given time frame, the effect is only noticeable when viewing very small time slices, for example, under 30 minutes. If you need to get exact tracking for reporting or other use cases, use dashboards in apps like the [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/) app.
diff --git a/docs/cse/get-started-with-cloud-siem/index.md b/docs/cse/get-started-with-cloud-siem/index.md
index f458a47099..6e4ba3c5fc 100644
--- a/docs/cse/get-started-with-cloud-siem/index.md
+++ b/docs/cse/get-started-with-cloud-siem/index.md
@@ -6,9 +6,26 @@ description: Learn how to get started using Cloud SIEM for threat hunting.
import useBaseUrl from '@docusaurus/useBaseUrl';
-This guide helps you get started using Cloud SIEM for threat hunting.
+The following articles help you get started using Cloud SIEM.
Learn about the Cloud SIEM user interface.
+Learn basic concepts about Cloud SIEM for security analysts.
+Learn basic concepts about Cloud SIEM for administrators.
+Get up and running quickly with Cloud SIEM administrator tasks.
See the out-of-the-box Rules, Schema, Mappings, and Parsers for Cloud SIEM.
+
+
+* A. **Count**. A count of the records created from incoming messages, and the signals and insights that have been generated.
+* B. **Insights by Status**. An overview of recent insights and their statuses: New, In Progress, Closed, or Other.
+* C. **Radar**. Visualizes the last 24 hours of security activity. Dark blue lines represent records, light blue bars represent signals, and red triangles represent insights.
+* D. **Recent Activity**. Displays a feed of the latest insights that have been generated.
+
+Sumo Logic collects and ingests millions of your company's log messages. However, you may choose to send only a portion of these to Cloud SIEM. Cloud SIEM takes these messages and parses, maps, and enriches them into records. These records are compared to rules and, if there's a match, entities are extracted from them and Cloud SIEM uses that information to create signals. These signals and entities are correlated, and used in security detection use cases. Then, if a certain severity threshold is crossed, they become an insight. Some of these insights have actions available right in the Cloud SIEM platform, like alerting your SOC teammates.
+
+
+
+As a Cloud SIEM administrator, it's your job to make sure that this pipeline flows smoothly. In this section, you'll learn how to partition your data in Sumo Logic, forward it to Cloud SIEM, customize the schema mappings, and tune the SOC content to support the analysts on your SOC team. All these customizations and optimizations will help reduce false positives and enable your SOC analyst teammates to investigate and hunt threats faster.
+
+### Ingest the right data
+
+The first part of the security data pipeline is collection and ingestion in Sumo Logic.
+
+
+
+These messages are then forwarded to Cloud SIEM. It's a good idea to periodically examine the data you're ingesting and sending to Cloud SIEM. Ask yourself these questions:
+
+* **Are you ingesting enough data?** Cloud SIEM takes thousands or millions of records and boils them down into just a handful of insights. Most organizations ingest more than 50GB of data every day to start finding any insights. If your ingest volume is smaller than this, consider sending more data to Cloud SIEM or using other security solutions like the [Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/).
+* **Are you ingesting too much data?** More data doesn't always mean more insights. The threat detection logic built into Cloud SIEM generally prevents false positives. However, some organizations choose to ingest or store less data as a way to cut costs. One solution is partitioning your data into different tiers, and only sending some of that data along to Cloud SIEM.
+* **Are you ingesting the right data?** Cloud SIEM doesn't just work on quantity alone. Quality data will affect your performance as well. As a best practice, you'll need to bring in quality data sources that are supported by Cloud SIEM. High-value data sources include [CloudTrail logs](/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/), [Windows event logs](/docs/send-data/installed-collectors/sources/collect-forwarded-events-windows-event-collector/), [AWS logs](/docs/integrations/amazon-aws/), and [GuardDuty logs](/docs/integrations/amazon-aws/guardduty/). You should also consider whether your data is structured, like key-value pairs, or unstructured, like plain text files. Most data ingested into Sumo Logic is semi-structured, like JSON logs.
+
+Once you've answered these questions, you can assess what is and isn't working for you and your SOC team. You can then partition your data in Sumo Logic and forward some or all of it to Cloud SIEM.
+
+#### Extra resources
+
+* All data must be ingested into Sumo Logic before it can be forwarded to Cloud SIEM. See [Cloud SIEM Ingestion](/docs/cse/ingestion/) to learn more details about data ingestion, setting up collectors, partitioning your data, and designing good metadata.
+* If you only want to forward some, but not all of your data to Cloud SIEM you can use data tiers and partitions. For more information, see [Partitions](/docs/manage/partitions/).
+
+### Which UI should I use?
+
+As a Cloud SIEM admin, you'll use both the Sumo Logic UI and the Cloud SIEM UI. Even if you're primarily focused on Cloud SIEM, you need to be comfortable using both interfaces.
+
+| Sumo Logic UI | Cloud SIEM UI |
+| :-- | :-- |
+|
+
+As an admin, there are several steps you must complete to forward data to Cloud SIEM.
+1. First, you request backend configuration. This is a one-time setup for each Sumo Logic organization. Often, your Sumo account rep will complete this process for you.
+1. Next, you enable data forwarding. You can do this by adding the `_siemForward = True` field when you set up a collector. For cloud data sources, you can also toggle the **Forward to SIEM** checkbox. You'll need to enable data forwarding each time you add a new data source into Sumo Logic, update your partitions, or make other changes to your data ingestion process.
+
+ Cloud SIEM will not ingest historic data. In other words, any new data ingested into Sumo Logic will be forwarded to Cloud SIEM as soon as you enable data forwarding. However, older data will not be processed by Cloud SIEM. Data will start flowing from Sumo Logic into Cloud SIEM within a few minutes of enabling data forwarding. You can expect signals and insights to start generating within a few hours.
+1. Finally, you'll configure the log and ingest mappings. This process is usually automatic, but must be completed for certain types of custom data sources.
+
+If you do need to configure log and ingest mappings, there are certain details you need to know about your data:
+* Is your data structured or unstructured?
+* Does your data have a syslog header?
+* Is your data CEF, LEEF, JSON, XML, or some other common data type?
+* Have field extraction rules been applied to your messages in Sumo Logic?
+* What product and vendor do your messages come from? For example, are they Windows Event Logs, Palo Alto Firewall logs, or AWS GuardDuty logs?
+
+Once you know these details of your data, you can consult the Sumo Logic documentation for specific help for configuring your data pipeline.
+
+Later in this introduction, we'll be ingesting and processing simple, structured JSON log messages to demonstrate this configuration process.
+
+#### Extra resources
+
+* There are many different data sources and data types you may be ingesting into Sumo Logic. You can read the details about forwarding data from various vendors and products to Cloud SIEM in [Cloud SIEM Ingestion](/docs/cse/ingestion/).
+* For the best signals and insights with the fewest false positives in Cloud SIEM, you need to ingest high-quality data. You can ensure your data is high quality by making sure your data and metadata are clean and organized from the moment you first ingest them into Sumo Logic. One way to do this is by writing good field extraction rules. See [Create a Field Extraction Rule](/docs/manage/field-extractions/create-field-extraction-rule/).
+
+### Enable data forwarding for an HTTP source
+
+In this section, we'll show you how to create a new source using a pre-configured collector and enable data forwarding to Cloud SIEM by selecting the **Forward to SIEM** checkbox. Once the new source is configured with data forwarding, you'll be able to send data to it and observe the data flow.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
+
+Now that you have a source set up to send data Sumo Logic into Cloud SIEM, let's follow a simple log message down that data pipeline.
+
+```
+sso : ip-192-0-2-0 : alex@travellogic.com : "Successful Login" : “2024-05-25T22:11:42"
+```
+
+First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of ip-127-0-0-1, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `192.0.2.0`, with the hyphens normalized to dots. Then, this information is mapped onto the [Cloud SIEM schema](/docs/cse/schema/). Finally, the record is enriched with information from match lists or threat intelligence databases.
+
+These normalized records are then sent down the Cloud SIEM pipeline and compared to rules. When Cloud SIEM extracts an entity from a record to create a signal, it uses the parsed and mapped key-value pairs to categorize each signal. When signals with the same entity cluster together, an insight is created. Therefore, it's important for the records to have quality metadata from the start to produce the best insights.
+
+You can make sure these records are parsed, mapped, and enriched properly by maintaining good metadata design and setting up good log and ingest mappings, which we'll practice in the next sections.
+
+### Set up an ingest mapping
+
+In [Send a log message to Cloud SIEM](#send-a-log-message-to-cloud-siem), we sent a log message to Cloud SIEM, and received a "failed record" error. In this section and the next one, we'll create ingest and log mappings to ensure the custom JSON data from the log messages we send are used properly by Cloud SIEM.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**.
+
+You've already learned how to set up log and ingest mappings to ensure rules accurately match and track these entities. Now that you have a properly parsed a record in Cloud SIEM, it will be compared to rules and potentially generate signals and insights.
+
+
+You've already learned how to set up log and ingest mappings to ensure rules accurately match and track these entities. Now that you have a properly parsed record in Cloud SIEM, it will be compared to rules and potentially generate signals and insights.
+
+Although you don't have to write rules from scratch, you can. In fact, there are several customizations you can do through Cloud SIEM.
+* [Rule tuning expressions](/docs/cse/rules/rule-tuning-expressions/) are simple ways to add small exceptions and other clauses to existing rules.
+* [Rules](/docs/cse/rules/about-cse-rules/) let you write logic that's unique to your system, to cover threats or data sources that aren't covered by built-in rules.
+* [Custom insights](/docs/cse/records-signals-entities-insights/configure-custom-insight/) let you get alerts based on just one rule or a chain of rules.
+* [Match lists](/docs/cse/match-lists-suppressed-lists/create-match-list/) can help create groups of entities, such as domains or IP addresses, that can be used when creating other custom content.
+
+Through [role-based access controls](/docs/manage/users-roles/roles/role-based-access-control/), you can allow analysts to customize content as well. However, as a best practice, you should limit who in your organization has the permission to edit and delete rules and other content, since they can impact the number of insights that are generated.
+
+### Custom rules
+
+You don't have to write rules from scratch. The Sumo Logic content team creates and maintains hundreds of out-of-the-box rules, to get you started. You can find documentation on all the out-of-the-box rules in the [Cloud SIEM Content Catalog](/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog/). These rules are updated frequently, often every few days. You can check out the most recent updates in the [release notes](/release-notes-cse/).
+
+However, if you have a specific threat you're concerned about or a unique data source that isn't covered, you can write a custom rule. See [Rule types](/docs/cse/rules/about-cse-rules#rule-types) for the types of rules you can create:
+* **Match rules** take a simple boolean statement, check if it's true or false. If it's true, then an entity is extracted and a signal is created.
+* **Threshold rules** are triggered when a match is found a certain number of times. So, for example, if one failed login attempt is acceptable, but 5 isn't, then a threshold rule would fire after the fifth failed login attempt.
+* **Chain rules** fire when certain events happen in a certain time window. So, for example, if you want to look for 5 failed login attempts followed by one successful log in within one hour, you'd use a chain rule.
+* **Aggregation rules** are triggered when up to six different events accumulate over time. For example, if you want a rule that looks for a large number of event types from a single device IP, you'd use aggregation rules.
+* **First Seen rules** are triggered when behavior by an entity (such as a user) is encountered for the first time. For instance, it fires the first time a user logged in from a new geographic location.
+* **Outlier rules** are triggered when behavior by an entity is encountered that deviates from "normal" baseline activity. For instance, it fires when a user has an abnormal volume of downloaded data, or has a number of failed logins.
+
+As a Cloud SIEM admin, you'll be able to create all these rules. Work with the SOC analysts on your team to write rules that help them investigate threats and reduce response time.
+
+Before you create custom rules from scratch, there are some best practices you'll want to follow.
+* **Check existing rules**. Sumo Logic already has hundreds of [built-in rules](/docs/cse/rules/cse-built-in-rules/), so you might not need to write a new one. Or, you may only need to make small changes to existing rules, like adding a rule tuning expression or adjusting a severity score.
+* **Know your system**. You'll need to understand the [schema](/docs/cse/schema/) and [log mappings](/docs/cse/schema/create-structured-log-mapping/) of all the records ingested into Cloud SIEM to write effective rules. As an administrator, it's your responsibility to know this inside and out.
+* **Know your risk appetite**. In addition to your system's details about log mappings and other metadata, you need to understand your company's risk appetite and risk tolerance. For example, some companies might want to monitor a large amount of outbound traffic, but not consider this a threat. So, they'd assign this rule a severity of zero. However, other companies might be alarmed by outbound traffic and consider it data exfiltration, assigning the same rule a severity of five.
+* **Know the rule types**. You also need to understand all [the types of rules](/docs/cse/rules/about-cse-rules/#rule-types). If your use case requires a chain rule, but you try writing a threshold rule, the rule might not be as efficient or effective.
+* **Make small changes**. As a best practice, when you do write a new rule or edit an existing one, make small changes. For example, instead of decreasing a severity score from 8 to 2, try decreasing it from 8 to 7 and monitoring the change for a while.
+* **Save as a prototype**. Another best practice is to [save all new rules as a prototype](/docs/cse/rules/write-match-rule#save-as-prototype). This allows you to monitor the rule's behavior, without creating new insights and alerts.
+
+### Write a threshold rule
+
+In this section, we'll write a rule that looks for three unique Windows event IDs related to failed logins within an hour.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
+
+### Automations and integrations
+
+Cloud SIEM comes with hundreds of pre-built playbooks, integrations, and use cases as part of [App Central](/docs/platform-services/automation-service/app-central/).
+
+As a Cloud SIEM administrator, you can explore App Central and install any integrations your team requests. You can also create custom integrations using APIs from the **Integrations** page. These integrations will connect Cloud SIEM to other tools like CrowdStrike, ServiceNow, or Jira. Once all your tools are integrated, Cloud SIEM can be a single, central location for orchestrating your security response.
+
+### Install a new integration
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation** and then and click **App Central** in the left navigation bar.
+
+* A. **Condition**. Conditions, represented by a purple diamond, allow your playbook to branch in different directions based on an if-then statement.
+* B. **Enrichment**. Green nodes are enrichments. These might add additional information from a threat intel database or convert data from one type to another.
+* C. **Notification**. Blue nodes are notification actions, such as a Slack or email alert.
+
+Action nodes use integrations. These integrations broadly fall into several types:
+* **Enrichment**. Add information, metadata, or context, such as from a threat intelligence database.
+* **Containment**. Reduces further damage by isolating files or machines related to a threat.
+* **Notification**. Alerts sent via email, Slack, PagerDuty, or most other services you can connect with an API.
+* **Custom**. Scripts and any other automations you can create using YAML, Perl, Python, PowerShell, or Bash.
+* **Daemons**. Background processes that can ingest data.
+
+Custom actions can also include trigger actions, which run based on an event type until certain criteria are met. For example, if malware is detected, a trigger action could run an anti-malware cleanup software until no malware is detected. Similarly, you can create scheduled actions that run at certain intervals. For example, you could create a scheduled action that checks for malicious IP addresses every 5 minutes until no more malicious IP addresses are found.
+
+#### Best practices
+
+Before you begin creating or customizing a playbook, decide what you'd like to automate. Think about what conditions you want met, and what actions or integrations you want to accomplish based on different flows. Once you have a design in mind for the flow of your playbook, you can create or customize a new one. Search App Central to see if the automations you want already exist, or if you can modify a playbook that's similar to what you have in mind.
+
+### Create a custom playbook
+
+In this section, we'll create a simple playbook from scratch. This playbook will send an email with insight details.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu of Cloud SIEM select **Configuration**, and then under **Integrations** select **Automation**.
+
+* A. **Count**. A count of the records created from incoming messages, and the signals and insights that have been generated.
+* B. **Insights by Status**. An overview of recent insights and their statuses: New, In Progress, Closed, or Other.
+* C. **Radar**. Visualizes the last 24 hours of security activity. Dark blue lines represent records, light blue bars represent signals, and red triangles represent insights.
+* D. **Recent Activity**. Displays a feed of the latest insights that have been generated.
+
+Cloud SIEM is a purchased add-on with an ever-expanding library of content designed for security operations. Cloud SIEM automatically normalizes, enriches, and correlates all your data across multiple data sources into actionable security insights. Because it's designed for larger data volumes, most organizations need to ingest a large amount of data each day for insights to surface in Cloud SIEM. For smaller organizations, [additional security features](/docs/security/additional-security-features/) may be a better fit for your data ingest volume.
+
+### Getting your data into Cloud SIEM
+
+If you already use Sumo Logic, you're probably familiar with the data pipeline:
+
+
+
+1. **Data collection**. To use Sumo Logic, first you must set up either an installed collector or a hosted collector and add a source. You can also set up source categories and other metadata, which helps you search and analyze the data you collect.
+2. **Search and analyze**. Once data is in Sumo Logic, you can write queries to search and correlate events in real-time from the analytics platform UI. Or, you might configure the collector to forward data to Cloud SIEM, and let it do all the correlation work for you.
+3. **Visualize and monitor**. Once you've found and analyzed data that's interesting, you can create dashboards to visualize it and set up alerts to monitor your data in real-time.
+4. **Share the findings**. Export your dashboards or share with others on your team. You can control who can view and edit your dashboards to keep your data secure.
+
+Throughout this section, you'll learn more about the security data pipeline. Then, you'll be better prepared to discuss these things with your admin, or to set them up yourself if you need to.
+
+#### Data collection
+
+Before you can start investigating threats, you need data. As a data analyst, this step may have been done by your administrator.
+
+Your company collects and ingests millions of log messages into Sumo Logic. Typically, you can use these messages right away in many Sumo Logic apps. To use them in Cloud SIEM, however, your admin must enable data forwarding. Your admin may also need to create log mappings, field extraction rules, or complete other preprocessing steps to extract the right data.
+
+
+
+As a data analyst, you should periodically examine the data that's being ingested into Sumo Logic and Cloud SIEM. After you've been using Cloud SIEM for a while, you may want to fine-tune it to fit your organization's needs. If you discover that you're ingesting too much or too little data to do threat hunting, you can work with your admin to find that balance.
+
+So, what's the balance between too much and too little data? It depends. Work with your admin to answer these questions:
+
+* **Are you ingesting enough data?** Cloud SIEM takes thousands or millions of records and boils them down into just a handful of insights. Most organizations ingest more than 50GB of data every day to start finding any insights. If your ingest volume is smaller than this, consider sending more data to Cloud SIEM.
+* **Are you ingesting too much data?** More data doesn't always mean more insights. The threat detection logic built into Cloud SIEM generally prevents false positives. However, some organizations choose to ingest or store less data as a way to cut costs. One solution is partitioning your data into different tiers, and only sending some of that data along to Cloud SIEM.
+* **Are you ingesting the right data?** Cloud SIEM doesn't just work on quantity alone. Quality data will affect your performance as well. As a best practice, you'll need to bring in quality data sources that are supported by Cloud SIEM. High-value data sources include [CloudTrail logs](/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/), [Windows event logs](/docs/send-data/installed-collectors/sources/collect-forwarded-events-windows-event-collector/), [AWS logs](/docs/integrations/amazon-aws/), and [GuardDuty logs](/docs/integrations/amazon-aws/guardduty/).
+
+### Processing your data for Cloud SIEM
+
+Before Cloud SIEM can generate security insights, your log messages must go through a little processing first. First, Cloud SIEM processes the messages into records. Each record contains the information from a message, which is parsed into key-value pairs, mapped to a Cloud SIEM schema, and enriched with other data.
+
+
+
+Let's follow a simple log message down this pipeline:
+```
+sso : ip-192-0-2-0 : alex@travellogic.com :
+"Successful Login" : "2024-05-25T22:11:42"
+```
+
+First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of `ip-192-0-2-0`, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `192.0.2.0`, with the hyphens normalized to dots. Then, this information is mapped onto the Cloud SIEM schema. Finally, the record is enriched with information from match lists or threat intelligence databases, such as its [CrowdStrike threat level](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). These normalized records are then sent down the Cloud SIEM pipeline and compared to rules.
+
+### Extracting security insights from Cloud SIEM
+
+Each record ingested into Cloud SIEM is compared to hundreds of built-in and custom [rules](/docs/cse/rules/about-cse-rules/). If a record matches the criteria specified in a rule, then Cloud SIEM creates a signal. When a signal is created, it contains a name, entity, severity, stage, and description. A signal always contains, at minimum, an entity and a severity. This data is later used by Cloud SIEM's insight engine algorithm.
+
+A [signal](/docs/cse/records-signals-entities-insights/view-records-signal/) is an individual security event. The entity in a signal is something like an IP address, MAC address, or hostname. The entity tells us who or what was involved in the event that the record described. The stage or tags are assigned based on where the event fits in the [MITRE ATT&CK](https://attack.mitre.org/) framework. This can tell us a bit about how or why the event occurred. The severity is a number between 0 and 10 that tells Cloud SIEM how serious the potential threat is.
+
+Let's look at the details of one signal:
+
+
+
+* A. **Description**. Every signal's details page includes a description, detailed metadata, and other information to help your threat investigation.
+* B. **Event Time**. The event time tells you when the event occurred.
+* C. **Severity**. A signal's severity score is a number between 0 and 10. This score is used to track the entity's activity score.
+* D. **Rule**. Signals are created when the conditions of a rule are met. You can click on the rule from the signal's details page to learn more.
+* E. **Tags**. Tags or stages use the MITRE ATT&CK framework to point you toward how or why an event occurred.
+* F. **Entity**. The entity can be any unique identifier like an IP address. In this case, it's a username.
+
+Cloud SIEM typically processes thousands or millions of records and boils them down into hundreds of signals.
+
+
+
+On the Cloud SIEM main page, you'll see a panel similar to this one. In this case, 52 thousand records have been ingested and processed into 4 thousand signals. Some signals could be false alarms, but many could be worth investigating anyway. But, 4 thousand is still way too many for the average SOC analyst to sift through every day. So, how do you know which signals to pay attention to first?
+
+Cloud SIEM takes everything one step further and correlates those signals into a manageable number of insights. Here, just 1 insight was created out of 4 thousand signals.
+
+An [insight](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) is a group of signals clustered around a single entity. An insight is created when the sum of the severity scores of signals with the same entity goes above a certain activity score within a certain timeframe. By default, this is an activity score of 12 within the last 14 days. For example, if a rule was triggered with a severity of 5, and then ten days later another rule with the same entity and a severity of 5 was triggered, the total activity score would only be 10 in the last 14 days, so an insight would not be created. However, if those same two rules each had a severity score of 7, an insight would be created.
+
+### Explore the Cloud SIEM UI
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu select **Cloud SIEM**.
+1. In the center of the Cloud SIEM HUD is the insight radar. Hover over each piece of the radar to answer these questions:
+ * What time were the most records ingested in the last 24 hours? When were the fewest records ingested? Hint: Hover over the blue line to find out how many records were ingested at each time increment.
+ * What time were the most signals created in the last 24 hours? When were the fewest signals created? Hint: Hover over each bar to find out how many signals were generated at each time increment.
+ * How many insights have been generated in the last 24 hours? Hint: Each triangle represents one or more insights, so hover over each to find the number of insights each represents.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Entities** at the top of the screen.
+
+Your answer to all these questions may vary. Make sure you feel confident navigating the Cloud SIEM UI to find all this information.
+
+:::tip
+* Filters persist each time you search. This is great if you want to drill down into subsets of data.
+* Depending on your monitor size and the zoom settings of your browser, you may see two panes instead of three on the Cloud SIEM HUD. Try resizing your browser and adjusting your zoom settings to suit your needs.
+* Depending on your monitor size and the zoom settings of your browser, you may only see the icons, and not the words, in the top navigation bar. Try resizing your browser and adjusting your zoom settings to suit your needs.
+:::
+
+## Introduction to threat investigation
+
+### Different threats but one platform
+
+In this section, we'll help three fictional companies investigate their threats. Each company has their own unique security and compliance concerns.
+* Company 1 is a small retail business with a big tech idea: automate the entire coffee business from bean to cup. In addition to consumer protections like PCI DSS, their main concerns include keeping compute costs down while their startup grows.
+* Company 2 is a healthcare company that ships prescription meds to patients. While they meet all HIPAA standards and guidelines, they're still concerned about data privacy. They want to monitor all their data to make sure their patients are safe and healthy in the digital world, too.
+* Company 3 is a major player in the banking industry. They meet all the GDPR and other international compliance standards but worry their big investors are still targets for hackers.
+
+Sumo Logic can help all of these companies meet their different security and compliance goals. Moreover, Cloud SIEM can help them identify potential threats before they become a problem.
+
+Think about it: What security and compliance issues are you most concerned about in your company today? How has that changed over the years? How were security concerns different at other companies you've worked for in the past?
+
+### Using the MITRE ATT&CK matrix
+
+The [MITRE ATT&CK matrix](https://attack.mitre.org/matrices/enterprise/) is published by MITRE, a non-profit research organization. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
+
+The framework organizes and categorizes the tactics and techniques that hactivists, cyber criminals, nation states, scripters, and other adversaries use. This includes attacks like exfiltrating databases, installing malware, stealing credentials, and all the other nefarious activities you and your SOC team are trying to stop.
+
+Cloud SIEM uses these same tactic names for the stages of signals and the names of insights. Once you're familiar with ATT&CK, navigating Cloud SIEM's insights page becomes easier.
+
+Let's return to our fictional companies, and which MITRE ATT&CK tactics and techniques they might prioritize:
+
+* Company 1 monitors their infrastructure to make sure their apps are as efficient as possible. Execution is a particular concern, since many executable files use precious compute resources.
+* Company 2 is concerned about their patients' privacy and compliance with standards like HIPAA. Exfiltration of private data is a major concern.
+* Company 3 needs to keep their client's data secure. Credential access is a concern, since all customers have user credentials tied to their financial accounts.
+
+If you read the news, or are familiar with other cybersecurity frameworks like the Pyramid of Pain, you know there are many kinds of threats out there. It's easy to become overwhelmed. However, Cloud SIEM helps organize all the potential threats in your system into one manageable dashboard, leveraging the knowledge found in the MITRE ATT&CK matrix along with the insights algorithm.
+
+### Get started with threat investigation
+
+Threat investigation is reactive while threat hunting is proactive. Typically, threat investigation happens in response to an alert. Once you've investigated a threat, you can hunt for similar threats and take precautionary steps to prevent attacks from happening again.
+
+Threat investigation is an iterative process, much like troubleshooting. In both threat investigation and troubleshooting, you first monitor your systems. Once an anomaly is detected, you can make a hypothesis about how it happened and diagnose the problem. As you dig deeper, you may revise this initial hypothesis and find more clues about why or how the attack or error happened. You can then take action to resolve the issue.
+
+
+
+Cloud SIEM acts as your first line of defense, monitoring your system. Cloud SIEM's threat intelligence and correlation algorithms organize related potential security events into insights. When you get alerted to an insight, it's up to you to diagnose the problem and take action.
+
+
+
+* A. **Name**. The insight's name can point you to how the event occurred, or why the adversaries did it. In this case, the adversaries wanted to gain credential access.
+* B. **Assignee**. You can assign the insight to a coworker, update the insight's status, send alerts, close the insight, and perform other actions here.
+* C. **Entity**. The entity can point to who, where, or what was affected. In this case, the insight is clustered around a username.
+* D. **Left pane**. A summary of the insight's key features, like its severity, can be found in the left pane.
+* E. **Timeline**. The timeline can show you when the events occurred. Each event represents a signal.
+* F. **Signals**. The signals below the timeline contain details of each event.
+
+The insight page shows everything you need to start unravelling the security event. As you start investigating, try to answer as many wh- questions as you can about the event:
+
+* Who is behind the event?
+* What assets did the event affect?
+* Where did the event occur?
+* When did the event occur?
+* Why did the event occur?
+* How did the event occur?
+
+When signals cluster together, Cloud SIEM uses their tactics and techniques to name the insights they generate. The insight's name can point you to how the event occurred, or why the adversary is behaving that way. For example, a tactic name like discovery or persistence shows the reasons the adversary has. Similarly, tactic names like initial access or execution can tell you a little about the methods the adversary used. These names are just starting points, however, and you may need to revise your hypotheses as you continue your investigations.
+
+Example: An insight is named "Discovery with Execution". Why did the event occur? Probably so the adversary could discover your information. How did the event occur? By using an executable file or a similar technique.
+
+The timeline can tell you when the event occurred. You can see whether each signal was triggered at the same time, or sequentially, as well as whether everything happened over minutes, hours, or days. By default, insights are related signals that cluster together within the last 14 days.
+
+The entities within each signal can help point to who, what, or where the event occurred. An entity might point to the IP address of a hacked device, the location of the adversary, the location of the database that leaked, the owner of a website or domain, or some other piece of the puzzle.
+
+A day in the life of a SOC analyst can be summarized as follows:
+
+
+
+Cloud SIEM can help with every step of the threat investigation process:
+1. **Monitor**. Cloud SIEM automatically detects and monitors potential threats by analyzing millions of records and distilling them into a handful of insights with a low false positive rate. You can choose insights from the home page of Cloud SIEM in the insight radar, under the **Insight Activity** pane, or from the **Insights** panel.
+1. **Investigate**. Once you choose an insight, you can dig through all the raw logs and signals to conduct deep-dive investigations and even proactive threat hunts.
+1. **Hypothesize**. You can organize your thoughts, make hypotheses, and take notes about your investigation in the comments of each insight. This will share your ideas with your SOC teammates and help you keep track of your investigation.
+1. **Take action**. You can also take certain actions directly from the insight. You can email teammates, create JIRA tickets, execute playbooks, and many other custom actions with the **Actions** button.
+1. **Update**. Finally, you can update the insight. You can mark it as "in progress" or "closed". When you close it, you can mark it as "resolved," "false positive", "duplicate", or "no action". Updating the status correctly will help the Cloud SIEM insight engine produce more accurate insights for your organization in the future.
+
+Of course, this process will repeat each day as new insights are generated for you to investigate.
+
+### Investigating an insight
+
+In this section, you'll be investigating an insight for your organization that was detected through Cloud SIEM. Our goal is to analyze the insight details and complete the narrative of what happened.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Insights** at the top of the screen.
+1. Use the insight's name (and the [MITRE ATT&CK matrix](https://attack.mitre.org/matrices/enterprise/)), timeline, signals, and entities to answer these questions:
+ * What events (signals) were detected and correlated together?
+ * What is the total of all the severity scores of the signals in this insight?
+ * What order did the events happen in?
+ * What hypotheses do you have about how and why the event happened?
+ * What other information can you find by exploring this insight?
+1. Scroll to the bottom of the left navigation pane of the insight. Write a short summary of your answers from from the previous step in the **Comments** section. Here is a summary that we could have written for our example:
+ "*First, a known phishing link was received in a user's email. A few minutes later, a malicious file was allowed. It seems the user clicked a phishing link and downloaded the file. Then, threat intelligence detected a ZIP file with a known malicious file hash, coming from a domain that has also been recognized as suspicious by external threat monitoring services. Follow-up activity accessing the AWS APIs and Lambda service was detected, the first time that this user has been recorded using those services. This unusual activity also triggered Amazon's GuardDuty service, recognizing unusual network activity. All of these individual signals were correlated together into this insight. Given the likelihood of active malware in the network, the user's machine and credentials should be locked down immediately. Further investigation is needed to determine the total impact of the malicious file.*"
+
+### Dive into signals and entities
+
+Insights provide a great, high-level summary of potential security events. Because of Cloud SIEM's threat intelligence and sophisticated correlation engine, very few insights are false positives, so they're all worth investigating.
+
+However, sometimes you may want to investigate deeper, to really understand what happened. Or, you may want to do proactive threat hunting work, to find potential problems before they begin impacting your system, even if some of what you're looking at are false alarms.
+
+The **Signals** tab lists all the signals created by rules that have been triggered in your system in the last 14 days, by default. Signals provide summaries of potential security threats. Remember, not all signals are security incidents. After all, there are legitimate reasons why someone might be logged in to two different devices at the same time, or why there have been several failed password attempts on an account.
+
+
+
+When you click into a signal, you'll have the option to see the full details of the record that triggered it. This includes information like the IP address, geolocation, threat level, and other information that can aid you in your investigation.
+
+
+
+The **Entities** tab lists all the entities that your rules have detected in the last 14 days, by default. Each entity has an activity score associated with it. The activity score is the sum of all the severity scores of all the unique signals associated with that entity. When an entity's activity score reaches at least 12, an insight is created. If you have several entities with relatively high activity scores, they might be a good starting point for a threat hunt.
+
+
+
+### Bring it back to Sumo Logic search
+
+Sometimes you want to take your investigation even further. An in-depth threat investigation will use the most of both Cloud SIEM and Sumo Logic's core search functionality.
+
+There are several ways to bring the information you find in Cloud SIEM back to the Sumo Logic platform. One [context action](/docs/cse/administration/create-cse-context-actions) is **Sumo Logic Search**. Selecting this action will create a log search in Sumo Logic. This way, you can find all log messages with that entity, even if it wasn't detected by a rule in Cloud SIEM. Hover your mouse over the entity name, click the
+
+Many entities in the insights, signals, and entities pages have context actions (six dots icon). Hover next to certain entities and the six dot icon may appear, if context actions are available for that object. Use the context actions to insert the entity into an API call, do a DNS lookup, or many other tasks. Your admin can add custom context actions too.
+
+You can also work with your admin to set up dashboards in Sumo Logic that track insights and other activity in Cloud SIEM. This allows you to monitor what's going on in Cloud SIEM without ever leaving Sumo Logic's core platform.
+
+### Continue the investigation
+
+In a previous section, we looked at an insight. In this section, we will use Sumo Logic search to continue the investigation. Then, we will update the status of your investigation in Cloud SIEM.
+
+1. Return to the insight you looked at in the previous section [Investigating an insight](#investigating-an-insight).
+1. In the left pane, hover your mouse cursor over the **Entity** field (this is randomly generated and can be a user name or an IP address). Click the context actions (six dots) icon that appears next to the entity name.
+1. From the dropdown (under **Actions**), select **Sumo Logic Search** as described in [Bring it back to Sumo Logic search](#bring-it-back-to-sumo-logic-search). You may need to scroll to find it. You'll be redirected to Sumo Logic search.
+1. Make a note of the entity name that's pre-populated in the query builder.
+1. Open another log search in Sumo Logic:
+
+You don't have to write rules from scratch. The Sumo Logic content team creates and maintains hundreds of [out-of-the box rules](/docs/cse/rules/cse-built-in-rules/), to get you started. These rules are updated frequently, often every few days. You can check out the most recent updates in the [Cloud SIEM release notes page](/release-notes-cse/).
+
+If you do decide to write a custom rule, insight, or rule tuning expression, these aren't updated or deleted by Sumo Logic during the regular updates. They're independent from the default rules.
+
+### Write a rule tuning expression
+
+You're updating some of the firewalls in your system, and you don't want to trigger unnecessary alerts. Write a rule tuning expression that will allow yourself to bypass firewall-related rules.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rule Tuning**.
+
+* A. **If Triggered**. Configure the IF statement to decide what records will cause the rule to trigger.
+* B. **Rule logic**. The rule's logic is a short piece of code. For match rules, it's usually simple boolean logic.
+* C. **Add Tuning Expression**. You can optionally add rule tuning expressions when you create new rules.
+* D. **Then Create a Signal**. The THEN statement of a rule configures the signal that will be created if there's a match with the IF statement.
+* E. **On Entity**. The entity for a rule is usually something that is found in the IF statement. For example, if your boolean logic looks for matches on IP addresses, then the entity would be an IP address.
+* F. **with the Summary**. The name, summary, and description are required fields. As a best practice, fill these out with details that will help other SOC analysts understand why you wrote this rule.
+* G. **and a __ severity of**. You can configure the rule's severity score. This is on a scale from 0 to 10, with 10 being the most severe. Higher severity scores are more likely to trigger insights.
+* H. **with tags**. The tags let you choose which tactics and techniques from the [MITRE ATT&CK](https://attack.mitre.org/) framework your rule is looking for.
+
+### Write a match rule
+
+You're concerned about traffic coming from a particular IP address that isn't covered by any of the default rules in Cloud SIEM. Write a match rule that looks for this IP address.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
+
+Once an entity is in Cloud SIEM's system, Cloud SIEM tracks the total severity score of signals associated with each entity as an activity score. Once that activity score gets high enough, usually over 12 by default, then an insight is created.
+
+So, if you want an insight to be created with the default settings, you'd have to have rules with a severity score of 1 trigger 13 different times, or rules with higher severity scores trigger enough times to add up to 13. This is why insights typically have several signals associated with them.
+
+You can have a large number of low-severity score signals that won't create an insight. Or, you can have a small number of high-severity score signals that will create an insight. Keep this in mind when you're configuring the severity scores of your custom rules.
+
+
+
+But what if you want to be alerted right away when a certain rule is triggered?
+
+[Custom insights](/docs/cse/records-signals-entities-insights/configure-custom-insight/) let you create insights based on one specific signal, or a chain of signals. This is great for known threats specific to your system. You won't need to change any of your existing rules and insights. They'll keep working normally.
+
+### Create a custom insight
+
+You want to be alerted right away when your new custom match rule is triggered. Create a custom insight that looks for only this rule.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu, select **Content > Custom Insights**. Learn basic concepts about Cloud SIEM.
-
1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Auth0 security records.
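Review bot: the "Write a rule tuning expression" task in the first added line should say that the expression is scoped to the firewalls being updated and removed once the maintenance is over; as worded ("allow yourself to bypass firewall-related rules") it reads as a blanket exclusion, and a tuning expression that broadly suppresses firewall rules silences those detections for every host, not only the ones under maintenance ("allow yourself to bypass" should also read "allow you to bypass"). As rendered, the hunk also looks incomplete: each Classic UI line ("Content > Rule Tuning", "Content > Rules", "Content > Custom Insights") is a lone step "1." with nothing after it, the lettered callouts A to H describe the rule editor ("If Triggered", "Rule logic", "Then Create a Signal", ...) yet sit under the Rule Tuning step rather than under "Write a match rule", the last added line ends with "Learn basic concepts about Cloud SIEM." which does not belong to the Custom Insights step, and the trailing context line ("... search for Auth0 security records") appears to come from a different file than the tutorial text above it, so the hunk boundaries and the dropped lines should be checked before merge.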
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md
index 9e176ebc9a..7fc4068e7a 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md
@@ -70,6 +70,6 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into
Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records.
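Review bot: only the removed Classic UI step is shown and no "+" replacement line, so as rendered the "verify that your logs are successfully making it into Cloud SIEM" section loses its navigation step and "1. For a more granular look..." becomes the first and only step; confirm that the replacement line with the new Classic UI link target is actually present in the commit. Every ingestion-source hunk that follows shows the same single "-" line with no "+" line, so one check covers all of them.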
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md
index 6169ad900b..159b7349c9 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md
@@ -46,7 +46,7 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
index d558d4ee46..6c686f8f6c 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
@@ -75,6 +75,6 @@ In this step, you deploy the events processor. This will create the AWS resource
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for GuardDuty security records..
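Review bot: the unchanged context line ends with a double period ("GuardDuty security records.."); since this hunk already rewrites the line directly above it, dropping the extra period here is a cheap drive-by fix.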
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md
index a13d5e3fdc..57eb34426e 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md
@@ -61,7 +61,7 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS Network Firewall security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md
index 589a146f74..329120c2b5 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md
@@ -70,6 +70,6 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
3. For a more granular look at the incoming Records, you can also search Sumo Logic for Carbon Black Cloud Records.
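Review bot: the trailing context line in aws-vpc-flow.md tells the reader to search for "Carbon Black Cloud Records" and is numbered "3." where the other ingestion pages use "1."; this looks like a copy-paste leftover and should name the VPC Flow records this page is about, with numbering that matches the neighbouring pages. Since the hunk already rewrites the preceding step, fixing it here keeps the verification steps consistent across the set.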
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
index 399fbaaec3..e71abbf5a9 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
@@ -61,6 +61,6 @@ In this step you configure Check Point Firewall to send log messages to the Sumo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Check Point Firewall security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
index 0addb5ce3b..5706dc2187 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
@@ -59,6 +59,6 @@ To configure Cisco ASA logging, follow the instructions in the [ASA Syslog Conf
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also use search the Sumo Logic platform for Cisco ASA security records.
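Review bot: the context line reads "you can also use search the Sumo Logic platform"; either drop "use" or reword it to "use the Sumo Logic platform to search for", which is how the okta.md and sentinelone.md hunks below phrase it. The cisco-meraki.md and microsoft-windows.md hunks carry the same "use search" wording and could be fixed in the same pass.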
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
index d40fb37e83..c35f05bc88 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
@@ -60,6 +60,6 @@ Configure logging for Cisco Meraki as described in [Syslog Server Overview and
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also use search the Sumo Logic platform for Cisco Meraki security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
index 2f401171eb..6666cee597 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
@@ -57,7 +57,7 @@ In this step you configure Zeek to send log messages to the Sumo Logic platform.
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configure-collection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Corelight Zeek security records.
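Review bot: the removed line contains a duplicated "and" ("and then and under **Integrations**"); make sure the replacement line does not carry it over. The context line's "for the source category assigned to your source or collector you configured in [Step 1]" is hard to parse and would read better as "assigned to the source or collector you configured in Step 1"; the same sentence recurs in the signal-sciences-waf.md and sumo-logic-ingest-mapping.md hunks.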
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
index 3a10d6a806..f8aea4bcab 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
@@ -69,6 +69,6 @@ Different parsers are required for CEF and JSON format logs.
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for FortiGate security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md
index 5112ea73ec..6c7fb403d0 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md
@@ -49,6 +49,6 @@ In this step, you configure an HTTP Source to collect G Suite Alert Center log m
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for G Suite Alert Center security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
index 96334660c9..a2dc4a13a9 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
@@ -36,6 +36,6 @@ In this step, you configure an Google Workspace Apps Audit Source to collect Goo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
index fa5190fd95..81773cc8e3 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
@@ -62,6 +62,6 @@ While the linked document only focuses on unexpected reboot logs, the process fo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Kemp security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
index 5d5f185053..83a079f81b 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
@@ -86,6 +86,6 @@ In this step, you configure forwarding to the the Syslog Source. Follow the ins
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Linux OS security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
index c60e0b51c5..93a80f3203 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
@@ -41,6 +41,6 @@ In this step, you configure an Microsoft 365 Audit Source to collect Microsoft 3
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Office 365 security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
index b365626bc9..77dfdc97e5 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
@@ -53,6 +53,6 @@ In this step you configure Azure Activity Log to send log messages to the Sumo L
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Azure security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
index 631b85969b..461a057a11 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
@@ -60,6 +60,6 @@ In this step, you configure a Local Windows Event Log Source to collect Microsof
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Windows security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
index 6233ff342e..93aef33c60 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
@@ -64,6 +64,6 @@ Follow the Nginx [instructions](https://docs.nginx.com/nginx/admin-guide/monito
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Nginx security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
index cb786421c0..feb18648e0 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
@@ -32,6 +32,6 @@ In this step, you configure an Okta Source to collect Okta log messages. You can
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Okta security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
index 8e9285c21f..4cc6246357 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
@@ -55,6 +55,6 @@ the OneLogin knowledge base. You must use the SIEM (NDJSON) format. Use the **S
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for OneLogin security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
index b7af31e976..5d7d3b55c7 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
@@ -64,6 +64,6 @@ In this step you configure osquery to send log messages to Sumo Logic core platf
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
index 9b431986f2..6bfe26c50e 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
@@ -116,6 +116,6 @@ In this step, you configure Palo Alto Firewall to send log messages to the Sumo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Palo Alto Firewall security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
index d4955b6e14..8f6d9b5694 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
@@ -56,7 +56,7 @@ In this step you configure SentinelOne to send log messages to the Sumo Logic pl
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for SentinelOne security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md
index b41cc2f08c..200589a465 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md
@@ -57,7 +57,7 @@ For more information on Generic Webhooks refer to the [Generic Webhooks](https:/
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configurecollection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Signal Sciences WAF security records.
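Review bot: the context line links Step 1 as `#step-1-configurecollection`, while the identical sentence in the corelight-zeek.md hunk uses `#step-1-configure-collection`; one of the two anchors is almost certainly wrong, so the heading slug in each file should be checked so the in-page link does not break.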
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
index 9144404fc6..98d565faef 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
@@ -67,6 +67,6 @@ In this step, you configure ProxySG to forward access logs to the the Syslog S
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search Sumo Logic for ProxySG Records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
index 367c2da303..34bb5e2578 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
@@ -71,6 +71,6 @@ Instructions for sending access logs to a syslog server are available on the [Br
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Proxy Secure Gateway security Records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
index 5902b28375..2fd61e0926 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
@@ -60,6 +60,6 @@ In this step, you configure ZScaler NSS to send log messages to the Sumo Logic
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for ZScaler NSS security Records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md
index 57f7e110b4..6f49d4136d 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md
@@ -56,6 +56,6 @@ In this step you configure Zscaler Private Access to send log messages to Sumo L
In this step, you verify that your logs are successfully making it into Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for "ZPA" security records.
diff --git a/docs/cse/ingestion/sumo-logic-ingest-mapping.md b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
index 554af03be7..5b474c31cf 100644
--- a/docs/cse/ingestion/sumo-logic-ingest-mapping.md
+++ b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
@@ -73,7 +73,7 @@ When you fill out the **Sumo Logic Ingest Mapping** page, for most of the suppor
For these formats, Cloud SIEM uses the values you configure for **Product**, **Vendor**, and **Event ID** (in addition to **Format**) to select the appropriate Cloud SIEM mapper to process the messages. To verify the correct values, you can go to the **Log Mapping Details** page for the mapper in the Cloud SIEM UI. To do so:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
1. In the **Filters** area, you can filter the list of log mappings by
typing in a keyword, or by selecting a field to filter by.
@@ -104,7 +104,7 @@ This table in this section is a quick reference to supplying values for each su
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
diff --git a/docs/cse/integrations/configuring-threatq-source-in-cse.md b/docs/cse/integrations/configuring-threatq-source-in-cse.md
index ba803878ec..468f45c6ff 100644
--- a/docs/cse/integrations/configuring-threatq-source-in-cse.md
+++ b/docs/cse/integrations/configuring-threatq-source-in-cse.md
@@ -17,7 +17,7 @@ To do so, you simply configure a ThreatQ source in Cloud SIEM. You supply the in
## Configure a ThreatQ source
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**.
diff --git a/docs/cse/integrations/enable-virustotal-enrichment.md b/docs/cse/integrations/enable-virustotal-enrichment.md
index c915309477..1a2ca9f19f 100644
--- a/docs/cse/integrations/enable-virustotal-enrichment.md
+++ b/docs/cse/integrations/enable-virustotal-enrichment.md
@@ -36,7 +36,7 @@ VirusTotal enrichments are only added to Signals that are part of an Insight.
## Configure VirusTotal enrichment
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Enrichment**.
2. On the **Edit VirusTotal Configuration** popup, enter your VirusTotal API Key, and click Update.
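Review bot: "click Update" in the unchanged step 2 should bold the control name (**Update**) to match the **Configuration** and **Enrichment** convention on the line being changed. Since this step has the reader paste a VirusTotal API key, a short reminder next to it that the key is a credential (rotate it if it is exposed, and do not paste it into other documentation or tickets) would be worth adding.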
diff --git a/docs/cse/integrations/integrate-cse-with-taxii-feed.md b/docs/cse/integrations/integrate-cse-with-taxii-feed.md
index 43f38728b5..61ae228ac8 100644
--- a/docs/cse/integrations/integrate-cse-with-taxii-feed.md
+++ b/docs/cse/integrations/integrate-cse-with-taxii-feed.md
@@ -29,7 +29,7 @@ Cloud SIEM supports TAXII v1.1 and v1.2.
## Configure the integration
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**.
1. The **Add Source** page appears.
diff --git a/docs/cse/introduction-to-cloud-siem.md b/docs/cse/introduction-to-cloud-siem.md
deleted file mode 100644
index 975e19300c..0000000000
--- a/docs/cse/introduction-to-cloud-siem.md
+++ /dev/null
@@ -1,432 +0,0 @@
----
-id: introduction-to-cloud-siem
-title: Introduction to Cloud SIEM
-sidebar_label: Introduction to Cloud SIEM
-description: Learn basic concepts about Cloud SIEM.
----
-
-import useBaseUrl from '@docusaurus/useBaseUrl';
-
-Cloud SIEM is a cloud-based enterprise-grade security information and event management (SIEM) system. Cloud SIEM leverages Sumo Logic's core functionality, including data collection, ingestion, storage, and threat intelligence. Cloud SIEM is a purchased add-on with an ever-expanding library of content designed for security operations.
-
-Watch the following micro lesson to learn how to get started using Cloud SIEM for threat investigation.
-
-
-
-import Iframe from 'react-iframe';
-
-## Cloud SIEM user interface
-
-### Access Cloud SIEM
-
-To access Cloud SIEM, in the main Sumo Logic menu select **Cloud SIEM**.
-
-Cloud SIEM must be enabled by Sumo Logic before it is accessible to users in your organization. For more information, see [Onboarding Checklist for Cloud SIEM Administrators](/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/).
-
-### Theme
-
-import Theme from '../reuse/dark-light-theme.md';
-
-
-
-Use the top menu to access:
-*
-
-Use the **Content** menu to access:
-* [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
-* [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
-* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
-* [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
-* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
-* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
-* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
-* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
-* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
-
-#### Configuration menu
-
-The **Configuration** menu allows you to configure Cloud SIEM. To access this menu, click
-
-Use the **Configuration** menu to access:
-* **Incoming Data**
- * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
-* **Entities**
- * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules.
- * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
- * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
- * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
-* **Workflow**
- * [**Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
- * [**Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
- * [**Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
- * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
-* **Integrations**
- * [**Sumo Logic**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Configure mapping of message fields to Record attributes.
- * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
- * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
- * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
- * [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
-
-### New UI
-
-The new UI provides a streamlined way to navigate in Sumo Logic. For more information, see [Tour the Sumo Logic UI](/docs/get-started/sumo-logic-ui).
-
-#### Sidebar menu
-
-Click **Cloud SIEM** in the main Sumo Logic menu to open the sidebar menu.
-
-Use the **Cloud SIEM** sidebar menu to access:
-* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you’re prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
-* **Security Events**
- * [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
- * [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
- * [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
- * [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
- * [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
-* **Security Detection**
- * [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
- * [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
- * [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
- * [**Match List**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
- * [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
- * [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
- * [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules
- * [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
- * [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
-
-#### Top menu
-
-This menu appears at the top of the screen:
-
-Use the top menu to access:
-*
-
-Use the **Go To...** menu to access these Cloud SIEM features:
-* [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
-* [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
-* [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
-* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
-* [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
-* [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
-* [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
-* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
-* [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
-* [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
-* [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
-* [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
-* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
-* [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
-* [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
-* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
-* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
-* [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
-* [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
-* [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
-* [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
-* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you’re prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
-* [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
-* [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
-* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
-* [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
-* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
-
-#### Configuration menu
-
-The **Configuration** menu allows you to configure Sumo Logic features, including for Cloud SIEM. To access this menu, click the configuration icon
-
-Use the **Configuration** menu to access:
-
-* **Cloud SIEM Integrations**
- * [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
- * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
- * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
- * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
- * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
- * [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
-* **Cloud SIEM Entities**
- * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules.
- * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
- * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
- * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
-* **Cloud SIEM Workflow**
- * [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
- * [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
- * [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
- * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
-
-
-## Getting your data into Cloud SIEM
-
-Cloud SIEM automatically normalizes, enriches, and correlates all your data across multiple data sources into actionable security Insights. As shown below, the process starts when logs from data sources enter a collector, then flow through an ingestion process that generates messages. The messages are parsed, mapped to normalized values, and enriched with additional data before becoming records.
-
-
-
-When records enter Cloud SIEM, rules analyze Entities on the records to produce Signals. The Signals are correlated, and if an Entity's activity score exceeds 12 or more in a two-week period, [an Insight is generated](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) for that Entity.
-
-
-
-:::tip
-For definitions of many of these terms, see the [Glossary](/docs/contributing/glossary).
-:::
-
-Because Cloud SIEM designed for larger data volumes, most organizations need to ingest a large amount of data each day for Insights to surface in Cloud SIEM.
-
-If you already use the Sumo Logic core platform, you’re probably familiar with the data pipeline:
-
-
-
-1. **Data collection**. To use Sumo Logic, first you must set up either an installed collector or a hosted collector and add a source. You can also set up source categories and other metadata, which helps you search and analyze the data you collect.
-2. **Search and analyze**. Once data is in Sumo Logic, you can write queries to search and correlate events in real-time from the analytics platform UI. Or, you might configure the collector to forward data to Cloud SIEM, and let it do all the correlation work for you.
-3. **Visualize and monitor**. Once you’ve found and analyzed data that’s interesting, you can create dashboards to visualize it and set up alerts to monitor your data in real-time. Certain apps, like [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/), come pre-configured with several dashboards designed for security.
-4. **Share the findings**. Export your dashboards or share with others on your team. You can control who can view and edit your dashboards to keep your data secure.
-
-
-### Data collection
-
-Before you can start investigating threats, you need data. As a data analyst, this step may have been done by your administrator.
-
-Your company collects and [ingests](/docs/cse/ingestion/) millions of log messages into Sumo Logic. Typically, you can use these messages right away in many Sumo Logic apps. To use them in Cloud SIEM, however, your admin must enable [data forwarding](/docs/manage/data-forwarding/). Your admin may also need to [create log mappings](/docs/cse/schema/create-structured-log-mapping/), [field extraction rules](/docs/manage/field-extractions/create-field-extraction-rule/), or complete other preprocessing steps to extract the right data.
-
-
-
-As a data analyst, you should periodically examine the data that’s being ingested by Sumo Logic and Cloud SIEM. After you’ve been using Cloud SIEM for a while, you may want to fine-tune it to fit your organization’s needs. If you discover that you’re ingesting too much or too little data to do threat hunting, you can work with your admin to find that balance.
-
-So, what’s the balance between too much and too little data? It depends. Work with your admin to answer these questions:
-
-* **Are you ingesting enough data?** Cloud SIEM takes thousands or millions of records and boils them down into just a handful of Insights. Most organizations ingest more than 50GB of data every day to start finding any Insights. If your ingest volume is smaller than this, consider sending more data to Cloud SIEM or using other security solutions like the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/) app.
-* **Are you ingesting too much data?** More data doesn’t always mean more Insights. The threat detection logic built into Cloud SIEM generally prevents false positives. However, some organizations choose to ingest or store less data as a way to cut costs. One solution is partitioning your data into different tiers, and only sending some of that data along to Cloud SIEM.
-* **Are you ingesting the right data?** Cloud SIEM doesn’t just work on quantity alone. Quality data will affect your performance as well. As a best practice, you’ll need to bring in quality data sources that are supported by Cloud SIEM. High-value data sources include [CloudTrail logs](/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/), [Windows event logs](/docs/send-data/installed-collectors/sources/collect-forwarded-events-windows-event-collector/), [AWS logs](/docs/integrations/amazon-aws/), and [GuardDuty logs](/docs/integrations/amazon-aws/guardduty/).
-
-### Processing your data for Cloud SIEM
-
-Before Cloud SIEM can generate security Insights, your log messages must go through a little processing first. First, Cloud SIEM processes the messages into Records. Each Record contains the information from a message, which is parsed into key-value pairs, mapped to a Cloud SIEM schema, and enriched with other data.
-
-
-
-Let’s follow a simple log message down this pipeline:
-```
-sso : ip-127-0-0-1 : alex@travellogic.com :
-"Successful Login" : “2021-05-25T22:11:42"
-```
-
-First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of `ip-127-0-0-1`, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `127.0.0.1`, with the hyphens normalized to dots. Then, this information is mapped onto the Cloud SIEM schema. Finally, the record is enriched with information from match lists or threat intelligence databases, such as its [CrowdStrike threat level](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq).
-
-These normalized Records are then sent down the Cloud SIEM pipeline and compared to rules.
-
-### Extracting security Insights for Cloud SIEM
-
-Each record ingested into Cloud SIEM is compared to hundreds of built-in and custom [rules](/docs/cse/rules/). If a record matches the criteria specified in a rule, then Cloud SIEM creates a Signal. When a Signal is created, it contains a name, entity, severity, stage, and description. A Signal always contains, at minimum, an entity and a severity. This data is later used by Cloud SIEM's Insight engine algorithm.
-
-A Signal is an individual security event. The entity in a Signal is something like an IP address, MAC address, or hostname. The entity tells us who or what was involved in the event that the record described. The stage or tags are assigned based on where the event fits in the [MITRE ATT&CK](https://attack.mitre.org/) framework. This can tell us a bit about how or why the event occurred. The severity is a number between 0 and 10 that tells Cloud SIEM how serious the potential threat is.
-
-Cloud SIEM typically processes thousands or millions of records and boils them down into hundreds of Signals.
-
-
-
-On the Cloud SIEM main page, you'll see a panel similar to this one. In this case, 52 thousand records have been ingested and processed into 4 thousand Signals. Some Signals could be false alarms, but many are worth investigating anyway. But, 4 thousand is still way too many for the average SOC analyst to sift through every day. So, how do you know which Signals to pay attention to first?
-
-Cloud SIEM takes everything one step further and correlates those Signals into a manageable number of Insights. Here, just one Insight was created out of all those Signals.
-
-An Insight is a group of Signals clustered around a single entity. An Insight is created when the sum of the severity scores of Signals with the same entity goes above a certain activity score within a certain timeframe. By default, this is an activity score of 12 within the last 14 days. For example, if a rule was triggered with a severity of 5, and then ten days later another rule with the same entity and a severity of 5 was triggered, the total activity score would only be 10 in the last 14 days, so an Insight would not be created. However, if those same two rules had a severity score of 7, an Insight would be created because the total activity score exceeds 12.
-
-## Get started with threat investigation
-
-Threat investigation is reactive while threat hunting is proactive. Typically, threat investigation happens in response to an alert. Once you’ve investigated a threat, you can hunt for similar threats and take precautionary steps to prevent attacks from happening again.
-
-Threat investigation is an iterative process, much like troubleshooting. In both threat investigation and troubleshooting, you first monitor your systems. Once an anomaly is detected, you can make a hypothesis about how it happened and diagnose the problem. As you dig deeper, you may revise this initial hypothesis and find more clues about why or how the attack or error happened. You can then take action to resolve the issue.
-
-
-
-Cloud SIEM acts as your first line of defense, monitoring your system. Cloud SIEM’s threat intelligence and correlation algorithms organize related potential security events into Insights. When you get alerted to an Insight, it’s up to you to diagnose the problem and take action.
-
-The [Insight page](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) shows everything you need to start unravelling the security event. As you start investigating, try to answer as many wh- questions as you can about the event:
-
-* Who is behind the event?
-* What assets did the event affect?
-* Where did the event occur?
-* When did the event occur?
-* Why did the event occur?
-* How did the event occur?
-
-When Signals cluster together, Cloud SIEM uses their tactics and techniques to name the Insights they generate. The Insight’s name can point you to how the event occurred, or why the adversary is behaving that way. For example, a tactic name like discovery or persistence shows the reasons the adversary has. Similarly, tactic names like initial access or execution can tell you a little about the methods the adversary used. These names are just starting points, however, and you may need to revise your hypotheses as you continue your investigations.
-
-For example, an Insight is named Discovery with Execution. Why did the event occur? Probably so the adversary could discover your information. How did the event occur? By using an executable file or a similar technique.
-
-The [timeline](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui#signal-visualization-area) can tell you when the event occurred. You can see whether each signal was triggered at the same time, or sequentially, as well as whether everything happened over minutes, hours, or days. By default, Insights are related Signals that cluster together within the last 14 days.
-
-The [entities within each Signal](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui#entities-tab) can help point to who, what, or where the event occurred. An entity might point to the IP address of a hacked device, the location of the adversary, the location of the database that leaked, the owner of a website or domain, or some other piece of the puzzle.
-
-Cloud SIEM can help with every step of the threat investigation process. Cloud SIEM automatically detects and monitors potential threats by analyzing millions of records and distilling them into a handful of Insights with a low false positive rate. You can choose Insights from the home page of Cloud SIEM in the [Insight Radar](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display#5-insight-radar), under the [Recent Activity pane](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display#6-recent-activity), or from the [Insights panel](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/).
-
-Once you choose an Insight, you can dig through all the raw logs and Signals to conduct deep-dive investigations and even proactive threat hunts. You can organize your thoughts, make hypotheses, and take notes about your investigation in the comments of each Insight. This will share your ideas with your SOC teammates and help you keep track of your investigation.
-
-You can also take certain [actions](/docs/cse/administration/create-cse-actions) directly from the Insight. You can email teammates, create Jira tickets, execute playbooks, and many other custom actions with the Actions button.
-
-Finally, you can [update the Insight](/docs/cse/administration/manage-custom-insight-resolutions#about-insight-resolutions). You can mark it as “in progress” or “closed”. When you close it, you can mark it as “resolved”, “false positive”, “duplicate”, or “no action”. Updating the status correctly will help the Cloud SIEM Insight engine produce more accurate Insights for your org in the future.
-
-Of course, this process will repeat each day as new Insights are generated for you to investigate.
-
-### Dive into Signals and Entities
-
-Insights provide a great, high-level summary of potential security events. Because of Cloud SIEM’s threat intelligence and sophisticated correlation engine, very few Insights are false positives, so they’re all worth investigating.
-
-However, sometimes you may want to investigate deeper, to really understand what happened. Or, you may want to do proactive threat hunting work, to find potential problems before they begin impacting your system, even if some of what you’re looking at are false alarms.
-
-#### Signals
-
-The Signals tab lists all the Signals created by rules that have been triggered in your system in the last 14 days, by default. Signals provide summaries of potential security threats. Remember, not all Signals are security incidents. After all, there are legitimate reasons why someone might be logged in to two different devices at the same time, or why there have been several failed password attempts on an account.
-
-
-
-When you click into a Signal, you’ll have the option to see the full details of the record that triggered it. This includes information like the IP address, geolocation, threat level, and other information that can aid you in your investigation.
-
-
-
-#### Entities
-
-The Entities tab lists all the entities that your rules have detected in the last 14 days, by default. Each entity has an Activity Score associated with it. The activity score is the sum of all the severity scores of all the unique signals associated with that entity. When an entity’s activity score exceeds 12, an Insight is created. If you have several entities with relatively high activity scores, they might be a good starting point for a threat hunt.
-
-
-
-### Bring it back to Sumo Logic search
-
-Sometimes you want to take your investigation even further. An in-depth threat investigation will use the most of both Cloud SIEM and Sumo Logic’s core search functionality.
-
-There are several ways to bring the information you find in Cloud SIEM back to the Sumo Logic platform. One [context action](/docs/cse/administration/create-cse-context-actions) is Sumo Logic Search. Selecting this action will create a log search in Sumo Logic. This way, you can find all log messages with that entity, even if it wasn’t detected by a rule in Cloud SIEM.
-
-Many entities in the Insights, Signals, and Entities pages have context actions (six-dot icon). Hover next to certain entities and the six-dot icon may appear, if context actions are available for that object. Use the context actions to insert the entity into an API call, do a DNS lookup, or many other tasks. Your admin can add custom context actions too.
-
-You can also work with your admin to set up dashboards in Sumo Logic that track Insights and other activity in Cloud SIEM. This allows you to monitor what’s going on in Cloud SIEM without ever leaving Sumo Logic’s core platform.
-
-### Take action on Insights
-
-In addition to the context actions available in the Cloud SIEM UI, there are many other [actions](/docs/cse/administration/create-cse-actions/) you might take in response to an Insight. For example, you might work with your IT team to isolate and wipe laptops infected with malware to prevent spread of malicious code. Or, you might work with your HR team to enforce mandatory anti-phishing training among all employees to prevent future attacks.
-
-In Cloud SIEM, there are several different actions you can take on each Insight. You can comment on the Insight, or close it or assign a status to it. When you close an Insight, Cloud SIEM uses the resolution information to reduce false positives and duplicates further. Assigning a status to the Insight lets you keep working on it, and keep track of your progress.
-
-You can also assign the Insight to yourself or to a colleague, and use the Actions button to alert colleagues, create Jira tickets, send Slack messages, execute playbooks, or use other APIs. This Actions button is customizable, but can only be configured by admins. If you need a custom Action, ask your Admin or Sumo account rep for help creating one.
-
-### Using the MITRE ATT&CK matrix
-
-The [MITRE ATT&CK matrix](https://attack.mitre.org/matrices/enterprise/) is published by MITRE, a non-profit research organization. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
-
-The framework organizes and categorizes the tactics and techniques that hactivists, cyber criminals, nation states, scripters, and other adversaries use. This includes attacks like exfiltrating databases, installing malware, stealing credentials, and all the other nefarious activities you and your SOC team are trying to stop.
-
-Cloud SIEM uses these same tactic names for the stages of Signals and the names of Insights. Once you're familiar with ATT&CK, navigating Cloud SIEM's Insights page becomes easier.
-
-If you read the news, or are familiar with other cybersecurity frameworks like the Pyramid of Pain, you know there are many kinds of threats out there. It’s easy to become overwhelmed. However, Cloud SIEM helps organize all the potential threats in your system into one manageable dashboard, leveraging the knowledge found in the MITRE ATT&CK matrix along with the Insights algorithm.
-
-## Tune your environment
-
-### Why tune?
-
-Once you’ve completed a few investigations, you may want to add or modify the rules, data sources, match lists, and other pieces of the Cloud SIEM puzzle. These modifications can help further reduce false positives or alert you even faster. The most common things to customize are rules and Insights.
-
-[Rules](/docs/cse/rules/about-cse-rules/) are one of the most important pieces of Cloud SIEM’s threat detection engine. All the records that are ingested in Cloud SIEM are compared to every rule in Cloud SIEM. If there’s a match, an entity is extracted and a Signal is created. Those entities are tracked and may correlate with other Signals to create an Insight, which is where most threat investigations begin.
-
-
-
-You don’t have to write rules from scratch. The Sumo Logic content team creates and maintains hundreds of [out-of-the box rules](/docs/cse/rules/cse-built-in-rules/), to get you started. These rules are updated frequently, often every few days. You can check out the most recent updates in the [Cloud SIEM release notes page](/release-notes-cse/).
-
-If you do decide to write a custom rule, Insight, or rule tuning expression, these aren’t updated or deleted by Sumo Logic during the regular updates. They’re independent from the default rules.
-
-### Rule tuning
-
-With [rule tuning](/docs/cse/rules/rule-tuning-expressions/), you can modify existing rules without rewriting them from scratch. This lets you customize them without a lot of work. When you use rule tuning instead of [custom rules](/docs/cse/rules/before-writing-custom-rule/), your tuning expressions are retained when Sumo updates that rule. So you still get to take advantage of the rules Sumo pushes out to all users.
-
-Once you’ve written a tuning expression, you can apply that tuning expression to multiple rules. You can also apply multiple tuning expressions to each rule, so they’re very flexible. We’ll learn how to apply one tuning expression to multiple rules, and we’ll also learn how to apply multiple tuning expressions to one rule today.
-
-A rule tuning expression is an AND statement that you add to an existing rule. It’s usually simple logic you add to rules. As a best practice, you should use rule tuning expressions when you have a small number of specific exceptions to existing rules.
-
-### Custom rules
-
-Adding a rule tuning expression to an existing rule is one of the easiest and most common ways to customize your rules. But sometimes you need to [write a new rule from scratch](/docs/cse/rules/before-writing-custom-rule/). You might do this if your system has a source that isn’t covered by the default rules, or if you’re looking for a threat that isn’t covered by the default rules.
-
-See [Rule types](/docs/cse/rules/about-cse-rules#rule-types) for the types of rules you can create.
-
-### Custom Insights
-
-Once a rule is in your system, whether it’s a custom rule you created or one created by the Sumo team, Cloud SIEM will use it to create Signals. When a rule is created, you configure its severity score. This is on a scale from 0 to 10, with 10 being the most severe.
-
-If a record matches a rule, an entity is extracted from the record. The entity might be something like an IP address, a user name, a domain name. It tells you who the potential threat is.
-
-Once an entity is in Cloud SIEM’s system, Cloud SIEM tracks the total severity score of Signals associated with each entity as an activity score. Once that activity score gets high enough, usually over 12 by default, then an insight is created.
-
-So, if you want an Insight to be created with the default settings, you’d have to have rules with a severity score of 1 trigger 12 different times, or rules with severity scores of 6 or higher trigger twice. This is why Insights typically have several Signals associated with them.
-
-You can have a large number of low-severity score Signals that won’t create an Insight. Or, you can have a small number of high-severity score Signals that will create an Insight. Keep this in mind when you’re configuring the severity scores of your custom rules.
-
-
-
-But what if you want to be alerted right away when a certain rule is triggered?
-
-[Custom Insights](/docs/cse/records-signals-entities-insights/configure-custom-insight/) let you create Insights based on one specific Signal, or a chain of Signals. This is great for known threats specific to your system. You won’t need to change any of your existing rules and Insights. They’ll keep working normally.
-
-### Other customizations and best practices
-
-Remember, Cloud SIEM’s out-of-the-box rules and Insights are great. But we want you to have the flexibility to customize your environment. There are three simple three ways to customize Cloud SIEM’s rules and Insights.
-
-* First, [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions/) are simple ways to add small exceptions and other clauses to existing rules.
-* Second, [custom rules](/docs/cse/rules/before-writing-custom-rule/) let you write logic that’s unique to your system, to cover threats or data sources that aren’t covered by built-in rules.
-* Finally, [Custom Insights](/docs/cse/records-signals-entities-insights/configure-custom-insight/) allow you to get alerts based on just one rule or a chain of rules.
-
-Before you create custom rules from scratch, there are some best practices you’ll want to follow.
-
-* **Check existing rules**. Sumo Logic already has hundreds of [built-in rules](/docs/cse/rules/cse-built-in-rules/), so you might not need to write a new one. Or, you may only need to make small changes to existing rules, like adding a rule tuning expression or adjusting a severity score.
-* **Know your system**. You’ll need to understand the [schema](/docs/cse/schema/) and [log mappings](/docs/cse/schema/create-structured-log-mapping/) of all the records ingested into Cloud SIEM to write effective rules. You might want to work with an administrator on your team who knows this to write better rules.
-* **Know your risk appetite**. In addition to your system’s details about log mappings and other metadata, you need to understand your company’s risk appetite and risk tolerance. For example, some companies might want to monitor a large amount of outbound traffic, but not consider this a threat. So, they’d assign this rule a severity of zero. However, other companies might be alarmed by outbound traffic and consider it data exfiltration, assigning the same rule a severity of five.
-* **Know the rule types**. You also need to understand all [the types of rules](/docs/cse/rules/about-cse-rules/#rule-types). If your use case requires a chain rule, but you try writing a threshold rule, the rule might not be as efficient or effective.
-* **Make small changes**. As a best practice, when you do write a new rule or edit an existing one, make small changes. For example, instead of decreasing a severity score from 8 to 2, try decreasing it from 8 to 7 and monitoring the change for a while.
-* **Save as a prototype**. Another best practice is to [save all new rules as a prototype](/docs/cse/rules/write-match-rule#save-as-prototype). This allows you to monitor the rule’s behavior, without creating new Insights and alerts.
-
-Rule tuning, custom rules, and custom Insights are just a taste of what you can customize in Cloud SIEM. However, some customizations, like configuring the [Actions button](/docs/cse/administration/create-cse-actions), need admin privileges. You can work with your admin or your Sumo Logic account rep to customize:
-* [Log mappings](/docs/cse/schema/create-structured-log-mapping/)
-* [Match lists](/docs/cse/match-lists-suppressed-lists/)
-* [APIs](/docs/cse/administration/cse-apis/) and other [plugins](/docs/cse/integrations/)
-* How much data Cloud SIEM [ingests](/docs/cse/ingestion/)
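Review bot: two typos in the removed text should not travel into whichever page now holds this material: "hactivists" (for "hacktivists") in the MITRE ATT&CK paragraph, and "There are three simple three ways" in the "Other customizations and best practices" paragraph. The sidebars.ts hunk in this same change adds `cse/get-started-with-cloud-siem/intro-for-analysts` and `intro-for-administrators`, which look like the destination for this tuning and MITRE content; please diff the relocated copy against these lines, in particular the numeric details (severity scale of 0 to 10, default activity-score threshold of 12, the "decrease 8 to 7, not 8 to 2" advice and the save-as-prototype recommendation), since those are what tends to drift when a section is moved rather than copied.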
diff --git a/docs/cse/match-lists-suppressed-lists/create-match-list.md b/docs/cse/match-lists-suppressed-lists/create-match-list.md
index 6aaa37e445..42b9e45338 100644
--- a/docs/cse/match-lists-suppressed-lists/create-match-list.md
+++ b/docs/cse/match-lists-suppressed-lists/create-match-list.md
@@ -81,7 +81,7 @@ Perform the steps below to create a Match List in Cloud SIEM.
You can also create and manage Match Lists with Cloud SIEM's REST [API](/docs/cse/administration/cse-apis).
:::
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Match Lists**.
1. The **Custom Columns** page lists the custom columns that have been defined in your environment.
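Review bot: the `@@ -81,7 +81,7 @@` header says this is a one-line swap, but only the `-` side of step 1 is visible, so its replacement cannot be checked here. The view-manage-entities.md and about-automation-service.md hunks further down show the intended pattern, with the `+` line retargeting the link to `/docs/get-started/sumo-logic-ui-classic`; please confirm that this hunk, and every other hunk in this change whose only visible line is `-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui) ...`, gets the same new target and keeps the step text and numbering intact, so the list that continues with `1. The **Custom Columns** page ...` still starts at the navigation step.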
diff --git a/docs/cse/match-lists-suppressed-lists/suppressed-lists.md b/docs/cse/match-lists-suppressed-lists/suppressed-lists.md
index c3810e5d17..5755be5f52 100644
--- a/docs/cse/match-lists-suppressed-lists/suppressed-lists.md
+++ b/docs/cse/match-lists-suppressed-lists/suppressed-lists.md
@@ -72,7 +72,7 @@ A Suppressed List can contain up to 50,000 items.
Perform the steps below to create a Suppressed List and add an indicator to it using the Cloud SIEM UI.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Suppressed Lists**.
1. On the **New Suppressed List** popup, enter the following:
1. **Name**. Name of the Suppressed List.
diff --git a/docs/cse/records-signals-entities-insights/configure-custom-insight.md b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
index 5d43e1f923..efc88d3b56 100644
--- a/docs/cse/records-signals-entities-insights/configure-custom-insight.md
+++ b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
@@ -29,7 +29,7 @@ When the conditions of a Custom Insight configuration are met during the current
To create a Custom Insight:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu, select **Content > Custom Insights**.
4. In the **Name** field, enter a name for the Custom Insight.
diff --git a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
index 82fb7de2e1..510eb7f263 100644
--- a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
+++ b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
@@ -71,7 +71,7 @@ For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-
After you've [created your Entity Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Normalization**.
diff --git a/docs/cse/records-signals-entities-insights/create-an-entity-group.md b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
index e3144102eb..8e5fa1c298 100644
--- a/docs/cse/records-signals-entities-insights/create-an-entity-group.md
+++ b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
@@ -46,7 +46,7 @@ It’s possible to define Entity Groups that overlap, in terms of the Entities t
Follow these instructions to create an Entity Group based on Entity name or whether the Entity is within a specified range of IP addresses.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Groups**.
1. **Name**. Enter a name for the Entity Group.
@@ -81,7 +81,7 @@ Follow these instructions to create an Entity Group based on Entity name or whet
Follow these instructions to create an Entity Group that corresponds to a group in an inventory service in your infrastructure.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Groups**.
1. **Name**. Enter a name for the Entity Group.
diff --git a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
index 0f442af310..e009ceb5c8 100644
--- a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
+++ b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
@@ -21,7 +21,7 @@ Just as for Entities of built-in types listed above—IP addresses, MAC addresse
To create a custom Entity type:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Custom Types**.
3. **Name**. Enter a meaningful name for the custom Entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom Entity type on the **Custom Entity Type** page.
diff --git a/docs/cse/records-signals-entities-insights/entity-criticality.md b/docs/cse/records-signals-entities-insights/entity-criticality.md
index bb7a356ef5..916b969bf1 100644
--- a/docs/cse/records-signals-entities-insights/entity-criticality.md
+++ b/docs/cse/records-signals-entities-insights/entity-criticality.md
@@ -30,7 +30,7 @@ You can configure both the detection window and the threshold Activity Score for
## Define a Criticality
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Criticality**.
2. **Name**. Enter a name.
@@ -41,7 +41,7 @@ You can configure both the detection window and the threshold Activity Score for
You can associate a Criticality with one or more Entities.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Click **Entities** at the top of the screen.
3. Click a Criticality to apply it to the Entity.
diff --git a/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md b/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
index 9824953253..4439c28ba9 100644
--- a/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
+++ b/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
@@ -13,7 +13,7 @@ By default, the detection window is 14 days, and the threshold Activity Score i
To change the Insight generation settings:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Detection**.
1. Enter values for **Detection Threshold** and **Signal Suppression**:
* **Standard Threshold**
diff --git a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
index df7c68e8ee..54a3e495c2 100644
--- a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
+++ b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
@@ -63,14 +63,14 @@ difference is where you do the tagging.
### UI for tagging a Rule
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rules**.
### UI for tagging an Entity
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Click **Entities** at the top of the screen.
@@ -79,14 +79,14 @@ difference is where you do the tagging.
Note that in addition to tags that you manually assign to an Insight, an Insight will inherit any tags that were applied to the content that went into the Insight—the entity and the rule(s) or custom insight definitions that created the included signals—will automatically be inherited (and aggregated) by the Insight.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Click **Insights** at the top of the screen.
### UI for tagging a custom Insight
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Custom Insights**.
@@ -111,7 +111,7 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
### Search Insights, Signals, or Entities by tag
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Near the top of the screen, click in the Cloud SIEM search area and then click the funnel icon.
1. Select **Tags** from the **Fields** list.
1. Choose **contain** or **do not contain** from the **Operators** list.
@@ -119,7 +119,7 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
### Search Rules by tag
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rules**.
1. Choose **contain** or **do not contain** from the **Operators** list.
1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords Tags** list, items that match are listed. Note that if an item has a Mitre-related tag, an icon appears next to it. Click the icon to view a Mitre page on the Tactic or Technique.
diff --git a/docs/cse/records-signals-entities-insights/view-manage-entities.md b/docs/cse/records-signals-entities-insights/view-manage-entities.md
index 3fdc2125dc..1cc38e833d 100644
--- a/docs/cse/records-signals-entities-insights/view-manage-entities.md
+++ b/docs/cse/records-signals-entities-insights/view-manage-entities.md
@@ -54,9 +54,9 @@ When a Signal is fired, if an Entity doesn’t already exist in Cloud SIEM for t
## About the Entities list page
-[**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). To view Entities, click **Entities** at the top of the screen.
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view Entities, click **Entities** at the top of the screen.
-[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). To view Entities, in the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.
+[**New UI**](/docs/get-started/sumo-logic-ui). To view Entities, in the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.
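Review bot: the new targets `/docs/get-started/sumo-logic-ui-classic` and `/docs/get-started/sumo-logic-ui` drop the `#classic-ui` and `#new-ui` fragments that the old links carried, so readers now land at the top of a general platform UI page rather than on a Cloud SIEM-specific section; if those pages have a Cloud SIEM subsection, link to its anchor instead. This hunk and the about-automation-service.md hunk are the only places in this section where the `+` side of the Classic UI/New UI swap is visible, so they serve as the reference for checking the other hunks that show only the `-` line.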
@@ -136,7 +136,7 @@ or Criticality for one or more Entities.
### Update Entities from the UI
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Click **Entities** at the top of the screen.
1. Click the top checkbox to select all of the Entities on the page, or click the checkbox next to each Entity you want to update.
1. Note that once you select an Entity, three options appear at the top of the Entities list.
diff --git a/docs/cse/records-signals-entities-insights/view-records-signal.md b/docs/cse/records-signals-entities-insights/view-records-signal.md
index 9565c6cc63..20f99d0d2f 100644
--- a/docs/cse/records-signals-entities-insights/view-records-signal.md
+++ b/docs/cse/records-signals-entities-insights/view-records-signal.md
@@ -10,7 +10,7 @@ Cloud SIEM uses rules to evaluate incoming records, and when the conditions of
## View record details
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). To view signals, click **Signals** at the top of the screen.
1. Once you’ve opened the mapping, you’ll see the top of the page shows the Vendor, Product, and Event ID that is written to the Records produced by the mapping.
1. The **Fields** section of the page shows how raw message fields are mapped to Cloud SIEM schema attributes. In this mapping, `EventData.LogonProcessName` is mapped to `application`, `EventData.WorkstationName` is mapped to `device_hostname`, and so on.
diff --git a/docs/cse/rules/import-yara-rules.md b/docs/cse/rules/import-yara-rules.md
index 5f287d4ec4..689742f895 100644
--- a/docs/cse/rules/import-yara-rules.md
+++ b/docs/cse/rules/import-yara-rules.md
@@ -17,7 +17,7 @@ YARA rules are an open source framework for identifying malware. Cloud SIEM runs
To import YARA rules:
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > File Analysis**.
1. The **Add New Source** popup updates.
diff --git a/docs/cse/rules/rule-tuning-expressions.md b/docs/cse/rules/rule-tuning-expressions.md
index e3d76bf911..a85bbd80b1 100644
--- a/docs/cse/rules/rule-tuning-expressions.md
+++ b/docs/cse/rules/rule-tuning-expressions.md
@@ -58,7 +58,7 @@ import Iframe from 'react-iframe';
## Create a tuning expression
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rule Tuning**.
diff --git a/docs/cse/rules/write-aggregation-rule.md b/docs/cse/rules/write-aggregation-rule.md
index a4f61a5817..50d310ec74 100644
--- a/docs/cse/rules/write-aggregation-rule.md
+++ b/docs/cse/rules/write-aggregation-rule.md
@@ -55,7 +55,7 @@ import Iframe from 'react-iframe';
## Create an Aggregation rule
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rules**.
1. Click the **Structured Mapping** tile on the **Create a Mapping** page.
1. On the **New Mapping** page, enter a name for the mapping.
diff --git a/docs/cse/schema/username-and-hostname-normalization.md b/docs/cse/schema/username-and-hostname-normalization.md
index f33a786e1c..f5eb7546d0 100644
--- a/docs/cse/schema/username-and-hostname-normalization.md
+++ b/docs/cse/schema/username-and-hostname-normalization.md
@@ -54,7 +54,7 @@ If no name normalization configuration exists, the name attribute will consist o
## Configure entity normalization
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Normalization**.
1. On the **Create Sumo Logic Mapping** page:
1. **Source Category**. Enter the Source Category value you assigned to the Source you configured above in [Configure a Sumo Logic Source](#configure-a-sumo-logic-source).
diff --git a/docs/integrations/product-list/index.md b/docs/integrations/product-list/index.md
index c25129f7f4..d66ba7217c 100644
--- a/docs/integrations/product-list/index.md
+++ b/docs/integrations/product-list/index.md
@@ -11,7 +11,7 @@ This section contains articles that list all the vendors and products that Sumo
Types of integrations:
* **Apps**. Pre-built applications with dashboards that provide robust analytics about the product. To [install apps](/docs/get-started/apps-integrations/), select **App Catalog** from the main menu. See [Apps and Integrations](/docs/integrations/) for more information.
* **Automation integrations**. Integrations for use in the Automation Service and Cloud SOAR. For more information, see [Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/).
-* **Cloud SIEM integrations**. Rules, mappers, parsers, and normalization schema in Cloud SIEM for integrating with external products. See [Cloud SIEM Content Catalog](/docs/cse/cloud-siem-content-catalog) for more information.
+* **Cloud SIEM integrations**. Rules, mappers, parsers, and normalization schema in Cloud SIEM for integrating with external products. See [Cloud SIEM Content Catalog](/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog) for more information.
* **Collectors**. Agents that collect data from the product. See [Send Data](/docs/send-data/) for documentation about collectors.
* **Community apps**. Apps provided by internal and external users and our creator community. See [Sumo Logic Community Ecosystem Apps](/docs/integrations/community-ecosystem-apps/) for more information.
* **Partner integrations**. Apps and integrations that are provided by members of our partner network. See [Partner Ecosystem Apps](/docs/integrations/partner-ecosystem-apps/) and [Partner Integrations for Sumo Logic](/docs/integrations/partner-integrations/) for more information.
diff --git a/docs/platform-services/automation-service/about-automation-service.md b/docs/platform-services/automation-service/about-automation-service.md
index 0572e461b2..3bddb7a9a5 100644
--- a/docs/platform-services/automation-service/about-automation-service.md
+++ b/docs/platform-services/automation-service/about-automation-service.md
@@ -57,7 +57,7 @@ Before you can access the Automation Service, you must first [configure role cap
### From Cloud SIEM
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the Cloud SIEM top menu select **Configuration**, and then under **Integrations** select **Automation**.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the Cloud SIEM top menu select **Configuration**, and then under **Integrations** select **Automation**.
1. At the top of the screen, click **Manage Playbooks**.
1. The Automation Service screen opens on the **Playbook** tab.
diff --git a/sidebars.ts b/sidebars.ts
index debd447602..3aab495cec 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -2674,8 +2674,6 @@ integrations: [
collapsed: true,
link: {type: 'doc', id: 'cse/index'},
items: [
- 'cse/introduction-to-cloud-siem',
- 'cse/cloud-siem-content-catalog',
{
type: 'category',
label: 'Get Started with Cloud SIEM',
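Review bot: `cse/introduction-to-cloud-siem` is removed from the sidebar with no replacement entry in this hunk; the next hunk adds `cloud-siem-ui`, `intro-for-analysts` and `intro-for-administrators`, which appear to be its successors. Because many `-` lines elsewhere in this change linked to `/docs/cse/introduction-to-cloud-siem/#classic-ui`, that URL is almost certainly bookmarked and linked from outside the docs; make sure a redirect entry exists for the old path exactly as it was spelled (including the trailing `introduction-to-cloud-siem`), and that the doc file itself is actually deleted, since a sidebar id that still has a source file simply goes unlisted while a sidebar id with no source file breaks the build. The same check applies to `cse/cloud-siem-content-catalog`, which moves under `get-started-with-cloud-siem` in the next hunk and whose inbound link in product-list/index.md this change already updates.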
@@ -2683,10 +2681,14 @@ integrations: [
collapsed: true,
link: {type: 'doc', id: 'cse/get-started-with-cloud-siem/index'},
items: [
+ 'cse/get-started-with-cloud-siem/cloud-siem-ui',
+ 'cse/get-started-with-cloud-siem/intro-for-analysts',
+ 'cse/get-started-with-cloud-siem/intro-for-administrators',
'cse/get-started-with-cloud-siem/cse-heads-up-display',
'cse/get-started-with-cloud-siem/insight-generation-process',
'cse/get-started-with-cloud-siem/about-cse-insight-ui',
'cse/get-started-with-cloud-siem/onboarding-checklist-cse',
+ 'cse/get-started-with-cloud-siem/cloud-siem-content-catalog',
],
},
{
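Review bot: ordering point only. `cloud-siem-content-catalog` used to sit at the Cloud SIEM category level and now lands last inside Get Started, after `onboarding-checklist-cse`; if the catalog is reference material rather than a getting-started step, consider placing it beside `cloud-siem-ui` at the top of the list or keeping it at category level, so the three new intro pages read as a sequence and the catalog is not mistaken for the final onboarding step.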
diff --git a/static/img/cse/cloud-siem-hud.png b/static/img/cse/cloud-siem-hud.png
new file mode 100644
index 0000000000..83b718a9ae
Binary files /dev/null and b/static/img/cse/cloud-siem-hud.png differ
diff --git a/static/img/cse/intro-admin-playbook-example.png b/static/img/cse/intro-admin-playbook-example.png
new file mode 100644
index 0000000000..01667f30d3
Binary files /dev/null and b/static/img/cse/intro-admin-playbook-example.png differ
diff --git a/static/img/cse/intro-blank-rule-template.png b/static/img/cse/intro-blank-rule-template.png
new file mode 100644
index 0000000000..10a9419e85
Binary files /dev/null and b/static/img/cse/intro-blank-rule-template.png differ
diff --git a/static/img/cse/intro-cloud-siem-data-pipeline.png b/static/img/cse/intro-cloud-siem-data-pipeline.png
index 3c0b08563a..8a4abb87b9 100644
Binary files a/static/img/cse/intro-cloud-siem-data-pipeline.png and b/static/img/cse/intro-cloud-siem-data-pipeline.png differ
diff --git a/static/img/cse/intro-cloud-siem-signals.png b/static/img/cse/intro-cloud-siem-signals.png
index 19e1000332..c86f9e936a 100644
Binary files a/static/img/cse/intro-cloud-siem-signals.png and b/static/img/cse/intro-cloud-siem-signals.png differ
diff --git a/static/img/cse/intro-context-action-icon.png b/static/img/cse/intro-context-action-icon.png
new file mode 100644
index 0000000000..c5efeeb4f5
Binary files /dev/null and b/static/img/cse/intro-context-action-icon.png differ
diff --git a/static/img/cse/intro-data-flow.png b/static/img/cse/intro-data-flow.png
new file mode 100644
index 0000000000..d1623a42c8
Binary files /dev/null and b/static/img/cse/intro-data-flow.png differ
diff --git a/static/img/cse/intro-day-in-the-life-cloud-siem.png b/static/img/cse/intro-day-in-the-life-cloud-siem.png
new file mode 100644
index 0000000000..c9f955ef0b
Binary files /dev/null and b/static/img/cse/intro-day-in-the-life-cloud-siem.png differ
diff --git a/static/img/cse/intro-filter-entities.png b/static/img/cse/intro-filter-entities.png
new file mode 100644
index 0000000000..f004b68cb7
Binary files /dev/null and b/static/img/cse/intro-filter-entities.png differ
diff --git a/static/img/cse/intro-filter-rules.png b/static/img/cse/intro-filter-rules.png
new file mode 100644
index 0000000000..53449e4f8d
Binary files /dev/null and b/static/img/cse/intro-filter-rules.png differ
diff --git a/static/img/cse/intro-forward-data.gif b/static/img/cse/intro-forward-data.gif
new file mode 100644
index 0000000000..217e47478b
Binary files /dev/null and b/static/img/cse/intro-forward-data.gif differ
diff --git a/static/img/cse/intro-hud.gif b/static/img/cse/intro-hud.gif
new file mode 100644
index 0000000000..61ca04bde4
Binary files /dev/null and b/static/img/cse/intro-hud.gif differ
diff --git a/static/img/cse/intro-ingest-the-right-data.png b/static/img/cse/intro-ingest-the-right-data.png
new file mode 100644
index 0000000000..5983dabe87
Binary files /dev/null and b/static/img/cse/intro-ingest-the-right-data.png differ
diff --git a/static/img/cse/intro-insight-example-investigation.png b/static/img/cse/intro-insight-example-investigation.png
new file mode 100644
index 0000000000..24ba0a6199
Binary files /dev/null and b/static/img/cse/intro-insight-example-investigation.png differ
diff --git a/static/img/cse/intro-insight-example.png b/static/img/cse/intro-insight-example.png
new file mode 100644
index 0000000000..4c98f120df
Binary files /dev/null and b/static/img/cse/intro-insight-example.png differ
diff --git a/static/img/cse/intro-log-search-context-action.png b/static/img/cse/intro-log-search-context-action.png
new file mode 100644
index 0000000000..0cc89a8af8
Binary files /dev/null and b/static/img/cse/intro-log-search-context-action.png differ
diff --git a/static/img/cse/intro-logs-into-records.png b/static/img/cse/intro-logs-into-records.png
new file mode 100644
index 0000000000..27fbf7d86b
Binary files /dev/null and b/static/img/cse/intro-logs-into-records.png differ
diff --git a/static/img/cse/intro-records-to-signals.png b/static/img/cse/intro-records-to-signals.png
new file mode 100644
index 0000000000..61debe0546
Binary files /dev/null and b/static/img/cse/intro-records-to-signals.png differ
diff --git a/static/img/cse/intro-select-timeframe.png b/static/img/cse/intro-select-timeframe.png
new file mode 100644
index 0000000000..6501e407d6
Binary files /dev/null and b/static/img/cse/intro-select-timeframe.png differ
diff --git a/static/img/cse/intro-signal-example.png b/static/img/cse/intro-signal-example.png
new file mode 100644
index 0000000000..87857a9eed
Binary files /dev/null and b/static/img/cse/intro-signal-example.png differ