diff --git a/cid-redirects.json b/cid-redirects.json
index 06bce50232..56110bf890 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -2938,7 +2938,7 @@
 "/Cloud_SIEM_Enterprise/CSE_Ingestion/Palo_Alto_Firewall": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall",
 "/Cloud_SIEM_Enterprise/CSE_Ingestion/SentinelOne": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone",
 "/Cloud_SIEM_Enterprise/CSE_Ingestion/Signal_Sciences_WAF": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf",
- "/Cloud_SIEM_Enterprise/CSE_Ingestion/Symantec_Proxy_Secure_Gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway",
+ "/Cloud_SIEM_Enterprise/CSE_Ingestion/Symantec_Proxy_Secure_Gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
 "/Cloud_SIEM_Enterprise/CSE_Ingestion/Symantec_Proxy_Secure_Gateway_(Blue_Coat_Proxy)": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
 "/Cloud_SIEM_Enterprise/CSE_Ingestion/ZScaler_NSS": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss",
 "/Cloud_SIEM_Enterprise/CSE_Ingestion/Zscaler_Private_Access": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access",
@@ -4225,7 +4225,8 @@
 "/docs/cse/ingestion/sentinelone": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone",
 "/docs/cse/ingestion/signal-sciences-waf": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf",
 "/docs/cse/ingestion/symantec-proxy-secure-gateway-blue-coat-proxy": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
- "/docs/cse/ingestion/symantec-proxy-secure-gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway",
+ "/docs/cse/ingestion/symantec-proxy-secure-gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
+ "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
 "/docs/cse/ingestion/zscaler-nss": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss",
 "/docs/cse/ingestion/zscaler-private-access": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access",
 "/docs/cse/administration/onboarding-checklist-cse": "/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse",
diff --git a/docs/cse/ingestion/cse-ingestion-best-practices.md b/docs/cse/ingestion/cse-ingestion-best-practices.md
index d7c58945fe..efff9cb9cc 100644
--- a/docs/cse/ingestion/cse-ingestion-best-practices.md
+++ b/docs/cse/ingestion/cse-ingestion-best-practices.md
@@ -7,10 +7,10 @@ description: Learn how to send log messages collected by a Sumo Logic Source or import useBaseUrl from '@docusaurus/useBaseUrl'; -This topic has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records.  +This article has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records. :::note -Cloud SIEM must be enabled in your Sumo Logic account in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Engineer or Sales Engineer. +[Cloud SIEM must be enabled in your Sumo Logic account](/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/) in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Engineer or Sales Engineer. ::: The process consists of configuring a source or collector to forward messages to Cloud SIEM, and ensuring that the forwarded messages are correctly tagged with the information Cloud SIEM needs in order to map messages fields to record attributes. These are referred to as *mapping hints*, and include: Format, Vendor, Product, and an Event ID template. 
@@ -23,19 +23,19 @@ You can only send log data that resides in the [Continuous data tier](/docs/mana Data flow diagram -### Cloud SIEM ingestion best practices +### Recommended methods to ingest data into Cloud SIEM -We recommend the following ingestion processes, starting with the most preferred: +We recommend the following ingestion methods, starting with the most preferred: -1. **Follow an ingestion guide**. The [Ingestion Guides](/docs/cse/ingestion) section of this help site provides specific collection and ingestion recommendations for many common products and services. An ingestion guide describes the easiest way to get data from a particular product into Cloud SIEM. When you’re ready to start using Cloud SIEM to monitor a new product, if there’s a Cloud SIEM ingestion guide for it, we recommend using it. -1. **Use a Cloud-to-Cloud (C2C) connector**. If you don’t see an Ingestion Guide for your data source, check to see if there is a C2C connector. It’s an easy method, because if you configure your C2C source to send logs to Cloud SIEM, it automatically tags messages it sends to Cloud SIEM with fields that contain the mapping hints that Cloud SIEM requires. 

Most C2C connectors have a **Forward to SIEM** option in the configuration UI. If a C2C connector lacks that option, you can achieve the same effect by assigning a field named `_siemforward`, set to *true*, to the connector.

For information about what C2C sources are available, see Cloud-to-Cloud Integration Framework. +1. **Use a Cloud-to-Cloud (C2C) connector**. It’s an easy method, because if you configure your C2C source to send logs to Cloud SIEM, it automatically tags messages it sends to Cloud SIEM with fields that contain the mapping hints that Cloud SIEM requires. 

Most C2C connectors have a [**Forward to SIEM** option](/docs/c2c/info/#metadata-fields) in the configuration UI. If a C2C connector lacks that option, you can achieve the same effect by assigning a field named `_siemforward`, set to *true*, to the connector.

For information about what C2C sources are available, see [Cloud-to-Cloud Integration Framework Sources](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/). 1. **Use a Sumo Logic Source and parser**. If there isn’t a C2C connector for your data source, your next best option is to use a Sumo Logic Source (running on an Installed Collector or a Hosted Collector, depending on the data source)—and a Sumo Logic parser, if we have one for the data source.  - Check if there’s a parser for your data source. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Parsers**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Parsers**. You can also click the **Go To...** menu at the top of the screen and select **Parsers**. If there is a parser for your data source, but you find it doesn’t completely meet your needs–for instance if the parser doesn’t support the particular log format you use–consider customizing the parser with a [local configuration](/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser). If that’s not practical, you can submit a request for a new parser by filing a ticket at [https://support.sumologic.com](https://support.sumologic.com/). + Check if there’s a parser for your data source.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Parsers**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Parsers**. You can also click the **Go To...** menu at the top of the screen and select **Parsers**. + + If there is a parser for your data source, but you find it doesn’t completely meet your needs–for instance if the parser doesn’t support the particular log format you use–consider customizing the parser with a [local configuration](/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser). If that’s not practical, you can submit a request for a new parser by filing a ticket at [https://support.sumologic.com](https://support.sumologic.com/). - When you forward logs to Cloud SIEM for parser processing, there are two bits of important configuration: -   - 1. Configure the source to forward logs. To configure an HTTP source to send log messages to Cloud SIEM, click the **SIEM Processing** checkbox. You can configure other source types to send data to Cloud SIEM by assigning a field named `_siemforward`, set to *true*, to the source. For example: + When you forward logs to Cloud SIEM for parser processing, there are two bits of important configuration: + 1. Configure the source to forward logs. To configure an HTTP source to send log messages to Cloud SIEM, click the [**SIEM Processing** checkbox](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). You can configure other source types to send data to Cloud SIEM by assigning a field named `_siemforward`, set to *true*, to the source. For example: ``` _siemforward=true 
@@ -53,3 +53,7 @@ We recommend the following ingestion processes, starting with the most preferred You can get the path to a parser on the **Parsers** page in Sumo Logic. Click the three-dot kebab menu in the row for a parser, and select **Copy Path**. 1. **Use a Sumo Logic Source and Cloud SIEM Ingest mapping**. This is the least recommended method, as you have to manually configure the mapping hints in an ingestion mapping. For more information, see [Configure a Sumo Logic Ingest Mapping](/docs/cse/ingestion/sumo-logic-ingest-mapping/). + +:::tip +See [Example Ingestion Sources for Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/) for specific collection and ingestion recommendations for many common products and services. +::: \ No newline at end of file diff --git a/docs/cse/ingestion/index.md b/docs/cse/ingestion/index.md index 67dbfe243d..c5a119f7c1 100644 --- a/docs/cse/ingestion/index.md +++ b/docs/cse/ingestion/index.md @@ -7,15 +7,13 @@ description: Learn how to configure ingestion for supported products and service import useBaseUrl from '@docusaurus/useBaseUrl'; -The topics in this section provide data ingestion guides for supported products and services. - -In this section, we'll introduce the following concepts: +The articles in this section provide guidance on how to ingest data into Cloud SIEM.
Database icon

Best Practices

-

Learn how to send Sumo Logic Source or Cloud-to-Cloud Connector log messages to Cloud SIEM to be transformed into Records.

+

Learn how to send Sumo Logic Source or Cloud-to-Cloud Connector log messages to Cloud SIEM to be transformed into records.

diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md index a3a60f669c..fa12aee0a4 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md @@ -1,60 +1,18 @@ --- id: auth0 -title: Auth0 - Cloud SIEM -sidebar_label: Auth0 system parser +title: Ingest Auth0 Data into Cloud SIEM +sidebar_label: Auth0 description: Configure an HTTP source to ingest Auth0 log messages and send them to Cloud SIEM’s Auth0 system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -## Step 1: Configure collection - -In this step, you configure an HTTP Source to collect Auth0 log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted image collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be Auth0 sources, add an additional field with key `_parser` and value */Parsers/System/Auth0/Auth0*. - -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an HTTP Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select **HTTP Logs & Metrics**.  -1. The page refreshes.
HTTP source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.` -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **SIEM Processing**. Click the checkbox to configure the source to forward log messages to Cloud SIEM. -1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/Auth0/Auth0*. -12. **Advanced Options for Logs**. For information about the optional advance options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/). -13. Click **Save**. -14. Make a note of the HTTP Source URL that is displayed. You’ll supply it in Step 2 below. - -## Step 2: Configure Auth0 - -In this step you configure Auth0 to send log messages to the Sumo Logic platform. For instructions, see [Stream Logs to Sumo Logic](https://auth0.com/docs/logs/streams/stream-logs-to-sumo-logic) -in Auth0 help.  - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into -Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for Auth0 and check the **Records** columns.
Record volume -1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Auth0 security records.
Auth0 search +To ingest Auth0 data into Cloud SIEM: +1. [Configure a source for Auth0](/docs/integrations/saml/auth0/#configure-a-source) on a collector. When you configure the source, do the following: + 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/Auth0/Auth0*. This ensures that the Auth0 logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure Auth0 to send log messages to the Sumo Logic platform. For instructions, see [Sumo Logic](https://marketplace.auth0.com/integrations/sumo-logic-log-streaming) in the Auth0 help. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for Auth0 and check the **Records** columns.
Record volume + 1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Auth0 security records:
`_index=sec_record* and metadata_product = "Auth0"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md index bde8e2e26f..9103666c33 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md 
@@ -1,75 +1,18 @@ --- id: aws-application-load-balancer -title: AWS Application Load Balancer - Cloud SIEM +title: Ingest AWS Application Load Balancer Data into Cloud SIEM sidebar_label: AWS Application Load Balancer description: Configure collection and ingestion of AWS Application Load Balancer (ALB) log messages from an S3 bucket to be parsed by Cloud SIEM's AWS ALB system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting AWS Application Load Balancer log messages via AWS S3 and sending them to Sumo Logic to be ingested by Cloud SIEM. - -Sumo Logic Cloud SIEM supports the default AWS Application Load Balancer log format which includes all version 2 fields. See [AWS Application Load Balancer log records documentation](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields) for more details. - -## Step 1: Enable AWS Application Load Balancer Logs - -By default, ALB logging is not enabled in your organization's AWS account. You can find additional assistance for enabling logging in [AWS Documentation](http://aws.amazon.com/documentation/elastic-load-balancing/). - -1. In the AWS Management Console, choose **EC2 > Load Balancers**. -1. Under **Access Logs**, click **Edit**. -1. In the **Configure Access Logs** dialog box, click **Enable Access Logs**, then choose an Interval and S3 bucket. This is the S3 bucket that will upload logs to Sumo Logic. -1. Click **Save**. -1. Ensure permission is granted for an AWS Source. - -## Step 2: Configure Collection - -In this step, you configure an HTTP Source to collect AWS ALB log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an AWS S3 Source](#configure-an-aws-s3-source) below. 
Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a hosted collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be AWS ALB sources, add an additional field with key `_parser` and value */Parsers/System/AWS/AWS ALB*. - -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an AWS S3 Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.  -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select Amazon S3.  -1. The page refreshes.
S3 source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **S3 Region**. Choose the AWS Region the S3 bucket resides in. -1. **Bucket Name**. The name of your organizations S3 bucket as it appears in AWS -1. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields**. - 1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. - 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS ALB*. -1. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Note that Sumo Logic access to AWS (instructions are provided above in [Step 1](#step-1-enable-aws-application-load-balancer-logs)) is a prerequisite for role-based access - * **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.
Role ARN  - * **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details. -1. In the **Advanced Options for Logs** section, uncheck the **Detect - messages spanning multiple lines** option. -1. Click **Save**. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into -Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "AWS Application Load Balancer" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records.
AWS ELB search +To ingest AWS Application Load Balancer data into Cloud SIEM: +1. [Enable ELB logging in AWS](/docs/send-data/hosted-collectors/amazon-aws/aws-elastic-load-balancing-source/#enable-elb-logging-in-aws). +1. [Create an Amazon S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS ALB*. This ensures that the AWS Application Load Balancer logs are parsed and normalized into structured records in Cloud SIEM. +1. To verify that your logs are successfully making it into Cloud SIEM:  + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "AWS Application Load Balancer" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records:
`_index=sec_record* and metadata_product = "AWS - Application Load Balancer - JSON"` diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md index 153c1c8da6..c601df4714 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md 
@@ -1,52 +1,22 @@ --- id: aws-cloudtrail -title: AWS CloudTrail - Cloud SIEM +title: Ingest AWS CloudTrail Data into Cloud SIEM sidebar_label: AWS CloudTrail -description: Configure a CloudTrail source on a hosted collector to ingest CloudTrail log messages to be parsed by Cloud SIEM's CloudTrail system parser. +description: Configure a CloudTrail source to ingest log messages to be parsed by Cloud SIEM’s CloudTrail system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting AWS CloudTrail log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - Sumo Logic Cloud SIEM supports the default AWS CloudTrail log format which includes all version 2 fields. See [AWS CloudTrail log records documentation](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields) for more details. -## Step 1: Enable AWS CloudTrail logs - -In this step, you configure AWS CloudTrail logging in AWS as described -in AWS Help. - +To ingest AWS CloudTrail data into Cloud SIEM: 1. Unless you’ve already done so, [Configure CloudTrail in AWS](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-a-trail-using-the-console.html). 1. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For more information, see [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product/). - -## Step 2: Configure collection - -In this step, you configure an HTTP Source to collect AWS CloudTrail log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an AWS CloudTrail Source](#configure-an-aws-cloudtrail-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. 
- -### Configure a Hosted Collector - -1. To create a new hosted collector, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector).  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be AWS CloudTrail sources, add an additional field with key `_parser` and value */Parsers/System/AWS/CloudTrail*. - -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an AWS CloudTrail Source - -1. To configure a CloudTrail Source, see [Configure an AWS CloudTrail source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source). -1. Configure fields as shown below to forward CloudTrail logs to the Cloud SIEM platform. - 1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. - 1. Add another field named `_parser` with value */Parsers/System/AWS/CloudTrail*. -14. Click **Save**. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "CloudTrail" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records.
CloudTrail search +1. [Configure an AWS CloudTrail source](/docs/send-data/hosted-collectors/amazon-aws/aws-cloudtrail-source/#configure-an-aws-cloudtrail-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/AWS/CloudTrail*. This ensures that the CloudTrail logs are parsed and normalized into structured records in Cloud SIEM. +1. To verify that your logs are successfully making it into Cloud SIEM.  + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "CloudTrail" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records:
`_index=sec_record* and metadata_product = "CloudTrail"` diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md index b79fc01692..42d64e0b0a 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md @@ -1,80 +1,18 @@ --- id: aws-guardduty -title: AWS GuardDuty - Cloud SIEM +title: Ingest AWS GuardDuty Data into Cloud SIEM sidebar_label: AWS GuardDuty -description: Configure an HTTP source to ingest AWS GuardDuty log messages and send them to GuardDuty system parser. +description: Configure an HTTP source to ingest AWS GuardDuty log messages and send them to the GuardDuty system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting AWS GuardDuty log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure an HTTP Source to collect AWS GuardDuty log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be AWS VPC Flow sources, add an additional field with key `_parser` and value */Parsers/System/AWS/GuardDuty*. -1. Click **Save**. - -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an HTTP Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select **HTTP Logs & Metrics**.  -1. The page refreshes.
HTTP logs and metrics -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost`. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **SIEM Processing.** Click the checkbox to configure the source to forward log messages to Cloud SIEM. -1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, **+Add Field** named `_parser` with value `/Parsers/System/AWS/GuardDuty`. -12. **Advanced Options for Logs**. - 1. Specify **Format** as `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` - 1. Specify **Timestamp locator** as `.\*"updatedAt":"(.\*)".\*`
Timestamp format -13. Click **Save**. -14. Make a note of the **HTTP Source URL** that is displayed. You’ll supply it in [Step 2](#step-2deploy-sumo-logic-guardduty-events-processor) below. - -## Step 2: Deploy Sumo Logic GuardDuty events processor - -In this step, you deploy the events processor. This will create the AWS resources described in the [Collecting Logs for the Amazon GuardDuty App](/docs/integrations/amazon-aws/guardduty/#collecting-logs-for-the-amazon-guardduty-app) overview documentation. - -1. Go to https://serverlessrepo.aws.amazon.com/application. -1. Search for “sumologic-guardduty-events-processor”.
AWS repo -1. When the page for the Sumo app appears, click **Deploy**.
AWS deploy -1. In  the **Configure application parameters** popup, paste the URL for the HTTP source you created above.
Configure app parameters -1. Click **Deploy**. - -## Step 3: Configure optional environment variables - -1. Go to the AWS Lambda console. -1. Search for the `"aws-serverless-repository-CloudWatchEventFunction-"` function and click it. -1. Scroll down to the **Environment variables** section.
Environment variables - You can set any of the following optional variables: - * `ENCODING` (Optional). Encoding to use when decoding CloudWatch log events. Default is utf-8. - * `SOURCE_CATEGORY_OVERRIDE` (Optional). Override the `_sourceCategory` value configured for the HTTP source. - * `SOURCE_HOST_OVERRIDE` (Optional). Override the `_sourceHost` value configured for the HTTP source. - * `SOURCE_NAME_OVERRIDE` (Optional). Override the `_sourceName` value configured for the HTTP source. - -## Step 4: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "GuardDuty" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for GuardDuty security records..
GuardDuty search +To ingest AWS GuardDuty data into Cloud SIEM: +1. [Configure an HTTP source for GuardDuty](/docs/integrations/amazon-aws/guardduty/#step-1-configure-an-http-source) on a collector. When you configure the source, do the following: + 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/AWS/GuardDuty*. This ensures that the GuardDuty logs are parsed and normalized into structured records in Cloud SIEM. +1. [Deploy the Sumo Logic GuardDuty events processor](/docs/integrations/amazon-aws/guardduty/#step-2-deploy-sumo-guardduty-events-processor). +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "GuardDuty" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for GuardDuty security records:
`_index=sec_record* and metadata_product = "GuardDuty"` diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md index dee9863953..e317f85123 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md 
@@ -1,69 +1,20 @@ --- id: aws-network-firewall -title: AWS Network Firewall - Cloud SIEM +title: Ingest AWS Network Firewall Data into Cloud SIEM sidebar_label: AWS Network Firewall description: Configure collection and ingestion of AWS Network Firewall log messages from an S3 bucket to be parsed by Cloud SIEM's AWS Network Firewall system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting AWS Network Firewall log messages from AWS S3 and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Enable AWS Network Firewall logs - -1. Follow AWS instructions on [firewall log delivery](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html) for [S3](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html). -1. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For instructions see [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product/).   - -## Step 2: Configure collection - -In this step, you configure an HTTP Source to collect AWS Network Firewall messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an AWS S3 Source](#configure-an-aws-s3-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be AWS Network Firewall sources, add an additional field with key `_parser` and value `/Parsers/System/AWS/AWS Network Firewall`. - -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an AWS S3 Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.   -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select Amazon S3.  -1. The page refreshes.
S3 source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **S3 Region**. Choose the AWS Region the S3 bucket resides in. -1. **Bucket Name**. The name of your organizations S3 bucket as it appears in AWS. -1. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields**. - 1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. - 1. If you are not parsing all sources in the hosted collector with the same parser, add an additional field named `_parser` with value */Parsers/System/AWS/AWS Network Firewall*. -1. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Sumo Logic access to AWS (instructions are provided above in [Step 1](#step-1-enable-aws-network-firewall-logs)) is a prerequisite for role-based access. - - **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.
Role ARN - - **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details. -14. In the **Advanced Options for Logs** section, uncheck the **Detect messages spanning multiple lines** option. -15. Click **Save**. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "AWS Network Firewall " and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS Network Firewall security records.
AWS Firewall search - - -  +To ingest AWS Network Firewall data into Cloud SIEM: +1. Enable AWS Network Firewall logs: + 1. Follow AWS instructions on [firewall log delivery](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html) for [S3](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html). + 1. Before configuring collection, you need to grant Sumo Logic permission to access your AWS data. For instructions see [Grant Access to an AWS Product](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product/).   +1. [Create an Amazon S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS Network Firewall*. This ensures that the AWS Network Firewall logs are parsed and normalized into structured records in Cloud SIEM. +1. To verify that your logs are successfully making it into Cloud SIEM:  + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "AWS Network Firewall" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS Network Firewall security records:
`_index=sec_record* and metadata_vendor = "AWS" and metadata_product = "Network Firewall"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md index 6e501ecf2f..85f95e0028 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md 
@@ -1,75 +1,17 @@ --- id: aws-vpc-flow -title: AWS VPC Flow - Cloud SIEM +title: Ingest AWS VPC Flow Data into Cloud SIEM sidebar_label: AWS VPC Flow description: Configure collection and ingestion of VPC Flow logs from an S3 bucket to be parsed by Cloud SIEM's AWS VPC Flow system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting AWS VPC Flow log messages from AWS S3 and sending them to Sumo Logic to be ingested by Cloud SIEM. - -Sumo Logic Cloud SIEM supports the default AWS VPC Flow log format which includes all version 2 fields. See [AWS VPC flow log records documentation](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields) for more details. - -## Step 1: Enable AWS VPC Flow Logs - -In this step, you configure AWS VPC Flow logging in AWS as described in [AWS Help](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html). - -1. You can use an existing S3 bucket, or create a new one, as described in [Create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html) in AWS help. -1. Create flow logs for your VPCs, subnets, or network interfaces. For instructions, see [Creating a Flow Log that Publishes to Amazon S3](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-create-flow-log) in AWS help. -1. Confirm that logs are being delivered to the S3 bucket. Log files are saved to the bucket using following folder structure: `bucket_ARN/optional_folder/AWSLogs/aws_account_id/vpcflowlogs/region/year/month/day/log_file_name.log.gz` -1. Ensure permission is granted for an AWS Source and that [logging is enabled.](http://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-console.html) - -## Step 2: Configure Collection - -In this step, you configure an HTTP Source to collect AWS VPC Flow log messages. You can configure the source on an existing Hosted Collector or create a new collector. 
If you’re going to use an existing collector, jump to [Configure an AWS S3 Source](#configure-an-aws-s3-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a hosted collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be AWS VPC Flow sources, add an additional field with key `_parser` and value */Parsers/System/AWS/AWS VPC Flow*. - -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an AWS S3 Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.   -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select Amazon S3.  -1. The page refreshes.
S3 source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **S3 Region**. Choose the AWS Region the S3 bucket resides in. -1. **Bucket Name**. The name of your organizations S3 bucket as it appears in AWS -1. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields**. - 1. If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. - 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS VPC Flow*. -1. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Note that Sumo Logic access to AWS (instructions are provided above in [Step 1](#step-1-enable-aws-vpc-flow-logs))  is a prerequisite for role-based access. - * **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.
Role ARN - * **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details. -1. In the **Advanced Options for Logs** section, uncheck the **Detect messages spanning multiple lines** option. -1. In the **Processing Rules for Logs** section, add an **Exclude messages** **that match** processing rule to ignore the following file header lines: - `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status` -   -1. Click **Save**. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "AWS VPC Flow" and check the **Records** columns.  -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS VPC Flow security records. +To ingest AWS VPC Flow data into Cloud SIEM: +1. [Collect Amazon VPC Flow logs using an Amazon S3 source](/docs/integrations/amazon-aws/vpc-flow-logs/#collecting-amazon-vpc-flow-logs-using-an-amazon-s3-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/AWS/AWS VPC Flow*. This ensures that the AWS VPC Flow logs are parsed and normalized into structured records in Cloud SIEM. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "AWS VPC Flow" and check the **Records** columns.  + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS VPC Flow security records:
`_index=sec_record* and metadata_product = "VPC Flow"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md index 8b379f2c8a..ae44779cfe 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md @@ -1,80 +1,18 @@ --- id: carbon-black -title: Carbon Black Cloud - Cloud SIEM +title: Ingest Carbon Black Cloud Data into Cloud SIEM sidebar_label: Carbon Black Cloud description: Configure collection of Carbon Black Cloud logs messages from an S3 bucket to be parsed by Cloud SIEM's system parser for Carbon Black Cloud. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This page has instructions for collecting Carbon Black Cloud log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -VMware does NOT recommend setting up a Cloud-to-Cloud integration for Carbon Black Cloud and instead recommends collecting logs in an S3 bucket as an intermediary, as described below. - - -### Step 1: Configure collection - -In this step, you configure an AWS S3 Source to collect Carbon Black Cloud log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an AWS S3 Source below](#configure-an-aws-s3-source). Otherwise, create a new collector as described in Configure a hosted collector below, and then create the source on the collector. - - -#### Configure a hosted collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -2. Click **Add Collector**. -3. Click **Hosted Collector.** -4. The **Add Hosted Collector** popup appears.
Add Hosted Collector dialog -5. **Name**. Provide a Name for the Collector. -6. **Description**. (Optional) -7. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -8. **Fields**. - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is _true_. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 2. If all sources in this collector will be Carbon Black Cloud sources, add an additional field with key `_parser` and value _/Parsers/System/VMware/Carbon Black Cloud_. - - -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - - -#### Configure an AWS S3 Source - -If you have issues performing the steps below, see the [AWS S3 Source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source) topic for more information. - -The bucket you designate for Carbon Black Cloud data must be exclusively used for this data source. Note also that the Sumo Logic collector does not support collection of logs that are edited after being stored in S3 and prior to being polled for ingestion to the Sumo Logic core platform. - -1. [Grant Sumo Logic access](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product) to an Amazon S3 bucket. -2. [Enable logging in AWS](http://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-console.html) using the Amazon Console. -3. Confirm that logs are being delivered to the Amazon S3 bucket. -4. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -5. Navigate to the Hosted Collector where you want to create the source. -6. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -7. Select **Amazon S3**. -8. The page refreshes.
Add Hosted Collector dialog -9. **Name**. Enter a name for the source. -10. **Description**. (Optional) -11. **S3 Region**. Choose the AWS Region the S3 bucket resides in. -12. **Use AWS versioned APIs?** Leave the default, _Yes_. -13. **Bucket Name**. The name of your organization.s S3 bucket as it appears in AWS. -14. **Path Expression**. The path expression of the log file(s) in S3, can contain wildcards to include multiple log files. -15. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -16. **Fields**. - * If you are not forwarding all sources in the hosted collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is _true_. This will ensure all logs for this source are forwarded to Cloud SIEM. - * Add another field named `_parser` with value _/Parsers/System/VMware/Carbon Black Cloud_ -17. **AWS Access**. For AWS Access you have two Access Method options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred. Note that Sumo Logic access to AWS (instructions are provided above in [Step 1](#step-1-configure-collection)) is a prerequisite for role-based access - * **Role-based access**. Enter the Role ARN that was provided by AWS after creating the role.
Role ARN field - * **Key access**. Enter the Access Key ID and Secret Access Key. See [AWS Access Key ID](http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html#RequestWithSTS) and [AWS Secret Access Key](https://aws.amazon.com/iam/) for details. -18. **Log File Discovery**. These settings allow Sumo Logic to automatically collect logs from the specified S3 bucket when an Amazon SNS message is received (highly recommended). Alternatively, an automatic scan interval for new log files can be configured. -19. **Advanced Options for Logs.** For information about the optional advanced options you can configure, see [AWS S3 Source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source). -20. Click **Save**. - - -### Step 2: Configure Carbon Black Cloud - -In this step you configure Carbon Black Cloud to send log messages to an S3 bucket. For instructions, see [Data Forwarders](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-E8D33F72-BABB-4157-A908-D8BBDB5AF349.html) in VMware help. - - -### Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM. - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -2. On the **Log Mappings** tab search for Carbon Black Cloud and check the **Records** columns. -3. For a more granular look at the incoming records, you can also search Sumo Logic for Carbon Black Cloud records.
A Carbon Black query +To ingest Carbon Black Cloud data into Cloud SIEM: +1. [Configure an AWS S3 source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source/#create-an-amazons3-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/VMware/Carbon Black Cloud*. This ensures that the Carbon Black Cloud logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure Carbon Black Cloud to send log messages to the S3 bucket. For instructions, see [Data Forwarders](https://techdocs.broadcom.com/us/en/carbon-black/cloud/carbon-black-cloud/index/cbc-user-guide-tile/GUID-9620FAB7-FE70-45DE-9CAB-590FA358721F-en/GUID-E8D33F72-BABB-4157-A908-D8BBDB5AF349-en.html) in the Carbon Black Cloud documentation. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for Carbon Black Cloud and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search Sumo Logic for Carbon Black Cloud records:
`_index=sec_record* and metadata_product = "Carbon Black Cloud"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md index ca6def2349..339c9e20ba 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md @@ -1,66 +1,18 @@ --- id: check-point-firewall -title: Check Point Firewall - Cloud SIEM +title: Ingest Check Point Firewall Data into Cloud SIEM sidebar_label: Check Point Firewall description: Configure a syslog source to ingest Check Point Firewall log messages to be parsed by Cloud SIEM’s system parser for Check Point Firewall. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Check Point Firewall log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect Check Point Firewall log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Check Point/Check Point Firewall Syslog*. This will cause all sources on the collector to use the specified parser. - - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-check-point-firewall) below. -1. **Fields**.  - * If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - * If you *have not* configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Check Point/Check Point Firewall Syslog*.  -1. Click **Save**. - -## Step 2: Configure Check Point Firewall - -In this step you configure Check Point Firewall to send log messages to the Sumo Logic platform. Sumo Logic supports the default Syslog format from Check Point’s Log Exporter. For more information on Syslog forwarding see [Log Exporter - Check Point Log Export](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323) in Check Point help - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). 
In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "checkpoint" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Check Point Firewall security records.
Checkpoint search +To ingest Check Point Firewall data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Check Point/Check Point Firewall Syslog*. This ensures that the Check Point Firewall logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure Check Point Firewall to send log messages to the Sumo Logic platform. Sumo Logic supports the default Syslog format from Check Point’s Log Exporter. For more information on Syslog forwarding, see [Log Exporter - Check Point Log Export](https://support.checkpoint.com/results/sk/sk122323) in the Check Point documentation. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "checkpoint" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Check Point Firewall security records:
`_index=sec_record* and metadata_product = "checkpoint"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md index c76a3e8af8..3c3744d360 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md @@ -1,64 +1,18 @@ --- id: cisco-asa -title: Cisco ASA - Cloud SIEM +title: Ingest Cisco ASA Data into Cloud SIEM sidebar_label: Cisco ASA description: Configure a syslog source to ingest Cisco ASA log messages to be parsed by Cloud SIEM’s system parser for Cisco ASA. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Cisco ASA log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect Cisco ASA log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Cisco/Cisco ASA*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-cisco-asa) below. -1. **Fields**.  - * If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - * If you *have not* configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Cisco/Cisco ASA*.  -1. Click **Save**. - -## Step 2: Configure Cisco ASA - -To configure Cisco ASA logging, follow the instructions in the [ASA Syslog Configuration Example](https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html) topic in Cisco help. - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Cisco ASA" and check the **Records** columns. A list of mappers for Cisco ASA Syslog will appear and you can see if logs are coming in. -1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco ASA security records.
Cisco ASA search +To ingest Cisco ASA data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Cisco/Cisco ASA*. This ensures that the Cisco ASA logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure Cisco ASA logging as described in [Configure Adaptive Security Appliance (ASA) Syslog](https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html) in the Cisco documentation. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Cisco ASA" and check the **Records** columns. A list of mappers for Cisco ASA Syslog will appear and you can see if logs are coming in. + 1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco ASA security records:
`_index=sec_record* and metadata_product = "ASA"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md index cfcccf414c..f1198d674f 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md @@ -1,65 +1,18 @@ --- id: cisco-meraki -title: Cisco Meraki - Cloud SIEM +title: Ingest Cisco Meraki Data into Cloud SIEM sidebar_label: Cisco Meraki description: Configure a syslog source to ingest Cisco Meraki log messages to be parsed by Cloud SIEM’s system parser for Cisco Meraki. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Cisco Meraki log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect Cisco Meraki log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page. -1. Once the collector is installed, confirm it is available on the - **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Cisco/Cisco Meraki*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-cisco-meraki) below. -1. **Fields**.  - * If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - * If you *have not* configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Cisco/Cisco Meraki*.  -1. Click **Save**. - -## Step 2: Configure Cisco Meraki - -Configure logging for Cisco Meraki as described in [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration) in Cisco help. - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Cisco Meraki" and check the **Records** columns. A list of mappers for Cisco Meraki will appear and you can see if logs are coming in. -1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco Meraki security records.
Cisco Meraki search +To ingest Cisco Meraki data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Cisco/Cisco Meraki*. This ensures that the Cisco Meraki logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure logging for Cisco Meraki as described in [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration) in Cisco help. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Cisco Meraki" and check the **Records** columns. A list of mappers for Cisco Meraki will appear and you can see if logs are coming in. + 1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco Meraki security records:
`_index=sec_record* and metadata_product = "Meraki"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md index 0f4e8be796..f21afa6a3b 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md @@ -1,74 +1,25 @@ --- id: corelight-zeek -title: Corelight Zeek - Cloud SIEM +title: Ingest Corelight Zeek Data into Cloud SIEM sidebar_label: Corelight Zeek description: Configure a syslog source to ingest Corelight Zeek log messages and send them to the Cloud SIEM Corelight log mapper. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Corelight Zeek log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -These instructions are for Corelight Zeek logs sent as JSON over syslog. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect Corelight Zeek log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. -1. Click **Save**. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-corelight-zeek) below. -1. **Fields**. If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. -1. Click **Save**. - -## Step 2: Configure Corelight Zeek - -In this step you configure Zeek to send log messages to the Sumo Logic platform. For instructions, see [Corelight JSON Streaming documentation](https://github.com/corelight/json-streaming-logs). - -## Step 3: Cloud SIEM Ingest Configuration - -In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configure-collection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**. -1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**. -1. On the **Add Ingest Mapping** popup: - 1. **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector in [Step 1](#step-1-configure-collection).  - 1. **Format**. Enter *Bro/Zeek JSON*.   - 1. **Event ID**. *`{_path}`*.
Corelight edit mappings -1. Click **Create** to save the mapping. - -## Step 4: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Zeek" and check the **Records** columns. 
Corelight record volume -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records.
Corelight search +To ingest Corelight Zeek data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. In **Source Category**, enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it below. + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. +1. Configure a Sumo Logic ingest mapping in Cloud SIEM for the source category assigned to the source you configured above. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.  + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top Cloud SIEM menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**. + 1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**. + 1. On the **Add Ingest Mapping** popup: + 1. **Source Category**. Enter the category you assigned to the source above.  + 1. **Format**. Enter *Bro/Zeek JSON*.   + 1. **Event ID**. *`{_path}`*.
Corelight edit mappings + 1. Click **Save** to save the mapping. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top Cloud SIEM menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Zeek" and check the **Records** columns. 
Corelight record volume + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records:
`_index=sec_record* and metadata_product = "Zeek"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md index 2d19da005e..8ca356b3e2 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md @@ -1,74 +1,23 @@ --- id: fortigate-firewall -title: Fortigate Firewall - Cloud SIEM +title: Ingest Fortigate Firewall Data into Cloud SIEM sidebar_label: Fortigate Firewall description: Configure a syslog source to ingest Fortigate Firewall log messages to be parsed by Cloud SIEM’s system parser for Fortigate Firewall. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting FortiGate log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect FortiGate log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Fortinet/Fortigate/Fortigate-Syslog*. This will cause all sources on the collector to use the specified parser. +To ingest Fortigate Firewall data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Fortinet/Fortigate/Fortigate-Syslog*. This ensures that the Fortigate Firewall logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure forwarding to the the syslog source: + * If your FortiGate logs are aggregated by FortiAnalyzer, you can forward them to Sumo Logic  as described in [Configuring log forwarding](https://help.fortinet.com/fa/faz50hlp/56/5-6-1/FMG-FAZ/2400_System_Settings/1600_Log%20Forwarding/0400_Configuring.htm?Highlight=syslog) in FortiAnalyzer help. 
+ * If your FortiGate logs are not aggregated by FortiAnalyzer, you can forward them to Sumo Logic directly from FortiGate as described in [FortiOS documentation for syslog forwarding](https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/610676/configuring-multiple-fortianalyzers-or-syslog-servers-per-vdom). :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. + Cloud SIEM supports standard syslog, CEF, or JSON log formats from FortiGate. Different parsers are required for CEF and JSON format logs. ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-fortigate) below. -1. **Fields**.  - * If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - * If you *have not* configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Fortinet/Fortigate/Fortigate-Syslog*.  -1. Click **Save**. - -## Step 2: Configure FortiGate - -In this step, you configure forwarding to the the Syslog Source.  - -If your FortiGate logs are aggregated by  FortiAnalyzer, you can forward them to Sumo Logic  as described in [Configuring log forwarding](https://help.fortinet.com/fa/faz50hlp/56/5-6-1/FMG-FAZ/2400_System_Settings/1600_Log%20Forwarding/0400_Configuring.htm?Highlight=syslog) in FortiAnalyzer help. 
- -If your FortiGate logs are not aggregated by FortiAnalyzer, you can forward them to Sumo Logic directly from FortiGate as described in [FortiOS documentation for syslog forwarding](https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/610676/configuring-multiple-fortianalyzers-or-syslog-servers-per-vdom). - -Cloud SIEM supports standard syslog, CEF, or JSON log formats from FortiGate. - -:::note -Different parsers are required for CEF and JSON format logs. -::: - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "FortiGate" and check the **Records** columns. A list of mappers for FortiGate will appear and you can see if logs are coming in. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for FortiGate security records.
Fortigate search +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "FortiGate" and check the **Records** columns. A list of mappers for FortiGate will appear and you can see if logs are coming in. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for FortiGate security records:
`_index=sec_record* and metadata_product = "Fortigate"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md index b960ba0688..2aa53640e0 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md @@ -1,54 +1,17 @@ --- id: g-suite-alert-center -title: G Suite Alert Center - Cloud SIEM +title: Ingest G Suite Alert Center Data into Cloud SIEM sidebar_label: G Suite Alert Center description: Collect log messages from G Suite Alert Center to be parsed by Cloud SIEM's system parser for G Suite Alert Center. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -## Step 1: Configure collection - -In this step, you configure an HTTP Source to collect G Suite Alert Center log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source below.](#configure-an-http-source) Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be G Suite Alert Center, add an additional field with key `_parser` and value */Parsers/System/Google/G Suite Alert Center*. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -### Configure an HTTP Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Navigate to the Hosted Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to a Hosted Collector.
-1. Select **HTTP Logs & Metrics**. 
-1. The page refreshes.
HTTP source
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.`
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.
-1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/Google/G Suite Alert Center*.
-1. **Advanced Options for Logs**. Under **Timestamp Format**, select **Specify a format.**
- 1. **Format**. Enter `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`
- 1. **Timestamp locator**. Enter `\"createTime\":(.*),`
- 1. Click **Add.**
-1. Click **Save**.
-
-## Step 2: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for "G Suite Alert Center" and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for G Suite Alert Center security records.
GSuite search
+To ingest G Suite Alert Center data into Cloud SIEM:
+1. [Configure a Google Workspace Apps Audit source](/docs/integrations/google/workspace/collect-logs/#configure-google-workspace-apps-audit-sources) for Google Workspace Alert Center on a collector. When you configure the source, do the following:
+ 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/Google/G Suite Alert Center*. This ensures that the G Suite Alert Center logs are parsed and normalized into structured records in Cloud SIEM.
+1. To verify that your logs are successfully making it into Cloud SIEM:
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab search for "G Suite Alert Center" and check the **Records** columns.
+ 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for G Suite Alert Center security records:
`_index=sec_record* and metadata_product = "G Suite"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
index 28f2fe0238..df7c980377 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
@@ -1,41 +1,17 @@
---
id: google-workspace-apps-audit
-title: Google Workspace Apps Audit - Cloud SIEM
+title: Ingest Google Workspace Apps Audit Data into Cloud SIEM
sidebar_label: Google Workspace Apps Audit
description: Configure an Workspace Apps Audit Source to collect Google Workspace log messages to be parsed by Cloud SIEM's system parser for Google Workspace Audit.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-Google Workspace icon
-
-## Step 1: Configure collection
-
-In this step, you configure an Google Workspace Apps Audit Source to collect Google Workspace log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure Google Workspace Apps Audit Source](#configure-google-workspace-apps-audit-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the Google Workspace Apps Audit Source on the collector.
-
-### Configure a Hosted Collector
-
-1. To create a new hosted collector, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector).
-1. **Fields**. 
- 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- 1. If all sources in this collector will be Google Workspace Audit sources, add an additional field with key `_parser` and value */Parsers/System/Google/G Suite Audit*.
- :::note
- It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- :::
-
-### Configure Google Workspace Apps Audit Source
-
-1. 
To configure Google Workspace source, see [Configure a Google Workspace Apps Audit Source](/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source/#configuring-a-google-workspace-apps-auditsource).
-1. **Fields**.
- 1. If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*.
- 1. If you are not parsing all sources in the hosted collector with the same parser, **+Add Field** named `_parser` with value */Parsers/System/Google/G Suite Audit.*
-1. Sign in with Google. Click to give permission to Sumo Logic to set up watchpoints using the Google Workspace Apps Reports API. Click **Accept**.
-1. Click **Save**.
-
-## Step 2: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for "Google Workspace" and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records.
GSuite search
+To ingest Google Workspace Apps Audit data into Cloud SIEM:
+1. [Configure a Google Workspace Apps Audit source](/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source/#configuring-a-google-workspace-apps-auditsource) on a collector. When you configure the source, do the following:
+ 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Add another field named `_parser` with value */Parsers/System/Google/G Suite Audit*. This ensures that the Google Workspace Apps Audit logs are parsed and normalized into structured records in Cloud SIEM.
+1. To verify that your logs are successfully making it into Cloud SIEM: 
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab search for "Google Workspace" and check the **Records** columns.
+ 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records:
`_index=sec_record* and metadata_product = "G Suite"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/index.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/index.md
index 00800a163b..153c2a78bd 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/index.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/index.md
@@ -1,19 +1,24 @@
---
slug: /cse/ingestion/ingestion-sources-for-cloud-siem
-title: Ingestion Sources for Cloud SIEM
+title: Example Ingestion Sources for Cloud SIEM
description: Learn the sources available for ingesting data to Cloud SIEM.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This guide lists the sources available for ingesting data into Cloud SIEM. You can configure a variety of sources on [Installed Collectors](/docs/send-data/installed-collectors).
+This section shows examples of sources you can use to ingest data into Cloud SIEM. There are many sources you can use to ingest data into Cloud SIEM. The sources described in this section are just a few.
+
+:::tip
+The most common method to ingest data into Cloud SIEM is to install a Cloud-to-Cloud Integration Framework source and select the **Forward to SIEM** option in the configuration UI, or to click the **+Add Field** link and add a field whose name is `_siemForward` and value is *true*. Once you do that, add another field named `_parser` with value that points to the parser associated with that source type, for example, */Parsers/System/Cisco/Cisco ASA*. This ensures that the logs from that type of source are properly parsed and normalized into structured records in Cloud SIEM.
+
+For all available methods to ingest data into Cloud SIEM, see [Recommended methods to ingest data into Cloud SIEM](/docs/cse/ingestion/cse-ingestion-best-practices/#recommended-methods-to-ingest-data-into-cloud-siem).
+:::
-In this section, we'll introduce the following concepts:
- Auth0 thumbnail icon

Auth0 system parser

+ Auth0 thumbnail icon

Auth0

Configure an HTTP source to ingest Auth0 log messages and send them to Cloud SIEM’s Auth0 system parser.

@@ -167,12 +172,6 @@ In this section, we'll introduce the following concepts:

Configure a Syslog source to collect and send Symantec Proxy Secure Gateway (ProxySG) log messages to Cloud SIEM.

-
-
- Symantec Proxy Secure Gateway icon

Symantec Proxy Secure Gateway

-

Configure a syslog source to ingest Symantec Proxy Secure Gateway log messages to be parsed by Cloud SIEM.

-
-
ZScaler NSS icon

ZScaler NSS

diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
index 45e29bc9bc..d49f0dfef3 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
@@ -1,67 +1,21 @@
---
id: kemp-loadmaster
-title: Kemp LoadMaster - Cloud SIEM
+title: Ingest Kemp LoadMaster Data into Cloud SIEM
sidebar_label: Kemp LoadMaster
description: Configure a syslog source to ingest Kemp LoadMaster messages to be parsed by Cloud SIEM’s system parser for Kemp LoadMaster.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This section has instructions for collecting Kemp LoadMaster messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
-
-The Sumo Logic parser for Kemp LoadMaster logs primarily supports wafd (Web Application Firewall daemon) logging and various l4d (Layer 4 Load Balancing daemon) log messages. Other messages will parse, but a parser [local configuration](/docs/cse/schema/parser-editor/) might be required to actually extract all fields.  
-
-## Step 1: Configure collection
-
-In this step, you configure a Syslog Source to collect Kemp LoadMaster messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installer collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector.
-
-### Configure an Installed Collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Click **Add Collector**.
-1. Click **Installed Collector**.
-1. The **Add Installed Collector** popup appears.
-1. Download the appropriate collector for your operating system.
-1. Install the collector. Instructions for your preferred operating system and method of installation are available on the [Installed Collectors](/docs/send-data/installed-collectors) page.
-1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**.
-1. The **Edit Collector popup** appears.
Edit collector
-1. **Name**. Provide a name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. 
-1. **Fields**. 
- * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Kemp/Kemp LoadMaster Syslog*. This will cause all sources on the collector to use the specified parser.
- :::note
- It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- :::
-1. Click **Save**.
-
-### Configure a Syslog Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Navigate to the Installed Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to an Installed Collector.
-1. Select **Syslog**. 
-1. The page refreshes.
Syslog source
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page.
-1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port.
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in Step 2 below.
-1. **Fields**. 
- * If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*.
- * If you *have not* configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Kemp/Kemp LoadMaster Syslog*. 
-12. Click **Save**.
-
-## Step 2: Configure Kemp LoadMaster 
-
-Follow the instructions provided on the Kemp support site to [configure syslog logging](https://support.kemptechnologies.com/hc/en-us/articles/216491943-How-to-configure-the-LoadMaster-to-send-unexpected-reboot-event-logs-to-a-Syslog-Server).
-While the linked document only focuses on unexpected reboot logs, the process for enabling other log types is the same. General instructions to Configure forwarding to Syslog Source are available in Sumo Logic help.
-
-## Step 3: Verify Ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. 
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for "Kemp" and check the **Records** column. A list of mappers for Kemp will appear and you can see if logs are coming in. 
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Kemp security records.
Kemp search
+To ingest Kemp LoadMaster data into Cloud SIEM:
+1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following:
+ 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Add another field named `_parser` with value */Parsers/System/Kemp/Kemp LoadMaster Syslog*. This ensures that the Kemp LoadMaster logs are parsed and normalized into structured records in Cloud SIEM.
+ :::note
+ The Sumo Logic parser for Kemp LoadMaster logs primarily supports wafd (Web Application Firewall daemon) logging and various l4d (Layer 4 Load Balancing daemon) log messages. Other messages will parse, but a parser [local configuration](/docs/cse/schema/parser-editor/) might be required to actually extract all fields. 
+ :::
+1. Follow the instructions provided on the Kemp support site to [configure syslog logging](https://support.kemptechnologies.com/hc/en-us/articles/216491943-How-to-configure-the-LoadMaster-to-send-unexpected-reboot-event-logs-to-a-Syslog-Server). While this linked page only focuses on unexpected reboot logs, the process for enabling other log types is the same. See [Configure forwarding to a Syslog Source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-forwarding-to-a-syslogsource) for general instructions to configure forwarding to a syslog source.
+1. To verify that your logs are successfully making it into Cloud SIEM:
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab search for "Kemp" and check the **Records** column. A list of mappers for Kemp will appear and you can see if logs are coming in. 
+ 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Kemp security records:
`_index=sec_record* and metadata_product = "LoadMaster"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
index fb5296e0af..626c57a39c 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
@@ -1,91 +1,18 @@
---
id: linux-os-syslog
-title: Linux OS Syslog - Cloud SIEM
+title: Ingest Linux OS Syslog Data into Cloud SIEM
sidebar_label: Linux OS Syslog
description: Configure a syslog source to ingest Linux OS log messages to be parsed by Cloud SIEM’s system parser for Linux OS Syslog.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This section has instructions for collecting Linux OS Syslog log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
-
-Current distributions of Linux write logs using Rsyslog and Systemd-journal. Cloud SIEM currently supports Rsyslog and Systemd-journal logging in Linux.
-
-## Supported Linux distributions and processes
-
-Currently, support for Linux OS is limited to the following distributions of Linux:
-
-* Red Hat Enterprise Linux
-* Ubuntu
-* Amazon Linux
-
-Currently, support is limited to security-relevant processes, including:
-
-* cron
-* dhclient
-* gpasswd
-* groupadd
-* groupdel
-* groupmod
-* passwd
-* sshd
-* su
-* sudo
-* useradd
-* userdel
-* usermod
-* systemd
-* omiserver
-
-## Step 1: Configure collection
-
-In this step, you configure a Syslog Source to collect Linux OS log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector.
-
-### Configure an Installed Collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Click **Add Collector**.
-1. Click **Installed Collector**.
-1. The **Add Installed Collector** popup appears.
-1. Download the appropriate collector for your operating system.
-1. Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page.
-1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**.
-1. The **Edit Collector popup** appears.
Edit collector
-1. **Name**. Provide a Name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the
- source. The string that you supply will be saved in a metadata field
- called `_sourceCategory`. 
-1. **Fields**. 
- * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Linux/Linux OS Syslog*. This will cause all sources on the collector to use the specified parser. It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section
-1. Click **Save**.
-
-### Configure a Syslog Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Navigate to the Installed Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to an Installed Collector.
-1. Select **Syslog**. 
-1. The page refreshes.
Syslog source
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page.
-1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port.
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-linux-os) below.
-1. **Fields**. 
- * If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*.
- * If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Linux/Linux OS Syslog*. 
-1. Click **Save**.
-
-## Step 2: Configure Linux OS
-
-In this step, you configure forwarding to the the Syslog Source. Follow the instructions in the  Configure forwarding to Syslog Source section of the *Syslog Source* page. 
-
-## Step 3: Verify Ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for "Linux OS" and check the **Records** columns. A list of mappers for Linux OS Syslog will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Linux OS security records.
Search
+To ingest Linux OS data into Cloud SIEM:
+1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following:
+ 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Add another field named `_parser` with value */Parsers/System/Linux/Linux OS Syslog*. This ensures that the Linux OS logs are parsed and normalized into structured records in Cloud SIEM.
+1. Configure forwarding for the Linux OS to the the syslog source. See [Configure forwarding to a Syslog Source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-forwarding-to-a-syslogsource).
+1. To verify that your logs are successfully making it into Cloud SIEM:
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab search for "Linux OS" and check the **Records** columns. A list of mappers for Linux OS Syslog will appear and you can see if logs are coming in.
+ 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Linux OS security records:
`_index=sec_record* and metadata_product = "Linux OS Syslog"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
index cc660651f7..830b74c05b 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
@@ -1,46 +1,17 @@ --- id: microsoft-audit-office -title: Microsoft 365 Audit (Office 365 Audit) - Cloud SIEM +title: Ingest Microsoft 365 Audit Data into Cloud SIEM sidebar_label: Microsoft 365 Audit (Office 365 Audit) description: Configure collection of Microsoft 365 log messages to be parsed by Cloud SIEM's system parser for Microsoft 365.  --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This topic has instructions for collecting Microsoft 365 audit logs and sending them to Sumo Logic to be ingested by Cloud SIEM.  - -## Step 1: Configure Microsoft 365 - -Before configuring a Sumo Logic collector and source, ensure that the requirements described in the Microsoft Office 365 Audit Source topic have been met. To ensure you have the appropriate Microsoft permissions when configuring the source, that page suggests using Microsoft's Global Administrator role. Note that the permissions this role grants are only necessary to complete the configuration of the Microsoft 365 Audit Source, not for actual ingestion of logs. - -## Step 2: Configure collection - -In this step, you configure an Microsoft 365 Audit Source to collect Microsoft 365 log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure Microsoft 365 Audit Source](#configure-office-365-audit-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the Microsoft 365 Audit Source on the collector. - -### Configure a Hosted Collector - -1. To create a new hosted collector, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector). -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. 
This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be Microsoft 365 sources, add an additional field with key `_parser` and value */Parsers/System/Microsoft/Office 365.* - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -### Configure Office 365 Audit Source - - -1. To configure Microsoft office 365 audit source, see [Configure a Microsoft Office 365 Audit source](/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source/#configure-a-microsoft-office-365-audit-source).  -1. **Fields**. - 1. If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - 1. If you are not parsing all sources in the hosted collector with the same parser, click **+Add Field** and add a field named `_parser` with value */Parsers/System/Microsoft/Office 365*. -1. Sign in with Office 365. Click to give permission to Sumo Logic to collect Microsoft 365 logs. -1. Click **Save**. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for Office 365 and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Office 365 security records.
Office 365 audit search +To ingest Microsoft 365 Audit data into Cloud SIEM: +1. [Configure a Microsoft Office 365 Audit source](/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source/#configure-a-microsoft-office-365-audit-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Microsoft/Office 365*. This ensures that the Microsoft Office 365 Audit logs are parsed and normalized into structured records in Cloud SIEM. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for Office 365 and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Office 365 security records:
`_index=sec_record* and metadata_product = "Office 365"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
index 7e1dad5187..9b044aa333 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
@@ -1,58 +1,18 @@ --- id: microsoft-azure-activity-log -title: Microsoft Azure Activity Log - Cloud SIEM +title: Ingest Microsoft Azure Activity Log Data into Cloud SIEM sidebar_label: Microsoft Azure Activity Log description: Configure an HTTP Source to ingest Microsoft Azure Activity Log messages and to be parsered by Cloud SIEM's system parser for Azure Activity Log. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Azure Activity log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure an HTTP Source to collect Azure Activity log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector**. -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be Microsoft Azure sources, add an additional field with key `_parser` and value */Parsers/System/Microsoft/Microsoft Azure JSON*. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -### Configure an HTTP Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.  -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select **HTTP Logs & Metrics**.  -1. The page refreshes.
HTTP source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.` -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/Microsoft/Microsoft Azure JSON*. -1. **Advanced Options for Logs**. For information about the optional advance options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/). -1. Click **Save**. -1. Make a note of the HTTP Source URL that is displayed. You’ll supply it in [Step 2](#step-2-configure-azure-activity-log) below. - -## Step 2: Configure Azure Activity Log - -In this step you configure Azure Activity Log to send log messages to the Sumo Logic platform. For instructions, see steps for [Collecting Logs for the Azure Audit App from Event Hub](/docs/integrations/microsoft-azure/audit/#collecting-logs-for-the-azure-audit-app-from-event-hub). - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Azure" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Azure security records.
Azure activity log search +To ingest Microsoft Azure Activity Log data into Cloud SIEM: +1. [Configure an HTTP Logs and Metrics source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source) on a collector. When you configure the source, do the following: + 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/Microsoft/Microsoft Azure JSON*. This ensures that the Microsoft Azure Activity logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure Azure Activity Log to send log messages to the Sumo Logic platform. For instructions, see steps for [Collecting Logs for the Azure Audit App from Event Hub](/docs/integrations/microsoft-azure/audit/#collecting-logs-for-the-azure-audit-app-from-event-hub). +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Azure" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Azure security records:
`_index=sec_record* and metadata_product = "Azure"`
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
index debc880d8c..35921d1a61 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
@@ -1,65 +1,18 @@ --- id: microsoft-windows -title: Microsoft Windows - Cloud SIEM +title: Ingest Microsoft Windows Data into Cloud SIEM sidebar_label: Microsoft Windows description: Configure collection of Windows Event Log messages and send them to the Cloud SIEM Windows Event Log mapper. --- import useBaseUrl from '@docusaurus/useBaseUrl'; import CollBegin from '../../../reuse/collection-should-begin-note.md'; - -## Step 1: Configure collection -In this step, you configure a Local Windows Event Log Source to collect Microsoft Windows Event Log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Local Windows Event Log Source](#configure-a-local-windows-event-log-source) below. Otherwise, create a new collector as described in [Configure an Installed collector](#configure-an-installed-collector) below, and then create the Local Windows Event Log Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. For instructions for your preferred operating system and method of installation, see [Installed Collectors](/docs/send-data/installed-collectors). -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector** popup appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field link**, and add a field whose name is `_parser` with the value */Parsers/System/Microsoft/Windows-JSON*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -### Configure a Local Windows Event Log Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. Click **Add Source** next to the Installed Collector. -1. Select **Windows Event Log**.  -1. The page refreshes.
Windows event source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host**. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost`. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields**.  - 1. If you have *not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - 1. If you have *not* configured the Installed Collector to parse all sources in the collector with the same parser, click the +Add Field link, and add a field whose name is `_parser` with the value */Parsers/System/Microsoft/Windows-JSON*. -1. **Event Format**. Select **Collect using JSON format**. -1. **Windows Event Types**. Select the desired event types. You can also specify Custom Event Channels in the box below. -1. **Event Collection Level**. Select **Concise Message**. -1. **Security Identifier**. You **may** specify how you want the Security Identifier (SID) to appear in the log message, **Username Only** is the default option. -1. **Collection should begin**. Specify when you want the log collection to start. - :::note - - ::: -1. Click **Save**. - -## Step 2: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Windows" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Windows security records.
Windows search +To ingest Microsoft Windows data into Cloud SIEM: +1. [Configure a Local Windows Event Log Source](/docs/send-data/installed-collectors/sources/local-windows-event-log-source/) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Microsoft/Windows-JSON*. This ensures that the Microsoft Windows logs are parsed and normalized into structured records in Cloud SIEM. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Windows" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Windows security records:
`_index=sec_record* and metadata_product = "Windows"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
index f423d6c092..96ed53d8ef 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
@@ -1,69 +1,21 @@ --- id: nginx-access-logs -title: Nginx Access Logs - Cloud SIEM +title: Ingest Nginx Access Logs into Cloud SIEM sidebar_label: Nginx Access Logs description: Configure a syslog source to ingest Nginx Access log messages to be parsed by Cloud SIEM’s system parser for Nginx. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Nginx Access Log Syslog messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect Nginx Access Log messages. You can configure the source on an existing Installed Collector or create a new collector. - -The Sumo Logic parser for Nginx Access Log messages supports the default “combined” format defined in `/etc/nginx/nginx.conf` and will allow additional information to be appended to that format without causing parsing to fail. Note that appended fields in a custom format will not be parsed without local configurations being applied. Other than appended fields that have local configurations applied, changes you make to the default format itself are not supported by the Sumo Logic parser. - -If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. - -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the [Installed Collectors](/docs/send-data/installed-collectors) page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - * If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - * If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Nginx/Nginx Syslog*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in Step 2 below. -1. **Fields**.  - * If you *have not* configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - * If you *have not* configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Nginx/Nginx Syslog *.  -1. Click **Save**. - -## Step 2: Configure Nginx  - -Follow the Nginx [instructions](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/?_bt=569896217465&_bk=&_bm=&_bn=g&_bg=129938098486&gclid=Cj0KCQiAraSPBhDuARIsAM3Js4ofA0fdqQ-4JXfkhqJFoX7qjLl7hdHhuVe4CJsI1ESWUUdnekGV03saAuS9EALw_wcB) for configuring the access log. General instructions to Configure forwarding to Syslog Source are available in Sumo Logic help. - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Nginx" and check the **Records** columns. A list of mappers for Nginx will appear and you can see if logs are coming in. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Nginx security records.
Nginix search +To ingest Nginx Access Logs into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Nginx/Nginx Syslog*. This ensures that the Nginx Access Logs are parsed and normalized into structured records in Cloud SIEM. + :::note + The Sumo Logic parser for Nginx Access Log messages supports the default “combined” format defined in `/etc/nginx/nginx.conf` and will allow additional information to be appended to that format without causing parsing to fail. Note that appended fields in a custom format will not be parsed without local configurations being applied. Other than appended fields that have local configurations applied, changes you make to the default format itself are not supported by the Sumo Logic parser. + ::: +1. Follow the Nginx [instructions](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/?_bt=569896217465&_bk=&_bm=&_bn=g&_bg=129938098486&gclid=Cj0KCQiAraSPBhDuARIsAM3Js4ofA0fdqQ-4JXfkhqJFoX7qjLl7hdHhuVe4CJsI1ESWUUdnekGV03saAuS9EALw_wcB) for configuring the access log. See [Configure forwarding to a Syslog Source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-forwarding-to-a-syslogsource) for general instructions to configure forwarding to a syslog source. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Nginx" and check the **Records** columns. A list of mappers for Nginx will appear and you can see if logs are coming in. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Nginx security records:
`_index=sec_record* and metadata_product = "Nginx"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
index 446218b3db..7f78f97b82 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
@@ -1,37 +1,17 @@
 ---
 id: okta
-title: Okta - Cloud SIEM
+title: Ingest Okta Data into Cloud SIEM
 sidebar_label: Okta
 description: Configure an Okta source to ingest Okta log messages and send them to Cloud SIEM’s Okta system parser.
 ---
 import useBaseUrl from '@docusaurus/useBaseUrl';
-## Step 1: Configure collection
-
-In this step, you configure an Okta Source to collect Okta log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Create an Okta Source](#create-an-okta-source) below. Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the Okta Source on the collector.
-
-### Configure a Hosted Collector
-
-1. To configure a hosted collector, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector/#step-1-configure-hosted-collector).  
-1. **Fields**. 
- 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- 1. If all sources in this collector will be Okta sources, add an additional field with key `_parser` and value */Parsers/System/Okta/Okta*.
- :::note
- It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- :::
-
-### Create an Okta Source
-
-1. To create an Okta source, see [Okta Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/okta-source/).
-1. **SIEM Processing**. Click the checkbox to configure the source to forward log messages to Cloud SIEM.
-1. 
**Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/Okta/Okta*.
-1. Click **Save**. 
-
-## Step 2: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for Okta and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Okta security records.
Okta search
+To ingest Okta data into Cloud SIEM:
+1. [Configure an Okta source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/okta-source/#source-configuration) on a collector. When you configure the source, do the following:
+ 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Add another field named `_parser` with value */Parsers/System/Okta/Okta*. This ensures that the Okta logs are parsed and normalized into structured records in Cloud SIEM.
+1. To verify that your logs are successfully making it into Cloud SIEM:
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab search for Okta and check the **Records** columns.
+ 1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Okta security records:
`_index=sec_record* and metadata_product = "Okta"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
index 98f74cec9a..82d8e150f5 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
@@ -1,60 +1,19 @@
 ---
 id: onelogin
-title: OneLogin - Cloud SIEM
+title: Ingest OneLogin Data into Cloud SIEM
 sidebar_label: OneLogin
 description: Learn how to collect OneLogin log messages and send them to Sumo Logic to be ingested by Cloud SIEM.
 ---
 import useBaseUrl from '@docusaurus/useBaseUrl';
-This section has instructions for collecting OneLogin log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
-
-## Step 1: Configure collection
-
-In this step, you configure an HTTP Source to collect OneLogin log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector.
-
-### Configure a Hosted Collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Click **Add Collector**.
-1. Click **Hosted Collector.**
-1. The **Add Hosted Collector** popup appears.
Add hosted collector
-1. **Name**. Provide a Name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. 
-1. **Fields**. 
- 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- 1. If all sources in this collector will be OneLogin sources, add an additional field with key `_parser` and value */Parsers/System/OneLogin/OneLogin SSO JSON*.
- :::note
- It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- :::
-
-### Configure an HTTP Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic).
- In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Navigate to the Hosted Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to a Hosted Collector.
-1. Select **HTTP Logs & Metrics**. 
-1. The page refreshes.
HTTP source
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.`
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.
-1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/OneLogin/OneLogin SSO JSON*.
-1. **Advanced Options for Logs**. For information about the optional advance options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/).
-1. Click **Save**.
-1. Make a note of the **HTTP Source URL** that is displayed. You’ll supply it in [Step 2](#step-2-configure-onelogin) below.
-
-## Step 2: Configure OneLogin
-
-In this step you configure OneLogin to send log messages to the Sumo Logic platform. For instructions, see [Stream Real-Time OneLogin Event Data to SIEM (Webhooks)](https://onelogin.service-now.com/support?id=kb_article&sys_id=60de41ecdb1928d0ca1c400e0b961905&kb_category=00b6ad30db185340d5505eea4b9619ae) in
-the OneLogin knowledge base. You must use the SIEM (NDJSON) format. Use the **Sumo Logic HTTP Source URL** as the **Listener URL**, and a custom header is not needed.
-
-## Step 3: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for "OneLogin" and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for OneLogin security records.
OneLogin search
+To ingest OneLogin data into Cloud SIEM:
+1. [Configure an HTTP Logs and Metrics source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source) on a collector. When you configure the source, do the following:
+ 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/OneLogin/OneLogin SSO JSON*. This ensures that the OneLogin logs are parsed and normalized into structured records in Cloud SIEM.
+1. Configure OneLogin to send log messages to the Sumo Logic platform. For instructions, see [Streaming Real-Time OneLogin Event Data to SIEM Solutions](https://onelogin.service-now.com/support?id=kb_article&sys_id=60de41ecdb1928d0ca1c400e0b961905&kb_category=00b6ad30db185340d5505eea4b9619ae) in
+the OneLogin knowledge base. You must use the SIEM (NDJSON) format. Use the **Sumo Logic HTTP Source URL** as the **Listener URL**, and a custom header is not needed.
+1. To verify that your logs are successfully making it into Cloud SIEM:
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab search for "OneLogin" and check the **Records** columns.
+ 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for OneLogin security records:
`_index=sec_record* and metadata_product = "OneLogin"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
index 693253d7f2..ba775aa662 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
@@ -1,16 +1,13 @@
 ---
 id: osquery
-title: Osquery - Cloud SIEM
+title: Ingest Osquery Data into Cloud SIEM
 sidebar_label: Osquery
 description: Configure an HTTP source to ingest osquery log messages and send them to the osquery system parser.
 ---
 import useBaseUrl from '@docusaurus/useBaseUrl';
-This section has instructions for collecting [osquery](https://osquery.io/) log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
-
 Sumo Logic Cloud SIEM supports osquery logs sent in JSON format for the following log types:
-
 * Schedule results in Events format
 :::note
 Batch and Snapshot formats are not natively supported.
@@ -19,51 +16,12 @@ Sumo Logic Cloud SIEM supports osquery logs sent in JSON format for the followin
 * Anomaly Detection
 * File Integrity Monitoring
-## Configure collection
-
-In this step, you configure an HTTP Source to collect osquery log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure an HTTP Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the HTTP Source on the collector.
-
-### Configure a hosted collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Click **Add Collector**.
-1. Click **Hosted Collector**.
-1. The **Add Hosted Collector** popup appears.
Add hosted collector
-1. **Name**. Provide a Name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. 
-1. **Fields**. 
- 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- 1. If all sources in this collector will be osquery sources, add an additional field with key `_parser` and value */Parsers/System/Osquery/Osquery JSON*.
- :::note
- It is also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- :::
-
-### Configure an HTTP Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Navigate to the Hosted Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to a Hosted Collector.
-1. Select **HTTP Logs & Metrics**. 
-1. The page refreshes.
HTTP source
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Source Host**. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost`.
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.
-1. **SIEM Processing**. Click the checkbox to configure the source to forward log messages to Cloud SIEM.
-1. **Fields**. If you are not parsing all sources in the hosted collector with the same parser, **+Add Field** named `_parser` with the value `/Parsers/System/Osquery/Osquery JSON.`
-12. **Advanced Options for Logs**. For information about the optional advanced options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/).
-13. Click **Save**.
-14. Make a note of the HTTP Source URL that is displayed. You’ll supply it in when you configure osquery in the next section.
-
-## Configure an Osquery log profile
-
-In this step you configure osquery to send log messages to Sumo Logic core platform. For instructions, see [Logging osquery](https://osquery.readthedocs.io/en/stable/deployment/logging/) in osquery help.
-
-## Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab, search for *osquery* and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery records.
+To ingest osquery data into Cloud SIEM:
+1. [Configure an HTTP Logs and Metrics source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source) on a collector. When you configure the source, do the following:
+ 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/Osquery/Osquery JSON*. This ensures that the osquery logs are parsed and normalized into structured records in Cloud SIEM.
+1. Configure osquery to send log messages to Sumo Logic core platform. For instructions, see [Logging osquery](https://osquery.readthedocs.io/en/stable/deployment/logging/) in osquery help.
+1. To verify that your logs are successfully making it into Cloud SIEM:
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+ 1. On the **Log Mappings** tab, search for *osquery* and check the **Records** columns.
+ 1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery records:
`_index=sec_record* and metadata_product = "osquery"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
index 1f681e431b..7022ffca7d 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
@@ -1,121 +1,63 @@
 ---
 id: palo-alto-firewall
-title: Palo Alto Firewall - Cloud SIEM
+title: Ingest Palo Alto Firewall Data into Cloud SIEM
 sidebar_label: Palo Alto Firewall
 description: Configure collection of Palo Alto Firewall log messages to be parsed by Cloud SIEM's system parser for Palo Alto Firewall.
 ---
 import useBaseUrl from '@docusaurus/useBaseUrl';
-This section has instructions for collecting Palo Alto Firewall log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
-
-Sumo Logic Cloud SIEM supports the default comma separated value (CSV), as well as Common Event Format (CEF) logs from Palo Alto Firewalls running PAN OS 10.1 or greater. This guide provides steps for collecting CSV format logs.
-
-## Step 1: Configure collection
-
-In this step, you configure a Syslog Source to collect Palo Alto Firewall log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector.
-
-### Configure an Installed Collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.
-1. Click **Add Collector**.
-1. Click **Installed Collector**.
-1. The **Add Installed Collector** popup appears.
-1. Download the appropriate collector for your operating system.
-1. Install the collector. Instructions for your preferred operating system and method of installation are available on the [Installed Collectors](/docs/send-data/installed-collectors) page.
-1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**.
-1. The **Edit Collector popup** appears.
Edit collector
-1. **Name**. Provide a Name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. 
-1. **Fields**. 
- 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
- 1. If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Palo Alto/PAN Firewall CSV*. This will cause all sources on the collector to use the specified parser. It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section
-1. Click **Save**.
-
-### Configure a Syslog Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 
-1. Navigate to the Installed Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to an Installed Collector.
-1. Select **Syslog**. 
-1. The page refreshes.
Syslog source
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page.
-1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port.
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 3](#step-3-configure-palo-alto-firewall) below.
-1. **Fields**. 
- 1. If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*.
- 1. If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Palo Alto/PAN Firewall CSV*. 
-1. Click **Save**.
-
-## Step 2: Define destination for the logs
-
-In this step you create a server profile where you can define the log destination. This will be the host name, port and protocol (TLS) of the Sumo Logic Cloud Syslog source.
-
-To create a server profile specifying the log destination, do the following:
-
-1. Login to the Palo Alto Networks Web interface as an administrative user.
-2. Select **Device** tab > **Server Profiles** > **Syslog**.
-3. Click **Add** at the bottom of the screen and provide endpoint details and a profile name, such as `Sumo_Logs_Profile01`.
-4. 
In the Syslog Server Profile window, select the **Servers** tab and click **Add**.
-5. In the Servers window, specify the following information:
- * Name: `Sumo_CloudSyslog_EndPoint01`
- * Syslog Server: Internal IP of Collector
- * Transport: UDP
- * Port: Port from Collector Setup
- * Format: BSD
- * Facility: `LOG_USER`
-6. In the **Syslog Server Profile** window, select the **Custom Log Format** tab, and use the following custom formats for the following log types:
-
-[Config](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$before-change-detail,$after-change-detail,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$dg_id,$comment,$high_res_timestamp
-```
-
-[System](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$vsys,$eventid,$object,,,$module,$severity,$opaque,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$high_res_timestamp
-```
-
-[Threat](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,$vsys,$from,$to,$inbound_if,$outbound_if,$logset,,$sessionid,$repeatcnt,$sport,$dport,$natsport,$natdport,$flags,$proto,$action,$misc,$threatid,$category,$severity,$direction,$seqno,$actionflags,$srcloc,$dstloc,$contenttype,$pcap_id,$filedigest,$cloud,$url_idx,$user_agent,$filetype,$xff,$referer,$sender,$subject,$recipient,$reportid,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$src_uuid,$dst_uuid,$http_method,$tunnelid/$imsi,$monitortag/$imei,$parent_session_id,$parent_start_time,$tunnel,$thr_category,$contentver,$assoc_id,$ppid,$http_headers,$rule_uuid,$dynusergroup_name
-```
-
-[Traffic](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,$vsys,$from,$to,$inbound_if,$outbound_if,$logset,$sessionid,$repeatcnt,$sport,$dport,$natsport,$natdport$,flags,$proto,$action,$bytes,$bytes_sent,$bytes_received,$packets,$start,$elapsed,$category,$seqno,$actionflags,$srcloc,$dstloc,$pkts_sent,$pkts_received,$session_end_reason,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$action_source,$src_uuid,$dst_uuid,$tunnelid/$imsi,$monitortag/$imei,$parent_session_id,$parent_start_time,$tunnel,$assoc_id,$chunks,$chunks_sent,$chunks_received,$rule_uuid,$link_change_count,$policy_id,$link_switches,$sdwan_cluster,$sdwan_device_type,$sdwan_cluster_type,$sdwan_site,$dynusergroup_name
-```
-
-[Hip Match](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$srcuser,$vsys,$machinename,$os,$src,$matchname,$repeatcnt,$matchtype,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$vsys_id,$srcipv6,$hostid,$serialnumber,$mac,$high_res_timestamp
-```
-
-[UserID](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$vsys,$ip,$user,$datasourcename,$eventid,$repeatcnt,$timeout,$beginport,$endport,$datasource,$datasourcetype,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$vsys_id,$factortype,$factorcompletiontime,$factorno,,,$ugflags,$userbysource,$high_res_timestamp
-```
-
-[GlobalProtect](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields)
-```
-,$receive_time,$serial,$type,$subtype,,$time_generated,$vsys,$eventid,$stage,$auth_method,$tunnel_type,$srcuser,$srcregion,$machinename,$public_ip,$public_ipv6,$private_ip,$private_ipv6,$hostid,$serialnumber,$client_ver,$client_os,$client_os_ver,$repeatcnt,$reason,$error,$opaque,$status,$location,$login_duration,$connect_method,$error_code,$portal,$seqno,$actionflags
-```
-
-7. Click OK.
-8. Commit the changes.
-
-
-## Step 3: Configure Palo Alto Firewall
-
-In this step, you configure Palo Alto Firewall to send log messages to the Sumo Logic platform. Follow the Palo Alto documentation to [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/configure-log-forwarding). 
-
-## Step 4: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). 
In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** tab search for "Palo Alto" and check the **Records**.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Palo Alto Firewall security records.
Palo Alto Firewall search
+Sumo Logic Cloud SIEM supports the default comma separated value (CSV), as well as Common Event Format (CEF) logs from Palo Alto Firewalls running PAN OS 10.1 or greater. This article provides steps for collecting CSV format logs.
+
+To ingest Palo Alto Firewall data into Cloud SIEM:
+1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following:
+ 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ 1. Add another field named `_parser` with value */Parsers/System/Palo Alto/PAN Firewall CSV*. This ensures that the Palo Alto Firewall logs are parsed and normalized into structured records in Cloud SIEM.
+1. Create a server profile to define the log destination. The profile will contain the host name, port and protocol (TLS) of the Sumo Logic Cloud syslog source:
+ 1. Login to the Palo Alto Networks Web interface as an administrative user.
+ 1. Select **Device** tab > **Server Profiles** > **Syslog**.
+ 1. Click **Add** at the bottom of the screen and provide endpoint details and a profile name, such as `Sumo_Logs_Profile01`.
+ 1. In the Syslog Server Profile window, select the **Servers** tab and click **Add**.
+ 1. In the Servers window, specify the following information:
+ * Name: `Sumo_CloudSyslog_EndPoint01`
+ * Syslog Server: Internal IP of Collector
+ * Transport: UDP
+ * Port: Port from Collector Setup
+ * Format: BSD
+ * Facility: `LOG_USER`
+ 1. 
In the **Syslog Server Profile** window, select the **Custom Log Format** tab, and use the following custom formats for the following log types: + * [Config](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$before-change-detail,$after-change-detail,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$dg_id,$comment,$high_res_timestamp + ``` + * [System](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$vsys,$eventid,$object,,,$module,$severity,$opaque,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$high_res_timestamp + ``` + * [Threat](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,$vsys,$from,$to,$inbound_if,$outbound_if,$logset,,$sessionid,$repeatcnt,$sport,$dport,$natsport,$natdport,$flags,$proto,$action,$misc,$threatid,$category,$severity,$direction,$seqno,$actionflags,$srcloc,$dstloc,$contenttype,$pcap_id,$filedigest,$cloud,$url_idx,$user_agent,$filetype,$xff,$referer,$sender,$subject,$recipient,$reportid,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$src_uuid,$dst_uuid,$http_method,$tunnelid/$imsi,$monitortag/$imei,$parent_session_id,$parent_start_time,$tunnel,$thr_category,$contentver,$assoc_id,$ppid,$http_headers,$rule_uuid,$dynusergroup_name + ``` + * 
[Traffic](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,$vsys,$from,$to,$inbound_if,$outbound_if,$logset,$sessionid,$repeatcnt,$sport,$dport,$natsport,$natdport$,flags,$proto,$action,$bytes,$bytes_sent,$bytes_received,$packets,$start,$elapsed,$category,$seqno,$actionflags,$srcloc,$dstloc,$pkts_sent,$pkts_received,$session_end_reason,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$action_source,$src_uuid,$dst_uuid,$tunnelid/$imsi,$monitortag/$imei,$parent_session_id,$parent_start_time,$tunnel,$assoc_id,$chunks,$chunks_sent,$chunks_received,$rule_uuid,$link_change_count,$policy_id,$link_switches,$sdwan_cluster,$sdwan_device_type,$sdwan_cluster_type,$sdwan_site,$dynusergroup_name + ``` + * [Hip Match](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$srcuser,$vsys,$machinename,$os,$src,$matchname,$repeatcnt,$matchtype,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$vsys_id,$srcipv6,$hostid,$serialnumber,$mac,$high_res_timestamp + ``` + * [UserID](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$vsys,$ip,$user,$datasourcename,$eventid,$repeatcnt,$timeout,$beginport,$endport,$datasource,$datasourcetype,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$vsys_id,$factortype,$factorcompletiontime,$factorno,,,$ugflags,$userbysource,$high_res_timestamp + ``` + * 
[GlobalProtect](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields) + ``` + ,$receive_time,$serial,$type,$subtype,,$time_generated,$vsys,$eventid,$stage,$auth_method,$tunnel_type,$srcuser,$srcregion,$machinename,$public_ip,$public_ipv6,$private_ip,$private_ipv6,$hostid,$serialnumber,$client_ver,$client_os,$client_os_ver,$repeatcnt,$reason,$error,$opaque,$status,$location,$login_duration,$connect_method,$error_code,$portal,$seqno,$actionflags + ``` + 7. Click **OK**. + 8. Commit the changes. +1. Configure Palo Alto Firewall to send log messages to the Sumo Logic platform. Follow the Palo Alto documentation to [Configure Log Forwarding](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/configure-log-forwarding). +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Palo Alto" and check the **Records**. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Palo Alto Firewall security records:
`_index=sec_record* and metadata_vendor = "Palo Alto" and metadata_product = "Firewall"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
index ad28472efb..fefb84518d 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
@@ -1,64 +1,23 @@ --- id: sentinelone -title: SentinelOne - Cloud SIEM +title: Ingest SentinelOne Data into Cloud SIEM sidebar_label: SentinelOne description: Learn how to collect SentinelOne log messages and send them to Sumo Logic to be ingested by Cloud SIEM. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting SentinelOne log messages for CEF and Syslog ingest and sending them to Sumo Logic to be ingested by Cloud SIEM. +This article has instructions for collecting SentinelOne log messages for CEF and Syslog ingest and sending them to Sumo Logic to be ingested by Cloud SIEM. (To collect data such as activities, agents, and threats, use the [SentinelOne Mgmt API Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/sentinelone-mgmt-api-source/).) -To collect data such as activities, agents, and threats, use the [SentinelOne Mgmt API Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/sentinelone-mgmt-api-source/). - -## Step 1: Configure collection - -In this step, you configure a Cloud Syslog Source to collect SentinelOne log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Cloud Syslog Source](#configure-a-cloud-syslog-source) below. Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the Cloud Syslog Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be Sentinel One sources, add an additional field with key `_parser`; set the value to: - * */Parsers/System/SentinelOne/SentinelOne CEF* if your logs are in CEF format. - * */Parsers/System/SentinelOne/SentinelOne Syslog* if your logs are in Syslog format. - -### Configure a Cloud Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.  -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to the Hosted - Collector. -1. Select **Cloud Syslog**.  -1. The page refreshes.
Cloud syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host**. (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost`. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in Step 2 below. -1. **Fields**.  - 1. If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward `and value is *true*. - 1. If you have not configured the collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser`; set the value to: +To ingest SentinelOne data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. To ensure that the SentinelOne logs are parsed and normalized into structured records in Cloud SIEM, add another field whose name is `_parser` and set the value to: * */Parsers/System/SentinelOne/SentinelOne CEF* if your logs are in CEF format. * */Parsers/System/SentinelOne/SentinelOne Syslog* if your logs are in Syslog format. -1. Click **Save**. -1. Make a note of the **Token** and **Host** that are displayed. You’ll supply them in [Step 2](#step-2-configure-sentinelone) below. - -## Step 2: Configure SentinelOne - -In this step you configure SentinelOne to send log messages to the Sumo Logic platform. 
If you have a SentinelOne account, you can follow directions on the SentinelOne Support [knowledge base](https://support.sentinelone.com/hc/en-us/articles/360007044894-Syslog-Integration-with-Sumo-Logic), or the instructions in Step 2 of [Collecting Logs for SentinelOne](/docs/send-data/collect-from-other-data-sources/collect-logs-sentinelone/#step-2-configure-syslog-messages) topic. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "SentinelOne" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for SentinelOne security records.
SentinelOne search -   + 1. Make a note of the **Source Category**, **Token**, and **Host** for the syslog source. You’ll supply them in the next step. +1. Configure SentinelOne to send log messages to the Sumo Logic platform. If you have a SentinelOne account, you can follow directions on the SentinelOne Support [knowledge base](https://support.sentinelone.com/hc/en-us/articles/360007044894-Syslog-Integration-with-Sumo-Logic), or the instructions in [Step 2 of the *Collecting Logs for SentinelOne* article](/docs/send-data/collect-from-other-data-sources/collect-logs-sentinelone/#step-2-configure-syslog-messages). +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "SentinelOne" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for SentinelOne security records:
`_index=sec_record* and metadata_product = "SentinelOne"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md index 32dc91d527..74a18e954b 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md @@ -1,77 +1,33 @@ --- id: signal-sciences-waf -title: Signal Sciences WAF - Cloud SIEM +title: Ingest Signal Sciences WAF Data into Cloud SIEM sidebar_label: Signal Sciences WAF description: Lean how to collect Signal Sciences WAF log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Signal Sciences WAF log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure an HTTP Source to collect Signal Sciences WAF log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. Otherwise, create a new collector as described in [Configure a hosted collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields**. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. -:::note -It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. -::: - -### Configure an HTTP Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select **HTTP Logs & Metrics**.  -1. The page refreshes.
HTTP source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.` -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-signal-sciences-waf) below. -1. **SIEM Processing.** Click the checkbox to configure the source to forward log messages to Cloud SIEM. -1. **Advanced Options for Logs**. For information about the optional advance options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/). -1. Click **Save**. -1. Make a note of the HTTP Source URL that is displayed. You’ll supply it in [Step 2](#step-2-configure-signal-sciences-waf) below. - -## Step 2: Configure Signal Sciences WAF - -In this step you configure Signal Sciences WAF to send log messages to the Sumo Logic platform. - -1. Go to the **SigSci Site Tools > Integrations** in the **SigSci** dashboard. -1. Click **Add** for **Generic Webhook**. -1. Paste the HTTP Source URL from the previous step into the **Webhook URL** field and click **Add**. - -For more information on Generic Webhooks refer to the [Generic Webhooks](https://docs.fastly.com/signalsciences/integrations/generic-webhooks/) page in Fastly help. - -## Step 3: Cloud SIEM Ingest Configuration - -In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configurecollection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.  - -1. 
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**. -1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**. -1. On the **Add Ingest Mapping** popup: - * **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector in [Step 1](#step-1-configurecollection).  - * **Format**. Enter *JSON.* - * **Vendor**. Enter *SignalSciences*. - * **Product**. Enter *WAF*.  - * **Event ID**. Enter *.\** -1. Click **Create** to save the mapping. - -## Step 4: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** page search for "Signal Sciences" and check the **Records** columns.
Signal Sciences record volume -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Signal Sciences WAF security records. -   +To ingest Signal Sciences data into Cloud SIEM: +1. [Configure an HTTP Logs and Metrics source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source) on a collector. When you configure the source, do the following: + 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Make note of the **Source Category**. You'll supply it in a later step. + 1. After saving the source, click the **Show URL** link and make note of the HTTP source URL. You'll supply it in a later step. +1. Configure Signal Sciences WAF to send log messages to the Sumo Logic platform: + 1. Go to the **SigSci Site Tools > Integrations** in the **SigSci** dashboard. + 1. Click **Add** for **Generic Webhook**. + 1. Paste the HTTP source URL from the previous step into the **Webhook URL** field and click **Add**. + For more information on Generic Webhooks refer to the [Generic Webhooks](https://docs.fastly.com/signalsciences/integrations/generic-webhooks/) page in Fastly help. +1. Configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to the source. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.  + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**. + 1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**. + 1. On the **Add Ingest Mapping** popup: + * **Source Category**. Enter the category you assigned to the HTTP source you created earlier.  + * **Format**. Enter *JSON.* + * **Vendor**. Enter *SignalSciences*. + * **Product**. Enter *WAF*.  + * **Event ID**. Enter *.\** + 1. Click **Create** to save the mapping. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** page search for "Signal Sciences" and check the **Records** columns.
Signal Sciences record volume + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Signal Sciences WAF security records:
`_index=sec_record* and metadata_product = "Signal Sciences"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md index 0c05297f2f..c557a96bfe 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md @@ -1,13 +1,13 @@ --- id: symantec-proxy-secure-gateway-blue-coat-proxy -title: Symantec Proxy Secure Gateway (Blue Coat Proxy) - Cloud SIEM +title: Ingest Symantec Proxy Secure Gateway (Blue Coat Proxy) Data into Cloud SIEM sidebar_label: Symantec Proxy Secure Gateway - Blue Coat Proxy description: Learn how to configure a Syslog source to collect and send Symantec Proxy Secure Gateway (ProxySG) log messages to Sumo Logic to be ingested by Cloud SIEM. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Symantec Proxy Secure Gateway (ProxySG) log messages as comma-separated values (CSV) and sending them to Sumo Logic to be ingested by Cloud SIEM. While this document shows how to configure and ingest logs as CSV, Cloud SIEM also supports Common Event Format (CEF) ProxySG logs. +This article has instructions for collecting Symantec Proxy Secure Gateway (ProxySG) log messages as comma-separated values (CSV) and sending them to Sumo Logic to be ingested by Cloud SIEM. While this article shows how to configure and ingest logs as CSV, Cloud SIEM also supports Common Event Format (CEF) ProxySG logs. Sumo Logic Cloud SIEM supports the following Proxy Secure Gateway logging fields: 
@@ -15,58 +15,14 @@ Sumo Logic Cloud SIEM supports the following Proxy Secure Gateway logging fields dt,time,c-ip,cs-username,x-exception-id,sc-filter-result,cs-categories,cs-referer,sc-status,proxy_cache_code,cs-method,cs-content-type,cs-protocol,cs-host,cs-uri-port,c-uri,cs-uri-query,cs-uri-extension,cs-user-agent,s-ip,sc-bytes,cs-bytes,x-bluecoat-access-type,x-bluecoat-application-name,r-ip ``` -Cloud SIEM supports collection either from a file or over syslog. Instructions for syslog are included in this document. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect ProxySG log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the [Installed Collectors](/docs/send-data/installed-collectors) page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Blue Coat/Blue Coat ProxySG CSV*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-symantec-proxy-secure-gateway) below. -1. **Fields**.  - 1. If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - 1. If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Blue Coat/Blue Coat ProxySG CSV*.  -1. Click **Save**. - -## Step 2: Configure Symantec Proxy Secure Gateway - -In this step, you configure ProxySG to forward access logs to the the Syslog Source. For instructions, see [Sending Access Logs to a Syslog server](https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html) on the Broadcom knowledge site.  - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG will appear and you can see if logs are coming in. -1. For a more granular look at the incoming records, you can also search Sumo Logic for ProxySG records.
ProxySG search +Cloud SIEM supports collection either from a file or over syslog. Instructions for syslog are included in this article. + +To ingest Symantec Proxy Secure Gateway data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Blue Coat/Blue Coat ProxySG CSV*. This ensures that the Symantec Proxy Secure Gateway (Blue Coat Proxy) logs are parsed and normalized into structured records in Cloud SIEM. +1. Configure ProxySG to forward access logs to the the syslog source. For instructions, see [Sending Access Logs to a Syslog Server](https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html) on the Broadcom knowledge site.  +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG will appear and you can see if logs are coming in. + 1. For a more granular look at the incoming records, you can also search Sumo Logic for ProxySG records:
`_index=sec_record* and metadata_product = "Proxy Secure Gateway"`
\ No newline at end of file
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
deleted file mode 100644
index 6b41f12e93..0000000000
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -id: symantec-proxy-secure-gateway -title: Symantec Proxy Secure Gateway - Cloud SIEM -sidebar_label: Symantec Proxy Secure Gateway -description: Configure a syslog source to ingest Symantec Proxy Secure Gateway log messages to be parsed by Cloud SIEM’s system parser for Symantec Proxy Secure Gateway. ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -This section has instructions for collecting Symantec Proxy Secure Gateway (ProxySG) log messages as comma separated values (CSV) and sending them to Sumo Logic to be ingested by Cloud SIEM. While this document shows how to configure and ingest logs as CSV, Cloud SIEM also supports Common Event Format (CEF) ProxySG logs. - -Cloud SIEM supports collection either from a file or using syslog. Instructions for syslog are included in this document. - -## Supported fields - -Sumo Logic Cloud SIEM supports the following Proxy Secure Gateway logging -fields: - -``` -dt,time,c-ip,cs-username,x-exception-id,sc-filter-result,cs-categories,cs-referer,sc-status,proxy_cache_code,cs-method,cs-content-type,cs-protocol,cs-host,cs-uri-port,c-uri,cs-uri-query,cs-uri-extension,cs-user-agent,s-ip,sc-bytes,cs-bytes,x-bluecoat-access-type,x-bluecoat-application-name,r-ip -``` - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect ProxySG log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the [Installed Collectors](/docs/send-data/installed-collectors) page. -1. Once the collector is installed, confirm it is available on the - **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Blue Coat/Blue Coat ProxySG CSV*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.  -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configure-symantec-proxy-secure-gateway) below. -1. **Fields**.  - * If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - * If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Blue Coat/Blue Coat ProxySG CSV*.  -1. Click **Save**. - -## Step 2: Configure Symantec Proxy Secure Gateway - -Instructions for sending access logs to a syslog server are available on the [Broadcom knowledge site](https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html). - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG Syslog will appear and you can see if logs are coming in. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Proxy Secure Gateway security records.
PSG search diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md index 2bcc71b931..dd35975a61 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md @@ -1,65 +1,19 @@ --- id: zscaler-nss -title: ZScaler NSS - Cloud SIEM +title: Ingest ZScaler NSS Data into Cloud SIEM sidebar_label: ZScaler NSS description: Configure collection of ZScaler NSS log messages to be parsed by Cloud SIEM's system parser for ZScaler NSS. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting ZScaler NSS log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -## Step 1: Configure collection - -In this step, you configure a Syslog Source to collect ZScaler NSS log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector. - -### Configure an Installed Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Installed Collector**. -1. The **Add Installed Collector** popup appears. -1. Download the appropriate collector for your operating system. -1. Install the collector. Instructions for your preferred operating system and method of installation are available on the [Installed Collectors](/docs/send-data/installed-collectors) page. -1. Once the collector is installed, confirm it is available on the **Collection** page and select **Edit**. -1. The **Edit Collector popup** appears.
Edit collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF*. This will cause all sources on the collector to use the specified parser. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: -1. Click **Save**. - -### Configure a Syslog Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Installed Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to an Installed Collector. -1. Select **Syslog**.  -1. The page refreshes.
Syslog source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Protocol**. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more - information, see [Choosing TCP or UDP](/docs/send-data/installed-collectors/sources/syslog-source#choosing-tcp-or-udp) on the *Syslog Source* page. -1. **Port**. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port. -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. Make a note of the source category. You’ll supply it in [Step 2](#step-2-configurezscaler-nss) below. -1. **Fields**.  - 1. If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. - 1. If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with the value */Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF.*  -1. Click **Save**. - -## Step 2: Configure ZScaler NSS - -In this step, you configure ZScaler NSS to send log messages to the Sumo Logic platform. Follow the instructions in the Connect the Zscaler NSS Feed to Sumo Logic section of the *Collect Logs for the Zscaler Web Security App* topic. For more information on configuring ZScaler NSS, see [About NSS Feeds](https://help.zscaler.com/zia/about-nss-feeds) in ZScaler help. - -## Step 3: Verify Ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). 
In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "Nanolog Streaming Service" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for ZScaler NSS security records.
Zscaler NSS search +To ingest ZScaler NSS data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value */Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF*. This ensures that the ZScaler NSS Data logs are parsed and normalized into structured records in Cloud SIEM. + 1. After saving the source, click the **Show URL** link and make note of the HTTP source URL. You'll supply it in the next step. +1. Configure ZScaler NSS to send log messages to the Sumo Logic platform by following the instructions in [Configure Zscaler Cloud NSS](/docs/integrations/security-threat-detection/zscaler-internet-access/#step-2-configure-zscaler-cloud-nss). For more information on configuring ZScaler NSS, see [About NSS Feeds](https://help.zscaler.com/zia/about-nss-feeds) in ZScaler help. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "Nanolog Streaming Service" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for ZScaler NSS security records:
`_index=sec_record* and metadata_product = "NSS"` \ No newline at end of file diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md index d1b0b784f3..1149e72338 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md @@ -1,61 +1,19 @@ --- id: zscaler-private-access -title: Zscaler Private Access - Cloud SIEM +title: Ingest Zscaler Private Access Data into Cloud SIEM sidebar_label: Zscaler Private Access description: Configure an HTTP source to ingest Zscaler Private Access log messages and send them to Cloud SIEM’s Zscaler Private Access system parser. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -This section has instructions for collecting Zscaler Private Access (ZPA) log messages and sending them to Sumo Logic to be ingested by Cloud SIEM. - -Sumo Logic Cloud SIEM supports ZPA logs sent as JSON. - -## Step 1: Configure Sumo Logic core platform collection - -In this step, you configure an HTTP Source to collect Zscaler Private Access log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. -Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector. - -### Configure a Hosted Collector - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
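Review bot: The new step 1 tells the reader to configure a Syslog source and then to click **Show URL** and note the HTTP source URL, but a Syslog source has no HTTP URL; that sub-step belongs to an HTTP Logs & Metrics source. Step 2 now links to "Configure Zscaler Cloud NSS", which suggests the feed is delivered over HTTPS, so the step 1 link should probably point at the HTTP source instructions (as the ZPA and GuardDuty pages in this commit do); if a Syslog source really is intended, the `Show URL` sub-step should be removed instead. Whichever source type is kept, the `_siemForward`/`_parser` sub-steps still apply; a mismatch here means the feed never arrives and the **Log Mappings** check in step 3 shows no records.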
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Click **Add Collector**. -1. Click **Hosted Collector.** -1. The **Add Hosted Collector** popup appears.
Add hosted collector -1. **Name**. Provide a Name for the Collector. -1. **Description**. (Optional) -1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.  -1. **Fields**.  - 1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - 1. If all sources in this collector will be Zscaler Private Access sources, add an additional field with key `_parser` and value */Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON*. - :::note - It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section. - ::: - -### Configure an HTTP Source - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. -1. Navigate to the Hosted Collector where you want to create the source. -1. On the **Collectors** page, click **Add Source** next to a Hosted Collector. -1. Select **HTTP Logs & Metrics**.  -1. The page refreshes.
HTTP source -1. **Name**. Enter a name for the source.  -1. **Description**. (Optional)  -1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.` -1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. -1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON*. -1. **Advanced Options for Logs**. For information about the optional advance options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/). -1. Click **Save**. -1. Make a note of the HTTP Source URL that is displayed. You’ll supply it in [Step 2](#step-2-configure-zscaler-private-access) below. - -## Step 2: Configure Zscaler Private Access - -In this step you configure Zscaler Private Access to send log messages to Sumo Logic core platform. For instructions, see [Configuring a Log Receiver](https://help.zscaler.com/zpa/configuring-log-receiver) in ZPA Help. - -## Step 3: Verify ingestion - -In this step, you verify that your logs are successfully making it into Cloud SIEM.  - -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. -1. On the **Log Mappings** tab search for "ZPA" and check the **Records** columns. -1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for "ZPA" security records.
Zscaler search +To ingest Zscaler Private Access data into Cloud SIEM: +1. [Configure a Syslog source](/docs/send-data/installed-collectors/sources/syslog-source/#configure-a-syslog-source) on a collector. When you configure the source, do the following: + 1. Click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + 1. Add another field named `_parser` with value *Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSONF*. This ensures that the Zscaler Private Access logs are parsed and normalized into structured records in Cloud SIEM. + 1. After saving the source, click the **Show URL** link and make note of the HTTP source URL. You'll supply it in the next step. +1. Configure Zscaler Private Access to send log messages to Sumo Logic core platform. For instructions, see [Configuring a Log Receiver](https://help.zscaler.com/zpa/configuring-log-receiver) in ZPA Help. +1. To verify that your logs are successfully making it into Cloud SIEM: + 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. + 1. On the **Log Mappings** tab search for "ZPA" and check the **Records** columns. + 1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for "ZPA" security records:
`_index=sec_record* and metadata_product = "ZPA"` \ No newline at end of file diff --git a/docs/integrations/amazon-aws/guardduty.md b/docs/integrations/amazon-aws/guardduty.md index bb9281f975..12f270a568 100644 --- a/docs/integrations/amazon-aws/guardduty.md +++ b/docs/integrations/amazon-aws/guardduty.md @@ -190,9 +190,11 @@ This configuration is defined in a [AWS Serverless Application Model (SAM) speci ### Step 1: Configure an HTTP source 1. In Sumo Logic, configure a [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector). -2. In Sumo Logic, configure an [HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics). When you configure the source, in the **Advanced Options for Logs** section of the page: - * Specify **Format** as `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` - * Specify **Timestamp locator** as `.*"updatedAt":"(.*)".*` +2. In Sumo Logic, configure an [HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics). When you configure the source: + * Select **Forward to SIEM** if you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM. If you select **Forward to SIEM**, also click the **+Add** link and add a field whose name is `_parser` with value */Parsers/System/AWS/GuardDuty*. + * In the **Advanced Options for Logs** section of the page: + * Specify **Format** as `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` + * Specify **Timestamp locator** as `.*"updatedAt":"(.*)".*` When you configure the HTTP Source, make a note of the HTTP Source Address URL. You will need it in the next step. diff --git a/docs/integrations/amazon-aws/vpc-flow-logs.md b/docs/integrations/amazon-aws/vpc-flow-logs.md index 11ef3e8cbc..ca8266e9ca 100644 --- a/docs/integrations/amazon-aws/vpc-flow-logs.md +++ b/docs/integrations/amazon-aws/vpc-flow-logs.md 
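Review bot: The `_parser` value in the new step 1 is wrong: it drops the leading slash and appends an `F` (`Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSONF`), whereas the removed lines in this hunk use `/Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON`. A reader who copies the new value gets a source whose logs are forwarded but never parsed, so no ZPA records appear in Cloud SIEM and the verification step finds nothing; restore `*/Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON*`. Separately, the step says to configure a Syslog source while the page description (a context line in this hunk) and the **Show URL** sub-step refer to an HTTP source; the removed text configured an HTTP Source on a Hosted Collector and the Log Receiver in step 2 needs that URL, so the link should point at the HTTP Logs & Metrics source instructions.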
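Review bot: The new bullet says to click the **+Add** link while the VPC Flow Logs note added in this same commit, and the Cloud SIEM ingestion pages, call the same control the **+Add Field** link; use one label. The `_parser` value is italicised here (`*/Parsers/System/AWS/GuardDuty*`) but set in code formatting in the VPC Flow Logs hunk (`` `/Parsers/System/AWS/AWS VPC Flow` ``); pick one style, and backticks are the safer choice for a path a reader is expected to paste verbatim, since the surrounding asterisks cannot be mistaken for part of the value.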
@@ -154,6 +154,11 @@ This section has instructions for collecting Amazon VPC Flow Logs using an Amazo 4. Add an [AWS Source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source) for the S3 Source to Sumo Logic. When you configure the S3 source: 1. In the **Advanced Options for Logs** section, uncheck the **Detect messages spanning multiple lines** option. 2. In the **Processing Rules for Logs** section, add an **Exclude messages that match** processing rule to ignore the following file header lines: `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`. + :::note + If you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM: + * Click the **+Add Field** link and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM. + * Also add another field named `_parser` and enter the value `/Parsers/System/AWS/AWS VPC Flow`. + ::: ## Field Extraction Rule(s) for VPC Flow logs diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index 58f97472f7..39c4e48cc8 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -155,7 +155,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [CIRCL](http://www.circle.lu) | Automation integration: [CIRCL CVE Search](/docs/platform-services/automation-service/app-central/integrations/circl-cve-search/)
Cloud SIEM integration: [PassiveDns](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/ab6459e5-53ac-4791-845f-0f7b861a8f4c.md) | | Thumbnail icon | [CircleCI](https://circleci.com/) | Partner integration: [CircleCI](https://circleci.com/docs/sumo-logic-integration/) | | Thumbnail icon | [CIS Benchmarks for AWS](https://aws.amazon.com/what-is/cis-benchmarks/) | App: [CIS AWS Foundations Benchmark](/docs/integrations/amazon-aws/cis-aws-foundations-benchmark/) | -| Thumbnail icon | [Cisco](https://www.cisco.com/) | Apps:
- [Cisco AMP](/docs/integrations/saas-cloud/cisco-amp/)
- [Cisco Meraki](/docs/integrations/security-threat-detection/cisco-meraki/)
- [Cisco Meraki - C2C](/docs/integrations/saas-cloud/cisco-meraki-c2c/)
- [Cisco Umbrella](/docs/integrations/saas-cloud/cisco-umbrella/)
- [Cisco Vulnerability Management](/docs/integrations/saas-cloud/cisco-vulnerability-management/)
- [Webex](/docs/integrations/saas-cloud/webex)
Automation integrations:
- [Armorblox](/docs/platform-services/automation-service/app-central/integrations/armorblox/)
- [Cisco AMP for Endpoints](/docs/platform-services/automation-service/app-central/integrations/cisco-amp-for-endpoints/)
- [Cisco Cyber Vision](/docs/platform-services/automation-service/app-central/integrations/cisco-cyber-vision/)
- [Cisco ESA](/docs/platform-services/automation-service/app-central/integrations/cisco-esa/)
- [Cisco IOS XE](/docs/platform-services/automation-service/app-central/integrations/cisco-ios-xe/)
- [Cisco ISE](/docs/platform-services/automation-service/app-central/integrations/cisco-ise/)
- [Cisco Meraki](/docs/platform-services/automation-service/app-central/integrations/cisco-meraki/)
- [Cisco Stealthwatch](/docs/platform-services/automation-service/app-central/integrations/cisco-stealthwatch/)
- [Cisco Threat Grid](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-grid/)
- [Cisco Threat Response](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-response/)
- [Cisco Umbrella Investigate](/docs/platform-services/automation-service/app-central/integrations/cisco-umbrella-investigate/)
- [Cisco Webex](/docs/platform-services/automation-service/app-central/integrations/cisco-webex/)
- [Snort](/docs/platform-services/automation-service/app-central/integrations/snort/)
Cloud SIEM integration: [Cisco Systems](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e2d55f62-8ebb-4d00-b2f9-b55d1fa642bb.md)
Collectors:
- [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/)
- [Cisco Meraki Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-meraki-source/)
- [Cisco Vulnerability Management Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source/)
- [Webex Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/webex-source/)
Community app: [Sumo Logic for Cisco Sourcefire](https://github.com/SumoLogic/sumologic-content/tree/master/Cisco/Sourcefire) | +| Thumbnail icon | [Cisco](https://www.cisco.com/) | Apps:
- [Cisco AMP](/docs/integrations/saas-cloud/cisco-amp/)
- [Cisco ASA](/docs/integrations/security-threat-detection/cisco-asa/)
- [Cisco Meraki](/docs/integrations/security-threat-detection/cisco-meraki/)
- [Cisco Meraki - C2C](/docs/integrations/saas-cloud/cisco-meraki-c2c/)
- [Cisco Umbrella](/docs/integrations/saas-cloud/cisco-umbrella/)
- [Cisco Vulnerability Management](/docs/integrations/saas-cloud/cisco-vulnerability-management/)
- [Webex](/docs/integrations/saas-cloud/webex)
Automation integrations:
- [Armorblox](/docs/platform-services/automation-service/app-central/integrations/armorblox/)
- [Cisco AMP for Endpoints](/docs/platform-services/automation-service/app-central/integrations/cisco-amp-for-endpoints/)
- [Cisco Cyber Vision](/docs/platform-services/automation-service/app-central/integrations/cisco-cyber-vision/)
- [Cisco ASA](/docs/platform-services/automation-service/app-central/integrations/cisco-asa/)
- [Cisco ESA](/docs/platform-services/automation-service/app-central/integrations/cisco-esa/)
- [Cisco IOS XE](/docs/platform-services/automation-service/app-central/integrations/cisco-ios-xe/)
- [Cisco ISE](/docs/platform-services/automation-service/app-central/integrations/cisco-ise/)
- [Cisco Meraki](/docs/platform-services/automation-service/app-central/integrations/cisco-meraki/)
- [Cisco Stealthwatch](/docs/platform-services/automation-service/app-central/integrations/cisco-stealthwatch/)
- [Cisco Threat Grid](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-grid/)
- [Cisco Threat Response](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-response/)
- [Cisco Umbrella Investigate](/docs/platform-services/automation-service/app-central/integrations/cisco-umbrella-investigate/)
- [Cisco Webex](/docs/platform-services/automation-service/app-central/integrations/cisco-webex/)
- [Snort](/docs/platform-services/automation-service/app-central/integrations/snort/)
Cloud SIEM integration: [Cisco Systems](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e2d55f62-8ebb-4d00-b2f9-b55d1fa642bb.md)
Collectors:
- [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/)
- [Cisco Meraki Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-meraki-source/)
- [Cisco Vulnerability Management Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source/)
- [Webex Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/webex-source/)
Community app: [Sumo Logic for Cisco Sourcefire](https://github.com/SumoLogic/sumologic-content/tree/master/Cisco/Sourcefire) |
| Thumbnail icon | [Citrix](https://www.citrix.com/) | App: [Citrix Cloud](/docs/integrations/saas-cloud/citrix-cloud/)
Cloud SIEM integration: [Citrix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/f3d0223a-78a7-42f6-93cc-3bcd15569a5b.md)
Collector: [Citrix Cloud Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/citrix-cloud-source/)
Community apps:
- [Sumo Logic for Citrix Netscaler VPN](https://github.com/SumoLogic/sumologic-content/tree/master/Citrix/VPN)
- [Sumo Logic for Citrix XenServer](https://github.com/SumoLogic/sumologic-content/tree/master/Citrix/XenServer) |
| Thumbnail icon | [Claroty](https://claroty.com/) | Automation integration: [Claroty](/docs/platform-services/automation-service/app-central/integrations/claroty/)
Cloud SIEM integration: [Claroty](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/7d7a8243-bd53-417a-93f7-b73f800b1925.md) |
| Thumbnail icon | [Cloudflare](https://www.cloudflare.com/) | App: [Cloudflare](/docs/integrations/saas-cloud/cloudflare/)
Automation integration: [Cloudflare](/docs/platform-services/automation-service/app-central/integrations/cloudflare/)
Cloud SIEM integration: [Cloudflare](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/4c1c0f12-5d0a-4f0c-918f-c83dca43c967.md)
Community app: [Sumo Logic Dashboards for Cloudflare](https://github.com/SumoLogic/sumologic-content/tree/master/Cloudflare)
Partner integration: [Cloudflare](https://developers.cloudflare.com/logs/get-started/enable-destinations/sumo-logic/) |
@@ -251,7 +251,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| Thumbnail icon | [GitLab](https://about.gitlab.com/) | App: [GitLab](/docs/integrations/app-development/gitlab/)
Automation integration: [GitLab](/docs/platform-services/automation-service/app-central/integrations/gitlab/) |
| Thumbnail icon | [Gmail](https://www.google.com/gmail/about/) | App: [Gmail Trace Logs](/docs/integrations/saas-cloud/gmail-tracelogs)
Automation integrations:
- [Gmail](/docs/platform-services/automation-service/app-central/integrations/gmail/)
- [Gmail Multiple Mailbox](/docs/platform-services/automation-service/app-central/integrations/gmail-multiple-mailbox/)
Collector: [Gmail Trace Logs Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/gmail-tracelogs-source) |
| Thumbnail icon | [Google](https://about.google/) | Apps:
- [Google App Engine](/docs/integrations/google/app-engine/)
- [Google BigQuery](/docs/integrations/google/bigquery/)
- [Google Cloud AlloyDB for PostgreSQL](/docs/integrations/google/cloud-alloydb-for-postgresql/)
- [Google Cloud API Gateway](/docs/integrations/google/cloud-api-gateway/)
- [Google Cloud APIs](/docs/integrations/google/cloud-apis/)
- [Google Cloud Armor](/docs/integrations/google/cloud-armor/)
- [Google Cloud Audit](/docs/integrations/google/cloud-audit)
- [Google Cloud Auto Scaler](/docs/integrations/google/cloud-auto-scaler)
- [Google Cloud Backup for GKE](/docs/integrations/google/cloud-backup-for-gke/)
- [Google Cloud BigQuery BI Engine](/docs/integrations/google/cloud-bigquery-bi-engine/)
- [Google Cloud Bigtable](/docs/integrations/google/cloud-bigtable/)
- [Google Cloud Certificate Authority Service](/docs/integrations/google/cloud-certificate-authority-service/)
- [Google Cloud Certificate Manager](/docs/integrations/google/cloud-certificate-manager/)
- [Google Cloud Composer](/docs/integrations/google/cloud-composer/)
- [Google Compute Engine](/docs/integrations/google/compute-engine/)
- [Google Cloud Dataflow](/docs/integrations/google/cloud-dataflow/)
- [Google Cloud Dataproc](/docs/integrations/google/cloud-dataproc/)
- [Google Cloud Dataproc Metastore](/docs/integrations/google/cloud-dataproc-metastore/)
- [Google Cloud Datastore](/docs/integrations/google/cloud-datastore/)
- [Google Cloud Datastream](/docs/integrations/google/cloud-datastream/)
- [Google Cloud Deploy](/docs/integrations/google/cloud-deploy/)
- [Google Cloud Filestore](/docs/integrations/google/cloud-filestore/)
- [Google Cloud Firebase](/docs/integrations/google/cloud-firebase/)
- [Google Cloud Firestore](/docs/integrations/google/cloud-firestore/)
- [Google Cloud Firewall](/docs/integrations/google/cloud-firewall/)
- [Google Cloud Fleet Engine](/docs/integrations/google/cloud-fleet-engine/)
- [Google Cloud Functions](/docs/integrations/google/cloud-functions/)
- [Google Cloud Interconnect](/docs/integrations/google/cloud-interconnect/)
- [Google Cloud Load Balancing](/docs/integrations/google/cloud-load-balancing/)
- [Google Cloud Logging](/docs/integrations/google/cloud-logging/)
- [Google Cloud Memorystore for Redis](/docs/integrations/google/cloud-memorystore-for-redis/)
- [Google Cloud Net App Cloud Volumes Service](/docs/integrations/google/cloud-net-app-cloud-volumes-service/)
- [Google Cloud Network Topology](/docs/integrations/google/cloud-network-topology/)
- [Google Cloud Pub Sub](/docs/integrations/google/cloud-pub-sub/)
- [Google Cloud Router](/docs/integrations/google/cloud-router/)
- [Google Cloud Run](/docs/integrations/google/cloud-run/)
- [Google Cloud Spanner](/docs/integrations/google/cloud-spanner/)
- [Google Cloud SQL](/docs/integrations/google/cloud-sql/)
- [Google Cloud Storage](/docs/integrations/google/cloud-storage/)
- [Google Cloud Tasks](/docs/integrations/google/cloud-tasks/)
- [Google Cloud TPU](/docs/integrations/google/cloud-tpu/)
- [Google Cloud Trace](/docs/integrations/google/cloud-trace/)
- [Google Cloud Traffic Director](/docs/integrations/google/cloud-traffic-director/)
- [Google Cloud Vertex AI](/docs/integrations/google/cloud-vertex-ai/)
- [Google Cloud VPC](/docs/integrations/google/cloud-vpc/)
- [Google Cloud VPN](/docs/integrations/google/cloud-vpn/)
- [Google Kubernetes Engine (GKE)](/docs/integrations/google/kubernetes-engine/)
Automation integrations:
- [Chronicle](/docs/platform-services/automation-service/app-central/integrations/chronicle/)
- [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat/)
- [Google Safe Browsing](/docs/platform-services/automation-service/app-central/integrations/google-safe-browsing/)
- [Mandiant Advantage Threat intelligence](/docs/platform-services/automation-service/app-central/integrations/mandiant-advantage-threat-intelligence/)
Cloud SIEM integration: [Google](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/45601247-66a5-4c9c-b3af-c422f5b4cbeb.md)
Collectors:
- [Google BigQuery Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-bigquery-source/)
- [GCP Metrics Source](/docs/send-data/hosted-collectors/google-source/gcp-metrics-source/)
- [Google Cloud Platform (GCP) Source](/docs/send-data/hosted-collectors/google-source/google-cloud-platform-source/)
- [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source/)
Community app: [Sumo Logic for GCP Balancer Metrics](https://github.com/SumoLogic/sumologic-content/tree/master/GCP/Load_Balancer_Metrics) |
-| Thumbnail icon | [Google Workspace](https://workspace.google.com/) | App: [Google Workspace](/docs/integrations/google/workspace/install-app-dashboards/)
Automation integrations:
- [Google Alert Center](/docs/platform-services/automation-service/app-central/integrations/google-alert-center/)
- [Google Admin](/docs/platform-services/automation-service/app-central/integrations/google-admin/)
- [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/)
Collector: [Google Workspace AlertCenter Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-alertcenter/)
- [Google Workspace Apps Audit Source](/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source/)
- [Google Workspace User Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-source/)
- [G Suite Alert Center - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center/) |
+| Thumbnail icon | [Google Workspace](https://workspace.google.com/) | App: [Google Workspace](/docs/integrations/google/workspace/install-app-dashboards/)
Automation integrations:
- [Google Alert Center](/docs/platform-services/automation-service/app-central/integrations/google-alert-center/)
- [Google Admin](/docs/platform-services/automation-service/app-central/integrations/google-admin/)
- [Google Drive](/docs/platform-services/automation-service/app-central/integrations/google-drive/)
Collector: [Google Workspace AlertCenter Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-alertcenter/)
- [Google Workspace Apps Audit Source](/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source/)
- [Google Workspace User Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-source/) |
| Thumbnail icon | [Grafana](https://grafana.com/) | Webhook: [Grafana OnCall](/docs/integrations/webhooks/grafana-oncall/) |
| Thumbnail icon | [Gremlin](https://www.gremlin.com/) | Webhook: [Gremlin](/docs/integrations/webhooks/gremlin/) |
| Thumbnail icon | [GreyNoise](https://www.greynoise.io/) | Automation integration: [GreyNoise](/docs/platform-services/automation-service/app-central/integrations/greynoise/) |
diff --git a/docs/integrations/saml/auth0.md b/docs/integrations/saml/auth0.md
index ee6fb2fea0..4994a4b8c2 100644
--- a/docs/integrations/saml/auth0.md
+++ b/docs/integrations/saml/auth0.md
@@ -11,8 +11,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
Auth0 is a cloud-based, extensible identity provider for applications. The Sumo Logic App for Auth0 makes it easy to analyze and visualize your Auth0 event logs, and provides insight into security and operational issues.
-For more information, see [Export Logs to Sumo Logic](https://auth0.com/docs/extensions/sumologic).
-
+For more information, see [Use Auth0 App for Sumo Logic](https://auth0.com/docs/customize/log-streams/sumo-logic-dashboard) in Auth0 documentation.
## Collecting logs for Auth0
This procedure explains how to collect error logs from Auth0.
@@ -30,35 +29,34 @@ Sumo Logic collects the following log types:
* Rate limiting events
* Other operational events and errors
-For more information about Auth0 logs, see [https://auth0.com/docs/api/managemen.../Logs/get_logs](https://auth0.com/docs/api/management/v2#!/Logs/get_logs)
+For more information about Auth0 logs, see [Search Log Events](https://auth0.com/docs/api/management/v2#!/Logs/get_logs) in Auth0 documentation.
### Prerequisites
-Use the Auth0 Management Portal to configure the extension. For more information, see [https://auth0.com/docs/extensions/sumologic](https://auth0.com/docs/extensions/sumologic).
-
-
-### Configure a Collector
+Use the Auth0 Management Portal to configure the extension. For more information, see [Sumo Logic](https://marketplace.auth0.com/integrations/sumo-logic-log-streaming) in Auth0 documentation.
-Use the in-product [setup wizard](/docs/send-data/setup-wizard) in the Sumo Logic UI to configure a **Custom App**.
+### Configure a collector
+Configure a hosted collector. Follow the directions in [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector/).
### Configure a Source
-Source type is [HTTP](/docs/send-data/hosted-collectors/http-source/logs-metrics).
-
-* **Name**: Required
-* **Category**:
-* **Timestamp Parsing Settings**:
- * **Enable Timestamp Parsing**: True
- * **Timezone**: Logs are sent in UTC by default and can be automatically detected
- * **Timestamp Format**: Select **Specify a format** and use the following, \
-Format: `yyyy-MM-dd'T'HH:mm:ss.SSS'Z' \
-`Timestamp locator: `"date":"(.*?)\","`
-* **Multi-line Parsing Settings**:
- * **Detect Messages Spanning Multiple Lines**: True
- * **Multi Line Boundary**: Infer Boundaries
-
+Configure a source on the collector. Follow the directions in [Configure an HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source).
+
+Fill out the following:
+* **Name**
+* **Source Category**
+* Select **Forward to SIEM** if you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM. If you select **Forward to SIEM**, also click the **+Add** link and add a field whose name is `_parser` with value */Parsers/System/Auth0/Auth0*.
+* **Timestamp Parsing**
+ * Select **Extract timestamp information from log file entries**.
+ * **Default Timezone**. Select the default time zone to use. Logs are sent in UTC by default and can be automatically detected.
+ * **Timestamp Format**. Select **Specify a format**. Click **Add Timestamp Format** and enter the following:
+ * **Format**: `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`
+ * **Timestamp locator**: `"date":"(.*?)\","`
+* **Message Processing**
+ * Select **Multiline Processing**.
+ * For **Infer Message Boundaries** select **Detect Automatically**.
### Use Field Extraction Rules
diff --git a/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source.md b/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source.md
index 00d343c064..6f32675c93 100644
--- a/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source.md
+++ b/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source.md
@@ -114,9 +114,13 @@ You can adjust the configuration of when and how AWS handles communication attem
1. For **Source Category**, enter any string to tag the output collected from this Source. (Category metadata is stored in a searchable field called _sourceCategory.)
1. **Fields.** Click the **+Add Field** link to define the fields you want to associate, each field needs a name (key) and value.
-
- * ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
- * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
+ * ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
+ * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
+ :::note
+ If you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM:
+ * Click the **+Add Field** link and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ * Also add another field named `_parser` with value for the AWS parser you want to use for the forwarded data.
For example, if you want to use the data for AWS Application Load Balancer enter `/Parsers/System/AWS/AWS ALB`, for AWS Network Firewall enter `/Parsers/System/AWS/AWS Network Firewall`, or for AWS VPC Flow enter `/Parsers/System/AWS/AWS VPC Flow`.
+ :::
1. For **AWS** **Access** you have two **Access Method** options. Select **Role-based access** or **Key access** based on the AWS authentication you are providing. Role-based access is preferred, this was completed in the prerequisite step [Grant Sumo Logic access to an AWS Product](grant-access-aws-product.md). If you're collecting from a Cisco Umbrella bucket you must use **Key access**.
diff --git a/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source.md b/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source.md
index 32e874740e..814ba4d960 100644
--- a/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source.md
+++ b/docs/send-data/hosted-collectors/google-source/google-workspace-apps-audit-source.md
@@ -65,6 +65,9 @@ To configure a Google Workspace Apps Audit Source:
* ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
* ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
+ :::note
+ If you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM, click the **+Add Field** link and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ :::
1. Click **Sign in with Google** to give permission to Sumo Logic to set up watchpoints using **the Google Apps Reports API**. Click **Accept**.
1. Click **Save**.
diff --git a/docs/send-data/hosted-collectors/http-source/logs-metrics/index.md b/docs/send-data/hosted-collectors/http-source/logs-metrics/index.md
index 0aabb3a30e..7c962a095d 100644
--- a/docs/send-data/hosted-collectors/http-source/logs-metrics/index.md
+++ b/docs/send-data/hosted-collectors/http-source/logs-metrics/index.md
@@ -30,10 +30,10 @@ To configure an HTTP Logs and Metrics Source:
1. Select **HTTP Logs & Metrics**.
1. Enter a **Name** to display for the Source in the Sumo web application. Description is optional.
1. (Optional) For **Source Host **and** Source Category**, enter any string to tag the output collected from the source. (Category metadata is stored in a searchable field called _sourceCategory.)
-1. **SIEM Processing**. This option is present if Cloud SIEM is enabled. Click the checkbox to to send the logs collected by the source to Cloud SIEM.
-1. **Fields.** Click the **+Add Field** link to define the fields you want to associate, each field needs a name (key) and value.
+1. **Forward to SIEM**. This option is present if [Cloud SIEM](/docs/cse/) is enabled. Click the checkbox to send the logs collected by the source to Cloud SIEM.
+1. **Fields/Metadata.** Click the **+Add** link to define the fields you want to associate. Each field needs a name (key) and value.
* ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
- * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
+ * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
1. 
**Advanced Options for Logs.** Advanced options do *not* apply to uploaded metrics.
A screenshot of the 'Advanced Options for Logs' settings in Sumo Logic. The options include 'Extract timestamp information from log file entries' (checked), 'Default Time Zone' with options to 'Use time zone from log file. If not detected, use default time zone' (selected) and 'Ignore time zone from log file and instead use default time zone'. The 'Timestamp Format' settings offer 'Automatically detect the format' (selected) and 'Specify a format'. The 'Message Processing' section has 'Multiline Processing' checked. The 'Infer Message Boundaries' options include 'Detect Automatically' (selected) and 'Add Boundary Regex'. Finally, there is an unchecked option for 'One Message Per Request', which notes that each request will be treated as a single message, ignoring line breaks.
* **Timestamp Parsing.** This option is selected by default. If it's deselected, no timestamp information is parsed at all.
* **Time Zone.** There are two options for Time Zone. You can use the time zone present in your log files, and then choose an option in case time zone information is missing from a log message. Or, you can have Sumo Logic completely disregard any time zone information present in logs by forcing a time zone. It's very important to have the proper time zone set, no matter which option you choose. If the time zone of logs cannot be determined, Sumo Logic assigns logs UTC; if the rest of your logs are from another time zone your search results will be affected.
diff --git a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md
index 006b79f5c0..6402f93ae1 100644
--- a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md
+++ b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md
@@ -109,6 +109,9 @@ During the configuration, you will need to authenticate to Microsoft using sta
1. **Fields.** Click the **+Add Field** link to define the fields you want to associate, each field needs a name (key) and value.
* ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
* ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
+ :::note
+ If you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM, click the **+Add Field** link and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ :::
1. Click **Sign in with Office 365** to authenticate to Microsoft using standard OAuth v2 interaction.
:::note
Sumo Logic never receives your Microsoft Office 365 credentials.
diff --git a/docs/send-data/installed-collectors/sources/syslog-source.md b/docs/send-data/installed-collectors/sources/syslog-source.md
index 5df1e1699a..524a326710 100644
--- a/docs/send-data/installed-collectors/sources/syslog-source.md
+++ b/docs/send-data/installed-collectors/sources/syslog-source.md
@@ -27,6 +27,9 @@ If you are editing a Source, metadata changes are reflected going forward. Metad
1. **Fields.** Click the **+Add Field** link to define the fields you want to associate; each field needs a name (key) and value.
* ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
* ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
+ :::note
+ If you have [Cloud SIEM](/docs/cse) installed and you want to forward log data to Cloud SIEM, click the **+Add Field** link and add a field whose name is `_siemForward` and value is *true*. This will ensure all logs for this source are forwarded to Cloud SIEM.
+ :::
1. Set any of the following under **Advanced**:
* **Enable Timestamp Parsing.** This option is selected by default. If it's deselected, no timestamp information is parsed at all.
* **Time Zone.** There are two options for Time Zone. You can use the time zone present in your log files, and then choose an option in case time zone information is missing from a log message. Or, you can have Sumo Logic completely disregard any time zone information present in logs by forcing a time zone. It's very important to have the proper time zone set, no matter which option you choose. If the time zone of logs cannot be determined, Sumo assigns logs UTC; if the rest of your logs are from another time zone your search results will be affected.
diff --git a/sidebars.ts b/sidebars.ts
index 0449d044c6..48cb938f97 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -2831,7 +2831,7 @@ integrations: [
'cse/ingestion/sumo-logic-ingest-mapping',
{
type: 'category',
- label: 'Ingestion Sources for Cloud SIEM',
+ label: 'Example Ingestion Sources for Cloud SIEM',
collapsible: true,
collapsed: true,
link: {type: 'doc', id: 'cse/ingestion/ingestion-sources-for-cloud-siem/index'},
@@ -2862,7 +2862,6 @@ integrations: [
'cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall',
'cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone',
'cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf',
- 'cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway',
'cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy',
'cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss',
'cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access',