Merged
13 changes: 7 additions & 6 deletions docs/cse/administration/create-a-custom-tag-schema.md
Expand Up @@ -13,7 +13,7 @@ This topic has instructions for creating a custom tag schema in Cloud SIEM. 

Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: *keyword tags*, which are arbitrary, freeform strings; and *schema keys*, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.

<img src={useBaseUrl('img/cse/built-in-tags.png')} alt="Built-in schema keys" style={{border: '1px solid gray'}} width="400"/>
<img src={useBaseUrl('img/cse/built-in-tags.png')} alt="Built-in schema keys" style={{border: '1px solid gray'}} width="800"/>

Schema tags can enforce specific tag values and prevent confusion from variations in tag values. For example, you might want to ensure the use of standard server identifiers, such as “FinanceServer”, rather than “Server-Finance” or “Finance_Server”. 

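Review bot: the width on `built-in-tags.png` goes up from 400 to 800 here, while the next hunk in this same file takes `tag-schema-empty.png` and `mitre-link.png` down to 400; the topic should settle on one screenshot width rather than moving images in opposite directions. While this paragraph is being touched, the context line still says "built-in schemas keys", which should read "built-in schema keys".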
Expand All @@ -22,8 +22,8 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
## Define a custom tag schema

1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Tag Schemas**.<br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Tag Schemas**. You can also click the **Go To...** menu at the top of the screen and select **Tag Schemas**.
1. On the **Tag Schemas** page, click **Create**. <br/><img src={useBaseUrl('img/cse/tag-schemas-page.png')} alt="Tag schemas page" style={{border: '1px solid gray'}} width="800"/>
1. The **Tag Schema** popup appears. The screenshot below shows a previously configured tag schema. <br/><img src={useBaseUrl('img/cse/tag-schema-filled-in.png')} alt="Example tag schema" style={{border: '1px solid gray'}} width="800"/>
1. On the **Tag Schemas** page, click **Create**. <br/><img src={useBaseUrl('img/cse/tag-schema-empty.png')} alt="Create tag schema" style={{border: '1px solid gray'}} width="400"/>
1. The **Tag Schema** popup appears.
1. **Key**. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the **Label** field blank.
1. **Label**. Enter a label for the tag. If you supply a label, that’s what will appear in the UI for assigning tags to a content item.
1. **Content Types**. Select the types that you want the tag to be
Expand All @@ -33,6 +33,7 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
* **Entity** The options do not include **Signal** or **Insight**. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
1. **Allow Custom Values**. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the **Value Options** section below.
1. **Value Options**. If **Allow Custom Values** is not checked, you must define at least one value for the tag:
* **Value**. Enter an allowable value for the tag.
* **Label**. Enter a label for the value.
* **Link** (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the **Tactic:TA0002** to associated information on the MITRE site. <br/><img src={useBaseUrl('img/cse/mitre-link.png')} alt="Example MITRE link" style={{border: '1px solid gray'}} width="800"/>
* **Enter Value**. Enter an allowable value for the tag.
* **Enter Label**. Enter a label for the value.
* **Enter Link** (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the **Tactic:TA0002** to associated information on the MITRE site. <br/><img src={useBaseUrl('img/cse/mitre-link.png')} alt="Example MITRE link" style={{border: '1px solid gray'}} width="400"/>

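Review bot: renaming the **Value Options** bullets from **Value**/**Label**/**Link** to **Enter Value**/**Enter Label**/**Enter Link** makes each bullet read like the field's placeholder text, and the sentence that follows ("Enter an allowable value for the tag.") then repeats it; if the goal is to match the dialog, keep the field name as the bullet and quote the placeholder once, otherwise the next change to the UI strings leaves the doc out of sync. Also, step 3 now says only "The **Tag Schema** popup appears." directly after step 2's screenshot of that empty dialog, so the two steps could be merged.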
32 changes: 16 additions & 16 deletions docs/cse/administration/create-cse-actions.md
Expand Up @@ -52,8 +52,8 @@ You can configure an Action to send information about an Insight to another syst
What gets sent to the target system depends on the Action type. For some types—Slack, Microsoft Teams, and PagerDuty—the notification contains a summary of the Insight with the following information:

* The Entity the Insight fired on.
* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to. In the example below, the “Initial Access” tactic is shown.
* A link to the Insight in Cloud SIEM. <br/><img src={useBaseUrl('img/cse/received-email.png')} alt="Example notification" width="600" />
* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
* A link to the Insight in Cloud SIEM.

For the other Action types—AWS Simple Notification Service (SNS), Demisto (Cortex XSOAR), HTTP POST v2, and Slack Webhook—the notification includes the Insight itself in JSON format, and in some cases Signals or Records, depending on how you configure the Action.

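Review bot: dropping the "Initial Access" sentence and the screenshot leaves the MITRE bullet with no illustration of how the tactic appears in a summary notification; a short textual example of the Insight ID fragment the bullet refers to would restore that without an image. The removed screenshot (`received-email.png`) showed an email notification, which is not one of the three types (Slack, Microsoft Teams, PagerDuty) this paragraph lists, so removing it also fixes a mismatch between text and figure.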
Expand Down Expand Up @@ -92,9 +92,11 @@ The notification sent by a Rule Action contains the name of the rule and the re
* **Rule**. Click **When Automatically Disabled** to generate a notification when Cloud SIEM disables a rule.
1. **Active**. Move the slider to the right if you’d like the Action to be enabled upon creation.

Continue filling out the dialog box depending on the type of action you are creating.

### AWS Simple Notification Service (SNS)

When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to SNS.
When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to the AWS Simple Notification Service (SNS).

You can configure the action to authenticate with SNS using your AWS Access Key and Secret Access Key, or using the **AssumeRole** method.

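Review bot: the rewording to "to the AWS Simple Notification Service (SNS)" duplicates the expansion the section heading two lines above already gives; "to SNS" was fine here. The new bridging sentence "Continue filling out the dialog box depending on the type of action you are creating." is useful, but it would be clearer if it said that the remaining fields in the dialog vary by the Action type chosen, since it follows the **Active** step that reads like the end of the common part.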
Expand All @@ -103,7 +105,7 @@ You can configure the action to authenticate with SNS using your AWS Access Key
1. **Assume Role ARN**. Enter the AssumeRole ARN, if that's how you want to authenticate. Enter the Sumo Logic AWS account ID. For the Sumo Logic ID, see [Create a role manually using the AWS console](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product#create-a-role-manually-using-the-aws-console).
1. **Topic ARN**. Enter the ARN of the SNS topic.
1. **Region**. Enter the AWS region for the SNS topic. 
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/sns.png')} alt="AWS simple notification service action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

### Demisto (Cortex XSOAR)

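Review bot: the **Assume Role ARN** step runs two different things together: "Enter the AssumeRole ARN" is the value for this field, while "Enter the Sumo Logic AWS account ID" belongs to configuring the role's trust in the linked AWS-console instructions, not to this dialog. Splitting it into "The role must trust the Sumo Logic AWS account ID; see ..." avoids readers pasting an account ID into the ARN field. Since the section presents long-lived access keys and AssumeRole as equal alternatives, it would also help to say that AssumeRole avoids storing a Secret Access Key in Cloud SIEM.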
Expand All @@ -115,14 +117,14 @@ When you run this Action type for an Insight, Cloud SIEM sends the full Insight
1. **Create Incident API Endpoint**. Select `/incident/json`.
1. **Extra Headers**. Enter any additional headers you want to send, as line-delimited key:value pairs.
1. **Exclude Records**. Move the slider to the right if you don’t want to include Records in the notification.
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/demisto-action.png')} alt="Example Demisto action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

### Email

This Action type sends an email notification.

1. **Recipients**. Enter a comma-separated list of the email addresses to send the notification to.
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/email-action.png')} alt="Example email action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

When this Action runs on an Insight, the email notification contains:

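Review bot: with the Demisto screenshot gone, "line-delimited key:value pairs" is the only guidance on the **Extra Headers** format; one concrete line (for example `X-Example-Header: value`, one header per line, with the name and value being illustrative) would settle whether the separator is a bare colon or colon-space. The Email section lost its screenshot too, but the comma-separated **Recipients** sentence stands on its own.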
Expand All @@ -149,7 +151,7 @@ in Cloud SIEM.
1. **Include Signals**. Move the slider to the right to send the Signals associated with the Insight in the POST. 
1. **Include Records**. Move the slider to the right to send the Records associated with the Signal in the POST. 
1. **Record Fields to Include**. If desired, provide a comma-delimited list of selected Record fields to include (instead of all Record fields).
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/http-post-v2.png')} alt="Example HTTP Post V2 action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

### Microsoft Teams

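Review bot: the **Include Records** step says "the Records associated with the Signal" while the step before it says "the Signals associated with the Insight"; an Insight carries several Signals, so this should read "associated with those Signals" (or "each Signal"). Otherwise removing the screenshot here loses nothing the steps do not already state.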
Expand All @@ -162,15 +164,15 @@ Create a Webhook connection for the Microsoft Teams channel to which emails shou
#### Configure Action in Cloud SIEM

1. **URL**. Enter the URL for the Webhook connection you created above. 
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/microsoft-teams.png')} alt="Example Microsoft Teams action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

### PagerDuty

This Action types sends a notification to PagerDuty.

1. **Service Key**. Enter your PagerDuty service key.
1. **Subdomain**. Enter your PagerDuty account subdomain.
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/pagerduty.png')} alt="Example PagerDuty action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

The notification contains:

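Review bot: "This Action types sends a notification to PagerDuty." should read "This Action type sends"; the Email section above uses the singular, so this is a stray typo in context worth fixing while the PagerDuty steps are edited. The screenshot removals in this hunk are fine: the Teams and PagerDuty dialogs are fully described by the **URL**, **Service Key** and **Subdomain** steps.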
Expand All @@ -192,29 +194,27 @@ Lookups will consume RF API credits.
1. On the **Generate New Token** page:
1. **Name**. Enter a name for the token. 
1. **Integration**. Select “Sumologic” from the list of integrations.
1. Click **Generate**. <br/><img src={useBaseUrl('img/cse/rf-api-token.png')} alt="Generate New API token dialog" style={{border: '1px solid gray'}} width="400" />
1. Click **Generate**.
1. Copy and save the token.

#### Create Action in Cloud SIEM

1. **API Key**. Enter the Recorded Future API token you generated for the Sumo Logic integration. 
1. **Enrich Insights**. Move the slider to the right to enrich Insights.
1. **Enrich Signals of Insights**. Move the slider to the right to enrich Signals.
1. Click **Create**.<br/><img src={useBaseUrl('img/cse/recorded-future.png')} alt="Example recorded Future action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

####  View Recorded Future Enrichments

To view an Enrichment that’s been added to an Insight or Signal, navigate to the item and select the **Enrichments** tab.

<img src={useBaseUrl('img/cse/rf-enrichments.png')} alt="Example recorded Future enrichments" style={{border: '1px solid gray'}} width="600" />
To view an Enrichment that’s been added to an Insight or Signal, navigate to the item and select the [**Enrichments**](/docs/cse/integrations/enrichments-and-indicators/#enrichments) tab.

### Slack

This Action type sends a message to a Slack channel.

1. **API Key**. Enter your Slack API key.
1. **Channel**. Enter the Slack Channel that messages should go to.
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/slack.png')} alt="Example Slack action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.

If the Action was run on an Insight, the message contains:

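Review bot: "Copy and save the token." should say where: the token is pasted once into the **API Key** field and lookups made with it consume RF API credits, so the doc should steer readers to a secrets manager rather than a shared note. Two smaller points: the heading `####  View Recorded Future Enrichments` has a doubled space after the hashes, and the new link to the Enrichments tab is a good replacement for the removed `rf-enrichments.png` screenshot.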
Expand All @@ -233,4 +233,4 @@ Create a Webhook connection for the Slack channel to which Insights should be se
#### Configure Action in Cloud SIEM

1. **Webhook URL**. Enter the URL of the Webhook you created above.
1. Click **Create**. <br/><img src={useBaseUrl('img/cse/slack-webhook.png')} alt="Example Slack webhook action" style={{border: '1px solid gray'}} width="500" />
1. Click **Create**.
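Review bot: the **Webhook URL** step deserves the same care the Slack section gives its **API Key**: an incoming webhook URL is a credential in itself (anyone holding it can post to the channel), so a short note to treat it as a secret fits here. Removing `slack-webhook.png` is fine since the single URL field is self-explanatory.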
4 changes: 0 additions & 4 deletions docs/cse/administration/create-cse-context-actions.md
Expand Up @@ -107,10 +107,6 @@ The only required parameter in the URL is `{{value}}`. Depending on your use cas

`https://www.criminalip.io/asset/report/{{value}}`

For example:

<img src={useBaseUrl('img/cse/context-action-criminal-ip-example.png')} alt="Criminal IP context action example" style={{border: '1px solid gray'}} width="500"/>

## Template parameters for Context Actions

The table below defines the parameters you can use in the URL template for a Context Action.
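Review bot: with the "For example:" screenshot removed, the URL template is the only illustration left; a one-line rendered example (the template with a sample value substituted for `{{value}}`) would replace it without an image. The text should also state whether the substituted value is URL-encoded, since entity values such as URLs or hostnames containing reserved characters would otherwise produce a malformed link.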
12 changes: 6 additions & 6 deletions docs/cse/administration/create-custom-threat-intel-source.md
Expand Up @@ -42,17 +42,17 @@ Rule authors can also write rules that look for threat intelligence information
### Create a threat intelligence source from Cloud SIEM UI

1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
1. Click **Add Source** on the **Threat Intelligence** page. <br/><img src={useBaseUrl('img/cse/threat-intel-page2.png')} alt="Threat Intelligence page" width="800"/>
1. Click **Custom** on the **Add Source** popup. <br/><img src={useBaseUrl('img/cse/custom-button.png')} alt="Custom button" width="600"/>
1. On the **Add New Source** popup, enter a name, and if desired, a description for the source. <br/><img src={useBaseUrl('img/cse/add-custom-source.png')} alt="Add new source" width="600"/>
1. Click **Add Source** on the **Threat Intelligence** page.
1. Click **Custom** on the **Add Source** popup.
1. On the **Add New Source** popup, enter a name, and if desired, a description for the source.
1. Click **Add Custom Source**.

Your new source should now appear on the **Threat Intelligence** page.

### Enter indicators manually

1. On the **Threat Intelligence** page, click the name of the source you want to update. <br/><img src={useBaseUrl('img/cse/click-name.png')} alt="List of sources" width="800"/>
1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**. <br/><img src={useBaseUrl('img/cse/threat-details.png')} alt="List of indicators" width="800"/>
1. On the **Threat Intelligence** page, click the name of the source you want to update.
1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**.
1. On the **New Threat Intelligence Indicator** popup.
1. **Value**. Enter an IP address, hostname, URL, or file hash.
Your entry must be one of:
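Review bot: the step "On the **New Threat Intelligence Indicator** popup." is a fragment and should end with a colon, since it introduces the **Value** sub-steps that follow. The four screenshot removals in this hunk are fine because each step already names the button or page it refers to.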
Expand All @@ -72,7 +72,7 @@ Your new source should now appear on the **Threat Intelligence** page.
### Upload a file of indicators 

If you have a large number of indicators to add to your source, you can
save time by creating a .csv file and uploading it to Cloud SIEM. <br/><img src={useBaseUrl('img/cse/import-indicators.png')} alt="'Import Indicators from CSV' dialog" width="400"/>
save time by creating a .csv file and uploading it to Cloud SIEM.

#### Create a CSV file

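Review bot: the removed image's alt text ("'Import Indicators from CSV' dialog") was the only place that named the control the reader has to find; the remaining sentence says "uploading it to Cloud SIEM" without saying where. Name the button or menu item in the text so the instruction survives without the screenshot.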
6 changes: 4 additions & 2 deletions docs/cse/administration/create-use-network-blocks.md
Expand Up @@ -61,8 +61,6 @@ In the case that the two or more Network Blocks overlap, Cloud SIEM uses the sma

When Cloud SIEM looks for the Network Block address `10.128.0.1`, it will return the more-specific block, "WebServer IPs".

<img src={useBaseUrl('img/cse/overlapping-network-blocks.png')} alt="Overlapping network blocks" style={{border: '1px solid gray'}} width="400"/>

## Create a Network Block manually

Follow these instructions to create a Network Block using the Cloud SIEM UI. For information about creating multiple Network Blocks by file upload, see [Upload a CSV file of Network Blocks](#upload-a-csv-file-of-network-blocks).
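Review bot: the sentence about `10.128.0.1` resolving to "WebServer IPs" relied on the removed screenshot to show the two overlapping blocks; without it, the name "WebServer IPs" and the more specific range it covers are never stated. A two-row table (block name and CIDR for each block) would carry the same information in text.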
Expand Down Expand Up @@ -118,13 +116,17 @@ In the table below, the left column contains schema fields that contain IP addre
| `srcDevice_ip `| `srcDevice_ip_location` | `srcDevice_ip_isInternal` |
| `srcDevice_natIp` | `srcDevice_natIp_location` | `srcDevice_natIp_isInternal` |

<!-- Can't reproduce the screenshot

The screenshot below shows a Record that contains several Network Block-related enrichment fields. Note that:

* `dstDevice_ip_isInternal` and `srcDevice_ip_isInternal` indicate that the `dstDevice_ip` and `srcDevice_ip` are both in Network Blocks that are marked Internal.
* `srcDevice_ip_location` indicates that `srcDevice_ip` is in the “test_internal” Network Block.

<img src={useBaseUrl('img/cse/record.png')} alt="Example enrichment fields" style={{border: '1px solid gray'}} width="600"/>

-->

## Using enrichment fields

You can use the `*_location` and `*_isInternal` fields the same way you do other Record fields. You can use them to filter Records in rule expressions or in searches. 
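Review bot: wrapping the whole Record example in `<!-- Can't reproduce the screenshot -->` also hides the two bullets explaining `*_isInternal` and `*_location`, which do not depend on the image; keep those bullets (reworded without "The screenshot below") and comment out only the `<img>`. Two cautions: if this site builds with MDX 2 or later, HTML comments are not valid MDX and `{/* ... */}` is needed instead; and the context table cell `` `srcDevice_ip ` `` has a stray space before the closing backtick.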
2 changes: 1 addition & 1 deletion docs/cse/administration/filter-search.md
Expand Up @@ -11,7 +11,7 @@ keywords:

import useBaseUrl from '@docusaurus/useBaseUrl';

You can filter and search the list pages in Cloud SIEM—**Insights**, **Signals**, **Entities**, **Records**, **Rules**, and **Network Blocks**—using the **Filter** bar near the top of the page.
You can filter and search the list pages in Cloud SIEM—**Insights**, **Signals**, **Entities**, **Records**, **Rules**, and **Network Blocks**—using the **Filters** bar near the top of the page.

<img src={useBaseUrl('img/cse/list-page-search.png')} alt="Filters box at the top of the page " width="500" />

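Review bot: the **Filter** to **Filters** rename now matches the alt text on the screenshot below it; while here, that alt text (`"Filters box at the top of the page "`) carries a trailing space inside the attribute that should be trimmed.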