SumoLogic · jpipkin1 · May 19, 2025 · May 13, 2025 · May 13, 2025 · May 14, 2025
@@ -2935,7 +2935,7 @@
   "/Cloud_SIEM_Enterprise/CSE_Ingestion/Palo_Alto_Firewall": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall",
   "/Cloud_SIEM_Enterprise/CSE_Ingestion/SentinelOne": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone",
   "/Cloud_SIEM_Enterprise/CSE_Ingestion/Signal_Sciences_WAF": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf",
-  "/Cloud_SIEM_Enterprise/CSE_Ingestion/Symantec_Proxy_Secure_Gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway",
+  "/Cloud_SIEM_Enterprise/CSE_Ingestion/Symantec_Proxy_Secure_Gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
   "/Cloud_SIEM_Enterprise/CSE_Ingestion/Symantec_Proxy_Secure_Gateway_(Blue_Coat_Proxy)": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
   "/Cloud_SIEM_Enterprise/CSE_Ingestion/ZScaler_NSS": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss",
   "/Cloud_SIEM_Enterprise/CSE_Ingestion/Zscaler_Private_Access": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access",
@@ -4215,7 +4215,7 @@
   "/docs/cse/ingestion/sentinelone": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone",
   "/docs/cse/ingestion/signal-sciences-waf": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf",
   "/docs/cse/ingestion/symantec-proxy-secure-gateway-blue-coat-proxy": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
-  "/docs/cse/ingestion/symantec-proxy-secure-gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway",
+  "/docs/cse/ingestion/symantec-proxy-secure-gateway": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy",
   "/docs/cse/ingestion/zscaler-nss": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss",
   "/docs/cse/ingestion/zscaler-private-access": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access",
   "/docs/cse/administration/onboarding-checklist-cse": "/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse",

@@ -7,10 +7,10 @@ description: Learn how to send log messages collected by a Sumo Logic Source or
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records. 
+This article has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records.
 
 :::note
-Cloud SIEM must be enabled in your Sumo Logic account in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Engineer or Sales Engineer.
+[Cloud SIEM must be enabled in your Sumo Logic account](/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/) in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Engineer or Sales Engineer.
 :::
 
 The process consists of configuring a source or collector to forward messages to Cloud SIEM, and ensuring that the forwarded messages are correctly tagged with the information Cloud SIEM needs in order to map messages fields to record attributes. These are referred to as *mapping hints*, and include: Format, Vendor, Product, and an Event ID template.
@@ -23,19 +23,19 @@ You can only send log data that resides in the [Continuous data tier](/docs/mana
 
 <img src={useBaseUrl('img/cse/cip-to-cse.png')} alt="Data flow diagram" width="800"/>
 
-### Cloud SIEM ingestion best practices
+### Recommended methods to ingest data into Cloud SIEM
 
-We recommend the following ingestion processes, starting with the most preferred:
+We recommend the following ingestion methods, starting with the most preferred:
 
-1. **Follow an ingestion guide**. The [Ingestion Guides](/docs/cse/ingestion) section of this help site provides specific collection and ingestion recommendations for many common products and services. An ingestion guide describes the easiest way to get data from a particular product into Cloud SIEM. When you’re ready to start using Cloud SIEM to monitor a new product, if there’s a Cloud SIEM ingestion guide for it, we recommend using it.
-1. **Use a Cloud-to-Cloud (C2C) connector**. If you don’t see an Ingestion Guide for your data source, check to see if there is a C2C connector. It’s an easy method, because if you configure your C2C source to send logs to Cloud SIEM, it automatically tags messages it sends to Cloud SIEM with fields that contain the mapping hints that Cloud SIEM requires.  <br/><br/>Most C2C connectors have a **Forward to SIEM** option in the configuration UI. If a C2C connector lacks that option, you can achieve the same effect by assigning a field named `_siemforward`, set to *true*, to the connector.  <br/><br/>For information about what C2C sources are available, see Cloud-to-Cloud Integration Framework.  
+1. **Use a Cloud-to-Cloud (C2C) connector**. It’s an easy method, because if you configure your C2C source to send logs to Cloud SIEM, it automatically tags messages it sends to Cloud SIEM with fields that contain the mapping hints that Cloud SIEM requires.  <br/><br/>Most C2C connectors have a [**Forward to SIEM** option](/docs/c2c/info/#metadata-fields) in the configuration UI. If a C2C connector lacks that option, you can achieve the same effect by assigning a field named `_siemforward`, set to *true*, to the connector.  <br/><br/>For information about what C2C sources are available, see [Cloud-to-Cloud Integration Framework Sources](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/).  
 1. **Use a Sumo Logic Source and parser**. If there isn’t a C2C connector for your data source, your next best option is to use a Sumo Logic Source (running on an Installed Collector or a Hosted Collector, depending on the data source)—and a Sumo Logic parser, if we have one for the data source.   
 
-    Check if there’s a parser for your data source. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Parsers**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Parsers**. You can also click the **Go To...** menu at the top of the screen and select **Parsers**.  If there is a parser for your data source, but you find it doesn’t completely meet your needs–for instance if the parser doesn’t support the particular log format you use–consider customizing the parser with a [local configuration](/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser). If that’s not practical, you can submit a request for a new parser by filing a ticket at [https://support.sumologic.com](https://support.sumologic.com/).  
+    Check if there’s a parser for your data source. <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Parsers**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Parsers**. You can also click the **Go To...** menu at the top of the screen and select **Parsers**.  
+
+    If there is a parser for your data source, but you find it doesn’t completely meet your needs–for instance if the parser doesn’t support the particular log format you use–consider customizing the parser with a [local configuration](/docs/cse/schema/parser-editor#create-a-local-configuration-for-a-system-parser). If that’s not practical, you can submit a request for a new parser by filing a ticket at [https://support.sumologic.com](https://support.sumologic.com/).  
 
-    When you forward logs to Cloud SIEM for parser processing, there are two bits of important configuration:  
-
-    1. Configure the source to forward logs. To configure an HTTP source to send log messages to Cloud SIEM, click the **SIEM Processing** checkbox. You can configure other source types to send data to Cloud SIEM by assigning a field named `_siemforward`, set to *true*, to the source. For example:  
+    When you forward logs to Cloud SIEM for parser processing, there are two bits of important configuration: 
+    1. Configure the source to forward logs. To configure an HTTP source to send log messages to Cloud SIEM, click the [**SIEM Processing** checkbox](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). You can configure other source types to send data to Cloud SIEM by assigning a field named `_siemforward`, set to *true*, to the source. For example:  
 
         ```
         _siemforward=true
@@ -53,3 +53,7 @@ We recommend the following ingestion processes, starting with the most preferred
          You can get the path to a parser on the **Parsers** page in Sumo Logic. Click the three-dot kebab menu in the row for a parser, and select **Copy Path**.
 
 1. **Use a Sumo Logic Source and Cloud SIEM Ingest mapping**. This is the least recommended method, as you have to manually configure the mapping hints in an ingestion mapping. For more information, see [Configure a Sumo Logic Ingest Mapping](/docs/cse/ingestion/sumo-logic-ingest-mapping/).
+
+:::tip
+See [Example Ingestion Sources for Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/) for specific collection and ingestion recommendations for many common products and services.
+:::
@@ -7,15 +7,13 @@ description: Learn how to configure ingestion for supported products and service
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-The topics in this section provide data ingestion guides for supported products and services.
-
-In this section, we'll introduce the following concepts:
+The articles in this section provide guidance on how to ingest data into Cloud SIEM.
 
 <div className="box-wrapper" >
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/ingestion/cse-ingestion-best-practices"><img src={useBaseUrl('img/icons/operations/data-volume.png')} alt="Database icon" width="40"/><h4>Best Practices</h4></a>
-  <p>Learn how to send Sumo Logic Source or Cloud-to-Cloud Connector log messages to Cloud SIEM to be transformed into Records.</p>
+  <p>Learn how to send Sumo Logic Source or Cloud-to-Cloud Connector log messages to Cloud SIEM to be transformed into records.</p>
   </div>
 </div>
 <div className="box smallbox card">

@@ -1,60 +1,18 @@
 ---
 id: auth0
-title: Auth0 - Cloud SIEM
-sidebar_label: Auth0 system parser
+title: Ingest Auth0 Data into Cloud SIEM
+sidebar_label: Auth0
 description: Configure an HTTP source to ingest Auth0 log messages and send them to Cloud SIEM’s Auth0 system parser.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-## Step 1: Configure collection
-
-In this step, you configure an HTTP Source to collect Auth0 log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure an HTTP Source](#configure-an-http-source) below. Otherwise, create a new collector as described in [Configure a Hosted Collector](#configure-a-hosted-collector) below, and then create the HTTP Source on the collector.
-
-### Configure a Hosted Collector
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 
-1. Click **Add Collector**.
-1. Click **Hosted Collector.**
-1. The **Add Hosted Collector** popup appears.<br/><img src={useBaseUrl('img/cse/add-hosted-collector.png')} alt="Add hosted image collector" style={{border: '1px solid gray'}} width="500" />
-1. **Name**. Provide a Name for the Collector.
-1. **Description**. (Optional)
-1. **Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`. 
-1. **Fields**. 
-    1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the **+Add Field** link, and add a field whose name is `_siemForward` and value is *true*. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
-    1. If all sources in this collector will be Auth0 sources, add an additional field with key `_parser` and value */Parsers/System/Auth0/Auth0*.
-
-:::note
-It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
-:::
-
-### Configure an HTTP Source
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.  
-1. Navigate to the Hosted Collector where you want to create the source.
-1. On the **Collectors** page, click **Add Source** next to a Hosted Collector.
-1. Select **HTTP Logs & Metrics**. 
-1. The page refreshes.<br/><img src={useBaseUrl('img/cse/http-source.png')} alt="HTTP source" style={{border: '1px solid gray'}} width="600" />
-1. **Name**. Enter a name for the source. 
-1. **Description**. (Optional) 
-1. **Source Host.** (Optional) Enter a string to tag the messages collected from the source. The string that you supply will be saved in a metadata field called `_sourceHost.`
-1. **Source Category**. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called `_sourceCategory`.
-1. **SIEM Processing**. Click the checkbox to configure the source to forward log messages to Cloud SIEM.
-1. **Fields.** If you are not parsing all sources in the hosted collector with the same parser, click the **+Add Field** link, and add a field whose name is `_parser` with value */Parsers/System/Auth0/Auth0*.
-12. **Advanced Options for Logs**. For information about the optional advance options you can configure, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/).
-13. Click **Save**.
-14. Make a note of the HTTP Source URL that is displayed. You’ll supply it in Step 2 below.
-
-## Step 2: Configure Auth0
-
-In this step you configure Auth0 to send log messages to the Sumo Logic platform. For instructions, see [Stream Logs to Sumo Logic](https://auth0.com/docs/logs/streams/stream-logs-to-sumo-logic)
-in Auth0 help. 
-
-## Step 3: Verify ingestion
-
-In this step, you verify that your logs are successfully making it into
-Cloud SIEM. 
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
-1. On the **Log Mappings** tab search for Auth0 and check the **Records** columns.<br/><img src={useBaseUrl('img/cse/auth0-reocrd-volume.png')} alt="Record volume" style={{border: '1px solid gray'}} style={{border: '1px solid gray'}} width="800" />
-1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Auth0 security records.<br/><img src={useBaseUrl('img/cse/auth0-search.png')} alt="Auth0 search" style={{border: '1px solid gray'}} style={{border: '1px solid gray'}} width="500" />
+To ingest Auth0 data into Cloud SIEM:
+1. [Configure a source for Auth0](/docs/integrations/saml/auth0/#configure-a-source) on a collector. When you configure the source, do the following:
+    1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM.
+    1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/Auth0/Auth0*. This ensures that the Auth0 logs are parsed and normalized into structured records in Cloud SIEM.
+1. Configure Auth0 to send log messages to the Sumo Logic platform. For instructions, see [Sumo Logic](https://marketplace.auth0.com/integrations/sumo-logic-log-streaming) in the Auth0 help.
+1. To verify that your logs are successfully making it into Cloud SIEM:
+    1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
+    1. On the **Log Mappings** tab search for Auth0 and check the **Records** columns.<br/><img src={useBaseUrl('img/cse/auth0-reocrd-volume.png')} alt="Record volume" style={{border: '1px solid gray'}} style={{border: '1px solid gray'}} width="800" />
+    1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Auth0 security records: <br/>`_index=sec_record* and metadata_product = "Auth0"`