diff --git a/docs/cse/administration/create-a-custom-tag-schema.md b/docs/cse/administration/create-a-custom-tag-schema.md
index 5ffd964b50..e08db23324 100644
--- a/docs/cse/administration/create-a-custom-tag-schema.md
+++ b/docs/cse/administration/create-a-custom-tag-schema.md
@@ -13,7 +13,7 @@ This topic has instructions for creating a custom tag schema in Cloud SIEM.
Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: *keyword tags*, which are arbitrary, freeform strings; and *schema keys*, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.
-
+
Schema tags can enforce specific tag values and prevent confusion from variations in tag values. For example, you might want to ensure the use of standard server identifiers, such as “FinanceServer”, rather than “Server-Finance” or “Finance_Server”.
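Review bot: the first context paragraph of this hunk says "Cloud SIEM provides built-in schemas keys", which should be "built-in schema keys" to match the term *schema keys* defined one sentence earlier. The `-`/`+` pair that replaces the image after that paragraph carries no visible content in this view, so the new screenshot's asset path and alt text cannot be checked from the diff alone.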
@@ -22,8 +22,8 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
## Define a custom tag schema
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Tag Schemas**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Tag Schemas**. You can also click the **Go To...** menu at the top of the screen and select **Tag Schemas**.
-1. On the **Tag Schemas** page, click **Create**.
-1. The **Tag Schema** popup appears. The screenshot below shows a previously configured tag schema.
+1. On the **Tag Schemas** page, click **Create**.
+1. The **Tag Schema** popup appears.
1. **Key**. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the **Label** field blank.
1. **Label**. Enter a label for the tag. If you supply a label, that’s what will appear in the UI for assigning tags to a content item.
1. **Content Types**. Select the types that you want the tag to be
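Review bot: dropping "The screenshot below shows a previously configured tag schema." from the popup step is consistent with removing the image, but the two versions of "On the **Tag Schemas** page, click **Create**." are byte-identical in this view, so whatever changed there (presumably an inline image or trailing markup) cannot be reviewed; the same holds for the many identical "Click **Create**." pairs later in this patch. Separately, the **Key** step says the key "won't appear in the UI ... unless you leave the **Label** field blank" while the **Label** step says the label "is what will appear"; consider stating it once, plainly: the label is displayed when set, and the key is displayed only as a fallback.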
@@ -33,6 +33,7 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
* **Entity** The options do not include **Signal** or **Insight**. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
1. **Allow Custom Values**. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the **Value Options** section below.
1. **Value Options**. If **Allow Custom Values** is not checked, you must define at least one value for the tag:
- * **Value**. Enter an allowable value for the tag.
- * **Label**. Enter a label for the value.
- * **Link** (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the **Tactic:TA0002** to associated information on the MITRE site.
+ * **Enter Value**. Enter an allowable value for the tag.
+ * **Enter Label**. Enter a label for the value.
+ * **Enter Link** (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the **Tactic:TA0002** to associated information on the MITRE site.
+
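Review bot: the **Entity** context bullet lacks the period after the bold field name that every other field bullet uses ("**Key**.", "**Label**.", "**Allow Custom Values**."), and the new "**Enter Link** (optional)" bullet keeps the awkward "Enter a URL for it to appear in the Actions menu of the tag in any content items"; suggest "Enter a URL to show in the Actions menu of the tag on any content item to which it has been applied." The trailing `+` line that adds the Tactic:TA0002 screenshot shows no alt text here, so please confirm the image has one.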
diff --git a/docs/cse/administration/create-cse-actions.md b/docs/cse/administration/create-cse-actions.md
index 320c6ee60b..042725ad76 100644
--- a/docs/cse/administration/create-cse-actions.md
+++ b/docs/cse/administration/create-cse-actions.md
@@ -52,8 +52,8 @@ You can configure an Action to send information about an Insight to another syst
What gets sent to the target system depends on the Action type. For some types—Slack, Microsoft Teams, and PagerDuty—the notification contains a summary of the Insight with the following information:
* The Entity the Insight fired on.
-* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to. In the example below, the “Initial Access” tactic is shown.
-* A link to the Insight in Cloud SIEM.
+* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
+* A link to the Insight in Cloud SIEM.
For the other Action types—AWS Simple Notification Service (SNS), Demisto (Cortex XSOAR), HTTP POST v2, and Slack Webhook—the notification includes the Insight itself in JSON format, and in some cases Signals or Records, depending on how you configure the Action.
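Review bot: removing "In the example below, the “Initial Access” tactic is shown." follows from dropping the screenshot, but the remaining sentence "which indicates which stage of the MITRE framework the Insight relates to" now has no illustration of what a tactic in an Insight ID looks like; consider naming one tactic inline (for example "Initial Access", as the removed sentence did) so the reader can still recognise the format.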
@@ -92,9 +92,11 @@ The notification sent by a Rule Action contains the name of the rule and the re
* **Rule**. Click **When Automatically Disabled** to generate a notification when Cloud SIEM disables a rule.
1. **Active**. Move the slider to the right if you’d like the Action to be enabled upon creation.
+Continue filling out the dialog box depending on the type of action you are creating.
+
### AWS Simple Notification Service (SNS)
-When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to SNS.
+When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to the AWS Simple Notification Service (SNS).
You can configure the action to authenticate with SNS using your AWS Access Key and Secret Access Key, or using the **AssumeRole** method.
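Review bot: the context line "authenticate with SNS using your AWS Access Key and Secret Access Key, or using the **AssumeRole** method" presents the two options as equivalent; since this hunk already adds "Continue filling out the dialog box depending on the type of action you are creating", this is the natural place to add one sentence recommending the **AssumeRole** method, which avoids storing a long-lived key pair in Cloud SIEM, and noting that if static keys are used they should be limited to publishing to the one topic configured in the **Topic ARN** field.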
@@ -103,7 +105,7 @@ You can configure the action to authenticate with SNS using your AWS Access Key
1. **Assume Role ARN**. Enter the AssumeRole ARN, if that's how you want to authenticate. Enter the Sumo Logic AWS account ID. For the Sumo Logic ID, see [Create a role manually using the AWS console](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product#create-a-role-manually-using-the-aws-console).
1. **Topic ARN**. Enter the ARN of the SNS topic.
1. **Region**. Enter the AWS region for the SNS topic.
-1. Click **Create**.
+1. Click **Create**.
### Demisto (Cortex XSOAR)
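Review bot: the **Assume Role ARN** step reads "Enter the AssumeRole ARN, if that's how you want to authenticate. Enter the Sumo Logic AWS account ID.", which makes it sound as if the account ID is typed into the same field; the linked page is about creating the role in the AWS console, so the intent is presumably that the Sumo Logic account ID is used when building the role's trust relationship, not entered here. Suggest "Enter the ARN of the role to assume. When you create that role, use the Sumo Logic AWS account ID; see [Create a role manually using the AWS console](...)."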
@@ -115,14 +117,14 @@ When you run this Action type for an Insight, Cloud SIEM sends the full Insight
1. **Create Incident API Endpoint**. Select `/incident/json`.
1. **Extra Headers**. Enter any additional headers you want to send, as line-delimited key:value pairs.
1. **Exclude Records**. Move the slider to the right if you don’t want to include Records in the notification.
-1. Click **Create**.
+1. Click **Create**.
### Email
This Action type sends an email notification.
1. **Recipients**. Enter a comma-separated list of the email addresses to send the notification to.
-1. Click **Create**.
+1. Click **Create**.
When this Action runs on an Insight, the email notification contains:
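Review bot: the **Extra Headers** step says "line-delimited key:value pairs" without showing the expected form; one example line such as `X-Custom-Header: value` would remove the ambiguity about spaces around the colon, and it is worth stating that any header used to carry an authentication token is stored with the Action. The **Exclude Records** toggle is described as a negative ("Move the slider to the right if you don't want to include Records"), which is the inverse of the **Include Records** wording used in the HTTP POST v2 section later in this file; consider aligning the phrasing so readers are not tripped by the flipped sense.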
@@ -149,7 +151,7 @@ in Cloud SIEM.
1. **Include Signals**. Move the slider to the right to send the Signals associated with the Insight in the POST.
1. **Include Records**. Move the slider to the right to send the Records associated with the Signal in the POST.
1. **Record Fields to Include**. If desired, provide a comma-delimited list of selected Record fields to include (instead of all Record fields).
-1. Click **Create**.
+1. Click **Create**.
### Microsoft Teams
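Review bot: the **Include Records** step says "the Records associated with the Signal in the POST" while the preceding **Include Signals** step refers to "the Signals associated with the Insight"; since an Insight can contain several Signals, this should read "the Records associated with the Signals". The **Record Fields to Include** step is also the right place to say that restricting the field list limits how much Record data (which may contain sensitive values) leaves Cloud SIEM for the target system.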
@@ -162,7 +164,7 @@ Create a Webhook connection for the Microsoft Teams channel to which emails shou
#### Configure Action in Cloud SIEM
1. **URL**. Enter the URL for the Webhook connection you created above.
-1. Click **Create**.
+1. Click **Create**.
### PagerDuty
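Review bot: the hunk header context "Create a Webhook connection for the Microsoft Teams channel to which emails should" refers to "emails", but this Action posts to a Teams channel via a Webhook, not by email; suggest "to which notifications should be sent".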
@@ -170,7 +172,7 @@ This Action types sends a notification to PagerDuty.
1. **Service Key**. Enter your PagerDuty service key.
1. **Subdomain**. Enter your PagerDuty account subdomain.
-1. Click **Create**.
+1. Click **Create**.
The notification contains:
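Review bot: the hunk header context line "This Action types sends a notification to PagerDuty." has a typo; it should read "This Action type sends a notification to PagerDuty."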
@@ -192,7 +194,7 @@ Lookups will consume RF API credits.
1. On the **Generate New Token** page:
1. **Name**. Enter a name for the token.
1. **Integration**. Select “Sumologic” from the list of integrations.
-1. Click **Generate**.
+1. Click **Generate**.
1. Copy and save the token.
#### Create Action in Cloud SIEM
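Review bot: the sub-steps after "On the **Generate New Token** page:" (**Name**, **Integration**, Click **Generate**) are numbered at the same level as their parent step, so they render as separate top-level steps; they should be indented under it, as the nested lists elsewhere in this patch are (for example the resolution sub-step in manage-custom-insight-resolutions.md). "Copy and save the token." is also the right place to say where the token is stored on the Cloud SIEM side, since it is pasted into the **API Key** field in the next section.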
@@ -200,13 +202,11 @@ Lookups will consume RF API credits.
1. **API Key**. Enter the Recorded Future API token you generated for the Sumo Logic integration.
1. **Enrich Insights**. Move the slider to the right to enrich Insights.
1. **Enrich Signals of Insights**. Move the slider to the right to enrich Signals.
-1. Click **Create**.
+1. Click **Create**.
#### View Recorded Future Enrichments
-To view an Enrichment that’s been added to an Insight or Signal, navigate to the item and select the **Enrichments** tab.
-
-
+To view an Enrichment that’s been added to an Insight or Signal, navigate to the item and select the [**Enrichments**](/docs/cse/integrations/enrichments-and-indicators/#enrichments) tab.
### Slack
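Review bot: the **Enrich Insights** and **Enrich Signals of Insights** steps only restate the toggle name ("Move the slider to the right to enrich Insights"); since the hunk header context states "Lookups will consume RF API credits", it would help to say here that each enabled toggle triggers Recorded Future lookups that consume those credits, and to link the new [**Enrichments**](/docs/cse/integrations/enrichments-and-indicators/#enrichments) reference from these steps as well as from the "View" section.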
@@ -214,7 +214,7 @@ This Action type sends a message to a Slack channel.
1. **API Key**. Enter your Slack API key.
1. **Channel**. Enter the Slack Channel that messages should go to.
-1. Click **Create**.
+1. Click **Create**.
If the Action was run on an Insight, the message contains:
@@ -233,4 +233,4 @@ Create a Webhook connection for the Slack channel to which Insights should be se
#### Configure Action in Cloud SIEM
1. **Webhook URL**. Enter the URL of the Webhook you created above.
-1. Click **Create**.
+1. Click **Create**.
diff --git a/docs/cse/administration/create-cse-context-actions.md b/docs/cse/administration/create-cse-context-actions.md
index 4a203b0b89..dd8e88b3c6 100644
--- a/docs/cse/administration/create-cse-context-actions.md
+++ b/docs/cse/administration/create-cse-context-actions.md
@@ -107,10 +107,6 @@ The only required parameter in the URL is `{{value}}`. Depending on your use cas
`https://www.criminalip.io/asset/report/{{value}}`
-For example:
-
-
-
## Template parameters for Context Actions
The table below defines the parameters you can use in the URL template for a Context Action.
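Review bot: with "For example:" and its screenshot removed, the example URL `https://www.criminalip.io/asset/report/{{value}}` now stands alone under the sentence "The only required parameter in the URL is `{{value}}`"; it still reads fine, but since Entity values substituted into `{{value}}` can be hostnames or URLs containing reserved characters, the text should state whether the substituted value is URL-encoded before the Context Action link is built. That is a question for the author, not something the diff shows.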
diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md
index 000cff3dd5..862b248f7b 100644
--- a/docs/cse/administration/create-custom-threat-intel-source.md
+++ b/docs/cse/administration/create-custom-threat-intel-source.md
@@ -42,17 +42,17 @@ Rule authors can also write rules that look for threat intelligence information
### Create a threat intelligence source from Cloud SIEM UI
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
-1. Click **Add Source** on the **Threat Intelligence** page.
-1. Click **Custom** on the **Add Source** popup.
-1. On the **Add New Source** popup, enter a name, and if desired, a description for the source.
+1. Click **Add Source** on the **Threat Intelligence** page.
+1. Click **Custom** on the **Add Source** popup.
+1. On the **Add New Source** popup, enter a name, and if desired, a description for the source.
1. Click **Add Custom Source**.
Your new source should now appear on the **Threat Intelligence** page.
### Enter indicators manually
-1. On the **Threat Intelligence** page, click the name of the source you want to update.
-1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**.
+1. On the **Threat Intelligence** page, click the name of the source you want to update.
+1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**.
1. On the **New Threat Intelligence Indicator** popup.
1. **Value**. Enter an IP address, hostname, URL, or file hash.
Your entry must be one of:
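Review bot: the step "On the **New Threat Intelligence Indicator** popup." is a sentence fragment that ends before saying what to do; suggest "On the **New Threat Intelligence Indicator** popup, fill in the following fields:" so the **Value** step that follows reads as a field under it. The first three rewritten steps of the "Create a threat intelligence source" list are byte-identical to the lines they replace in this view, so that change cannot be reviewed here.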
@@ -72,7 +72,7 @@ Your new source should now appear on the **Threat Intelligence** page.
### Upload a file of indicators
If you have a large number of indicators to add to your source, you can
-save time by creating a .csv file and uploading it to Cloud SIEM.
+save time by creating a .csv file and uploading it to Cloud SIEM.
#### Create a CSV file
diff --git a/docs/cse/administration/create-use-network-blocks.md b/docs/cse/administration/create-use-network-blocks.md
index 04a2117cf5..f73e929ebf 100644
--- a/docs/cse/administration/create-use-network-blocks.md
+++ b/docs/cse/administration/create-use-network-blocks.md
@@ -61,8 +61,6 @@ In the case that the two or more Network Blocks overlap, Cloud SIEM uses the sma
When Cloud SIEM looks for the Network Block address `10.128.0.1`, it will return the more-specific block, "WebServer IPs".
-
-
## Create a Network Block manually
Follow these instructions to create a Network Block using the Cloud SIEM UI. For information about creating multiple Network Blocks by file upload, see [Upload a CSV file of Network Blocks](#upload-a-csv-file-of-network-blocks).
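Review bot: the removed lines after "it will return the more-specific block, "WebServer IPs"." appear to be the illustration that defined the overlapping blocks, so the example now names "WebServer IPs" without ever showing its address range or the larger block it overlaps; suggest restoring the two block definitions as text (name and CIDR each) so the `10.128.0.1` lookup result can be followed. The hunk header context "In the case that the two or more Network Blocks overlap" should also read "When two or more Network Blocks overlap".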
@@ -118,6 +116,8 @@ In the table below, the left column contains schema fields that contain IP addre
| `srcDevice_ip `| `srcDevice_ip_location` | `srcDevice_ip_isInternal` |
| `srcDevice_natIp` | `srcDevice_natIp_location` | `srcDevice_natIp_isInternal` |
+
+
## Using enrichment fields
You can use the `*_location` and `*_isInternal` fields the same way you do other Record fields. You can use them to filter Records in rule expressions or in searches.
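Review bot: the table context row "| `srcDevice_ip `| `srcDevice_ip_location` |" has a stray space inside the first code span (`srcDevice_ip `), which renders as a field name with a trailing space and will not match the other rows; it should be `` `srcDevice_ip` ``. The two added blank lines before "## Using enrichment fields" show no content in this view, so if they carry an image its alt text cannot be checked here.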
diff --git a/docs/cse/administration/filter-search.md b/docs/cse/administration/filter-search.md
index adc446ac3e..c7b09d6b5a 100644
--- a/docs/cse/administration/filter-search.md
+++ b/docs/cse/administration/filter-search.md
@@ -11,7 +11,7 @@ keywords:
import useBaseUrl from '@docusaurus/useBaseUrl';
-You can filter and search the list pages in Cloud SIEM—**Insights**, **Signals**, **Entities**, **Records**, **Rules**, and **Network Blocks**—using the **Filter** bar near the top of the page.
+You can filter and search the list pages in Cloud SIEM—**Insights**, **Signals**, **Entities**, **Records**, **Rules**, and **Network Blocks**—using the **Filters** bar near the top of the page.
diff --git a/docs/cse/administration/manage-custom-insight-resolutions.md b/docs/cse/administration/manage-custom-insight-resolutions.md
index 15d7660eb3..d086313434 100644
--- a/docs/cse/administration/manage-custom-insight-resolutions.md
+++ b/docs/cse/administration/manage-custom-insight-resolutions.md
@@ -29,14 +29,15 @@ You can define custom *sub-resolutions* for any of the built-in resolutions. Thi
1. **Parent Resolution**. Display the dropdown list and select a built-in resolution.
1. **Description**. (Optional) Enter a description that will help other users understand when to use the new resolution.
1. Click **Create**.
- 1. The new resolution appears on the **Insight Resolutions** page, indented below the parent resolution.
+ 1. The new resolution appears on the **Insight Resolutions** page, indented below the parent resolution.
## Close an Insight using a custom resolution
-1. After navigating to an Insight, you can close it by either clicking the **Close Insight** button or by selecting **Closed** from the **Status** pulldown.
-1. The **Close Insight** popup presents a list of resolutions, including any custom sub-resolutions that have been defined. Note that a custom resolution is indented below its parent built-in resolution.
+1. After navigating to an Insight, you can close it by either clicking the **Close Insight** button or by selecting **Closed** from the **Status** pulldown.
The **Close Insight** dialog box appears.
+1. Click **Resolution**. The list of resolutions appears, including any custom sub-resolutions that have been defined.
1. Click the appropriate resolution for the Insight.
-1. A popup appears where you can add a comment if desired. Click **Close Insight** to apply the selected resolution and close the Insight.
+1. In **Additional Comments** add a comment if desired.
+1. Click **Close Insight** to apply the selected resolution and close the Insight.
## Filter Insights by custom resolution
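Review bot: "The **Close Insight** dialog box appears." sits between two numbered steps without list indentation, which will break the numbering (the next item restarts the list); it should be indented as a continuation of the step before it. The rewrite also drops the removed sentence "Note that a custom resolution is indented below its parent built-in resolution." from the new "Click **Resolution**" step; that hint is how users tell custom sub-resolutions apart in the list and matches the earlier step "indented below the parent resolution", so consider keeping it.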
@@ -44,6 +45,6 @@ You can filter Insights by custom resolution.
1. On the **Insights** page, check the **Filters** area and make sure that the **Status** filter is not set to “is not closed”.
1. Click in the **Filters** area and select **Custom Resolution**.
-1. You’re prompted to select an operator: **is** or **is not**.
-1. After you choose an operator, you're prompted to select a custom resolution.
-1. Select a resolution to view Insights that have that resolution.
+1. You’re prompted to select an operator: **is** or **is not**.
+1. After you choose an operator, you're prompted to select a custom resolution.
+1. Select a resolution to view Insights that have that resolution.
diff --git a/docs/cse/administration/manage-custom-insight-statuses.md b/docs/cse/administration/manage-custom-insight-statuses.md
index bd475fdf62..7eccd0b860 100644
--- a/docs/cse/administration/manage-custom-insight-statuses.md
+++ b/docs/cse/administration/manage-custom-insight-statuses.md
@@ -28,8 +28,7 @@ To create a custom Insight status:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
1. On the **Statuses** page, click **Create Status**.
1. On the **New Status** popup, enter a name and description for the status.
-1. Click **Color** to select a color for the status. The color will appear on the status on the [Heads Up Display](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display).
-1. Click **Create**.
+1. Click **Color** to select a color for the status. The color will appear on the status on the [Heads Up Display](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display).
## Change the order of Insight statuses
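Review bot: this hunk deletes the final "1. Click **Create**." step, so the "create a custom Insight status" procedure now ends after choosing a color with nothing that saves the **New Status** popup; unless selecting a color commits the status on its own, the step should be restored.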
@@ -43,7 +42,7 @@ To change the order of Insight statuses:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
-1. On the **Statuses** page, each status that can be moved has a handle to the left of its name.
+1. On the **Statuses** page, each status that can be moved has a handle to the left of its name.
1. To move a status to a different location on the list, use your mouse to drag it to the desired location.
## Edit or delete a custom Insight status
diff --git a/docs/cse/administration/mitre-coverage.md b/docs/cse/administration/mitre-coverage.md
index 324e26dbf7..705c56160c 100644
--- a/docs/cse/administration/mitre-coverage.md
+++ b/docs/cse/administration/mitre-coverage.md
@@ -132,7 +132,7 @@ Vendors and products appear in the **Vendor/Product** filter when rules with MIT
If you have custom rules that refer to vendors and products, those vendors and products will not appear in the **Vendor/Product** filter unless they are already added to log mapping.
To add a new vendor and product to log mapping:
-1. Follow the directions in [Create a structured log mapping](/docs/cse/schema/create-structured-log-mapping).
+1. Follow the directions in [Create a Structured Log Mapping](/docs/cse/schema/create-structured-log-mapping).
1. In the screen where you you create a new mapping, navigate to the **If Input Matches** area.
1. In the **When a log from vendor** field, type the vendor name as it appears in messages generated by the product and click the **Create "``"** button that appears beneath the field.
1. In the **and product** field, type the product name as it appears in messages generated by the product and click the **Create "``"** button that appears beneath the field.
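Review bot: the context step "In the screen where you you create a new mapping" has a duplicated "you". The two steps that follow show the button as **Create "``"**, an empty code span, which reads as a rendering error; if the button label echoes the typed name, spell that out, for example "click the **Create "<vendor name>"** button that appears beneath the field" with a visible placeholder. The link-text capitalization change to "Create a Structured Log Mapping" is fine.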
diff --git a/docs/cse/automation/about-automation-service-and-cloud-siem.md b/docs/cse/automation/about-automation-service-and-cloud-siem.md
index 7d2dc966ea..57c619764a 100644
--- a/docs/cse/automation/about-automation-service-and-cloud-siem.md
+++ b/docs/cse/automation/about-automation-service-and-cloud-siem.md
@@ -52,7 +52,7 @@ Before you can access the Automation Service from Cloud SIEM, you must first [co
You can also launch the Automation Service by selecting **Automation** from the main menu:
If you also have Cloud SOAR installed, a **Cloud SOAR** option appears instead, since all automation services are provided by Cloud SOAR when it installed in conjunction with Cloud SIEM.
:::
1. Now that you are in the Automation Service, let's explore a little to see how playbooks run actions that are provided by integrations. Open a [playbook](/docs/platform-services/automation-service/automation-service-playbooks) to see the actions it runs. Click an action to view the integration resource that provides it. In the example below, notice that in the **Send Insight Slack Notification** playbook, the **Slack resource** provides the **Get User** action.
-1. Now that we know the resource that provides the action, let's look for the integration that contains that resource. In our case, we're looking for the integration with the Slack resource. Click [**Integrations**](/docs/platform-services/automation-service/automation-service-integrations) in the left navigation bar.
+1. Now that we know the resource that provides the action, let's look for the integration that contains that resource. In our case, we're looking for the integration with the Slack resource. Click [**Cloud SIEM > Integrations**](/docs/platform-services/automation-service/automation-service-integrations) in the left navigation bar.
1. If we open the **Slack** integration, we see the **Get User** action used in the **Send Insight Slack Notification** playbook. Now you know how integrations provide actions that are run in playbooks.
To learn how to create automations in Cloud SIEM that run playbooks from the Automation Service, see [Automations in Cloud SIEM](/docs/cse/automation/automations-in-cloud-siem).
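Review bot: the new link text "**Cloud SIEM > Integrations**" points at the Automation Service integrations page (`/docs/platform-services/automation-service/automation-service-integrations`), while the surrounding steps say the reader is already inside the Automation Service ("Now that you are in the Automation Service"); please confirm the left navigation actually shows a "Cloud SIEM > Integrations" entry there, otherwise the old "**Integrations**" text was more accurate. The hunk context "when it installed in conjunction with Cloud SIEM" should read "when it is installed".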
diff --git a/docs/cse/automation/automations-in-cloud-siem.md b/docs/cse/automation/automations-in-cloud-siem.md
index 2f5bbd6ee5..6019e1bed0 100644
--- a/docs/cse/automation/automations-in-cloud-siem.md
+++ b/docs/cse/automation/automations-in-cloud-siem.md
@@ -92,7 +92,7 @@ To view the automations that have run on Insights or Entities, see [View results
The following procedure provides a brief introduction to how to create an automation. For detailed examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
-1. At the top of the automations screen, click **New Automation**. (To modify an existing automation, click on the edit icon for the corresponding automation.)
+1. At the top of the automations screen, click **Create**. (To modify an existing automation, click on the edit icon for the corresponding automation.)
1. In the **New Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation.
1. In **Expects attributes for** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM.
1. If **Entity** is selected, in the **Type** field select one or more Entity types. The playbook will only execute on the Entity types selected.
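Review bot: the button is renamed from **New Automation** to **Create** here, but the next step still says "In the **New Automation** dialog", and cloud-siem-automation-examples.md later in this same patch keeps the context line "At the top of the automations screen, click **New Automation**."; either the dialog title really is unchanged and the examples page needs the same rename, or both should be updated together.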
@@ -114,7 +114,7 @@ If an automation is set to run when an Insight is created or closed, it runs aut
Automations can be run manually from the **Actions** drop-down menu on [Insight details](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui#insight-details-page) pages:
-
+
You will see three sections in the **Actions** menu:
* **Insight Automation**. Displays a list of all enabled Insight automations configured to run manually.
@@ -125,7 +125,7 @@ You will see three sections in the **Actions** menu:
On [Entity details](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-details-page) pages, Entity Automations can be run manually from the **Automations** drop-down menu:
-
+
:::tip
You can run the same automation more than once for a given Entity or Insight, but not at the same time. Additional attempts to run an automation while an instance is running will result in an error.
@@ -141,11 +141,6 @@ On an Insight, if you select **Actions** > **Entity Automation > Run Automations
1. Click **Next**. A list displays of all Entity automations that are enabled, configured to be run manually, and configured for at least one of the Entity types you selected on the previous screen.
1. Select the automations you wish to run and click **Run Automation**. The system will automatically run the appropriate automations for the appropriate Entity Types.
-In this example:
- * The CarbonBlack automation is configured for IP Addresses, Email Addresses, and Domain Names, so it will run four times (once for the Email Address and once for each IP Address selected on the previous screen).
- * The nslookup automation is configured to only run on IP Addresses so it will run three times.
- * No automation will run on the Hostname.
-
## View results of an automation
If an automation is set to run when an Insight is created or closed, it [runs automatically](#run-an-automation-automatically). You can also [run an automation manually](#run-an-automation-manually).
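Review bot: deleting the "In this example:" block removes the only explanation of the rule behind "The system will automatically run the appropriate automations for the appropriate Entity Types": that an automation runs once per selected Entity whose type it is configured for, and not at all for Entities of other types. If the screenshot is gone, keep that rule as one sentence rather than dropping it with the example.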
@@ -172,7 +167,7 @@ After [running an automation](#run-an-automation-automatically), you can go to t
-On each card you will find:
+For each automation you will find:
* The time and date when the automation was run.
* The name and description of the associated playbook.
* The playbook’s current status.
@@ -184,11 +179,11 @@ You may have to manually refresh this screen to see the most current status.
If you click **View Playbook**, the Automation Service UI will open to the playbook status page:
-
+
-You can switch to the graphical view by clicking **Graph** in the upper-right corner:
+You can switch to the graphical view by clicking **Graph View** in the upper-right corner:
-
+
## Migrate from legacy actions and enrichments to the Automation Service
diff --git a/docs/cse/automation/cloud-siem-automation-examples.md b/docs/cse/automation/cloud-siem-automation-examples.md
index c4935ff44b..4946f98a18 100644
--- a/docs/cse/automation/cloud-siem-automation-examples.md
+++ b/docs/cse/automation/cloud-siem-automation-examples.md
@@ -19,17 +19,15 @@ Following are examples that show you how to create Cloud SIEM automations using
The following example shows how to add an enrichment to an Insight using the “IP Reputation V3” action from VirusTotal.
1. Edit the VirusTotal OIF resource:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**..
- 1. From the Automation screen, click **Manage Playbooks**. This opens the [Automation Service UI](/docs/platform-services/automation-service/about-automation-service/#automation-service-ui).
- 1. Click **Integrations** in the navigation menu.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation** and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**.
1. Select **VirusTotal OIF**.
- 1. Hover your mouse over the resource name and click the **Edit** button that appears.
+ 1. Hover your mouse over the resource name and click the **Edit** button that appears.
1. In the **Edit resource** dialog, enter the **API URL**: `https://www.virustotal.com`.
1. Enter the **API Key**. See the [VirusTotal documentation](https://support.virustotal.com/hc/en-us/articles/115002100149-API) to learn how to obtain the API key. If you do not already have a VirusTotal account, you need to create one to get an API key.
1. Click **Save**.
1. Create the playbook:
- 1. Click **Playbook** in the navigation menu.
- 1. Click the **+** button to the left of **Playbook**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
+ 1. Click the **+** button to the left of **Playbook**.
1. In the **New playbook** dialog, give your playbook a **Name**.
1. For **Type**, enter **CSE**.
1. Enter a **Description**.
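Review bot: the old Classic UI line under "Edit the VirusTotal OIF resource:" is removed, but its companion New UI context line "[**New UI**] ... In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.." is left in place, so the step now shows that stale Cloud SIEM path (with a double period) immediately before the newly added Classic UI / New UI pair for **Automation > Integrations**; that line should be removed in the same hunk. The added Classic UI line for creating the playbook uses "select **Automation > Playbooks**" with the same wording as the New UI line, which is fine if both UIs share that path.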
@@ -63,9 +61,8 @@ The following example shows how to add an enrichment to an Insight using the “
1. Click the **Save** button (floppy disk icon) at the bottom of the playbook view.
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
-1. Create an automation to run the playbook:
- 1. Return to the main Cloud SIEM screen.
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
+1. Create an automation in Cloud SIEM to run the playbook:
+ 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
1. At the top of the automations screen, click **New Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
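Review bot: the same orphan appears here: the old "[**New UI**] ... select **Automation**." context line under the removed "Return to the main Cloud SIEM screen." step is kept, and the hunk then adds a second, identical New UI line after the new Classic UI line, so the step lists the New UI path twice; delete the first copy. "At the top of the automations screen, click **New Automation**." also conflicts with the rename to **Create** made in automations-in-cloud-siem.md earlier in this patch.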
@@ -85,16 +82,14 @@ The following example shows how to add an enrichment to an Insight using the “
Depending on the action, you may need to select a playbook input. The playbook inputs define the kind of input data needed for the action. For descriptions of the playbook inputs, see the responses on the [Get an Insight API](https://api.sumologic.com/docs/sec/#operation/GetInsight).
-
+
## Intermediate example: Configure a notification
The following example shows how to configure a notification that sends an email upon completion of an action to perform a log search in Sumo Logic core platform.
1. Edit the Sumo Logic resource:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
- 1. From the Automation screen, click **Manage Playbooks**. This opens the [Automation Service UI](/docs/platform-services/automation-service/about-automation-service/#automation-service-ui).
- 1. Click **Integrations** in the navigation menu.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation** and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**.
1. Select **Sumo Logic**.
1. Hover your mouse over the resource name and click the **Edit** button that appears.
1. In the **Edit resource** dialog, enter the **API URL** for your Sumo Logic core platform instance (for example, `https://api.us2.sumologic.com`). For the URL to use for your Sumo Logic instance, see [Sumo Logic Endpoints by Deployment and Firewall Security](/docs/api/getting-started#sumo-logic-endpoints-by-deployment-and-firewall-security).
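Review bot: dropping the "click **Manage Playbooks**" sub-step also drops the only link to the Automation Service UI page (/docs/platform-services/automation-service/about-automation-service/#automation-service-ui), even though the rest of this procedure (editing the resource, the playbook editor, **Run Test**, **Publish**) happens in that UI; consider carrying that link into the new Classic UI/New UI sentence or into the section intro. Separately, the -/+ pair directly after the "Get an Insight API" paragraph shows no visible difference in this view; if it is an image reference or whitespace change, confirm it is intended.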
@@ -103,8 +98,8 @@ The following example shows how to configure a notification that sends an email
1. Select your **Time Zone**.
1. Click **Save**.
1. Create the playbook:
- 1. Click **Playbook** in the navigation menu.
- 1. Click the **+** button to the left of **Playbook**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
+ 1. Click the **+** button to the left of **Playbook**.
1. In the **New playbook** dialog, give your playbook a **Name**, such as **Notification for a log search**.
1. For **Type**, enter **CSE**.
1. Enter a **Description**.
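Review bot: the Classic UI wording for reaching playbooks does not match the Classic UI wording used for integrations in the previous hunk: here it is "select **Automation > Playbooks**" (identical to the New UI sentence), while the integrations step reads "select **Automation** and then select **Integrations** in the left nav bar". Use one form for Classic UI in both places, for example "select **Automation** and then select **Playbooks** in the left nav bar"; the same pair of lines is added again for the IP Quality Score and VirusTotal playbooks later in this patch, so fix all three.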
@@ -120,27 +115,26 @@ The following example shows how to configure a notification that sends an email
1. For **Action**, select **Search Sumo Logic**.
1. In the **Query** box enter the search query you want to make in the Sumo Logic core platform. For help with queries, see [General Search Examples Cheat Sheet](/docs/search/search-cheat-sheets/general-search-examples/).
1. For **Last Period** select **1 Hour**.
- 1. Click **Create**.
+ 1. Click **Create**.
1. Add the "Send Email" action to the playbook:
1. Hover your mouse over the new **Search Sumo Logic** node.
1. Click the **Add Node** button (**+** icon) at the bottom of the **Search Sumo Logic** node.
1. Select **Action**.
- 1. In the **Add node** dialog, ror **Integration** select **Basic Tools**.
+ 1. In the **Add node** dialog, for **Integration** select **Basic Tools**.
1. Ensure that **Type** is **Notification**.
1. For **Action** select **Send Email**.
1. In **Recipients** enter your email address and press Enter.
1. For **Subject** type a subject line for the email (for example, "Results of Sumo Logic log search").
1. In **Plain text content** enter the text you want to appear in the body of the email. For example, enter "Search in Sumo Logic was executed. Click the Automations tab at the top of the Insight for which the 'Notification for a log search' automation was run. Click 'View Playbook' to see the results."
1. Copy the plain text content into **HTML content** and add formatting if desired.
- 1. Click **Create**.
+ 1. Click **Create**.
1. Click and hold on the right semicircle of the new **Send Email** node and drag to the semicircle of the **END** node and release. The playbook is complete.
1. Save the playbook:
1. Click the **Save** button (floppy disk icon) at the bottom of the playbook view.
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
-1. Create an automation to run the playbook:
- 1. Return to the main Cloud SIEM screen.
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+1. Create an automation in Cloud SIEM to run the playbook:
+ 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu of Cloud SIEM select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. At the top of the automations screen, click **New Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
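Review bot: the new Classic UI sentence here reads "In the top menu of Cloud SIEM select **Configuration**", while the same step in the other three examples in this file reads "In the top menu select **Configuration**"; align the four occurrences. The `ror` to `for` fix in the Basic Tools step is good. The two "Click **Create**." -/+ pairs in this hunk show no visible change; if they are whitespace-only, drop them so the diff contains only the intended edits.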
@@ -169,21 +163,21 @@ The action uses [IP Quality Score](https://www.ipqualityscore.com/) to gather IP
1. Log in.
1. Go to your [account settings](https://www.ipqualityscore.com/user/settings) and copy the **API Key**. You will use this key later.
1. Create a new IP Quality Score integration:
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
- 1. From the Automation screen, click **Manage Playbooks**. This opens the [Automation Service UI](/docs/platform-services/automation-service/about-automation-service/#automation-service-ui).
- 1. Click **Integrations** in the navigation menu.
- 1. Click the **+** icon at the top of the screen to the left of **Integrations**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation** and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**.
+ 1. Click the **+** icon at the top of the screen to the left of **Integrations**.
1. Download this file: IP-Quality-Score-Test.yaml.
- 1. In the **New Integration** dialog, drag the file into the **Select File** box.
+ 1. In the **New Integration** dialog, click **Upload File**.
+ 1. Drag the file into the **Select File** box.
1. Click **Upload**. An IP Quality Score integration is created.
1. Open the new **IP Quality Score** integration.
1. Hover your mouse over the **IP Quality Score** name and click the **Upload** button that appears.
- 1. In the **Upload** dialog, select **Action** in the **kind** field.
+ 1. In the **Upload** dialog, select **Action** in the **Type** field and click **Next**.
1. Download this file: IP-Reputation.yaml.
+ 1. In the **Upload** dialog, click **Upload File**.
1. Drag the file into the **Select File** box.
1. Click **Upload**. The **IP Reputation** action appears in the IP Quality Score integration.
1. Add the IP Quality Score integration resource:
- 1. Click the **+** button to the left of **Resources**.
+ 1. Click the **+** button to the left of **Resources**.
1. Fill out the **Add Resource** dialog:
* **Label**: Enter **IP Quality Score Resource**.
* **API URL**: Enter `https://www.ipqualityscore.com/`.
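Review bot: both "Download this file" steps are placed in the middle of a dialog interaction: the integration YAML download comes after clicking the **+** icon and before "click **Upload File**", and the action YAML download comes between "select **Action** in the **Type** field and click **Next**" and "In the **Upload** dialog, click **Upload File**". Move each download ahead of the step that opens its dialog (or into a short preparation list next to the API key step) so the reader is not sent away from a half-completed dialog.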
@@ -193,8 +187,8 @@ The action uses [IP Quality Score](https://www.ipqualityscore.com/) to gather IP
* **Proxy options**: Select **Use no proxy**.
1. Click **Save**.
1. Create the playbook:
- 1. Click **Playbook** in the navigation menu.
- 1. Click the **+** button to the left of **Playbook**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
+ 1. Click the **+** button to the left of **Playbook**.
1. Give your playbook a **Name**, such as **Custom Enrichment with IP Quality Score**.
1. For **Type**, select **CSE**.
1. Enter a **Description**.
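Review bot: "For **Type**, select **CSE**" here versus "For **Type**, enter **CSE**" in the same playbook-creation step of the Intermediate and Complex examples; use one verb (select, if **Type** is a dropdown) in all three lists.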
@@ -222,7 +216,7 @@ The action uses [IP Quality Score](https://www.ipqualityscore.com/) to gather IP
1. To the right of the **IP** field, click the gear icon.
1. Click [**Playbook inputs**](#playbook-inputs).
1. Select **input.entity.value**.
- 1. Click **Create**.
+ 1. Click **Create**.
1. Add the “Add Insight Enrichment” action to the playbook:
1. Hover your mouse over the new **IP Reputation** node.
1. Click the **Add Node** button (**+** icon) at the bottom of the **IP Reputation** node.
@@ -237,15 +231,14 @@ The action uses [IP Quality Score](https://www.ipqualityscore.com/) to gather IP
1. To the right of the **Raw JSON** field, click the gear icon.
1. Click **IP Reputation**.
1. Select **output.raw**.
- 1. Click **Create**.
+ 1. Click **Create**.
1. Click and hold on the right semicircle of the new **Add Insight Enrichment** node and drag to the semicircle of the **END** node and release. The playbook is complete.
1. Save the playbook:
1. Click the **Save** button (floppy disk icon) at the bottom of the playbook view.
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
-1. Create an automation to run the playbook:
- 1. Return to the main Cloud SIEM screen.
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+1. Create an automation in Cloud SIEM to run the playbook:
+ 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. At the top of the automations screen, click **New Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
@@ -278,9 +271,7 @@ The resulting playbook should look like this:
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
- 1. From the Automation screen, click **Manage Playbooks**. This opens the [Automation Service UI](/docs/platform-services/automation-service/about-automation-service/#automation-service-ui).
- 1. Click **Integrations** in the navigation menu.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation** and then select **Integrations** in the left nav bar.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Integrations**. You can also click the **Go To...** menu at the top of the screen and select **Integrations**.
1. Select **VirusTotal OIF**.
1. Hover your mouse over the resource name and click the **Edit** button that appears.
1. In the **Edit resource** dialog, enter the **API URL**: `https://www.virustotal.com`.
@@ -298,8 +289,8 @@ The following example pulls together elements of the [Simple example](#simple-ex
1. Select your **Time Zone**.
1. Click **Save**.
1. Create the playbook:
- 1. Click **Playbook** in the navigation menu.
- 1. Click the **+** button to the left of **Playbook**.
+ 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
+ 1. Click the **+** button to the left of **Playbook**.
1. In the **New playbook** dialog, give your playbook a **Name**.
1. For **Type**, enter **CSE**.
1. Enter a **Description**.
@@ -350,7 +341,7 @@ The following example pulls together elements of the [Simple example](#simple-ex
1. For **Action**, select **Search Sumo Logic**.
1. In the **Query** box enter the search query you want to make in the Sumo Logic core platform. In the example below, a placeholder queries for a value obtained from the IP Reputation V3 node. For help with queries, see [General Search Examples Cheat Sheet](/docs/search/search-cheat-sheets/general-search-examples/).
1. For **Last Period** select **15 Minutes** (or any time period you want).
- 1. Click **Create**.
+ 1. Click **Create**.
1. Click and hold on the right semicircle of the new Search Sumo Logic node and drag to the semicircle of the **END** node and release.
1. Add the “Send Email” action to the playbook, which will run if no value is returned from the IP Reputation V3 node:
1. Click the **Add Node** button (**+** icon) on the new **Condition**.
@@ -369,9 +360,8 @@ The following example pulls together elements of the [Simple example](#simple-ex
1. Click the **Save** button (floppy disk icon) at the bottom of the playbook view.
1. To [test the playbook](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook), click the kebab button in the upper-right of the UI and select **Run Test**.
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
-1. Create an automation to run the playbook:
- 1. Return to the main Cloud SIEM screen.
- 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
+1. Create an automation in Cloud SIEM to run the playbook:
+ 1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
1. For **Expects attributes for**, select **Insight**.
1. For **Executes when**, select **Manually Done**.
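Review bot: this list jumps from the Classic UI/New UI navigation sub-step straight to "For **Playbook**, select the playbook you created in the previous steps", while the equivalent lists in the other three examples have "At the top of the automations screen, click **New Automation**." in between; add that sub-step here, otherwise the **Playbook** field is never opened.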
diff --git a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
index c4c2af89e2..25333eecb7 100644
--- a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
+++ b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
@@ -109,7 +109,9 @@ At the top of the Insight details page, you’ll see a Signal timeline that visu
1. **Signals**. The Signals link allows you to switch back to the Signals view from the Enrichments view, described below.
+1. **Entities**. Click to view [Entities](#about-the-entities-tab-graph-view) on the Signal.
1. **Enrichments**. Click this tab to view any enrichments that have been added to the Insight, including the output of the [Insight Enrichment Server](/docs/cse/integrations/insight-enrichment-server/).
+1. **Automations**. Click to view [automations](/docs/cse/automation/automations-in-cloud-siem/#view-results-of-an-automation) on the Insight.
1. **Signal timeline**. The timeline shows how spread apart each Signal in the Insight is. You can use the timeline to visualize how long these events are spread over and how often the Signals fire.
1. **Timeline controls**. The arrows on the far left and right sides allow you to toggle between each Signal to show the details on each. You can also click a specific Signal on the timeline to jump to those details.
1. **Legend**. Key to the symbols used to represent the Signals:
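Review bot: the new **Entities** item says "Click to view Entities on the Signal", but this list describes the Insight details page and the sibling **Automations** item says "on the Insight"; change it to "on the Insight". The link target `#about-the-entities-tab-graph-view` also points only at the graph-view subsection, while the Entities tab has both a list view and a graph view (see the later hunk in this file), so link to the Entities tab section itself. Inserting two items into this ordered list shifts the number of every item after them; any screenshot callouts keyed to those numbers need updating.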
@@ -120,8 +122,6 @@ At the top of the Insight details page, you’ll see a Signal timeline that visu
1. **Show Related**. Click this link to show Related Signals in addition to Attached Signals. If you click the **Show Related** checkbox, the page updates and also displays any Related Signals or Related Insights.
* A *Related Signal* is a Signal that isn’t part of the current Insight (it’s not attached), but fired on the same Entity as the current Insight’s attached Signals within 7 days of the current Insight’s attached Signals.
* A *Related Insight* is an Insight that a Related Signal is attached to.
-
Here is an example of what a Related Signal and Related Insight look like in the Signal list. Note that, to distinguish between Signals that are attached as opposed to related, an Attached Signal has a blue vertical “ornament” on the left side of the row. A Related Signal does not.
-
1. **Sort options**. You can sort the Signals list by Content Type, Event Time, Created Time, Name, or Severity. Note that you can further sort by ascending or descending value.
1. **Add Signals**. Click this option if you want to add a Signal to the Insight. You’ll be prompted with a list of Signals that have the same Entity as the current Insight (if there are any), and are not already attached to another Insight. A Signal that you add to an Insight manually is considered an Attached Signal.
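Review bot: the two removed lines on either side of "Here is an example of what a Related Signal and Related Insight look like in the Signal list." are blank in this view, which suggests they were the screenshot that sentence introduces; if the image is going away, remove or reword the introducing sentence too so it does not point at nothing.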
@@ -150,7 +150,7 @@ The **Entities** tab includes two views, the **list** view and the **graph** vie
The screenshot below shows the **Entities** tab **list** view for an Insight.
-
+
In this view, the primary Entity is always displayed first. (This is the Entity common to each of the Signals in the Insight). Below the primary Entity all of the related Entities are listed.
@@ -198,35 +198,31 @@ The card for an Entity displays any [tags](/docs/cse/records-signals-entities-in
#### About the Entities tab graph view
-The screenshot below shows the **Entities** tab **graph** view for an Insight.
+The screenshot below shows the **Entities** tab graph view for an Insight.
-
+
By default, this view shows the same entities that are displayed on the list view. However, the system will look for additional relationships outside of the Insight during the detection window to aid in deeper investigation.
-To switch between the list and graph view, click the chooser in the upper-right corner of the panel **(1)**.
-
-The graph view has several controls **(2)**:
-
-* A **key** that explains how to read the graph
-* **Zoom** controls (you can also use your mouse wheel)
-* A **screen size** control, which toggles between the center pane view and a full browser window view
-* A **reset** control, which resets the view to the original default
-* A link to **help**
-* A **filter** control, which enables you to view only specific Entity types in the graph
-* A **time frame** control, which controls what time frame to use when searching for and viewing relationships outside of the Insight
-
-Each node in the graph represents a single Entity and will include an icon representing the Entity type and the value (name). The primary Entity for this Insight will be larger and centered by default **(3)**. Entities that are related to this Insight will have an Insight icon on their upper-left edge **(4)**.
-
-When you select an Entity, it will be highlighted in blue **(5)** and the Entity details pane will appear on the right.
-
-As on the list view, the Entities that appear on the same Signal (also known as *involved* Entities) will be connected with dashed lines **(6)**. Entities with a *detected* relationship will be connected with solid lines **(7)**. A *detected relationship* is when a relationship is detected between Entities (for example, when an IP and hostname appear in a record together, but not necessarily in the insight being viewed).
-
-If you hover over an Entity, it and all connections to it will be highlighted in blue **(8)** and if its value is not fully visible by default, the full value will be displayed.
-
-Any Entity with an Indicator will have an additional icon in the upper right **(9)** and if the Indicator is Malicious or Suspicious, the Entity will be highlighted in red or yellow accordingly.
-
-Finally, if Cloud SIEM has detected additional relationships *outside* of the Insight during the selected time frame, an expand/contract control **(10)** will appear on the Entity. Clicking on that control will reveal (or hide) those additional relationships.
+1. **Graph view**. To switch between the list and graph view, click the chooser in the upper-right corner of the panel.
+1. **Primary Entity**. Each node in the graph represents a single Entity and will include an icon representing the Entity type and the value (name). The primary Entity for this Insight will be larger and centered by default.
+1. **Involved Entities**. As on the list view, the Entities that appear on the same Signal (also known as *involved* Entities) will be connected with dashed lines.
+1. **Related Entities**. Entities that are related to this Insight will have an Insight icon on their upper-left edge.
+1. **Selected Entity**. When you select an Entity, it will be highlighted in blue and the Entity details pane will appear on the right.
+1. **Expand control**. If Cloud SIEM has detected additional relationships *outside* of the Insight during the selected time frame, an expand/contract control will appear on the Entity. Clicking on that control will reveal (or hide) those additional relationships.
+1. **Controls**. The graph view has several controls:
+ * A **key** that explains how to read the graph
+ * **Zoom** controls (you can also use your mouse wheel)
+ * A **screen size** control, which toggles between the center pane view and a full browser window view.
+ * A **reset** control, which resets the view to the original default.
+ * A link to **help**.
+ * A **filter** control, which enables you to view only specific Entity types in the graph.
+ * A **time frame** control, which controls what time frame to use when searching for and viewing relationships outside of the Insight.
+
+In addition, the following can appear in the graph:
+* **Detected Entities**. Entities with a *detected* relationship will be connected with solid lines. A *detected relationship* is when a relationship is detected between Entities (for example, when an IP and hostname appear in a record together, but not necessarily in the insight being viewed).
+* **Threat indicators**. Any Entity with a threat indicator will have an additional icon in the upper right. If the threat indicator is Malicious or Suspicious, the Entity will be highlighted in red or yellow accordingly.
+* **Hover**. If you hover over an Entity, it and all connections to it will be highlighted in blue. If its value is not fully visible by default, the full value will be displayed.
Watch this micro lesson to learn more about the Entity relationship graph.
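Review bot: terminal punctuation is inconsistent in the new **Controls** sub-list: "A **key** that explains how to read the graph" and "**Zoom** controls (you can also use your mouse wheel)" have no period while the remaining five items do (the removed list had none on any item). The rewritten intro sentence also drops the bold from "graph view" while the list-view counterpart earlier in this file still reads "**Entities** tab **list** view"; make the two sentences match.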
diff --git a/docs/cse/get-started-with-cloud-siem/insight-generation-process.md b/docs/cse/get-started-with-cloud-siem/insight-generation-process.md
index a7666bd85e..ba1856fe83 100644
--- a/docs/cse/get-started-with-cloud-siem/insight-generation-process.md
+++ b/docs/cse/get-started-with-cloud-siem/insight-generation-process.md
@@ -91,9 +91,9 @@ After Cloud SIEM fires a particular Signal on a particular Entity, it suppresse
### Example of an Entity that has reached Activity Score threshold
-In the screenshot below, the **Details** pane on the left shows that the Insight was created for the entity “192.168.1.1”, an IP address. The right side of the page shows the three Signals that contributed to the Insight. You can see each of the Signals relate to the IP address for which the Insight was created; in the Record underlying each of the Signals, is mapped to the `srcDevice_ip` schema attribute.
+In the screenshot below, the **Details** pane on the left shows that the Insight was created for the entity “217.xxx.x.x”, an IP address. The right side of the page shows the Signals that contributed to the Insight. You can see each of the Signals relate to the IP address for which the Insight was created; in the Record underlying each of the Signals, is mapped to the `srcDevice_ip` schema attribute.
-The severity of each Signal is also shown. Cloud SIEM generated an Insight for entity “192.168.1.1” because the cumulative severity of Signals fired for that entity within a two week period exceeds the threshold Activity Score.
+The severity of each Signal is also shown. Cloud SIEM generated an Insight for entity “217.xxx.x.x” because the cumulative severity of Signals fired for that entity within a two week period exceeds the threshold Activity Score.
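Review bot: the rewritten sentence still has no subject in its final clause, "in the Record underlying each of the Signals, is mapped to the `srcDevice_ip` schema attribute"; since the line is being changed anyway, make it "in the Record underlying each Signal, that IP address is mapped to the `srcDevice_ip` schema attribute". Also "two week period" should be "two-week period". Replacing the RFC 1918 example 192.168.1.1 with the masked "217.xxx.x.x" is fine provided the screenshot the sentence refers to shows the same masked value.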
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
index 2fc314ac03..fd5715650e 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
@@ -63,7 +63,7 @@ In this step you configure Zeek to send log messages to the Sumo Logic platform.
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configure-collection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
-1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
+1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
1. On the **Create Sumo Logic Mapping** popup:
1. **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector in [Step 1](#step-1-configure-collection).
1. **Format**. Enter *Bro/Zeek JSON*.
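Review bot: the Classic UI line two lines above the changed step has a duplicated word, "and then and under **Integrations** select **Sumo Logic**"; since this list is being touched, fix it to "and then under **Integrations**". The "click **Create**." -/+ pair shows no visible change in this view; if it is whitespace-only, drop it.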
diff --git a/docs/cse/ingestion/sumo-logic-ingest-mapping.md b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
index 5da33ad006..554af03be7 100644
--- a/docs/cse/ingestion/sumo-logic-ingest-mapping.md
+++ b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
@@ -76,12 +76,12 @@ For these formats, Cloud SIEM uses the values you configure for **Product**, **V
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
1. The **Log Mappings** page displays a list of mappers.
1. In the **Filters** area, you can filter the list of log mappings by
- typing in a keyword, or by selecting a field to filter by.
-1. When you find the mapper you’re looking for, you can find the **Product**, **Vendor**, and **Event ID pattern** for a mapper on the **If Input Matches** side of the **Input/Output** side of the page.
- * **Format**. This is the value labeled **c** in the screenshot below.
- * **Product**. This is the value labeled **b** in the screenshot below.
- * **Vendor**. This is the value labeled **a** in the screenshot below.
- * **Event ID pattern**. This is the value labeled **d** in the screenshot below.
+ typing in a keyword, or by selecting a field to filter by.
+1. When you find the mapper you’re looking for, you can find the following for a mapper on the **If Input Matches** side of the page:
+ * Vendor
+ * Product
+ * Format
+ * Event ID pattern
### Quick reference to configuring ingest mappings
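Review bot: the new four-item list drops the bold that the removed list had on the field names (**Format**, **Product**, **Vendor**, **Event ID pattern**), while the paragraph this hunk sits under still bolds them ("the values you configure for **Product**, **Vendor**, ..."); keep the bold so the list matches the rest of the page. Reordering to Vendor, Product, Format, Event ID pattern is fine as long as it follows the field order on the **If Input Matches** side of the page, which is what the old a/b/c/d callouts were encoding.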
@@ -105,7 +105,7 @@ This table in this section is a quick reference to supplying values for each su
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
-1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
+1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
1. On the **Create Sumo Logic Mapping** popup:
1. **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector.
1. **Format**. Follow the instructions for the type of messages your source collects:
@@ -166,10 +166,9 @@ If you would like to manipulate the JSON data before it’s flattened and parsed
`{ “pets” : { “fluffy” : “cat” , “fido” : “dog”, “sammy” : “snake”}}`
The JSON Zip parameters are:
-
-* **Key Name**. The name of the attribute whose value is the array to zip.
-* **Match Key**. The name of the attribute that represents the key in the output. In the example above, it’s `name`.
-* **Match Value**. The attribute in the array object that represents the value in the final output. In the example above it’s `type`.
+ * **Key Name**. The name of the attribute whose value is the array to zip.
+ * **Match Key**. The name of the attribute that represents the key in the output. In the example above, it’s `name`.
+ * **Match Value**. The attribute in the array object that represents the value in the final output. In the example above it’s `type`.
### JSON messages with a syslog header
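Review bot: the example output on the line above the parameter list uses curly quotes (`{ “pets” : { “fluffy” : “cat” ...`), so it is not valid JSON and will fail if a reader pastes it into a parser; use straight double quotes, and since this block is being re-indented anyway, put the example in a fenced code block rather than an inline span. On the indentation itself: two leading spaces before the three bullets render as a list in CommonMark, but if the intent is to nest them under a numbered step, the "The JSON Zip parameters are:" sentence needs the same indentation.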
diff --git a/docs/cse/ingestion/view-mappers-for-product.md b/docs/cse/ingestion/view-mappers-for-product.md
index 1ed7c9b8f5..115e26ddb4 100644
--- a/docs/cse/ingestion/view-mappers-for-product.md
+++ b/docs/cse/ingestion/view-mappers-for-product.md
@@ -13,5 +13,5 @@ See the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-con
Cloud SIEM may have more than one log mapping for a particular product. For example, there may be a separate mapping for each message type issued by a product. You can view the available mappings in the Cloud SIEM UI.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. In the **Filters** area, filter by **Output Vendor**, **Output Product**, or both. In the following screenshot, the list of mappings is filtered to display mappings for *Output Vendor is Proofpoint*. The list contains six mappings for two Proofpoint products: five for Targeted Attack Protection, and one for Proofpoint On Demand.
+1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
+1. In the **Filters** area, filter by **Output Vendor**, **Output Product**, or both.
In the following screenshot, the list of mappings is filtered to display mappings for *Output Vendor is Proofpoint*. The list contains six mappings for two Proofpoint products: five for Targeted Attack Protection, and one for Proofpoint On Demand.
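Review bot: Splitting the screenshot sentence out of the **Filters** step leaves "In the following screenshot, the list of mappings is filtered ..." as an unindented line directly after a list item; CommonMark treats that as a lazy continuation of the item, so it still renders inside the step, while any later blank line would push it out of the list. Indent it to match the step if it belongs there, or add a blank line if it is meant to stand on its own. The hard-coded counts ("six mappings ... five for Targeted Attack Protection, and one for Proofpoint On Demand") will drift from the screenshot as mappers are added; consider wording that does not commit to numbers.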
diff --git a/docs/cse/integrations/configuring-threatq-source-in-cse.md b/docs/cse/integrations/configuring-threatq-source-in-cse.md
index cf16f2049e..ba803878ec 100644
--- a/docs/cse/integrations/configuring-threatq-source-in-cse.md
+++ b/docs/cse/integrations/configuring-threatq-source-in-cse.md
@@ -18,8 +18,8 @@ To do so, you simply configure a ThreatQ source in Cloud SIEM. You supply the in
## Configure a ThreatQ source
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
-1. On the **Threat Intelligence** page, click **Add Source**.
-1. On the **Add New Source** page, click **Create** in the ThreatQ tile.
+1. On the **Threat Intelligence** page, click **Add Source**.
+1. On the **Add New Source** page, click **Create** in the ThreatQ tile.
1. The **Add New Source** page updates.
1. **Name**. Enter a name for the source.
1. **Description**. (Optional) Enter a description of the source.
@@ -28,7 +28,9 @@ To do so, you simply configure a ThreatQ source in Cloud SIEM. You supply the in
1. **Client ID**. Enter your ThreatQ Client ID.
1. **Client Secret**. Enter your ThreatQ Client Secret.
1. **Poll Interval**. Enter how frequently, in minutes, that you want Cloud SIEM to collect indicators from ThreatQ.
+1. **Use Expiration Dates from ThreatQ**. Use the indicators expiration dates set in ThreatQ.
1. **Custom Filters JSON**. (Optional) If you want, you can enter a JSON filter to specify the indicators you want to collect from ThreatQ. The example shown in the screenshot above, `[{“score”:{“+gte”:3}}]`, will select indicators whose score is greater than or equal to 3.
+1. **Extra Headers**. Provide additional headers you want to add to each request in "Key: Value" format.
1. **Certificate**. (Optional) A PKCS format certificate is required to authenticate to your environment if you have an SSL API gateway in front of your on-premise ThreatQ service.
## ThreatQ sources in the Cloud SIEM UI
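Review bot: The two new fields need the same treatment as their neighbours. For **Use Expiration Dates from ThreatQ**, say whether it is a checkbox and what happens when it is off (do indicators then never expire, or fall back to a Cloud SIEM default?), and fix "the indicators expiration dates" to "the indicators' expiration dates". For **Extra Headers**, mark it "(Optional)" like **Custom Filters JSON**, show one concrete `Key: Value` line, and state whether header values are stored and masked like **Client Secret**, since a header added to every request is exactly where people put authentication tokens. Separately, the context line's filter example `[{“score”:{“+gte”:3}}]` uses curly quotes and will not parse if copied; use straight quotes.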
diff --git a/docs/cse/integrations/enable-virustotal-enrichment.md b/docs/cse/integrations/enable-virustotal-enrichment.md
index ff5d82250d..c915309477 100644
--- a/docs/cse/integrations/enable-virustotal-enrichment.md
+++ b/docs/cse/integrations/enable-virustotal-enrichment.md
@@ -37,8 +37,8 @@ VirusTotal enrichments are only added to Signals that are part of an Insight.
## Configure VirusTotal enrichment
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Enrichment**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Enrichment**. You can also click the **Go To...** menu at the top of the screen and select **Enrichment**.
-1. On the **Enrichment** page, click the pencil icon for VirusTotal.
-2. On the **Edit VirusTotal Configuration** popup, enter your VirusTotal API Key, and click Update.
+1. On the **Enrichment** page, click the pencil icon for VirusTotal.
+2. On the **Edit VirusTotal Configuration** popup, enter your VirusTotal API Key, and click Update.
## Example VirusTotal enrichment
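Review bot: "click Update" is the only UI control in these steps not bolded; use **Update** to match **Enrichment** and the pencil-icon step. This page also numbers its steps "1., 2." while the sibling pages in this patch repeat "1."; both render the same, but pick one convention across the set.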
diff --git a/docs/cse/integrations/enrichments-and-indicators.md b/docs/cse/integrations/enrichments-and-indicators.md
index 85e8cb56ac..357b7d45fd 100644
--- a/docs/cse/integrations/enrichments-and-indicators.md
+++ b/docs/cse/integrations/enrichments-and-indicators.md
@@ -31,10 +31,10 @@ Threat indicators, if set, will be displayed throughout the Cloud SIEM UI either
| Label | Description | Icon |
|:--|:--|:--|
| **Malicious** |
|
|
-| **Suspicious** |
|
|
+| **Suspicious** |
|
|
| **Not Flagged** |
| None |
-No icon is displayed for Entities that with the **Not Flagged** label.
+No icon is displayed for Entities with the **Not Flagged** label.
:::note
**Not Flagged** is not the default value (which is no indicator at all). Cloud SIEM will not automatically determine the indicator value; enrichments must explicitly set it.
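Review bot: The typo fix ("Entities that with" to "Entities with") is correct. The **Not Flagged** row already says "None" in the Icon column, so the sentence below repeats it; one is enough. The note "**Not Flagged** is not the default value (which is no indicator at all)" is hard to parse on first read; consider "The default is no indicator at all; **Not Flagged** is only shown when an enrichment explicitly sets it."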
diff --git a/docs/cse/integrations/insight-enrichment-server.md b/docs/cse/integrations/insight-enrichment-server.md
index 5fd0c67719..ca27d599b5 100644
--- a/docs/cse/integrations/insight-enrichment-server.md
+++ b/docs/cse/integrations/insight-enrichment-server.md
@@ -26,8 +26,6 @@ You configure enrichments in the server’s configuration file. The key settings
The Insight Enrichment Server periodically polls Cloud SIEM for new Insights. If an Insight’s Entity is of the same type as the `entity_type` specified for an enrichment configured in the server’s configuration file, the server runs the enrichment for the Entity instance in the Insight. You can see an enrichment that has been added to an Insight on the **Enrichments** tab for an Insight.
-The enrichment shown below returned the IP address associated with the hostname that is the Entity for the Insight.
-
## Create configuration file
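Review bot: Removing "The enrichment shown below returned the IP address associated with the hostname that is the Entity for the Insight." drops the only concrete illustration of the `entity_type` matching described in the paragraph above. If the screenshot is going away, keep a one-line text example (a hostname Entity enriched with its resolved IP address) so readers know what to expect on the **Enrichments** tab.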
diff --git a/docs/cse/integrations/integrate-cse-with-taxii-feed.md b/docs/cse/integrations/integrate-cse-with-taxii-feed.md
index 067f29b63e..43f38728b5 100644
--- a/docs/cse/integrations/integrate-cse-with-taxii-feed.md
+++ b/docs/cse/integrations/integrate-cse-with-taxii-feed.md
@@ -30,7 +30,7 @@ Cloud SIEM supports TAXII v1.1 and v1.2.
## Configure the integration
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
-1. On the **Threat Intelligence** page, click **Add Source**.
+1. On the **Threat Intelligence** page, click **Add Source**.
1. On the **Add New Source** popup, click **TAXII Feed**.
1. The **Add Source** page appears.
1. **Name**. Enter a name for the feed.
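Review bot: Naming is inconsistent within these steps: "On the **Add New Source** popup, click **TAXII Feed**" is followed by "The **Add Source** page appears", while the ThreatQ page in this same patch calls it the **Add New Source** page that "updates". Align the two pages on one name and one element type (popup or page).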
diff --git a/docs/cse/introduction-to-cloud-siem.md b/docs/cse/introduction-to-cloud-siem.md
index 96920eb661..981679da28 100644
--- a/docs/cse/introduction-to-cloud-siem.md
+++ b/docs/cse/introduction-to-cloud-siem.md
@@ -28,7 +28,7 @@ import Iframe from 'react-iframe';
### Access Cloud SIEM
-To access Cloud SIEM, in the main Sumo Logic menu select **Cloud SIEM**.
+To access Cloud SIEM, in the main Sumo Logic menu select **Cloud SIEM**.
Cloud SIEM must be enabled by Sumo Logic before it is accessible to users in your organization. For more information, see [Onboarding Checklist for Cloud SIEM Administrators](/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse/).
@@ -269,9 +269,9 @@ Cloud SIEM typically processes thousands or millions of records and boils them d
-On the Cloud SIEM main page, you'll see a panel similar to this one. In this case, 199 thousand records have been ingested and processed into just 51 Signals. Some Signals could be false alarms, but many are worth investigating anyway. But, 51 is still way too many for the average SOC analyst to sift through every day. So, how do you know which Signals to pay attention to first?
+On the Cloud SIEM main page, you'll see a panel similar to this one. In this case, 52 thousand records have been ingested and processed into 4 thousand Signals. Some Signals could be false alarms, but many are worth investigating anyway. But, 4 thousand is still way too many for the average SOC analyst to sift through every day. So, how do you know which Signals to pay attention to first?
-Cloud SIEM takes everything one step further and correlates those Signals into a manageable number of Insights. Here, just four Insights were created out of 51 Signals.
+Cloud SIEM takes everything one step further and correlates those Signals into a manageable number of Insights. Here, just one Insight was created out of all those Signals.
An Insight is a group of Signals clustered around a single entity. An Insight is created when the sum of the severity scores of Signals with the same entity goes above a certain activity score within a certain timeframe. By default, this is an activity score of 12 within the last 14 days. For example, if a rule was triggered with a severity of 5, and then ten days later another rule with the same entity and a severity of 5 was triggered, the total activity score would only be 10 in the last 14 days, so an Insight would not be created. However, if those same two rules had a severity score of 7, an Insight would be created.
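Review bot: The updated numbers weaken the point this section opens with. "52 thousand records ... into 4 thousand Signals" is roughly a 13:1 reduction, versus 199 thousand to 51 before, so it no longer illustrates "boils them down" as strongly; check the panel values against the new screenshot or choose a panel that shows the funnel more clearly. Also "just one Insight was created out of all those Signals" reads as though all 4 thousand Signals are in that Insight; by the definition in the next paragraph an Insight clusters Signals on a single Entity, so say "from those Signals" or state how many Signals the Insight actually contains.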
@@ -322,17 +322,17 @@ However, sometimes you may want to investigate deeper, to really understand what
The Signals tab lists all the Signals created by rules that have been triggered in your system in the last 14 days, by default. Signals provide summaries of potential security threats. Remember, not all Signals are security incidents. After all, there are legitimate reasons why someone might be logged in to two different devices at the same time, or why there have been several failed password attempts on an account.
-
+
When you click into a Signal, you’ll have the option to see the full details of the record that triggered it. This includes information like the IP address, geolocation, threat level, and other information that can aid you in your investigation.
-
+
#### Entities
The Entities tab lists all the entities that your rules have detected in the last 14 days, by default. Each entity has an Activity Score associated with it. The activity score is the sum of all the severity scores of all the unique signals associated with that entity. When an entity’s activity score reaches at least 12, an Insight is created. If you have several entities with relatively high activity scores, they might be a good starting point for a threat hunt.
-
+
### Bring it back to Sumo Logic search
diff --git a/docs/cse/match-lists-suppressed-lists/create-match-list.md b/docs/cse/match-lists-suppressed-lists/create-match-list.md
index 33c26ad575..6aaa37e445 100644
--- a/docs/cse/match-lists-suppressed-lists/create-match-list.md
+++ b/docs/cse/match-lists-suppressed-lists/create-match-list.md
@@ -82,7 +82,7 @@ You can also create and manage Match Lists with Cloud SIEM's REST [API](/docs/cs
:::
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Match Lists**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Match List**. You can also click the **Go To...** menu at the top of the screen and select **Match List**.
-1. Click **Create**.
+1. Click **Create**.
1. On the **New Match List** popup, enter the following:
1. **Name**. Name of the Match list. If you are creating a standard Match List, make sure the name matches the standard Match List name. For more information, see [Standard Match Lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists). We recommend no embedded spaces in list names. For example, instead of *my list*, use *my_list*.
1. **Description**. Enter a description for the list. Descriptions for standard Match Lists can be found in [Standard Match Lists](/docs/cse/match-lists-suppressed-lists/standard-match-lists#standard-match-lists).
@@ -92,15 +92,15 @@ You can also create and manage Match Lists with Cloud SIEM's REST [API](/docs/cs
Once you create a Match List, it's not possible to change its **Target Column**.
:::
1. Click **Create**.
-1. The Match List now appears on the **Match Lists** page.
+1. The Match List now appears on the **Match Lists** page.
1. Click the name of the Match List to open it.
-1. On the **Match List > Details** page, click **ADD LIST ITEM**.
+1. On the **Match List > Details** page, click **Add List Item**.
1. On the **New Match List Item** popup, enter:
* **Value**. The value of the entity. Make sure the value you enter is of the same type as the type you selected as the Target Column for the list. For example, if the Target Column is `Domain`, enter a domain.
* **Description**. (Optional) Enter a description of the entity instance you entered.
* **Expiration**. (Optional) The date and time at which the list item should be removed from the list.
- * Click **Add** to add the item to the list.
-1. The item now appears in the Match List.
+ * Click **Add** to add the item to the list.
+1. The item now appears in the Match List.
## Import a Match List
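Review bot: "ADD LIST ITEM" to "Add List Item" is fine. The re-added "* Click **Add** to add the item to the list." is an action listed as a bullet among field descriptions (**Value**, **Description**, **Expiration**); make it its own numbered step so the reader does not skim past it. Also the Classic/New UI line says "**Cloud SIEM > Match List**" while the page is named **Match Lists**; confirm the menu label.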
diff --git a/docs/cse/match-lists-suppressed-lists/custom-match-list-columns.md b/docs/cse/match-lists-suppressed-lists/custom-match-list-columns.md
index c68ca884dd..e5bb677563 100644
--- a/docs/cse/match-lists-suppressed-lists/custom-match-list-columns.md
+++ b/docs/cse/match-lists-suppressed-lists/custom-match-list-columns.md
@@ -22,7 +22,7 @@ To see the custom columns that have been defined in your environment:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Match Lists**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Match List**. You can also click the **Go To...** menu at the top of the screen and select **Match List**.
1. On the **Match Lists** page, click **Custom Columns**.
-1. The **Custom Columns** page lists the custom columns that have been defined in your environment.
+1. The **Custom Columns** page lists the custom columns that have been defined in your environment.
## Create a Custom Column
diff --git a/docs/cse/match-lists-suppressed-lists/suppressed-lists.md b/docs/cse/match-lists-suppressed-lists/suppressed-lists.md
index 90c87a2b2f..c3810e5d17 100644
--- a/docs/cse/match-lists-suppressed-lists/suppressed-lists.md
+++ b/docs/cse/match-lists-suppressed-lists/suppressed-lists.md
@@ -83,14 +83,14 @@ Perform the steps below to create a Suppressed List and add an indicator to it u
If you want to create a custom Target Column, click **Manage Custom Columns**. For more information, see [Custom Match List Columns](/docs/cse/match-lists-suppressed-lists/custom-match-list-columns).
:::
1. Click **Create**.
-1. The Suppressed List now appears on the **Suppressed Lists** page.
+1. The Suppressed List now appears on the **Suppressed Lists** page.
1. Click the name of the Suppressed List to open it.
-1. On the **Suppressed List > Details** page, click **ADD LIST ITEM**.
+1. On the **Suppressed List > Details** page, click **Add List Item**.
1. On the **New Suppressed List Item** popup, enter:
1. **Value**. The value of the entity. Make sure the value you enter is of the same type as the type you selected as the Target Column for the list. For example, if the Target Column is Domain, enter a domain.
1. **Description**. (Optional) Enter a description of the list item.
1. **Expiration**. (Optional) The date and time at which the list item should be removed from the list.
- 1. Click **Add** to add the item to the list.
+ 1. Click **Add** to add the item to the list.
1. The item now appears on the list.
## Import a list of indicators
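Review bot: Same capitalization fix as on the create-match-list page, good. Here the "Click **Add** to add the item to the list." step is a numbered sub-item, while the create-match-list page in this patch nests it as a bullet ("* Click **Add** ..."); make the two pages match, and likewise "Domain" is plain text here but `Domain` in code font there.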
diff --git a/docs/cse/records-signals-entities-insights/about-signal-suppression.md b/docs/cse/records-signals-entities-insights/about-signal-suppression.md
index 627483f11c..e52103246c 100644
--- a/docs/cse/records-signals-entities-insights/about-signal-suppression.md
+++ b/docs/cse/records-signals-entities-insights/about-signal-suppression.md
@@ -21,7 +21,7 @@ Signal suppression can occur for a variety of reasons, including [Entity suppres
By default, Signals are automatically suppressed for 72 hours. You can change this value to anywhere from 24 hours to 72 hours with the **Global Signal Suppression** setting on the **Insight Detection** page. See [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/).
-
+
### Override global Signal suppression
@@ -45,9 +45,9 @@ You can suppress multiple Entities at once on the [Entities list page](/docs/cse
-When you checkmark one or more Entities, the **Update Suppression** button appears. When you click it you’re prompted to set the suppression state for the select Entities. You can also create a .csv file with your suppression changes, and use the **Import Metadata** button to upload it to Cloud SIEM. For details, see the [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities) topic. You can see what Entities are currently suppressed on the **Entities** page by filtering the list by **Suppressed**.
+When you checkmark one or more Entities, the **Update Suppression** button appears. When you click it you’re prompted to set the suppression state for the select Entities. You can also create a .csv file with your suppression changes, and use the **Import Metadata** button to upload it to Cloud SIEM. For details, see the [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities) topic.
-
+You can see what Entities are currently suppressed on the **Entities** page by filtering the list by **Suppressed**.
## Suppress by indicator
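Review bot: Since this paragraph is being rewritten anyway, fix "set the suppression state for the select Entities" to "the selected Entities". Moving "You can see what Entities are currently suppressed ..." into its own paragraph after the image is fine.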
diff --git a/docs/cse/records-signals-entities-insights/configure-custom-insight.md b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
index 9c860c0ca4..5d43e1f923 100644
--- a/docs/cse/records-signals-entities-insights/configure-custom-insight.md
+++ b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
@@ -24,18 +24,13 @@ There are two ways you can define a Custom Insight. You can specify that the Ins
Which method should you use? The difference is whether you’re going to create an Insight based on the name of the rule that fired the Signal, or based on the name of the Signal that was fired. Typically, Signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [Normalized Threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the Signals that a normalized rule fires vary by data source. So, if you want your Custom Insight configuration to generate Insights for Signals fired by normalized rules, you should base it on Signal names, rather than rule names.
When the conditions of a Custom Insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an Insight will be generated for each Entity involved. In other words, if each of the Signals in a Custom Insight configuration fired on a different Entity, an Insight will be created on each of those Entities. The generated Insights will include not only the Signals that it fired on, but also any related Signals.
-
-This example Custom Insight configuration will generate an Insight as a result of the **Mimecast - Message with Virus Detections from IP** rule firing a Signal.
-
-
-
## Create a Custom Insight
To create a Custom Insight:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu, select **Content > Custom Insights**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Custom Insights**. You can also click the **Go To...** menu at the top of the screen and select **Custom Insights**.
-2. Click **Create** on the **Custom Insights** page.
+2. Click **Create** on the **Custom Insights** page.
3. The **Configure the Custom Insight** popup appears.
4. In the **Name** field, enter a name for the Custom Insight.
5. If you want the Custom Insight to be generated based on one or more rules firing Signals, jump to step 6, below. Otherwise:
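Review bot: The removed paragraph "This example Custom Insight configuration will generate an Insight as a result of the **Mimecast - Message with Virus Detections from IP** rule firing a Signal." was the only concrete example tying the rule-name versus Signal-name discussion above to an actual configuration; keep a text version even if the screenshot goes. While here, "The generated Insights will include not only the Signals that it fired on" mixes plural and singular; "they fired on" (or "each Insight will include ... it fired on").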
@@ -61,8 +56,9 @@ To create a Custom Insight:
1. Select a default severity, one of **Low**, **Medium**, **High**, or **Critical**.
1. **Minimum Signal Severity** and **Insight Severity**. Enter a minimum Signal severity and associated Insight severity value. For example, if you enter 8 and select high, if any Signal in the Insight has a severity of 8 or higher, the custom Insight will have High severity.
1. If desired, you can enter a minimum Signal severity value for other Insight severity levels. For example, you could configure a minimum Signal severity of 4 as the threshold for an Insight severity level of Medium. If you do define multiple thresholds, we honor them from highest to lowest. For example, with the following configuration:
+ * If the highest signal severity was at least 3, severity is Low.
+ * If the highest Signal severity was at least 5, severity is Medium.
* If the highest Signal severity was at least 7, severity is Critical.
- * If the highest Signal severity was at least 5, severity is Medium.
- * If the highest signal severity was at least 3, severity is Low.
+
11. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the Custom Insight.
12. Click **Submit** to save your Custom Insight configuration.
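Review bot: Reordering the thresholds to ascending (3 is Low, 5 is Medium, 7 is Critical) works against the sentence directly above, "we honor them from highest to lowest", which reads naturally over a descending list; either keep the descending order or rephrase to "the highest matching threshold wins". The re-added first bullet still says "signal severity" in lowercase while the next two say "Signal"; fix the capitalization. The example jumps from Medium to Critical, so say explicitly that High is simply not configured in it. The added trailing blank line sits between the nested bullets and step "11.", which turns the enclosing list into a loose list and changes spacing; if it is intentional, apply it consistently to the other steps.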
diff --git a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
index 860577175d..8ae0cdc2e6 100644
--- a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
+++ b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
@@ -65,7 +65,7 @@ After you’ve created your Entity Lookup Table in the Sumo Logic Library, you c
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Normalization**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Normalization**. You can also click the **Go To...** menu at the top of the screen and select **Normalization**.
1. On the **Entity Normalization** page, click **Lookup Tables**.
1. Click **Create** on the **Lookup Tables** tab.
-1. The **Existing Lookup Table** popup appears.
+1. The **Existing Lookup Table** popup appears.
1. **Type**. Choose the type of normalization you want to set up.
* **Host ID to Normalized Hostname**. Maps unique host IDs to recognizable hostnames.
* **User ID to Normalized Username**. Maps unique user IDs to recognizable usernames.
diff --git a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
index 057736e157..0f442af310 100644
--- a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
+++ b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
@@ -22,7 +22,7 @@ Just as for Entities of built-in types listed above—IP addresses, MAC addresse
To create a custom Entity type:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Custom Types**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Custom Types**. You can also click the **Go To...** menu at the top of the screen and select **Custom Types**.
-1. Click **Create** on the **Custom Entity Types** page.
+1. Click **Create** on the **Custom Entity Types** page.
2. The **Create Custom Entity Type** popup appears.
3. **Name**. Enter a meaningful name for the custom Entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom Entity type on the **Custom Entity Type** page.
4. **Identifier**. Enter a unique identifier for the custom Entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the Entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
diff --git a/docs/cse/records-signals-entities-insights/entity-criticality.md b/docs/cse/records-signals-entities-insights/entity-criticality.md
index 1585604e0b..bb7a356ef5 100644
--- a/docs/cse/records-signals-entities-insights/entity-criticality.md
+++ b/docs/cse/records-signals-entities-insights/entity-criticality.md
@@ -31,7 +31,7 @@ You can configure both the detection window and the threshold Activity Score for
## Define a Criticality
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Criticality**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Criticality**. You can also click the **Go To...** menu at the top of the screen and select **Criticality**.
-1. On the **Entity Criticality** page, click **Create**.
+1. On the **Entity Criticality** page, click **Create**.
1. The **Create Entity Criticality** popup appears.
2. **Name**. Enter a name.
3. **Severity Expression**. Enter a formula for adjusting a severity value. You can use a plus sign (+), minus sign (-), an asterisk (\*), or a forward slash (/). Enter the formula in this format: `severity+2 `
@@ -43,5 +43,5 @@ You can associate a Criticality with one or more Entities.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Click **Entities** at the top of the screen.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.
1. Navigate to the Entity you want to assign a Criticality and click on it to display the **Entity Details** page.
-2. On the **Entity Details** page, click the **Criticality** field to display a list of Criticalities.
+2. On the **Entity Details** page, click the **Criticality** field to display a list of Criticalities.
3. Click a Criticality to apply it to the Entity.
diff --git a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
index 8211acbdbe..df7c68e8ee 100644
--- a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
+++ b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
@@ -66,7 +66,7 @@ difference is where you do the tagging.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rules**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.
1. Navigate to a custom rule.
1. The UI for tagging is at the bottom of the **Then Create a Signal** area of the **Rule Editor**.
-1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).
+1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).
### UI for tagging an Entity
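Review bot: The re-added line still links to `#applya-schema-key-tag`, which does not match the heading "## Apply a schema key tag" visible later in this patch (anchor `#apply-a-schema-key-tag`), so the link is broken; the link text "Add a schema key tag" also does not match the heading's "Apply". Fix the anchor and wording here and in the identical line in the Custom Insights section below.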
@@ -89,7 +89,7 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Custom Insights**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Custom Insights**. You can also click the **Go To...** menu at the top of the screen and select **Custom Insights**.
1. Navigate to a custom Insight.
1. The UI for tagging is at the bottom of the **Then Create a Signal** area of the Insight Editor.
-1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).
+1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).
## Apply a schema key tag
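Review bot: Same broken anchor `#applya-schema-key-tag` as in the Rules section above. Also "The UI for tagging is at the bottom of the **Then Create a Signal** area of the Insight Editor" is word-for-word the Rule Editor sentence; confirm the Custom Insight editor really has an area with that name, since a Custom Insight configuration does not itself create Signals.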
@@ -104,8 +104,8 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
1. Navigate to the Rule, Entity, or Insight to which you want to add a tag, as described in [Find the tagging UI](#find-the-tagging-ui).
1. In the tagging section, click the chevron icon.
1. A list of keyword tags that have already been assigned to items of the current type (Rule, Entity, or Insight) appears. You can select an existing tag, or add a new one. Enter text in the field to see a list of matching values.
-1. To add a new tag, enter it and press Return.
-1. The tag is added to the item.
+1. To add a new tag, enter it and press Return.
+1. The tag is added to the item.
## Search by tag
@@ -113,23 +113,20 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Near the top of the screen, click in the Cloud SIEM search area and then click the funnel icon.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Search Cloud SIEM**, and click the funnel icon. You can also click the **Go To...** menu at the top of the screen and select **Search Cloud SIEM**.
1. Select **Insights**, **Signals**, or **Entities** from the **Sources** list.
-1. Select **Tags** from the **Fields** list.
-1. Choose **contain** or **do not contain** from the **Operators** list.
+1. Select **Tags** from the **Fields** list.
+1. Choose **contain** or **do not contain** from the **Operators** list.
1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords list**, items that match are listed.
### Search Rules by tag
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rules**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.
-1. Click in the **Filters** area and select **Tags** from the **Fields** list.
-1. Choose **contain** or **do not contain** from the **Operators** list.
+1. Click in the **Filters** area and select **Tags** from the **Fields** list.
+1. Choose **contain** or **do not contain** from the **Operators** list.
1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords Tags** list, items that match are listed. Note that if an item has a Mitre-related tag, an icon appears next to it. Click the icon to view a Mitre page on the Tactic or Technique.
-
-
-
### Filter a list view by clicking a tag
-On the Insights, Signals, Rules, or Entities page, you can click a tag to filter the list. For example, if you click the **Tactic:TA0005 - Defense Evasion** tag on an Insight, like this:
+On the Insights, Signals, Rules, or Entities page, you can click a tag to filter the list. For example, if you click the **Tactic: TA0005 - Defense Evasion** tag on an Insight, like this:
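Review bot: the tag-list name is inconsistent within this hunk: the Insights/Signals/Entities step says "If you select a tag from the **Keywords list**" and the Rules step says "from the **Keywords Tags** list", while both steps open with "either the **Schema Keys** or **Keyword Tags** list". Since the hunk already reformats these steps, normalize both to "**Keyword Tags** list", and consider "MITRE" for "Mitre" in the Rules step. The "Tactic: TA0005" spacing fix on the last `+` line is fine.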
diff --git a/docs/cse/records-signals-entities-insights/view-manage-entities.md b/docs/cse/records-signals-entities-insights/view-manage-entities.md
index 22ecf20e8e..3fdc2125dc 100644
--- a/docs/cse/records-signals-entities-insights/view-manage-entities.md
+++ b/docs/cse/records-signals-entities-insights/view-manage-entities.md
@@ -58,9 +58,6 @@ When a Signal is fired, if an Entity doesn’t already exist in Cloud SIEM for t
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). To view Entities, in the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.
-
-Here’s a screenshot of the Entities page.
-
@@ -71,34 +68,43 @@ Here’s a screenshot of the Entities page.
| c | In this area you can sort Entities by Activity Score, Name, or Type. |
| d | The Import Metadata option allows you to upload a .csv file of updates to Entity tags, suppression state, and Criticality, as described in [Update Multiple Entities](#update-multiple-entities). |
| e | Shows the Entity Type and its value. |
-| f | The **Criticality** column shows whether a [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) has been assigned to the Entity. A Criticality adjusts the severity of Signals for specific Entities based on some risk factor or other consideration. If a Criticality hasn't been assigned to an Entity, the column contains "default". |
-| g | The current Activity Score for the Entity, which by default is the sum of the severities of the Signals that have fired on the Entity over the previous two weeks. For more information, see [Understanding Entity Activity Scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic. |
-| h | If you see a link below the Entity value, it’s a [tag](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/). You can click it to filter Entities by that tag. |
-| i | If an Entity has the **Suppressed** indicator, that means that Signals will not be fired on the Entity. |
+| f | If an Entity has the **Suppressed** indicator, that means that Signals will not be fired on the Entity. |
+| g | The **Criticality** column shows whether a [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) has been assigned to the Entity. A Criticality adjusts the severity of Signals for specific Entities based on some risk factor or other consideration. If a Criticality hasn't been assigned to an Entity, the column contains "default". |
+| h | The current Activity Score for the Entity, which by default is the sum of the severities of the Signals that have fired on the Entity over the previous two weeks. For more information, see [Understanding Entity Activity Scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic. |
+| i | The total amount of Signal severity for the Entity. |
+
+If you see a link below the Entity value, it’s a [tag](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/). You can click it to filter Entities by that tag.
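Review bot: the new legend row `+| i | The total amount of Signal severity for the Entity. |` is hard to tell apart from row h, which already describes the Activity Score as "the sum of the severities of the Signals that have fired on the Entity over the previous two weeks". State what actually differs (the time window, or that the total is not windowed) or link to where Signal Severity Total is defined; otherwise readers will take i as a restatement of h. Moving the tag-link sentence out of the legend into its own paragraph is fine, given the letters now map to the new screenshot.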
## About the Entities Details page
When you click an Entity on the **Entities** page, a details page for
the Entity appears.
-
+
| Letter | Description |
|:--|:--|
-| a | Suppression slider. Shows whether or not the Entity is currently [suppressed](/docs/cse/records-signals-entities-insights/about-signal-suppression). You can use the slider to suppress the Entity so that it is excluded from the Insight generation process. |
-| b | **Tags**. Lists any [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) assigned to the Entity. You can add a new tag, select a tag to assign, or remove a tag from the Entity. |
-| c | **Criticality**. An Entity’s [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration. You can reset the Criticality here. |
-| d | **Metadata**. This section lists the contents of enrichment fields that were added during Record processing. |
-| e | **Inventory**. If the selected Entity is standard Entity type (as opposed to a custom Entity type), this area provides selected information about the Inventory object associated with the Entity. (Inventory information is not provided for custom entity types.) Inventory data is customer or 3rd-party provided information that describes devices and users along with contact information and job descriptions. Cloud SIEM joins inventory data on demand with data from Entities in Insights data to provide context to Signals. |
-| f | **Notes**. Contains any notes added to the Entity.|
-| g | **Audit Log**. This area will list any audit events that have been logged for the Entity. An audit log is generated each time an Entity is suppressed or unsuppressed.|
-| h | **Recent Activity**. Provides a count of how many Signals or Insights included the Entity within the last 30 days. Click the plus sign (+) next to **Signals** or **Insights** to expand the list. |
-| i | **Activity tab**. This tab displays a visualization of Signals on the Entity over time.The x-axis is time, the y-axis is severity. The icons represent Signals.
-| j | **Enrichments** tab. If you use Cloud SIEM’s automation as a service, Entity enrichments obtained from Cloud SOAR may be available on this tab. |
-| k | **Entity Timeline**. A timeline appears for the Entity's activity over a three-day period. For more information, see [About the Entity Timeline tab](#about-the-entity-timeline-tab).|
-| l | **Create Insight**. You can use this option to create an Insight on the Entity, as described below in [Create an Insight](#create-an-insight), below. |
-| m | The **Current State** section lists Signals that were generated for the Entity during the current [Detection Window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) that are not already part of an Insight. (The Detection Window is the period over which Cloud SIEM evaluates Signals, which is 14 days, by default. The Detection Window is configured on the **Content > Custom Insights** page in the Cloud SIEM UI.) |
-| n | The **Prior Activity** section lists Signals that were generated for the Entity prior to the current Detection window, and all Insights for the Entity. |
+| a | **Suppression**. Shows whether or not the Entity is currently [suppressed](/docs/cse/records-signals-entities-insights/about-signal-suppression). You can use the slider to suppress the Entity so that it is excluded from the Insight generation process. |
+| b | **Automations**. Click to view [automations](/docs/cse/automation/automations-in-cloud-siem/#run-an-automation-manually-on-entities) available to be run on the Entity. |
+| c | **Tags**. Lists any [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) assigned to the Entity. You can add a new tag, select a tag to assign, or remove a tag from the Entity. |
+| d | **Criticality**. An Entity’s [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration. You can reset the Criticality here. |
+| e | **Signal Severity Total**. The total amount of Signal severity for the Entity. |
+| f | **Indicators**. The indicators on the Entity, whether from enrichments or threat intelligence. |
+| g | **Metadata**. This section lists the contents of enrichment fields that were added during Record processing. |
+| h | **Network Blocks**. [Network blocks](/docs/cse/administration/create-use-network-blocks/) for the Entity. |
+| i | **Inventory**. If the selected Entity is standard Entity type (as opposed to a custom Entity type), this area provides selected information about the Inventory object associated with the Entity. (Inventory information is not provided for custom entity types.) Inventory data is customer or 3rd-party provided information that describes devices and users along with contact information and job descriptions. Cloud SIEM joins inventory data on demand with data from Entities in Insights data to provide context to Signals. |
+| j | **Notes**. Contains any notes added to the Entity.|
+| k | **Audit Log**. This area will list any audit events that have been logged for the Entity. An audit log is generated each time an Entity is suppressed or unsuppressed.|
+| l | **Recent Activity**. Provides a count of how many Signals or Insights included the Entity within the last 30 days. Click the plus sign (+) next to **Signals** or **Insights** to expand the list. |
+| m | **Activity**. This tab displays a visualization of Signals on the Entity over time.The x-axis is time, the y-axis is severity. The icons represent Signals.
+| n | **Enrichments** tab. If you use Cloud SIEM’s automation as a service, Entity enrichments obtained from Cloud SOAR may be available on this tab. |
+| o | **Timeline**. A timeline appears for the Entity's activity over a three-day period. For more information, see [About the Entity Timeline tab](#about-the-entity-timeline-tab).|
+| p | **Related Entities**. Entities related to the current Entity. |
+| q | **Automations**. [Automations](/docs/cse/automation/automations-in-cloud-siem/#view-results-of-an-automation) that have been run on the Entity. |
+| r | **Create Insight**. You can use this option to create an Insight on the Entity, as described below in [Create an Insight](#create-an-insight), below. |
+| s | The **Current State** section lists Signals that were generated for the Entity during the current [Detection Window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) that are not already part of an Insight. (The Detection Window is the period over which Cloud SIEM evaluates Signals, which is 14 days, by default. The Detection Window is configured on the **Content > Custom Insights** page in the Cloud SIEM UI.) |
+
+Below the **Current State** section there may be a **Prior Activity** section. This section lists Signals that were generated for the Entity prior to the current Detection window, and all Insights for the Entity.
## About the Entity Timeline tab
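Review bot: row m of the rebuilt table is still not closed: `+| m | **Activity**. This tab displays a visualization ... The icons represent Signals.` lacks the trailing `|` every other row has, and "over time.The x-axis" is missing the space after the period; both were carried over from the old row i, and this hunk is the place to fix them. Two smaller points in the same table: row r reads "as described below in [Create an Insight](#create-an-insight), below." (duplicate "below"), and rows b and q are both labelled **Automations**, so distinguishing them (for example "Automations available" versus "Automations run") would help readers match letters to the screenshot.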
@@ -120,10 +126,8 @@ You can create an Insight for an Entity based on one or more Signals on the Enti
-
The page refreshes and shows the selected Signals grouped in a new Insight.
-
## Update multiple Entities
@@ -134,11 +138,12 @@ or Criticality for one or more Entities.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). Click **Entities** at the top of the screen.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.
1. Note that there is a checkbox at the left end of each Entity row, and one above the Entities list.
-1. Click the top checkbox to select all of the Entities on the page, or click the checkbox next to each Entity you want to update.
-1. Note that once you select an Entity, three options appear at the top of the Entities list. See the instructions for each option below:
+1. Click the top checkbox to select all of the Entities on the page, or click the checkbox next to each Entity you want to update.
+1. Note that once you select an Entity, three options appear at the top of the Entities list.
+
See the instructions for each option below:
* [Update Tags](#update-tags)
* [Update Suppression](#update-suppression)
- * [Update Criticalities](#update-criticalities)
+ * [Update Criticality](#update-criticality)
#### Update tags
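Review bot: the renamed bullet `+ * [Update Criticality](#update-criticality)` agrees with the heading renamed in the next hunk, but that heading is now title case next to the sentence-case sibling `#### Update tags` shown as trailing context here; consider `#### Update criticality`, which generates the same `#update-criticality` anchor. The split of the old step into `+1. Note that once you select an Entity, three options appear at the top of the Entities list.` plus a separate "See the instructions for each option below:" paragraph is fine, but that paragraph is no longer part of the numbered list, so verify the bullets still render under it as intended.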
@@ -159,11 +164,11 @@ or Criticality for one or more Entities.
2. The **Update Suppression** popup appears, with the suppression toggle set to **Not Suppressed**.
3. If you want to unsuppress the selected Entities, click **Update Entity Suppression**. Otherwise, if you want to suppress the Entity, toggle the slider to **Suppressed**, supply a comment if desired, and then click **Update Entity Suppression**.
-#### Update Criticalities
+#### Update Criticality
-1. After selecting the Entities you want to update, click **Update Criticalities**.
-2. The **Update Criticalities** popup appears.
-3. If you want to assign default Criticality to the selected Entities, click **Update Entity Criticalities**. Otherwise, use the down arrow to view defined Criticalities, select one, and then click **Update Entity Criticalities**.
+1. After selecting the Entities you want to update, click **Update Criticality**.
+2. The **Update Criticality** popup appears.
+3. If you want to assign default Criticality to the selected Entities, click **Update Entity Criticality**. Otherwise, use the down arrow to view defined Criticalities, select one, and then click **Update Entity Criticality**.
### Import Entity updates from a CSV file
diff --git a/docs/cse/rules/before-writing-custom-rule.md b/docs/cse/rules/before-writing-custom-rule.md
index 885dff5e33..ae84b1d7b0 100644
--- a/docs/cse/rules/before-writing-custom-rule.md
+++ b/docs/cse/rules/before-writing-custom-rule.md
@@ -41,9 +41,9 @@ Let’s say you’re going to write a rule that fires every time a successful Wi
To find and review a log mapping:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu click **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. You can use the filter area at the top of the **Log Mappings** page to search for a mapping by various options. The screenshot below shows the results when we enter the filter **Name matches wildcard pattern *46...**. Two mappings match. For each mapping, you can see how many times it’s been used in the last 24 hrs and also over the last 7 days. We’ll select the one that has been in use, rather than the one that hasn’t.
-1. Once you’ve opened the mapping, you’ll see the top of the page shows the Vendor, Product, and Event ID that is written to the Records produced by the mapping.
-1. The **Fields** section of the page shows how raw message fields are mapped to Cloud SIEM schema attributes. In this mapping, `EventData.LogonProcessName` is mapped to `application`, `EventData.WorkstationName` is mapped to `device_hostname`, and so on.
+1. You can use the filter area at the top of the **Log Mappings** page to search for a mapping by various options. The screenshot below shows the results when we enter the filter `Name matches wildcard pattern *4624`. A mapping matches. For the mapping, you can see how many times it’s been used in the last 24 hrs and also over the last 7 days. Select the mapping.
+1. Once you’ve opened the mapping, you’ll see the top of the page shows the Vendor, Product, and Event ID that is written to the Records produced by the mapping.
+1. The **Fields** section of the page shows how raw message fields are mapped to Cloud SIEM schema attributes. In this mapping, `EventData.LogonProcessName` is mapped to `application`, `EventData.WorkstationName` is mapped to `device_hostname`, and so on.
Now that we understand the mapping in Cloud SIEM, we can see we will want to be looking for logs where the `metadata_vendor` is “Microsoft”, `metadata_product` is “Windows”, and `metadata_deviceEventId` is “Security-4624”, and we will also want to use the `user_username` field to find users that don’t match our naming convention.
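Review bot: on the rewritten step `+1. You can use the filter area at the top of the **Log Mappings** page ... the filter `Name matches wildcard pattern *4624`...`, the backticks wrap a UI field name and operator together with the pattern as if the whole phrase were one literal; keep the field and operator in prose and put only the pattern in code, for example "filter **Name** with **matches wildcard pattern** and the value `*4624`". Also expand "24 hrs" to "24 hours" to match "last 7 days" in the same sentence.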
@@ -103,7 +103,7 @@ Now we have a query we can use as the rule expression for our rule. Note that
You can use an expression like this example in any rule type. Here is an example Match rule with the expression, shown in the Rules Editor.
-
+
## Degraded rules
diff --git a/docs/cse/rules/import-yara-rules.md b/docs/cse/rules/import-yara-rules.md
index 5fd4b9e18e..5f287d4ec4 100644
--- a/docs/cse/rules/import-yara-rules.md
+++ b/docs/cse/rules/import-yara-rules.md
@@ -19,8 +19,8 @@ To import YARA rules:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > File Analysis**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > File Analysis**. You can also click the **Go To...** menu at the top of the screen and select **File Analysis**.
1. Click **Add Source**.
-1. On the **Add New Source** popup, click **Create** in the GitHub tile.
-1. The **Add New Source** popup updates.
+1. On the **Add New Source** popup, click **Create** in the GitHub tile.
+1. The **Add New Source** popup updates.
1. **Name**. Enter a display name for the rule set to be imported.
1. **Description**. Describe the rule set.
1. Enabled. If you want Cloud SIEM to apply to rules upon import, leave the toggle set to Enabled. Otherwise, change it to Disabled.
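Review bot: the context line directly after the reformatted steps, `1. Enabled. If you want Cloud SIEM to apply to rules upon import, leave the toggle set to Enabled.`, has a grammar slip ("apply to rules" should be "apply the rules") and leaves "Enabled" unbolded, unlike the **Name** and **Description** field labels above it; since the hunk already touches this list, fix it here as `1. **Enabled**. If you want Cloud SIEM to apply the rules upon import, leave the toggle set to **Enabled**.`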
diff --git a/docs/cse/rules/rule-tuning-expressions.md b/docs/cse/rules/rule-tuning-expressions.md
index f2b455f9b7..e3d76bf911 100644
--- a/docs/cse/rules/rule-tuning-expressions.md
+++ b/docs/cse/rules/rule-tuning-expressions.md
@@ -31,6 +31,16 @@ There is another benefit of using tuning built-in rules instead of writing custo
You can apply multiple tuning expressions to a rule. You can assign a tuning expression to selected rules, or to all of your rules. You can also create a tuning expression without immediately assigning it to any rules.
+### Example tuning expression
+
+Here’s what the example tuning expression looks like in the Cloud SIEM UI.
+
+
+
+## Writing a tuning expression
+
+Writing a tuning expression is just like writing a rule expression. A tuning expression can use metadata, record fields, and Cloud SIEM [rules language](/docs/cse/rules/cse-rules-syntax) functions. For more information, see [About rule expressions](/docs/cse/rules/about-cse-rules#about-rule-expressions).
+
Watch this micro lesson to learn how to create a rule tuning expression.
-
## Create a tuning expression
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Rule Tuning**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rule Tuning**. You can also click the **Go To...** menu at the top of the screen and select **Rule Tuning**.
1. On the **Rule Tuning** page, click **Create**.
-
1. The **New Rule Tuning Expression** page appears.
1. **Name**. Enter a name for the tuning expression.
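Review bot: the new `+### Example tuning expression` section opens with "Here's what the example tuning expression looks like in the Cloud SIEM UI", but no example expression is introduced before it in the hunk (the preceding context is the general "You can apply multiple tuning expressions to a rule" paragraph); either show the expression text in the section or point to where it is defined. Separately, the line removed directly after "Watch this micro lesson to learn how to create a rule tuning expression." leaves that sentence with nothing following it in the hunk; confirm the lesson embed still exists or drop the sentence. Also, the H3 sits before the new `## Writing a tuning expression` H2 and so attaches to the previous section; if the example is meant to accompany the writing guidance, place it after that H2.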
@@ -72,8 +71,7 @@ Here’s what the example tuning expression looks like in the Cloud SIEM UI.
* Leave **include** selected if you want Signals to be fired for Records that match both the rule expression and the tuning expression.
* Select **exclude** from the pulldown if you want Signals to be fired for Records that match the rule expression and do not match the tuning expression.
1. Enter a tuning expression.
-2. Click **Submit**.
-
+1. Click **Submit**.
### Create tuning expression without applying it to rules
@@ -83,7 +81,7 @@ If you want to create a tuning expression and not apply it to any rules immediat
You can also create new tuning expression and apply existing tuning expressions to a rule using the **Rules Editor** UI.
-
+
## Enabling and disabling a tuning expression
@@ -102,6 +100,6 @@ You can also toggle the enablement state on the details page for a tuning expres
When you test a [rule expression](/docs/cse/rules/about-cse-rules#about-rule-expressions) by clicking **Test Rule** in the rules editor, any tuning expressions assigned to the rule will be included in the test. If you do not want to test the tuning expressions, you can deselect one or more of the tuning expressions before clicking **Test Rule.**
-
+
diff --git a/docs/cse/rules/tailor-global-rule.md b/docs/cse/rules/tailor-global-rule.md
index 9b70dfddfb..03cbf84484 100644
--- a/docs/cse/rules/tailor-global-rule.md
+++ b/docs/cse/rules/tailor-global-rule.md
@@ -47,7 +47,7 @@ You can override some of the fields in the **If Triggered** section on the left
| Aggregation rule | Chain Rule | Threshold rule |
|:--|:--|:--|
-|
|
|
|
+|
|
|
|
## Reverting overridden settings
@@ -55,6 +55,6 @@ You can revert any overrides you’ve made at any time back to the original valu
Once you save the overrides to a rule, a revert button appears next to each edited field, as shown in the screenshot below. If you hover over the revert button, you can see what the original value was.
-
+
To revert an override, just click the revert button next to it. After reverting all desired fields, click **Save Edits** at the bottom of the page.
diff --git a/docs/cse/rules/write-aggregation-rule.md b/docs/cse/rules/write-aggregation-rule.md
index 81dc927cc3..a4f61a5817 100644
--- a/docs/cse/rules/write-aggregation-rule.md
+++ b/docs/cse/rules/write-aggregation-rule.md
@@ -101,7 +101,7 @@ On the right side of the Rules Editor, in the **Then Create a Signal** section,
1. **Configure constant severity**. Choose **Constant**, and select a severity level. Then, proceed to Step 7.
1. **Configure dynamic severity**.
1. Choose **Dynamic**.
- 1. The severity area updates.
+ 1. The severity area updates.
1. **severity of**. Use the pulldown to select a default severity value.
1. **for the record field**. Use the down arrows to display a list of fields, and select one. The dynamic severity will be based on the value of (or existence of) that field in the Record that matched the rule expression.
1. The **Add More Mappings** option appears.
diff --git a/docs/cse/rules/write-first-seen-rule.md b/docs/cse/rules/write-first-seen-rule.md
index 85a6096054..4ccc7ffa2d 100644
--- a/docs/cse/rules/write-first-seen-rule.md
+++ b/docs/cse/rules/write-first-seen-rule.md
@@ -54,7 +54,7 @@ import Iframe from 'react-iframe';
## Example rule
The screenshot below shows a First Seen rule in the Cloud SIEM rules editor. For an explanation of the configuration options, see [Create a First Seen rule](#create-a-first-seen-rule), below.
-
+
## Create a First Seen rule
diff --git a/docs/cse/rules/write-match-rule.md b/docs/cse/rules/write-match-rule.md
index 012189fde0..0c3fb86b0f 100644
--- a/docs/cse/rules/write-match-rule.md
+++ b/docs/cse/rules/write-match-rule.md
@@ -77,20 +77,20 @@ import Iframe from 'react-iframe';
1. **with a severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). There are two ways to specify Severity:
* **Constant**. Every Signal that the rule fires will have the same severity,
* **Dynamic**. Severity is based on the value of a field in the Record.
-1. **Configure constant severity**. Choose **Constant**, and select a severity level. Then, proceed to Step 8.
+1. **Configure constant severity**. Choose **Constant**, and select a severity level. Then, proceed to Step 8.
1. **Configure dynamic severity**.
1. Choose **Dynamic**.
- 1. The severity area updates.
+ 1. The severity area updates.
1. **severity of**. Use the pulldown to select a default severity value.
1. **for the record field**. Use the down arrows to display a list of fields, and select one. The dynamic severity will be based on the value of (or existence of) that field in the Record that matched the rule expression.
- 1. The **Add More Mappings** option appears.
- 1. **Click Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the Record field you selected above.
- 1. The **if the value is** option appears.
+ 1. The **Add More Mappings** option appears.
+ 1. Click **Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the Record field you selected above.
+ 1. The **if the value is** option appears.
1. Select one of the following options:
- * **equal to**. The Record field’s value must exactly match the string or numeric value you supply. For example "equal to 4" will match "4" and “4.0” but not “4.01”.
- * **less than**. The Record field’s value must be less than the numeric value you supply. The match is not inclusive. For example "less than 5" will match “4.9” but not “5”.
* **greater than**. The Record field’s value must be greater than the numeric value you supply. The match is not inclusive. For example "greater than “5" will match “5.1”, but not “5”.
+ * **less than**. The Record field’s value must be less than the numeric value you supply. The match is not inclusive. For example "less than 5" will match “4.9” but not “5”.
* **between**. The Record field’s value must be between the two numeric values you supply. The match is inclusive. For example, "Between 5 and 10" will match “5”, “7”, or “10”, but not “10.1”.
+ * **equal to**. The Record field’s value must exactly match the string or numeric value you supply. For example "equal to 4" will match "4" and “4.0” but not “4.01”.
* **not in the record**. Will match when the attribute is found in the Record. For example, if the selected field is `broirc_value`, and that field is not present in a Record, the rule will match. If `broirc_value` exists but is null or empty, the rule will not match.
1. You can define additional conditions, as desired. To define an additional condition, repeat the steps above, starting with **Add More Mappings**.
:::note
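Review bot: the reordered operator list still carries a contradiction in the **not in the record** bullet: it says "Will match when the attribute is found in the Record" and then gives the example "if that field is not present in a Record, the rule will match"; change the first sentence to "Will match when the attribute is not found in the Record". Two smaller fixes in the same list: the **greater than** line has a stray quotation mark in `"greater than “5"` (should read "greater than 5"), and the **Constant** bullet ends with a comma ("will have the same severity,") where a period is needed. The operator reordering and the `Click **Add More Mappings**` bolding fix are fine.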
diff --git a/docs/platform-services/automation-service/automation-service-playbooks.md b/docs/platform-services/automation-service/automation-service-playbooks.md
index ef059acdcb..94140c85bc 100644
--- a/docs/platform-services/automation-service/automation-service-playbooks.md
+++ b/docs/platform-services/automation-service/automation-service-playbooks.md
@@ -23,7 +23,7 @@ To run a playbook, add it to an automation. For places in Sumo Logic where you c
The following procedure describes how to view playbooks already installed in your environment. To add more playbooks, [create a playbook](#create-a-new-playbook), or [install a playbook from App Central](/docs/platform-services/automation-service/automation-service-app-central/#install-a-playbook-from-app-central).
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
The list of playbooks displays.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Automation > Playbooks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Automation > Playbooks**. You can also click the **Go To...** menu at the top of the screen and select **Playbooks**.
The list of playbooks displays.
1. Select a playbook to see the elements in the workflow.
1. Click the elements in the playbook to see their details. For example, click actions (the boxes in the flow) to see the [integration](/docs/platform-services/automation-service/automation-service-integrations/) resources that provide the actions.
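Review bot: the hunk shows the [**New UI**] line and "The list of playbooks displays." as unchanged context both before and after the added Classic UI line, which suggests the resulting file contains the New UI step and the list sentence twice, with the new `+1. [**Classic UI**]... select **Automation > Playbooks**.` step between the two copies instead of preceding a single New UI step as in every other procedure in this patch. Verify the intended result and remove the duplicate block so the procedure reads Classic UI, then New UI, then "The list of playbooks displays." once.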
diff --git a/static/img/cse/Confidence-Screenshot.png b/static/img/cse/Confidence-Screenshot.png
index 284ee7a6a5..ce690a4dd5 100644
Binary files a/static/img/cse/Confidence-Screenshot.png and b/static/img/cse/Confidence-Screenshot.png differ
diff --git a/static/img/cse/Playbook_inputs.png b/static/img/cse/Playbook_inputs.png
index 161d237c6c..87aabbf5d5 100644
Binary files a/static/img/cse/Playbook_inputs.png and b/static/img/cse/Playbook_inputs.png differ
diff --git a/static/img/cse/add-list-item.png b/static/img/cse/add-list-item.png
index a5dc52a162..79aba046f3 100644
Binary files a/static/img/cse/add-list-item.png and b/static/img/cse/add-list-item.png differ
diff --git a/static/img/cse/add-more-mappings.png b/static/img/cse/add-more-mappings.png
index 05a229a9a3..1aa8122abf 100644
Binary files a/static/img/cse/add-more-mappings.png and b/static/img/cse/add-more-mappings.png differ
diff --git a/static/img/cse/add-new-source.png b/static/img/cse/add-new-source.png
index 08ff23e9b0..8b5ec6934d 100644
Binary files a/static/img/cse/add-new-source.png and b/static/img/cse/add-new-source.png differ
diff --git a/static/img/cse/add-source-1.png b/static/img/cse/add-source-1.png
index c4974ed515..2e589fe514 100644
Binary files a/static/img/cse/add-source-1.png and b/static/img/cse/add-source-1.png differ
diff --git a/static/img/cse/add-source-2.png b/static/img/cse/add-source-2.png
index c7e5c596db..71a745e84d 100644
Binary files a/static/img/cse/add-source-2.png and b/static/img/cse/add-source-2.png differ
diff --git a/static/img/cse/advanced-json-parsing.png b/static/img/cse/advanced-json-parsing.png
index 00578192b6..f0b648915f 100644
Binary files a/static/img/cse/advanced-json-parsing.png and b/static/img/cse/advanced-json-parsing.png differ
diff --git a/static/img/cse/advanced-threshold.png b/static/img/cse/advanced-threshold.png
index 441d8195da..95853791fe 100644
Binary files a/static/img/cse/advanced-threshold.png and b/static/img/cse/advanced-threshold.png differ
diff --git a/static/img/cse/agg-rule.png b/static/img/cse/agg-rule.png
index 8474592a18..a64fed278b 100644
Binary files a/static/img/cse/agg-rule.png and b/static/img/cse/agg-rule.png differ
diff --git a/static/img/cse/aggregation-rule-edits.png b/static/img/cse/aggregation-rule-edits.png
index d40d054ab0..8924b9bfaa 100644
Binary files a/static/img/cse/aggregation-rule-edits.png and b/static/img/cse/aggregation-rule-edits.png differ
diff --git a/static/img/cse/auth-rule-mapping-1.png b/static/img/cse/auth-rule-mapping-1.png
index 905bb7707b..7837b42f64 100644
Binary files a/static/img/cse/auth-rule-mapping-1.png and b/static/img/cse/auth-rule-mapping-1.png differ
diff --git a/static/img/cse/automation-example-playbook-4-send-email.png b/static/img/cse/automation-example-playbook-4-send-email.png
index b4a95edd23..8a357e9c8f 100644
Binary files a/static/img/cse/automation-example-playbook-4-send-email.png and b/static/img/cse/automation-example-playbook-4-send-email.png differ
diff --git a/static/img/cse/automation-examples-add-condition.png b/static/img/cse/automation-examples-add-condition.png
index 4c88b9300b..c6d9c69d94 100644
Binary files a/static/img/cse/automation-examples-add-condition.png and b/static/img/cse/automation-examples-add-condition.png differ
diff --git a/static/img/cse/automation-examples-add-integration-button.png b/static/img/cse/automation-examples-add-integration-button.png
index 7077c30a78..3cfeaa128d 100644
Binary files a/static/img/cse/automation-examples-add-integration-button.png and b/static/img/cse/automation-examples-add-integration-button.png differ
diff --git a/static/img/cse/automation-examples-add-ip-reputation-node.png b/static/img/cse/automation-examples-add-ip-reputation-node.png
index fe0de612e9..be7c6b99f6 100644
Binary files a/static/img/cse/automation-examples-add-ip-reputation-node.png and b/static/img/cse/automation-examples-add-ip-reputation-node.png differ
diff --git a/static/img/cse/automation-examples-add-playbook-button.png b/static/img/cse/automation-examples-add-playbook-button.png
index 1c5cb4eec6..249e88c2c9 100644
Binary files a/static/img/cse/automation-examples-add-playbook-button.png and b/static/img/cse/automation-examples-add-playbook-button.png differ
diff --git a/static/img/cse/automation-examples-add-resource-button.png b/static/img/cse/automation-examples-add-resource-button.png
index 6bab029ab4..63b1773ff8 100644
Binary files a/static/img/cse/automation-examples-add-resource-button.png and b/static/img/cse/automation-examples-add-resource-button.png differ
diff --git a/static/img/cse/automation-examples-add-resource-ip-quality-score.png b/static/img/cse/automation-examples-add-resource-ip-quality-score.png
index dc955d7408..9bb3a6d65c 100644
Binary files a/static/img/cse/automation-examples-add-resource-ip-quality-score.png and b/static/img/cse/automation-examples-add-resource-ip-quality-score.png differ
diff --git a/static/img/cse/automation-examples-advanced-add-insight-enrichment-node.png b/static/img/cse/automation-examples-advanced-add-insight-enrichment-node.png
index 85769243f8..d78f0e84f5 100644
Binary files a/static/img/cse/automation-examples-advanced-add-insight-enrichment-node.png and b/static/img/cse/automation-examples-advanced-add-insight-enrichment-node.png differ
diff --git a/static/img/cse/automation-examples-complex-condition-1.png b/static/img/cse/automation-examples-complex-condition-1.png
index 11af7ab5f5..72b23ecbd2 100644
Binary files a/static/img/cse/automation-examples-complex-condition-1.png and b/static/img/cse/automation-examples-complex-condition-1.png differ
diff --git a/static/img/cse/automation-examples-edit-sumo-logic-resource.png b/static/img/cse/automation-examples-edit-sumo-logic-resource.png
index 41b1b260fb..4a438931a8 100644
Binary files a/static/img/cse/automation-examples-edit-sumo-logic-resource.png and b/static/img/cse/automation-examples-edit-sumo-logic-resource.png differ
diff --git a/static/img/cse/automation-examples-ip-reputation-v3-add-node.png b/static/img/cse/automation-examples-ip-reputation-v3-add-node.png
index 681a38ee54..613dd045b9 100644
Binary files a/static/img/cse/automation-examples-ip-reputation-v3-add-node.png and b/static/img/cse/automation-examples-ip-reputation-v3-add-node.png differ
diff --git a/static/img/cse/automation-examples-search-sumo-logic-node-2.png b/static/img/cse/automation-examples-search-sumo-logic-node-2.png
index 0c87288d67..919a47f462 100644
Binary files a/static/img/cse/automation-examples-search-sumo-logic-node-2.png and b/static/img/cse/automation-examples-search-sumo-logic-node-2.png differ
diff --git a/static/img/cse/automation-examples-search-sumo-logic-node.png b/static/img/cse/automation-examples-search-sumo-logic-node.png
index caf341f273..66e5521e84 100644
Binary files a/static/img/cse/automation-examples-search-sumo-logic-node.png and b/static/img/cse/automation-examples-search-sumo-logic-node.png differ
diff --git a/static/img/cse/automation-examples-send-email-node.png b/static/img/cse/automation-examples-send-email-node.png
index 9e2e94de3d..f6e381ef1c 100644
Binary files a/static/img/cse/automation-examples-send-email-node.png and b/static/img/cse/automation-examples-send-email-node.png differ
diff --git a/static/img/cse/automation-examples-sumo-logic-cip-resource-edit-button.png b/static/img/cse/automation-examples-sumo-logic-cip-resource-edit-button.png
index 3f9a158669..a9e6dc7fda 100644
Binary files a/static/img/cse/automation-examples-sumo-logic-cip-resource-edit-button.png and b/static/img/cse/automation-examples-sumo-logic-cip-resource-edit-button.png differ
diff --git a/static/img/cse/automation-examples-upload-button.png b/static/img/cse/automation-examples-upload-button.png
index d4bef5f459..50722bce56 100644
Binary files a/static/img/cse/automation-examples-upload-button.png and b/static/img/cse/automation-examples-upload-button.png differ
diff --git a/static/img/cse/automation-examples-virus-total-edit-resource.png b/static/img/cse/automation-examples-virus-total-edit-resource.png
index 4de18a945d..4773c6da2d 100644
Binary files a/static/img/cse/automation-examples-virus-total-edit-resource.png and b/static/img/cse/automation-examples-virus-total-edit-resource.png differ
diff --git a/static/img/cse/automation-examples-virus-total-resource-edit-button.png b/static/img/cse/automation-examples-virus-total-resource-edit-button.png
index 59c030f820..43fa8a3fef 100644
Binary files a/static/img/cse/automation-examples-virus-total-resource-edit-button.png and b/static/img/cse/automation-examples-virus-total-resource-edit-button.png differ
diff --git a/static/img/cse/automation-menu-in-nav-bar.png b/static/img/cse/automation-menu-in-nav-bar.png
index 340e5dcf6b..5b48911640 100644
Binary files a/static/img/cse/automation-menu-in-nav-bar.png and b/static/img/cse/automation-menu-in-nav-bar.png differ
diff --git a/static/img/cse/automations-action-example.png b/static/img/cse/automations-action-example.png
index 87d5c1c002..e0ef2b0823 100644
Binary files a/static/img/cse/automations-action-example.png and b/static/img/cse/automations-action-example.png differ
diff --git a/static/img/cse/automations-actions-menu.png b/static/img/cse/automations-actions-menu.png
index 327d515dae..52f10ad61f 100644
Binary files a/static/img/cse/automations-actions-menu.png and b/static/img/cse/automations-actions-menu.png differ
diff --git a/static/img/cse/automations-automations-list.png b/static/img/cse/automations-automations-list.png
index 7f2e6724c5..3b3887b073 100644
Binary files a/static/img/cse/automations-automations-list.png and b/static/img/cse/automations-automations-list.png differ
diff --git a/static/img/cse/automations-entity-automations-menu.png b/static/img/cse/automations-entity-automations-menu.png
index b2be2d6d9c..e7c1526886 100644
Binary files a/static/img/cse/automations-entity-automations-menu.png and b/static/img/cse/automations-entity-automations-menu.png differ
diff --git a/static/img/cse/automations-entity-menu-2.png b/static/img/cse/automations-entity-menu-2.png
index 08cd404ac9..46ce5e6463 100644
Binary files a/static/img/cse/automations-entity-menu-2.png and b/static/img/cse/automations-entity-menu-2.png differ
diff --git a/static/img/cse/automations-entity-menu.png b/static/img/cse/automations-entity-menu.png
index 5da5a19bc7..352380bbe9 100644
Binary files a/static/img/cse/automations-entity-menu.png and b/static/img/cse/automations-entity-menu.png differ
diff --git a/static/img/cse/automations-execution-status.png b/static/img/cse/automations-execution-status.png
index 441b473c8c..c19ddcbcb8 100644
Binary files a/static/img/cse/automations-execution-status.png and b/static/img/cse/automations-execution-status.png differ
diff --git a/static/img/cse/automations-malicious-threat-indicator.png b/static/img/cse/automations-malicious-threat-indicator.png
index 6da6be987c..2be22ad5ea 100644
Binary files a/static/img/cse/automations-malicious-threat-indicator.png and b/static/img/cse/automations-malicious-threat-indicator.png differ
diff --git a/static/img/cse/automations-manage-playbooks.png b/static/img/cse/automations-manage-playbooks.png
index eb4ebfbe0e..fad8e501f5 100644
Binary files a/static/img/cse/automations-manage-playbooks.png and b/static/img/cse/automations-manage-playbooks.png differ
diff --git a/static/img/cse/automations-new.png b/static/img/cse/automations-new.png
index d866422603..808ddfbb63 100644
Binary files a/static/img/cse/automations-new.png and b/static/img/cse/automations-new.png differ
diff --git a/static/img/cse/automations-on-insight.png b/static/img/cse/automations-on-insight.png
index 8c535765b9..8a40969c6c 100644
Binary files a/static/img/cse/automations-on-insight.png and b/static/img/cse/automations-on-insight.png differ
diff --git a/static/img/cse/automations-playbook-list.png b/static/img/cse/automations-playbook-list.png
index 1035ae2f35..39f26e24dc 100644
Binary files a/static/img/cse/automations-playbook-list.png and b/static/img/cse/automations-playbook-list.png differ
diff --git a/static/img/cse/automations-playbook-status-graph.png b/static/img/cse/automations-playbook-status-graph.png
index ba63301756..62019c5824 100644
Binary files a/static/img/cse/automations-playbook-status-graph.png and b/static/img/cse/automations-playbook-status-graph.png differ
diff --git a/static/img/cse/automations-playbook-status.png b/static/img/cse/automations-playbook-status.png
index 44c52c436c..447005806c 100644
Binary files a/static/img/cse/automations-playbook-status.png and b/static/img/cse/automations-playbook-status.png differ
diff --git a/static/img/cse/automations-resource-example.png b/static/img/cse/automations-resource-example.png
index 29cbadeb1b..c3b32e13fb 100644
Binary files a/static/img/cse/automations-resource-example.png and b/static/img/cse/automations-resource-example.png differ
diff --git a/static/img/cse/before-suppression.png b/static/img/cse/before-suppression.png
index 5d70998c96..7ce7437431 100644
Binary files a/static/img/cse/before-suppression.png and b/static/img/cse/before-suppression.png differ
diff --git a/static/img/cse/board.png b/static/img/cse/board.png
index b10931077e..805a8cb3c0 100644
Binary files a/static/img/cse/board.png and b/static/img/cse/board.png differ
diff --git a/static/img/cse/built-in-tags.png b/static/img/cse/built-in-tags.png
index 93ad3237a7..9e225f2fd7 100644
Binary files a/static/img/cse/built-in-tags.png and b/static/img/cse/built-in-tags.png differ
diff --git a/static/img/cse/chain-rule-edits.png b/static/img/cse/chain-rule-edits.png
index 192e78d8d9..3b4b2eb953 100644
Binary files a/static/img/cse/chain-rule-edits.png and b/static/img/cse/chain-rule-edits.png differ
diff --git a/static/img/cse/chevron-icon.png b/static/img/cse/chevron-icon.png
index f329792fac..3ffc8fe6ea 100644
Binary files a/static/img/cse/chevron-icon.png and b/static/img/cse/chevron-icon.png differ
diff --git a/static/img/cse/close-insight.png b/static/img/cse/close-insight.png
new file mode 100644
index 0000000000..6e64526e23
Binary files /dev/null and b/static/img/cse/close-insight.png differ
diff --git a/static/img/cse/close-options.png b/static/img/cse/close-options.png
index 3eb6234b87..b77666a7a5 100644
Binary files a/static/img/cse/close-options.png and b/static/img/cse/close-options.png differ
diff --git a/static/img/cse/closeup.png b/static/img/cse/closeup.png
index 522694264e..dd9df7da6a 100644
Binary files a/static/img/cse/closeup.png and b/static/img/cse/closeup.png differ
diff --git a/static/img/cse/constant-severity.png b/static/img/cse/constant-severity.png
index 56f9e4eccc..463cc45fa2 100644
Binary files a/static/img/cse/constant-severity.png and b/static/img/cse/constant-severity.png differ
diff --git a/static/img/cse/corelight-edit-mapping.png b/static/img/cse/corelight-edit-mapping.png
index 44a9b43609..d1f5710d85 100644
Binary files a/static/img/cse/corelight-edit-mapping.png and b/static/img/cse/corelight-edit-mapping.png differ
diff --git a/static/img/cse/create-action-empty.png b/static/img/cse/create-action-empty.png
index 18c92113c7..9ce2fc7aed 100644
Binary files a/static/img/cse/create-action-empty.png and b/static/img/cse/create-action-empty.png differ
diff --git a/static/img/cse/create-column.png b/static/img/cse/create-column.png
index b540f82cd9..283f3fb87d 100644
Binary files a/static/img/cse/create-column.png and b/static/img/cse/create-column.png differ
diff --git a/static/img/cse/create-custom-entity-type.png b/static/img/cse/create-custom-entity-type.png
index 081275000a..efbef08e15 100644
Binary files a/static/img/cse/create-custom-entity-type.png and b/static/img/cse/create-custom-entity-type.png differ
diff --git a/static/img/cse/create-insight-resolution.png b/static/img/cse/create-insight-resolution.png
index 702fec49cf..39d864110e 100644
Binary files a/static/img/cse/create-insight-resolution.png and b/static/img/cse/create-insight-resolution.png differ
diff --git a/static/img/cse/create-insight.png b/static/img/cse/create-insight.png
index a0780297d0..dd0a9ac788 100644
Binary files a/static/img/cse/create-insight.png and b/static/img/cse/create-insight.png differ
diff --git a/static/img/cse/create-mapping-1.png b/static/img/cse/create-mapping-1.png
index 0819e59ebc..702b42e192 100644
Binary files a/static/img/cse/create-mapping-1.png and b/static/img/cse/create-mapping-1.png differ
diff --git a/static/img/cse/create-mapping-2.png b/static/img/cse/create-mapping-2.png
index 9c6a8499ad..6960833867 100644
Binary files a/static/img/cse/create-mapping-2.png and b/static/img/cse/create-mapping-2.png differ
diff --git a/static/img/cse/create-mapping-3.png b/static/img/cse/create-mapping-3.png
index c8ee512e06..80c8115a95 100644
Binary files a/static/img/cse/create-mapping-3.png and b/static/img/cse/create-mapping-3.png differ
diff --git a/static/img/cse/create-mapping-4.png b/static/img/cse/create-mapping-4.png
index 4c7a56dc92..5c7d6c8231 100644
Binary files a/static/img/cse/create-mapping-4.png and b/static/img/cse/create-mapping-4.png differ
diff --git a/static/img/cse/create-network-block.png b/static/img/cse/create-network-block.png
index 2d07352ae8..217b7689ac 100644
Binary files a/static/img/cse/create-network-block.png and b/static/img/cse/create-network-block.png differ
diff --git a/static/img/cse/criticality-popup.png b/static/img/cse/criticality-popup.png
index 2824064e85..19b4fb558b 100644
Binary files a/static/img/cse/criticality-popup.png and b/static/img/cse/criticality-popup.png differ
diff --git a/static/img/cse/cse-option-in-left-nav.png b/static/img/cse/cse-option-in-left-nav.png
index 31b050ad34..c6feb8d3e7 100644
Binary files a/static/img/cse/cse-option-in-left-nav.png and b/static/img/cse/cse-option-in-left-nav.png differ
diff --git a/static/img/cse/custom-insight.png b/static/img/cse/custom-insight.png
index da7fe31f13..edef65bab8 100644
Binary files a/static/img/cse/custom-insight.png and b/static/img/cse/custom-insight.png differ
diff --git a/static/img/cse/detection-threshold-global-signal-suppression.png b/static/img/cse/detection-threshold-global-signal-suppression.png
index 13d2a58392..e1b3cd175b 100644
Binary files a/static/img/cse/detection-threshold-global-signal-suppression.png and b/static/img/cse/detection-threshold-global-signal-suppression.png differ
diff --git a/static/img/cse/detection-threshold-popup.png b/static/img/cse/detection-threshold-popup.png
index 2cc0bb2b12..6591d3b34f 100644
Binary files a/static/img/cse/detection-threshold-popup.png and b/static/img/cse/detection-threshold-popup.png differ
diff --git a/static/img/cse/edit.png b/static/img/cse/edit.png
index 5882ff6379..a0c06b7dd9 100644
Binary files a/static/img/cse/edit.png and b/static/img/cse/edit.png differ
diff --git a/static/img/cse/empty-first-seen-rule.png b/static/img/cse/empty-first-seen-rule.png
index 6b75bddaca..a223bf2c01 100644
Binary files a/static/img/cse/empty-first-seen-rule.png and b/static/img/cse/empty-first-seen-rule.png differ
diff --git a/static/img/cse/empty-outlier-rule.png b/static/img/cse/empty-outlier-rule.png
index a53755bc36..b546036cb8 100644
Binary files a/static/img/cse/empty-outlier-rule.png and b/static/img/cse/empty-outlier-rule.png differ
diff --git a/static/img/cse/enable-on-details.png b/static/img/cse/enable-on-details.png
index 738e0e39d1..cbbcb2c459 100644
Binary files a/static/img/cse/enable-on-details.png and b/static/img/cse/enable-on-details.png differ
diff --git a/static/img/cse/enable-on-list.png b/static/img/cse/enable-on-list.png
index 550c50eb93..1bf4cd8830 100644
Binary files a/static/img/cse/enable-on-list.png and b/static/img/cse/enable-on-list.png differ
diff --git a/static/img/cse/enrichment-1a.png b/static/img/cse/enrichment-1a.png
index ae6cabfc20..ccd989030e 100644
Binary files a/static/img/cse/enrichment-1a.png and b/static/img/cse/enrichment-1a.png differ
diff --git a/static/img/cse/enrichment-page.png b/static/img/cse/enrichment-page.png
index 7750139d37..ad09477137 100644
Binary files a/static/img/cse/enrichment-page.png and b/static/img/cse/enrichment-page.png differ
diff --git a/static/img/cse/enrichments.png b/static/img/cse/enrichments.png
index b70b8b9da7..2be22ad5ea 100644
Binary files a/static/img/cse/enrichments.png and b/static/img/cse/enrichments.png differ
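Review bot: enrichments.png and automations-malicious-threat-indicator.png now resolve to the same new blob (index ..2be22ad5ea in both entries), so the two paths contain byte-identical images after this change; if that is unintended (the old blobs b70b8b9da7 and 6da6be987c differed), one of the screenshots was probably saved to the wrong path and should be re-exported, and if it is intended, consider dropping one file and pointing both docs at the other so they do not drift apart later.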
diff --git a/static/img/cse/entities-page-2.png b/static/img/cse/entities-page-2.png
index bfb41e3e96..fef799f896 100644
Binary files a/static/img/cse/entities-page-2.png and b/static/img/cse/entities-page-2.png differ
diff --git a/static/img/cse/entities-page.png b/static/img/cse/entities-page.png
index 918ff75509..30656c854f 100644
Binary files a/static/img/cse/entities-page.png and b/static/img/cse/entities-page.png differ
diff --git a/static/img/cse/entity-data-popup.png b/static/img/cse/entity-data-popup.png
index 678ebef466..047dfdb54a 100644
Binary files a/static/img/cse/entity-data-popup.png and b/static/img/cse/entity-data-popup.png differ
diff --git a/static/img/cse/entity-details-criticality.png b/static/img/cse/entity-details-criticality.png
index be4188e52e..47eb2461cd 100644
Binary files a/static/img/cse/entity-details-criticality.png and b/static/img/cse/entity-details-criticality.png differ
diff --git a/static/img/cse/entity-details-new-host.png b/static/img/cse/entity-details-new-host.png
index af20ac3558..a8d594d980 100644
Binary files a/static/img/cse/entity-details-new-host.png and b/static/img/cse/entity-details-new-host.png differ
diff --git a/static/img/cse/entity-inventory.png b/static/img/cse/entity-inventory.png
index 48a22aaa2b..3e17251e51 100644
Binary files a/static/img/cse/entity-inventory.png and b/static/img/cse/entity-inventory.png differ
diff --git a/static/img/cse/entity-list-page.png b/static/img/cse/entity-list-page.png
index e8ae411d09..c74e2f907a 100644
Binary files a/static/img/cse/entity-list-page.png and b/static/img/cse/entity-list-page.png differ
diff --git a/static/img/cse/entity-list-tags.png b/static/img/cse/entity-list-tags.png
index c8e6642350..6e62e2aa78 100644
Binary files a/static/img/cse/entity-list-tags.png and b/static/img/cse/entity-list-tags.png differ
diff --git a/static/img/cse/entity-page.png b/static/img/cse/entity-page.png
index b7de9a201c..595665aefd 100644
Binary files a/static/img/cse/entity-page.png and b/static/img/cse/entity-page.png differ
diff --git a/static/img/cse/entity-timeline.png b/static/img/cse/entity-timeline.png
index 48dbe17361..85231f7e6a 100644
Binary files a/static/img/cse/entity-timeline.png and b/static/img/cse/entity-timeline.png differ
diff --git a/static/img/cse/example-dynamic.png b/static/img/cse/example-dynamic.png
index 0f2806943d..a575a607ed 100644
Binary files a/static/img/cse/example-dynamic.png and b/static/img/cse/example-dynamic.png differ
diff --git a/static/img/cse/example-expression.png b/static/img/cse/example-expression.png
index 9d14a77230..897946a468 100644
Binary files a/static/img/cse/example-expression.png and b/static/img/cse/example-expression.png differ
diff --git a/static/img/cse/example-in-editor.png b/static/img/cse/example-in-editor.png
index 268fad6266..62ade10a98 100644
Binary files a/static/img/cse/example-in-editor.png and b/static/img/cse/example-in-editor.png differ
diff --git a/static/img/cse/example-match-list.png b/static/img/cse/example-match-list.png
index b699cc2645..d2612668a1 100644
Binary files a/static/img/cse/example-match-list.png and b/static/img/cse/example-match-list.png differ
diff --git a/static/img/cse/example-threat-intl.png b/static/img/cse/example-threat-intl.png
index ed61769e6f..82463c42b3 100644
Binary files a/static/img/cse/example-threat-intl.png and b/static/img/cse/example-threat-intl.png differ
diff --git a/static/img/cse/existing-lookup-table.png b/static/img/cse/existing-lookup-table.png
index 46d4bddf36..c6be30d0e8 100644
Binary files a/static/img/cse/existing-lookup-table.png and b/static/img/cse/existing-lookup-table.png differ
diff --git a/static/img/cse/extracted-fields-json.png b/static/img/cse/extracted-fields-json.png
index 4a59cf9fd1..8ceb7ea8f3 100644
Binary files a/static/img/cse/extracted-fields-json.png and b/static/img/cse/extracted-fields-json.png differ
diff --git a/static/img/cse/filter-list-by-tag.png b/static/img/cse/filter-list-by-tag.png
index 7c9b083f76..2e7851b2de 100644
Binary files a/static/img/cse/filter-list-by-tag.png and b/static/img/cse/filter-list-by-tag.png differ
diff --git a/static/img/cse/filter-option.png b/static/img/cse/filter-option.png
index 79585e1777..b193902c39 100644
Binary files a/static/img/cse/filter-option.png and b/static/img/cse/filter-option.png differ
diff --git a/static/img/cse/filter-options.png b/static/img/cse/filter-options.png
index 89816cce7a..dce0f0f73f 100644
Binary files a/static/img/cse/filter-options.png and b/static/img/cse/filter-options.png differ
diff --git a/static/img/cse/filtered-list.png b/static/img/cse/filtered-list.png
index 7e0f8fe913..642f79a955 100644
Binary files a/static/img/cse/filtered-list.png and b/static/img/cse/filtered-list.png differ
diff --git a/static/img/cse/first-seen-rule.jpg b/static/img/cse/first-seen-rule.jpg
deleted file mode 100644
index 117100d2b5..0000000000
Binary files a/static/img/cse/first-seen-rule.jpg and /dev/null differ
diff --git a/static/img/cse/first-seen-rule.png b/static/img/cse/first-seen-rule.png
new file mode 100644
index 0000000000..ba54dae493
Binary files /dev/null and b/static/img/cse/first-seen-rule.png differ
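Review bot: first-seen-rule.jpg is deleted and first-seen-rule.png is added, which is a rename with a format change rather than an in-place update; please confirm every docs page that referenced `/img/cse/first-seen-rule.jpg` has been updated to the `.png` path in this PR, since a stale reference would build as a broken image rather than fail loudly.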
diff --git a/static/img/cse/freeform-tag-list.png b/static/img/cse/freeform-tag-list.png
index 9ebe6f60fd..331dbab785 100644
Binary files a/static/img/cse/freeform-tag-list.png and b/static/img/cse/freeform-tag-list.png differ
diff --git a/static/img/cse/funnel-icon.png b/static/img/cse/funnel-icon.png
index aa13225b5f..081aa35ee0 100644
Binary files a/static/img/cse/funnel-icon.png and b/static/img/cse/funnel-icon.png differ
diff --git a/static/img/cse/hud.png b/static/img/cse/hud.png
index cfd586aa57..3dca82053c 100644
Binary files a/static/img/cse/hud.png and b/static/img/cse/hud.png differ
diff --git a/static/img/cse/if-the-value-is.png b/static/img/cse/if-the-value-is.png
index f21359cced..ff396b8d45 100644
Binary files a/static/img/cse/if-the-value-is.png and b/static/img/cse/if-the-value-is.png differ
diff --git a/static/img/cse/indicator-malicious-icon.png b/static/img/cse/indicator-malicious-icon.png
index 9711bda236..0920b62f91 100644
Binary files a/static/img/cse/indicator-malicious-icon.png and b/static/img/cse/indicator-malicious-icon.png differ
diff --git a/static/img/cse/indicator-malicious-label.png b/static/img/cse/indicator-malicious-label.png
index b073ce4545..14ea622c9f 100644
Binary files a/static/img/cse/indicator-malicious-label.png and b/static/img/cse/indicator-malicious-label.png differ
diff --git a/static/img/cse/indicator-suspicious-icon.png b/static/img/cse/indicator-suspicious-icon.png
index eddc3456ab..6b11db2b61 100644
Binary files a/static/img/cse/indicator-suspicious-icon.png and b/static/img/cse/indicator-suspicious-icon.png differ
diff --git a/static/img/cse/indicator-suspicious-label.png b/static/img/cse/indicator-suspicious-label.png
index b71bd4257d..30acadcfb8 100644
Binary files a/static/img/cse/indicator-suspicious-label.png and b/static/img/cse/indicator-suspicious-label.png differ
diff --git a/static/img/cse/insight-actions-icon.png b/static/img/cse/insight-actions-icon.png
index a9e1674bb3..44fa91f98e 100644
Binary files a/static/img/cse/insight-actions-icon.png and b/static/img/cse/insight-actions-icon.png differ
diff --git a/static/img/cse/insight-details.png b/static/img/cse/insight-details.png
index a35f5d8ae7..e2ace5dd6c 100644
Binary files a/static/img/cse/insight-details.png and b/static/img/cse/insight-details.png differ
diff --git a/static/img/cse/insight-list-tags.png b/static/img/cse/insight-list-tags.png
index fed29fab47..a9a574a117 100644
Binary files a/static/img/cse/insight-list-tags.png and b/static/img/cse/insight-list-tags.png differ
diff --git a/static/img/cse/insight-summary.png b/static/img/cse/insight-summary.png
index 736c408b1e..26265ee19f 100644
Binary files a/static/img/cse/insight-summary.png and b/static/img/cse/insight-summary.png differ
diff --git a/static/img/cse/insight.png b/static/img/cse/insight.png
index acf7ac5c9b..6da568d7f8 100644
Binary files a/static/img/cse/insight.png and b/static/img/cse/insight.png differ
diff --git a/static/img/cse/insights-page.png b/static/img/cse/insights-page.png
index 178932b293..4a34fc35a9 100644
Binary files a/static/img/cse/insights-page.png and b/static/img/cse/insights-page.png differ
diff --git a/static/img/cse/intro-cloud-siem-entities.png b/static/img/cse/intro-cloud-siem-entities.png
index f1160d3c6a..a407caf916 100644
Binary files a/static/img/cse/intro-cloud-siem-entities.png and b/static/img/cse/intro-cloud-siem-entities.png differ
diff --git a/static/img/cse/intro-cloud-siem-records-signals-insights.png b/static/img/cse/intro-cloud-siem-records-signals-insights.png
index acbb9b2553..9238cfbf07 100644
Binary files a/static/img/cse/intro-cloud-siem-records-signals-insights.png and b/static/img/cse/intro-cloud-siem-records-signals-insights.png differ
diff --git a/static/img/cse/intro-cloud-siem-signals-details.png b/static/img/cse/intro-cloud-siem-signals-details.png
index bc44d80a8f..97e7a3e1eb 100644
Binary files a/static/img/cse/intro-cloud-siem-signals-details.png and b/static/img/cse/intro-cloud-siem-signals-details.png differ
diff --git a/static/img/cse/intro-cloud-siem-signals.png b/static/img/cse/intro-cloud-siem-signals.png
index 84e519fcb4..19e1000332 100644
Binary files a/static/img/cse/intro-cloud-siem-signals.png and b/static/img/cse/intro-cloud-siem-signals.png differ
diff --git a/static/img/cse/kemp-reocrd-volume.png b/static/img/cse/kemp-reocrd-volume.png
index 7afbbbdb9f..e8b006f49c 100644
Binary files a/static/img/cse/kemp-reocrd-volume.png and b/static/img/cse/kemp-reocrd-volume.png differ
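Review bot: the path kemp-reocrd-volume.png carries a typo ("reocrd" for "record") that this change re-uploads under the same name; since the image is being regenerated anyway, this is a cheap moment to rename it to kemp-record-volume.png and update the referencing doc, rather than carrying the misspelling forward.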
diff --git a/static/img/cse/list-page-search.png b/static/img/cse/list-page-search.png
index fd59067cdc..ed07eddd1a 100644
Binary files a/static/img/cse/list-page-search.png and b/static/img/cse/list-page-search.png differ
diff --git a/static/img/cse/log-mapping-filters.png b/static/img/cse/log-mapping-filters.png
index c5751564af..465ff7c569 100644
Binary files a/static/img/cse/log-mapping-filters.png and b/static/img/cse/log-mapping-filters.png differ
diff --git a/static/img/cse/log-mappings-page.png b/static/img/cse/log-mappings-page.png
index 801a6f8cef..21c477bd8b 100644
Binary files a/static/img/cse/log-mappings-page.png and b/static/img/cse/log-mappings-page.png differ
diff --git a/static/img/cse/mapping.png b/static/img/cse/mapping.png
index d56bba9a70..91d935bbd0 100644
Binary files a/static/img/cse/mapping.png and b/static/img/cse/mapping.png differ
diff --git a/static/img/cse/match-lists.png b/static/img/cse/match-lists.png
index eddcbcce4c..f5bcce36d9 100644
Binary files a/static/img/cse/match-lists.png and b/static/img/cse/match-lists.png differ
diff --git a/static/img/cse/matching-mappings.png b/static/img/cse/matching-mappings.png
index 5b03211820..b2c72d5254 100644
Binary files a/static/img/cse/matching-mappings.png and b/static/img/cse/matching-mappings.png differ
diff --git a/static/img/cse/mitre-link.png b/static/img/cse/mitre-link.png
index 98618450b7..f3a50e36c7 100644
Binary files a/static/img/cse/mitre-link.png and b/static/img/cse/mitre-link.png differ
diff --git a/static/img/cse/network-block-page.png b/static/img/cse/network-block-page.png
index 923a4610c4..d5dbef0e56 100644
Binary files a/static/img/cse/network-block-page.png and b/static/img/cse/network-block-page.png differ
diff --git a/static/img/cse/new-match-list.png b/static/img/cse/new-match-list.png
index e22619b958..4b8f3226d7 100644
Binary files a/static/img/cse/new-match-list.png and b/static/img/cse/new-match-list.png differ
diff --git a/static/img/cse/on-entity-example.png b/static/img/cse/on-entity-example.png
index 7f02745a4d..f49089d837 100644
Binary files a/static/img/cse/on-entity-example.png and b/static/img/cse/on-entity-example.png differ
diff --git a/static/img/cse/on-entity.png b/static/img/cse/on-entity.png
index 702b4c28b1..8a82951369 100644
Binary files a/static/img/cse/on-entity.png and b/static/img/cse/on-entity.png differ
diff --git a/static/img/cse/operators-for-rules.png b/static/img/cse/operators-for-rules.png
new file mode 100644
index 0000000000..0767951371
Binary files /dev/null and b/static/img/cse/operators-for-rules.png differ
diff --git a/static/img/cse/operators.png b/static/img/cse/operators.png
index d73feb2611..08b7c1f601 100644
Binary files a/static/img/cse/operators.png and b/static/img/cse/operators.png differ
diff --git a/static/img/cse/outlier-rule.png b/static/img/cse/outlier-rule.png
index b53587939d..a8d6e75112 100644
Binary files a/static/img/cse/outlier-rule.png and b/static/img/cse/outlier-rule.png differ
diff --git a/static/img/cse/proofpoint-log-mappers.png b/static/img/cse/proofpoint-log-mappers.png
index 992925726d..1df45e1f02 100644
Binary files a/static/img/cse/proofpoint-log-mappers.png and b/static/img/cse/proofpoint-log-mappers.png differ
diff --git a/static/img/cse/related-entities.jpg b/static/img/cse/related-entities.jpg
deleted file mode 100644
index e40788301f..0000000000
Binary files a/static/img/cse/related-entities.jpg and /dev/null differ
diff --git a/static/img/cse/related-entities.png b/static/img/cse/related-entities.png
new file mode 100644
index 0000000000..061c03e59e
Binary files /dev/null and b/static/img/cse/related-entities.png differ
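Review bot: same pattern as first-seen-rule: related-entities.jpg is removed and related-entities.png is added, so any page still embedding `/img/cse/related-entities.jpg` needs its reference changed to the `.png` path in this PR, and the new related-entity-graph.png added just below should be referenced from a doc in the same change or it ships as an unused asset.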
diff --git a/static/img/cse/related-entity-graph.png b/static/img/cse/related-entity-graph.png
new file mode 100644
index 0000000000..04e46c68fd
Binary files /dev/null and b/static/img/cse/related-entity-graph.png differ
diff --git a/static/img/cse/reorder-icons.png b/static/img/cse/reorder-icons.png
index a688d7d53b..ee62c97f15 100644
Binary files a/static/img/cse/reorder-icons.png and b/static/img/cse/reorder-icons.png differ
diff --git a/static/img/cse/resolution-options-2.png b/static/img/cse/resolution-options-2.png
index 57e4b56751..95536ddc02 100644
Binary files a/static/img/cse/resolution-options-2.png and b/static/img/cse/resolution-options-2.png differ
diff --git a/static/img/cse/revert-icons.png b/static/img/cse/revert-icons.png
index e311e543ca..aed7472fd4 100644
Binary files a/static/img/cse/revert-icons.png and b/static/img/cse/revert-icons.png differ
diff --git a/static/img/cse/search-rules-by-tag.png b/static/img/cse/search-rules-by-tag.png
index 82ab8ad9ef..14ec6efde5 100644
Binary files a/static/img/cse/search-rules-by-tag.png and b/static/img/cse/search-rules-by-tag.png differ
diff --git a/static/img/cse/selected-mapping-bottom.png b/static/img/cse/selected-mapping-bottom.png
index 6462663a08..2a992a1279 100644
Binary files a/static/img/cse/selected-mapping-bottom.png and b/static/img/cse/selected-mapping-bottom.png differ
diff --git a/static/img/cse/selected-mapping-top.png b/static/img/cse/selected-mapping-top.png
index 303b8b9bcf..7535a670f2 100644
Binary files a/static/img/cse/selected-mapping-top.png and b/static/img/cse/selected-mapping-top.png differ
diff --git a/static/img/cse/signal-list-area.png b/static/img/cse/signal-list-area.png
index 14d23bf6a8..ad0c2d5fd0 100644
Binary files a/static/img/cse/signal-list-area.png and b/static/img/cse/signal-list-area.png differ
diff --git a/static/img/cse/signal-list.png b/static/img/cse/signal-list.png
index f3e14f523f..8e07897099 100644
Binary files a/static/img/cse/signal-list.png and b/static/img/cse/signal-list.png differ
diff --git a/static/img/cse/sources.png b/static/img/cse/sources.png
index 1dc89d690b..ad76354faf 100644
Binary files a/static/img/cse/sources.png and b/static/img/cse/sources.png differ
diff --git a/static/img/cse/status-dropdown.png b/static/img/cse/status-dropdown.png
index 8c64dceb44..636af47dba 100644
Binary files a/static/img/cse/status-dropdown.png and b/static/img/cse/status-dropdown.png differ
diff --git a/static/img/cse/suppressed-entities-page.png b/static/img/cse/suppressed-entities-page.png
index 3a146d77db..d0faae2f8e 100644
Binary files a/static/img/cse/suppressed-entities-page.png and b/static/img/cse/suppressed-entities-page.png differ
diff --git a/static/img/cse/suppressed-list.png b/static/img/cse/suppressed-list.png
index ed371606db..1cbeef350d 100644
Binary files a/static/img/cse/suppressed-list.png and b/static/img/cse/suppressed-list.png differ
diff --git a/static/img/cse/suppressed-lists.png b/static/img/cse/suppressed-lists.png
index c5cca92b3f..086f285318 100644
Binary files a/static/img/cse/suppressed-lists.png and b/static/img/cse/suppressed-lists.png differ
diff --git a/static/img/cse/syslog-delimiters.png b/static/img/cse/syslog-delimiters.png
index 18d19e7d73..49366db45f 100644
Binary files a/static/img/cse/syslog-delimiters.png and b/static/img/cse/syslog-delimiters.png differ
diff --git a/static/img/cse/tag-a-rule.png b/static/img/cse/tag-a-rule.png
index 1e23870c2b..b105251ed4 100644
Binary files a/static/img/cse/tag-a-rule.png and b/static/img/cse/tag-a-rule.png differ
diff --git a/static/img/cse/tag-action-menu.png b/static/img/cse/tag-action-menu.png
index 7231f69344..5f2da8fba5 100644
Binary files a/static/img/cse/tag-action-menu.png and b/static/img/cse/tag-action-menu.png differ
diff --git a/static/img/cse/tag-an-entity.png b/static/img/cse/tag-an-entity.png
index e596cf7d3a..bf942cf15e 100644
Binary files a/static/img/cse/tag-an-entity.png and b/static/img/cse/tag-an-entity.png differ
diff --git a/static/img/cse/tag-an-insight.png b/static/img/cse/tag-an-insight.png
index f5949d66cc..c332fc1260 100644
Binary files a/static/img/cse/tag-an-insight.png and b/static/img/cse/tag-an-insight.png differ
diff --git a/static/img/cse/tag-list-1.png b/static/img/cse/tag-list-1.png
index 75ae0acde5..40d228847d 100644
Binary files a/static/img/cse/tag-list-1.png and b/static/img/cse/tag-list-1.png differ
diff --git a/static/img/cse/tag-options.png b/static/img/cse/tag-options.png
index db57089ad3..d79cc091f3 100644
Binary files a/static/img/cse/tag-options.png and b/static/img/cse/tag-options.png differ
diff --git a/static/img/cse/tag-schema-empty.png b/static/img/cse/tag-schema-empty.png
new file mode 100644
index 0000000000..6a4e100630
Binary files /dev/null and b/static/img/cse/tag-schema-empty.png differ
diff --git a/static/img/cse/tags-field.png b/static/img/cse/tags-field.png
index c35660acce..13ff70572d 100644
Binary files a/static/img/cse/tags-field.png and b/static/img/cse/tags-field.png differ
diff --git a/static/img/cse/tags-to-add.png b/static/img/cse/tags-to-add.png
index 6ba64f2da2..2b9b0e3484 100644
Binary files a/static/img/cse/tags-to-add.png and b/static/img/cse/tags-to-add.png differ
diff --git a/static/img/cse/target-column-selector.png b/static/img/cse/target-column-selector.png
index f3e7893783..fa618ea91c 100644
Binary files a/static/img/cse/target-column-selector.png and b/static/img/cse/target-column-selector.png differ
diff --git a/static/img/cse/taxii-feed-option.png b/static/img/cse/taxii-feed-option.png
index 866150a7e1..e81f53222c 100644
Binary files a/static/img/cse/taxii-feed-option.png and b/static/img/cse/taxii-feed-option.png differ
diff --git a/static/img/cse/then-create.png b/static/img/cse/then-create.png
index 3f46cfbc9e..6779dee075 100644
Binary files a/static/img/cse/then-create.png and b/static/img/cse/then-create.png differ
diff --git a/static/img/cse/threatq-add-source.png b/static/img/cse/threatq-add-source.png
index 2c16d00018..9c0fc2e8f9 100644
Binary files a/static/img/cse/threatq-add-source.png and b/static/img/cse/threatq-add-source.png differ
diff --git a/static/img/cse/threatq-create-icon.png b/static/img/cse/threatq-create-icon.png
index 50622e0430..ad23ad8767 100644
Binary files a/static/img/cse/threatq-create-icon.png and b/static/img/cse/threatq-create-icon.png differ
diff --git a/static/img/cse/thresh-rule-edits.png b/static/img/cse/thresh-rule-edits.png
index 03d6792303..fb3389c377 100644
Binary files a/static/img/cse/thresh-rule-edits.png and b/static/img/cse/thresh-rule-edits.png differ
diff --git a/static/img/cse/timeline-records.png b/static/img/cse/timeline-records.png
index 8ccb82567a..d7a510902a 100644
Binary files a/static/img/cse/timeline-records.png and b/static/img/cse/timeline-records.png differ
diff --git a/static/img/cse/top-bit.png b/static/img/cse/top-bit.png
index 97d07f914e..2699c37798 100644
Binary files a/static/img/cse/top-bit.png and b/static/img/cse/top-bit.png differ
diff --git a/static/img/cse/tuning-checkbox.png b/static/img/cse/tuning-checkbox.png
index 32338816bc..2d116203cc 100644
Binary files a/static/img/cse/tuning-checkbox.png and b/static/img/cse/tuning-checkbox.png differ
diff --git a/static/img/cse/tuning.png b/static/img/cse/tuning.png
index 360238d469..8e0ee17a93 100644
Binary files a/static/img/cse/tuning.png and b/static/img/cse/tuning.png differ
diff --git a/static/img/cse/update-criticalities.png b/static/img/cse/update-criticalities.png
index 344c31f680..52ff9f04de 100644
Binary files a/static/img/cse/update-criticalities.png and b/static/img/cse/update-criticalities.png differ
diff --git a/static/img/cse/update-options.png b/static/img/cse/update-options.png
index 760114f408..6506c5075c 100644
Binary files a/static/img/cse/update-options.png and b/static/img/cse/update-options.png differ
diff --git a/static/img/cse/values.png b/static/img/cse/values.png
index 219c5c2ab9..95c587defd 100644
Binary files a/static/img/cse/values.png and b/static/img/cse/values.png differ
diff --git a/static/img/cse/windows.png b/static/img/cse/windows.png
index 994a454a97..4a2f8d6b0f 100644
Binary files a/static/img/cse/windows.png and b/static/img/cse/windows.png differ
diff --git a/static/img/cse/winlogbeats.png b/static/img/cse/winlogbeats.png
index 856ab42ce3..7089e4bcf2 100644
Binary files a/static/img/cse/winlogbeats.png and b/static/img/cse/winlogbeats.png differ
diff --git a/static/img/cse/workflow-page.png b/static/img/cse/workflow-page.png
index 2ec65f49f0..9898de2f9b 100644
Binary files a/static/img/cse/workflow-page.png and b/static/img/cse/workflow-page.png differ