diff --git a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
index eb6372cef7..a648ddfeb4 100644
--- a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
+++ b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
@@ -23,7 +23,7 @@ Cloud SIEM displays insights and the signals attached to them in the Cloud SIEM
### List view
-This screenshot shows the **Insights** page in List view.
+This screenshot shows the **Insights** page in list view.
@@ -39,7 +39,7 @@ Here’s one row from the List view. The numbered definitions below correspond t
1. **Global Confidence**. If sufficient data is available, a [Global Confidence score](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight is shown.
1. **Assignee**. The analyst assigned to the Incident.
1. The [MITRE ATT&CK](https://attack.mitre.org/) tactics and techniques exhibited by the insight.
-1. **Severity**. The severity of the insight. The value is a function of the configured Entity Activity Score threshold for insight generation. For more information, see [About Insight Severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process#about-insight-severity).
+1. **Severity**. The severity of the insight. The value is a function of the configured entity activity score threshold for insight generation. For more information, see [About insight severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process#about-insight-severity).
1. **Entity**. The entity associated with the insight.
1. **Signal Data**. This area has three bits of information:
* The count of signals that caused the insight to be created.
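Review bot: the hunk header context `Here's one row from the List view` still uses capital `List view` while this same change lowercases it in `This screenshot shows the **Insights** page in list view` just above; lowercase the unchanged line 39 too so the page is consistent. Also, the unchanged item `**Assignee**. The analyst assigned to the Incident.` both capitalizes `Incident` and uses a term no other item in this list uses (every other item describes the insight); confirm whether this should read `the insight`.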
@@ -62,7 +62,7 @@ You can switch back to the list view by clicking the **Show List** icon, near th
You can use the **Filters** area near the top of the page to narrow down the insights that appear on the insights page. You can filter by:
* Assignee
-* [Custom Resolution](/docs/cse/administration/manage-custom-insight-resolutions/)
+* [Custom resolution](/docs/cse/administration/manage-custom-insight-resolutions/)
* Created
* Entity
* Event Time
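Review bot: `Custom resolution` is lowercased here while the neighbouring filter names in the same list (`Assignee`, `Created`, `Entity`, `Event Time`) keep their capitals; if these bullets mirror the labels shown in the **Filters** area of the UI, they should all follow the UI's casing rather than the prose convention, so either keep `Custom Resolution` or confirm that the UI label itself is lowercase.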
@@ -91,7 +91,7 @@ The left pane of the insight details page displays detailed information about th
-1. **Actions.** The [Insight Actions](/docs/cse/administration/create-cse-actions#insight-actions) defined in your environment.
+1. **Actions.** The [insight actions](/docs/cse/administration/create-cse-actions#insight-actions) defined in your environment.
1. **Close Insight.** Use this option to close an insight. When you click this option, you’re prompted to select an insight resolution.
1. **Delete Icon.** Use this option to delete an insight. You’ll be prompted to confirm your choice.
1. **Status.** Current status of the insight.
@@ -138,7 +138,7 @@ Below the signal timeline, you’ll see a list of signals. By default, only atta
-1. **Remove** button. Removes multiple signals selected with the checkbox. You cannot select all signals for removal. If you do, the **Remove** button is disabled and this message appears when you hover over it with your mouse: **Bulk removal of signals is disabled as a minimum of 1 signal must be attached to the Insight. Deselect 1 or more signals to enable bulk removal.**
+1. **Remove** button. Removes multiple signals selected with the checkbox. You cannot select all signals for removal. If you do, the **Remove** button is disabled and this message appears when you hover over it with your mouse: **Bulk removal of signals is disabled as a minimum of 1 signal must be attached to the insight. Deselect 1 or more signals to enable bulk removal.**
1. **Checkbox**. Click to select multiple signals for removal.
1. **Signal name**. Click to view signal details.
1. **Remove** button. Removes an individual signal.
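Review bot: the bold text in the `**Remove** button` item is presented as the literal hover message shown by the product (`this message appears when you hover over it with your mouse`), so `Insight` should only become `insight` inside it if the product string actually reads that way; otherwise the docs quote a message that no longer matches what the analyst sees. Verify the UI string, or exclude quoted UI text from the casing pass.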
@@ -255,8 +255,8 @@ When you select an entity on the page, the right pane displays details about tha
* Geographic location
* Suppression Status
* Tags
-* [Entity Criticality](/docs/cse/records-signals-entities-insights/entity-criticality), if it is set to something other than the default
-* Metadata such as geographic location, Inventory information, the [Network Blocks](/docs/cse/administration/create-use-network-blocks) it falls within, as applicable, and so on.
+* [Entity criticality](/docs/cse/records-signals-entities-insights/entity-criticality), if it is set to something other than the default
+* Metadata such as geographic location, Inventory information, the [network blocks](/docs/cse/administration/create-use-network-blocks) it falls within, as applicable, and so on.
* A signal graph if the entity was the primary entity in any signals during the detection window (time/date is the horizontal axis and severity of each signal is the vertical axis; the icon/color for each point depends on the signal type)
* Lists of the recent signals and insights the entity has been associated with, and links to each object’s details page.
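Review bot: the casing pass is incomplete in this list: `Suppression Status` and `Inventory information` keep their capitals while `Entity criticality` and `network blocks` are lowercased in the same bullets. Separately, `Geographic location` already appears as its own bullet at the top of the list, so the `Metadata such as geographic location, ...` bullet repeats it; consider dropping one of the two mentions.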
diff --git a/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md b/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
index a44af49b0c..7cd9eeb8d6 100644
--- a/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
+++ b/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
@@ -7,7 +7,7 @@ description: The Cloud SIEM Content Catalog shows the out-of-the-box Rules, Sche
import useBaseUrl from '@docusaurus/useBaseUrl';
-The Cloud SIEM Content Catalog is a public GitHub repository of Cloud SIEM's Rules, Schema, Mappings, and Parsers. This repository serves as a single place to view Cloud SIEM content in both markdown form and CSVs. This catalog is automatically generated based on content included out-of-the-box as it is released.
+The Cloud SIEM Content Catalog is a public GitHub repository of Cloud SIEM's rules, schema, mappings, and parsers. This repository serves as a single place to view Cloud SIEM content in both markdown form and CSVs. This catalog is automatically generated based on content included out-of-the-box as it is released.
Access the Cloud SIEM Content Catalog here:
[https://github.com/SumoLogic/cloud-siem-content-catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md)
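Review bot: the frontmatter `description` visible in the hunk header (`out-of-the-box Rules, Sche...`) still capitalizes the terms this change lowercases in the body, so the page description and body will disagree; update the frontmatter in the same commit. Also, the link `[https://github.com/SumoLogic/cloud-siem-content-catalog](...blob/master/README.md)` displays the repository root URL but points at `README.md`; make the visible text and the target agree.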
diff --git a/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md b/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
index 16af5a85d6..d5bf4db534 100644
--- a/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
+++ b/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
@@ -35,10 +35,10 @@ The classic UI is the traditional way to navigate in Sumo Logic. For more inform
This menu appears at the top of the Cloud SIEM screen:
Use the top menu to access:
-*
[**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
-*
[**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
-*
[**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
-*
[**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+*
[**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+*
[**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View signals, indicators for events of interest that fire when rule conditions are met.
+*
[**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+*
[**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View records, collections of normalized data created from a message.
*
[**Content**](#content-menu). Create Cloud SIEM content, such as rules.
*
[**Configuration**](#configuration-menu). Configure Cloud SIEM.
*
**Help**. Access feature guides, documentation, release notes, and system status.
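Review bot: in this hunk each `*` bullet marker sits on its own line with the `[**Insights**](...)` link text on the following line; if that is how the Markdown is stored, rather than an artefact of how the diff is rendered, the list renders as empty bullets followed by separate paragraphs. Put the marker and its text on one line, as in `* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, ...`, the way the other lists in this patch are written.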
@@ -55,9 +55,9 @@ Use the **Content** menu to access:
* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
* [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
-* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom insights, methods to generate insights on some basis other than entity Activity Scores.
* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
-* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress signal generation.
* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
#### Configuration menu
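Review bot: `entity Activity Scores` in the `**Custom Insights**` item is only half-lowercased: `Entity` became `entity` but `Activity Scores` kept its capitals, which reads as a typo. The about-cse-insight-ui.md change in this same patch uses `entity activity score`; use that form here.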
@@ -66,20 +66,20 @@ The **Configuration** menu allows you to configure Cloud SIEM. To access this me
Use the **Configuration** menu to access:
* **Incoming Data**
- * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+ * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a record from the key-value pairs extracted from messages.
* **Entities**
- * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules.
- * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
+ * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of entities that can be used in rules.
+ * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in records during the parsing and mapping process.
* [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
- * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+ * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of signals for specific entities based on some risk factor or other consideration.
* **Workflow**
- * [**Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
- * [**Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
- * [**Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
- * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
+ * [**Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the insight detection threshold.
+ * [**Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom insight statuses.
+ * [**Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom insight resolutions.
+ * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to insights, signals, entities, and rules.
* **Integrations**
- * [**Sumo Logic**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Configure mapping of message fields to Record attributes.
- * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
+ * [**Sumo Logic**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Configure mapping of message fields to record attributes.
+ * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record.
* [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
* [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
* [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
@@ -93,22 +93,22 @@ The new UI provides a streamlined way to navigate in Sumo Logic. For more inform
Click **Cloud SIEM** in the main Sumo Logic menu to open the sidebar menu.
Use the **Cloud SIEM** sidebar menu to access:
-* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
+* **Search Cloud SIEM**. Search for [insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
* **Security Events**
* [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
- * [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
- * [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
- * [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
- * [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+ * [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+ * [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View signals, indicators for events of interest that fire when rule conditions are met.
+ * [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+ * [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View records, collections of normalized data created from a message.
* **Security Detection**
* [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
* [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
* [**Match List**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
- * [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+ * [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom insights, methods to generate insights on some basis other than entity Activity Scores.
* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules
- * [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+ * [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress signal generation.
* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
#### Top menu
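Review bot: the same half-lowercased `entity Activity Scores` appears in the `**Custom Insights**` item of this hunk; make it `entity activity scores` to match the form used in about-cse-insight-ui.md. The unchanged `**Network Blocks**` item in this hunk is also missing its trailing period (`that you can use in rules`), unlike the identical item in the classic UI list earlier in the file.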
@@ -128,31 +128,31 @@ The **Go To...** menu allows you to launch Sumo Logic features, including for Cl
Use the **Go To...** menu to access these Cloud SIEM features:
* [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
-* [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
-* [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
-* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+* [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record.
+* [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of signals for specific entities based on some risk factor or other consideration.
+* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom insights, methods to generate insights on some basis other than entity Activity Scores.
* [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
* [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
-* [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+* [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
* [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
* [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
-* [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
-* [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
-* [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
-* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
-* [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+* [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the insight detection threshold.
+* [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom insight resolutions.
+* [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom insight statuses.
+* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+* [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a record from the key-value pairs extracted from messages.
* [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
* [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
* [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
-* [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
-* [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+* [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in records during the parsing and mapping process.
+* [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View records, collections of normalized data created from a message.
* [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
* [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
-* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
+* **Search Cloud SIEM**. Search for [insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
* [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
-* [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
-* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
-* [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
+* [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View signals, indicators for events of interest that fire when rule conditions are met.
+* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress signal generation.
+* [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to insights, signals, entities, and rules.
* [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
#### Configuration menu
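Review bot: `entity Activity Scores` in the `**Custom Insights**` item is again half-lowercased; fix it to `entity activity scores` together with the two other occurrences in this file so a later search-and-replace does not miss one.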
@@ -163,18 +163,18 @@ Use the **Configuration** menu to access:
* **Cloud SIEM Integrations**
* [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
- * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
- * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
+ * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a record from the key-value pairs extracted from messages.
+ * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record.
* [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
* [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
* [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
* **Cloud SIEM Entities**
- * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules.
- * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.
+ * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of entities that can be used in rules.
+ * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in records during the parsing and mapping process.
* [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
- * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+ * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of signals for specific entities based on some risk factor or other consideration.
* **Cloud SIEM Workflow**
- * [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
- * [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
- * [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
- * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
\ No newline at end of file
+ * [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the insight detection threshold.
+ * [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom insight statuses.
+ * [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom insight resolutions.
+ * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to insights, signals, entities, and rules.
\ No newline at end of file
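Review bot: both the removed and the added `**Tag Schemas**` lines carry `\ No newline at end of file`; since this change already rewrites the last line of cloud-siem-ui.md, add the trailing newline so the file ends cleanly and later diffs of this file do not keep carrying the marker.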
diff --git a/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md b/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
index 33266444db..7e45967d58 100644
--- a/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
+++ b/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
@@ -1,28 +1,28 @@
---
id: cse-heads-up-display
title: Cloud SIEM Heads Up Display
-description: Learn about Cloud SIEM's Heads Up Display (HUD), a UI that provides an at-a-glance overview of Insight status and activity.
+description: Learn about Cloud SIEM's Heads Up Display (HUD), a UI that provides an at-a-glance overview of insight status and activity.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic describes Cloud SIEM *Heads Up Display (HUD)*, the landing page for the Cloud SIEM UI. The HUD provides an at-a-glance overview of Insight status and activity.
+This topic describes Cloud SIEM *Heads Up Display (HUD)*, the landing page for the Cloud SIEM UI. The HUD provides an at-a-glance overview of insight status and activity.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM**.
[**New UI**](/docs/get-started/sumo-logic-ui). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM > SIEM Overview**. You can also click **Go To...** at the top of the screen and select **SIEM Overview**.
:::note
-Data on the HUD is generated by internal searches that may result in slightly different results than a [log search query](/docs/search/) for the same time period, because of the way each method calculates time periods. But these differences cancel out over time. So while there may be a small variance between numbers of Records, Signals, and Insights in a given time frame, the effect is only noticeable when viewing very small time slices, for example, under 30 minutes. If you need to get exact tracking for reporting or other use cases, use dashboards in apps like the [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/) app.
+Data on the HUD is generated by internal searches that may result in slightly different results than a [log search query](/docs/search/) for the same time period, because of the way each method calculates time periods. But these differences cancel out over time. So while there may be a small variance between numbers of records, signals, and insights in a given time frame, the effect is only noticeable when viewing very small time slices, for example, under 30 minutes. If you need to get exact tracking for reporting or other use cases, use dashboards in apps like the [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/) app.
:::
## HUD overview
-The left side of the HUD is a compact view of Insight activity and status in your environment. You can see the volume of Records being processed and how many Signals and Insights those Records result in. The HUD tells you how long it’s taking your team to spot, respond, and close Insights. You can see how many Insights are open, in progress, and closed. You can adjust the time range of the display depending on your interest.
+The left side of the HUD is a compact view of insight activity and status in your environment. You can see the volume of records being processed and how many signals and insights those records result in. The HUD tells you how long it’s taking your team to spot, respond, and close insights. You can see how many insights are open, in progress, and closed. You can adjust the time range of the display depending on your interest.
-The middle part of the HUD—the radar—visualizes the Record, Signal, and Insight volumes that are summarized on the left side of the page. It’s a circular timeline. The outer blue ring shows Record volume. Just inside the ring of Records is a histogram-like view of Signal volume. Nearest to the center are triangles that represent Insights. As you mouse around the radar, small popups provide a count of the Records, Signals, or Insights in that timeslice, depending on your focus.
+The middle part of the HUD—the radar—visualizes the record, signal, and insight volumes that are summarized on the left side of the page. It’s a circular timeline. The outer blue ring shows record volume. Just inside the ring of records is a histogram-like view of signal volume. Nearest to the center are triangles that represent insights. As you mouse around the radar, small popups provide a count of the records, signals, or insights in that timeslice, depending on your focus.
-The right side of the HUD contains a list of recent Insight activity. The card above the list shows key information about the latest new Insight with the highest severity.
+The right side of the HUD contains a list of recent insight activity. The card above the list shows key information about the latest new insight with the highest severity.
See the sections below for more details on each element of the HUD.
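Review bot: "timeslice" in the rewritten radar paragraph (the line beginning "+The middle part of the HUD") is inconsistent with "time slices" in the note a few lines above it; since that line is already being touched, use "time slice" in both places.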
@@ -31,7 +31,7 @@ See the sections below for more details on each element of the HUD.
## 1. Records / Signals / Insights
-This section shows the count of Records ingested, Signals fired, and Insights generated during the currently selected time range, along with the percentage change compared to the previous time period. For example, if the currently selected time range is 24 hours, the percentage change is compared to the counts for the 24 hours previous to that.
+This section shows the count of records ingested, signals fired, and insights generated during the currently selected time range, along with the percentage change compared to the previous time period. For example, if the currently selected time range is 24 hours, the percentage change is compared to the counts for the 24 hours previous to that.
The default time range is 24 hours. You can change the time range using the dropdown to the right of the currently selected time range; the options range from 4 hours to 7 days. When you change the time range, the counts and metrics in the left and middle columns of the HUD update accordingly.
@@ -39,45 +39,45 @@ The default time range is 24 hours. You can change the time range using the drop
The **Insight Metrics** section displays the following metrics for the currently selected time range:
-* **Detection**. The average period of time between when the first event happened (when the first Record in the Insight occurred) and when the Insight was generated, in days. (This differs from "dwell time", which is the time between when the first Record and the last Record occurred in an Insight.)
-* **Response**. The average response time, which is the average time between when an Insight was generated and when its status was set to **In Progress**, in seconds.
-* **Remediation**. The average remediation time, which is the average time between when the Insight was created and when its status was set to **Closed**, in seconds.
+* **Detection**. The average period of time between when the first event happened (when the first record in the insight occurred) and when the insight was generated, in days. (This differs from "dwell time", which is the time between when the first record and the last record occurred in an insight.)
+* **Response**. The average response time, which is the average time between when an insight was generated and when its status was set to **In Progress**, in seconds.
+* **Remediation**. The average remediation time, which is the average time between when the insight was created and when its status was set to **Closed**, in seconds.
-If you use an [HTTP POST V2 Action](/docs/cse/administration/create-cse-actions/) to send Insights to the Sumo Logic platform or another system, the Insight metrics are included in the Insight JSON object. The fields are `timeToDetection`, `timeToResponse` , and `timeToRemediation`.
+If you use an [HTTP POST V2 Action](/docs/cse/administration/create-cse-actions/) to send insights to the Sumo Logic platform or another system, the insight metrics are included in the insight JSON object. The fields are `timeToDetection`, `timeToResponse` , and `timeToRemediation`.
## 3. Insights by Status
-The **Insights by Status** section provides a quick view of what analysts are working on. The counts are a breakdown by current status of the Insights created during the currently selected time range. To create new statuses, see [Managing Custom Insight Statuses](/docs/cse/administration/manage-custom-insight-statuses/).
+The **Insights by Status** section provides a quick view of what analysts are working on. The counts are a breakdown by current status of the insights created during the currently selected time range. To create new statuses, see [Managing Custom Insight Statuses](/docs/cse/administration/manage-custom-insight-statuses/).
## 4. Insights created and closed
-This section contains a stacked bar chart that shows the count of Insights opened and closed over time during the time range. When you hover over a bar, you’ll see the breakdown.
+This section contains a stacked bar chart that shows the count of insights opened and closed over time during the time range. When you hover over a bar, you’ll see the breakdown.
-## 5. Insight Radar
+## 5. Insight radar
-In the middle of the display is the *Insight Radar*, the HUD’s key feature. The radar visualizes the volume of Records, Signals, and Insights over time in a bulls eye-like view. Like the panels on the left side of the HUD, the radar updates when you select a different time range. The radar automatically refreshes every 60 seconds.
+In the middle of the display is the *insight radar*, the HUD’s key feature. The radar visualizes the volume of records, signals, and insights over time in a bulls eye-like view. Like the panels on the left side of the HUD, the radar updates when you select a different time range. The radar automatically refreshes every 60 seconds.
-In the circular visualization the three outermost rings represent Records, Signals, and Insights.
+In the circular visualization the three outermost rings represent records, signals, and insights.
-The blue ring around the outside of the Radar represents Records. The selected time range is broken down into intervals, and as you hover over the outer border of the ring, traversing the time range, the count of Records created during each interval is displayed.
+The blue ring around the outside of the radar represents records. The selected time range is broken down into intervals, and as you hover over the outer border of the ring, traversing the time range, the count of records created during each interval is displayed.
-Within the blue ring is another ring that contains light blue bars, each of which represents the Signals that fired during a time interval. The height of a column corresponds to the number of Signals that fired. If no Signals fired during an interval, no column appears. As you hover over an interval, the count of Signals that fired is displayed. If you click a column, the **Signals** page appears, and displays the corresponding Signals.
+Within the blue ring is another ring that contains light blue bars, each of which represents the signals that fired during a time interval. The height of a column corresponds to the number of signals that fired. If no signals fired during an interval, no column appears. As you hover over an interval, the count of signals that fired is displayed. If you click a column, the **Signals** page appears, and displays the corresponding signals.
-The third ring contains triangles, each of which represents one or more Insights. As you hover over an interval, the count of Insights that fired is displayed. If you click a triangle, the Insights page appears, and displays the corresponding Insights.
+The third ring contains triangles, each of which represents one or more insights. As you hover over an interval, the count of insights that fired is displayed. If you click a triangle, the insights page appears, and displays the corresponding insights.
## 6. Recent Activity
-The Recent Activity pane shows recently created Insights and recent Insight activity.
+The **Recent Activity** pane shows recently created insights and recent insight activity.
-The card at the top of the pane provides key information about the latest new Insight with the highest severity. The card provides the following information:
+The card at the top of the pane provides key information about the latest new insight with the highest severity. The card provides the following information:
-* The Insight ID and name, separated by a dash character. The name is typically formed from the MITRE stage(s) associated with the Signals in the Insight. In the case of a custom Insight, the name is the one supplied when the Insight was configured.
-* The Insight description, typically formed from the MITRE stage(s) associated with the Signals in the Insight. In the case of a custom Insight, the description is the one supplied when the Insight was configured.
-* The Entity the Insight fired on. You can click on the Entity to view its details. Note that there is a six-button context menu that has options for searching for the Entity in other Insights and in Signals and Records. It also has the built-in **Add to Match List** and **Add to Suppressed List** actions, along with any custom [Context Actions](/docs/cse/administration/create-cse-context-actions/) defined in your environment.
-* The analyst assigned to the Insight, if the Insight has been assigned to one.
-* **Detection Time**. The time between the moment of first activity observation (when the oldest Signal in the Insight was fired) and when the Insight was created. (This differs from "dwell time", which is the time between when the first Record and the last Record occurred in an Insight.)
-* **Signals**. The number of Signals in the Insight.
-* **Severity**. The [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the Insight.
-* **Global Confidence**. [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the Insight, if available.
-* **Most Active Entities**. [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) that are currently appearing the most in activity. Hover your mouse over an Entity and click **View Timeline** to see the [Entity timeline](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entity-timeline-tab).
-* **Today**. Shows changes made today, such as Insights created, status changes, and comments. Items are listed in chronological order, with the newest first.
+* The insight ID and name, separated by a dash character. The name is typically formed from the MITRE stage(s) associated with the signals in the insight. In the case of a custom insight, the name is the one supplied when the insight was configured.
+* The insight description, typically formed from the MITRE stage(s) associated with the signals in the insight. In the case of a custom insight, the description is the one supplied when the insight was configured.
+* The entity the insight fired on. You can click on the entity to view its details. Note that there is a six-button context menu that has options for searching for the entity in other insights and in signals and records. It also has the built-in **Add to Match List** and **Add to Suppressed List** actions, along with any custom [Context Actions](/docs/cse/administration/create-cse-context-actions/) defined in your environment.
+* The analyst assigned to the insight, if the insight has been assigned to one.
+* **Detection Time**. The time between the moment of first activity observation (when the oldest signal in the insight was fired) and when the insight was created. (This differs from "dwell time", which is the time between when the first record and the last record occurred in an insight.)
+* **Signals**. The number of signals in the insight.
+* **Severity**. The [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the insight.
+* **Global Confidence**. [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight, if available.
+* **Most Active Entities**. [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) that are currently appearing the most in activity. Hover your mouse over an entity and click **View Timeline** to see the [entity timeline](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entity-timeline-tab).
+* **Today**. Shows changes made today, such as insights created, status changes, and comments. Items are listed in chronological order, with the newest first.
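Review bot: the lowercasing goes too far on the line "+The third ring contains triangles ... the insights page appears": "Insights" there is the name of a UI page, and the preceding line keeps "**Signals** page" as a bolded page name, so it should read "**Insights** page". While these lines are being rewritten, two carried-over defects should be fixed at the same time: the stray space before the comma in "`timeToResponse` ," in the HTTP POST V2 Action paragraph, and "bulls eye-like" in the Insight radar paragraph, which should be "bullseye-like".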
diff --git a/docs/cse/get-started-with-cloud-siem/index.md b/docs/cse/get-started-with-cloud-siem/index.md
index 5348a9378a..370cfce448 100644
--- a/docs/cse/get-started-with-cloud-siem/index.md
+++ b/docs/cse/get-started-with-cloud-siem/index.md
@@ -35,19 +35,19 @@ This guide helps you get started using Cloud SIEM for threat hunting.
Learn how Cloud SIEM correlates Signals by entity to create Insights.
+Learn how Cloud SIEM correlates signals by entity to create insights.
Learn about the contents of the Insights UI in Cloud SIEM.
+Learn about the contents of the insights UI in Cloud SIEM.
See the out-of-the-box Rules, Schema, Mappings, and Parsers for Cloud SIEM.
+See the out-of-the-box rules, schema, mappings, and parsers for Cloud SIEM.
-Note that the screenshot above shows an *Activity Score* for each entity. The following section explains what an Activity Score is and how it relates to the Insight creation process.
+Note that the screenshot above shows an *activity score* for each entity. The following section explains what an activity score is and how it relates to the insight creation process.
-## Understanding Entity Activity Scores
+## Understanding entity activity scores
-An entity’s Activity Score is the sum of the severities of the unique Signals associated with that entity during the previous two weeks, unless a [different detection period is configured](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold). What makes a Signal unique? A Signal takes its name from the rule that fired it, so unless a rule's name has a unique templated value in it, the Signals that the rule generates are not unique.
+An entity’s activity score is the sum of the severities of the unique signals associated with that entity during the previous two weeks, unless a [different detection period is configured](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold). What makes a signal unique? A signal takes its name from the rule that fired it, so unless a rule's name has a unique templated value in it, the signals that the rule generates are not unique.
Here are a couple practical examples:
-* If the `RDP Brute Force Attempt` rule fires 10 times, the Signals all have the same name, and are not unique. So, the severity of just one of the 10 Signals would be included in the entity’s Activity Score.
-* If the `RDP Brute Force Attempt {{threat_name}}` rule fires three times, where threat name is “bad”, “bad” and “worse”, two of the three Signals are unique:
+* If the `RDP Brute Force Attempt` rule fires 10 times, the signals all have the same name, and are not unique. So, the severity of just one of the 10 signals would be included in the entity’s activity score.
+* If the `RDP Brute Force Attempt {{threat_name}}` rule fires three times, where threat name is “bad”, “bad” and “worse”, two of the three signals are unique:
* `RDP Brute Force Attempt bad`
* `RDP Brute Force Attempt bad`
* `RDP Brute Force Attempt worse`
-The severities of the `RDP Brute Force Attempt bad` and the `RDP Brute Force Attempt worse` Signals would be included in the entity’s Activity Score.
+The severities of the `RDP Brute Force Attempt bad` and the `RDP Brute Force Attempt worse` signals would be included in the entity’s activity score.
-By default, when an entity’s Activity Score exceeds the threshold of 12, Cloud SIEM generates an Insight on the entity. Like the detection period, you can [configure a different Activity Score threshold value](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold) for Insight generation. When Cloud SIEM creates an Insight on an Entity, it resets the Entity’s Activity Score to 0.
+By default, when an entity’s activity score exceeds the threshold of 12, Cloud SIEM generates an insight on the entity. Like the detection period, you can [configure a different activity score threshold value](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold) for insight generation. When Cloud SIEM creates an insight on an entity, it resets the entity’s activity score to 0.
-After Cloud SIEM fires a particular Signal on a particular Entity, it suppresses Signals for that Signal-Entity combination for a time to prevent redundant Signals. For more information, see [Redundant Signal suppression](#redundant-signal-suppression), below.
+After Cloud SIEM fires a particular signal on a particular entity, it suppresses signals for that signal-entity combination for a time to prevent redundant signals. For more information, see [Redundant signal suppression](#redundant-signal-suppression), below.
-### Example of an Entity that has exceeded Activity Score threshold
+### Example of an entity that has exceeded activity score threshold
-In the screenshot below, the **Details** pane on the left shows that the Insight was created for the entity “217.xxx.x.x”, an IP address. The right side of the page shows the Signals that contributed to the Insight. You can see each of the Signals relate to the IP address for which the Insight was created; in the Record underlying each of the Signals, is mapped to the `srcDevice_ip` schema attribute.
+In the screenshot below, the **Details** pane on the left shows that the insight was created for the entity “217.xxx.x.x”, an IP address. The right side of the page shows the signals that contributed to the insight. You can see each of the signals relate to the IP address for which the insight was created; in the record underlying each of the signals, is mapped to the `srcDevice_ip` schema attribute.
-The severity of each Signal is also shown. Cloud SIEM generated an Insight for entity “217.xxx.x.x” because the cumulative severity of Signals fired for that entity within a two week period exceeds the threshold Activity Score.
+The severity of each signal is also shown. Cloud SIEM generated an insight for entity “217.xxx.x.x” because the cumulative severity of signals fired for that entity within a two week period exceeds the threshold activity score.
-### Redundant Signal suppression
+### Redundant signal suppression
-Under certain circumstances, Cloud SIEM suppresses Signals to prevent generation of multiple, virtually identical Insights. A few unique Signals firing numerous times for the same entity in a short period of time could cause the entity’s Activity Score to climb, resulting in an Insight. At that point, the Entity’s Activity score is reset, and the cycle could repeat, leading to several Insights in succession on the same entity that contain a very similar or identical set of unique Signals.
+Under certain circumstances, Cloud SIEM suppresses signals to prevent generation of multiple, virtually identical insights. A few unique signals firing numerous times for the same entity in a short period of time could cause the entity’s activity score to climb, resulting in an insight. At that point, the entity’s Activity score is reset, and the cycle could repeat, leading to several insights in succession on the same entity that contain a very similar or identical set of unique signals.
-This makes Insight triage less than ideal for the analyst since they're getting multiple Insights for the same sets of Signals. Cloud SIEM prevents this by suppressing Signals that have the same name and are on the same Entity during a 12 hour time window, or up to 72 hours if Signals for the Signal-Entity combination are firing continuously.
+This makes insight triage less than ideal for the analyst since they're getting multiple insights for the same sets of signals. Cloud SIEM prevents this by suppressing signals that have the same name and are on the same entity during a 12 hour time window, or up to 72 hours if signals for the signal-entity combination are firing continuously.
**Example 1**
-If Signal A fires on Entity X at hour 0 and continues to fire once every 30 minutes for 24 hours, the Signals that fired after the first one are suppressed. This prevents those subsequent Signals from being analyzed by the Insight engine.
+If signal A fires on entity X at hour 0 and continues to fire once every 30 minutes for 24 hours, the signals that fired after the first one are suppressed. This prevents those subsequent signals from being analyzed by the insight engine.
**Example 2**
-Signal B fires on Entity Y fires at hour 0, and doesn’t fire again until hour 13. The Signal that fired at hour 13 will not be suppressed, and will be analyzed by the Insight engine.
+Signal B fires on entity Y fires at hour 0, and doesn’t fire again until hour 13. The signal that fired at hour 13 will not be suppressed, and will be analyzed by the insight engine.
:::note
-Prototype Signals, which are are not included in Insights, are not suppressed.
+Prototype signals, which are are not included in insights, are not suppressed.
:::
-## About Insight Severity
+## About insight severity
-The severity of an Insight is indicated as Low, Medium, High, or Critical. Note that there are only two situations in which an Insight can have the Critical severity level:
+The severity of an insight is indicated as Low, Medium, High, or Critical. Note that there are only two situations in which an insight can have the Critical severity level:
-* You can assign a severity of Critical to a [Custom Insight](/docs/cse/records-signals-entities-insights/configure-custom-insight) configuration.
-* You can change the severity of an Insight from the severity it was assigned by Cloud SIEM at generation time. In the [Insight details](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) pane, click the icon that appears next to **Severity** to display the severity levels, and select a new level.
+* You can assign a severity of Critical to a [custom insight](/docs/cse/records-signals-entities-insights/configure-custom-insight) configuration.
+* You can change the severity of an insight from the severity it was assigned by Cloud SIEM at generation time. In the [insight details](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) pane, click the icon that appears next to **Severity** to display the severity levels, and select a new level.
-Insights that are generated by the Cloud SIEM Insight generation algorithm will only have severity levels of Low, Medium, or High. Severity is a function of the Entity Activity Score of the Insight’s Entity.
+Insights that are generated by the Cloud SIEM insight generation algorithm will only have severity levels of Low, Medium, or High. Severity is a function of the entity activity score of the insight’s entity.
-By default the threshold Entity Activity Score for Insight generation is 12.The table below shows how severity values map to Activity Scores, if you haven’t changed the threshold value.
+By default the threshold entity activity score for insight generation is 12.The table below shows how severity values map to activity scores, if you haven’t changed the threshold value.
-| Insight Severity value | Activity Score |
+| Insight severity value | Activity score |
|:------------------------|:----------------|
| Low | 13 |
| Medium | 14 or 15 |
| High | 16 or higher |
-If your Entity Activity Score threshold value is set to a value other than 12, you can work out the mapping yourself. If `t` is your configured threshold:
+If your entity activity score threshold value is set to a value other than 12, you can work out the mapping yourself. If `t` is your configured threshold:
```
Low = (t + 1)
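Review bot: in the index.md hunk the three original lines ("Learn how Cloud SIEM correlates Signals by entity to create Insights.", "Learn about the contents of the Insights UI in Cloud SIEM.", "See the out-of-the-box Rules, Schema, Mappings, and Parsers for Cloud SIEM.") are shown as unchanged context rather than as `-` lines, so as displayed the result would keep both the old line and its lowercased copy; they should be removals. The lowercasing pass also missed "the entity’s Activity score is reset" in the Redundant signal suppression section, which should be "activity score". Several pre-existing typos sit on lines this change already rewrites and should be corrected in the same pass: "fires on entity Y fires at hour 0" (duplicated "fires") in Example 2, "which are are not included" in the note, "is 12.The table below" (missing space after the period), and in the screenshot paragraph "in the record underlying each of the signals, is mapped to the `srcDevice_ip` schema attribute", which lacks its subject (the IP address).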
diff --git a/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md b/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
index 2edac0575c..2db794d195 100644
--- a/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
+++ b/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
@@ -59,7 +59,7 @@ Cloud SIEM access is controlled through the unified role-based access controls (
* Cloud SIEM
* View Cloud SIEM
* Insights
- * Comment on Insights
+ * Comment on insights
* **Cloud SIEM Administrator**
+3. For a more granular look at the incoming records, you can also search Sumo Logic for Carbon Black Cloud records.
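Review bot: the added line "+3. For a more granular look at the incoming records, you can also search Sumo Logic for Carbon Black Cloud records." does not belong to the onboarding-checklist role list this hunk edits, and the hunk header `@@ -59,7 +59,7 @@` declares equal line counts, which a pure addition contradicts; it looks like the file header for the Carbon Black Cloud ingestion page was lost, so check that this line lands in the intended file. The other ingestion pages in this change phrase the same step as "search the Sumo Logic platform for ... security records"; align this one for consistency.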
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
index ac65c7d96e..ca6def2349 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
@@ -63,4 +63,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Check Point Firewall security records.
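Review bot: the hunk header `@@ -63,4 +63,4 @@` declares equal line counts, yet only an added line is shown with no corresponding `-` line; compare the corelight-zeek hunk later in this same change, which shows both the removed "incoming Records" step and its lowercased replacement. Confirm the old step is being replaced here rather than duplicated.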
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
index 3ab5c7bed7..c76a3e8af8 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
@@ -61,4 +61,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco ASA security records.
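Review bot: "you can also use search the Sumo Logic platform" in the added step is ungrammatical; drop "use" so it reads "you can also search the Sumo Logic platform for Cisco ASA security records", matching the wording used for the other ingestion pages in this change.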
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
index 191d10d5d8..cfcccf414c 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
@@ -62,4 +62,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco Meraki security records.
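Review bot: "you can also use search the Sumo Logic platform" in the added step has the same stray "use" as the Cisco ASA page; it should read "you can also search the Sumo Logic platform for Cisco Meraki security records".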
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
index de36b78a29..0f4e8be796 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
@@ -71,4 +71,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Corelight Zeek security records.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
index 466bdf7ec5..2d19da005e 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
@@ -71,4 +71,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for FortiGate security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
index a5441e39c7..45e29bc9bc 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
@@ -64,4 +64,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Kemp security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
index 45c8553b73..fb5296e0af 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
@@ -88,4 +88,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Linux OS security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
index b4a98102ab..f423d6c092 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
@@ -66,4 +66,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Nginx security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
index b1845dad9a..693253d7f2 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
@@ -66,4 +66,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search Sumo Logic for ProxySG records.
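Review bot: the added line in osquery.md tells the reader to search for "ProxySG records", which belongs to the Symantec Proxy Secure Gateway topic, not osquery; it should read "...you can also search the Sumo Logic platform for osquery security records." The same line also drops "the ... platform" and "security", so it is the one verification step in this patch worded differently from the rest.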
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
index 66f23a3619..6b41f12e93 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
@@ -73,4 +73,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Proxy Secure Gateway security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
index 2aa93b9068..2bcc71b931 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
@@ -62,4 +62,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for ZScaler NSS security records.
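Review bot: "ZScaler NSS" in the added line should be "Zscaler NSS"; the vendor spells its name with a lowercase s, and the file name (zscaler-nss.md) already follows that.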
diff --git a/docs/cse/ingestion/sumo-logic-ingest-mapping.md b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
index c858b08fdf..fe6f9fd841 100644
--- a/docs/cse/ingestion/sumo-logic-ingest-mapping.md
+++ b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
@@ -7,7 +7,7 @@ description: Learn how to configure Sumo Logic and Cloud SIEM to enable Sumo Log
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic has instructions for creating a Cloud SIEM ingest mapping for a data source. An ingest mapping gives Cloud SIEM the information it needs in order to map message fields to Record attributes. These are referred to as mapping hints, and include: Format, Vendor, Product, and Event ID Pattern.
+This topic has instructions for creating a Cloud SIEM ingest mapping for a data source. An ingest mapping gives Cloud SIEM the information it needs in order to map message fields to record attributes. These are referred to as mapping hints, and include: Format, Vendor, Product, and Event ID Pattern.
:::note
The use of ingest mappings is recommended only if there is no Sumo Logic parser or Cloud-to-Cloud connector for the target data source. For more information, see [Cloud SIEM Ingestion Best Practices](/docs/cse/ingestion/cse-ingestion-best-practices/).
@@ -59,8 +59,7 @@ You need to know how your messages are formatted. Cloud SIEM supports messages i
* Structured syslog data (key-value pairs) with a syslog header
* Microsoft Windows event logs in XML format
* Winlogbeats
-* Messages that have been processed by Sumo Logic [Field Extraction
- Rules](/docs/manage/field-extractions).
+* Messages that have been processed by Sumo Logic [Field Extraction Rules](/docs/manage/field-extractions).
### Determining Product, Vendor, and Event ID pattern
diff --git a/docs/cse/ingestion/view-mappers-for-product.md b/docs/cse/ingestion/view-mappers-for-product.md
index 871bab98af..ff0734db53 100644
--- a/docs/cse/ingestion/view-mappers-for-product.md
+++ b/docs/cse/ingestion/view-mappers-for-product.md
@@ -9,7 +9,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
This topic has instructions for find the log mappers that Cloud SIEM provides for particular product or service.
-See the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md) for a complete list of [Mappings](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/mappings/README.md), [Vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md), and [Products](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/README.md).
+See the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md) for a complete list of [mappings](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/mappings/README.md), [vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md), and [products](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/README.md).
Cloud SIEM may have more than one log mapping for a particular product. For example, there may be a separate mapping for each message type issued by a product. You can view the available mappings in the Cloud SIEM UI.
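Review bot: the unchanged context line "This topic has instructions for find the log mappers that Cloud SIEM provides for particular product or service." has two grammar slips directly above the line being edited; since this hunk already touches the paragraph, fix it to "This topic has instructions for finding the log mappers that Cloud SIEM provides for a particular product or service."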
diff --git a/docs/cse/records-signals-entities-insights/about-signal-suppression.md b/docs/cse/records-signals-entities-insights/about-signal-suppression.md
index e52103246c..b61fcbcd12 100644
--- a/docs/cse/records-signals-entities-insights/about-signal-suppression.md
+++ b/docs/cse/records-signals-entities-insights/about-signal-suppression.md
@@ -2,7 +2,7 @@
id: about-signal-suppression
title: About Signal Suppression
sidebar_label: Signal Suppression
-description: Learn about the ways that Cloud SIEM Signals can be suppressed, and so excluded from the Insight generation process.
+description: Learn about the ways that Cloud SIEM signals can be suppressed, and so excluded from the insight generation process.
keywords:
- Cloud SIEM
- entity
@@ -11,57 +11,57 @@ keywords:
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic describes the various ways that Signals can get suppressed.
+This topic describes the various ways that signals can get suppressed.
-In Cloud SIEM, a *suppressed Signal* is a Signal that Cloud SIEM's Insight algorithm will exclude from the Insight generation process. In other words, a suppressed Signal does not contribute to or become a part of an Insight. By default, Signals are automatically suppressed for 72 hours.
+In Cloud SIEM, a *suppressed signal* is a signal that Cloud SIEM's insight algorithm will exclude from the insight generation process. In other words, a suppressed signal does not contribute to or become a part of an insight. By default, signals are automatically suppressed for 72 hours.
-Signal suppression can occur for a variety of reasons, including [Entity suppression](#suppress-by-entity), [network blocks](#suppress-by-network-block), [suppression lists](#suppress-by-indicator), and identifying [redundant Signals](#automatic-suppression-of-redundant-signals) by our rules correlation engine. In all cases, Signals will still be generated in the suppressed state. Depending on the reason, the field `suppressedReasons` will be populated in the `sec_signal` index. For example, this may include the Signal ID of an identical Signal that caused subsequent redundant Signals to be suppressed, or it may contain the name of the network block with suppression enabled.
+Signal suppression can occur for a variety of reasons, including [entity suppression](#suppress-by-entity), [network blocks](#suppress-by-network-block), [suppression lists](#suppress-by-indicator), and identifying [redundant signals](#automatic-suppression-of-redundant-signals) by our rules correlation engine. In all cases, signals will still be generated in the suppressed state. Depending on the reason, the field `suppressedReasons` will be populated in the `sec_signal` index. For example, this may include the signal ID of an identical signal that caused subsequent redundant signals to be suppressed, or it may contain the name of the network block with suppression enabled.
-## Set the global Signal suppression value
+## Set the global signal suppression value
-By default, Signals are automatically suppressed for 72 hours. You can change this value to anywhere from 24 hours to 72 hours with the **Global Signal Suppression** setting on the **Insight Detection** page. See [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/).
+By default, signals are automatically suppressed for 72 hours. You can change this value to anywhere from 24 hours to 72 hours with the **Global Signal Suppression** setting on the **Insight Detection** page. See [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/).
-### Override global Signal suppression
+### Override global signal suppression
-You can override the [global Signal suppression](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) in any rule. This allows the rule to generate Signals in a shorter time frame than the 72-hour default. This can be helpful, for example, when you want the rule to generate Signals for time-sensitive issues that cannot wait for 72 hours before generating a Signal.
+You can override the [global signal suppression](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) in any rule. This allows the rule to generate signals in a shorter time frame than the 72-hour default. This can be helpful, for example, when you want the rule to generate signals for time-sensitive issues that cannot wait for 72 hours before generating a signal.
-To override global Signal suppression in a rule:
+To override global signal suppression in a rule:
1. Create or edit a [rule](/docs/cse/rules/).
1. Click **Show Advanced** on the **Then Create a Signal** tab.
1. Select the **Override Global Signal Suppression** check box.
-1. Enter the hours and/or minutes to suppress Signal generation.
+1. Enter the hours and/or minutes to suppress signal generation.
For certain rule types (Threshold, Chain, or Aggregation), the minimum valid value you can enter is determined by the time value in the **If Triggered** tab.
-## Suppress by Entity
+## Suppress by entity
-You can suppress an Entity on its [details page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-details-page) in the Cloud SIEM UI using the suppression slider.
+You can suppress an entity on its [details page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-details-page) in the Cloud SIEM UI using the suppression slider.
-You can suppress multiple Entities at once on the [Entities list page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-list-page) in the Cloud SIEM UI. Note that in the screenshot below, the row for an Entity that is currently suppressed contains a **Suppressed** indicator.
+You can suppress multiple entities at once on the [entities list page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-list-page) in the Cloud SIEM UI. Note that in the screenshot below, the row for an Entity that is currently suppressed contains a **Suppressed** indicator.
-
+
-When you checkmark one or more Entities, the **Update Suppression** button appears. When you click it you’re prompted to set the suppression state for the select Entities. You can also create a .csv file with your suppression changes, and use the **Import Metadata** button to upload it to Cloud SIEM. For details, see the [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities) topic.
+When you checkmark one or more entities, the **Update Suppression** button appears. When you click it you’re prompted to set the suppression state for the select entities. You can also create a .csv file with your suppression changes, and use the **Import Metadata** button to upload it to Cloud SIEM. For details, see the [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities) topic.
-You can see what Entities are currently suppressed on the **Entities** page by filtering the list by **Suppressed**.
+You can see what entities are currently suppressed on the **Entities** page by filtering the list by **Suppressed**.
## Suppress by indicator
-Signals can be suppressed based on the presence of a suppressed indicator in any of the Records associated with a Signal. You create lists of indicators, which are things like IPs, hostnames, URLs, domains, and so. You can set a TTL (time to live) after which an indicator will be unsuppressed. You can create these lists on the [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/) page, available from the content menu.
+Signals can be suppressed based on the presence of a suppressed indicator in any of the records associated with a signal. You create lists of indicators, which are things like IPs, hostnames, URLs, domains, and so. You can set a TTL (time to live) after which an indicator will be unsuppressed. You can create these lists on the [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/) page, available from the content menu.
-
+
-## Suppress by Network Block
+## Suppress by network block
-You can suppress Signals on all of the IP addresses in a Network Block. You can see on the Network Blocks page whether or not Signals are suppressed for IPs in the block. For more information, see [Create and Use Network Blocks](/docs/cse/administration/create-use-network-blocks/).
+You can suppress signals on all of the IP addresses in a network block. You can see on the network blocks page whether or not signals are suppressed for IPs in the block. For more information, see [Create and Use Network Blocks](/docs/cse/administration/create-use-network-blocks/).
-## Automatic suppression of redundant Signals
+## Automatic suppression of redundant signals
-Cloud SIEM suppresses redundant Signals to prevent the generation of multiple, virtually identical Insights. For information about how this works, see [Redundant Signal suppression](/docs/cse/get-started-with-cloud-siem/insight-generation-process#redundant-signal-suppression).
+Cloud SIEM suppresses redundant signals to prevent the generation of multiple, virtually identical insights. For information about how this works, see [Redundant signal suppression](/docs/cse/get-started-with-cloud-siem/insight-generation-process#redundant-signal-suppression).
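Review bot: the lowercasing is incomplete in this hunk, and all three spots are on `+` lines so they can be fixed here. "Note that in the screenshot below, the row for an Entity that is currently suppressed" still capitalizes "Entity"; "set the suppression state for the select entities" should be "for the selected entities"; and "things like IPs, hostnames, URLs, domains, and so." is missing its last word and should end "and so on."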
diff --git a/docs/cse/records-signals-entities-insights/configure-custom-insight.md b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
index efc88d3b56..b51b422545 100644
--- a/docs/cse/records-signals-entities-insights/configure-custom-insight.md
+++ b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
@@ -2,7 +2,7 @@
id: configure-custom-insight
title: Configure a Custom Insight
sidebar_label: Custom Insights
-description: Learn how to set up Custom Insight configurations, which you can use to automatically generate Insights on some basis other than Entity Activity Scores.
+description: Learn how to set up custom insight configurations, which you can use to automatically generate insights on some basis other than entity activity scores.
keywords:
- custom insight
- cloud siem
@@ -10,55 +10,55 @@ keywords:
import useBaseUrl from '@docusaurus/useBaseUrl';
-As described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, Cloud SIEM automatically generates an Insight based on an Entity’s Activity Score, which is the cumulative severity of the unique Signals that have fired on an Entity during a period of time. In some cases, you may want Cloud SIEM to generate an Insight on some basis other than Entity Activity Scores. For example, you might want an Insight generated whenever a particular set of Signals are fired in a particular order.
+As described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, Cloud SIEM automatically generates an insight based on an entity’s activity score, which is the cumulative severity of the unique signals that have fired on an entity during a period of time. In some cases, you may want Cloud SIEM to generate an insight on some basis other than entity activity scores. For example, you might want an insight generated whenever a particular set of signals are fired in a particular order.
-This topic has instructions for defining a Custom Insight, which is a configuration you set up that causes Cloud SIEM to generate Insights based purely on one or more Signals being fired.
+This topic has instructions for defining a custom insight, which is a configuration you set up that causes Cloud SIEM to generate insights based purely on one or more signals being fired.
-## Ways to define a Custom Insight
+## Ways to define a custom insight
-There are two ways you can define a Custom Insight. You can specify that the Insight should be generated each time:
+There are two ways you can define a custom insight. You can specify that the insight should be generated each time:
-* One or more selected rules fire a Signal.
+* One or more selected rules fire a signal.
* Signals whose name matches a specified wildcard expression are fired.
-Which method should you use? The difference is whether you’re going to create an Insight based on the name of the rule that fired the Signal, or based on the name of the Signal that was fired. Typically, Signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [Normalized Threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the Signals that a normalized rule fires vary by data source. So, if you want your Custom Insight configuration to generate Insights for Signals fired by normalized rules, you should base it on Signal names, rather than rule names.
+Which method should you use? The difference is whether you’re going to create an insight based on the name of the rule that fired the signal, or based on the name of the signal that was fired. Typically, signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [normalized threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the signals that a normalized rule fires vary by data source. So, if you want your custom insight configuration to generate insights for signals fired by normalized rules, you should base it on signal names, rather than rule names.
-When the conditions of a Custom Insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an Insight will be generated for each Entity involved. In other words, if each of the Signals in a Custom Insight configuration fired on a different Entity, an Insight will be created on each of those Entities. The generated Insights will include not only the Signals that it fired on, but also any related Signals.
+When the conditions of a custom insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an insight will be generated for each entity involved. In other words, if each of the signals in a custom insight configuration fired on a different entity, an insight will be created on each of those entities. The generated insights will include not only the signals that it fired on, but also any related signals.
-## Create a Custom Insight
+## Create a custom insight
-To create a Custom Insight:
+To create a custom insight:
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu, select **Content > Custom Insights**.
-4. In the **Name** field, enter a name for the Custom Insight.
-5. If you want the Custom Insight to be generated based on one or more rules firing Signals, jump to step 6, below. Otherwise:
+3. The **Configure the Custom Insight** popup appears.
+4. In the **Name** field, enter a name for the custom insight.
+5. If you want the custom insight to be generated based on one or more rules firing signals, jump to step 6, below. Otherwise:
1. Leave the **When Signals are created from the following...** clause set to **Signal names**.
- 2. Enter an expression that matches the name(s) of the Signals of interest. For example: `Critical Severity Intrusion Signature *`
+ 2. Enter an expression that matches the name(s) of the signals of interest. For example: `Critical Severity Intrusion Signature *`
3. Click **Add**.
- 4. If you want to, you can enter one or more additional Signal expressions.
- 5. If you’ve configured more than one Signal expression, use the **in ... order** clause to specify whether the Signals must occur in **exact** order, or whether the Signals can occur in **any** order.
-6. If you want the Custom Insight to be generated based on one or more rules firing Signals:
- 1. Change the **When Signals are created from the following...** clause to **rule** .
+ 4. If you want to, you can enter one or more additional signal expressions.
+ 5. If you’ve configured more than one signal expression, use the **in ... order** clause to specify whether the signals must occur in **exact** order, or whether the signals can occur in **any** order.
+6. If you want the custom insight to be generated based on one or more rules firing signals:
+ 1. Change the **When Signals are created from the following...** clause to **rule**.
2. In the **Type to add a Rule** area, enter a string that the ID of the desired rule contains.
3. In the list of rules that appears, scroll to the desired rule and click it.
4. If you want to, you can search for and select one or more additional rules.
- 5. If you’ve configured more than one rule, use the **in ... order** clause to specify whether the rules must fire Signals in exact order, or in any order.
-7. In the **Then Create an Insight** section on the right side of the popup, enter a name for the Insight.
-8. Enter a description of the Insight, as desired.
-9. For severity, you can choose between a constant severity, or a dynamic severity that is based on the severity of the Signals that trigger the Insight. If you want to configure dynamic severity, skip to the next step. To configure constant severity, select one of: Low, Medium, High, or Critical.
-10. To configure dynamic severity for the custom Insight:
+ 5. If you’ve configured more than one rule, use the **in ... order** clause to specify whether the rules must fire signals in exact order, or in any order.
+7. In the **Then Create an Insight** section on the right side of the popup, enter a name for the insight.
+8. Enter a description of the insight, as desired.
+9. For severity, you can choose between a constant severity, or a dynamic severity that is based on the severity of the signals that trigger the insight. If you want to configure dynamic severity, skip to the next step. To configure constant severity, select one of: Low, Medium, High, or Critical.
+10. To configure dynamic severity for the custom insight:
1. Choose **dynamic** severity.
:::note
You can define dynamic severity for record fields on [Match rules](/docs/cse/rules/write-match-rule#configure-then-create-a-signal-settings) and [Aggregation rules](/docs/cse/rules/write-aggregation-rule/#configure-then-create-a-signal-settings).
:::
1. Select a default severity, one of **Low**, **Medium**, **High**, or **Critical**.
- 1. **Minimum Signal Severity** and **Insight Severity**. Enter a minimum Signal severity and associated Insight severity value. For example, if you enter 8 and select high, if any Signal in the Insight has a severity of 8 or higher, the custom Insight will have High severity.
- 1. If desired, you can enter a minimum Signal severity value for other Insight severity levels. For example, you could configure a minimum Signal severity of 4 as the threshold for an Insight severity level of Medium. If you do define multiple thresholds, we honor them from highest to lowest. For example, with the following configuration:
+ 1. **Minimum Signal Severity** and **Insight Severity**. Enter a minimum signal severity and associated insight severity value. For example, if you enter 8 and select high, if any signal in the insight has a severity of 8 or higher, the custom insight will have High severity.
+ 1. If desired, you can enter a minimum signal severity value for other insight severity levels. For example, you could configure a minimum signal severity of 4 as the threshold for an insight severity level of Medium. If you do define multiple thresholds, we honor them from highest to lowest. For example, with the following configuration:
* If the highest signal severity was at least 3, severity is Low.
- * If the highest Signal severity was at least 5, severity is Medium.
- * If the highest Signal severity was at least 7, severity is Critical.
+ * If the highest signal severity was at least 5, severity is Medium.
+ * If the highest signal severity was at least 7, severity is Critical.
-11. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the Custom Insight.
-12. Click **Submit** to save your Custom Insight configuration.
+11. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the custom insight.
+12. Click **Submit** to save your custom insight configuration.
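Review bot: in the added dynamic-severity text, "if you enter 8 and select high" should be "select High" to match "the custom insight will have High severity" later in the same sentence and the Low, Medium, High, Critical labels in step 9. The threshold example that follows maps 3, 5 and 7 to Low, Medium and Critical with no High tier, which reads like an omission; either add a High threshold between 5 and 7 or state that the tiers need not be contiguous. Separately, the numbered steps go from "1. [**Classic UI**]..." straight to the added "3. The **Configure the Custom Insight** popup appears." with no step 2 visible in this hunk; worth confirming the rendered list is continuous.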
diff --git a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
index 68b4dd2e47..7ae3ee87e4 100644
--- a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
+++ b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
@@ -2,86 +2,86 @@
id: configure-entity-lookup-table
title: Configure an Entity Lookup Table
sidebar_label: Entity Lookup Tables
-description: Entity Lookup Tables allow you to normalize the names of users and hosts (machines) in your environment
+description: Entity lookup tables allow you to normalize the names of users and hosts (machines) in your environment
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic describes Entity Lookup Tables and how to configure them.
+This topic describes entity lookup tables and how to configure them.
:::note
-Entity Lookup Tables are supported if your Cloud SIEM URL ends in `sumologic.com`.
+Entity lookup tables are supported if your Cloud SIEM URL ends in `sumologic.com`.
:::
-## What are Entity Lookup Tables good for?
+## What are entity lookup tables good for?
-Entity Lookup Tables allow you to normalize the names of users and hosts (machines) in your environment. This is important because the username or hostname formats found in messages tend to vary by data source. For example, you’ll likely encounter the following forms of user names across the services you use:
+Entity lookup tables allow you to normalize the names of users and hosts (machines) in your environment. This is important because the username or hostname formats found in messages tend to vary by data source. For example, you’ll likely encounter the following forms of user names across the services you use:
* `jdoe@acme.com`
* `joseph.doe`
* `jdoe`
-In addition, in some systems a user or a host has both a name and a unique ID, the latter of which is generally not a friendly identifier. For example, the host ID and hostname below both identify a host. It makes sense to replace the host ID in Records with the hostname.
+In addition, in some systems a user or a host has both a name and a unique ID, the latter of which is generally not a friendly identifier. For example, the host ID and hostname below both identify a host. It makes sense to replace the host ID in records with the hostname.
* `d8ece0f8-10a4-3c62-b8a3-2e636a3a0509`
* `testk-122.testlabs.local`
-Multiple identifiers for the same user or host are a problem when it comes to correlating Signals around a common Entity. Unless you allow for all permutations of a username or hostname, your rule or search won’t function as intended with all data sources.
+Multiple identifiers for the same user or host are a problem when it comes to correlating signals around a common entity. Unless you allow for all permutations of a username or hostname, your rule or search won’t function as intended with all data sources.
-### Examples of when you create Lookup Tables
+### Examples of when you create lookup tables
-Following are some examples of situations when you'd want to use Entity Lookup Tables:
+Following are some examples of situations when you'd want to use entity lookup tables:
* CrowdStrike FDR data uses an agent ID (AID) instead of a hostname for some messages.
* Mail Transfer Agent (MTA) systems report usernames in an email format.
* Your users have different login names on different systems (for example, Windows, Linux, and AWS).
-### How does an Entity Lookup Table work?
+### How does an entity lookup table work?
-An Entity Lookup Table defines two sets of values: a lookup value to look for in an incoming message and a substitution value. You can create Entity Lookup Tables to support the following types of normalization:
+An entity lookup table defines two sets of values: a lookup value to look for in an incoming message and a substitution value. You can create entity lookup tables to support the following types of normalization:
* **Host ID to Normalized Hostname**
* **User ID to Normalized Username**
* **Username to Normalized Username**
-Entity Lookup Tables are based on Sumo Logic’s [Lookup Tables](/docs/search/lookup-tables/) feature. Here is an example of a **Host ID to Normalized Hostname** Lookup Table in the Sumo Logic Library:
+Entity lookup tables are based on Sumo Logic’s [lookup tables](/docs/search/lookup-tables/) feature. Here is an example of a **Host ID to Normalized Hostname** lookup table in the Sumo Logic Library:
-
+
-## Creating a Lookup Table
+## Creating a lookup table
-Before you configure a Lookup Table in Cloud SIEM, you must [create the Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic platform. There are a variety of ways to create a Lookup Table.
+Before you configure a lookup table in Cloud SIEM, you must [create the lookup table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic platform. There are a variety of ways to create a lookup table.
### Limitations
-You can configure a maximum of five Entity Lookup Tables.
+You can configure a maximum of five entity lookup tables.
### Populate table from inventory data
-You can create Lookup Tables from information about hosts and users–known as inventory data–in your environment. Inventory data is collected by Sumo Logic core platform inventory sources, typically by an Active Directory source running on a Sumo Logic Installed Collector, and also by sources that leverage the Sumo Logic Cloud-to-Cloud Integration Framework.
+You can create lookup tables from information about hosts and users–known as inventory data–in your environment. Inventory data is collected by Sumo Logic core platform inventory sources, typically by an Active Directory source running on a Sumo Logic Installed Collector, and also by sources that leverage the Sumo Logic Cloud-to-Cloud Integration Framework.
-This method–the typical way to populate a Lookup Table for the purpose of Entity normalization–involves running a log search against data collected by a Cloud SIEM Inventory source, and then saving and scheduling the search. This process is described in the [Save Inventory Data to a Lookup Table](/docs/cse/administration/save-inventory-data-lookup-table) topic. After creating the table, perform the steps in [Configure the Lookup Table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
+This method–the typical way to populate a lookup table for the purpose of entity normalization–involves running a log search against data collected by a Cloud SIEM Inventory source, and then saving and scheduling the search. This process is described in the [Save Inventory Data to a Lookup Table](/docs/cse/administration/save-inventory-data-lookup-table) topic. After creating the table, perform the steps in [Configure the lookup table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
### Existing lookups
-If you already have a Lookup Table that contains normalization data, you can configure it in Cloud SIEM. Or, if you have existing normalization data that is not currently in a Lookup Table you can create a Lookup Table with that data. Note that your Lookup Table must contain a field that contains a lookup value and one that contains a substitution value. There is no requirement for particular column names.
+If you already have a lookup table that contains normalization data, you can configure it in Cloud SIEM. Or, if you have existing normalization data that is not currently in a lookup table you can create a lookup table with that data. Note that your lookup table must contain a field that contains a lookup value and one that contains a substitution value. There is no requirement for particular column names.
-For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-lookup-table/). After creating the table, perform the steps in [Configure the Lookup Table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
+For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-lookup-table/). After creating the table, perform the steps in [Configure the lookup table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
-### Configure the Lookup Table in Cloud SIEM
+### Configure the lookup table in Cloud SIEM
-After you've [created your Entity Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
+After you've [created your entity lookup table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Normalization**.
+1. The **Existing Lookup Table** popup appears. Following is an example.
1. Click **Edit** to configure the lookup table. Note that most fields are read-only.
- 1. **Path**. The path to the existing Lookup Table in the Sumo Logic Library. For example: `/Library/Admin Recommended/NormalizedHostNames`
+ 1. **Path**. The path to the existing lookup table in the Sumo Logic Library. For example: `/Library/Admin Recommended/NormalizedHostNames`
1. **Type**. The type of normalization:
* **Host ID to Normalized Hostname**. Maps unique host IDs to recognizable hostnames.
* **User ID to Normalized Username**. Maps unique user IDs to recognizable usernames.
* **Username to Normalized Username**. Maps a username in one format to a username in another format.
- 1. **Column Name**. The name of the Lookup Table column that contains the primary key for the table.
- 1. **Sub Column Name**. The name of the Lookup Table column that contains the value you want to substitute for the lookup column.
- 1. **Source Category**. (Optional) If you enter a source category, the lookup substitution will only be applied to Records that are tagged with that source category.
+ 1. **Column Name**. The name of the lookup table column that contains the primary key for the table.
+ 1. **Sub Column Name**. The name of the lookup table column that contains the value you want to substitute for the lookup column.
+ 1. **Source Category**. (Optional) If you enter a source category, the lookup substitution will only be applied to records that are tagged with that source category.
1. Click **Save**.
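Review bot: link text casing is inconsistent after this pass. The same paragraph that lowercases `[Configure the lookup table in Cloud SIEM]` keeps `[Save Inventory Data to a Lookup Table]` in title case, `[lookup tables]` is lowercased while `[Create a Lookup Table]` is not, and `[created your entity lookup table]` is lowercased even though it points at the "Create a Lookup Table" page. Pick one rule (for example: link text that is a page title keeps the page's case, everything else follows the new lowercase convention) and apply it to every link touched here. Separately, the rewritten lines keep en dashes as parenthetical dashes ("hosts and users–known as inventory data–in your environment", "This method–the typical way to populate a lookup table...–involves"); commas or parentheses would read more cleanly and avoid the unspaced dash.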
diff --git a/docs/cse/records-signals-entities-insights/create-an-entity-group.md b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
index 64c4752b60..128cd1c7d5 100644
--- a/docs/cse/records-signals-entities-insights/create-an-entity-group.md
+++ b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
@@ -2,57 +2,57 @@
id: create-an-entity-group
title: Create an Entity Group
sidebar_label: Entity Groups
-description: You can use Entity Groups to automatically group entities in terms of criteria like name or IP Address.
+description: You can use entity groups to automatically group entities in terms of criteria like name or IP Address.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-An administrator can use the _Entity Groups_ feature to define groups of Entities and to assign attributes to them at the group level. You can define the members of an Entity Group in two ways:
+An administrator can use the _entity groups_ feature to define groups of entities and to assign attributes to them at the group level. You can define the members of an entity group in two ways:
-* Based on Entity name or an IP address range.
+* Based on entity name or an IP address range.
* Based on membership in a group in an Inventory system like Active Directory.
-Note that membership in an Entity Group is not configured by explicitly assigning individual Entities to the group. Instead you define an Entity Group in terms of criteria, like name or IP address, so that Entities will automatically inherit the properties of Entity Groups they match without manual edits.
+Note that membership in an entity group is not configured by explicitly assigning individual entities to the group. Instead you define an entity group in terms of criteria, like name or IP address, so that entities will automatically inherit the properties of entity groups they match without manual edits.
-You can assign [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/), [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), and [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) status to an Entity Group, and those settings will be applied to all of the Entities in the group.
+You can assign [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/), [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), and [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) status to an entity group, and those settings will be applied to all of the entities in the group.
-Consider an Entity Group configured to:
+Consider an entity group configured to:
* Include any host in the Active Directory “laptops” group, and
* Set a (pre-configured) criticality to group members.
-Each laptop in the “laptops” group will automatically inherit the criticality defined for the Entity Group, and so will laptops assigned to the “laptops” group in the future. In other words, when an Entity is added, if it matches the membership criteria of an existing Entity Group, it will be automatically added to that group.
+Each laptop in the “laptops” group will automatically inherit the criticality defined for the entity group, and so will laptops assigned to the “laptops” group in the future. In other words, when an entity is added, if it matches the membership criteria of an existing entity group, it will be automatically added to that group.
-Note that when an Insight is created, any tags that are assigned to the primary Entity in the Insight are automatically inherited by the Insight. So, tags that an Entity inherits from an Entity Group will also be inherited by Insights that fire on the Entity. (Such inheritance is not retro-active: Insights that fired on an Entity prior to the Entity being tagged won’t be tagged.)
+Note that when an insight is created, any tags that are assigned to the primary entity in the insight are automatically inherited by the insight. So, tags that an entity inherits from an entity group will also be inherited by insights that fire on the entity. (Such inheritance is not retro-active: insights that fired on an entity prior to the entity being tagged won’t be tagged.)
-## Entity Group limits
+## Entity group limits
-The number of Entity Groups you can configure per org varies by the type of the group:
+The number of entity groups you can configure per org varies by the type of the group:
-* You can configure a maximum of 1000 Entity Groups based on membership in a group in an Inventory system.
-* You can configure a maximum of 10000 Entity Groups based on Entity name or an IP address range.
+* You can configure a maximum of 1000 entity groups based on membership in a group in an Inventory system.
+* You can configure a maximum of 10000 entity groups based on entity name or an IP address range.
-## Overlapping Entity Groups
+## Overlapping entity groups
-It’s possible to define Entity Groups that overlap, in terms of the Entities they contain. However, for the sake of simplicity, we recommend you configure your Entity Groups to not overlap. If an Entity does belong to more than one group, the tags from all of the groups are applied to the Entity. Criticality and suppression status are applied by the first Entity Group that matches in this order:
+It’s possible to define entity groups that overlap, in terms of the entities they contain. However, for the sake of simplicity, we recommend you configure your entity groups to not overlap. If an entity does belong to more than one group, the tags from all of the groups are applied to the entity. Criticality and suppression status are applied by the first entity group that matches in this order:
-1. Entity Groups based on Inventory source and group are processed in alphabetical order, by Entity Group name.
-1. Entity Groups based on IP address ranges are processed in order from most specific (smallest block) to least specific (largest block).
-1. Entity Groups based on name are processed in order, by the length of the match string configured as either Prefix or Suffix, then alphabetically, by Entity Group name.
+1. Entity groups based on Inventory source and group are processed in alphabetical order, by entity group name.
+1. Entity groups based on IP address ranges are processed in order from most specific (smallest block) to least specific (largest block).
+1. Entity groups based on name are processed in order, by the length of the match string configured as either Prefix or Suffix, then alphabetically, by entity group name.
-## Create an Entity Group based on Entity attributes
+## Create an entity group based on entity attributes
-Follow these instructions to create an Entity Group based on Entity name or whether the Entity is within a specified range of IP addresses.
+Follow these instructions to create an entity group based on entity name or whether the entity is within a specified range of IP addresses.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Groups**.
-1. **Name**. Enter a name for the Entity Group.
+1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.)
+1. **Name**. Enter a name for the entity group.
1. **Description**. (Optional.)
1. **Configuration Type**. Select **Values**.
-1. **Entity Types**. Select one of the following Entity types:
+1. **Entity Types**. Select one of the following entity types:
* **IP Address**
* **MAC Address**
* **Username**
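Review bot: the new front-matter description still capitalizes "IP Address" ("criteria like name or IP Address") while the body text in this same hunk now says "IP address range"; lowercase it to match. Two smaller points on lines this hunk rewrites: "retro-active" should be "retroactive", and "Inventory system" / "Inventory source" keep the capital I that the pass removes from "entity" and "insight", so decide whether "Inventory" is a product term that stays capitalized or should be lowercased as well.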
@@ -66,54 +66,54 @@ Follow these instructions to create an Entity Group based on Entity name or whet
* **URL**
* **File**
1. **Match Condition**. Select one of the following match types:
- * **Prefix**. After you select this option, a **Prefix** field appears. Enter a string that matches the leading characters of the names of the Entities you want to include in the group.
- * **Suffix**. After you select this option, a **Suffix** field appears. Enter a string that matches the trailing characters of the names of the Entities you want to include in the group.
+ * **Prefix**. After you select this option, a **Prefix** field appears. Enter a string that matches the leading characters of the names of the entities you want to include in the group.
+ * **Suffix**. After you select this option, a **Suffix** field appears. Enter a string that matches the trailing characters of the names of the entities you want to include in the group.
* **IP Address Range.** After you select this option, an **IP Address Range** field appears. Enter a CIDR block of IP addresses.
* **Sensor Zone**. This field is present if you selected _IP Address _as the **Entity Type** above. Optionally, select a **Sensor Zone** from the pulldown.
:::note
- If you select a [Sensor Zone](/docs/cse/administration/using-sensor-zones), the IP addresses assigned to the Entity Group will be limited to addresses that are within the specified **IP Address Range** and also have been assigned the selected Sensor Zone.
+ If you select a [Sensor Zone](/docs/cse/administration/using-sensor-zones), the IP addresses assigned to the entity group will be limited to addresses that are within the specified **IP Address Range** and also have been assigned the selected Sensor Zone.
:::
-1. **Tags**. Select any tags you’d like to apply to Entities in the group.
-1. **Criticality**. If desired, select a Criticality.
-1. **Suppression**. Select **Suppressed** if you want to suppress Signals on Entities in the group.
+1. **Tags**. Select any tags you’d like to apply to entities in the group.
+1. **Criticality**. If desired, select a criticality.
+1. **Suppression**. Select **Suppressed** if you want to suppress signals on entities in the group.
-## Create an Entity Group based on inventory group membership
+## Create an entity group based on inventory group membership
-Follow these instructions to create an Entity Group that corresponds to a group in an inventory service in your infrastructure.
+Follow these instructions to create an entity group that corresponds to a group in an inventory service in your infrastructure.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Groups**.
-1. **Name**. Enter a name for the Entity Group.
+1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.)
+1. **Name**. Enter a name for the entity group.
1. **Description**. (Optional.)
1. **Configuration Type**. Select **Inventory**.
1. **Inventory Type**. Select one of:
* Computer
* User
-1. **Inventory Key**. Select an attribute to use from the **Inventory Type** selected above. You can use second-level unnormalized inventory attributes in this field (for example, `fields.foo.bar`). Select **groups** if you want to use an existing Entity Group attribute.
+1. **Inventory Key**. Select an attribute to use from the **Inventory Type** selected above. You can use second-level unnormalized inventory attributes in this field (for example, `fields.foo.bar`). Select **groups** if you want to use an existing entity group attribute.
1. **Source**. Select an inventory source from the pull-down list.
-1. **Value**. Enter a value for the attribute selected in the **Inventory Key** field above. You can use REGEX expressions in this field (for example, in the screenshot above, the value is `.*OU\=ADFS.*`).
-2. The corresponding Cloud SIEM Entity inventory enrichment for the data is as follows. Notice how the `distinguishedName` field is defined:
-3. Now, to ensure that we add the data for these Entities to an "ADFS Servers" Entity Group, we create the Entity Group as shown in the [screenshot above](#create-an-entity-group-based-on-inventory-group-membership). We set the inventory key as `fields.distinguishedname`, the value as `.*OU\=ADFS.*`, and the tag to be applied as `adfs_server`.
-4. Then when the Entity Group is processed, the tag we specified is applied to each Entity in the group, like in this example from the Entities details page:
+1. Let's say you want to create an entity group for ADFS servers. The Active Directory inventory data for your ADFS servers adheres to the following pattern. Notice the computer name, and how it appears in the `distinguishedName` field:
+2. The corresponding Cloud SIEM entity inventory enrichment for the data is as follows. Notice how the `distinguishedName` field is defined:
+3. Now, to ensure that we add the data for these entities to an "ADFS Servers" entity group, we create the entity group as shown in the [screenshot above](#create-an-entity-group-based-on-inventory-group-membership). We set the inventory key as `fields.distinguishedname`, the value as `.*OU\=ADFS.*`, and the tag to be applied as `adfs_server`.
+4. Then when the entity group is processed, the tag we specified is applied to each entity in the group, like in this example from the entities details page:
## Using tags in rule expressions
-If you've applied a tag to an Entity, you can use the tag in a [rule expression](/docs/cse/rules/about-cse-rules/#about-rule-expressions). For example, if you've attached a keyword tag "DB Server" to an Entity, this `array_contains` statement will return "true" if the Entity in a Record's `srcDevice_ip` field has the tag "DB Server"
+If you've applied a tag to an entity, you can use the tag in a [rule expression](/docs/cse/rules/about-cse-rules/#about-rule-expressions). For example, if you've attached a keyword tag "DB Server" to an entity, this `array_contains` statement will return "true" if the entity in a record's `srcDevice_ip` field has the tag "DB Server"
```
array_contains(fieldTags["srcDevice_ip"], "DB Server")
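Review bot: the **Value** step ("Enter a value for the attribute selected in the **Inventory Key** field above. You can use REGEX expressions in this field ...") is removed and has no `+` counterpart in this hunk, so the procedure now goes from **Source** straight into the ADFS walkthrough, yet step 3 of that walkthrough still says "We set ... the value as `.*OU\=ADFS.*`" with no field left to enter it in. If the step was dropped unintentionally, restore it as "1. **Value**. ..." with "entity group" lowercased like the rest. Also, in the unchanged **Sensor Zone** bullet the italics are mis-delimited: `_IP Address _as` puts the space inside the closing underscore and will not render; it should read `_IP Address_ as`. Finally, the sentence introducing the `array_contains` example ends with no period or colon before the code fence.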
@@ -121,4 +121,4 @@ array_contains(fieldTags["srcDevice_ip"], "DB Server")
## API support
-You can use the `/entity-group-configuration` API to create, read, update, and delete Entity Groups. For more information, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis).
+You can use the `/entity-group-configuration` API to create, read, update, and delete entity groups. For more information, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis).
diff --git a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
index fe862d86df..b0180098c4 100644
--- a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
+++ b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
@@ -2,32 +2,32 @@
id: create-custom-entity-type
title: Create a Custom Entity Type
sidebar_label: Custom Entity Types
-description: Learn how to create a custom Entity type.
+description: Learn how to create a custom entity type.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic has instructions for how to create custom Entity types in Cloud SIEM.
+This topic has instructions for how to create custom entity types in Cloud SIEM.
-In Cloud SIEM, *Entities* are fundamental to the Insight generation process. When a Cloud SIEM Rule fires, it generates a Signal for each “on-Entity” attribute configured for the rule. Cloud SIEM correlates Signals by Entity to create Insights. This process is described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic.
+In Cloud SIEM, *entities* are fundamental to the insight generation process. When a Cloud SIEM rule fires, it generates a signal for each “on-entity” attribute configured for the rule. Cloud SIEM correlates signals by entity to create insights. This process is described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic.
-Cloud SIEM has a number of built-in [Entity types](/docs/cse/records-signals-entities-insights/view-manage-entities#about-entities), for example, IP Address, Hostname, and Username.
+Cloud SIEM has a number of built-in [entity types](/docs/cse/records-signals-entities-insights/view-manage-entities#about-entities), for example, IP Address, Hostname, and Username.
-When you create a Rule, in the Signal configuration section, the Rules Editor prompts you to select an “On-Entity” attribute from a list of all of the Cloud SIEM schema attributes that hold Entities. What if you want to correlate Signals by something other than an item that is one of Cloud SIEM standard Entity types? That’s what custom Entity types are for.
+When you create a rule, in the signal configuration section, the rules editor prompts you to select an “on-entity” attribute from a list of all of the Cloud SIEM schema attributes that hold entities. What if you want to correlate signals by something other than an item that is one of Cloud SIEM standard entity types? That’s what custom entity types are for.
-If you’d like to be able to correlate Signals by a different type of Entity, you can create a custom Entity type. For example, you might want to correlate Signals by file hash. When you create a custom Entity type, you identify the Cloud SIEM schema attributes that hold data of the custom type. Given the example of a file hash Entity type, you would select attributes that contain file hashes, like `file_hash_md5`, `file_hash_sha1`, and so on. The attributes you configure for your custom Entity type will be available in the **On-Entity** selector list in the **Then Create a Signal** section of the rule configuration UI.
+If you’d like to be able to correlate signals by a different type of entity, you can create a custom entity type. For example, you might want to correlate signals by file hash. When you create a custom entity type, you identify the Cloud SIEM schema attributes that hold data of the custom type. Given the example of a file hash entity type, you would select attributes that contain file hashes, like `file_hash_md5`, `file_hash_sha1`, and so on. The attributes you configure for your custom entity type will be available in the **On-Entity** selector list in the **Then Create a Signal** section of the rule configuration UI.
-Just as for Entities of built-in types listed above—IP addresses, MAC addresses, hostnames, and so on—when a rule fires on a custom Entity, if the Entity doesn’t already exist in Cloud SIEM, it is added, and can be viewed on the Entity list page.
+Just as for entities of built-in types listed above—IP addresses, MAC addresses, hostnames, and so on—when a rule fires on a custom entity, if the entity doesn’t already exist in Cloud SIEM, it is added, and can be viewed on the entity list page.
-To create a custom Entity type:
+To create a custom entity type:
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Custom Types**.
-3. **Name**. Enter a meaningful name for the custom Entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom Entity type on the **Custom Entity Type** page.
-4. **Identifier**. Enter a unique identifier for the custom Entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the Entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
+2. The **Add Custom Entity Type** popup appears.
+3. **Name**. Enter a meaningful name for the custom entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom entity type on the **Custom Entity Type** page.
+4. **Identifier**. Enter a unique identifier for the custom entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
:::note
- The Entity type Identifier cannot be changed once you’ve saved it.
+ The entity type Identifier cannot be changed once you’ve saved it.
:::
-5. **Fields**. Use the dropdown list to select the schema attribute or attributes you want to associate with the custom Entity type.
+5. **Fields**. Use the dropdown list to select the schema attribute or attributes you want to associate with the custom entity type.
6. Click **Save**.
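Review bot: "one of Cloud SIEM standard entity types" is missing the possessive; suggest "one of Cloud SIEM's standard entity types". In the **Identifier** step, "The Identifier can include lowercase alphanumeric characters. The Identifier of the entity type doesn’t appear ..." keeps "Identifier" capitalized in running text while this pass lowercases the surrounding terms; unless it is meant as the literal field label, lowercase it ("The identifier can include ...", "The identifier of the entity type ...").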
diff --git a/docs/cse/records-signals-entities-insights/entity-criticality.md b/docs/cse/records-signals-entities-insights/entity-criticality.md
index e58e4bf8b8..6fe6c3dc53 100644
--- a/docs/cse/records-signals-entities-insights/entity-criticality.md
+++ b/docs/cse/records-signals-entities-insights/entity-criticality.md
@@ -1,47 +1,45 @@
---
id: entity-criticality
title: Entity Criticality
-description: You can use Entity Criticality to adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+description: You can use entity criticality to adjust the severity of signals for specific Entities based on some risk factor or other consideration.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This page describes Cloud SIEM’s Entity Criticality feature and how to use it.
+This page describes Cloud SIEM’s entity criticality feature and how to use it.
-You can use Entity Criticality to adjust the severity of Signals for specific Entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so Signals related to that Entity should have a higher severity. To allow for this, you define a Criticality, which is a single arithmetic expression that will be used to adjust the severity of Signals on Entities the Criticality is assigned to. For example:
+You can use entity criticality to adjust the severity of signals for specific entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so signals related to that entity should have a higher severity. To allow for this, you define a criticality, which is a single arithmetic expression that will be used to adjust the severity of signals on entities the criticality is assigned to. For example: `severity+3`
-`severity+3`
+A signal’s normal severity is specified in the rule that fires the signal. The criticality is applied to the normal severity. To ensure that signals that fire on your executives’ laptops have an elevated severity, you can configure a criticality like the example above, and then apply it to the entities that correspond to the executives’ laptops.
-A Signal’s normal severity is specified in the rule that fires the Signal. The Criticality is applied to the normal severity. To ensure that Signals that fire on your executives’ laptops have an elevated severity, you can configure a Criticality like the example above, and then apply it to the Entities that correspond to the executives’ laptops.
-
-Just as you can use Criticality to increase severity, you can use it to decrease the severity of the Signals fired on an Entity.
+Just as you can use criticality to increase severity, you can use it to decrease the severity of the signals fired on an entity.
If the formula you specify results in a number that isn’t whole, the value is rounded down to the nearest integer.
-## About Criticality and Insight generation
+## About criticality and insight generation
-The maximum severity that can be assigned to a Cloud SIEM rule is 10, so normally, Signal severity is also limited to 1. Note however that Cloud SIEM doesn’t impose a maximum value on the severity that results from a Criticality, although the minimum value will always be 0.
+The maximum severity that can be assigned to a Cloud SIEM rule is 10, so normally, signal severity is also limited to 1. Note however that Cloud SIEM doesn’t impose a maximum value on the severity that results from a criticality, although the minimum value will always be 0.
-As described in the [Insight Generation](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, an Insight is generated on an Entity based on the cumulative severity of the unique Signals that have fired on it over the previous two weeks, unless a different period is configured. The cumulative
-severity is referred to as the Entity’s Activity Score. Keep in mind that higher Signal severities will increase an Entity’s Active Score and result in Insight’s being generated sooner.
+As described in the [insight generation](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, an insight is generated on an entity based on the cumulative severity of the unique signals that have fired on it over the previous two weeks, unless a different period is configured. The cumulative
+severity is referred to as the entity’s activity score. Keep in mind that higher signal severities will increase an entity’s activity score and result in insight’s being generated sooner.
-You can configure both the detection window and the threshold Activity Score for Insight generation, as described in the [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) topic.
+You can configure both the detection window and the threshold activity score for insight generation, as described in the [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) topic.
-## Define a Criticality
+## Define a criticality
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Criticality**.
+1. The **Add Criticality** popup appears.
2. **Name**. Enter a name.
3. **Severity Expression**. Enter a formula for adjusting a severity value. You can use a plus sign (+), minus sign (-), an asterisk (\*), or a forward slash (/). Enter the formula in this format: `severity+2 `
-4. Click **Save** to save the Criticality.
+4. Click **Save** to save the criticality.
-## Assign a Criticality to an Entity
+## Assign a criticality to an entity
-You can associate a Criticality with one or more Entities.
+You can associate a criticality with one or more entities.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Entities** at the top of the screen.
-3. Click a Criticality to apply it to the Entity.
+3. Click a criticality to apply it to the entity.
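Review bot: the new line "signal severity is also limited to 1" carries over what looks like a typo; with a rule maximum of 10, the limit should read 10, not 1, and this lowercasing pass is a natural place to correct it. The same hunk keeps "result in insight's being generated sooner" on its new line; suggest "result in insights being generated sooner". The inserted step "The **Add Criticality** popup appears." is numbered `1.` between steps `1.` and `2.`, so the list mixes numbering styles; either use `1.` throughout or renumber sequentially.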
diff --git a/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md b/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md
index dda9d3d054..f703674feb 100644
--- a/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md
+++ b/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md
@@ -1,14 +1,14 @@
---
id: global-intelligence-security-insights
title: Global Intelligence for Security Insights
-description: Insight Confidence scores, predicted by Sumo Logic’s Global Intelligence machine learning model, help you triage and prioritize Insights.
+description: Insight Confidence scores, predicted by Sumo Logic’s Global Intelligence machine learning model, help you triage and prioritize insights.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This page describes Global Intelligence for Security Insights, implemented in Cloud SIEM as Global Confidence scores. This feature helps security analysts triage and prioritize Insights.
+This page describes Global Intelligence for security insights, implemented in Cloud SIEM as Global Confidence scores. This feature helps security analysts triage and prioritize insights.
-Watch this micro lesson to learn more about Global Intelligence for Insights.
+Watch this micro lesson to learn more about Global Intelligence for insights.
-The score is generated based on the underlying pattern of Signals in an Insight. The model compares this pattern to previously observed patterns from Insights that were closed with either a **False Positive** or **Resolved** resolution. The model does such comparisons broadly—across the global installed base of Cloud SIEM customers—so it can generate a Confidence score based on the patterns seen at one customer when encountered at another. In addition to leveraging the patterns discovered across the Cloud SIEM installed base, the model customizes scores for Insights in your account based on your customized content, including tuned and custom rules.
+The score is generated based on the underlying pattern of signals in an insight. The model compares this pattern to previously observed patterns from insights that were closed with either a **False Positive** or **Resolved** resolution. The model does such comparisons broadly—across the global installed base of Cloud SIEM customers—so it can generate a Confidence score based on the patterns seen at one customer when encountered at another. In addition to leveraging the patterns discovered across the Cloud SIEM installed base, the model customizes scores for insights in your account based on your customized content, including tuned and custom rules.
:::tip Fear not
All information used by the model is anonymized and no customer-confidential information is processed or retained.
:::
-The score is on a scale of 0 to 100. A higher score indicates higher confidence that the Insight is actionable. If the model does not have enough information, it will not make a prediction and no score will be listed (you’ll see either “No prediction” or “N/A”).
+The score is on a scale of 0 to 100. A higher score indicates higher confidence that the insight is actionable. If the model does not have enough information, it will not make a prediction and no score will be listed (you’ll see either “No prediction” or “N/A”).
## Prerequisites for using Global Confidence scores
-The only prerequisite for taking full advantage of Confidence scores is to make sure your content is available to Sumo Logic’s machine learning model. If you do not close Insights with an appropriate resolution, the model won’t be able to consider your content and may not be able to generate Global Confidence scores for your Insights. To take full advantage of this feature, make sure you close your Insights as False Positive or Resolved.
+The only prerequisite for taking full advantage of Confidence scores is to make sure your content is available to Sumo Logic’s machine learning model. If you do not close insights with an appropriate resolution, the model won’t be able to consider your content and may not be able to generate Global Confidence scores for your insights. To take full advantage of this feature, make sure you close your insights as False Positive or Resolved.
## Using Global Confidence scores
-The Global Confidence score is a valuable data point to consider when prioritizing which Insights to triage first.
+The Global Confidence score is a valuable data point to consider when prioritizing which insights to triage first.
-An Insight’s Confidence score is shown for each Insight on the Insights list page. You can sort the Insight list by the Global Confidence score, as well as by Severity.
+An insight’s Confidence score is shown for each insight on the insights list page. You can sort the insight list by the Global Confidence score, as well as by Severity.
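Review bot: the feature name is treated inconsistently within the hunk: the title keeps "Global Intelligence for Security Insights", the first new body line has "Global Intelligence for security insights", and the next has "Global Intelligence for insights"; pick one form for the product name. "Severity" at the end of the last new line is also left capitalized although the rest of the change lowercases these terms.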
diff --git a/docs/cse/records-signals-entities-insights/index.md b/docs/cse/records-signals-entities-insights/index.md
index 12eaf3cd24..3e8c6d82bc 100644
--- a/docs/cse/records-signals-entities-insights/index.md
+++ b/docs/cse/records-signals-entities-insights/index.md
@@ -1,10 +1,10 @@
---
slug: /cse/records-signals-entities-insights
title: Records, Signals, Entities, and Insights
-description: Learn about Insight generation, working with Entities, and how to query Cloud SIEM Records.
+description: Learn about insight generation, working with entities, and how to query Cloud SIEM records.
---
-Learn about Insight generation, working with Entities, and how to query Cloud SIEM Records.
+Learn about insight generation, working with entities, and how to query Cloud SIEM records.
import useBaseUrl from '@docusaurus/useBaseUrl';
@@ -14,43 +14,43 @@ In this section, we'll introduce the following concepts:
Learn how to configure the detection window and the threshold Activity Score for Insight generation.
+Learn how to configure the detection window and the threshold activity score for insight generation.
Learn how to triage and prioritize Insights.
+Learn how to triage and prioritize insights.
Learn how to set up Custom Insight configurations.
+Learn how to set up custom insight configurations.
Learn about all the Entities in Cloud SIEM and their Activity Scores.
+Learn about all the entities in Cloud SIEM and their activity scores.
Learn how to adjust the severity of Signals for specific Entities.
+Learn how to adjust the severity of signals for specific entities.
Learn how to create custom Entity types in Cloud SIEM.
+Learn how to create custom entity types in Cloud SIEM.
Learn how to automatically group entities in terms of criteria like name or IP Address.
+Learn how to automatically group entities in terms of criteria like name or IP address.
Learn how to view Records associated with a Signal in Cloud SIEM.
+Learn how to view records associated with a signal in Cloud SIEM.
Learn about ways to suppress and exclude Cloud SIEM Signals from the Insight generation process.
+Learn about ways to suppress and exclude Cloud SIEM signals from the insight generation process.
Learn to search the Sumo Logic platform for Records and Signals that have been forwarded from Cloud SIEM.
+Learn to search the Sumo Logic platform for records and signals that have been forwarded from Cloud SIEM.
-## Search Records from the Partitions page
+## Search records from the Partitions page
If you have the **View Partitions** role capability, you can search Cloud SIEM partitions from the **Partitions** page in the Sumo Logic UI.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Partitions**.
+1. The partitions that contain Cloud SIEM records begin with the string "sec_record".
2. To search for all content in the partition, click the icon that appears next to a Partition name when you hover over a row.
-3. A log search tab opens with a query, like `_index=PartitionName`, that returns all of the logs created within the currently selected time range, 15 minutes by default. For a description of the results, see [Search all Records in a partition](#search-all-record-partitions), below.
+3. A log search tab opens with a query, like `_index=PartitionName`, that returns all of the logs created within the currently selected time range, 15 minutes by default. For a description of the results, see [Search all records in a partition](#search-all-record-partitions), below.
## Search data in a log search tab
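Review bot: the link text "Search all records in a partition" in step 3 does not match its target `#search-all-record-partitions`, which is rendered later in this file as "Search all record partitions"; either point the link at the "Search all records or signals in a partition" section or make the text match the heading it targets. "Partition name" in step 2 is still capitalized, unlike the other terms lowercased in this change.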
@@ -84,9 +84,9 @@ To search a Sumo Logic partition, you specify the name of the partition using
To open a log search tab in Sumo Logic, go to the **Home** screen and select **Log Search**.
-## Search all Records or Signals in a partition
+## Search all records or signals in a partition
-To return all the Records or Signals in a partition, all you need to include in your query is the partition name. For example, to search all Records in the `sec_record_network` partition, choose a time range, enter the query below, and then click **Start**:
+To return all the records or signals in a partition, all you need to include in your query is the partition name. For example, to search all records in the `sec_record_network` partition, choose a time range, enter the query below, and then click **Start**:
```sql
_index=sec_record_network
@@ -96,8 +96,8 @@ _index=sec_record_network
Note that:
-* The query returns all of the Record types that are stored in the partition: Network, NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, and NetworkProxy
-* By default, two Record fields are displayed: `Time` and `Security Record Details`, which contains all of the data from the underlying Record. You can display additional fields by checkmarking desired fields in the **Hidden Fields** area. You can also use the fields operator to specify the fields you want displayed and save the search as described in the following section.
+* The query returns all of the record types that are stored in the partition: Network, NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, and NetworkProxy
+* By default, two record fields are displayed: `Time` and `Security Record Details`, which contains all of the data from the underlying record. You can display additional fields by checkmarking desired fields in the **Hidden Fields** area. You can also use the fields operator to specify the fields you want displayed and save the search as described in the following section.
#### Save a query with predefined display fields
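Review bot: the second new bullet leaves "the fields operator" in plain text while the following section uses code font (`fields`); use `fields` here as well. The first new bullet is also missing its closing period after "NetworkProxy".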
@@ -105,7 +105,7 @@ You can use the `fields` operator to choose the fields you want to be displayed
To add display fields:
-This query adds the `objectType` (which contains the Record type) and the `user_username` fields to the displayed output:
+This query adds the `objectType` (which contains the record type) and the `user_username` fields to the displayed output:
```sql
_index = sec_record_audit
@@ -120,31 +120,31 @@ _index = sec_record_audit
## Search multiple partitions
-You can search multiple partitions by using `OR` in the query. For example, to search all Records in the `sec_record_audit` and `sec_record_network` partitions:
+You can search multiple partitions by using `OR` in the query. For example, to search all records in the `sec_record_audit` and `sec_record_network` partitions:
```sql
_index = sec_record_audit OR _index = sec_record_network
```
-## Search all Record partitions
+## Search all record partitions
-To search all Records in all of the in partitions that contain Cloud SIEM Records, use an asterisk (`*`)wildcard.
+To search all records in all of the in partitions that contain Cloud SIEM records, use an asterisk (`*`)wildcard.
```sql
_index = sec_record_*
```
-## Query by Record type
+## Query by record type
-The `objectType` field in a Record indicates its Record type. To restrict results to a particular Record type, use `_index` to identify the partition that contains that Record type, and `objectType` to specify the Record type. For example, to search for NetworkHTTP Records in the `sec_record_network` partition:
+The `objectType` field in a record indicates its record type. To restrict results to a particular record type, use `_index` to identify the partition that contains that record type, and `objectType` to specify the record type. For example, to search for NetworkHTTP records in the `sec_record_network` partition:
```sql
_index = sec_record_network objectType=NetworkHTTP
```
-## Return a count of Records by Record type
+## Return a count of records by record type
-You can use the count operator to aggregate your query results. In the following query, we use the asterisk wildcard to search across all partitions that contain Cloud SIEM Records, and count the results by `objectType`, which contains the Record type. The following query returns the count of Records of each type.
+You can use the count operator to aggregate your query results. In the following query, we use the asterisk wildcard to search across all partitions that contain Cloud SIEM records, and count the results by `objectType`, which contains the record type. The following query returns the count of records of each type.
```
_index = sec_record_*
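Review bot: "in all of the in partitions" and "(`*`)wildcard" (missing space) survive on the new line under "Search all record partitions"; suggest "To search all records in all of the partitions that contain Cloud SIEM records, use an asterisk (`*`) wildcard." The fence opening the count query is untagged while the other fences in this file are ```sql.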
@@ -160,7 +160,7 @@ You can search Cloud SIEM fields by keyword, for example:
### Referencing nested JSON fields
-The **Security Record Details** field contains a JSON object with all of the fields from the underlying Record or Signal. Some of the data is nested in one or more sub-objects, like the `fields` object for Record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying Record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.
+The **Security Record Details** field contains a JSON object with all of the fields from the underlying record or signal. Some of the data is nested in one or more sub-objects, like the `fields` object for record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.
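Review bot: the stray period in "the `fields` object for record., shown expanded" is carried into the new line; suggest "the `fields` object for a record, shown expanded". "The fields object" later in the same sentence should also be in code font to match.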
@@ -174,8 +174,8 @@ _index=sec_record_authentication
## Security index search limitations
-* When you use wildcards for field values in a query scope, only Records in which those fields are present and not null will be returned. For example, the following query will only return Records if the `srcDevice_ip` is present and not null:
+* When you use wildcards for field values in a query scope, only records in which those fields are present and not null will be returned. For example, the following query will only return records if the `srcDevice_ip` is present and not null:
```
_index = sec_record_* srcDevice_ip=*
```
-* The partitions that contain Cloud SIEM Records and Signals are stored in a dedicated security data tier. You can’t access data in the security indexes and data in other data tiers (Continuous, Frequent, or Infrequent) and flex in the same query.
+* The partitions that contain Cloud SIEM records and signals are stored in a dedicated security data tier. You can’t access data in the security indexes and data in other data tiers (Continuous, Frequent, or Infrequent) and flex in the same query.
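Review bot: "and flex in the same query" on the last new line reads as a stray word; if a Flex data tier is meant, list it with the others, e.g. "data in other data tiers (Continuous, Frequent, Infrequent, or Flex) in the same query". The code fence in this hunk is also untagged, unlike the ```sql fences earlier in the file.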
diff --git a/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md b/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
index 4439c28ba9..3670ad9ad1 100644
--- a/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
+++ b/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
@@ -2,23 +2,23 @@
id: set-insight-generation-window-threshold
title: Set Insight Generation Window and Threshold
sidebar_label: Insight Generation Settings
-description: Learn how to configure the detection window and the threshold Activity Score for Insight generation.
+description: Learn how to configure the detection window and the threshold activity score for insight generation.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This section has instructions for changing the detection window and the threshold Activity Score for Insight generation.
+This section has instructions for changing the detection window and the threshold activity score for insight generation.
-By default, the detection window is 14 days, and the threshold Activity Score is 12. That means if an Entity's Activity Score goes from 0 to 13 within a 14 day period, Cloud SIEM will generate an Insight on that Entity. For information about how that works, see [Understanding Entity Activity Scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic.
+By default, the detection window is 14 days, and the threshold activity score is 12. That means if an entity's activity score goes from 0 to 13 within a 14 day period, Cloud SIEM will generate an insight on that entity. For information about how that works, see [Understanding entity activity scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic.
-To change the Insight generation settings:
+To change the insight generation settings:
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Detection**.
1. Enter values for **Detection Threshold** and **Signal Suppression**:
* **Standard Threshold**
- * **Detection Window (Days)**. Enter the duration, in days, during which an Entity's Activity Score must exceed the threshold to result in an Insight being generated for the Entity.
- * **Threshold**. Enter the threshold Activity Score value that an Entity must exceed during the detection window to result in an Insight being generated for the Entity.
+ * **Detection Window (Days)**. Enter the duration, in days, during which an entity's activity score must exceed the threshold to result in an insight being generated for the entity.
+ * **Threshold**. Enter the threshold activity score value that an entity must exceed during the detection window to result in an insight being generated for the entity.
* **Global Signal Suppression**
- * **Maximum Period (Hours)**. By default, redundant Signals for a Signal-Entity combination are automatically suppressed for a maximum period of 72 hours to avoid repeated Signals contributing to Insight generation. This setting lets you modify this period based upon your organizational needs. To change this setting, select the number of hours to suppress Signals, anywhere from 24 hours to 72 hours. For additional ways to control signal suppression, see [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/).
+ * **Maximum Period (Hours)**. By default, redundant signals for a signal-entity combination are automatically suppressed for a maximum period of 72 hours to avoid repeated signals contributing to insight generation. This setting lets you modify this period based upon your organizational needs. To change this setting, select the number of hours to suppress signals, anywhere from 24 hours to 72 hours. For additional ways to control signal suppression, see [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/).
1. Click **Save**.
diff --git a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
index 54a3e495c2..b38814e465 100644
--- a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
+++ b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
@@ -2,25 +2,25 @@
id: tags-insights-signals-entities-rules
title: Using Tags with Insights, Signals, Entities, and Rules
sidebar_label: Using Tags
-description: Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
+description: Tags are metadata you can attach to insights, signals, entities, and rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
## What are tags?
-Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
+Tags are metadata you can attach to insights, signals, entities, and rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
There are two types of tags:
* **Schema keys**. These are predefined key-value pairs, which are useful for ensuring that users use consistent values when assigning tags to items. There are two built-in schema tags: **Tactic** and **Technique**, which relate to the Mitre ATT&CK framework.
- You can create your own schema tags as well, as described in [Create a Custom Tag Schema](/docs/cse/administration/create-a-custom-tag-schema/). You can optionally configure a URL for each value in a custom tag schema. If you do, a user will be able to open that URL from the tag’s Action menu when it’s presented in the Cloud SIEM UI. See [Tag Actions](#tag-actions) below for an example.
+ You can create your own schema tags as well, as described in [Create a Custom Tag Schema](/docs/cse/administration/create-a-custom-tag-schema/). You can optionally configure a URL for each value in a custom tag schema. If you do, a user will be able to open that URL from the tag’s Action menu when it’s presented in the Cloud SIEM UI. See [Tag actions](#tag-actions) below for an example.
- You can assign schema key tags to custom Rules you’ve developed. For built-in rules, you can assign or delete new schema tags, but you can’t change or remove the tags that come with the rule. You can also assign schema key tags to Insights, both Cloud SIEM-generated and custom.
-* **Keyword tags**. These are arbitrary labels that you define yourself. You can assign keyword tags to custom Rules, Entities, and Insights, both Cloud SIEM-generated and custom. You can’t remove or change the tags that come with built-in rules.
+ You can assign schema key tags to custom rules you’ve developed. For built-in rules, you can assign or delete new schema tags, but you can’t change or remove the tags that come with the rule. You can also assign schema key tags to insights, both Cloud SIEM-generated and custom.
+* **Keyword tags**. These are arbitrary labels that you define yourself. You can assign keyword tags to custom rules, entities, and insights, both Cloud SIEM-generated and custom. You can’t remove or change the tags that come with built-in rules.
-A tag attached to a Rule is applied to Signals that the Rule generates. Similarly, tags applied to a Signal are applied to the Insights the Signal contributes to. All of the tags applied to an Insight's contributing Signals are aggregated, de-duplicated, and applied to the Insight. Note that an item is tagged when it is created. So, if you add a tag to a rule, Signals and Insights created before you updated the rule will not have that tag applied.
+A tag attached to a rule is applied to signals that the rule generates. Similarly, tags applied to a signal are applied to the insights the signal contributes to. All of the tags applied to an insight's contributing signals are aggregated, de-duplicated, and applied to the insight. Note that an item is tagged when it is created. So, if you add a tag to a rule, signals and insights created before you updated the rule will not have that tag applied.
## Tags and types
@@ -32,20 +32,20 @@ summarizes this behavior.
|:--------------------------|:-----------------------------------|:---------------------------------|
| Built-in rule | yes | \- |
| Custom rule | yes | \- |
-| Custom Insight | yes | \- |
-| System-generated Insight | yes | Rule(s), Entity, Custom Insight |
+| Custom insight | yes | \- |
+| System-generated insight | yes | Rule(s), entity, custom insight |
| Entity | yes | \- |
-| Signal | no | Rule(s), Entity |
+| Signal | no | Rule(s), entity |
## View tags
-You can view tags on the pages that provide summary views of Insights, Signals, Entities, and Rules. You can also view the tags assigned to an item on the detailed page you see when you navigate to a particular Insight, Signal, Entity, or Rule.
+You can view tags on the pages that provide summary views of insights, signals, entities, and rules. You can also view the tags assigned to an item on the detailed page you see when you navigate to a particular insight, signal, entity, or rule.
-This is an overview of an Insight from the Insights page. Multiple schema key tags are attached to the Insight.
+This is an overview of an insight from the insights page. Multiple schema key tags are attached to the insight.
-The screenshot below shows an Entity to which a schema tag is attached.
+The screenshot below shows an entity to which a schema tag is attached.
@@ -58,38 +58,38 @@ The actions menu for a tag allows you to:
## Find the tagging UI
-The procedure for tagging Rules, Entities, and Insights is similar. The
+The procedure for tagging rules, entities, and insights is similar. The
difference is where you do the tagging.
-### UI for tagging a Rule
+### UI for tagging a rule
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
-### UI for tagging an Entity
+### UI for tagging an entity
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Entities** at the top of the screen.
+2. To add a tag, follow the instructions in [Add a keyword tag](#apply-a-keyword-tag).
-### UI for tagging an Cloud SIEM-generated Insight
+### UI for tagging an Cloud SIEM-generated insight
-Note that in addition to tags that you manually assign to an Insight, an Insight will inherit any tags that were applied to the content that went into the Insight—the entity and the rule(s) or custom insight definitions that created the included signals—will automatically be inherited (and aggregated) by the Insight.
+Note that in addition to tags that you manually assign to an insight, an insight will inherit any tags that were applied to the content that went into the insight—the entity and the rule(s) or custom insight definitions that created the included signals—will automatically be inherited (and aggregated) by the insight.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Insights** at the top of the screen.
+1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).
-### UI for tagging a custom Insight
+### UI for tagging a custom insight
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Custom Insights**.
+1. Navigate to a custom insight.
+1. The UI for tagging is at the bottom of the **Then Create a Signal** area of the insight editor.
+1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).
## Apply a schema key tag
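Review bot: the two added lines linking to `#applya-schema-key-tag` point at an anchor that does not exist; the heading "Apply a schema key tag" yields `#apply-a-schema-key-tag`. The link texts "Add a schema key tag" and "Add a keyword tag" also do not match their target headings "Apply a schema key tag" and "Apply a keyword tag". Two grammar slips are carried over onto new lines: "tagging an Cloud SIEM-generated insight" should be "a Cloud SIEM-generated insight", and "an insight will inherit any tags ... will automatically be inherited (and aggregated) by the insight" has two main verbs; drop one of them.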
@@ -101,15 +101,15 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
### Apply a keyword tag
-1. Navigate to the Rule, Entity, or Insight to which you want to add a tag, as described in [Find the tagging UI](#find-the-tagging-ui).
+1. Navigate to the rule, entity, or insight to which you want to add a tag, as described in [Find the tagging UI](#find-the-tagging-ui).
1. In the tagging section, click the chevron icon.
+1. A list of keyword tags that have already been assigned to items of the current type (rule, entity, or insight) appears. You can select an existing tag, or add a new one. Enter text in the field to see a list of matching values.
1. To add a new tag, enter it and press Return.
1. The tag is added to the item.
## Search by tag
-### Search Insights, Signals, or Entities by tag
+### Search insights, signals, or entities by tag
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Near the top of the screen, click in the Cloud SIEM search area and then click the funnel icon.
@@ -117,7 +117,7 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
1. Choose **contain** or **do not contain** from the **Operators** list.
1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords list**, items that match are listed.
-### Search Rules by tag
+### Search rules by tag
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
@@ -126,11 +126,11 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
### Filter a list view by clicking a tag
-On the Insights, Signals, Rules, or Entities page, you can click a tag to filter the list. For example, if you click the **Tactic: TA0005 - Defense Evasion** tag on an Insight, like this:
+On the insights, signals, rules, or entities page, you can click a tag to filter the list. For example, if you click the **Tactic: TA0005 - Defense Evasion** tag on an insight, like this:
-the page will be filtered to show only Insights that have that tag:
+the page will be filtered to show only insights that have that tag:
diff --git a/docs/cse/records-signals-entities-insights/view-manage-entities.md b/docs/cse/records-signals-entities-insights/view-manage-entities.md
index 1cc38e833d..9b2fa3bbf5 100644
--- a/docs/cse/records-signals-entities-insights/view-manage-entities.md
+++ b/docs/cse/records-signals-entities-insights/view-manage-entities.md
@@ -1,7 +1,7 @@
---
id: view-manage-entities
title: View and Manage Entities
-description: The Entities page lists all of the Entities in Cloud SIEM and their Activity Scores.
+description: The Entities page lists all of the entities in Cloud SIEM and their activity scores.
keywords:
- Cloud SIEM
- entity
@@ -10,13 +10,13 @@ keywords:
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic has information about the **Entities** page in Cloud SIEM UI, which lists all of the Entities in Cloud SIEM and their Activity Scores, and the **Entities > Details** page, which presents information about a particular Entity, including Signals and Insights associated with the Entity.
+This topic has information about the **Entities** page in Cloud SIEM UI, which lists all of the entities in Cloud SIEM and their activity scores, and the **Entities > Details** page, which presents information about a particular entity, including signals and insights associated with the entity.
-The **Entities** page is useful for monitoring Entities that are close to having an Insight created. On the **Entities > Details** page, you can view Signals and Insights for an Entity, and, as desired, manually create an Insight from Signals associated with the Entity.
+The **Entities** page is useful for monitoring entities that are close to having an insight created. On the **Entities > Details** page, you can view signals and insights for an entity, and, as desired, manually create an insight from signals associated with the entity.
-You can also update the [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) state, and [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) assigned to Entities, as described below in the [Update Multiple Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) section below.
+You can also update the [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) state, and [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) assigned to entities, as described below in the [Update multiple entities](#update-multiple-entities) section below.
-Watch this micro lesson to learn more about Entities.
+Watch this micro lesson to learn more about entities.
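Review bot: the new line keeps "as described below in the [Update multiple entities](#update-multiple-entities) section below"; drop one "below". Replacing the self-referential page link with the `#update-multiple-entities` anchor is the right fix.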