diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md index 42d64e0b0a..3bb3742a72 100644 --- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md +++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md @@ -11,7 +11,7 @@ To ingest AWS GuardDuty data into Cloud SIEM: 1. [Configure an HTTP source for GuardDuty](/docs/integrations/amazon-aws/guardduty/#step-1-configure-an-http-source) on a collector. When you configure the source, do the following: 1. Select the **Forward to SIEM** option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM. 1. Click the **+Add** link to add a field whose name is `_parser` with value */Parsers/System/AWS/GuardDuty*. This ensures that the GuardDuty logs are parsed and normalized into structured records in Cloud SIEM. -1. [Deploy the Sumo Logic GuardDuty events processor](/docs/integrations/amazon-aws/guardduty/#step-2-deploy-sumo-guardduty-events-processor). +1. [Deploy the Sumo Logic GuardDuty events processor](/docs/integrations/amazon-aws/guardduty/#step-2-deploy-sumo-logic-guardduty-events-processor). 1. To verify that your logs are successfully making it into Cloud SIEM: 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**. 1. On the **Log Mappings** tab search for "GuardDuty" and check the **Records** columns. diff --git a/docs/integrations/amazon-aws/guardduty.md b/docs/integrations/amazon-aws/guardduty.md index 2c06f15040..7fbc0bb0dd 100644 --- a/docs/integrations/amazon-aws/guardduty.md +++ b/docs/integrations/amazon-aws/guardduty.md 
@@ -176,18 +176,58 @@ _sourceCategory=aws/guardduty -## Collecting logs for the Amazon GuardDuty App +## Collecting logs for the Amazon GuardDuty app -This section has instructions for collecting logs for the Amazon GuardDuty App. +You can collect the Amazon GuardDuty logs using two methods: -1. Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated. -2. A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo CloudWatchEventFunction Lambda function. -3. The Lambda function sends the events to an HTTP source on a Sumo hosted collector. +- [Method 1: Collecting Amazon GuardDuty logs using EventBridge](#method-1-collecting-amazon-guardduty-logs-using-eventbridge) +- [Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint](#method-2-collecting-amazon-guardduty-logs-using-sumo-logic-http-endpoint) -This configuration is defined in a [AWS Serverless Application Model (SAM) specification](https://docs.aws.amazon.com/lambda/latest/dg/serverless_app.html) published in the [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/). You do not need to manually create the necessary AWS resources. You simply deploy the configuration, as described in Step 2 below. +### Method 1: Collecting Amazon GuardDuty logs using EventBridge + +This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. + +#### Step 1: Create an HTTP source in Sumo Logic + +To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). 
+ +#### Step 2: Configure EventBridge API destination + +Follow the steps below to configure the EventBridge API destination: +1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. In the navigation bar, click **API destinations**. +1. Click **Create destination**. +1. Enter a name for the API Destination. +1. Provide the HTTP Source URL from Sumo Logic. +1. Click **Create a new connection** to create a connection for the API destination. + 1. Provide a connection name. + 1. Keep the API Type as **Public**. + 1. Select **Basic (Username/Password)** in the **Authorization type**. + 1. Add any value of your choice for **Username** and **Password**. + +#### Step 3: Create the EventBridge rule +Follow the steps below to create the EventBridge rule: +1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. In the navigation bar, click **Rules**. +1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. +1. Select **All Events** in Event Type. +1. Under **Select targets**, choose **EventBridge API destination**. +1. Select the API Destination created in Step 2. +1. Select **Create a new role for this specific resource** in the **Execution role**. +1. Click **Create** to activate the rule. -### Step 1: Configure an HTTP source +### Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint + +This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. + +- Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated. 
+- A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo `CloudWatchEventFunction` Lambda function. +- The Lambda function sends the events to an HTTP source on a Sumo Logic hosted collector. + +This configuration is defined in a [AWS Serverless Application Model (SAM) specification](https://docs.aws.amazon.com/lambda/latest/dg/serverless_app.html) published in the [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/). You do not need to manually create the necessary AWS resources. You simply deploy the configuration, as described in Step 2 below. + +#### Step 1: Configure an HTTP source 1. In Sumo Logic, configure a [Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector). 2. In Sumo Logic, configure an [HTTP Source](/docs/send-data/hosted-collectors/http-source/logs-metrics). When you configure the source: @@ -198,8 +238,7 @@ This configuration is defined in a [AWS Serverless Application Model (SAM) speci When you configure the HTTP Source, make a note of the HTTP Source Address URL. You will need it in the next step. - -### Step 2: Deploy Sumo GuardDuty events processor +#### Step 2: Deploy Sumo Logic GuardDuty events processor In this step, you deploy the events processor. This will create the AWS resources described in [Collection overview](#collecting-logs-for-the-amazon-guardduty-app). diff --git a/docs/integrations/amazon-aws/inspector.md b/docs/integrations/amazon-aws/inspector.md index 65d7cdfa00..efda4fdde0 100644 --- a/docs/integrations/amazon-aws/inspector.md +++ b/docs/integrations/amazon-aws/inspector.md 
@@ -16,18 +16,55 @@ For information about integrating Amazon Inspector with Security Hub, see [Integ ## Collecting findings for the Amazon Inspector app -Sumo Logic provides a serverless solution for creating a CloudWatch events rule and a Lambda function (SecurityHubCollector) to extract findings from AWS Security Hub. +You can collect Security Hub logs using three methods: -Findings from AWS services (AWS Security Hub) are delivered to CloudWatch Events as events in near real time. The Lambda function parses those events and sends them to an S3 bucket. Sumo Logic then collects the findings data using an S3 bucket source on a Sumo Logic hosted collector. The Lambda function setup is defined using Serverless Application Model (SAM) specifications and is published in AWS Serverless Application Repository. +- [Method 1: Collecting Security Hub logs using EventBridge](#method-1-collecting-security-hub-logs-using-eventbridge) +- [Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint](#method-2-collect-security-hub-logs-using-sumo-logic-http-endpoint) +-[Method 3: Collect Security Hub logs using Amazon S3 source](#method-3-collect-security-hub-logs-using-amazon-s3-source) -You can collect Security Hub logs using two methods: +### Method 1: Collecting Security Hub logs using EventBridge -- [Method 1: Collect Security Hub logs using Sumo Logic HTTP endpoint](#method-1-collect-security-hub-logs-using-sumo-logic-http-endpoint) -- [Method 2: Collect Security Hub logs using Amazon S3 source](#method-2-collect-security-hub-logs-using-amazon-s3-source) +This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. -You do not have to manually create the AWS resources. 
Simply deploy the solution, as described in the [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector) for HTTP endpoint and [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector-1) for Amazon S3 source. +#### Step 1: Create an HTTP source in Sumo Logic + +To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). + +#### Step 2: Configure EventBridge API destination + +Follow the steps below to configure the EventBridge API destination: +1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. In the navigation bar, click **API destinations**. +1. Click **Create destination**. +1. Enter a name for the API Destination. +1. Provide the HTTP Source URL from Sumo Logic. +1. Click **Create a new connection** to create a connection for the API destination. + 1. Provide a connection name. + 1. Keep the API Type as **Public**. + 1. Select **Basic (Username/Password)** in the **Authorization type**. + 1. Add any value of your choice for **Username** and **Password**. + +#### Step 3: Create the EventBridge rule + +Follow the steps below to create the EventBridge rule: +1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. In the navigation bar, click **Rules**. +1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. +1. Select **All Events** in Event Type. +1. Under **Select targets**, choose **EventBridge API destination**. +1. Select the API Destination created in Step 2. +1. Select **Create a new role for this specific resource** in the **Execution role**. +1. Click **Create** to activate the rule. 
-### Method 1: Collect Security Hub logs using Sumo Logic HTTP endpoint +### Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint + +This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. + +Sumo Logic provides a serverless solution for creating a CloudWatch events rule and a Lambda function (SecurityHubCollector) to extract findings from AWS Security Hub. + +Findings from AWS services (AWS Security Hub) are delivered to CloudWatch Events as events in near real time. The Lambda function parses those events and sends them to an S3 bucket. Sumo Logic then collects the findings data using an S3 bucket source on a Sumo Logic hosted collector. The Lambda function setup is defined using Serverless Application Model (SAM) specifications and is published in AWS Serverless Application Repository. + +You do not have to manually create the AWS resources. Simply deploy the solution, as described in the [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector) for HTTP endpoint and [Step 2: Deploy an AWS Security Hub app collector](/docs/integrations/amazon-aws/inspector/#step-2-deploy-an-aws-security-hub-app-collector-1) for Amazon S3 source. #### Step 1: Add a hosted collector and Sumo Logic HTTP source 
@@ -57,7 +94,9 @@ To deploy an AWS Security Hub app collector: 5. In the **AWS Lambda > Functions > Application Settings** panel, enter the endpoint **HTTP endpoint** of the source that you configured. 6. Scroll to the bottom of the window and click **Deploy**. -### Method 2: Collect Security Hub logs using Amazon S3 source +### Method 3: Collect Security Hub logs using Amazon S3 source + +This method uses a Lambda function to process findings, store them in an S3 bucket, and retrieve them through Sumo Logic's S3 Source. It is ideal for scenarios that require data archiving. #### Step 1: Add a hosted collector and Amazon S3 source @@ -187,4 +226,4 @@ import AppUpdate from '../../reuse/apps/app-update.md'; import AppUninstall from '../../reuse/apps/app-uninstall.md'; - \ No newline at end of file + diff --git a/docs/integrations/amazon-aws/security-hub.md b/docs/integrations/amazon-aws/security-hub.md index ae82202d6f..a11a0fc4df 100644 --- a/docs/integrations/amazon-aws/security-hub.md +++ b/docs/integrations/amazon-aws/security-hub.md 
@@ -37,15 +37,12 @@ The **AWS Security Hub CSPM forwarder** sends scheduled search results and alert To complete the following tasks, Security Hub must be enabled on your AWS account. For more information, see the AWS Security Hub CSPM documentation for [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). - #### Overview AWS Security Hub CSPM forwarder creates a Lambda function along with an [Identity Access and Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) authentication secured API Gateway endpoint. A Sumo Logic scheduled search then sends the results to the endpoint using [Webhook for Lambda](/docs/alerts/webhook-connections/aws-lambda.md) The triggered Lambda function parses the search results, transforming them into [Amazon Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) (AFF). Each of the rows of the AFF data is sent as a finding to AWS Security Hub CSPM. The configuration is defined using [SAM specification](https://docs.aws.amazon.com/lambda/latest/dg/serverless_app.html) and published in [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/). - - #### Step 1: Enable Sumo Logic as a Finding Provider AWS Security Hub CSPM detects and consolidates those security findings from the supported AWS services that are generated after Security Hub is enabled in your AWS accounts. This section demonstrates how to enable Sumo Logic as an AWS Finding Provider (FP) to communicate with AWS Security Hub CSPM. 
@@ -55,7 +52,6 @@ To enable Sumo Logic for AWS Security Hub CSPM, do the following: 1. Open the Security Hub console at [https://console.aws.amazon.com/securityhub](https://console.aws.amazon.com/securityhub), and choose **Settings > Providers**. 2. Search for “Sumo Logic” and click **Subscribe** for Sumo Logic Machine Data Analytics. - #### Step 2: Deploy the AWS Security Hub CSPM forwarder This section demonstrates how to deploy the AWS Security Hub CSPM forwarder, a serverless application based on [AWS SAM specification](https://docs.aws.amazon.com/lambda/latest/dg/serverless_app.html). @@ -67,7 +63,6 @@ To deploy the AWS Security Hub CSPM forwarder, do the following: 3. Select the **Show apps that create custom IAM roles or resource policies** checkbox, click the **sumo-logic-securityhub-forwarder** app link, and then click **Deploy**. 4. After the stack is deployed, go to **CloudFormation > Stacks > Stack details > Outputs** and copy the value of **SecurityHubForwarderApiUrl**. This is the API Gateway endpoint. - #### Step 3: Create a Webhook connection This section demonstrates how to create a Webhook connection to trigger an AWS Lambda function. 
@@ -91,7 +86,6 @@ To create a Webhook connection, do the following: * For `"Types"`, `"Description"`, `"SourceUrl"`, `"GeneratorID"`, `"Severity"`, and `"ComplianceStatus"`, status are mapped to corresponding fields specified in Amazon Finding Format. 3. Ensure that the IAM role or IAM user (whose credentials are used) has permissions to invoke the API in API Gateway, as described in [Control Access for Invoking an API](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html) Amazon documentation. You can use the payload in troubleshooting tips section to test the connection. - #### Step 4: Create scheduled searches When you save a search, you can add a schedule to run it at a regularly scheduled time, and add alerts. This section demonstrates how to write a query and then create a scheduled search for AWS Security Hub CSPM. @@ -142,11 +136,10 @@ To write a query and create a scheduled search, do the following: | ComplianceStatus | Results of a compliance check. This is an optional field and its value should be one of the following: PASSED/WARNING/FAILED/NOT_AVAILABLE. | 1. The `aws_account_id` field in the search results. 1. `AWS_ACCOUNT_ID` set as a Lambda environment variable. -1. The `account_id` where the lambda function is running. +1. The `account_id` where the Lambda function is running. The `aws_account_id` defaults to the account in which Lambda is running. - #### Troubleshooting tips In the case of a problem, perform the following tasks to discover the cause. 
@@ -164,21 +157,58 @@ In the case of a problem, perform the following tasks to discover the cause. } ``` 2. Check for `status code 200` in the response body to verify whether the API Gateway and Lambda integration is working correctly. For more information on how to test API Gateway with console refer these [docs](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-test-method.html). -3. Monitor scheduled search logs using following query in Sumo Logic. This verifies whether the scheduled search was triggered or not. +3. Monitor scheduled search logs using the following query in Sumo Logic. This verifies whether the scheduled search was triggered or not. ```json _view=sumologic_audit "Scheduled search alert triggered" ``` -4. Check the CloudWatch logs for the Lambda function. Sumo saves Lambda function logs to CloudWatch in a log group: `/aws/lambda/`. Check this log for any errors during lambda execution. - +4. Check the CloudWatch logs for the Lambda function. Sumo Logic saves Lambda function logs to CloudWatch in a log group: `/aws/lambda/`. Check this log for any errors during lambda execution. ## Collecting findings for the AWS Security Hub CSPM app -This section shows you how to add a hosted collector and Amazon S3 Source and deploy an AWS Security Hub CSPM collector. +You can collect the AWS Security Hub CSPM logs using two methods: -To complete the following tasks, Security Hub must be enabled on your AWS account. For more information, see the AWS Security Hub CSPM documentation for [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). 
+- [Method 1: Collecting AWS Security Hub CSPM Logs using EventBridge](#method-1-collecting-aws-security-hub-cspm-logs-using-eventbridge) +- [Method 2: Collecting Security Hub CSPM Logs using Sumo Logic HTTP endpoint](#method-2-collecting-security-hub-cspm-logs-using-sumo-logic-http-endpoint) + +Before collecting logs, ensure that Security Hub is enabled on your AWS account. For more information, see the AWS Security Hub CSPM documentation for [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). +### Method 1: Collecting AWS Security Hub CSPM logs using EventBridge -#### Overview +This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. + +#### Step 1: Create an HTTP source in Sumo Logic + +To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). + +#### Step 2: Configure EventBridge API destination + +Follow the steps below to configure the EventBridge API destination: +1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. In the navigation bar, click **API destinations**. +1. Click **Create destination**. +1. Enter a name for the API Destination. +1. Provide the HTTP Source URL from Sumo Logic. +1. Click **Create a new connection** to create a connection for the API destination. + 1. Provide a connection name. + 1. Keep the API Type as **Public**. + 1. Select **Basic (Username/Password)** in the **Authorization type**. + 1. Add any value of your choice for **Username** and **Password**. + +#### Step 3: Create the EventBridge rule + +Follow the steps below to configure the EventBridge rule: +1. 
Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. In the navigation bar, click **Rules**. +1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. +1. Select **All Events** in Event Type. +1. Under **Select targets**, choose **EventBridge API destination**. +1. Select the API Destination created in Step 2. +1. Select **Create a new role for this specific resource** in the **Execution role**. +1. Click **Create** to activate the rule. + +### Method 2: Collecting Security Hub CSPM Logs using Sumo Logic HTTP endpoint + +This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. Sumo Logic provides a serverless solution for creating a CloudWatch events rule and a Lambda function (SecurityHubCollector) to extract findings from AWS Security Hub CSPM. @@ -186,7 +216,6 @@ Findings from AWS services (AWS Security Hub CSPM) are delivered to CloudWatch E You do not have to manually create the AWS resources. Simply deploy the solution, as described in the [Step 2: Deploy an AWS Security Hub CSPM App collector](#step-2-deploy-an-aws-security-hub-cspm-app-collector). - #### Step 1: Add a hosted collector and Amazon S3 source This section demonstrates how to add a hosted Sumo Logic collector and AWS source, to collect events for the AWS Security Hub CSPM App. @@ -330,4 +359,4 @@ Use this dashboard to: * Analyze how they are distributed across AWS accounts. * Filter on Finding Type, Resource Type, Provider, AWS Account, Title, Category, Resource Type with the Finding details panel. -AWS Security Hub CSPM dashboard \ No newline at end of file +AWS Security Hub CSPM dashboard
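Review bot: in docs/integrations/amazon-aws/guardduty.md, hunk @@ -176,18 +176,58 @@, Method 1 Step 3 tells the reader to "Set the event source to **AWS services** and then select **Security Hub** as the AWS service", but this page is about GuardDuty findings; a rule matching Security Hub events will not see GuardDuty findings unless GuardDuty is integrated into Security Hub, which the page does not say. Either select GuardDuty as the service (the rest of the page, including Method 2, is built on GuardDuty's own finding events) or state the Security Hub integration as a prerequisite. Two smaller points in the same hunk: the Method 2 intro says the Lambda function is used "to process, store, and forward logs", yet the bullets below say the function sends the events straight to the HTTP source and nothing is stored, so "store" should go; and Method 1 Step 2's "Add any value of your choice for **Username** and **Password**" needs a sentence explaining why placeholder credentials are acceptable there, together with a reminder that the HTTP Source URL entered in the previous step is the credential that actually matters and should be handled as a secret.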
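Review bot: in docs/integrations/amazon-aws/inspector.md, hunk @@ -16,18 +16,55 @@, the third list item is written as `-[Method 3: Collect Security Hub logs using Amazon S3 source](...)` with no space after the hyphen, so it will not render as a list item; it should read `- [Method 3: ...`. The three method titles also mix "Collecting" (Method 1) and "Collect" (Methods 2 and 3), and since the anchors are derived from the headings, pick one form and apply it to the headings, the links and the anchors together. Finally, the EventBridge Method 1 block (intro paragraph plus Steps 1 to 3) is duplicated word for word in guardduty.md and security-hub.md in this same change; the file already pulls shared text from `../../reuse/apps/` (see the import lines in hunk @@ -187,4 +226,4 @@), so moving this block into a reuse file would keep the three copies from drifting, which the GuardDuty copy already shows they can.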
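Review bot: in docs/integrations/amazon-aws/security-hub.md, hunk @@ -164,21 +157,58 @@, Method 2 is titled "Collecting Security Hub CSPM Logs using Sumo Logic HTTP endpoint", but its own text and the unchanged lines around it describe a Lambda function that parses findings and sends them to an S3 bucket, and the next hunk (@@ -186,7 +216,6 @@) keeps "#### Step 1: Add a hosted collector and Amazon S3 source". This is the S3 flow that inspector.md names "Method 3: Collect Security Hub logs using Amazon S3 source" in the same change, so the heading, the list link and its anchor should say "Amazon S3 source", not "HTTP endpoint", or readers will look for an HTTP source that the steps never create. Also in this hunk: `### Method 1: ...` is inserted directly after the "Before collecting logs, ..." paragraph with no blank line, unlike every other heading in the file; item 4's log group `/aws/lambda/` ends in a trailing slash with no function name, which reads as a truncated value; and the same line keeps "during lambda execution" in lowercase while the hunk @@ -142,11 +136,10 @@ of this file is capitalizing "Lambda".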