From a9c714d402c4503573d0f6f52441515e7bce5186 Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Tue, 17 Dec 2024 10:56:47 -0600
Subject: [PATCH 1/5] Make terms lowercase in 'Get Started' section

---
 .../about-cse-insight-ui.md                   | 14 +--
 .../cloud-siem-content-catalog.md             |  2 +-
 .../cloud-siem-ui.md                          | 94 +++++++++----------
 .../cse-heads-up-display.md                   | 62 ++++++------
 .../insight-generation-process.md             | 68 +++++++-------
 .../onboarding-checklist-cse.md               | 24 ++---
 6 files changed, 132 insertions(+), 132 deletions(-)

diff --git a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
index eb6372cef7..a648ddfeb4 100644
--- a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
+++ b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md
@@ -23,7 +23,7 @@ Cloud SIEM displays insights and the signals attached to them in the Cloud SIEM
 
 ### List view
 
-This screenshot shows the **Insights** page in List view. 
+This screenshot shows the **Insights** page in list view. 
 
 <img src={useBaseUrl('img/cse/insights-page.png')} alt="Insights page" style={{border: '1px solid gray'}} width="800"/>
 
@@ -39,7 +39,7 @@ Here’s one row from the List view. The numbered definitions below correspond t
 1. **Global Confidence**. If sufficient data is available, a [Global Confidence score](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight is shown. 
 1. **Assignee**. The analyst assigned to the Incident.
 1. The [MITRE ATT&CK](https://attack.mitre.org/) tactics and techniques exhibited by the insight.
-1. **Severity**. The severity of the insight. The value is a function of the configured Entity Activity Score threshold for insight generation. For more information, see [About Insight Severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process#about-insight-severity).
+1. **Severity**. The severity of the insight. The value is a function of the configured entity activity score threshold for insight generation. For more information, see [About insight severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process#about-insight-severity).
 1. **Entity**. The entity associated with the insight.
 1. **Signal Data**. This area has three bits of information:
    * The count of signals that caused the insight to be created.
@@ -62,7 +62,7 @@ You can switch back to the list view by clicking the **Show List** icon, near th
 You can use the **Filters** area near the top of the page to narrow down the insights that appear on the insights page. You can filter by:
 
 * Assignee
-* [Custom Resolution](/docs/cse/administration/manage-custom-insight-resolutions/)
+* [Custom resolution](/docs/cse/administration/manage-custom-insight-resolutions/)
 * Created
 * Entity
 * Event Time
@@ -91,7 +91,7 @@ The left pane of the insight details page displays detailed information about th
 
 <img src={useBaseUrl('img/cse/insight-details.png')} alt="Insight details" style={{border: '1px solid gray'}} width="300"/>
 
-1. **Actions.** The [Insight Actions](/docs/cse/administration/create-cse-actions#insight-actions) defined in your environment.
+1. **Actions.** The [insight actions](/docs/cse/administration/create-cse-actions#insight-actions) defined in your environment.
 1. **Close Insight.** Use this option to close an insight. When you click this option, you’re prompted to select an insight resolution.
 1. **Delete Icon.** Use this option to delete an insight. You’ll be prompted to confirm your choice.
 1. **Status.** Current status of the insight.
@@ -138,7 +138,7 @@ Below the signal timeline, you’ll see a list of signals. By default, only atta
 
 <img src={useBaseUrl('img/cse/signal-list-area.png')} alt="Signal list area" style={{border: '1px solid gray'}} width="600"/>
 
-1. **Remove** button. Removes multiple signals selected with the checkbox. You cannot select all signals for removal. If you do, the **Remove** button is disabled and this message appears when you hover over it with your mouse: **Bulk removal of signals is disabled as a minimum of 1 signal must be attached to the Insight. Deselect 1 or more signals to enable bulk removal.**
+1. **Remove** button. Removes multiple signals selected with the checkbox. You cannot select all signals for removal. If you do, the **Remove** button is disabled and this message appears when you hover over it with your mouse: **Bulk removal of signals is disabled as a minimum of 1 signal must be attached to the insight. Deselect 1 or more signals to enable bulk removal.**
 1. **Checkbox**. Click to select multiple signals for removal. 
 1. **Signal name**. Click to view signal details.
 1. **Remove** button. Removes an individual signal.
@@ -255,8 +255,8 @@ When you select an entity on the page, the right pane displays details about tha
 * Geographic location
 * Suppression Status
 * Tags
-* [Entity Criticality](/docs/cse/records-signals-entities-insights/entity-criticality), if it is set to something other than the default
-* Metadata such as geographic location, Inventory information, the [Network Blocks](/docs/cse/administration/create-use-network-blocks) it falls within, as applicable, and so on.
+* [Entity criticality](/docs/cse/records-signals-entities-insights/entity-criticality), if it is set to something other than the default
+* Metadata such as geographic location, Inventory information, the [network blocks](/docs/cse/administration/create-use-network-blocks) it falls within, as applicable, and so on.
 * A signal graph if the entity was the primary entity in any signals during the detection window (time/date is the horizontal axis and severity of each signal is the vertical axis; the icon/color for each point depends on the signal type)
 * Lists of the recent signals and insights the entity has been associated with, and links to each object’s details page.
 
diff --git a/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md b/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
index a44af49b0c..7cd9eeb8d6 100644
--- a/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
+++ b/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog.md
@@ -7,7 +7,7 @@ description: The Cloud SIEM Content Catalog shows the out-of-the-box Rules, Sche
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-The Cloud SIEM Content Catalog is a public GitHub repository of Cloud SIEM's Rules, Schema, Mappings, and Parsers. This repository serves as a single place to view Cloud SIEM content in both markdown form and CSVs. This catalog is automatically generated based on content included out-of-the-box as it is released. 
+The Cloud SIEM Content Catalog is a public GitHub repository of Cloud SIEM's rules, schema, mappings, and parsers. This repository serves as a single place to view Cloud SIEM content in both markdown form and CSVs. This catalog is automatically generated based on content included out-of-the-box as it is released. 
 
 Access the Cloud SIEM Content Catalog here:
 [https://github.com/SumoLogic/cloud-siem-content-catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md)
diff --git a/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md b/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
index 16af5a85d6..d5bf4db534 100644
--- a/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
+++ b/docs/cse/get-started-with-cloud-siem/cloud-siem-ui.md
@@ -35,10 +35,10 @@ The classic UI is the traditional way to navigate in Sumo Logic. For more inform
 This menu appears at the top of the Cloud SIEM screen: <br/><img src={useBaseUrl('img/cse/cloud-siem-menu.png')} alt="Top menu bar" style={{border: '1px solid gray'}} width="800"/>
 
 Use the top menu to access:
-* <img src={useBaseUrl('img/cse/cloud-siem-insights-icon.png')} alt="Insights menu icon" style={{border: '1px solid gray'}} width="30"/> [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
-* <img src={useBaseUrl('img/cse/cloud-siem-signals-icon.png')} alt="Signals menu icon" style={{border: '1px solid gray'}} width="30"/> [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
-* <img src={useBaseUrl('img/cse/cloud-siem-entities-icon.png')} alt="Entities menu icon" style={{border: '1px solid gray'}} width="30"/> [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
-* <img src={useBaseUrl('img/cse/cloud-siem-records-icon.png')} alt="Records menu icon" style={{border: '1px solid gray'}} width="30"/> [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+* <img src={useBaseUrl('img/cse/cloud-siem-insights-icon.png')} alt="Insights menu icon" style={{border: '1px solid gray'}} width="30"/> [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+* <img src={useBaseUrl('img/cse/cloud-siem-signals-icon.png')} alt="Signals menu icon" style={{border: '1px solid gray'}} width="30"/> [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View signals, indicators for events of interest that fire when rule conditions are met.
+* <img src={useBaseUrl('img/cse/cloud-siem-entities-icon.png')} alt="Entities menu icon" style={{border: '1px solid gray'}} width="30"/> [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+* <img src={useBaseUrl('img/cse/cloud-siem-records-icon.png')} alt="Records menu icon" style={{border: '1px solid gray'}} width="30"/> [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View records, collections of normalized data created from a message.
 * <img src={useBaseUrl('img/cse/cloud-siem-content-icon.png')} alt="Content menu icon" style={{border: '1px solid gray'}} width="30"/> [**Content**](#content-menu). Create Cloud SIEM content, such as rules.
 * <img src={useBaseUrl('img/cse/cloud-siem-configuration-menu-icon.png')} alt="Configuration menu icon" style={{border: '1px solid gray'}} width="30"/> [**Configuration**](#configuration-menu). Configure Cloud SIEM.
 * <img src={useBaseUrl('img/cse/cloud-siem-help-icon.png')} alt="Help menu icon" style={{border: '1px solid gray'}} width="30"/> **Help**. Access feature guides, documentation, release notes, and system status.
@@ -55,9 +55,9 @@ Use the **Content** menu to access:
 * [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources. 
 * [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
 * [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
-* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom insights, methods to generate insights on some basis other than entity Activity Scores.
 * [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
-* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress signal generation.
 * [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
 
 #### Configuration menu
@@ -66,20 +66,20 @@ The **Configuration** menu allows you to configure Cloud SIEM. To access this me
 
 Use the **Configuration** menu to access:
 * **Incoming Data**
-   * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+   * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a record from the key-value pairs extracted from messages.
 * **Entities**
-   * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules. 
-   * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process.  
+   * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of entities that can be used in rules. 
+   * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in records during the parsing and mapping process.  
    * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
-   * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+   * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of signals for specific entities based on some risk factor or other consideration.
 * **Workflow**
-   * [**Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold. 
-   * [**Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
-   * [**Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
-   * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules. 
+   * [**Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the insight detection threshold. 
+   * [**Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom insight statuses.
+   * [**Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom insight resolutions.
+   * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to insights, signals, entities, and rules. 
 * **Integrations**
-   * [**Sumo Logic**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Configure mapping of message fields to Record attributes. 
-   * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record. 
+   * [**Sumo Logic**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Configure mapping of message fields to record attributes. 
+   * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record. 
    * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
    * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
    * [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
@@ -93,22 +93,22 @@ The new UI provides a streamlined way to navigate in Sumo Logic. For more inform
 Click **Cloud SIEM** in the main Sumo Logic menu to open the sidebar menu. <br/><img src={useBaseUrl('img/cse/cloud-siem-sidebar-menu.png')} alt="Cloud SIEM sidebar menu" style={{border: '1px solid gray'}} width="400"/>
 
 Use the **Cloud SIEM** sidebar menu to access:
-* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on. 
+* **Search Cloud SIEM**. Search for [insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on. 
 * **Security Events**
     * [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display. 
-    * [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
-    * [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
-    * [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
-    * [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+    * [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+    * [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View signals, indicators for events of interest that fire when rule conditions are met.
+    * [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+    * [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View records, collections of normalized data created from a message.
 * **Security Detection**
     * [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
     * [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
     * [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
     * [**Match List**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
     * [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules.
-    * [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+    * [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom insights, methods to generate insights on some basis other than entity Activity Scores.
     * [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules
-    * [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
+    * [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress signal generation.
     * [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
 
 #### Top menu
@@ -128,31 +128,31 @@ The **Go To...** menu allows you to launch Sumo Logic features, including for Cl
 
 Use the **Go To...** menu to access these Cloud SIEM features:
 * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
-* [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record.
-* [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
-* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom Insights, methods to generate Insights on some basis other than Entity Activity Scores.
+* [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record.
+* [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of signals for specific entities based on some risk factor or other consideration.
+* [**Custom Insights**](/docs/cse/records-signals-entities-insights/configure-custom-insight/). Manage custom insights, methods to generate insights on some basis other than entity Activity Scores.
 * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
 * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
-* [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View Entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
+* [**Entities**](/docs/cse/records-signals-entities-insights/view-manage-entities/). View entities, unique actors encountered in incoming messages, such as a user, IP address, or host.
 * [**File Analysis**](/docs/cse/rules/import-yara-rules/). Manage sources for YARA rules. 
 * [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
-* [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold.
-* [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
-* [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
-* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View Insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
-* [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
+* [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the insight detection threshold.
+* [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom insight resolutions.
+* [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom insight statuses.
+* [**Insights**](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/). View insights, clusters of events that require investigation. An insight is created when a high level of suspicious activity is detected for a single entity, such as a user, IP address, host, or domain.
+* [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a record from the key-value pairs extracted from messages.
 * [**Match Lists**](/docs/cse/match-lists-suppressed-lists/create-match-list/). Manage match lists, lists of important indicators and identifiers that you want to be addressed by rules.
 * [**MITRE ATT&CK Coverage**](/docs/cse/administration/mitre-coverage/). View the MITRE ATT&CK Threat Coverage Explorer, a screen that shows the MITRE ATT&CK adversary tactics, techniques, and procedures that are covered by rules in your system.
 * [**Network Blocks**](/docs/cse/administration/create-use-network-blocks/). Manage network blocks, groups of IP addresses that you can use in rules.
-* [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process. 
-* [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Records, collections of normalized data created from a message.
+* [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in records during the parsing and mapping process. 
+* [**Records**](/docs/cse/records-signals-entities-insights/view-records-signal/). View records, collections of normalized data created from a message.
 * [**Rule Tuning**](/docs/cse/rules/rule-tuning-expressions/). Manage rule tuning expressions, which are extensions to rules.
 * [**Rules**](/docs/cse/rules/). Manage rules, sets of logic that create signals based on information in incoming records.
-* **Search Cloud SIEM**. Search for [Insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [Signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [Records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
+* **Search Cloud SIEM**. Search for [insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/), [signals](/docs/cse/records-signals-entities-insights/view-records-signal/), [entities](/docs/cse/records-signals-entities-insights/view-manage-entities/), and [records](/docs/cse/records-signals-entities-insights/view-records-signal/). When you click in the search bar, you're prompted to select one of those types. Once you select a type, you're presented with a list of fields to filter on.
 * [**SIEM Overview**](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display/). View the Cloud SIEM Heads Up Display.
-* [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View Signals, indicators for events of interest that fire when rule conditions are met.
-* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress Signal generation.
-* [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
+* [**Signals**](/docs/cse/records-signals-entities-insights/view-records-signal/). View signals, indicators for events of interest that fire when rule conditions are met.
+* [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/). Manage suppressed lists, lists of indicators that can suppress signal generation.
+* [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to insights, signals, entities, and rules.
 * [**Threat Intelligence**](/docs/cse/administration/create-custom-threat-intel-source/). Manage sources of threat intelligence indicators, individual data points about threats that are gathered from external sources.
 
 #### Configuration menu
@@ -163,18 +163,18 @@ Use the **Configuration** menu to access:
 
 * **Cloud SIEM Integrations**
     * [**Ingest Mappings**](/docs/cse/ingestion/sumo-logic-ingest-mapping/). Manage the mapping for data ingestion from a data source to Cloud SIEM.
-    * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
-    * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record. 
+    * [**Log Mappings**](/docs/cse/schema/create-structured-log-mapping/). Manage log mappings, maps that tell Cloud SIEM how to build a record from the key-value pairs extracted from messages.
+    * [**Context Actions**](/docs/cse/administration/create-cse-context-actions/). Create actions that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record. 
     * [**Actions**](/docs/cse/administration/create-cse-actions/). Create actions to issue a notification to another service when certain events occur in Cloud SIEM.
     * [**Enrichment**](/docs/cse/integrations/enrichments-and-indicators/). Manage elements that enrich data in Cloud SIEM.
     * [**Automation**](/docs/cse/automation/). Create smart actions that trigger automatically when certain events occur in Cloud SIEM.
 * **Cloud SIEM Entities**
-    * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of Entities that can be used in rules. 
-    * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in Records during the parsing and mapping process. 
+    * [**Groups**](/docs/cse/records-signals-entities-insights/create-an-entity-group/). Manage groupings of entities that can be used in rules. 
+    * [**Normalization**](/docs/cse/schema/username-and-hostname-normalization/). Manage normalizing usernames and hostnames in records during the parsing and mapping process. 
     * [**Custom Types**](/docs/cse/records-signals-entities-insights/create-custom-entity-type/). Manage custom types to more precisely categorize entities.
-    * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+    * [**Criticality**](/docs/cse/records-signals-entities-insights/entity-criticality/). Adjust the severity of signals for specific entities based on some risk factor or other consideration.
 * **Cloud SIEM Workflow**
-    * [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the Insight detection threshold. 
-    * [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom Insight statuses.
-    * [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom Insight resolutions.
-    * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to Insights, Signals, Entities, and Rules.
\ No newline at end of file
+    * [**Insight Detection**](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/). Set the insight detection threshold. 
+    * [**Insight Statuses**](/docs/cse/administration/manage-custom-insight-statuses/). Manage custom insight statuses.
+    * [**Insight Resolutions**](/docs/cse/administration/manage-custom-insight-resolutions/). Manage custom insight resolutions.
+    * [**Tag Schemas**](/docs/cse/administration/create-a-custom-tag-schema/). Manage schemas for tags, metadata you can attach to insights, signals, entities, and rules.
\ No newline at end of file
diff --git a/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md b/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
index 33266444db..7e45967d58 100644
--- a/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
+++ b/docs/cse/get-started-with-cloud-siem/cse-heads-up-display.md
@@ -1,28 +1,28 @@
 ---
 id: cse-heads-up-display
 title: Cloud SIEM Heads Up Display
-description: Learn about Cloud SIEM's Heads Up Display (HUD), a UI that provides an at-a-glance overview of Insight status and activity.
+description: Learn about Cloud SIEM's Heads Up Display (HUD), a UI that provides an at-a-glance overview of insight status and activity.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic describes Cloud SIEM *Heads Up Display (HUD)*, the landing page for the Cloud SIEM UI. The HUD provides an at-a-glance overview of Insight status and activity.
+This topic describes Cloud SIEM *Heads Up Display (HUD)*, the landing page for the Cloud SIEM UI. The HUD provides an at-a-glance overview of insight status and activity.
 
 [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM**. 
 
 [**New UI**](/docs/get-started/sumo-logic-ui). To access the HUD, in the main Sumo Logic menu select **Cloud SIEM > SIEM Overview**. You can also click **Go To...** at the top of the screen and select **SIEM Overview**.
  
 :::note
-Data on the HUD is generated by internal searches that may result in slightly different results than a [log search query](/docs/search/) for the same time period, because of the way each method calculates time periods. But these differences cancel out over time. So while there may be a small variance between numbers of Records, Signals, and Insights in a given time frame, the effect is only noticeable when viewing very small time slices, for example, under 30 minutes. If you need to get exact tracking for reporting or other use cases, use dashboards in apps like the [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/) app.
+Data on the HUD is generated by internal searches that may result in slightly different results than a [log search query](/docs/search/) for the same time period, because of the way each method calculates time periods. But these differences cancel out over time. So while there may be a small variance between numbers of records, signals, and insights in a given time frame, the effect is only noticeable when viewing very small time slices, for example, under 30 minutes. If you need to get exact tracking for reporting or other use cases, use dashboards in apps like the [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/) app.
 :::
 
 ## HUD overview
 
-The left side of the HUD is a compact view of Insight activity and status in your environment. You can see the volume of Records being processed and how many Signals and Insights those Records result in. The HUD tells you how long it’s taking your team to spot, respond, and close Insights. You can see how many Insights are open, in progress, and closed. You can adjust the time range of the display depending on your interest. 
+The left side of the HUD is a compact view of insight activity and status in your environment. You can see the volume of records being processed and how many signals and insights those records result in. The HUD tells you how long it’s taking your team to spot, respond, and close insights. You can see how many insights are open, in progress, and closed. You can adjust the time range of the display depending on your interest. 
 
-The middle part of the HUD—the radar—visualizes the Record, Signal, and Insight volumes that are summarized on the left side of the page. It’s a circular timeline. The outer blue ring shows Record volume. Just inside the ring of Records is a histogram-like view of Signal volume. Nearest to the center are triangles that represent Insights. As you mouse around the radar, small popups provide a count of the Records, Signals, or Insights in that timeslice, depending on your focus.
+The middle part of the HUD—the radar—visualizes the record, signal, and insight volumes that are summarized on the left side of the page. It’s a circular timeline. The outer blue ring shows record volume. Just inside the ring of records is a histogram-like view of signal volume. Nearest to the center are triangles that represent insights. As you mouse around the radar, small popups provide a count of the records, signals, or insights in that timeslice, depending on your focus.
 
-The right side of the HUD contains a list of recent Insight activity. The card above the list shows key information about the latest new Insight with the highest severity. 
+The right side of the HUD contains a list of recent insight activity. The card above the list shows key information about the latest new insight with the highest severity. 
 
 See the sections below for more details on each element of the HUD.
 
@@ -31,7 +31,7 @@ See the sections below for more details on each element of the HUD.
 
 ## 1. Records / Signals / Insights
 
-This section shows the count of Records ingested, Signals fired, and Insights generated during the currently selected time range, along with the percentage change compared to the previous time period. For example, if the currently selected time range is 24 hours, the percentage change is compared to the counts for the 24 hours previous to that.
+This section shows the count of records ingested, signals fired, and insights generated during the currently selected time range, along with the percentage change compared to the previous time period. For example, if the currently selected time range is 24 hours, the percentage change is compared to the counts for the 24 hours previous to that.
 
 The default time range is 24 hours. You can change the time range using the dropdown to the right of the currently selected time range; the options range from 4 hours to 7 days. When you change the time range, the counts and metrics in the left and middle columns of the HUD update accordingly.
 
@@ -39,45 +39,45 @@ The default time range is 24 hours. You can change the time range using the drop
 
 The **Insight Metrics** section displays the following metrics for the currently selected time range:
 
-* **Detection**. The average period of time between when the first event happened (when the first Record in the Insight occurred) and when the Insight was generated, in days. (This differs from "dwell time", which is the time between when the first Record and the last Record occurred in an Insight.)
-* **Response**. The average response time, which is the average time between when an Insight was generated and when its status was set to **In Progress**, in seconds. 
-* **Remediation**. The average remediation time, which is the average time between when the Insight was created and when its status was set to **Closed**, in seconds. 
+* **Detection**. The average period of time between when the first event happened (when the first record in the insight occurred) and when the insight was generated, in days. (This differs from "dwell time", which is the time between when the first record and the last record occurred in an insight.)
+* **Response**. The average response time, which is the average time between when an insight was generated and when its status was set to **In Progress**, in seconds. 
+* **Remediation**. The average remediation time, which is the average time between when the insight was created and when its status was set to **Closed**, in seconds. 
 
-If you use an [HTTP POST V2 Action](/docs/cse/administration/create-cse-actions/) to send Insights to the Sumo Logic platform or another system, the Insight metrics are included in the Insight JSON object. The fields are `timeToDetection`, `timeToResponse` , and `timeToRemediation`. 
+If you use an [HTTP POST V2 Action](/docs/cse/administration/create-cse-actions/) to send insights to the Sumo Logic platform or another system, the insight metrics are included in the insight JSON object. The fields are `timeToDetection`, `timeToResponse` , and `timeToRemediation`. 
 
 ## 3. Insights by Status 
 
-The **Insights by Status** section provides a quick view of what analysts are working on. The counts are a breakdown by current status of the Insights created during the currently selected time range. To create new statuses, see [Managing Custom Insight Statuses](/docs/cse/administration/manage-custom-insight-statuses/).
+The **Insights by Status** section provides a quick view of what analysts are working on. The counts are a breakdown by current status of the insights created during the currently selected time range. To create new statuses, see [Managing Custom Insight Statuses](/docs/cse/administration/manage-custom-insight-statuses/).
 
 ## 4. Insights created and closed
 
-This section contains a stacked bar chart that shows the count of Insights opened and closed over time during the time range. When you hover over a bar, you’ll see the breakdown.
+This section contains a stacked bar chart that shows the count of insights opened and closed over time during the time range. When you hover over a bar, you’ll see the breakdown.
 
-## 5. Insight Radar
+## 5. Insight radar
 
-In the middle of the display is the *Insight Radar*, the HUD’s key feature. The radar visualizes the volume of Records, Signals, and Insights over time in a bulls eye-like view. Like the panels on the left side of the HUD, the radar updates when you select a different time range. The radar automatically refreshes every 60 seconds.
+In the middle of the display is the *insight radar*, the HUD’s key feature. The radar visualizes the volume of records, signals, and insights over time in a bulls eye-like view. Like the panels on the left side of the HUD, the radar updates when you select a different time range. The radar automatically refreshes every 60 seconds.
 
-In the circular visualization the three outermost rings represent Records, Signals, and Insights.
+In the circular visualization the three outermost rings represent records, signals, and insights.
 
-The blue ring around the outside of the Radar represents Records. The selected time range is broken down into intervals, and as you hover over the outer border of the ring, traversing the time range, the count of Records created during each interval is displayed. 
+The blue ring around the outside of the radar represents records. The selected time range is broken down into intervals, and as you hover over the outer border of the ring, traversing the time range, the count of records created during each interval is displayed. 
 
-Within the blue ring is another ring that contains light blue bars, each of which represents the Signals that fired during a time interval. The height of a column corresponds to the number of Signals that fired. If no Signals fired during an interval, no column appears. As you hover over an interval, the count of Signals that fired is displayed. If you click a column, the **Signals** page appears, and displays the corresponding Signals.
+Within the blue ring is another ring that contains light blue bars, each of which represents the signals that fired during a time interval. The height of a column corresponds to the number of signals that fired. If no signals fired during an interval, no column appears. As you hover over an interval, the count of signals that fired is displayed. If you click a column, the **Signals** page appears, and displays the corresponding signals.
 
-The third ring contains triangles, each of which represents one or more Insights. As you hover over an interval, the count of Insights that fired is displayed. If you click a triangle, the Insights page appears, and displays the corresponding Insights.
+The third ring contains triangles, each of which represents one or more insights. As you hover over an interval, the count of insights that fired is displayed. If you click a triangle, the insights page appears, and displays the corresponding insights.
 
 ## 6. Recent Activity
 
-The Recent Activity pane shows recently created Insights and recent Insight activity.
+The **Recent Activity** pane shows recently created insights and recent insight activity.
 
-The card at the top of the pane provides key information about the latest new Insight with the highest severity. The card provides the following information:
+The card at the top of the pane provides key information about the latest new insight with the highest severity. The card provides the following information:
 
-* The Insight ID and name, separated by a dash character. The name is typically formed from the MITRE stage(s) associated with the Signals in the Insight. In the case of a custom Insight, the name is the one supplied when the Insight was configured.  
-* The Insight description, typically formed from the MITRE stage(s) associated with the Signals in the Insight. In the case of a custom Insight, the description is the one supplied when the Insight was configured.
-* The Entity the Insight fired on. You can click on the Entity to view its details. Note that there is a six-button context menu that has options for searching for the Entity in other Insights and in Signals and Records. It also has the built-in **Add to Match List** and **Add to Suppressed List** actions, along with any custom [Context Actions](/docs/cse/administration/create-cse-context-actions/) defined in your environment.
-* The analyst assigned to the Insight, if the Insight has been assigned to one.
-* **Detection Time**. The time between the moment of first activity observation (when the oldest Signal in the Insight was fired) and when the Insight was created. (This differs from "dwell time", which is the time between when the first Record and the last Record occurred in an Insight.)
-* **Signals**. The number of Signals in the Insight.
-* **Severity**. The [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the Insight.
-* **Global Confidence**. [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the Insight, if available.
-* **Most Active Entities**. [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) that are currently appearing the most in activity. Hover your mouse over an Entity and click **View Timeline** to see the [Entity timeline](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entity-timeline-tab). 
-* **Today**. Shows changes made today, such as Insights created, status changes, and comments. Items are listed in chronological order, with the newest first.
+* The insight ID and name, separated by a dash character. The name is typically formed from the MITRE stage(s) associated with the signals in the insight. In the case of a custom insight, the name is the one supplied when the insight was configured.  
+* The insight description, typically formed from the MITRE stage(s) associated with the signals in the insight. In the case of a custom insight, the description is the one supplied when the insight was configured.
+* The entity the insight fired on. You can click on the entity to view its details. Note that there is a six-button context menu that has options for searching for the entity in other insights and in signals and records. It also has the built-in **Add to Match List** and **Add to Suppressed List** actions, along with any custom [Context Actions](/docs/cse/administration/create-cse-context-actions/) defined in your environment.
+* The analyst assigned to the insight, if the insight has been assigned to one.
+* **Detection Time**. The time between the moment of first activity observation (when the oldest signal in the insight was fired) and when the insight was created. (This differs from "dwell time", which is the time between when the first record and the last record occurred in an insight.)
+* **Signals**. The number of signals in the insight.
+* **Severity**. The [severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity) of the insight.
+* **Global Confidence**. [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight, if available.
+* **Most Active Entities**. [Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) that are currently appearing the most in activity. Hover your mouse over an entity and click **View Timeline** to see the [entity timeline](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entity-timeline-tab). 
+* **Today**. Shows changes made today, such as insights created, status changes, and comments. Items are listed in chronological order, with the newest first.
diff --git a/docs/cse/get-started-with-cloud-siem/insight-generation-process.md b/docs/cse/get-started-with-cloud-siem/insight-generation-process.md
index a52913ea2e..cedd0ef53e 100644
--- a/docs/cse/get-started-with-cloud-siem/insight-generation-process.md
+++ b/docs/cse/get-started-with-cloud-siem/insight-generation-process.md
@@ -2,16 +2,16 @@
 id: insight-generation-process
 title: Insight Generation Process
 sidebar_label: Insight Generation
-description: Learn how Cloud SIEM correlates Signals by entity to create Insights.
+description: Learn how Cloud SIEM correlates signals by entity to create insights.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This page explains Cloud SIEM's Insight generation process. 
+This page explains Cloud SIEM's insight generation process. 
 
-The concept of an *entity* is central to the process Cloud SIEM uses to correlate Signals and create Insights. So, what is an entity? In Cloud SIEM, an entity is a actor, for example, a  hostname, username, or MAC address encountered in an incoming message. For more information about Entities and Entity types, see [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities).
+The concept of an *entity* is central to the process Cloud SIEM uses to correlate signals and create insights. So, what is an entity? In Cloud SIEM, an entity is a actor, for example, a  hostname, username, or MAC address encountered in an incoming message. For more information about entities and entity types, see [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities).
 
-Watch this micro lesson to learn how Insights are created.
+Watch this micro lesson to learn how insights are created.
 
 <Iframe url="https://www.youtube.com/embed/MjzJlozR6mE?rel=0"
         width="854px"
@@ -29,9 +29,9 @@ import Iframe from 'react-iframe'; 
 
 ## Entities in messages are mapped to entity-type schema attributes
 
-During the next step of the [Record processing flow](/docs/cse/schema/record-processing-pipeline)—log mapping—message fields are mapped to Cloud SIEM schema attributes. During this process, each entity field from a message is mapped to one of the following Cloud SIEM schema entity attributes:
+During the next step of the [record processing flow](/docs/cse/schema/record-processing-pipeline)—log mapping—message fields are mapped to Cloud SIEM schema attributes. During this process, each entity field from a message is mapped to one of the following Cloud SIEM schema entity attributes:
 
-| Entity Type | Schema Attributes |
+| Entity type | Schema attributes |
 |:----- |:----- |
 | Command | `commandLine` |
 | Domain | `http_referer_fqdn`, `http_url_fqdn` |
@@ -49,7 +49,7 @@ During the next step of the [Record processing flow](/docs/cse/schema/record-pro
 Which particular attribute an entity gets mapped to depends on the [field mappings](/docs/cse/schema/create-structured-log-mapping) in the log mapper for the message source. Given the example message above, “thedude” might be mapped to `user_username` and "185.35.135.245"
 to `srcDevice_ip`. 
 
-## Rules have one or more On Entity attributes
+## Rules have one or more On entity attributes
 
 When you write a rule, you select one or more *On Entity* attributes in the **Then Create a Signal** area of the **Rules Editor**. Here is an example of an existing rule that has two On Entity attributes: `srcDevice_ip` and `dstDevice_ip`.
 
@@ -57,9 +57,9 @@ When you write a rule, you select one or more *On Entity* attributes in the **Th
 
 ## Entities are created when rules fire
 
-Cloud SIEM creates an Entity when a Rule generates a Signal, unless the Entity already exists in Cloud SIEM. When a Record matches the conditions of a rule, Cloud SIEM generates a separate Signal for each On Entity attribute from the Record.   
+Cloud SIEM creates an entity when a rule generates a signal, unless the entity already exists in Cloud SIEM. When a record matches the conditions of a rule, Cloud SIEM generates a separate signal for each On Entity attribute from the record.   
 
-The **Signals** page shows the Entity associated with each Signal.
+The **Signals** page shows the entity associated with each signal.
 
 <img src={useBaseUrl('img/cse/signal-list.png')} alt="Signals" style={{border: '1px solid gray'}} width="800"/>
 
@@ -69,70 +69,70 @@ You can view the entities that have been extracted from messages on the **Entiti
 
 <img src={useBaseUrl('img/cse/entity-list-page.png')} alt="Entities page" style={{border: '1px solid gray'}} width="800"/>
 
-Note that the screenshot above shows an *Activity Score* for each entity. The following section explains what an Activity Score is and how it relates to the Insight creation process.
+Note that the screenshot above shows an *activity score* for each entity. The following section explains what an activity score is and how it relates to the insight creation process.
 
-## Understanding Entity Activity Scores
+## Understanding entity activity scores
 
-An entity’s Activity Score is the sum of the severities of the unique Signals associated with that entity during the previous two weeks, unless a [different detection period is configured](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold). What makes a Signal unique? A Signal takes its name from the rule that fired it, so unless a rule's name has a unique templated value in it, the Signals that the rule generates are not unique. 
+An entity’s activity score is the sum of the severities of the unique signals associated with that entity during the previous two weeks, unless a [different detection period is configured](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold). What makes a signal unique? A signal takes its name from the rule that fired it, so unless a rule's name has a unique templated value in it, the signals that the rule generates are not unique. 
 
 Here are a couple practical examples:
 
-* If the `RDP Brute Force Attempt` rule fires 10 times, the Signals all have the same name, and are not unique. So, the severity of just one of the 10 Signals would be included in the entity’s Activity Score.
-* If the `RDP Brute Force Attempt {{threat_name}}` rule fires three times, where threat name is “bad”, “bad” and “worse”, two of the three Signals are unique:
+* If the `RDP Brute Force Attempt` rule fires 10 times, the signals all have the same name, and are not unique. So, the severity of just one of the 10 signals would be included in the entity’s activity score.
+* If the `RDP Brute Force Attempt {{threat_name}}` rule fires three times, where threat name is “bad”, “bad” and “worse”, two of the three signals are unique:
   * `RDP Brute Force Attempt bad`
   * `RDP Brute Force Attempt bad`
   * `RDP Brute Force Attempt worse`
 
-The severities of the `RDP Brute Force Attempt bad` and the `RDP Brute Force Attempt worse` Signals would be included in the entity’s Activity Score.
+The severities of the `RDP Brute Force Attempt bad` and the `RDP Brute Force Attempt worse` signals would be included in the entity’s activity score.
 
-By default, when an entity’s Activity Score exceeds the threshold of 12, Cloud SIEM generates an Insight on the entity. Like the detection period, you can [configure a different Activity Score threshold value](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold) for Insight generation. When Cloud SIEM creates an Insight on an Entity, it resets the Entity’s Activity Score to 0.
+By default, when an entity’s activity score exceeds the threshold of 12, Cloud SIEM generates an insight on the entity. Like the detection period, you can [configure a different activity score threshold value](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold) for insight generation. When Cloud SIEM creates an insight on an entity, it resets the entity’s activity score to 0.
 
-After Cloud SIEM fires a particular Signal on a particular Entity, it suppresses Signals for that Signal-Entity combination for a time to prevent redundant Signals. For more information, see [Redundant Signal suppression](#redundant-signal-suppression), below.
+After Cloud SIEM fires a particular signal on a particular entity, it suppresses signals for that signal-entity combination for a time to prevent redundant signals. For more information, see [Redundant signal suppression](#redundant-signal-suppression), below.
 
-### Example of an Entity that has exceeded Activity Score threshold
+### Example of an entity that has exceeded activity score threshold
 
-In the screenshot below, the **Details** pane on the left shows that the Insight was created for the entity “217.xxx.x.x”, an IP address. The right side of the page shows the Signals that contributed to the Insight. You can see each of the Signals relate to the IP address for which the Insight was created; in the Record underlying each of the Signals, is mapped to the `srcDevice_ip` schema attribute. 
+In the screenshot below, the **Details** pane on the left shows that the insight was created for the entity “217.xxx.x.x”, an IP address. The right side of the page shows the signals that contributed to the insight. You can see each of the signals relate to the IP address for which the insight was created; in the record underlying each of the signals, is mapped to the `srcDevice_ip` schema attribute. 
 
-The severity of each Signal is also shown. Cloud SIEM generated an Insight for entity “217.xxx.x.x” because the cumulative severity of Signals fired for that entity within a two week period exceeds the threshold Activity Score.
+The severity of each signal is also shown. Cloud SIEM generated an insight for entity “217.xxx.x.x” because the cumulative severity of signals fired for that entity within a two week period exceeds the threshold activity score.
 
 <img src={useBaseUrl('img/cse/insight.png')} alt="Insight" style={{border: '1px solid gray'}} width="800"/>
 
-### Redundant Signal suppression
+### Redundant signal suppression
 
-Under certain circumstances, Cloud SIEM suppresses Signals to prevent generation of multiple, virtually identical Insights. A few unique Signals firing numerous times for the same entity in a short period of time could cause the entity’s Activity Score to climb, resulting in an Insight. At that point, the Entity’s Activity score is reset, and the cycle could repeat, leading to several Insights in succession on the same entity that contain a very similar or identical set of unique Signals. 
+Under certain circumstances, Cloud SIEM suppresses signals to prevent generation of multiple, virtually identical insights. A few unique signals firing numerous times for the same entity in a short period of time could cause the entity’s activity score to climb, resulting in an insight. At that point, the entity’s Activity score is reset, and the cycle could repeat, leading to several insights in succession on the same entity that contain a very similar or identical set of unique signals. 
 
-This makes Insight triage less than ideal for the analyst since they're getting multiple Insights for the same sets of Signals. Cloud SIEM prevents this by suppressing Signals that have the same name and are on the same Entity during a 12 hour time window, or up to 72 hours if Signals for the Signal-Entity combination are firing continuously.   
+This makes insight triage less than ideal for the analyst since they're getting multiple insights for the same sets of signals. Cloud SIEM prevents this by suppressing signals that have the same name and are on the same entity during a 12 hour time window, or up to 72 hours if signals for the signal-entity combination are firing continuously.   
 
 **Example 1**
 
-If Signal A fires on Entity X at hour 0 and continues to fire once every 30 minutes for 24 hours, the Signals that fired after the first one are suppressed. This prevents those subsequent Signals from being analyzed by the Insight engine.  
+If signal A fires on entity X at hour 0 and continues to fire once every 30 minutes for 24 hours, the signals that fired after the first one are suppressed. This prevents those subsequent signals from being analyzed by the insight engine.  
 
 **Example 2**
 
-Signal B fires on Entity Y fires at hour 0, and doesn’t fire again until hour 13. The Signal that fired at hour 13 will not be suppressed, and will be analyzed by the Insight engine.  
+Signal B fires on entity Y fires at hour 0, and doesn’t fire again until hour 13. The signal that fired at hour 13 will not be suppressed, and will be analyzed by the insight engine.  
 
 :::note
-Prototype Signals, which are are not included in Insights, are not suppressed.
+Prototype signals, which are are not included in insights, are not suppressed.
 :::
 
-## About Insight Severity
+## About insight severity
 
-The severity of an Insight is indicated as Low, Medium, High, or Critical. Note that there are only two situations in which an Insight can have the Critical severity level:
+The severity of an insight is indicated as Low, Medium, High, or Critical. Note that there are only two situations in which an insight can have the Critical severity level:
 
-* You can assign a severity of Critical to a [Custom Insight](/docs/cse/records-signals-entities-insights/configure-custom-insight) configuration.
-* You can change the severity of an Insight from the severity it was assigned by Cloud SIEM at generation time. In the [Insight details](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) pane, click the icon that appears next to **Severity** to display the severity levels, and select a new level. 
+* You can assign a severity of Critical to a [custom insight](/docs/cse/records-signals-entities-insights/configure-custom-insight) configuration.
+* You can change the severity of an insight from the severity it was assigned by Cloud SIEM at generation time. In the [insight details](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/) pane, click the icon that appears next to **Severity** to display the severity levels, and select a new level. 
 
-Insights that are generated by the Cloud SIEM Insight generation algorithm will only have severity levels of Low, Medium, or High. Severity is a function of the Entity Activity Score of the Insight’s Entity.
+Insights that are generated by the Cloud SIEM insight generation algorithm will only have severity levels of Low, Medium, or High. Severity is a function of the entity activity score of the insight’s entity.
 
-By default the threshold Entity Activity Score for Insight generation is 12.The table below shows how severity values map to Activity Scores, if you haven’t changed the threshold value.   
+By default the threshold entity activity score for insight generation is 12.The table below shows how severity values map to activity scores, if you haven’t changed the threshold value.   
 
-| Insight Severity value | Activity Score |
+| Insight severity value | Activity score |
 |:------------------------|:----------------|
 | Low                    | 13          |
 | Medium                 | 14 or 15          |
 | High                   | 16 or higher   |
 
-If your Entity Activity Score threshold value is set to a value other than 12, you can work out the mapping yourself. If `t` is your configured threshold:
+If your entity activity score threshold value is set to a value other than 12, you can work out the mapping yourself. If `t` is your configured threshold:
 
 ```
 Low = (t + 1)
diff --git a/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md b/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
index 2edac0575c..2db794d195 100644
--- a/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
+++ b/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
@@ -59,7 +59,7 @@ Cloud SIEM access is controlled through the unified role-based access controls (
    * Cloud SIEM
       * View Cloud SIEM
       * Insights
-         * Comment on Insights
+         * Comment on insights
 * **Cloud SIEM Administrator**<br/>Add the following capabilities (add all capabilities under Cloud SIEM):
    * Cloud SIEM
       * View Cloud SIEM
@@ -96,7 +96,7 @@ See:
 
 #### Configure partitions
 
-Cloud SIEM Insights are stored within two audit partitions. These partitions also store configuration changes made to the Cloud SIEM environment. Because historical reporting of this information may be required, we recommend increasing the retention of these two partitions to 365 days:
+Cloud SIEM insights are stored within two audit partitions. These partitions also store configuration changes made to the Cloud SIEM environment. Because historical reporting of this information may be required, we recommend increasing the retention of these two partitions to 365 days:
 * `_index=sumologic_audit_events`
 * `_index=sumologic_system_events`
 
@@ -128,7 +128,7 @@ Perform the following tasks to install security apps that provide data to Cloud
 
 #### Install security apps
 
-Install the Cloud SIEM App to monitor data that is parsed, along with all the signals and Insights that records generate. The app contains multiple folders of searches and dashboards related to Cloud SIEM.
+Install the Cloud SIEM App to monitor data that is parsed, along with all the signals and insights that records generate. The app contains multiple folders of searches and dashboards related to Cloud SIEM.
 
 Also install any out-of-the-box apps or dashboards for security data sources we support, including CrowdStrike’s Threat Intel Quick Analysis app. These apps are useful for quick visualizations and configuring context actions to pivot directly to from Cloud SIEM.
 
@@ -151,19 +151,19 @@ Work with Professional Services to perform the tasks in the following sections t
 
 ### Set detection thresholds
 
-One of the most important aspects of Cloud SIEM is detection configuration for Insight generation. While you can define the detection window and the threshold Activity Score for Insight generation yourself, in most cases the default settings are ideal.
+One of the most important aspects of Cloud SIEM is detection configuration for insight generation. While you can define the detection window and the threshold Activity Score for insight generation yourself, in most cases the default settings are ideal.
 
 See: [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/)
 
 ### Create custom statuses
 
-Cloud SIEM statuses allow you to organize your incident response pipeline and track the progress of Insight remediation. Create custom statuses as needed for your environment.
+Cloud SIEM statuses allow you to organize your incident response pipeline and track the progress of insight remediation. Create custom statuses as needed for your environment.
 
 See: [Managing Custom Insight Statuses](/docs/cse/administration/manage-custom-insight-statuses/)
 
 ### Define network blocks
 
-Network blocks tag records with descriptive information that will help analysts and responders have the context of records, signals, and Insights. To define network blocks, you can often export the information from DHCP servers or other network devices.
+Network blocks tag records with descriptive information that will help analysts and responders have the context of records, signals, and insights. To define network blocks, you can often export the information from DHCP servers or other network devices.
 
 See: [Create and Use Network Blocks](/docs/cse/administration/create-use-network-blocks/)
 
@@ -212,15 +212,15 @@ Perform the following tasks to create actions to run in Cloud SIEM.
 
 #### Create Cloud SIEM actions
 
-You can create actions in Cloud SIEM to issue notifications when certain events occur. For example, you can create an action that sends information about an Insight to another system, either automatically when the Insight is created, or on-demand from the Insight's **Actions** menu. You can also create actions for other use cases, such as integrations with tools (for example, Jira, Slack, etc.), or to send an email to analysts when they are assigned Insights.
+You can create actions in Cloud SIEM to issue notifications when certain events occur. For example, you can create an action that sends information about an insight to another system, either automatically when the insight is created, or on-demand from the insight's **Actions** menu. You can also create actions for other use cases, such as integrations with tools (for example, Jira, Slack, etc.), or to send an email to analysts when they are assigned insights.
 
 See: [Create Cloud SIEM Actions](/docs/cse/administration/create-cse-actions/)
 
-#### Create Context Actions
+#### Create context actions
 
-A Context Action is an option that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record. For example, you could create a Context Action to check an IP address against a threat intel service, look up a username, or run a log search in Sumo Logic for a hostname.
+A context action is an option that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record. For example, you could create a context action to check an IP address against a threat intel service, look up a username, or run a log search in Sumo Logic for a hostname.
 
-You could also create a Context Action to show users’ Google activity. For example, install the Google Workspace app and set up the User Activity dashboard. Then create a context action to pivot directly to the dashboard from Cloud SIEM usernames.
+You could also create a context action to show users’ Google activity. For example, install the Google Workspace app and set up the User Activity dashboard. Then create a context action to pivot directly to the dashboard from Cloud SIEM usernames.
 
 See:
 * [Create Cloud SIEM Context Actions](/docs/cse/administration/create-cse-context-actions/)
@@ -247,7 +247,7 @@ See: [Rule Tuning Expressions](/docs/cse/rules/rule-tuning-expressions/)
 
 #### Configure First Seen rule baseline
 
-First Seen rules allow you to generate a signal when behavior by an Entity (such as a user) is encountered that hasn't been seen before. Cloud SIEM automatically creates a baseline model of normal behavior over a 30-day period. Typically longer baselines (such as 30 days) reduce alert noise. However, for testing purposes, you may want to reduce the time window to generate signal data before the full baseline window has occurred.
+First Seen rules allow you to generate a signal when behavior by an entity (such as a user) is encountered that hasn't been seen before. Cloud SIEM automatically creates a baseline model of normal behavior over a 30-day period. Typically longer baselines (such as 30 days) reduce alert noise. However, for testing purposes, you may want to reduce the time window to generate signal data before the full baseline window has occurred.
 
 See: [Write a First Seen Rule](/docs/cse/rules/write-first-seen-rule/)
 
@@ -259,6 +259,6 @@ See: [Improve Rules with Insight Trainer](/docs/cse/rules/insight-trainer/)
 
 ### Configure the Automation Service
 
-The Automation Service allows you to automate smart actions, including enrichments and notifications. You can run automations manually, or at Insight creation or closure.
+The Automation Service allows you to automate smart actions, including enrichments and notifications. You can run automations manually, or at insight creation or closure.
 
 See: [Automation](/docs/cse/automation/)

From 46e8285836e1a4982a34446923a72a8cf2743237 Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Tue, 17 Dec 2024 12:17:37 -0600
Subject: [PATCH 2/5] Change terms to lowercase in 'Records, Signals, Entities,
 and Insights' section

---
 docs/cse/get-started-with-cloud-siem/index.md |   6 +-
 .../about-signal-suppression.md               |  44 ++---
 .../configure-custom-insight.md               |  58 +++---
 .../configure-entity-lookup-table.md          |  54 +++---
 .../create-an-entity-group.md                 |  92 +++++-----
 .../create-custom-entity-type.md              |  26 +--
 .../entity-criticality.md                     |  36 ++--
 .../global-intelligence-security-insights.md  |  18 +-
 .../index.md                                  |  24 +--
 .../search-cse-records-in-sumo.md             |  58 +++---
 ...set-insight-generation-window-threshold.md |  14 +-
 .../tags-insights-signals-entities-rules.md   |  62 +++----
 .../view-manage-entities.md                   | 168 +++++++++---------
 .../view-records-signal.md                    |   2 +-
 14 files changed, 330 insertions(+), 332 deletions(-)

diff --git a/docs/cse/get-started-with-cloud-siem/index.md b/docs/cse/get-started-with-cloud-siem/index.md
index 5348a9378a..370cfce448 100644
--- a/docs/cse/get-started-with-cloud-siem/index.md
+++ b/docs/cse/get-started-with-cloud-siem/index.md
@@ -35,19 +35,19 @@ This guide helps you get started using Cloud SIEM for threat hunting.
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/get-started-with-cloud-siem/insight-generation-process"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Shield on a workflow icon" width="40"/><h4>Insight Generation</h4></a>
-  <p>Learn how Cloud SIEM correlates Signals by entity to create Insights.</p>
+  <p>Learn how Cloud SIEM correlates signals by entity to create insights.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Shield on a workflow icon" width="40"/><h4>Cloud SIEM Insight UI</h4></a>
-  <p>Learn about the contents of the Insights UI in Cloud SIEM.</p>
+  <p>Learn about the contents of the insights UI in Cloud SIEM.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/get-started-with-cloud-siem/cloud-siem-content-catalog"><img src={useBaseUrl('img/icons/security/compliance.png')} alt="Checklist icon" width="40"/><h4>Cloud SIEM Content Catalog</h4></a>
-  <p>See the out-of-the-box Rules, Schema, Mappings, and Parsers for Cloud SIEM.</p>
+  <p>See the out-of-the-box rules, schema, mappings, and parsers for Cloud SIEM.</p>
   </div>
 </div>
 <div className="box smallbox card">
diff --git a/docs/cse/records-signals-entities-insights/about-signal-suppression.md b/docs/cse/records-signals-entities-insights/about-signal-suppression.md
index e52103246c..b61fcbcd12 100644
--- a/docs/cse/records-signals-entities-insights/about-signal-suppression.md
+++ b/docs/cse/records-signals-entities-insights/about-signal-suppression.md
@@ -2,7 +2,7 @@
 id: about-signal-suppression
 title: About Signal Suppression
 sidebar_label: Signal Suppression
-description: Learn about the ways that Cloud SIEM Signals can be suppressed, and so excluded from the Insight generation process.
+description: Learn about the ways that Cloud SIEM signals can be suppressed, and so excluded from the insight generation process.
 keywords:
     - Cloud SIEM
     - entity
@@ -11,57 +11,57 @@ keywords:
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic describes the various ways that Signals can get suppressed.
+This topic describes the various ways that signals can get suppressed.
 
-In Cloud SIEM, a *suppressed Signal* is a Signal that Cloud SIEM's Insight algorithm will exclude from the Insight generation process. In other words, a suppressed Signal does not contribute to or become a part of an Insight. By default, Signals are automatically suppressed for 72 hours. 
+In Cloud SIEM, a *suppressed signal* is a signal that Cloud SIEM's insight algorithm will exclude from the insight generation process. In other words, a suppressed signal does not contribute to or become a part of an insight. By default, signals are automatically suppressed for 72 hours. 
 
-Signal suppression can occur for a variety of reasons, including [Entity suppression](#suppress-by-entity), [network blocks](#suppress-by-network-block), [suppression lists](#suppress-by-indicator), and identifying [redundant Signals](#automatic-suppression-of-redundant-signals) by our rules correlation engine. In all cases, Signals will still be generated in the suppressed state. Depending on the reason, the field `suppressedReasons` will be populated in the `sec_signal` index. For example, this may include the Signal ID of an identical Signal that caused subsequent redundant Signals to be suppressed, or it may contain the name of the network block with suppression enabled.
+Signal suppression can occur for a variety of reasons, including [entity suppression](#suppress-by-entity), [network blocks](#suppress-by-network-block), [suppression lists](#suppress-by-indicator), and identifying [redundant signals](#automatic-suppression-of-redundant-signals) by our rules correlation engine. In all cases, signals will still be generated in the suppressed state. Depending on the reason, the field `suppressedReasons` will be populated in the `sec_signal` index. For example, this may include the signal ID of an identical signal that caused subsequent redundant signals to be suppressed, or it may contain the name of the network block with suppression enabled.
 
-## Set the global Signal suppression value
+## Set the global signal suppression value
 
-By default, Signals are automatically suppressed for 72 hours. You can change this value to anywhere from 24 hours to 72 hours with the **Global Signal Suppression** setting on the **Insight Detection** page. See [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/).
+By default, signals are automatically suppressed for 72 hours. You can change this value to anywhere from 24 hours to 72 hours with the **Global Signal Suppression** setting on the **Insight Detection** page. See [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/).
 
 <img src={useBaseUrl('img/cse/detection-threshold-global-signal-suppression.png')} alt="Detection threshold settings" style={{border: '1px solid gray'}} width="600"/>
 
-### Override global Signal suppression
+### Override global signal suppression
 
-You can override the [global Signal suppression](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) in any rule. This allows the rule to generate Signals in a shorter time frame than the 72-hour default. This can be helpful, for example, when you want the rule to generate Signals for time-sensitive issues that cannot wait for 72 hours before generating a Signal.<br/><img src={useBaseUrl('img/cse/override-global-signal-suppression.png')} alt="Override Global Signal Suppression" style={{border: '1px solid gray'}} width="500"/>
+You can override the [global signal suppression](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) in any rule. This allows the rule to generate signals in a shorter time frame than the 72-hour default. This can be helpful, for example, when you want the rule to generate signals for time-sensitive issues that cannot wait for 72 hours before generating a signal.<br/><img src={useBaseUrl('img/cse/override-global-signal-suppression.png')} alt="Override Global Signal Suppression" style={{border: '1px solid gray'}} width="500"/>
 
-To override global Signal suppression in a rule:
+To override global signal suppression in a rule:
 1. Create or edit a [rule](/docs/cse/rules/).
 1. Click **Show Advanced** on the **Then Create a Signal** tab.
 1. Select the **Override Global Signal Suppression** check box.
-1. Enter the hours and/or minutes to suppress Signal generation.
+1. Enter the hours and/or minutes to suppress signal generation.
 
 For certain rule types (Threshold, Chain, or Aggregation), the minimum valid value you can enter is determined by the time value in the **If Triggered** tab. <br/><img src={useBaseUrl('img/cse/override-global-signal-suppression-grouped-by.png')} alt="Minimum valid value" style={{border: '1px solid gray'}} width="600"/>
 
-## Suppress by Entity
+## Suppress by entity
 
-You can suppress an Entity on its [details page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-details-page) in the Cloud SIEM UI using the suppression slider. 
+You can suppress an entity on its [details page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-details-page) in the Cloud SIEM UI using the suppression slider. 
 
 <img src={useBaseUrl('img/cse/suppression-slider.png')} alt="Entity suppression slider" style={{border: '1px solid gray'}} width="300"/>
 
-You can suppress multiple Entities at once on the [Entities list page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-list-page) in the Cloud SIEM UI. Note that in the screenshot below, the row for an Entity that is currently suppressed contains a **Suppressed** indicator.
+You can suppress multiple entities at once on the [entities list page](/docs/cse/records-signals-entities-insights/view-manage-entities#about-the-entities-list-page) in the Cloud SIEM UI. Note that in the screenshot below, the row for an Entity that is currently suppressed contains a **Suppressed** indicator.
 
-<img src={useBaseUrl('img/cse/entity-page.png')} alt="Suppression on the Entities page" style={{border: '1px solid gray'}} width="800"/>
+<img src={useBaseUrl('img/cse/entity-page.png')} alt="Suppression on the entities page" style={{border: '1px solid gray'}} width="800"/>
 
-When you checkmark one or more Entities, the **Update Suppression** button appears. When you click it you’re prompted to set the suppression state for the select Entities. You can also create a .csv file with your suppression changes, and use the **Import Metadata** button to upload it to Cloud SIEM. For details, see the [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities) topic. 
+When you checkmark one or more entities, the **Update Suppression** button appears. When you click it you’re prompted to set the suppression state for the select entities. You can also create a .csv file with your suppression changes, and use the **Import Metadata** button to upload it to Cloud SIEM. For details, see the [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities) topic. 
 
-You can see what Entities are currently suppressed on the **Entities** page by filtering the list by **Suppressed**. <br/><img src={useBaseUrl('img/cse/suppressed-entities-page.png')} alt="Suppressed Entities" style={{border: '1px solid gray'}} width="300"/>
+You can see what entities are currently suppressed on the **Entities** page by filtering the list by **Suppressed**. <br/><img src={useBaseUrl('img/cse/suppressed-entities-page.png')} alt="Suppressed entities" style={{border: '1px solid gray'}} width="300"/>
 
 ## Suppress by indicator
 
-Signals can be suppressed based on the presence of a suppressed indicator in any of the Records associated with a Signal. You create lists of indicators, which are things like IPs, hostnames, URLs, domains, and so. You can set a TTL (time to live) after which an indicator will be unsuppressed. You can create these lists on the [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/) page, available from the content menu. 
+Signals can be suppressed based on the presence of a suppressed indicator in any of the records associated with a signal. You create lists of indicators, which are things like IPs, hostnames, URLs, domains, and so. You can set a TTL (time to live) after which an indicator will be unsuppressed. You can create these lists on the [**Suppressed Lists**](/docs/cse/match-lists-suppressed-lists/suppressed-lists/) page, available from the content menu. 
 
-<img src={useBaseUrl('img/cse/suppressed-lists.png')} alt="Suppress Entities by indicator" style={{border: '1px solid gray'}} width="800"/>
+<img src={useBaseUrl('img/cse/suppressed-lists.png')} alt="Suppress entities by indicator" style={{border: '1px solid gray'}} width="800"/>
 
-## Suppress by Network Block
+## Suppress by network block
 
-You can suppress Signals on all of the IP addresses in a Network Block. You can see on the Network Blocks page whether or not Signals are suppressed for IPs in the block. For more information, see [Create and Use Network Blocks](/docs/cse/administration/create-use-network-blocks/).
+You can suppress signals on all of the IP addresses in a network block. You can see on the network blocks page whether or not signals are suppressed for IPs in the block. For more information, see [Create and Use Network Blocks](/docs/cse/administration/create-use-network-blocks/).
 
 <img src={useBaseUrl('img/cse/network-block-page.png')} alt="Suppress by network block" style={{border: '1px solid gray'}} width="800"/>
 
-## Automatic suppression of redundant Signals
+## Automatic suppression of redundant signals
 
-Cloud SIEM suppresses redundant Signals to prevent the generation of multiple, virtually identical Insights. For information about how this works, see [Redundant Signal suppression](/docs/cse/get-started-with-cloud-siem/insight-generation-process#redundant-signal-suppression).  
+Cloud SIEM suppresses redundant signals to prevent the generation of multiple, virtually identical insights. For information about how this works, see [Redundant signal suppression](/docs/cse/get-started-with-cloud-siem/insight-generation-process#redundant-signal-suppression).  
  
diff --git a/docs/cse/records-signals-entities-insights/configure-custom-insight.md b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
index efc88d3b56..b51b422545 100644
--- a/docs/cse/records-signals-entities-insights/configure-custom-insight.md
+++ b/docs/cse/records-signals-entities-insights/configure-custom-insight.md
@@ -2,7 +2,7 @@
 id: configure-custom-insight
 title: Configure a Custom Insight
 sidebar_label: Custom Insights
-description: Learn how to set up Custom Insight configurations, which you can use to automatically generate Insights on some basis other than Entity Activity Scores.
+description: Learn how to set up custom insight configurations, which you can use to automatically generate insights on some basis other than entity activity scores.
 keywords:
   - custom insight
   - cloud siem
@@ -10,55 +10,55 @@ keywords:
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-As described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, Cloud SIEM automatically generates an Insight based on an Entity’s Activity Score, which is the cumulative severity of the unique Signals that have fired on an Entity during a period of time. In some cases, you may want Cloud SIEM to generate an Insight on some basis other than Entity Activity Scores. For example, you might want an Insight generated whenever a particular set of Signals are fired in a particular order. 
+As described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, Cloud SIEM automatically generates an insight based on an entity’s activity score, which is the cumulative severity of the unique signals that have fired on an entity during a period of time. In some cases, you may want Cloud SIEM to generate an insight on some basis other than entity activity scores. For example, you might want an insight generated whenever a particular set of signals are fired in a particular order. 
 
-This topic has instructions for defining a Custom Insight, which is a configuration you set up that causes Cloud SIEM to generate Insights based purely on one or more Signals being fired. 
+This topic has instructions for defining a custom insight, which is a configuration you set up that causes Cloud SIEM to generate insights based purely on one or more signals being fired. 
 
-## Ways to define a Custom Insight
+## Ways to define a custom insight
 
-There are two ways you can define a Custom Insight. You can specify that the Insight should be generated each time:
+There are two ways you can define a custom insight. You can specify that the insight should be generated each time:
 
-* One or more selected rules fire a Signal.
+* One or more selected rules fire a signal.
 * Signals whose name matches a specified wildcard expression are fired. 
 
-Which method should you use? The difference is whether you’re going to create an Insight based on the name of the rule that fired the Signal, or based on the name of the Signal that was fired. Typically, Signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [Normalized Threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the Signals that a normalized rule fires vary by data source. So, if you want your Custom Insight configuration to generate Insights for Signals fired by normalized rules, you should base it on Signal names, rather than rule names.
+Which method should you use? The difference is whether you’re going to create an insight based on the name of the rule that fired the signal, or based on the name of the signal that was fired. Typically, signals that a rule generates have the same name as the rule. That is not the case with Cloud SIEM’s normalized rules. That’s because normalized rules, for example [normalized threat rules](/docs/cse/rules/normalized-threat-rules/), are written to work with multiple data sources. The names of the signals that a normalized rule fires vary by data source. So, if you want your custom insight configuration to generate insights for signals fired by normalized rules, you should base it on signal names, rather than rule names.
 
-When the conditions of a Custom Insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an Insight will be generated for each Entity involved. In other words, if each of the Signals in a Custom Insight configuration fired on a different Entity, an Insight will be created on each of those Entities. The generated Insights will include not only the Signals that it fired on, but also any related Signals. 
+When the conditions of a custom insight configuration are met during the currently configured [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/), an insight will be generated for each entity involved. In other words, if each of the signals in a custom insight configuration fired on a different entity, an insight will be created on each of those entities. The generated insights will include not only the signals that it fired on, but also any related signals. 
  
-## Create a Custom Insight
+## Create a custom insight
 
-To create a Custom Insight:
+To create a custom insight:
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu, select **Content > Custom Insights**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Custom Insights**. You can also click the **Go To...** menu at the top of the screen and select **Custom Insights**.  
 2. Click **Create** on the **Custom Insights** page.
-3. The **Configure the Custom Insight** popup appears. <br/><img src={useBaseUrl('img/cse/custom-insight.png')} alt="Configure an Insight" style={{border: '1px solid gray'}} width="600"/>
-4. In the **Name** field, enter a name for the Custom Insight.
-5. If you want the Custom Insight to be generated based on one or more rules firing Signals, jump to step 6, below. Otherwise: 
+3. The **Configure the Custom Insight** popup appears. <br/><img src={useBaseUrl('img/cse/custom-insight.png')} alt="Configure an insight" style={{border: '1px solid gray'}} width="600"/>
+4. In the **Name** field, enter a name for the custom insight.
+5. If you want the custom insight to be generated based on one or more rules firing signals, jump to step 6, below. Otherwise: 
    1. Leave the **When Signals are created from the following...** clause set to **Signal names**.
-   2. Enter an expression that matches the name(s) of the Signals of interest. For example: `Critical Severity Intrusion Signature *`
+   2. Enter an expression that matches the name(s) of the signals of interest. For example: `Critical Severity Intrusion Signature *`
    3. Click **Add**.
-   4. If you want to, you can enter one or more additional Signal expressions.
-   5. If you’ve configured more than one Signal expression, use the **in ... order** clause to specify whether the Signals must occur in **exact** order, or whether the Signals can occur in **any** order. 
-6. If you want the Custom Insight to be generated based on one or more rules firing Signals:
-   1. Change the **When Signals are created from the following...** clause to **rule** . 
+   4. If you want to, you can enter one or more additional signal expressions.
+   5. If you’ve configured more than one signal expression, use the **in ... order** clause to specify whether the signals must occur in **exact** order, or whether the signals can occur in **any** order. 
+6. If you want the custom insight to be generated based on one or more rules firing signals:
+   1. Change the **When Signals are created from the following...** clause to **rule**. 
    2. In the **Type to add a Rule** area, enter a string that the ID of the desired rule contains.
    3. In the list of rules that appears, scroll to the desired rule and click it.
    4. If you want to, you can search for and select one or more additional rules.
-   5. If you’ve configured more than one rule, use the **in ... order** clause to specify whether the rules must fire Signals in exact order, or in any order. 
-7. In the **Then Create an Insight** section on the right side of the popup, enter a name for the Insight.
-8. Enter a description of the Insight, as desired.
-9. For severity, you can choose between a constant severity, or a dynamic severity that is based on the severity of the Signals that trigger the Insight. If you want to configure dynamic severity, skip to the next step. To configure constant severity, select one of: Low, Medium, High, or Critical. 
-10. To configure dynamic severity for the custom Insight:
+   5. If you’ve configured more than one rule, use the **in ... order** clause to specify whether the rules must fire signals in exact order, or in any order. 
+7. In the **Then Create an Insight** section on the right side of the popup, enter a name for the insight.
+8. Enter a description of the insight, as desired.
+9. For severity, you can choose between a constant severity, or a dynamic severity that is based on the severity of the signals that trigger the insight. If you want to configure dynamic severity, skip to the next step. To configure constant severity, select one of: Low, Medium, High, or Critical. 
+10. To configure dynamic severity for the custom insight:
     1. Choose **dynamic** severity.
           :::note
           You can define dynamic severity for record fields on [Match rules](/docs/cse/rules/write-match-rule#configure-then-create-a-signal-settings) and [Aggregation rules](/docs/cse/rules/write-aggregation-rule/#configure-then-create-a-signal-settings). 
           :::
     1. Select a default severity, one of **Low**, **Medium**, **High**, or **Critical**. 
-    1. **Minimum Signal Severity** and **Insight Severity**. Enter a minimum Signal severity and associated Insight severity value. For example, if you enter 8 and select high, if any Signal in the Insight has a severity of 8 or higher, the custom Insight will have High severity. 
-    1. If desired, you can enter a minimum Signal severity value for other Insight severity levels. For example, you could configure a minimum Signal severity of 4 as the threshold for an Insight severity level of Medium. If you do define multiple thresholds, we honor them from highest to lowest. For example, with the following configuration:
+    1. **Minimum Signal Severity** and **Insight Severity**. Enter a minimum signal severity and associated insight severity value. For example, if you enter 8 and select high, if any signal in the insight has a severity of 8 or higher, the custom insight will have High severity. 
+    1. If desired, you can enter a minimum signal severity value for other insight severity levels. For example, you could configure a minimum signal severity of 4 as the threshold for an insight severity level of Medium. If you do define multiple thresholds, we honor them from highest to lowest. For example, with the following configuration:
        * If the highest signal severity was at least 3, severity is Low.
-       * If the highest Signal severity was at least 5, severity is Medium.
-       * If the highest Signal severity was at least 7, severity is Critical.
+       * If the highest signal severity was at least 5, severity is Medium.
+       * If the highest signal severity was at least 7, severity is Critical.
       <br/><img src={useBaseUrl('img/cse/example-dynamic.png')} alt="Example dynamic severity" style={{border: '1px solid gray'}} width="300"/>
-11. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the Custom Insight. 
-12. Click **Submit** to save your Custom Insight configuration.
+11. If desired, select [Tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) that you want assigned to the custom insight. 
+12. Click **Submit** to save your custom insight configuration.
diff --git a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
index 68b4dd2e47..7ae3ee87e4 100644
--- a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
+++ b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
@@ -2,86 +2,86 @@
 id: configure-entity-lookup-table
 title: Configure an Entity Lookup Table
 sidebar_label: Entity Lookup Tables
-description: Entity Lookup Tables allow you to normalize the names of users and hosts (machines) in your environment
+description: Entity lookup tables allow you to normalize the names of users and hosts (machines) in your environment
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic describes Entity Lookup Tables and how to configure them.
+This topic describes entity lookup tables and how to configure them.
 
 :::note
-Entity Lookup Tables are supported if your Cloud SIEM URL ends in `sumologic.com`.
+Entity lookup tables are supported if your Cloud SIEM URL ends in `sumologic.com`.
 :::
 
-## What are Entity Lookup Tables good for?
+## What are entity lookup tables good for?
 
-Entity Lookup Tables allow you to normalize the names of users and hosts (machines) in your environment. This is important because the username or hostname formats found in messages tend to vary by data source. For example, you’ll likely encounter the following forms of user names across the services you use:
+Entity lookup tables allow you to normalize the names of users and hosts (machines) in your environment. This is important because the username or hostname formats found in messages tend to vary by data source. For example, you’ll likely encounter the following forms of user names across the services you use:
 
 * `jdoe@acme.com`
 * `joseph.doe`
 * `jdoe`
 
-In addition, in some systems a user or a host has both a name and a unique ID, the latter of which is generally not a friendly identifier. For example, the host ID and hostname below both identify a host. It makes sense to replace the host ID in Records with the hostname.
+In addition, in some systems a user or a host has both a name and a unique ID, the latter of which is generally not a friendly identifier. For example, the host ID and hostname below both identify a host. It makes sense to replace the host ID in records with the hostname.
 
 * `d8ece0f8-10a4-3c62-b8a3-2e636a3a0509`
 * `testk-122.testlabs.local`
 
-Multiple identifiers for the same user or host are a problem when it comes to correlating Signals around a common Entity. Unless you allow for all permutations of a username or hostname, your rule or search won’t function as intended with all data sources.
+Multiple identifiers for the same user or host are a problem when it comes to correlating signals around a common entity. Unless you allow for all permutations of a username or hostname, your rule or search won’t function as intended with all data sources.
 
-### Examples of when you create Lookup Tables
+### Examples of when you create lookup tables
 
-Following are some examples of situations when you'd want to use Entity Lookup Tables:
+Following are some examples of situations when you'd want to use entity lookup tables:
 * CrowdStrike FDR data uses an agent ID (AID) instead of a hostname for some messages.
 * Mail Transfer Agent (MTA) systems report usernames in an email format.
 * Your users have different login names on different systems (for example, Windows, Linux, and AWS).
 
-### How does an Entity Lookup Table work?
+### How does an entity lookup table work?
 
-An Entity Lookup Table defines two sets of values: a lookup value to look for in an incoming message and a substitution value. You can create Entity Lookup Tables to support the following types of normalization:
+An entity lookup table defines two sets of values: a lookup value to look for in an incoming message and a substitution value. You can create entity lookup tables to support the following types of normalization:
 
 * **Host ID to Normalized Hostname**
 * **User ID to Normalized Username**
 * **Username to Normalized Username**
 
-Entity Lookup Tables are based on Sumo Logic’s [Lookup Tables](/docs/search/lookup-tables/) feature. Here is an example of a **Host ID to Normalized Hostname** Lookup Table in the Sumo Logic Library:
+Entity lookup tables are based on Sumo Logic’s [lookup tables](/docs/search/lookup-tables/) feature. Here is an example of a **Host ID to Normalized Hostname** lookup table in the Sumo Logic Library:
 
-<img src={useBaseUrl('img/cse/example-table.png')} alt="Example Entity lookup table" style={{border: '1px solid gray'}} width="800"/>
+<img src={useBaseUrl('img/cse/example-table.png')} alt="Example entity lookup table" style={{border: '1px solid gray'}} width="800"/>
 
-## Creating a Lookup Table
+## Creating a lookup table
 
-Before you configure a Lookup Table in Cloud SIEM, you must [create the Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic platform. There are a variety of ways to create a Lookup Table. 
+Before you configure a lookup table in Cloud SIEM, you must [create the lookup table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic platform. There are a variety of ways to create a lookup table. 
 
 ### Limitations
 
-You can configure a maximum of five Entity Lookup Tables. 
+You can configure a maximum of five entity lookup tables. 
 
 ### Populate table from inventory data
 
-You can create Lookup Tables from information about hosts and users–known as inventory data–in your environment. Inventory data is collected by Sumo Logic core platform inventory sources, typically by an Active Directory source running on a Sumo Logic Installed Collector, and also by sources that leverage the Sumo Logic Cloud-to-Cloud Integration Framework.
+You can create lookup tables from information about hosts and users–known as inventory data–in your environment. Inventory data is collected by Sumo Logic core platform inventory sources, typically by an Active Directory source running on a Sumo Logic Installed Collector, and also by sources that leverage the Sumo Logic Cloud-to-Cloud Integration Framework.
 
-This method–the typical way to populate a Lookup Table for the purpose of Entity normalization–involves running a log search against data collected by a Cloud SIEM Inventory source, and then saving and scheduling the search. This process is described in the [Save Inventory Data to a Lookup Table](/docs/cse/administration/save-inventory-data-lookup-table) topic. After creating the table, perform the steps in [Configure the Lookup Table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
+This method–the typical way to populate a lookup table for the purpose of entity normalization–involves running a log search against data collected by a Cloud SIEM Inventory source, and then saving and scheduling the search. This process is described in the [Save Inventory Data to a Lookup Table](/docs/cse/administration/save-inventory-data-lookup-table) topic. After creating the table, perform the steps in [Configure the lookup table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
 
 ### Existing lookups
 
-If you already have a Lookup Table that contains normalization data, you can configure it in Cloud SIEM. Or, if you have existing normalization data that is not currently in a Lookup Table you can create a Lookup Table with that data. Note that your Lookup Table must contain a field that contains a lookup value and one that contains a substitution value. There is no requirement for particular column names.
+If you already have a lookup table that contains normalization data, you can configure it in Cloud SIEM. Or, if you have existing normalization data that is not currently in a lookup table you can create a lookup table with that data. Note that your lookup table must contain a field that contains a lookup value and one that contains a substitution value. There is no requirement for particular column names.
 
-For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-lookup-table/). After creating the table, perform the steps in [Configure the Lookup Table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
+For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-lookup-table/). After creating the table, perform the steps in [Configure the lookup table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
 
-### Configure the Lookup Table in Cloud SIEM
+### Configure the lookup table in Cloud SIEM
 
-After you've [created your Entity Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
+After you've [created your entity lookup table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Normalization**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Normalization**. You can also click the **Go To...** menu at the top of the screen and select **Normalization**.  
 1. On the **Normalization** tab, click **Lookup Tables**.
 1. Select the lookup table.
-1. The **Existing Lookup Table** popup appears. Following is an example.<br/><img src={useBaseUrl('img/cse/existing-lookup-table.png')} alt="Existing Lookup Table dialog" style={{border: '1px solid gray'}} width="400"/>
+1. The **Existing Lookup Table** popup appears. Following is an example.<br/><img src={useBaseUrl('img/cse/existing-lookup-table.png')} alt="Existing lookup table dialog" style={{border: '1px solid gray'}} width="400"/>
 1. Click **Edit** to configure the lookup table. Note that most fields are read-only.
-    1. **Path**. The path to the existing Lookup Table in the Sumo Logic Library. For example: `/Library/Admin Recommended/NormalizedHostNames` <br/>To see the path to the [Lookup Table](/docs/search/lookup-tables/create-lookup-table) in the Sumo Logic Library, hover over the row for the table in the Library, and select **Copy path to clipboard** from the three-dot kebab menu.<br/><img src={useBaseUrl('img/cse/tree-dot.png')} alt="Kebab button on a library item" style={{border: '1px solid gray'}} width="800"/>
+    1. **Path**. The path to the existing lookup table in the Sumo Logic Library. For example: `/Library/Admin Recommended/NormalizedHostNames` <br/>To see the path to the [lookup table](/docs/search/lookup-tables/create-lookup-table) in the Sumo Logic Library, hover over the row for the table in the Library, and select **Copy path to clipboard** from the three-dot kebab menu.<br/><img src={useBaseUrl('img/cse/tree-dot.png')} alt="Kebab button on a library item" style={{border: '1px solid gray'}} width="800"/>
     1. **Type**. The type of normalization:
        * **Host ID to Normalized Hostname**. Maps unique host IDs to recognizable hostnames.
        * **User ID to Normalized Username**. Maps unique user IDs to recognizable usernames.
        * **Username to Normalized Username**. Maps a username in one format to a username in another format.  
-    1. **Column Name**. The name of the Lookup Table column that contains the primary key for the table.
-    1. **Sub Column Name**. The name of the Lookup Table column that contains the value you want to substitute for the lookup column.
-    1. **Source Category**. (Optional) If you enter a source category, the lookup substitution will only be applied to Records that are tagged with that source category.
+    1. **Column Name**. The name of the lookup table column that contains the primary key for the table.
+    1. **Sub Column Name**. The name of the lookup table column that contains the value you want to substitute for the lookup column.
+    1. **Source Category**. (Optional) If you enter a source category, the lookup substitution will only be applied to records that are tagged with that source category.
     1. Click **Save**.     
diff --git a/docs/cse/records-signals-entities-insights/create-an-entity-group.md b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
index 64c4752b60..128cd1c7d5 100644
--- a/docs/cse/records-signals-entities-insights/create-an-entity-group.md
+++ b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
@@ -2,57 +2,57 @@
 id: create-an-entity-group
 title: Create an Entity Group
 sidebar_label: Entity Groups
-description: You can use Entity Groups to automatically group entities in terms of criteria like name or IP Address.
+description: You can use entity groups to automatically group entities in terms of criteria like name or IP Address.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-An administrator can use the _Entity Groups_ feature to define groups of Entities and to assign attributes to them at the group level. You can define the members of an Entity Group in two ways:
+An administrator can use the _entity groups_ feature to define groups of entities and to assign attributes to them at the group level. You can define the members of an entity group in two ways:
 
-* Based on Entity name or an IP address range.
+* Based on entity name or an IP address range.
 * Based on membership in a group in an Inventory system like Active Directory.
 
-Note that membership in an Entity Group is not configured by explicitly assigning individual Entities to the group. Instead you define an Entity Group in terms of criteria, like name or IP address, so that Entities will automatically inherit the properties of Entity Groups they match without manual edits.
+Note that membership in an entity group is not configured by explicitly assigning individual entities to the group. Instead you define an entity group in terms of criteria, like name or IP address, so that entities will automatically inherit the properties of entity groups they match without manual edits.
 
-You can assign [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/), [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), and [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) status to an Entity Group, and those settings will be applied to all of the Entities in the group.
+You can assign [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/), [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), and [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) status to an entity group, and those settings will be applied to all of the entities in the group.
 
-Consider an Entity Group configured to:
+Consider an entity group configured to:
 
 * Include any host in the Active Directory “laptops” group, and
 * Set a (pre-configured) criticality to group members.
 
-Each laptop in the “laptops” group will automatically inherit the criticality defined for the Entity Group, and so will laptops assigned to the “laptops” group in the future. In other words, when an Entity is added, if it matches the membership criteria of an existing Entity Group, it will be automatically added to that group.
+Each laptop in the “laptops” group will automatically inherit the criticality defined for the entity group, and so will laptops assigned to the “laptops” group in the future. In other words, when an entity is added, if it matches the membership criteria of an existing entity group, it will be automatically added to that group.
 
-Note that when an Insight is created, any tags that are assigned to the primary Entity in the Insight are automatically inherited by the Insight. So, tags that an Entity inherits from an Entity Group will also be inherited by Insights that fire on the Entity. (Such inheritance is not retro-active: Insights that fired on an Entity prior to the Entity being tagged won’t be tagged.)
+Note that when an insight is created, any tags that are assigned to the primary entity in the insight are automatically inherited by the insight. So, tags that an entity inherits from an entity group will also be inherited by insights that fire on the entity. (Such inheritance is not retro-active: insights that fired on an entity prior to the entity being tagged won’t be tagged.)
 
-## Entity Group limits
+## Entity group limits
 
-The number of Entity Groups you can configure per org varies by the type of the group:
+The number of entity groups you can configure per org varies by the type of the group:
 
-* You can configure a maximum of 1000 Entity Groups based on membership in a group in an Inventory system.
-* You can configure a maximum of 10000 Entity Groups based on Entity name or an IP address range.
+* You can configure a maximum of 1000 entity groups based on membership in a group in an Inventory system.
+* You can configure a maximum of 10000 entity groups based on entity name or an IP address range.
 
 
-## Overlapping Entity Groups
+## Overlapping entity groups
 
-It’s possible to define Entity Groups that overlap, in terms of the Entities they contain. However, for the sake of simplicity, we recommend you configure your Entity Groups to not overlap. If an Entity does belong to more than one group, the tags from all of the groups are applied to the Entity. Criticality and suppression status are applied by the first Entity Group that matches in this order:
+It’s possible to define entity groups that overlap, in terms of the entities they contain. However, for the sake of simplicity, we recommend you configure your entity groups to not overlap. If an entity does belong to more than one group, the tags from all of the groups are applied to the entity. Criticality and suppression status are applied by the first entity group that matches in this order:
 
-1. Entity Groups based on Inventory source and group are processed in alphabetical order, by Entity Group name.
-1. Entity Groups based on IP address ranges are processed in order from most specific (smallest block) to least specific (largest block).
-1. Entity Groups based on name are processed in order, by the length of the match string configured as either Prefix or Suffix, then alphabetically, by Entity Group name.
+1. Entity groups based on Inventory source and group are processed in alphabetical order, by entity group name.
+1. Entity groups based on IP address ranges are processed in order from most specific (smallest block) to least specific (largest block).
+1. Entity groups based on name are processed in order, by the length of the match string configured as either Prefix or Suffix, then alphabetically, by entity group name.
 
 
-## Create an Entity Group based on Entity attributes
+## Create an entity group based on entity attributes
 
-Follow these instructions to create an Entity Group based on Entity name or whether the Entity is within a specified range of IP addresses.
+Follow these instructions to create an entity group based on entity name or whether the entity is within a specified range of IP addresses.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Groups**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**.  
 1. On the **Entity Groups** page, click **+ Add Entity Group**.
-1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.)<br/><img src={useBaseUrl('/img/cse/create-entity-group-values.png')} alt="Create an Entity Group based on attributes" style={{border: '1px solid gray'}} width="400" />
-1. **Name**. Enter a name for the Entity Group.
+1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.)<br/><img src={useBaseUrl('/img/cse/create-entity-group-values.png')} alt="Create an entity group based on attributes" style={{border: '1px solid gray'}} width="400" />
+1. **Name**. Enter a name for the entity group.
 1. **Description**. (Optional.)
 1. **Configuration Type**. Select **Values**.
-1. **Entity Types**. Select one of the following Entity types:
+1. **Entity Types**. Select one of the following entity types:
     * **IP Address**
     * **MAC Address**
     * **Username**
@@ -66,54 +66,54 @@ Follow these instructions to create an Entity Group based on Entity name or whet
     * **URL**
     * **File**
 1. **Match Condition**. Select one of the following match types:
-    * **Prefix**. After you select this option, a **Prefix** field appears. Enter a string that matches the leading characters of the names of the Entities you want to include in the group.
-    * **Suffix**. After you select this option, a **Suffix** field appears. Enter a string that matches the trailing characters of the names of the Entities you want to include in the group.
+    * **Prefix**. After you select this option, a **Prefix** field appears. Enter a string that matches the leading characters of the names of the entities you want to include in the group.
+    * **Suffix**. After you select this option, a **Suffix** field appears. Enter a string that matches the trailing characters of the names of the entities you want to include in the group.
     * **IP Address Range.** After you select this option, an **IP Address Range** field appears. Enter a CIDR block of IP addresses.
     * **Sensor Zone**. This field is present if you selected _IP Address _as the **Entity Type** above. Optionally, select a **Sensor Zone** from the pulldown.
     :::note
-    If you select a [Sensor Zone](/docs/cse/administration/using-sensor-zones), the IP addresses assigned to the Entity Group will be limited to addresses that are within the specified **IP Address Range** and also have been assigned the selected Sensor Zone.
+    If you select a [Sensor Zone](/docs/cse/administration/using-sensor-zones), the IP addresses assigned to the entity group will be limited to addresses that are within the specified **IP Address Range** and also have been assigned the selected Sensor Zone.
     :::
-1. **Tags**. Select any tags you’d like to apply to Entities in the group.
-1. **Criticality**. If desired, select a Criticality.
-1. **Suppression**. Select **Suppressed** if you want to suppress Signals on Entities in the group.
+1. **Tags**. Select any tags you’d like to apply to entities in the group.
+1. **Criticality**. If desired, select a criticality.
+1. **Suppression**. Select **Suppressed** if you want to suppress signals on entities in the group.
 
-## Create an Entity Group based on inventory group membership
+## Create an entity group based on inventory group membership
 
-Follow these instructions to create an Entity Group that corresponds to a group in an inventory service in your infrastructure.
+Follow these instructions to create an entity group that corresponds to a group in an inventory service in your infrastructure.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Groups**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**.  
 1. On the **Entity Groups** page, click **+ Add Entity Group**.
-1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.) <br/><img src={useBaseUrl('/img/cse/create-entity-group-inventory.png')} alt="Create an Entity Group based on inventory" style={{border: '1px solid gray'}} width="400"/>
-1. **Name**. Enter a name for the Entity Group.
+1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.) <br/><img src={useBaseUrl('/img/cse/create-entity-group-inventory.png')} alt="Create an entity group based on inventory" style={{border: '1px solid gray'}} width="400"/>
+1. **Name**. Enter a name for the entity group.
 1. **Description**. (Optional.)
 1. **Configuration Type**. Select **Inventory**.
 1. **Inventory Type**. Select one of:
     * Computer
     * User
-1. **Inventory Key**. Select an attribute to use from the **Inventory Type** selected above. You can use second-level unnormalized inventory attributes in this field (for example, `fields.foo.bar`). Select **groups** if you want to use an existing Entity Group attribute. 
+1. **Inventory Key**. Select an attribute to use from the **Inventory Type** selected above. You can use second-level unnormalized inventory attributes in this field (for example, `fields.foo.bar`). Select **groups** if you want to use an existing entity group attribute. 
 1. **Source**. Select an inventory source from the pull-down list.
-1. **Value**. Enter a value for the attribute selected in the **Inventory Key** field above. You can use REGEX expressions in this field (for example, in the screenshot above, the value is `.*OU\=ADFS.*`). <br/>If **groups** was selected in the **Inventory Key** field, enter the name of the group in the inventory system that contains the entities you want to add to the Entity Group. 
+1. **Value**. Enter a value for the attribute selected in the **Inventory Key** field above. You can use REGEX expressions in this field (for example, in the screenshot above, the value is `.*OU\=ADFS.*`). <br/>If **groups** was selected in the **Inventory Key** field, enter the name of the group in the inventory system that contains the entities you want to add to the entity group. 
    :::note
    **Value** refers to a normalized attribute. The name of the raw attribute varies depending on the inventory source. And if you are entering a value for a group, keep in mind that just as not all inventory sources provide user or computer data, not all inventory sources have an attribute that gets mapped to groups. For information about how attributes are normalized from inventory sources, see [Inventory Sources and Data](/docs/cse/administration/inventory-sources-and-data).
    :::
-1. **Dynamic Schema Tags**. Select if you'd like to apply a [custom tag schema](/docs/cse/administration/create-a-custom-tag-schema) to the Entities in the group. If you select this option, the **Value** field changes to *, indicating the value will be automatically generated from the custom tag schema. 
-1. **Tag Schema**. Select the tag schema to use for the Entity group.
-1. **Tags**. Select any tags you’d like to apply to Entities in the group. If you previously selected **Dynamic Schema Tags**, the phrase **(in addition to dynamic)** appears, indicating that the tags you select here will be added to the automatically-generated schema tags.
-1. **Criticality**. If desired, select a Criticality.
-1. **Suppression**. Select **Suppressed** if you want to suppress Signals on Entities in the group.
+1. **Dynamic Schema Tags**. Select if you'd like to apply a [custom tag schema](/docs/cse/administration/create-a-custom-tag-schema) to the entities in the group. If you select this option, the **Value** field changes to *, indicating the value will be automatically generated from the custom tag schema. 
+1. **Tag Schema**. Select the tag schema to use for the entity group.
+1. **Tags**. Select any tags you’d like to apply to entities in the group. If you previously selected **Dynamic Schema Tags**, the phrase **(in addition to dynamic)** appears, indicating that the tags you select here will be added to the automatically-generated schema tags.
+1. **Criticality**. If desired, select a criticality.
+1. **Suppression**. Select **Suppressed** if you want to suppress signals on entities in the group.
 
 ### Example
 
-The [screenshot above](#create-an-entity-group-based-on-inventory-group-membership) where we create an "ADFS server" Entity Group corresponds to the following example:
+The [screenshot above](#create-an-entity-group-based-on-inventory-group-membership) where we create an "ADFS server" entity group corresponds to the following example:
 
-1. Let's say you want to create an Entity Group for ADFS servers. The Active Directory inventory data for your ADFS servers adheres to the following pattern. Notice the computer name, and how it appears in the `distinguishedName` field:  <br/><img src={useBaseUrl('/img/cse/entity-group-inventory-example-1.png')} alt="Active Directory inventory data" style={{border: '1px solid gray'}} width="800"/>
-2. The corresponding Cloud SIEM Entity inventory enrichment for the data is as follows. Notice how the `distinguishedName` field is defined: <br/><img src={useBaseUrl('/img/cse/entity-group-inventory-example-2.png')} alt="Entity enrichment data" style={{border: '1px solid gray'}} width="600"/>
-3. Now, to ensure that we add the data for these Entities to an "ADFS Servers" Entity Group, we create the Entity Group as shown in the [screenshot above](#create-an-entity-group-based-on-inventory-group-membership). We set the inventory key as `fields.distinguishedname`, the value as `.*OU\=ADFS.*`, and the tag to be applied as `adfs_server`. 
-4. Then when the Entity Group is processed, the tag we specified is applied to each Entity in the group, like in this example from the Entities details page: <br/><img src={useBaseUrl('/img/cse/entity-group-inventory-example-3.png')} alt="Tag applied to entity" style={{border: '1px solid gray'}} width="300"/>
+1. Let's say you want to create an entity group for ADFS servers. The Active Directory inventory data for your ADFS servers adheres to the following pattern. Notice the computer name, and how it appears in the `distinguishedName` field:  <br/><img src={useBaseUrl('/img/cse/entity-group-inventory-example-1.png')} alt="Active Directory inventory data" style={{border: '1px solid gray'}} width="800"/>
+2. The corresponding Cloud SIEM entity inventory enrichment for the data is as follows. Notice how the `distinguishedName` field is defined: <br/><img src={useBaseUrl('/img/cse/entity-group-inventory-example-2.png')} alt="Entity enrichment data" style={{border: '1px solid gray'}} width="600"/>
+3. Now, to ensure that we add the data for these entities to an "ADFS Servers" entity group, we create the entity group as shown in the [screenshot above](#create-an-entity-group-based-on-inventory-group-membership). We set the inventory key as `fields.distinguishedname`, the value as `.*OU\=ADFS.*`, and the tag to be applied as `adfs_server`. 
+4. Then when the entity group is processed, the tag we specified is applied to each entity in the group, like in this example from the entities details page: <br/><img src={useBaseUrl('/img/cse/entity-group-inventory-example-3.png')} alt="Tag applied to entity" style={{border: '1px solid gray'}} width="300"/>
 
 ## Using tags in rule expressions
 
-If you've applied a tag to an Entity, you can use the tag in a [rule expression](/docs/cse/rules/about-cse-rules/#about-rule-expressions). For example, if you've attached a keyword tag "DB Server" to an Entity, this `array_contains` statement will return "true" if the Entity in a Record's `srcDevice_ip` field has the tag "DB Server"
+If you've applied a tag to an entity, you can use the tag in a [rule expression](/docs/cse/rules/about-cse-rules/#about-rule-expressions). For example, if you've attached a keyword tag "DB Server" to an entity, this `array_contains` statement will return "true" if the entity in a record's `srcDevice_ip` field has the tag "DB Server"
 
 ```
 array_contains(fieldTags["srcDevice_ip"], "DB Server")
@@ -121,4 +121,4 @@ array_contains(fieldTags["srcDevice_ip"], "DB Server")
 
 ## API support
 
-You can use the `/entity-group-configuration` API to create, read, update, and delete Entity Groups. For more information, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis).
+You can use the `/entity-group-configuration` API to create, read, update, and delete entity groups. For more information, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis).
diff --git a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
index fe862d86df..b0180098c4 100644
--- a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
+++ b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
@@ -2,32 +2,32 @@
 id: create-custom-entity-type
 title: Create a Custom Entity Type
 sidebar_label: Custom Entity Types
-description: Learn how to create a custom Entity type.
+description: Learn how to create a custom entity type.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has instructions for how to create custom Entity types in Cloud SIEM.
+This topic has instructions for how to create custom entity types in Cloud SIEM.
 
-In Cloud SIEM, *Entities* are fundamental to the Insight generation process. When a Cloud SIEM Rule fires, it generates a Signal for each “on-Entity” attribute configured for the rule. Cloud SIEM correlates Signals by Entity to create Insights. This process is described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic.
+In Cloud SIEM, *entities* are fundamental to the insight generation process. When a Cloud SIEM rule fires, it generates a signal for each “on-entity” attribute configured for the rule. Cloud SIEM correlates signals by entity to create insights. This process is described in the [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic.
 
-Cloud SIEM has a number of built-in [Entity types](/docs/cse/records-signals-entities-insights/view-manage-entities#about-entities), for example, IP Address, Hostname, and Username.
+Cloud SIEM has a number of built-in [entity types](/docs/cse/records-signals-entities-insights/view-manage-entities#about-entities), for example, IP Address, Hostname, and Username.
 
-When you create a Rule, in the Signal configuration section, the Rules Editor prompts you to select an “On-Entity” attribute from a list of all of the Cloud SIEM schema attributes that hold Entities. What if you want to correlate Signals by something other than an item that is one of Cloud SIEM standard Entity types? That’s what custom Entity types are for.
+When you create a rule, in the signal configuration section, the rules editor prompts you to select an “on-entity” attribute from a list of all of the Cloud SIEM schema attributes that hold entities. What if you want to correlate signals by something other than an item that is one of Cloud SIEM standard entity types? That’s what custom entity types are for.
 
-If you’d like to be able to correlate Signals by a different type of Entity, you can create a custom Entity type. For example, you might want to correlate Signals by file hash. When you create a custom Entity type, you identify the Cloud SIEM schema attributes that hold data of the custom type. Given the example of a file hash Entity type, you would select attributes that contain file hashes, like `file_hash_md5`, `file_hash_sha1`, and so on. The attributes you configure for your custom Entity type will be available in the **On-Entity** selector list in the **Then Create a Signal** section of the rule configuration UI. 
+If you’d like to be able to correlate signals by a different type of entity, you can create a custom entity type. For example, you might want to correlate signals by file hash. When you create a custom entity type, you identify the Cloud SIEM schema attributes that hold data of the custom type. Given the example of a file hash entity type, you would select attributes that contain file hashes, like `file_hash_md5`, `file_hash_sha1`, and so on. The attributes you configure for your custom entity type will be available in the **On-Entity** selector list in the **Then Create a Signal** section of the rule configuration UI. 
 
-Just as for Entities of built-in types listed above—IP addresses, MAC addresses, hostnames, and so on—when a rule fires on a custom Entity, if the Entity doesn’t already exist in Cloud SIEM, it is added, and can be viewed on the Entity list page.
+Just as for entities of built-in types listed above—IP addresses, MAC addresses, hostnames, and so on—when a rule fires on a custom entity, if the entity doesn’t already exist in Cloud SIEM, it is added, and can be viewed on the entity list page.
 
-To create a custom Entity type:
+To create a custom entity type:
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Custom Types**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Custom Types**. You can also click the **Go To...** menu at the top of the screen and select **Custom Types**.  
 1. On the **Custom Entity Types** tab click **+ Add Custom Type**. 
-2. The **Add Custom Entity Type** popup appears. <br/><img src={useBaseUrl('img/cse/create-custom-entity-type.png')} alt="Create custom Entity type" style={{border: '1px solid gray'}} width="400"/>
-3. **Name**. Enter a meaningful name for the custom Entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom Entity type on the **Custom Entity Type** page. 
-4. **Identifier**. Enter a unique identifier for the custom Entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the Entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
+2. The **Add Custom Entity Type** popup appears. <br/><img src={useBaseUrl('img/cse/create-custom-entity-type.png')} alt="Create custom entity type" style={{border: '1px solid gray'}} width="400"/>
+3. **Name**. Enter a meaningful name for the custom entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom entity type on the **Custom Entity Type** page. 
+4. **Identifier**. Enter a unique identifier for the custom entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
     :::note
-    The Entity type Identifier cannot be changed once you’ve saved it.
+    The entity type Identifier cannot be changed once you’ve saved it.
     :::
-5. **Fields**. Use the dropdown list to select the schema attribute or attributes you want to associate with the custom Entity type.
+5. **Fields**. Use the dropdown list to select the schema attribute or attributes you want to associate with the custom entity type.
 6. Click **Save**.
diff --git a/docs/cse/records-signals-entities-insights/entity-criticality.md b/docs/cse/records-signals-entities-insights/entity-criticality.md
index e58e4bf8b8..6fe6c3dc53 100644
--- a/docs/cse/records-signals-entities-insights/entity-criticality.md
+++ b/docs/cse/records-signals-entities-insights/entity-criticality.md
@@ -1,47 +1,45 @@
 ---
 id: entity-criticality
 title: Entity Criticality
-description: You can use Entity Criticality to adjust the severity of Signals for specific Entities based on some risk factor or other consideration.
+description: You can use entity criticality to adjust the severity of signals for specific Entities based on some risk factor or other consideration.
 
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This page describes Cloud SIEM’s Entity Criticality feature and how to use it.
+This page describes Cloud SIEM’s entity criticality feature and how to use it.
 
-You can use Entity Criticality to adjust the severity of Signals for specific Entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so Signals related to that Entity should have a higher severity. To allow for this, you define a Criticality, which is a single arithmetic expression that will be used to adjust the severity of Signals on Entities the Criticality is assigned to. For example:
+You can use entity criticality to adjust the severity of signals for specific entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so signals related to that entity should have a higher severity. To allow for this, you define a criticality, which is a single arithmetic expression that will be used to adjust the severity of signals on entities the criticality is assigned to. For example: `severity+3`
 
-`severity+3`
+A signal’s normal severity is specified in the rule that fires the signal. The criticality is applied to the normal severity. To ensure that signals that fire on your executives’ laptops have an elevated severity, you can configure a criticality like the example above, and then apply it to the entities that correspond to the executives’ laptops. 
 
-A Signal’s normal severity is specified in the rule that fires the Signal. The Criticality is applied to the normal severity. To ensure that Signals that fire on your executives’ laptops have an elevated severity, you can configure a Criticality like the example above, and then apply it to the Entities that correspond to the executives’ laptops. 
-
-Just as you can use Criticality to increase severity, you can use it to decrease the severity of the Signals fired on an Entity.
+Just as you can use criticality to increase severity, you can use it to decrease the severity of the signals fired on an entity.
 
 If the formula you specify results in a number that isn’t whole, the value is rounded down to the nearest integer.
 
-## About Criticality and Insight generation
+## About criticality and insight generation
 
-The maximum severity that can be assigned to a Cloud SIEM rule is 10, so normally, Signal severity is also limited to 1. Note however that Cloud SIEM doesn’t impose a maximum value on the severity that results from a Criticality, although the minimum value will always be 0. 
+The maximum severity that can be assigned to a Cloud SIEM rule is 10, so normally, signal severity is also limited to 1. Note however that Cloud SIEM doesn’t impose a maximum value on the severity that results from a criticality, although the minimum value will always be 0. 
 
-As described in the [Insight Generation](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, an Insight is generated on an Entity based on the cumulative severity of the unique Signals that have fired on it over the previous two weeks, unless a different period is configured. The cumulative
-severity is referred to as the Entity’s Activity Score. Keep in mind that higher Signal severities will increase an Entity’s Active Score and result in Insight’s being generated sooner. 
+As described in the [insight generation](/docs/cse/get-started-with-cloud-siem/insight-generation-process/) topic, an insight is generated on an entity based on the cumulative severity of the unique signals that have fired on it over the previous two weeks, unless a different period is configured. The cumulative
+severity is referred to as the entity’s activity score. Keep in mind that higher signal severities will increase an entity’s activity score and result in insight’s being generated sooner. 
 
-You can configure both the detection window and the threshold Activity Score for Insight generation, as described in the [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) topic.
+You can configure both the detection window and the threshold activity score for insight generation, as described in the [Set Insight Generation Window and Threshold](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) topic.
 
-## Define a Criticality
+## Define a criticality
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Entities** select **Criticality**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Criticality**. You can also click the **Go To...** menu at the top of the screen and select **Criticality**.  
 1. On the **Criticality** tab, click **+ Add Criticality**. 
-1. The **Add Criticality** popup appears.<br/><img src={useBaseUrl('img/cse/criticality-popup.png')} alt="Create Entity Criticality dialog" style={{border: '1px solid gray'}} width="400"/>
+1. The **Add Criticality** popup appears.<br/><img src={useBaseUrl('img/cse/criticality-popup.png')} alt="Create entity criticality dialog" style={{border: '1px solid gray'}} width="400"/>
 2. **Name**. Enter a name. 
 3. **Severity Expression**. Enter a formula for adjusting a severity value. You can use a plus sign (+), minus sign (-), an asterisk (\*), or a forward slash (/). Enter the formula in this format:   `severity+2 `
-4. Click **Save** to save the Criticality.
+4. Click **Save** to save the criticality.
 
-## Assign a Criticality to an Entity
+## Assign a criticality to an entity
 
-You can associate a Criticality with one or more Entities. 
+You can associate a criticality with one or more entities. 
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Entities** at the top of the screen. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.  
-1. Navigate to the Entity you want to assign a Criticality and click on it to display the **Entity Details** page. 
+1. Navigate to the entity you want to assign a criticality and click on it to display the **Entity Details** page. 
 2. On the **Entity Details** page, click the **Criticality** field to display a list of Criticalities. <br/><img src={useBaseUrl('img/cse/entity-details-criticality.png')} alt="Entity criticality details" style={{border: '1px solid gray'}} width="300"/>
-3. Click a Criticality to apply it to the Entity.
+3. Click a criticality to apply it to the entity.
diff --git a/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md b/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md
index dda9d3d054..f703674feb 100644
--- a/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md
+++ b/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md
@@ -1,14 +1,14 @@
 ---
 id: global-intelligence-security-insights
 title: Global Intelligence for Security Insights
-description: Insight Confidence scores, predicted by Sumo Logic’s Global Intelligence machine learning model, help you triage and prioritize Insights.
+description: Insight Confidence scores, predicted by Sumo Logic’s Global Intelligence machine learning model, help you triage and prioritize insights.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This page describes Global Intelligence for Security Insights, implemented in Cloud SIEM as Global Confidence scores. This feature helps security analysts triage and prioritize Insights.
+This page describes Global Intelligence for security insights, implemented in Cloud SIEM as Global Confidence scores. This feature helps security analysts triage and prioritize insights.
 
-Watch this micro lesson to learn more about Global Intelligence for Insights.
+Watch this micro lesson to learn more about Global Intelligence for insights.
 
 <Iframe url="https://www.youtube.com/embed/toAvKsfVbHc?rel=0"
      width="854px"
@@ -24,26 +24,26 @@ Watch this micro lesson to learn more about Global Intelligence for Insights.
 import Iframe from 'react-iframe';
 
 ## What is a Global Confidence score?
-An Insight’s Global Confidence score represents a level of confidence, predicted by Sumo Logic’s Global Intelligence machine learning model, that the Insight is actionable. 
+An insight’s Global Confidence score represents a level of confidence, predicted by Sumo Logic’s Global Intelligence machine learning model, that the insight is actionable. 
 
 <img src={useBaseUrl('img/cse/closeup.png')} alt="Global confidence score example" style={{border: '1px solid gray'}} width="400"/>
 
-The score is generated based on the underlying pattern of Signals in an Insight. The model compares this pattern to previously observed patterns from Insights that were closed with either a **False Positive** or **Resolved** resolution. The model does such comparisons broadly—across the global installed base of Cloud SIEM customers—so it can generate a Confidence score based on the patterns seen at one customer when encountered at another. In addition to leveraging the patterns discovered across the Cloud SIEM installed base, the model customizes scores for Insights in your account based on your customized content, including tuned and custom rules.
+The score is generated based on the underlying pattern of signals in an insight. The model compares this pattern to previously observed patterns from insights that were closed with either a **False Positive** or **Resolved** resolution. The model does such comparisons broadly—across the global installed base of Cloud SIEM customers—so it can generate a Confidence score based on the patterns seen at one customer when encountered at another. In addition to leveraging the patterns discovered across the Cloud SIEM installed base, the model customizes scores for insights in your account based on your customized content, including tuned and custom rules.
 
 :::tip Fear not
 All information used by the model is anonymized and no customer-confidential information is processed or retained.
 :::
 
 
-The score is on a scale of 0 to 100. A higher score indicates higher confidence that the Insight is actionable. If the model does not have enough information, it will not make a prediction and no score will be listed (you’ll see either “No prediction” or “N/A”).
+The score is on a scale of 0 to 100. A higher score indicates higher confidence that the insight is actionable. If the model does not have enough information, it will not make a prediction and no score will be listed (you’ll see either “No prediction” or “N/A”).
 
 ## Prerequisites for using Global Confidence scores
-The only prerequisite for taking full advantage of Confidence scores is to make sure your content is available to Sumo Logic’s machine learning model. If you do not close Insights with an appropriate resolution, the model won’t be able to consider your content and may not be able to generate Global Confidence scores for your Insights. To take full advantage of this feature, make sure you close your Insights as False Positive or Resolved.
+The only prerequisite for taking full advantage of Confidence scores is to make sure your content is available to Sumo Logic’s machine learning model. If you do not close insights with an appropriate resolution, the model won’t be able to consider your content and may not be able to generate Global Confidence scores for your insights. To take full advantage of this feature, make sure you close your insights as False Positive or Resolved.
 
 ## Using Global Confidence scores
-The Global Confidence score is a valuable data point to consider when prioritizing which Insights to triage first.
+The Global Confidence score is a valuable data point to consider when prioritizing which insights to triage first.
 
-An Insight’s Confidence score is shown for each Insight on the Insights list page. You can sort the Insight list by the Global Confidence score, as well as by Severity.
+An insight’s Confidence score is shown for each insight on the insights list page. You can sort the insight list by the Global Confidence score, as well as by Severity.
 
 <img src={useBaseUrl('img/cse/Confidence-Screenshot.png')} alt="Global confidence screen image example" width="800"/>
  
diff --git a/docs/cse/records-signals-entities-insights/index.md b/docs/cse/records-signals-entities-insights/index.md
index 12eaf3cd24..3e8c6d82bc 100644
--- a/docs/cse/records-signals-entities-insights/index.md
+++ b/docs/cse/records-signals-entities-insights/index.md
@@ -1,10 +1,10 @@
 ---
 slug: /cse/records-signals-entities-insights
 title: Records, Signals, Entities, and Insights
-description: Learn about Insight generation, working with Entities, and how to query Cloud SIEM Records.
+description: Learn about insight generation, working with entities, and how to query Cloud SIEM records.
 ---
 
-Learn about Insight generation, working with Entities, and how to query Cloud SIEM Records. 
+Learn about insight generation, working with entities, and how to query Cloud SIEM records. 
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
@@ -14,43 +14,43 @@ In this section, we'll introduce the following concepts:
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Insight Generation Settings</h4></a>
-  <p>Learn how to configure the detection window and the threshold Activity Score for Insight generation.</p>
+  <p>Learn how to configure the detection window and the threshold activity score for insight generation.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/global-intelligence-security-insights"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Global Intelligence for Security Insights</h4></a>
-  <p>Learn how to triage and prioritize Insights.</p>
+  <p>Learn how to triage and prioritize insights.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/configure-custom-insight"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Custom Insights</h4></a>
-  <p>Learn how to set up Custom Insight configurations.</p>
+  <p>Learn how to set up custom insight configurations.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/view-manage-entities"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>View and Manage Entities</h4></a>
-  <p>Learn about all the Entities in Cloud SIEM and their Activity Scores.</p>
+  <p>Learn about all the entities in Cloud SIEM and their activity scores.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/entity-criticality"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Entity Criticality</h4></a>
-  <p>Learn how to adjust the severity of Signals for specific Entities.</p>
+  <p>Learn how to adjust the severity of signals for specific entities.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/create-custom-entity-type"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Custom Entity Types</h4></a>
-  <p>Learn how to create custom Entity types in Cloud SIEM.</p>
+  <p>Learn how to create custom entity types in Cloud SIEM.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/create-an-entity-group"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Entity Groups</h4></a>
-  <p>Learn how to automatically group entities in terms of criteria like name or IP Address.</p>
+  <p>Learn how to automatically group entities in terms of criteria like name or IP address.</p>
   </div>
 </div>
 <div className="box smallbox card">
@@ -62,19 +62,19 @@ In this section, we'll introduce the following concepts:
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/view-records-signal"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>View Records for a Signal</h4></a>
-  <p>Learn how to view Records associated with a Signal in Cloud SIEM.</p>
+  <p>Learn how to view records associated with a signal in Cloud SIEM.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/about-signal-suppression"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Signal Suppression</h4></a>
-  <p>Learn about ways to suppress and exclude Cloud SIEM Signals from the Insight generation process.</p>
+  <p>Learn about ways to suppress and exclude Cloud SIEM signals from the insight generation process.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo"><img src={useBaseUrl('img/icons/security/siem-challenges.png')} alt="Icon of a shield on a flow diagram" width="40"/><h4>Search Sumo Logic for Cloud SIEM Records</h4></a>
-  <p>Learn to search the Sumo Logic platform for Records and Signals that have been forwarded from Cloud SIEM.</p>
+  <p>Learn to search the Sumo Logic platform for records and signals that have been forwarded from Cloud SIEM.</p>
   </div>
 </div>
 <div className="box smallbox card">
diff --git a/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md b/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md
index f701636d00..2789606dc7 100644
--- a/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md
+++ b/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo.md
@@ -2,23 +2,23 @@
 id: search-cse-records-in-sumo
 title: Searching for Cloud SIEM Records in Sumo Logic
 sidebar_label: Search Sumo Logic for Cloud SIEM Records
-description: Learn how to search the Sumo Logic platform for Cloud SIEM Records.
+description: Learn how to search the Sumo Logic platform for Cloud SIEM records.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has information about how to search the Sumo Logic platform for Records and Signals that have been forwarded from Cloud SIEM. For more information about performing log searches in Sumo Logic, see [Search Basics](/docs/search/get-started-with-search/search-basics).
+This topic has information about how to search the Sumo Logic platform for records and signals that have been forwarded from Cloud SIEM. For more information about performing log searches in Sumo Logic, see [Search Basics](/docs/search/get-started-with-search/search-basics).
 
 ## Partitions with Cloud SIEM data
 This section has information about the Sumo Logic partitions that contain Cloud SIEM data.
 
-### Partitions for Cloud SIEM Records
+### Partitions for Cloud SIEM records
 
-In Cloud SIEM, normalized Records are categorized by [Record type](/docs/cse/schema/cse-record-types/), for example, Audit, Authentication, Network, NetworkDHCP, and so on.
+In Cloud SIEM, normalized records are categorized by [record type](/docs/cse/schema/cse-record-types/), for example, Audit, Authentication, Network, NetworkDHCP, and so on.
 
-In Sumo Logic, Records are stored in partitions, which are indexes that enable better search performance. The table below shows which partition each Record type is stored in. Note that some partitions contain multiple Record types.
+In Sumo Logic, records are stored in partitions, which are indexes that enable better search performance. The table below shows which partition each record type is stored in. Note that some partitions contain multiple record types.
 
-| Cloud SIEM Record type                   | Sumo Logic partition      |
+| Cloud SIEM record type                   | Sumo Logic partition      |
 |:-----------------------------------|:---------------------------|
 | Audit                             | sec_record_audit          |
 | AuditChange                       | sec_record_audit          |
@@ -40,11 +40,11 @@ In Sumo Logic, Records are stored in partitions, which are indexes that enable b
 | NotificationVulnerability         | sec_record_notification   |
 
 
-There is a separate partition for forwarded raw messages for which Records were not created, because no log mapper was available.   
+There is a separate partition for forwarded raw messages for which records were not created, because no log mapper was available.   
 
 ### Partition for unparsed or unmapped messages
 
-| Cloud SIEM Record Type | Sumo Logic partition |
+| Cloud SIEM record type | Sumo Logic partition |
 |:-----------------|:----------------------|
 | FailedRecord    | sec_record_failure   |
 
@@ -54,27 +54,27 @@ Within a FailedRecord, `fields.reason` will contain the reason why the FailedRec
 _index=sec_record_failure | fields %fields.reason
 ```
 
-### Partition for Cloud SIEM Signals
+### Partition for Cloud SIEM signals
 
-Cloud SIEM Signals are retained in the **sec_signal** partition. Signals are saved in JSON format, and support search by keyword and nested attributes.
+Cloud SIEM signals are retained in the **sec_signal** partition. Signals are saved in JSON format, and support search by keyword and nested attributes.
 
 The **sec_signal** partition is automatically generated, and its contents are retained for two years, at no additional cost.
 
 ## About the Security Record Details view
 
-When you query Cloud SIEM Records or Signalsin a Sumo Logic log search tab, the contents of each Record or Signal are presented in a field named **Security Record Details**. The **Security Record Details** is somewhat unique in that it cannot be referenced in a query itself. It is a read-only field. Note however, that you can add subfields of the **Security Record Details** field as separate columns in the field browser. You can see an example of doing that in [Save a query with predefined display fields](#save-a-query-with-predefined-display-fields) below. And like any other field, you can hide the **Security Record Details** field, if desired.
+When you query Cloud SIEM records or signals in a Sumo Logic log search tab, the contents of each record or signal are presented in a field named **Security Record Details**. The **Security Record Details** is somewhat unique in that it cannot be referenced in a query itself. It is a read-only field. Note however, that you can add subfields of the **Security Record Details** field as separate columns in the field browser. You can see an example of doing that in [Save a query with predefined display fields](#save-a-query-with-predefined-display-fields) below. And like any other field, you can hide the **Security Record Details** field, if desired.
 
 <img src={useBaseUrl('img/cse/security-record-details.png')} alt="Security records details" style={{border: '1px solid gray'}} width="600"/>
 
 
-## Search Records from the Partitions page
+## Search records from the Partitions page
 
 If you have the **View Partitions** role capability, you can search Cloud SIEM partitions from the **Partitions** page in the Sumo Logic UI.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Partitions**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Partitions**. You can also click the **Go To...** menu at the top of the screen and select **Partitions**.
-1. The partitions that contain Cloud SIEM Records begin with the string "sec_record".<br/><img src={useBaseUrl('img/cse/security-partitions.png')} alt="Security partitions" style={{border: '1px solid gray'}} width="800"/>  
+1. The partitions that contain Cloud SIEM records begin with the string "sec_record".<br/><img src={useBaseUrl('img/cse/security-partitions.png')} alt="Security partitions" style={{border: '1px solid gray'}} width="800"/>  
 2. To search for all content in the partition, click the icon that appears next to a Partition name when you hover over a row.  
-3. A log search tab opens with a query, like `_index=PartitionName`, that returns all of the logs created within the currently selected time range, 15 minutes by default. For a description of the results, see [Search all Records in a partition](#search-all-record-partitions), below.
+3. A log search tab opens with a query, like `_index=PartitionName`, that returns all of the logs created within the currently selected time range, 15 minutes by default. For a description of the results, see [Search all records in a partition](#search-all-record-partitions), below.
 
 ## Search data in a log search tab
 
@@ -84,9 +84,9 @@ To  search a Sumo Logic partition, you specify the name of the partition using
 
 To open a log search tab in Sumo Logic, go to the **Home** screen and select **Log Search**.
 
-## Search all Records or Signals in a partition 
+## Search all records or signals in a partition 
 
-To return all the Records or Signals in a partition, all you need to include in your query is the partition name. For example, to search all Records in the `sec_record_network` partition, choose a time range, enter the query below, and then click **Start**:
+To return all the records or signals in a partition, all you need to include in your query is the partition name. For example, to search all records in the `sec_record_network` partition, choose a time range, enter the query below, and then click **Start**:
 
 ```sql
 _index=sec_record_network
@@ -96,8 +96,8 @@ _index=sec_record_network
 
 Note that:
 
-* The query returns all of the Record types that are stored in the partition: Network, NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, and NetworkProxy
-* By default, two Record fields are displayed: `Time` and `Security Record Details`, which contains all of the data from the underlying Record.  You can display additional fields by checkmarking desired fields in the **Hidden Fields** area. You can also use the fields operator to specify the fields you want displayed and save the search as described in the following section. 
+* The query returns all of the record types that are stored in the partition: Network, NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, and NetworkProxy
+* By default, two record fields are displayed: `Time` and `Security Record Details`, which contains all of the data from the underlying record.  You can display additional fields by checkmarking desired fields in the **Hidden Fields** area. You can also use the fields operator to specify the fields you want displayed and save the search as described in the following section. 
 
 #### Save a query with predefined display fields
 
@@ -105,7 +105,7 @@ You can use the `fields` operator to choose the fields you want to be displayed
 
 To add display fields:
 
-This query adds the `objectType` (which contains the Record type) and the `user_username` fields to the displayed output:
+This query adds the `objectType` (which contains the record type) and the `user_username` fields to the displayed output:
 
 ```sql
 _index = sec_record_audit
@@ -120,31 +120,31 @@ _index = sec_record_audit
 
 ## Search multiple partitions
 
-You can search multiple partitions by using `OR` in the query. For example, to search all Records in the `sec_record_audit` and `sec_record_network` partitions: 
+You can search multiple partitions by using `OR` in the query. For example, to search all records in the `sec_record_audit` and `sec_record_network` partitions: 
 
 ```sql
 _index = sec_record_audit OR _index = sec_record_network
 ```
 
-## Search all Record partitions
+## Search all record partitions
 
-To search all Records in all of the in partitions that contain Cloud SIEM Records, use an asterisk (`*`)wildcard.
+To search all records in all of the in partitions that contain Cloud SIEM records, use an asterisk (`*`)wildcard.
 
 ```sql
 _index = sec_record_*
 ```
 
-## Query by Record type
+## Query by record type
 
-The `objectType` field in a Record indicates its Record type. To restrict results to a particular Record type, use `_index` to identify the partition that contains that Record type, and `objectType` to specify the Record type. For example, to search for NetworkHTTP Records in the `sec_record_network` partition:
+The `objectType` field in a record indicates its record type. To restrict results to a particular record type, use `_index` to identify the partition that contains that record type, and `objectType` to specify the record type. For example, to search for NetworkHTTP records in the `sec_record_network` partition:
 
 ```sql
 _index = sec_record_network objectType=NetworkHTTP
 ```
 
-## Return a count of Records by Record type 
+## Return a count of records by record type 
 
-You can use the count operator to aggregate your query results. In the following query, we use the asterisk wildcard to search across all partitions that contain Cloud SIEM Records, and count the results by `objectType`, which contains the Record type. The following query returns the count of Records of each type. 
+You can use the count operator to aggregate your query results. In the following query, we use the asterisk wildcard to search across all partitions that contain Cloud SIEM records, and count the results by `objectType`, which contains the record type. The following query returns the count of records of each type. 
 
 ```
 _index = sec_record_*
@@ -160,7 +160,7 @@ You can search Cloud SIEM fields by keyword, for example:
 
 ### Referencing nested JSON fields
 
-The **Security Record Details** field contains a JSON object with all of the fields from the underlying Record or Signal. Some of the data is nested in one or more sub-objects, like the `fields` object for Record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying Record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.
+The **Security Record Details** field contains a JSON object with all of the fields from the underlying record or signal. Some of the data is nested in one or more sub-objects, like the `fields` object for record., shown expanded in the screenshot below. The fields object contains the contents of the [fields](/docs/cse/schema/schema-attributes) field in the underlying record, which is all of the unnormalized data from the original log message before it was normalized to the Cloud SIEM schema.
 
 <img src={useBaseUrl('img/cse/nested-fields.png')} alt="Nested fields" style={{border: '1px solid gray'}} width="800"/>
 
@@ -174,8 +174,8 @@ _index=sec_record_authentication
 
 ## Security index search limitations
 
-* When you use wildcards for field values in a query scope, only Records in which those fields are present and not null will be returned. For example, the following query will only return Records if the `srcDevice_ip` is present and not null:
+* When you use wildcards for field values in a query scope, only records in which those fields are present and not null will be returned. For example, the following query will only return records if the `srcDevice_ip` is present and not null:
     ```
     _index = sec_record_* srcDevice_ip=*
     ```  
-* The partitions that contain Cloud SIEM Records and Signals are stored in a dedicated security data tier. You can’t access data in the security indexes and data in other data tiers (Continuous, Frequent, or Infrequent) and flex in the same query.
+* The partitions that contain Cloud SIEM records and signals are stored in a dedicated security data tier. You can’t access data in the security indexes and data in other data tiers (Continuous, Frequent, or Infrequent) and flex in the same query.
diff --git a/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md b/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
index 4439c28ba9..3670ad9ad1 100644
--- a/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
+++ b/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold.md
@@ -2,23 +2,23 @@
 id: set-insight-generation-window-threshold
 title: Set Insight Generation Window and Threshold
 sidebar_label: Insight Generation Settings
-description: Learn how to configure the detection window and the threshold Activity Score for Insight generation.
+description: Learn how to configure the detection window and the threshold activity score for insight generation.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This section has instructions for changing the detection window and the threshold Activity Score for Insight generation.
+This section has instructions for changing the detection window and the threshold activity score for insight generation.
 
-By default, the detection window is 14 days, and the threshold Activity Score is 12. That means if an Entity's Activity Score goes from 0 to 13 within a 14 day period, Cloud SIEM will generate an Insight on that Entity. For information about how that works, see [Understanding Entity Activity Scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic.
+By default, the detection window is 14 days, and the threshold activity score is 12. That means if an entity's activity score goes from 0 to 13 within a 14 day period, Cloud SIEM will generate an insight on that entity. For information about how that works, see [Understanding entity activity scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic.
 
-To change the Insight generation settings:
+To change the insight generation settings:
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Workflow** select **Detection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu click **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Detection**. You can also click the **Go To...** menu at the top of the screen and select **Insight Detection**.  
 <br/>Your current detection settings are displayed on the Insight Detection page.<br/><img src={useBaseUrl('img/cse/detection-threshold-popup.png')} alt="Detection threshold settings" style={{border: '1px solid gray'}} width="600"/>
 1. Enter values for **Detection Threshold** and **Signal Suppression**:
      *  **Standard Threshold**
-         * **Detection Window (Days)**. Enter the duration, in days, during which an Entity's Activity Score must exceed the threshold to result in an Insight being generated for the Entity. 
-         * **Threshold**. Enter the threshold Activity Score value that an Entity must exceed during the detection window to result in an Insight being generated for the Entity. 
+         * **Detection Window (Days)**. Enter the duration, in days, during which an entity's activity score must exceed the threshold to result in an insight being generated for the entity. 
+         * **Threshold**. Enter the threshold activity score value that an entity must exceed during the detection window to result in an insight being generated for the entity. 
      * **Global Signal Suppression**
-         * **Maximum Period (Hours)**. By default, redundant Signals for a Signal-Entity combination are automatically suppressed for a maximum period of 72 hours to avoid repeated Signals contributing to Insight generation. This setting lets you modify this period based upon your organizational needs. To change this setting, select the number of hours to suppress Signals, anywhere from 24 hours to 72 hours. For additional ways to control signal suppression, see [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/).
+         * **Maximum Period (Hours)**. By default, redundant signals for a signal-entity combination are automatically suppressed for a maximum period of 72 hours to avoid repeated signals contributing to insight generation. This setting lets you modify this period based upon your organizational needs. To change this setting, select the number of hours to suppress signals, anywhere from 24 hours to 72 hours. For additional ways to control signal suppression, see [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/).
 1. Click **Save**. 
diff --git a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
index 54a3e495c2..b38814e465 100644
--- a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
+++ b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md
@@ -2,25 +2,25 @@
 id: tags-insights-signals-entities-rules
 title: Using Tags with Insights, Signals, Entities, and Rules
 sidebar_label: Using Tags
-description: Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
+description: Tags are metadata you can attach to insights, signals, entities, and rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
 ## What are tags?
 
-Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
+Tags are metadata you can attach to insights, signals, entities, and rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag.
 
 There are two types of tags: 
 
 * **Schema keys**. These are predefined key-value pairs, which are useful for ensuring that users use  consistent values when assigning tags to items. There are two built-in schema tags: **Tactic** and **Technique**, which relate to the Mitre ATT&CK framework.
 
-    You can create your own schema tags as well, as described in [Create a Custom Tag Schema](/docs/cse/administration/create-a-custom-tag-schema/). You can optionally configure a URL for each value in a custom tag schema. If you do, a user will be able to open that URL from the tag’s Action menu when it’s presented in the Cloud SIEM UI. See [Tag Actions](#tag-actions) below for an example.
+    You can create your own schema tags as well, as described in [Create a Custom Tag Schema](/docs/cse/administration/create-a-custom-tag-schema/). You can optionally configure a URL for each value in a custom tag schema. If you do, a user will be able to open that URL from the tag’s Action menu when it’s presented in the Cloud SIEM UI. See [Tag actions](#tag-actions) below for an example.
 
-    You can assign schema key tags to custom Rules you’ve developed.  For  built-in rules, you can assign or delete new  schema tags, but you can’t change or remove the tags that come with the rule. You can also assign schema key tags to Insights, both Cloud SIEM-generated and custom.    
-* **Keyword tags**. These are arbitrary labels that you define yourself. You can assign keyword tags to custom Rules, Entities, and Insights, both Cloud SIEM-generated and custom. You can’t remove or change the tags that come with built-in rules. 
+    You can assign schema key tags to custom rules you’ve developed.  For  built-in rules, you can assign or delete new  schema tags, but you can’t change or remove the tags that come with the rule. You can also assign schema key tags to insights, both Cloud SIEM-generated and custom.    
+* **Keyword tags**. These are arbitrary labels that you define yourself. You can assign keyword tags to custom rules, entities, and insights, both Cloud SIEM-generated and custom. You can’t remove or change the tags that come with built-in rules. 
 
-A tag attached to a Rule is applied to Signals that the Rule generates. Similarly, tags applied to a Signal are applied to the Insights the Signal contributes to. All of the tags applied to an Insight's contributing Signals are aggregated, de-duplicated, and applied to the Insight. Note that an item is tagged when it is created. So, if you add a tag to a rule, Signals and Insights created before you updated the rule will not have that tag applied.
+A tag attached to a rule is applied to signals that the rule generates. Similarly, tags applied to a signal are applied to the insights the signal contributes to. All of the tags applied to an insight's contributing signals are aggregated, de-duplicated, and applied to the insight. Note that an item is tagged when it is created. So, if you add a tag to a rule, signals and insights created before you updated the rule will not have that tag applied.
 
 ## Tags and types
 
@@ -32,20 +32,20 @@ summarizes this behavior.
 |:--------------------------|:-----------------------------------|:---------------------------------|
 | Built-in rule            | yes                               | \-                              |
 | Custom rule              | yes                               | \-                              |
-| Custom Insight           | yes                               | \-                              |
-| System-generated Insight | yes                               | Rule(s), Entity, Custom Insight |
+| Custom insight           | yes                               | \-                              |
+| System-generated insight | yes                               | Rule(s), entity, custom insight |
 | Entity                   | yes                               | \-                              |
-| Signal                   | no                                | Rule(s), Entity                 |
+| Signal                   | no                                | Rule(s), entity                 |
 
 ## View tags
 
-You can view tags on the pages that provide summary views of Insights, Signals, Entities, and Rules. You can also view the tags assigned to an item on the detailed page you see when you navigate to a particular Insight, Signal, Entity, or Rule. 
+You can view tags on the pages that provide summary views of insights, signals, entities, and rules. You can also view the tags assigned to an item on the detailed page you see when you navigate to a particular insight, signal, entity, or rule. 
 
-This is an overview of an Insight from the Insights page. Multiple schema key tags are attached to the Insight.
+This is an overview of an insight from the insights page. Multiple schema key tags are attached to the insight.
 
 <img src={useBaseUrl('img/cse/insight-list-tags.png')} alt="Insight list tags" style={{border: '1px solid gray'}} width="800"/>
 
-The screenshot below shows an Entity to which a schema tag is attached.
+The screenshot below shows an entity to which a schema tag is attached.
 
 <img src={useBaseUrl('img/cse/entity-list-tags.png')} alt="Entity list tags" style={{border: '1px solid gray'}} width="800"/>
 
@@ -58,38 +58,38 @@ The actions menu for a tag allows you to:
 
 ## Find the tagging UI
 
-The procedure for tagging Rules, Entities, and Insights is similar. The
+The procedure for tagging rules, entities, and insights is similar. The
 difference is where you do the tagging. 
 
-### UI for tagging a Rule
+### UI for tagging a rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.  
 1. Navigate to a custom rule.
 1. The UI for tagging is at the bottom of the **Then Create a Signal** area of the **Rule Editor**.
 1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag). <br/><img src={useBaseUrl('img/cse/tag-a-rule.png')} alt="Tag a rule" style={{border: '1px solid gray'}} width="350"/>
 
-### UI for tagging an Entity
+### UI for tagging an entity
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Entities** at the top of the screen.  <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**. 
-1. Navigate to the Entity to which you want to attach a tag.
+1. Navigate to the entity to which you want to attach a tag.
 1. The UI for tagging is at the bottom of the **Details** pane.
-2. To add a tag, follow the instructions in [Add a keyword tag](#apply-a-keyword-tag).<br/><img src={useBaseUrl('img/cse/tag-an-entity.png')} alt="Tag an Entity" style={{border: '1px solid gray'}} width="350"/>
+2. To add a tag, follow the instructions in [Add a keyword tag](#apply-a-keyword-tag).<br/><img src={useBaseUrl('img/cse/tag-an-entity.png')} alt="Tag an entity" style={{border: '1px solid gray'}} width="350"/>
 
-### UI for tagging an Cloud SIEM-generated Insight
+### UI for tagging an Cloud SIEM-generated insight
 
-Note that in addition to tags that you manually assign to an Insight, an Insight will inherit any tags that were applied to the content that went into the Insight—the entity and the rule(s) or custom insight definitions that created the included signals—will automatically be inherited (and aggregated) by the Insight. 
+Note that in addition to tags that you manually assign to an insight, an insight will inherit any tags that were applied to the content that went into the insight—the entity and the rule(s) or custom insight definitions that created the included signals—will automatically be inherited (and aggregated) by the insight. 
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Insights** at the top of the screen. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Insights**. You can also click the **Go To...** menu at the top of the screen and select **Insights**. 
-1. Navigate to the Insight to which you want to attach a tag.
+1. Navigate to the insight to which you want to attach a tag.
 1. The UI for tagging is at the bottom of the **Details** pane.
-1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).<br/><img src={useBaseUrl('img/cse/tag-an-insight.png')} alt="Tag an Insight" style={{border: '1px solid gray'}} width="350"/>
+1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).<br/><img src={useBaseUrl('img/cse/tag-an-insight.png')} alt="Tag an insight" style={{border: '1px solid gray'}} width="350"/>
 
-### UI for tagging a custom Insight
+### UI for tagging a custom insight
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Custom Insights**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Custom Insights**. You can also click the **Go To...** menu at the top of the screen and select **Custom Insights**.  
-1. Navigate to a custom Insight.
-1. The UI for tagging is at the bottom of the **Then Create a Signal** area of the Insight Editor.
-1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).<br/><img src={useBaseUrl('img/cse/custom-insight.png')} alt="Tag a Custom Insight" style={{border: '1px solid gray'}} width="600"/>
+1. Navigate to a custom insight.
+1. The UI for tagging is at the bottom of the **Then Create a Signal** area of the insight editor.
+1. To add a tag, follow the instructions in [Add a schema key tag](#applya-schema-key-tag) or [Add a keyword tag](#apply-a-keyword-tag).<br/><img src={useBaseUrl('img/cse/custom-insight.png')} alt="Tag a custom insight" style={{border: '1px solid gray'}} width="600"/>
 
 ## Apply a schema key tag
 
@@ -101,15 +101,15 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
 
 ### Apply a keyword tag
 
-1. Navigate to the Rule, Entity, or Insight to which you want to add a tag, as described in [Find the tagging UI](#find-the-tagging-ui).
+1. Navigate to the rule, entity, or insight to which you want to add a tag, as described in [Find the tagging UI](#find-the-tagging-ui).
 1. In the tagging section, click the chevron icon.<br/><img src={useBaseUrl('img/cse/chevron-icon.png')} alt="Chevron icon" style={{border: '1px solid gray'}} width="400"/>
-1. A list of keyword tags that have already been assigned to items of the current type (Rule, Entity, or Insight) appears. You can select an existing tag, or add a new one. Enter text in the field to see a list of matching values.<br/><img src={useBaseUrl('img/cse/freeform-tag-list.png')} alt="Freeform tag list" style={{border: '1px solid gray'}} width="400"/>
+1. A list of keyword tags that have already been assigned to items of the current type (rule, entity, or insight) appears. You can select an existing tag, or add a new one. Enter text in the field to see a list of matching values.<br/><img src={useBaseUrl('img/cse/freeform-tag-list.png')} alt="Freeform tag list" style={{border: '1px solid gray'}} width="400"/>
 1. To add a new tag, enter it and press Return.
 1. The tag is added to the item. 
 
 ## Search by tag
 
-### Search Insights, Signals, or Entities by tag
+### Search insights, signals, or entities by tag
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Near the top of the screen, click in the Cloud SIEM search area and then click the funnel icon.  <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Search Cloud SIEM**, and click the funnel icon. You can also click the **Go To...** menu at the top of the screen and select **Search Cloud SIEM**. <br/><img src={useBaseUrl('img/cse/funnel-icon.png')} alt="Funnel icon" width="400"/>
 1. Select **Insights**, **Signals**, or **Entities** from the **Sources** list.<br/><img src={useBaseUrl('img/cse/sources.png')} alt="Sources" style={{border: '1px solid gray'}} width="300"/>
@@ -117,7 +117,7 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
 1. Choose **contain** or **do not contain** from the **Operators** list.<br/><img src={useBaseUrl('img/cse/operators.png')} alt="Operators" style={{border: '1px solid gray'}} width="300"/>
 1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords list**, items that match are listed.
 
-### Search Rules by tag
+### Search rules by tag
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.  
 1. Click in the **Filters** area and select **Tags** from the **Fields** list.<br/><img src={useBaseUrl('img/cse/search-rules-by-tag.png')} alt="Search rules by tag" style={{border: '1px solid gray'}} width="400"/>
@@ -126,11 +126,11 @@ Note that in addition to tags that you manually assign to an Insight, an Insight
 
 ### Filter a list view by clicking a tag
 
-On the Insights, Signals, Rules, or Entities page, you can click a tag to filter the list. For example, if you click the **Tactic: TA0005 - Defense Evasion** tag on an Insight, like this:
+On the insights, signals, rules, or entities page, you can click a tag to filter the list. For example, if you click the **Tactic: TA0005 - Defense Evasion** tag on an insight, like this:
 
 <img src={useBaseUrl('img/cse/filter-list-by-tag.png')} alt="Filter list by tag" style={{border: '1px solid gray'}} width="800"/>
 
-the page will be filtered to show only Insights that have that tag:
+the page will be filtered to show only insights that have that tag:
 
 <img src={useBaseUrl('img/cse/filtered-list.png')} alt="Filtered list" style={{border: '1px solid gray'}} width="800"/>
 
diff --git a/docs/cse/records-signals-entities-insights/view-manage-entities.md b/docs/cse/records-signals-entities-insights/view-manage-entities.md
index 1cc38e833d..9b2fa3bbf5 100644
--- a/docs/cse/records-signals-entities-insights/view-manage-entities.md
+++ b/docs/cse/records-signals-entities-insights/view-manage-entities.md
@@ -1,7 +1,7 @@
 ---
 id: view-manage-entities
 title: View and Manage Entities
-description: The Entities page lists all of the Entities in Cloud SIEM and their Activity Scores.
+description: The Entities page lists all of the entities in Cloud SIEM and their activity scores.
 keywords:
     - Cloud SIEM
     - entity
@@ -10,13 +10,13 @@ keywords:
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has information about the **Entities** page in Cloud SIEM UI, which lists all of the Entities in Cloud SIEM and their Activity Scores, and the **Entities > Details** page, which presents information about a particular Entity, including Signals and Insights associated with the Entity.
+This topic has information about the **Entities** page in Cloud SIEM UI, which lists all of the entities in Cloud SIEM and their activity scores, and the **Entities > Details** page, which presents information about a particular entity, including signals and insights associated with the entity.
 
-The **Entities** page is useful for monitoring Entities that are close to having an Insight created. On the **Entities > Details** page, you can view Signals and Insights for an Entity, and, as desired, manually create an Insight from Signals associated with the Entity.
+The **Entities** page is useful for monitoring entities that are close to having an insight created. On the **Entities > Details** page, you can view signals and insights for an entity, and, as desired, manually create an insight from signals associated with the entity.
 
-You can also update the [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) state, and [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) assigned to Entities, as described below in the [Update Multiple Entities](/docs/cse/records-signals-entities-insights/view-manage-entities/) section below. 
+You can also update the [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/), [suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/) state, and [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) assigned to entities, as described below in the [Update multiple entities](#update-multiple-entities) section below. 
 
-Watch this micro lesson to learn more about Entities.
+Watch this micro lesson to learn more about entities.
 
 <Iframe url="https://www.youtube.com/embed/cIpLaDQAOAw?rel=0"
         width="854px"
@@ -31,9 +31,9 @@ Watch this micro lesson to learn more about Entities.
 
 import Iframe from 'react-iframe'; 
 
-## About Entities
+## About entities
 
-In Cloud SIEM, an Entity is a unique actor that a Signal fired upon. Cloud SIEM has a number of built-in Entity types:
+In Cloud SIEM, an entity is a unique actor that a signal fired upon. Cloud SIEM has a number of built-in entity types:
 
 * Command
 * Domain
@@ -48,140 +48,140 @@ In Cloud SIEM, an Entity is a unique actor that a Signal fired upon. Cloud SIEM
 * User Agent
 * Username
 
-You can create custom Entity types as well. For more information, see [Create a Custom Entity Type](/docs/cse/records-signals-entities-insights/create-custom-entity-type/).
+You can create custom entity types as well. For more information, see [Create a Custom Entity Type](/docs/cse/records-signals-entities-insights/create-custom-entity-type/).
 
-When a Signal is fired, if an Entity doesn’t already exist in Cloud SIEM for the item that the Signal fired on, Cloud SIEM creates an Entity for it. For more information about Entities and Signal and Insight generation, see [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process).
+When a signal is fired, if an entity doesn’t already exist in Cloud SIEM for the item that the signal fired on, Cloud SIEM creates an entity for it. For more information about entities and signal and insight generation, see [Insight Generation Process](/docs/cse/get-started-with-cloud-siem/insight-generation-process).
 
 ## About the Entities list page
 
-[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view Entities, click **Entities** at the top of the screen. 
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view entities, click **Entities** at the top of the screen. 
 
-[**New UI**](/docs/get-started/sumo-logic-ui). To view Entities, in the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**. 
+[**New UI**](/docs/get-started/sumo-logic-ui). To view entities, in the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**. 
 
 <img src={useBaseUrl('img/cse/entities-page-2.png')} alt="Entities page" style={{border: '1px solid gray'}} width="800"/>
 
 
 | Letter | Description |
 |:--|:--|
-| a | This area shows the total number of unique Entities in Cloud SIEM. |
-| b | In the **Filters** area, you can filter the list of Entities by Activity Score, Hostname, IP Address, Username, Tags, Type, and Suppressed. |
-| c | In this area you can sort Entities by Activity Score, Name, or Type.  |
-| d | The Import Metadata option allows you to upload a .csv file of updates to Entity tags, suppression state, and Criticality, as described in [Update Multiple Entities](#update-multiple-entities). |
-| e | Shows the Entity Type and its value.  |
-| f | If an Entity has the **Suppressed** indicator, that means that Signals will not be fired on the Entity. |
-| g | The **Criticality** column shows whether a [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) has been assigned to the Entity. A Criticality adjusts the severity of Signals for specific Entities based on some risk factor or other consideration. If a Criticality hasn't been assigned to an Entity, the column contains "default". |
-| h | The current Activity Score for the Entity, which by default is the sum of the severities of the Signals that have fired on the Entity over the previous two weeks. For more information, see [Understanding Entity Activity Scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic. |
-| i | The total amount of Signal severity for the Entity. |
+| a | This area shows the total number of unique entities in Cloud SIEM. |
+| b | In the **Filters** area, you can filter the list of entities by activity score, hostname, IP address, username, tags, type, and suppressed. |
+| c | In this area you can sort entities by activity score, name, or type.  |
+| d | The Import Metadata option allows you to upload a .csv file of updates to entity tags, suppression state, and criticality, as described in [Update multiple entities](#update-multiple-entities). |
+| e | Shows the entity type and its value.  |
+| f | If an entity has the **Suppressed** indicator, that means that signals will not be fired on the entity. |
+| g | The **Criticality** column shows whether a [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) has been assigned to the entity. A criticality adjusts the severity of signals for specific entities based on some risk factor or other consideration. If a criticality hasn't been assigned to an entity, the column contains "default". |
+| h | The current activity score for the entity, which by default is the sum of the severities of the signals that have fired on the entity over the previous two weeks. For more information, see [Understanding entity activity scores](/docs/cse/get-started-with-cloud-siem/insight-generation-process#understanding-entity-activity-scores), in the *Insight Generation Process* topic. |
+| i | The total amount of signal severity for the entity. |
 
-If you see a link below the Entity value, it’s a [tag](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/). You can click it to filter Entities by that tag. 
+If you see a link below the entity value, it’s a [tag](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/). You can click it to filter entities by that tag. 
 
-## About the Entities Details page
+## About the entities details page
 
-When you click an Entity on the **Entities** page, a details page for
-the Entity appears.
+When you click an entity on the **Entities** page, a details page for
+the entity appears.
 
 <img src={useBaseUrl('img/cse/entity-details-new-host.png')} alt="Entity details page" style={{border: '1px solid gray'}} width="900"/>
 
 | Letter | Description |
 |:--|:--|
-| a | **Suppression**. Shows whether or not the Entity is currently [suppressed](/docs/cse/records-signals-entities-insights/about-signal-suppression). You can use the slider to suppress the Entity so that it is excluded from the Insight generation process.  |
-| b | **Automations**. Click to view [automations](/docs/cse/automation/automations-in-cloud-siem/#run-an-automation-manually-on-entities) available to be run on the Entity. |
-| c | **Tags**. Lists any [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) assigned to the Entity. You can add a new tag, select a tag to assign, or remove a tag from the Entity. |
-| d | **Criticality**. An Entity’s [Criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration. You can reset the Criticality here. |
-| e | **Signal Severity Total**.  The total amount of Signal severity for the Entity. |
-| f | **Indicators**.  The indicators on the Entity, whether from enrichments or threat intelligence. |
-| g | **Metadata**. This section lists the contents of enrichment fields  that were added during Record processing. |
-| h | **Network Blocks**.  [Network blocks](/docs/cse/administration/create-use-network-blocks/) for the Entity.  |
-| i | **Inventory**. If the selected Entity is standard Entity type (as opposed to a custom Entity type), this area provides selected information about the Inventory object associated with the Entity. (Inventory information is not provided for custom entity types.) Inventory data is customer or 3rd-party provided information that describes devices and users along with contact information and job descriptions. Cloud SIEM joins inventory data on demand with data from Entities in Insights data to provide context to Signals. |
-| j | **Notes**. Contains any notes added to the Entity.|
-| k | **Audit Log**. This area will list any audit events that have been logged for the Entity. An audit log is generated each time an Entity is suppressed or unsuppressed.|
-| l | **Recent Activity**. Provides a count of how many Signals or Insights included the Entity within the last 30 days. Click the plus sign (+) next to **Signals** or **Insights** to expand the list. |
-| m | **Activity**. This tab displays a visualization of Signals on the Entity over time.The x-axis is time, the y-axis is severity. The icons represent Signals.
-| n | **Enrichments** tab. If you use Cloud SIEM’s automation as a service, Entity enrichments obtained from Cloud SOAR may be available on this tab.   |
-| o | **Timeline**. A timeline appears for the Entity's activity over a three-day period. For more information, see [About the Entity Timeline tab](#about-the-entity-timeline-tab).|
-| p | **Related Entities**. Entities related to the current Entity. |
-| q | **Automations**. [Automations](/docs/cse/automation/automations-in-cloud-siem/#view-results-of-an-automation) that have been run on the Entity. |
-| r | **Create Insight**. You can use this option to create an Insight on the Entity, as described below in [Create an Insight](#create-an-insight), below. |
-| s | The **Current State** section lists Signals that were generated for the Entity during the current [Detection Window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) that are not already part of an Insight. (The Detection Window is the period over which Cloud SIEM evaluates Signals, which is 14 days, by default. The Detection Window is configured on the **Content > Custom Insights** page in the Cloud SIEM UI.) |
-
-Below the **Current State** section there may be a **Prior Activity** section. This section lists Signals that were generated for the Entity prior to the current Detection window, and all Insights for the Entity. 
+| a | **Suppression**. Shows whether or not the entity is currently [suppressed](/docs/cse/records-signals-entities-insights/about-signal-suppression). You can use the slider to suppress the entity so that it is excluded from the insight generation process.  |
+| b | **Automations**. Click to view [automations](/docs/cse/automation/automations-in-cloud-siem/#run-an-automation-manually-on-entities) available to be run on the entity. |
+| c | **Tags**. Lists any [tags](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules/) assigned to the entity. You can add a new tag, select a tag to assign, or remove a tag from the entity. |
+| d | **Criticality**. An entity’s [criticality](/docs/cse/records-signals-entities-insights/entity-criticality/) is a setting that adjusts the severity of signals that fire on the entity, based on a risk factor or other consideration. You can reset the criticality here. |
+| e | **Signal Severity Total**.  The total amount of signal severity for the entity. |
+| f | **Indicators**.  The indicators on the entity, whether from enrichments or threat intelligence. |
+| g | **Metadata**. This section lists the contents of enrichment fields  that were added during record processing. |
+| h | **Network Blocks**.  [Network blocks](/docs/cse/administration/create-use-network-blocks/) for the entity.  |
+| i | **Inventory**. If the selected entity is standard entity type (as opposed to a custom entity type), this area provides selected information about the Inventory object associated with the entity. (Inventory information is not provided for custom entity types.) Inventory data is customer or 3rd-party provided information that describes devices and users along with contact information and job descriptions. Cloud SIEM joins inventory data on demand with data from entities in insights data to provide context to signals. |
+| j | **Notes**. Contains any notes added to the entity.|
+| k | **Audit Log**. This area will list any audit events that have been logged for the entity. An audit log is generated each time an entity is suppressed or unsuppressed.|
+| l | **Recent Activity**. Provides a count of how many signals or insights included the entity within the last 30 days. Click the plus sign (+) next to **Signals** or **Insights** to expand the list. |
+| m | **Activity**. This tab displays a visualization of signals on the entity over time.The x-axis is time, the y-axis is severity. The icons represent signals.
+| n | **Enrichments** tab. If you use Cloud SIEM’s automation as a service, entity enrichments obtained from Cloud SOAR may be available on this tab.   |
+| o | **Timeline**. A timeline appears for the entity's activity over a three-day period. For more information, see [About the Entity Timeline tab](#about-the-entity-timeline-tab).|
+| p | **Related Entities**. Entities related to the current entity. |
+| q | **Automations**. [Automations](/docs/cse/automation/automations-in-cloud-siem/#view-results-of-an-automation) that have been run on the entity. |
+| r | **Create Insight**. You can use this option to create an insight on the entity, as described below in [Create an insight](#create-an-insight), below. |
+| s | The **Current State** section lists signals that were generated for the entity during the current [detection window](/docs/cse/records-signals-entities-insights/set-insight-generation-window-threshold/) that are not already part of an insight. (The detection window is the period over which Cloud SIEM evaluates signals, which is 14 days, by default. The detection window is configured on the **Content > Custom Insights** page in the Cloud SIEM UI.) |
+
+Below the **Current State** section there may be a **Prior Activity** section. This section lists signals that were generated for the entity prior to the current detection window, and all insights for the entity. 
 
 ## About the Entity Timeline tab
 
-The **Entity Timeline** tab provides visibility into Entity inventory data, Entity relationships, Records, Signals, and Insights over a default three-day time period. This view gives information about what else the Entity doing before, during, and after Signals and Insights involving the Entity were generated.
+The **Entity Timeline** tab provides visibility into entity inventory data, entity relationships, records, signals, and insights over a default three-day time period. This view gives information about what else the entity doing before, during, and after signals and insights involving the entity were generated.
 
-The right side of the tab organizes Records by Record Type and vendor, with a Record count. For example, the screenshot below indicates that there were two email Records from Microsoft Office 365 at 4:41:02 AM. The orange icon to the left of the Record summary indicates that the Record aggregation contains a Signal. The indented item below the Record summary is a link to the Signal.
+The right side of the tab organizes records by record type and vendor, with a record count. For example, the screenshot below indicates that there were two email records from Microsoft Office 365 at 4:41:02 AM. The orange icon to the left of the record summary indicates that the record aggregation contains a signal. The indented item below the record summary is a link to the signal.
 
-Similarly, a red icon indicates that the Record set contains an Insight, and the link below the summary is a link to the Insight.
+Similarly, a red icon indicates that the record set contains an insight, and the link below the summary is a link to the insight.
 
 <img src={useBaseUrl('img/cse/entity-timeline.png')} alt="Entity timeline" style={{border: '1px solid gray'}} width="800"/>
 
-You can view a summary of the Records in a Record set by clicking on it. The Records are listed on the right side of the **Entity Timeline** tab. To view the complete Record, click the link in the upper right corner of the card for a Record.
+You can view a summary of the records in a record set by clicking on it. The records are listed on the right side of the **Entity Timeline** tab. To view the complete record, click the link in the upper right corner of the card for a record.
 
 <img src={useBaseUrl('img/cse/timeline-records.png')} alt="Timeline records" style={{border: '1px solid gray'}} width="800"/>
 
-## Create an Insight
+## Create an insight
 
-You can create an Insight for an Entity based on one or more Signals on the Entity. To do so, checkmark each Signal you want to include in the Insight, and click **Create Insight**.
+You can create an insight for an entity based on one or more signals on the entity. To do so, checkmark each signal you want to include in the insight, and click **Create Insight**.
 
-<img src={useBaseUrl('img/cse/create-insight.png')} alt="Create Insight" style={{border: '1px solid gray'}} width="800"/>
+<img src={useBaseUrl('img/cse/create-insight.png')} alt="Create insight" style={{border: '1px solid gray'}} width="800"/>
 
-The page refreshes and shows the selected Signals grouped in a new Insight.
+The page refreshes and shows the selected signals grouped in a new insight.
 
 
-## Update multiple Entities
+## Update multiple entities
 
 This section describes how to update the tags, suppression state,
-or Criticality for one or more Entities.
+or criticality for one or more entities.
 
-### Update Entities from the UI
+### Update entities from the UI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). Click **Entities** at the top of the screen. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM > Entities**. You can also click the **Go To...** menu at the top of the screen and select **Entities**.  
-1. Note that there is a checkbox at the left end of each Entity row, and one above the Entities list. <br/><img src={useBaseUrl('img/cse/entities-page.png')} alt="Entities page" style={{border: '1px solid gray'}} width="800"/>
-1. Click the top checkbox to select all of the Entities on the page, or click the checkbox next to each Entity you want to update. 
-1. Note that once you select an Entity, three options appear at the top of the Entities list. <br/><img src={useBaseUrl('img/cse/update-options.png')} alt="Update options" style={{border: '1px solid gray'}} width="800"/> 
+1. Note that there is a checkbox at the left end of each entity row, and one above the entities list. <br/><img src={useBaseUrl('img/cse/entities-page.png')} alt="Entities page" style={{border: '1px solid gray'}} width="800"/>
+1. Click the top checkbox to select all of the entities on the page, or click the checkbox next to each entity you want to update. 
+1. Note that once you select an entity, three options appear at the top of the entities list. <br/><img src={useBaseUrl('img/cse/update-options.png')} alt="Update options" style={{border: '1px solid gray'}} width="800"/> 
 <br/>See the instructions for each option below:
    * [Update Tags](#update-tags)
    * [Update Suppression](#update-suppression)
    * [Update Criticality](#update-criticality)
 
-#### Update tags
+#### Update Tags
 
-1. After selecting the Entities you want to update, click **Update Tags**. 
+1. After selecting the entities you want to update, click **Update Tags**. 
 2. Click the down arrow to display the options: <br/><img src={useBaseUrl('img/cse/tag-options.png')} alt="Tag options" style={{border: '1px solid gray'}} width="400"/>
-   * **Add.** Select this option to add one or more tags to the Entity, without affecting any tags already assigned to the Entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select  multiple tags to add.
-   * **Remove**. Select his option to remove one or more tags from the Entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select multiple tags to remove. If a selected Entity doesn't have the specified tags, no change will be made to the Entity. 
-   * **Replace**. Select this option to remove all of the tags currently assigned to the Entity and add one or more specified tags. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. 
+   * **Add.** Select this option to add one or more tags to the entity, without affecting any tags already assigned to the entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select  multiple tags to add.
+   * **Remove**. Select his option to remove one or more tags from the entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select multiple tags to remove. If a selected entity doesn't have the specified tags, no change will be made to the entity. 
+   * **Replace**. Select this option to remove all of the tags currently assigned to the entity and add one or more specified tags. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. 
     :::important
     When you use the **Replace** option, be sure to specify new tags. If you do not, the existing tags will still be removed.
     :::
-3. As you select tags, they’ll appear in the update popup. <br/><img src={useBaseUrl('img/cse/tags-to-add.png')} alt="Add tags to Entities" style={{border: '1px solid gray'}} width="400"/>
+3. As you select tags, they’ll appear in the update popup. <br/><img src={useBaseUrl('img/cse/tags-to-add.png')} alt="Add tags to entities" style={{border: '1px solid gray'}} width="400"/>
 4. When you are done selecting tags, click **Update Entity Tags**.
 
-#### Update suppression
+#### Update Suppression
 
-1. After selecting the Entities you want to update, click **Update Suppression**. 
+1. After selecting the entities you want to update, click **Update Suppression**. 
 2. The **Update Suppression** popup appears, with the suppression toggle set to **Not Suppressed**. <br/><img src={useBaseUrl('img/cse/before-suppression.png')} alt="Update suppression" style={{border: '1px solid gray'}} width="400"/>
-3. If you want to unsuppress the selected Entities, click **Update Entity Suppression**. Otherwise, if you want to suppress the Entity, toggle the slider to **Suppressed**, supply a comment if desired, and then click **Update Entity Suppression**. 
+3. If you want to unsuppress the selected entities, click **Update Entity Suppression**. Otherwise, if you want to suppress the entity, toggle the slider to **Suppressed**, supply a comment if desired, and then click **Update Entity Suppression**. 
 
 #### Update Criticality
 
-1. After selecting the Entities you want to update, click **Update Criticality**. 
+1. After selecting the entities you want to update, click **Update Criticality**. 
 2. The **Update Criticality** popup appears. <br/><img src={useBaseUrl('img/cse/update-criticalities.png')} alt="Update criticalities" style={{border: '1px solid gray'}} width="400"/>
-3. If you want to assign default Criticality to the selected Entities, click **Update Entity Criticality**. Otherwise, use the down arrow to view defined Criticalities, select one, and then click **Update Entity Criticality**.
+3. If you want to assign default criticality to the selected entities, click **Update Entity Criticality**. Otherwise, use the down arrow to view defined Criticalities, select one, and then click **Update Entity Criticality**.
 
-### Import Entity updates from a CSV file
+### Import entity updates from a CSV file
 
-You can update Entities by uploading a .csv file to Cloud SIEM. 
+You can update entities by uploading a .csv file to Cloud SIEM. 
 
 #### CSV file format
 
-There are two supported formats. The difference is in how you identify the target Entity. 
+There are two supported formats. The difference is in how you identify the target entity. 
 
-* **Format 1**—You use the `id` field to specify a target Entity.   `id, suppressed, criticality, tags, tags_to_add, tags_to_remove`
-* **Format 2**—You use the `type` and `value` fields to specify the target Entity.   `type, value, suppressed, criticality, tags, tags_to_add, tags_to_remove`
+* **Format 1**—You use the `id` field to specify a target entity.   `id, suppressed, criticality, tags, tags_to_add, tags_to_remove`
+* **Format 2**—You use the `type` and `value` fields to specify the target entity.   `type, value, suppressed, criticality, tags, tags_to_add, tags_to_remove`
 
-Regardless of the format you use, there are a couple of approaches to updating Entity tags.
+Regardless of the format you use, there are a couple of approaches to updating entity tags.
 
 * You can use `tags_to_add` and `tags_to_remove` to add new tags and remove existing tags, respectively.
 * You can use a `tags` value to specify replacement tags. This will remove all existing tags and add all of the specified replacement tags.
@@ -200,15 +200,15 @@ Note that:
 
 | Column | Description |
 |:--|:--|
-| `id` | **This field is required for Format 1.**<br/>To form the id field value, concatenate the Entity `type` and the value of the Entity, separated by a dash character (-) where the Entity `type` is one of the following:<br/>`_ip`<br/>`_hostname`<br/>`_username`<br/>`_mac`<br/>`_process`<br/>`_command`<br/>`_hash`<br/>`_domain`<br/>`_useragent`<br/>`_email`<br/>`_url`<br/>`_file`<br/>`<CustomEntityTypeId>`<br/><br/>The `id` for an IP address would look like:<br/><br/>`_ip-1.2.3.4` <br/><br/>You can optionally specify an Entity’s sensor zone as a part of the `id` column, in this format:<br/><br/> `_<entity_type>-<sensor_zone>-<entity_value>`  <br/><br/>For example: <br/><br/> `_ip-zone1-172.18.20.3`|
-| `type` | **This field is required for Format 2.**<br/>Identifies the type of Entity, one of:<br/>`_ip`<br/>`_hostname`<br/>`_username`<br/>`_mac`<br/>`_process`<br/>`_command`<br/>`_hash`<br/>`_domain`<br/>`_useragent`<br/>`_email`<br/>`_url`<br/>`_file`<br/>`<CustomEntityTypeId>` |
-| `value` | **This field is required for Format 2.**<br/>The value of the Entity, for example, for an IP address:<br/>`1.2.3.4` |
-| `sensor_zone` | Identifies the sensor zone for the Entity. <br/><br/>Don’t include this column if you are specifying Entity sensor zones in the `id` column, as described above. |
-| `suppressed` | When *true*, Cloud SIEM suppresses the Entity. |
-| `criticality` | Assigns a Criticality to the Entity. (An Entity’s Criticality is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration.) You can only specify a Criticality that has already been configured in Cloud SIEM. Allowable values:<br/>`default`<br/>`<CustomCriticality>` |
+| `id` | **This field is required for Format 1.**<br/>To form the id field value, concatenate the entity `type` and the value of the entity, separated by a dash character (-) where the entity `type` is one of the following:<br/>`_ip`<br/>`_hostname`<br/>`_username`<br/>`_mac`<br/>`_process`<br/>`_command`<br/>`_hash`<br/>`_domain`<br/>`_useragent`<br/>`_email`<br/>`_url`<br/>`_file`<br/>`<CustomEntityTypeId>`<br/><br/>The `id` for an IP address would look like:<br/><br/>`_ip-1.2.3.4` <br/><br/>You can optionally specify an entity’s sensor zone as a part of the `id` column, in this format:<br/><br/> `_<entity_type>-<sensor_zone>-<entity_value>`  <br/><br/>For example: <br/><br/> `_ip-zone1-172.18.20.3`|
+| `type` | **This field is required for Format 2.**<br/>Identifies the type of entity, one of:<br/>`_ip`<br/>`_hostname`<br/>`_username`<br/>`_mac`<br/>`_process`<br/>`_command`<br/>`_hash`<br/>`_domain`<br/>`_useragent`<br/>`_email`<br/>`_url`<br/>`_file`<br/>`<CustomEntityTypeId>` |
+| `value` | **This field is required for Format 2.**<br/>The value of the entity, for example, for an IP address:<br/>`1.2.3.4` |
+| `sensor_zone` | Identifies the sensor zone for the entity. <br/><br/>Don’t include this column if you are specifying entity sensor zones in the `id` column, as described above. |
+| `suppressed` | When *true*, Cloud SIEM suppresses the entity. |
+| `criticality` | Assigns a criticality to the entity. (An entity’s criticality is a setting that adjusts the severity of signals that fire on the entity, based on a risk factor or other consideration.) You can only specify a criticality that has already been configured in Cloud SIEM. Allowable values:<br/>`default`<br/>`<CustomCriticality>` |
 | `tags` | The tags to assign to the target. This column can’t be present if the file contains a tags_to_add or tags_to_remove column.<br/>Specify a schema key tag as `key:value`.<br/>To assign multiple tags, enclose them in double quotes. For example:<br/>`"<tag>,<tag>,<tag>"` or `"<key>:<value>,<key>:<value>"` |
-| `tags_to_add` | The tag to assign to the target Entity. This column can’t be present if the file contains a tags column.<br/>Specify a schema key tag as `key:value`. |
-| `tags_to_remove` | The tag to remove from the target Entity. This column can’t be present if the file contains a tags column.<br/>Specify a schema key tag as `key:value`. |
+| `tags_to_add` | The tag to assign to the target entity. This column can’t be present if the file contains a tags column.<br/>Specify a schema key tag as `key:value`. |
+| `tags_to_remove` | The tag to remove from the target entity. This column can’t be present if the file contains a tags column.<br/>Specify a schema key tag as `key:value`. |
 
 #### Example CSV files
 
diff --git a/docs/cse/records-signals-entities-insights/view-records-signal.md b/docs/cse/records-signals-entities-insights/view-records-signal.md
index 20f99d0d2f..64c4715298 100644
--- a/docs/cse/records-signals-entities-insights/view-records-signal.md
+++ b/docs/cse/records-signals-entities-insights/view-records-signal.md
@@ -10,7 +10,7 @@ Cloud SIEM uses rules to evaluate incoming records, and when the conditions of
  
 ## View record details
 
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view signals, click **Signals** at the top of the screen. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). To view Signals, in the main Sumo Logic menu select **Cloud SIEM > Signals**. You can also click the **Go To...** menu at the top of the screen and select **Signals**. 
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view signals, click **Signals** at the top of the screen. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). To view signals, in the main Sumo Logic menu select **Cloud SIEM > Signals**. You can also click the **Go To...** menu at the top of the screen and select **Signals**. 
 1. Select a signal. The signal's details display. <br/>When you view the details page for a signal that was triggered by a threshold, aggregation, or chain rule, you’ll see a section that displays records that matched the rules conditions. These records will continue to be associated with the signal as long as the signal is available. 
 1. Click the plus sign (+) for a record to view its details. 
 1. Use the following to work with the records: 

From 6993724215a5b6a91a0ca911be808b059fe73786 Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Tue, 17 Dec 2024 14:22:04 -0600
Subject: [PATCH 3/5] Make terms lowercase in 'Ingestion' section

---
 docs/cse/ingestion/cse-ingestion-best-practices.md          | 6 +++---
 .../ingestion-sources-for-cloud-siem/carbon-black.md        | 2 +-
 .../check-point-firewall.md                                 | 2 +-
 .../ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md | 2 +-
 .../ingestion-sources-for-cloud-siem/cisco-meraki.md        | 2 +-
 .../ingestion-sources-for-cloud-siem/corelight-zeek.md      | 2 +-
 .../ingestion-sources-for-cloud-siem/fortigate-firewall.md  | 2 +-
 .../ingestion-sources-for-cloud-siem/kemp-loadmaster.md     | 2 +-
 .../ingestion-sources-for-cloud-siem/linux-os-syslog.md     | 2 +-
 .../ingestion-sources-for-cloud-siem/nginx-access-logs.md   | 2 +-
 .../ingestion/ingestion-sources-for-cloud-siem/osquery.md   | 2 +-
 .../symantec-proxy-secure-gateway-blue-coat-proxy.md        | 2 +-
 .../symantec-proxy-secure-gateway.md                        | 2 +-
 .../ingestion-sources-for-cloud-siem/zscaler-nss.md         | 2 +-
 docs/cse/ingestion/sumo-logic-ingest-mapping.md             | 5 ++---
 docs/cse/ingestion/view-mappers-for-product.md              | 2 +-
 16 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/docs/cse/ingestion/cse-ingestion-best-practices.md b/docs/cse/ingestion/cse-ingestion-best-practices.md
index 8df56b624e..eca46b31ee 100644
--- a/docs/cse/ingestion/cse-ingestion-best-practices.md
+++ b/docs/cse/ingestion/cse-ingestion-best-practices.md
@@ -2,18 +2,18 @@
 id: cse-ingestion-best-practices
 title: Cloud SIEM Ingestion Best Practices
 sidebar_label: Cloud SIEM Ingestion Best Practices
-description: Learn how to send log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into Records.
+description: Learn how to send log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into Records. 
+This topic has information about sending log messages collected by a Sumo Logic Source or Cloud-to-Cloud Connector on to Cloud SIEM to be transformed into records. 
 
 :::note
 Cloud SIEM must be enabled in your Sumo Logic account in order to send data from Sumo Logic to Cloud SIEM. If it isn’t, contact your Sumo Logic Technical Account Manager or Sales Engineer.
 :::
 
-The process consists of configuring a source or collector to forward messages to Cloud SIEM, and ensuring that the forwarded messages are correctly tagged with the information Cloud SIEM needs in order to map messages fields to Record attributes. These are referred to as *mapping hints*, and include: Format, Vendor, Product, and an Event ID template.
+The process consists of configuring a source or collector to forward messages to Cloud SIEM, and ensuring that the forwarded messages are correctly tagged with the information Cloud SIEM needs in order to map messages fields to record attributes. These are referred to as *mapping hints*, and include: Format, Vendor, Product, and an Event ID template.
 
 The diagram below is a high level illustration of several alternative processing flows from a data source to a Sumo Logic collector or source, and on to Cloud SIEM. 
 
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md
index 8ac8da19a6..8b379f2c8a 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md
@@ -77,4 +77,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 2. On the **Log Mappings** tab search for Carbon Black Cloud and check the **Records** columns.
-3. For a more granular look at the incoming Records, you can also search Sumo Logic for Carbon Black Cloud Records.<br/> <img src={useBaseUrl('img/cse/carbon-black-search.png')} alt="A Carbon Black query" style={{border: '1px solid gray'}} width="500" />
+3. For a more granular look at the incoming records, you can also search Sumo Logic for Carbon Black Cloud records.<br/> <img src={useBaseUrl('img/cse/carbon-black-search.png')} alt="A Carbon Black query" style={{border: '1px solid gray'}} width="500" />
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
index ac65c7d96e..ca6def2349 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
@@ -63,4 +63,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "checkpoint" and check the **Records** columns.
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Check Point Firewall security records.<br/><img src={useBaseUrl('img/cse/checkpoint-search.png')} alt="Checkpoint search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Check Point Firewall security records.<br/><img src={useBaseUrl('img/cse/checkpoint-search.png')} alt="Checkpoint search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
index 3ab5c7bed7..c76a3e8af8 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
@@ -61,4 +61,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Cisco ASA" and check the **Records** columns. A list of mappers for Cisco ASA Syslog will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming Records, you can also use search the Sumo Logic platform for Cisco ASA security records.<br/><img src={useBaseUrl('img/cse/cisco-asa-search.png')} alt="Cisco ASA search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco ASA security records.<br/><img src={useBaseUrl('img/cse/cisco-asa-search.png')} alt="Cisco ASA search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
index 191d10d5d8..cfcccf414c 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
@@ -62,4 +62,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Cisco Meraki" and check the **Records** columns. A list of mappers for Cisco Meraki will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming Records, you can also use search the Sumo Logic platform for Cisco Meraki security records.<br/><img src={useBaseUrl('img/cse/cisco-meraki-search.png')} alt="Cisco Meraki search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Cisco Meraki security records.<br/><img src={useBaseUrl('img/cse/cisco-meraki-search.png')} alt="Cisco Meraki search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
index de36b78a29..0f4e8be796 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
@@ -71,4 +71,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Zeek" and check the **Records** columns. <br/><img src={useBaseUrl('img/cse/corelight-record-volume.png')} alt="Corelight record volume" style={{border: '1px solid gray'}} width="800"/>
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Corelight Zeek security records.<br/><img src={useBaseUrl('img/cse/corelight-search.png')} alt="Corelight search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records.<br/><img src={useBaseUrl('img/cse/corelight-search.png')} alt="Corelight search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
index 466bdf7ec5..2d19da005e 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
@@ -71,4 +71,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "FortiGate" and check the **Records** columns. A list of mappers for FortiGate will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for FortiGate security records.  <br/><img src={useBaseUrl('img/cse/fortigate-search.png')} alt="Fortigate search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for FortiGate security records.  <br/><img src={useBaseUrl('img/cse/fortigate-search.png')} alt="Fortigate search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
index a5441e39c7..45e29bc9bc 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
@@ -64,4 +64,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Kemp" and check the **Records** column. A list of mappers for Kemp will appear and you can see if logs are coming in. 
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Kemp security records. <br/><img src={useBaseUrl('img/cse/kemp-search.png')} alt="Kemp search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Kemp security records. <br/><img src={useBaseUrl('img/cse/kemp-search.png')} alt="Kemp search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
index 45c8553b73..fb5296e0af 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
@@ -88,4 +88,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Linux OS" and check the **Records** columns. A list of mappers for Linux OS Syslog will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Linux OS security records.<br/><img src={useBaseUrl('img/cse/search.png')} alt="Search" style={{border: '1px solid gray'}} width="400"/>  
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Linux OS security records.<br/><img src={useBaseUrl('img/cse/search.png')} alt="Search" style={{border: '1px solid gray'}} width="400"/>  
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
index b4a98102ab..f423d6c092 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
@@ -66,4 +66,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Nginx" and check the **Records** columns. A list of mappers for Nginx will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Nginx security records. <br/><img src={useBaseUrl('img/cse/nginx-search.png')} alt="Nginix search" style={{border: '1px solid gray'}} width="400"/> 
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Nginx security records. <br/><img src={useBaseUrl('img/cse/nginx-search.png')} alt="Nginix search" style={{border: '1px solid gray'}} width="400"/> 
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
index b1845dad9a..693253d7f2 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
@@ -66,4 +66,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab, search for *osquery* and check the **Records** columns.
-1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery Records.
+1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
index 3f6194e0f7..0c05297f2f 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
@@ -69,4 +69,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming Records, you can also search Sumo Logic for ProxySG Records. <br/><img src={useBaseUrl('img/cse/proxysg-search.png')} alt="ProxySG search" style={{border: '1px solid gray'}} width="500"/> 
+1. For a more granular look at the incoming records, you can also search Sumo Logic for ProxySG records. <br/><img src={useBaseUrl('img/cse/proxysg-search.png')} alt="ProxySG search" style={{border: '1px solid gray'}} width="500"/> 
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
index 66f23a3619..6b41f12e93 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
@@ -73,4 +73,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG Syslog will appear and you can see if logs are coming in.
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Proxy Secure Gateway security Records. <br/><img src={useBaseUrl('img/cse/search-blue-coat-psg.png')} alt="PSG search" style={{border: '1px solid gray'}} width="500"/> 
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Proxy Secure Gateway security records. <br/><img src={useBaseUrl('img/cse/search-blue-coat-psg.png')} alt="PSG search" style={{border: '1px solid gray'}} width="500"/> 
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
index 2aa93b9068..2bcc71b931 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
@@ -62,4 +62,4 @@ In this step, you verify that your logs are successfully making it into Cloud SI
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Nanolog Streaming Service" and check the **Records** columns.
-1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for ZScaler NSS security Records. <br/><img src={useBaseUrl('img/cse/zscaler-nss-search.png')} alt="Zscaler NSS search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for ZScaler NSS security records. <br/><img src={useBaseUrl('img/cse/zscaler-nss-search.png')} alt="Zscaler NSS search" style={{border: '1px solid gray'}} width="400"/>
diff --git a/docs/cse/ingestion/sumo-logic-ingest-mapping.md b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
index c858b08fdf..fe6f9fd841 100644
--- a/docs/cse/ingestion/sumo-logic-ingest-mapping.md
+++ b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
@@ -7,7 +7,7 @@ description: Learn how to configure Sumo Logic and Cloud SIEM to enable Sumo Log
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has instructions for creating a Cloud SIEM ingest mapping for a data source. An ingest mapping gives Cloud SIEM the information it needs in order to map message fields to Record attributes. These are referred to as mapping hints, and include: Format, Vendor, Product, and Event ID Pattern.
+This topic has instructions for creating a Cloud SIEM ingest mapping for a data source. An ingest mapping gives Cloud SIEM the information it needs in order to map message fields to record attributes. These are referred to as mapping hints, and include: Format, Vendor, Product, and Event ID Pattern.
 
 :::note
 The use of ingest mappings is recommended only if there is no Sumo Logic parser or Cloud-to-Cloud connector for the target data source. For more information, see [Cloud SIEM Ingestion Best Practices](/docs/cse/ingestion/cse-ingestion-best-practices/).
@@ -59,8 +59,7 @@ You need to know how your messages are formatted. Cloud SIEM supports messages i
 * Structured syslog data (key-value pairs) with a syslog header
 * Microsoft Windows event logs in XML format
 * Winlogbeats
-* Messages that have been processed by Sumo Logic [Field Extraction
-    Rules](/docs/manage/field-extractions).
+* Messages that have been processed by Sumo Logic [Field Extraction Rules](/docs/manage/field-extractions).
 
 ### Determining Product, Vendor, and Event ID pattern
 
diff --git a/docs/cse/ingestion/view-mappers-for-product.md b/docs/cse/ingestion/view-mappers-for-product.md
index 871bab98af..ff0734db53 100644
--- a/docs/cse/ingestion/view-mappers-for-product.md
+++ b/docs/cse/ingestion/view-mappers-for-product.md
@@ -9,7 +9,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This topic has instructions for find the log mappers that Cloud SIEM provides for particular product or service. 
 
-See the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md) for a complete list of [Mappings](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/mappings/README.md), [Vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md), and [Products](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/README.md).
+See the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md) for a complete list of [mappings](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/mappings/README.md), [vendors](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/README.md), and [products](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/README.md).
 
 Cloud SIEM may have more than one log mapping for a particular product. For example, there may be a separate mapping for each message type issued by a product. You can view the available mappings in the Cloud SIEM UI.
 

From 696893f086a5b80cc6388d1e6d369dd28942a813 Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Tue, 17 Dec 2024 15:30:07 -0600
Subject: [PATCH 4/5] Make terms lowercase in 'Rules' section

---
 docs/cse/rules/about-cse-rules.md             | 78 +++++++++---------
 docs/cse/rules/before-writing-custom-rule.md  | 18 ++--
 docs/cse/rules/cse-built-in-rules.md          |  2 +-
 docs/cse/rules/cse-rules-syntax.md            | 10 +--
 docs/cse/rules/import-yara-rules.md           |  4 +-
 docs/cse/rules/index.md                       |  4 +-
 docs/cse/rules/insight-trainer.md             | 56 ++++++-------
 .../rules/normalized-authentication-rules.md  | 12 +--
 docs/cse/rules/normalized-threat-rules.md     |  6 +-
 docs/cse/rules/rule-tuning-expressions.md     | 14 ++--
 docs/cse/rules/tailor-global-rule.md          | 20 ++---
 docs/cse/rules/write-aggregation-rule.md      | 82 +++++++++----------
 docs/cse/rules/write-chain-rule.md            | 40 ++++-----
 docs/cse/rules/write-first-seen-rule.md       | 70 ++++++++--------
 docs/cse/rules/write-match-rule.md            | 58 ++++++-------
 docs/cse/rules/write-outlier-rule.md          | 72 ++++++++--------
 docs/cse/rules/write-threshold-rule.md        | 46 +++++------
 17 files changed, 296 insertions(+), 296 deletions(-)

diff --git a/docs/cse/rules/about-cse-rules.md b/docs/cse/rules/about-cse-rules.md
index 7090dda5a9..a33d7599b9 100644
--- a/docs/cse/rules/about-cse-rules.md
+++ b/docs/cse/rules/about-cse-rules.md
@@ -7,11 +7,11 @@ description: Learn about Cloud SIEM rules, rules syntax, and how to write rules.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-A Cloud SIEM rule is logic that fires based on information in incoming Records. When a rule fires, it creates a Signal.
+A Cloud SIEM rule is logic that fires based on information in incoming records. When a rule fires, it creates a signal.
 
-[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view Rules, in the top menu select **Content > Rules**. 
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To view rules, in the top menu select **Content > Rules**. 
 
-[**New UI**](/docs/get-started/sumo-logic-ui). To view Rules, in the main Sumo Logic menu select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
+[**New UI**](/docs/get-started/sumo-logic-ui). To view rules, in the main Sumo Logic menu select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
  
 :::tip
 For a complete list of out-of-the-box rules, see [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).
@@ -35,7 +35,7 @@ import Iframe from 'react-iframe'; 
 
 ## About rule expressions
 
-The key element of a Cloud SIEM rule is a *rule expression*. A rule expression defines what conditions the rule will look for. A rule expression includes one or more equality statements, each of which evaluates a field value in incoming Records, typically comparing it to a constant value, for example `description = 'CMS Domain Match'`. A simple rule expression might be a single equality expression, or multiple expressions combined with logical operators. A rule expression evaluates to a boolean value. When a rule’s conditions are met, it creates a Signal. 
+The key element of a Cloud SIEM rule is a *rule expression*. A rule expression defines what conditions the rule will look for. A rule expression includes one or more equality statements, each of which evaluates a field value in incoming records, typically comparing it to a constant value, for example `description = 'CMS Domain Match'`. A simple rule expression might be a single equality expression, or multiple expressions combined with logical operators. A rule expression evaluates to a boolean value. When a rule’s conditions are met, it creates a signal. 
 
 The following rule expression, which looks for any event that stops AWS CloudTrail logging, is an example of a rule expression that contains only equality statements.
 
@@ -49,19 +49,19 @@ The [Before You Write a Custom Rule](/docs/cse/rules/before-writing-custom-rule)
 
 ## About tuning expressions
 
-Like a rule expression, a tuning expression is matched against incoming Records. As an example, consider the following rule expression, which detects that an attempt was made to clear the Windows Security Event Log.
+Like a rule expression, a tuning expression is matched against incoming records. As an example, consider the following rule expression, which detects that an attempt was made to clear the Windows Security Event Log.
 
 ```sql
 metadata_vendor = 'Microsoft' and metadata_product = 'Windows' and metadata_deviceEventId = 'Security-1102' and fields['Provider.Name'] = 'Microsoft-Windows-Eventlog'
 ```
 
-If you don’t want the rule to generate a Signal if the person performing the action is “jdoe”, you can add a tuning expression like this to the rule:
+If you don’t want the rule to generate a signal if the person performing the action is “jdoe”, you can add a tuning expression like this to the rule:
 
 ```sql
 user_userId = !jdoe
 ```
 
-The tuning expression is AND’d with the rule expression—the rule will only generate a Signal if a Record matches both expressions. 
+The tuning expression is AND’d with the rule expression—the rule will only generate a signal if a record matches both expressions. 
 
 Rule tuning expressions allow you to tailor the logic of a built-in rule without replicating and modifying the rule. The benefit of using a tuning expression, over the copy and edit method, is that when Cloud SIEM updates built-in rules, your tuning expressions are preserved. This division of logic means that you don’t need to create as many custom rules. If you use tuning expressions in combination with multi-entity rules you’ll further reduce the need for custom rules.   
 
@@ -69,28 +69,28 @@ You create tuning expressions on the **Rule Tuning** page, which is available fr
 
 ## "On Entity" configuration
 
-In Cloud SIEM, the term *Entity* refers to an IP address, hostname, username, or MAC address. When you create a Cloud SIEM rule, you select one or more *On Entity attributes* in the **Then Create a Signal** part of the UI. An On Entity attribute is a Cloud SIEM schema attribute that hold an IP address, hostname, username, or MAC address.
+In Cloud SIEM, the term *entity* refers to an IP address, hostname, username, or MAC address. When you create a Cloud SIEM rule, you select one or more *On Entity attributes* in the **Then Create a Signal** part of the UI. An On Entity attribute is a Cloud SIEM schema attribute that hold an IP address, hostname, username, or MAC address.
 
 The screenshot below shows a rule whose "On Entity" attributes are `srcDevice_ip` and `dstDevice_ip`.
 
 <img src={useBaseUrl('img/cse/on-entity.png')} alt="On Entity configuration" width="300"/>
 
-When an incoming Record meets a rule's conditions, a Signal is generated for each of the rule's On Entity attributes found in the Record. When the example rule above fires, it generates two Signals: one on the IP address held in the `srcDevice_ip` attribute, and  another on the IP address held in the `dstDevice_ip` attribute.
+When an incoming record meets a rule's conditions, a signal is generated for each of the rule's On Entity attributes found in the record. When the example rule above fires, it generates two signals: one on the IP address held in the `srcDevice_ip` attribute, and  another on the IP address held in the `dstDevice_ip` attribute.
 
 ## Rule types
 
-There are several kinds of rules. Each supports a different sort of firing behavior (For a complete list of out-of-the-box rules, see [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).)
+There are several kinds of rules. Each supports a different sort of firing behavior. (For a complete list of out-of-the-box rules, see [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).)
 
-* **Match rule**. Fires when an incoming Record matches the rule expression. A Match rule is stateless: it looks at a single Record, and it either fires or it doesn’t. The expression in the previous section is an example of a Match rule expression. If a Record matches the expression, the rule fires. For more information about Match rules, see [Write a Match Rule](/docs/cse/rules/write-match-rule).
-* **Chain rule**. You can use a Chain rule to look for two or more types of events, and to fire, based on the frequency of each over a time window. For example, when a user has more than 10 failed login attempts and one successful login attempt in a one hour window. Like a Threshold rule, a Chain rule is stateful and counts multiple Records—the difference is that a Chain rule applies multiple expressions to a Record. For more information about Chain rules, see [Write a Chain Rule](/docs/cse/rules/write-chain-rule).
-* **Aggregation rule**. Fires when up to three aggregation conditions are met within a specified period of time. For example, when a large variety of different AWS CloudTrail event IDs from the same `device_ip` are observed within a 30 minute period. For more information about Aggregation rules, see [Write an Aggregation Rule](/docs/cse/rules/write-aggregation-rule).
-* **Threshold rule**. Fires when the rule expression is matched at least a certain number times during a specified length of time. For example, if there are five or more failed login attempts for the same IP address within one hour. A Threshold rule is stateful, a condition must be satisfied by multiple Records over a period of time. For more information about Threshold rules, see [Write a Threshold Rule](/docs/cse/rules/write-threshold-rule).
-* **First Seen rule**. Fires when behavior by an Entity is encountered that hasn't been seen before. For example, the first time when a user logs in from a new location, or when a new admin account is created. For more information about First Seen rules, see [Write a First Seen Rule](/docs/cse/rules/write-first-seen-rule).
-* **Outlier rule**. Fires when behavior by an Entity is encountered that deviates from its baseline activity. For each Outlier rule, Cloud SIEM automatically creates a baseline model of normal behavior. After the baseline learning period is completed, activity that deviates from the mean (normal baseline behavior) creates a Signal. For more information about Outlier rules, see [Write an Outlier Rule](/docs/cse/rules/write-outlier-rule).
+* **Match rule**. Fires when an incoming record matches the rule expression. A match rule is stateless: it looks at a single record, and it either fires or it doesn’t. The expression in the previous section is an example of a match rule expression. If a record matches the expression, the rule fires. For more information about match rules, see [Write a Match Rule](/docs/cse/rules/write-match-rule).
+* **Chain rule**. You can use a chain rule to look for two or more types of events, and to fire, based on the frequency of each over a time window. For example, when a user has more than 10 failed login attempts and one successful login attempt in a one hour window. Like a threshold rule, a chain rule is stateful and counts multiple records. The difference is that a chain rule applies multiple expressions to a record. For more information about chain rules, see [Write a Chain Rule](/docs/cse/rules/write-chain-rule).
+* **Aggregation rule**. Fires when up to three aggregation conditions are met within a specified period of time. For example, when a large variety of different AWS CloudTrail event IDs from the same `device_ip` are observed within a 30 minute period. For more information about aggregation rules, see [Write an Aggregation Rule](/docs/cse/rules/write-aggregation-rule).
+* **Threshold rule**. Fires when the rule expression is matched at least a certain number times during a specified length of time. For example, if there are five or more failed login attempts for the same IP address within one hour. A threshold rule is stateful, a condition must be satisfied by multiple records over a period of time. For more information about threshold rules, see [Write a Threshold Rule](/docs/cse/rules/write-threshold-rule).
+* **First seen rule**. Fires when behavior by an entity is encountered that hasn't been seen before. For example, the first time when a user logs in from a new location, or when a new admin account is created. For more information about first seen rules, see [Write a First Seen Rule](/docs/cse/rules/write-first-seen-rule).
+* **Outlier rule**. Fires when behavior by an entity is encountered that deviates from its baseline activity. For each outlier rule, Cloud SIEM automatically creates a baseline model of normal behavior. After the baseline learning period is completed, activity that deviates from the mean (normal baseline behavior) creates a signal. For more information about outlier rules, see [Write an Outlier Rule](/docs/cse/rules/write-outlier-rule).
 
 ## Product identification metadata fields
 
-During the Record parsing process, Cloud SIEM adds metadata that identifies the product or service that generated the Record. You use this metadata in a rule to specify what Records the rule should be applied to. For example, the rule fragment below will match Records generated by Trend Micro Deep Security devices with IDs in a specified range: 
+During the record parsing process, Cloud SIEM adds metadata that identifies the product or service that generated the record. You use this metadata in a rule to specify what records the rule should be applied to. For example, the rule fragment below will match records generated by Trend Micro Deep Security devices with IDs in a specified range: 
 
 ```sql
 metadata_vendor = 'Trend Micro' and metadata_product = 'Deep Security'  and metadata_deviceEventId between '2000000' and '2999999'
@@ -106,32 +106,32 @@ Some of the key metadata fields are defined below.
 
 ## Rules and other content
 
-This section describes two key Cloud SIEM features that enable you to write richer rules that can look up information about the entities that are actors in a Record. For example, you could compare a domain in a Record to a list of allowed listed domains. Or you could compare an IP address to a list of IP addresses known to be indicators of compromise.  
+This section describes two key Cloud SIEM features that enable you to write richer rules that can look up information about the entities that are actors in a record. For example, you could compare a domain in a record to a list of allowed listed domains. Or you could compare an IP address to a list of IP addresses known to be indicators of compromise.  
 
-### Match Lists
+### Match lists
 
-The subsections below explain how Match Lists work, and how to leverage them in Cloud SIEM rules. For more information about Match Lists, see [Match Lists and Suppressed Lists](/docs/cse/match-lists-suppressed-lists/).
+The subsections below explain how match lists work, and how to leverage them in Cloud SIEM rules. For more information about match lists, see [Match Lists and Suppressed Lists](/docs/cse/match-lists-suppressed-lists/).
 
-#### Match Lists are used to enrich Record data
+#### Match lists are used to enrich record data
 
-This section describes what [Match Lists](/docs/cse/match-lists-suppressed-lists) are, and how Cloud SIEM uses them to enrich Record data. The short story is that when a Record is ingested, Cloud SIEM uses Match Lists to add information to the Record. So, your rule doesn’t directly refer to a Match List, it checks the Record for data that Cloud SIEM may have added to the Record at the time of ingestion. 
+This section describes what [match lists](/docs/cse/match-lists-suppressed-lists) are, and how Cloud SIEM uses them to enrich record data. The short story is that when a record is ingested, Cloud SIEM uses match lists to add information to the record. So, your rule doesn’t directly refer to a match list, it checks the record for data that Cloud SIEM may have added to the record at the time of ingestion. 
 
-Match Lists are lists of important indicators and identifiers, typically configured by a Cloud SIEM analyst. Match Lists are often used to define allowlists of entities, like IP addresses, URLs, and hostnames, and so on, that you want to exempt from ordinary rule processing. For example, you might want to prevent a rule from firing for Records that contain one of a certain set of IP addresses. 
+Match lists are lists of important indicators and identifiers, typically configured by a Cloud SIEM analyst. Match lists are often used to define allowlists of entities, like IP addresses, URLs, and hostnames, and so on, that you want to exempt from ordinary rule processing. For example, you might want to prevent a rule from firing for records that contain one of a certain set of IP addresses. 
 
-Here’s an example of a Match List in the Cloud SIEM UI. 
+Here’s an example of a match list in the Cloud SIEM UI. 
 
 <img src={useBaseUrl('img/cse/example-match-list.png')} alt="Example match list" width="800"/>
 
-You can take advantage of Match Lists in rules, but Match Lists actually come into play when Records are ingested. Here’s how it works:  When a Record is ingested, Cloud SIEM compares the entries in all Match Lists to fields in the Record. Of course, Cloud SIEM doesn’t compare the entries in a given Match List to all fields in a Record; it wouldn’t make sense to compare a domain name to an IP address. You could say that Cloud SIEM understands the difference between apples and oranges: Cloud SIEM distinguishes which Record fields contain IP addresses, which contain domain name and so on. So, Cloud SIEM compares a Match List of IP addresses to Record fields that contain IP addresses. Similarly, Cloud SIEMs compares a Match List of usernames to Record fields that contain usernames. For more information about how that works, see [Match Fields Reference](/docs/cse/match-lists-suppressed-lists/match-fields-reference). 
+You can take advantage of match lists in rules, but match lists actually come into play when records are ingested. Here’s how it works:  When a record is ingested, Cloud SIEM compares the entries in all match lists to fields in the record. Of course, Cloud SIEM doesn’t compare the entries in a given match list to all fields in a record; it wouldn’t make sense to compare a domain name to an IP address. You could say that Cloud SIEM understands the difference between apples and oranges: Cloud SIEM distinguishes which record fields contain IP addresses, which contain domain name and so on. So, Cloud SIEM compares a match list of IP addresses to record fields that contain IP addresses. Similarly, Cloud SIEMs compares a match list of usernames to record fields that contain usernames. For more information about how that works, see [Match Fields Reference](/docs/cse/match-lists-suppressed-lists/match-fields-reference). 
 
-When a Record contains a value that *exactly* matches one or more Match Lists (partial matches are not supported), two fields in the Record get populated:
+When a record contains a value that *exactly* matches one or more match lists (partial matches are not supported), two fields in the record get populated:
 
-* `listMatches.` Cloud SIEM adds the names of the Match Lists that the Record matched, and the column values of those lists. For example, if an IP address in a Record matches the `SourceIP` address in the “vuln_scanners” Match List, the `listMatches` field would look like this: `listMatches: ['vuln_scanners', 'column:SourceIp']`    
-* `matchedItems`. Cloud SIEM adds the actual key-value pairs that were matched. For example, continuing the example above, if “vuln_scanners” Match List contained an entry “5.6.7.8”, and the Record’s `SourceIp `is also “5.6.7.8”, the assuming the `SourceIP` address in the “vuln_scanners” Match List, the `matchedItems` field would like like this: `matchedItems: [ { value: '5.6.7.8', …other metadata about list item } ]`
+* `listMatches.` Cloud SIEM adds the names of the match lists that the record matched, and the column values of those lists. For example, if an IP address in a record matches the `SourceIP` address in the “vuln_scanners” match list, the `listMatches` field would look like this: `listMatches: ['vuln_scanners', 'column:SourceIp']`    
+* `matchedItems`. Cloud SIEM adds the actual key-value pairs that were matched. For example, continuing the example above, if “vuln_scanners” match list contained an entry “5.6.7.8”, and the record’s `SourceIp `is also “5.6.7.8”, the assuming the `SourceIP` address in the “vuln_scanners” match list, the `matchedItems` field would like like this: `matchedItems: [ { value: '5.6.7.8', …other metadata about list item } ]`
 
-Because the information about list matches gets persisted within Records, you can reference it downstream in both rules and search. 
+Because the information about list matches gets persisted within records, you can reference it downstream in both rules and search. 
 
-#### Rules look for match data in Records
+#### Rules look for match data in records
 
 When you’re writing a rule that needs to take advantage of the results of the list matching process described above, you extend your rule expression with the `array_contains` function. 
 
@@ -151,13 +151,13 @@ If the name of the list you are referencing with `array_contains` contains any s
 
 Depending on your goal, you precede the `array_contains` function with either AND or AND NOT. 
 
-For example, the fragment below looks at a Record for a field named `listMatches` that contains the value “vuln_scanners”. If not encountered, that indicates that the IP address is not a vulnerable scanner, so, given that the rest of the rule expression is matched, a Signal will be fired for that Record. 
+For example, the fragment below looks at a record for a field named `listMatches` that contains the value “vuln_scanners”. If not encountered, that indicates that the IP address is not a vulnerable scanner, so, given that the rest of the rule expression is matched, a signal will be fired for that record. 
 
 ```sql
 ... AND NOT array_contains(listMatches, "vuln_scanners")
 ```
 
-This example below checks a Record for a field named `listMatches` that contains either “vul_scanners” or  “business_ips”. Notice that the two `array_contains` statements  are combined with an OR and enclosed in parentheses:  
+This example below checks a record for a field named `listMatches` that contains either “vul_scanners” or  “business_ips”. Notice that the two `array_contains` statements  are combined with an OR and enclosed in parentheses:  
    
 ```sql
 ...AND NOT (array_contains(listMatches, 'vuln_scanners') OR array_contains(listMatches, 'business_ips'))
@@ -165,17 +165,17 @@ This example below checks a Record for a field named `listMatches` that contains
 
 ### Threat Intelligence
 
-Cloud SIEM’s Threat Intelligence lists are very similar to Match Lists, and you leverage them in rules in the same way. Threat Intelligence lists contain values that, when encountered in a Record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Create a Custom Threat Intelligence Source](/docs/cse/administration/create-custom-threat-intel-source/).
+Cloud SIEM’s Threat Intelligence lists are very similar to match lists, and you leverage them in rules in the same way. Threat Intelligence lists contain values that, when encountered in a record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Create a Custom Threat Intelligence Source](/docs/cse/administration/create-custom-threat-intel-source/).
 
 Here’s an example of a Threat Intelligence list in the Cloud SIEM UI. 
 
 <img src={useBaseUrl('img/cse/example-threat-intl.png')} alt="Example threat intelligence list" width="800"/>
 
-Like Match Lists, Threat Intelligence lists are used at the time of Record ingestion. When a Record is ingested, Cloud SIEM determines whether any of the fields in the Record exist in any of your configured Threat Intelligence lists.
+Like match lists, Threat Intelligence lists are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your configured Threat Intelligence lists.
 
-When a Record contains a value that matches an entry in one or more Threat Intelligence lists, just like with Match List data, two fields in the Record get populated: a `listMatches` field that contains the names of Threat Intelligence lists that the Record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.  
+When a record contains a value that matches an entry in one or more Threat Intelligence lists, just like with match list data, two fields in the record get populated: a `listMatches` field that contains the names of Threat Intelligence lists that the record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.  
 
-For example, given a Record whose `SourceIp` column matches a entry in My Threat Intelligence List, the `listMatches` field added to the Record would look like this:
+For example, given a record whose `SourceIp` column matches a entry in My Threat Intelligence List, the `listMatches` field added to the record would look like this:
 
 ```sql
 listMatches: \['threat_Ip_My_Threat_Intel_List', 'source:My_Threat_Intel_List', 'column:Ip', 'column:SrcIp' 'threat'\]
@@ -184,14 +184,14 @@ where:
 
 * `threat_Ip_My_Threat_Intel_List` is formed by concatenating the following, separated by underscore characters (_):
    * the string `threat` 
-   * the type of the column–Ip Domain, FileHash, and so on–in the Record that matched an Indicator from the threat intelligence source
+   * the type of the column–Ip Domain, FileHash, and so on–in the record that matched an Indicator from the threat intelligence source
 * The name of the threat intelligence source, with embedded spaces replaced by underscore characters (_).
 * `source:My_Threat_Intel_List` identifies the threat intelligence list.
 * `column:Ip` identifies the type of the field where the match was found.
 * `column:SrcIp` identifies the name of the field where the match was found.
-* `threat `is a string that Cloud SIEM uses to indicate that the Record field matched a threat source, rather than another type of list.
+* `threat `is a string that Cloud SIEM uses to indicate that the record field matched a threat source, rather than another type of list.
   
-Because the threat intelligence information is persisted within Records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
+Because the threat intelligence information is persisted within records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
 
 ```sql
 array_contains(listMatches, "threat-intel-list-name")
diff --git a/docs/cse/rules/before-writing-custom-rule.md b/docs/cse/rules/before-writing-custom-rule.md
index 7fea7c9327..fed444b438 100644
--- a/docs/cse/rules/before-writing-custom-rule.md
+++ b/docs/cse/rules/before-writing-custom-rule.md
@@ -13,28 +13,28 @@ This topic has information about writing custom Cloud SIEM rules.
 Before you create a custom rule, check to see if there is a [built-in rule](/docs/cse/rules/cse-built-in-rules) that meets or comes close to meeting your need. You can easily tailor built-in rules using [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions).
 :::
 
-By tuning and using a built-in rule, you avoid the effort of writing a rule, and get the benefit of on-going improvements when we update core rule logic. Added bonus: Signals and Insights from built-in rules leverage crowd-sourced machine learning that custom rules cannot.
+By tuning and using a built-in rule, you avoid the effort of writing a rule, and get the benefit of on-going improvements when we update core rule logic. Added bonus: signals and insights from built-in rules leverage crowd-sourced machine learning that custom rules cannot.
 
 ## Related topics
 
 The following topics provide information that’s relevant to the process of writing a custom rule:
 
-* [Record Processing Pipeline](/docs/cse/schema/record-processing-pipeline). This topic describes how Cloud SIEM creates Records for incoming messages. It provides facts about how message fields are mapped to Cloud SIEM schema attributes; about the attributes Cloud SIEM adds to Records to enrich and provide context about IP address, URLs, and domains; “list” features, like Match Lists and Suppress Lists that allow you to include or exclude Records based on indentiers found in Records; how to leverage threat intel data and more.
-* [Schema Attributes](/docs/cse/schema/schema-attributes). This topic defines the Record attributes you can reference in rules.
+* [Record Processing Pipeline](/docs/cse/schema/record-processing-pipeline). This topic describes how Cloud SIEM creates records for incoming messages. It provides facts about how message fields are mapped to Cloud SIEM schema attributes; about the attributes Cloud SIEM adds to records to enrich and provide context about IP address, URLs, and domains; “list” features, like Match Lists and Suppress Lists that allow you to include or exclude records based on indentifiers found in records; how to leverage threat intel data and more.
+* [Schema Attributes](/docs/cse/schema/schema-attributes). This topic defines the record attributes you can reference in rules.
 * [Cloud SIEM Rules Syntax](/docs/cse/rules/cse-rules-syntax). This topic describes rules language functions and syntax, which you’ll use in writing rule expressions.
-* [Searching for Cloud SIEM Records in Sumo Logic](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). This topic explains how to search Cloud SIEM Records in the Sumo Logic platform. Typically, you’ll build and refine your rule expressions in Sumo Logic. Once you’re happy with the results, you’ll copy the query into the rule expression field in the Rules Editor.
+* [Searching for Cloud SIEM Records in Sumo Logic](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). This topic explains how to search Cloud SIEM records in the Sumo Logic platform. Typically, you’ll build and refine your rule expressions in Sumo Logic. Once you’re happy with the results, you’ll copy the query into the rule expression field in the rules editor.
 
 ## Step 1: Perform use case analysis and select rule type
 
 The first step is determining your use case. In part, this involves deciding what behavior you want the rule to detect, and which of your data sources will provide evidence of that behavior. 
 
-In addition to what you're looking for, and where you can find it, you’ll decide on what sort of logic to apply when the rule encounters the target behavior. For example, is detecting one Record that matches your rule expression sufficient to fire a Signal, or should multiple matching Records be a condition for firing? Perhaps you need to look for multiple different types of events related by a common entity. The answers to these questions will determine what type of rule is appropriate for your use case. 
+In addition to what you're looking for, and where you can find it, you’ll decide on what sort of logic to apply when the rule encounters the target behavior. For example, is detecting one record that matches your rule expression sufficient to fire a signal, or should multiple matching records be a condition for firing? Perhaps you need to look for multiple different types of events related by a common entity. The answers to these questions will determine what type of rule is appropriate for your use case. 
 
 Review the standard [rule types](/docs/cse/rules/about-cse-rules#rule-types) to determine if any of them can address your use case. 
 
 ## Step 2: Review the log mapping for your source
 
-Before you write a rule, you’ll want to verify what attributes are available in the Records created from the target data source. You can do this by reviewing the log mapping for the data source.  
+Before you write a rule, you’ll want to verify what attributes are available in the records created from the target data source. You can do this by reviewing the log mapping for the data source.  
 
 Let’s say you’re going to write a rule that fires every time a successful Windows login occurs from a user account that doesn’t match your standard account naming convention. You know, maybe because you’ve checked Microsoft documentation, that the Windows event that records successful logins is Security Log Event ID 4624. So, you’ll take a look at the Cloud SIEM log mapping for that event, assuming there is one.
 
@@ -42,7 +42,7 @@ To find and review a log mapping:
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu click **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. You can use the filter area at the top of the **Log Mappings** tab to search for a mapping by various options. The screenshot below shows the results when we enter the filter `Name matches wildcard pattern *4624`. A mapping matches. For the mapping, you can see how many times it’s been used in the last 24 hrs and also over the last 7 days. Select the mapping. <br/><img src={useBaseUrl('img/cse/matching-mappings.png')} alt="Selected mapping" width="800"/>
-1. Once you’ve opened the mapping, you’ll see the top of the page shows the Vendor, Product, and Event ID that is written to the Records produced by the mapping. <br/><img src={useBaseUrl('img/cse/selected-mapping-top.png')} alt="Mapping dialog" width="600"/>
+1. Once you’ve opened the mapping, you’ll see the top of the page shows the Vendor, Product, and Event ID that is written to the records produced by the mapping. <br/><img src={useBaseUrl('img/cse/selected-mapping-top.png')} alt="Mapping dialog" width="600"/>
 1. The **Fields** section of the page shows how raw message fields are mapped to Cloud SIEM schema attributes. In this mapping, `EventData.LogonProcessName` is mapped to `application`, `EventData.WorkstationName` is mapped to `device_hostname`, and so on. <br/><img src={useBaseUrl('img/cse/selected-mapping-bottom.png')} alt="Fields on the mapping" width="800"/>
 
 Now that we understand the mapping in Cloud SIEM, we can see we will want to be looking for logs where the `metadata_vendor` is “Microsoft”, `metadata_product` is “Windows”, and `metadata_deviceEventId` is “Security-4624”, and we will also want to use the `user_username` field to find users that don’t match our naming convention.
@@ -97,11 +97,11 @@ _index=sec_record_*
 | where metadata_vendor = "Microsoft" and metadata_product = "Windows" and metadata_deviceEventId = "Security-4624" and !(user_username matches /^[a-zA-Z]*$/ or user_username matches "*-*$") and user_username != "anonymous logon" and process_name matches "*.exe"
 ```
 
-Now we have a query we can use as the rule expression for our rule. Note that when you paste it into the Rules Editor you should remove the first portion of the query, which is only necessary when you are querying Records in Sumo Logic:
+Now we have a query we can use as the rule expression for our rule. Note that when you paste it into the rules editor you should remove the first portion of the query, which is only necessary when you are querying records in Sumo Logic:
 
 `_index=sec_record_*`  
 
-You can use an expression like this example in any rule type. Here is an example Match rule with the expression, shown in the Rules Editor.
+You can use an expression like this example in any rule type. Here is an example Match rule with the expression, shown in the rules editor.
 
 <img src={useBaseUrl('img/cse/example-in-editor.png')} alt="Example in editor" width="700"/>
 
diff --git a/docs/cse/rules/cse-built-in-rules.md b/docs/cse/rules/cse-built-in-rules.md
index 08381a497c..4eb7e9b623 100644
--- a/docs/cse/rules/cse-built-in-rules.md
+++ b/docs/cse/rules/cse-built-in-rules.md
@@ -5,6 +5,6 @@ sidebar_label: Built-In Rules
 description: See a list and descriptions of Cloud SIEM's built-in rules.
 ---
 
-A Cloud SIEM rule is logic that fires based on information in incoming Records. When a rule fires, it creates a Signal. There are several types of rules, each of which supports a different sort of firing behavior. While you can write your own rules, there are hundreds of rules that Cloud SIEM provides out-of-the-box. Before writing your own rule, look at the built-in rules to see if there's one that provides the behavior you need. 
+A Cloud SIEM rule is logic that fires based on information in incoming records. When a rule fires, it creates a signal. There are several types of rules, each of which supports a different sort of firing behavior. While you can write your own rules, there are hundreds of rules that Cloud SIEM provides out-of-the-box. Before writing your own rule, look at the built-in rules to see if there's one that provides the behavior you need. 
 
 For the complete list of built-in rules, see [Rules](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md#rules) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).
\ No newline at end of file
diff --git a/docs/cse/rules/cse-rules-syntax.md b/docs/cse/rules/cse-rules-syntax.md
index 366ae4c09d..2748005ee5 100644
--- a/docs/cse/rules/cse-rules-syntax.md
+++ b/docs/cse/rules/cse-rules-syntax.md
@@ -2,7 +2,7 @@
 id: cse-rules-syntax
 title: Cloud SIEM Rules Syntax
 sidebar_label: Rules Syntax
-description: Learn about the functions you can use when writing Cloud SIEM Rules.
+description: Learn about the functions you can use when writing Cloud SIEM rules.
 ---
 
 This topic describes commonly used Cloud SIEM rules language functions. Rules language functions are used in Cloud SIEM rule expressions. For information about rules and rule expressions, see [About Cloud SIEM Rules](/docs/cse/rules/about-cse-rules).
@@ -364,11 +364,11 @@ The following expression returns "3.141592653589793" (pi):
 
 Returns “true” if a specified array contains a particular value. 
 
-Cloud SIEM rules use `array_contains` statements to look for a value in a Record field. This is useful if you want to check a Record’s `listMatches field` for [Match Lists](/docs/cse/match-lists-suppressed-lists/create-match-list) or threat intel list matches. You can also check the contents of the `fieldTags` field to see if matches a keyword tag or schema key tag value.
+Cloud SIEM rules use `array_contains` statements to look for a value in a record field. This is useful if you want to check a record’s `listMatches field` for [Match Lists](/docs/cse/match-lists-suppressed-lists/create-match-list) or threat intel list matches. You can also check the contents of the `fieldTags` field to see if matches a keyword tag or schema key tag value.
 
 **Syntax for matching to lists**
 
-The syntax for checking for the existence of a Match List name or a threat intel list name in a Record’s `listMatches` field is: 
+The syntax for checking for the existence of a Match List name or a threat intel list name in a record’s `listMatches` field is: 
 
 `array_contains(listMatches, 'match_list_name')`
 
@@ -388,7 +388,7 @@ The syntax for checking to see if the the `fieldsTag` field contains a particula
 
 where:
 
-* `field `is the name of a Record field
+* `field `is the name of a record field
 * `keyword-tag` is a keyword tag
 
 **Syntax for matching to a schema key tag**
@@ -399,7 +399,7 @@ The syntax for checking to see if the the `fieldTag` field contains a particular
 
 where:
 
-* `field` is the name of a Record field
+* `field` is the name of a record field
 * `schema-key` is the name of a schema key tag
 * `schema-value` is the value of a schema key tag
 
diff --git a/docs/cse/rules/import-yara-rules.md b/docs/cse/rules/import-yara-rules.md
index 689742f895..097a3188fa 100644
--- a/docs/cse/rules/import-yara-rules.md
+++ b/docs/cse/rules/import-yara-rules.md
@@ -13,7 +13,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This section has instructions for importing YARA rules from GitHub into Cloud SIEM.
 
-YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the [Network Sensor](/docs/cse/sensors/network-sensor-deployment-guide). When a file matches a YARA rule, Cloud SIEM creates a special Record which results in a “File Analysis” Signal being created.  Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.
+YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the [network sensor](/docs/cse/sensors/network-sensor-deployment-guide). When a file matches a YARA rule, Cloud SIEM creates a special record which results in a “file analysis” signal being created.  Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.
 
 To import YARA rules:
 
@@ -28,4 +28,4 @@ To import YARA rules:
 1. **GitHub Machine Username**. Enter a username if the repository is private.
 1. **GitHub Machine Token**. Enter a token if the repository is private.
 1. **YARA file Regex**. The regex in this field is matched to rule names in the repository. The default regex will match rule files whose file extension is `.yar`, `.yara`, or `.rule`.  
-1. **Default Severity**. Enter the severity to be assigned when the Signal is created.
+1. **Default Severity**. Enter the severity to be assigned when the signal is created.
diff --git a/docs/cse/rules/index.md b/docs/cse/rules/index.md
index 079aab7ab7..8033c3f4da 100644
--- a/docs/cse/rules/index.md
+++ b/docs/cse/rules/index.md
@@ -26,7 +26,7 @@ In this section, we'll introduce the following concepts:
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/rules/cse-rules-syntax"><img src={useBaseUrl('img/icons/operations/rules.png')} alt="Flow diagram icon" width="40"/><h4>Rules Syntax</h4></a>
-  <p>Learn about the functions you can use when writing Cloud SIEM Rules.</p>
+  <p>Learn about the functions you can use when writing Cloud SIEM rules.</p>
   </div>
 </div>
 <div className="box smallbox card">
@@ -104,7 +104,7 @@ In this section, we'll introduce the following concepts:
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/rules/insight-trainer"><img src={useBaseUrl('img/icons/operations/rules.png')} alt="Flow diagram icon" width="40"/><h4>Insight Trainer</h4></a>
-  <p>Learn how to adjust rules to improve Insight generation.</p>
+  <p>Learn how to adjust rules to improve insight generation.</p>
   </div>
 </div>
 </div>
diff --git a/docs/cse/rules/insight-trainer.md b/docs/cse/rules/insight-trainer.md
index e9492a3b59..2e2eed7990 100644
--- a/docs/cse/rules/insight-trainer.md
+++ b/docs/cse/rules/insight-trainer.md
@@ -2,7 +2,7 @@
 id: insight-trainer
 title: Improve Rules with Insight Trainer
 sidebar_label: Improve Rules with Insight Trainer
-description: The Cloud SIEM Insight Trainer dashboard recommends adjustments to rules to improve Insight generation.  
+description: The Cloud SIEM Insight Trainer dashboard recommends adjustments to rules to improve insight generation.  
 keywords:
   - cloud siem
   - insight trainer
@@ -11,7 +11,7 @@ keywords:
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-[Cloud SIEM - Insight Trainer](/docs/integrations/sumo-apps/cse#insight-trainer) is a dashboard in the Enterprise Audit - Cloud SIEM app. Insight Trainer offers suggestions for making adjustments to rules, such as writing rule tuning expressions and changing severities. Implementing the recommendations causes rules to be more effective at creating high-fidelity Signals, resulting in generation of more meaningful Insights. 
+[Cloud SIEM - Insight Trainer](/docs/integrations/sumo-apps/cse#insight-trainer) is a dashboard in the Enterprise Audit - Cloud SIEM app. Insight Trainer offers suggestions for making adjustments to rules, such as writing rule tuning expressions and changing severities. Implementing the recommendations causes rules to be more effective at creating high-fidelity signals, resulting in generation of more meaningful insights. 
 
 Watch this micro lesson to learn how to use the Insight Trainer dashboard.
 
@@ -30,22 +30,22 @@ import Iframe from 'react-iframe';
 
 ## About Insight Trainer
 
-When you [close an Insight](/docs/cse/administration/manage-custom-insight-resolutions/#close-an-insight-using-a-custom-resolution), you can give it one of the following built-in [Insight resolutions](/docs/cse/administration/manage-custom-insight-resolutions/): 
+When you [close an insight](/docs/cse/administration/manage-custom-insight-resolutions/#close-an-insight-using-a-custom-resolution), you can give it one of the following built-in [insight resolutions](/docs/cse/administration/manage-custom-insight-resolutions/): 
 
 * **Duplicate**. The insight has triggered before on the same entity and is a duplicate.
 * **False Positive**. A false alarm, possibly due to an error in the detection logic of the rule or inapplicability to your environment.
-* **No Action**. A valid detection, but no action is necessary due to effective containment measures. Rules participating in repeated No Action Insights may also be good tuning expression candidates.
+* **No Action**. A valid detection, but no action is necessary due to effective containment measures. Rules participating in repeated No Action insights may also be good tuning expression candidates.
 * **Resolved**. A valid detection where investigation was necessary.
 
-As you resolve Insights, you may find you have a high ratio of False Positive and No Action resolutions compared to Resolved resolutions. By reducing the number of Signals that produce Insights that turn out to be false positives or require no action, you can produce more reliable Insights. 
+As you resolve insights, you may find you have a high ratio of False Positive and No Action resolutions compared to Resolved resolutions. By reducing the number of signals that produce insights that turn out to be false positives or require no action, you can produce more reliable insights. 
 
 :::note
-For Insight Trainer to work correctly, it needs a balanced set of Insights in a closed state with an appropriate mix of resolution statuses, such as **False Positive**, **No Action**, and **Resolved**. Unbalanced datasets can occur if resolutions are unrealistically assigned, for example, if all Insights are closed with a single closed state such as **False Positive**.
+For Insight Trainer to work correctly, it needs a balanced set of insights in a closed state with an appropriate mix of resolution statuses, such as **False Positive**, **No Action**, and **Resolved**. Unbalanced datasets can occur if resolutions are unrealistically assigned, for example, if all insights are closed with a single closed state such as **False Positive**.
 :::
 
 You could use trial-and-error to tune rules, but the Insight Trainer dashboard provides a data-driven approach. Once a week, the Insight Trainer provides fresh recommendations based on analysis of the last 60 days of data. Machine learning and AI learn historical patterns from your own data to suggest rule severity adjustments that minimize false positives without missing out on actual incidents. To see fresh recommendation every week, you must make suggested tuning adjustments at least once every two weeks. If you implement the suggested changes on a regular basis, the number of false positive resolutions can be greatly reduced. 
 
-The dashboard makes two kinds of suggestions, either a “tunability” score to help you write tuning expressions for Entities, or recommendations to change the severity level of rules. We recommend you first look at rules with the highest tunability score and assess the dominant Entities (like users and IPs) to write tuning expressions for. Only after implementing tuning expressions do we recommend you adjust rule severities. This [suggested workflow](#suggested-workflow) will give you the best results over time.
+The dashboard makes two kinds of suggestions, either a “tunability” score to help you write tuning expressions for entities, or recommendations to change the severity level of rules. We recommend you first look at rules with the highest tunability score and assess the dominant entities (like users and IPs) to write tuning expressions for. Only after implementing tuning expressions do we recommend you adjust rule severities. This [suggested workflow](#suggested-workflow) will give you the best results over time.
 
 ## Cloud SIEM - Insight Trainer page
 
@@ -62,7 +62,7 @@ Use the fields at the top of the page to filter the kinds of recommendations you
 
 <img src={useBaseUrl('img/cse/cloud-siem-insight-trainer-filters.png')} alt="Insight Trainer filters" width="800"/>
 
-1. **minimize**. The types of [Insight resolutions](/docs/cse/administration/manage-custom-insight-resolutions) you want to minimize:
+1. **minimize**. The types of [insight resolutions](/docs/cse/administration/manage-custom-insight-resolutions) you want to minimize:
    * **False positive**. Display recommendations only for reducing False Positive resolutions.
    * **False positive & No action**. Display recommendations for reducing both False Positive and No Action resolutions. 
 1. **show_rules**. The types of rules you want to show recommendations for:
@@ -70,27 +70,27 @@ Use the fields at the top of the page to filter the kinds of recommendations you
    * **Rules with severity recommendations**. Provide recommendations only for those rules with suggested changes to their severity.
 1. **deployment**. The deployment whose rules you want recommendations for. 
 1. **domain**. The domain whose rules you want recommendations for.
-1. **Date Range**. Once a week, the Insight Trainer provides fresh recommendations. The date range displayed is the model training period and is read-only. Model retraining is weekly, based on a rolling history of your Insights data. The funnel shows the number of Insights eligible for recommendations. For example, in the image above, 24 Insights out of 30 are eligible for recommendations. In many cases, Insights are eligible for recommendations because they originate from rules that have a static severity that can be updated.
-The funnel depicts algorithmic Insights that remain after filtering Insights based on:
+1. **Date Range**. Once a week, the Insight Trainer provides fresh recommendations. The date range displayed is the model training period and is read-only. Model retraining is weekly, based on a rolling history of your insights data. The funnel shows the number of insights eligible for recommendations. For example, in the image above, 24 insights out of 30 are eligible for recommendations. In many cases, insights are eligible for recommendations because they originate from rules that have a static severity that can be updated.
+The funnel depicts algorithmic insights that remain after filtering insights based on:
    * Date range
    * Insights containing dynamic severity rules
-   * Non-algorithmic detection (that is, rule and user Insights)
-   * Duplicate Insights
+   * Non-algorithmic detection (that is, rule and user insights)
+   * Duplicate insights
    * Data completeness 
-1. **Insight Source**. The primary source of Insights (for example, by algorithm, rule, or user).
+1. **Insight Source**. The primary source of insights (for example, by algorithm, rule, or user).
 
 ### Recommendations Summary
 
-This panel summarizes the changes to Insight resolutions if you implement the recommended rule changes. 
+This panel summarizes the changes to insight resolutions if you implement the recommended rule changes. 
 
 <img src={useBaseUrl('img/cse/cloud-siem-insight-trainer-recommendations-summary.png')} alt="Insight Trainer Recommendations Summary" width="800"/>
 
-1. **Total Eligible Insights (prior to optimization)**. The number of Insights that could be reduced.
-1. **Optimized Labeled Insights (OLI)**. The number of Insights remaining with a resolution label.
-1. **Forecasted Unlabeled Insights (FUI)**. The number of Insights that will no longer have a resolution label.
-1. **Total Optimized Insights (FUI + OLI)**. The total number of Insights with a resolution label either added or removed.
-1. **False Positive Rate: Eligible Insights**. The false positive rate for Insights that are eligible for optimization.
-1. **False Positive Rate: Optimized Insights**. The false positive rate for Insights after optimization.
+1. **Total Eligible Insights (prior to optimization)**. The number of insights that could be reduced.
+1. **Optimized Labeled Insights (OLI)**. The number of insights remaining with a resolution label.
+1. **Forecasted Unlabeled Insights (FUI)**. The number of insights that will no longer have a resolution label.
+1. **Total Optimized Insights (FUI + OLI)**. The total number of insights with a resolution label either added or removed.
+1. **False Positive Rate: Eligible Insights**. The false positive rate for insights that are eligible for optimization.
+1. **False Positive Rate: Optimized Insights**. The false positive rate for insights after optimization.
 1. **Insight Counts by Resolution: Eligible v. Optimized Labeled Insights**. Bar chart showing the relative number of Resolved versus False Positive resolutions that would result if you implement the recommended rule changes. 
 
 
@@ -103,21 +103,21 @@ This panel shows the rules recommended for severity changes.
 1. **rule**. The rule recommended to change the severity level for.
 1. **current_severity**. The rule’s current severity level.
 1. **recommended_severity**. The recommended severity level.
-1. **signal_count**. The number of Signals generated by the rule in the time period set in the dashboard’s filter.
-1. **tunability**. The score indicating how good a candidate the rule is for having a tuning expression change. The closer to 100 the score is, the better a candidate is. Click the score to get a list of the Entities that you can add tuning expressions for.
-1. **eligible_count**. The number of Insights that use the rule that had False Positive and No Action resolutions for the time period set in the dashboard’s filter. 
-1. **optimized_count**. The number of Insights anticipated to have False Positive and No Action resolutions for the set time period if the rule’s severity is updated per the recommendation.
+1. **signal_count**. The number of signals generated by the rule in the time period set in the dashboard’s filter.
+1. **tunability**. The score indicating how good a candidate the rule is for having a tuning expression change. The closer to 100 the score is, the better a candidate is. Click the score to get a list of the entities that you can add tuning expressions for.
+1. **eligible_count**. The number of insights that use the rule that had False Positive and No Action resolutions for the time period set in the dashboard’s filter. 
+1. **optimized_count**. The number of insights anticipated to have False Positive and No Action resolutions for the set time period if the rule’s severity is updated per the recommendation.
 
-Before making changes to a rule’s severity, check the rule’s tunability score to see if it is a good candidate for a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) change, and click the score to get a list of Entities to tune the rule for. Scores closer to 100 are better candidates. Because a small number of Entities can cause many False Positive and No Action resolutions, it’s preferable to write a tuning expression for a rule rather than change its severity. This will result in a more long-term reduction in false positive Insights. 
+Before making changes to a rule’s severity, check the rule’s tunability score to see if it is a good candidate for a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) change, and click the score to get a list of entities to tune the rule for. Scores closer to 100 are better candidates. Because a small number of entities can cause many False Positive and No Action resolutions, it’s preferable to write a tuning expression for a rule rather than change its severity. This will result in a more long-term reduction in false positive insights. 
 
-In general, fewer Insights are generated if you decrease severities on rules, and more Insights are generated if you increase severities on rules. If more Insights are generated because you increase severity, the incrementally changed Insights no longer have a resolution label (are “unlabeled”). 
+In general, fewer insights are generated if you decrease severities on rules, and more insights are generated if you increase severities on rules. If more insights are generated because you increase severity, the incrementally changed insights no longer have a resolution label (are “unlabeled”). 
 
 ## Suggested workflow
 
 Following is the suggested workflow to use the Insight Trainer dashboard:
 1. Review severity recommendations once a week. The Insight Trainer provides fresh recommendations weekly, provided that you regularly implement recommendations. 
-1. Look at the rules with the highest tunability scores and assess the dominant Entities to write [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions) for (like users and IP addresses).
-1. Write tuning expressions for Entities, where possible.
+1. Look at the rules with the highest tunability scores and assess the dominant entities to write [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions) for (like users and IP addresses).
+1. Write tuning expressions for entities, where possible.
 1. Adjust rule severities if needed.
 
 We suggest adjusting rule severities to the recommended levels only after you have written rule tuning expressions and seen how they result in lowering false positives. The algorithm adjusts its recommendations continuously. So if at first you do not see your false positives change much, wait a few days, and you will notice new recommendations.  
diff --git a/docs/cse/rules/normalized-authentication-rules.md b/docs/cse/rules/normalized-authentication-rules.md
index d82b11ab95..663e86b6c0 100644
--- a/docs/cse/rules/normalized-authentication-rules.md
+++ b/docs/cse/rules/normalized-authentication-rules.md
@@ -2,17 +2,17 @@
 id: normalized-authentication-rules
 title: Normalized Authentication Rules
 sidebar_label: Normalized Authentication Rules
-description: Cloud SIEM's Normalized Authentication Rules detect activities that compromise accounts using authentication logs from any data source that Cloud SIEM parsers and mappings support.
+description: Cloud SIEM's normalized authentication rules detect activities that compromise accounts using authentication logs from any data source that Cloud SIEM parsers and mappings support.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-*Normalized Authentication Rules* detect activities that compromise accounts using authentication logs from any data source that Cloud SIEM parsers and mappings support. New authentication data sources can immediately take advantage of this rule logic without the need to customize for the
+*Normalized authentication rules* detect activities that compromise accounts using authentication logs from any data source that Cloud SIEM parsers and mappings support. New authentication data sources can immediately take advantage of this rule logic without the need to customize for the
 specific product or vendor.  
 
 ## Requirements and prerequisites
 
-Out of the box, the Normalized Authentication Rules support a variety of data sources, ranging from cloud-based authentication services like AWS
+Out of the box, the normalized authentication rules support a variety of data sources, ranging from cloud-based authentication services like AWS
 CloudTrail, VPN authentication services like Cisco ASA, and OS-based authentication like that provided by Windows and Linux. 
 
 For the rules to support a particular product or service, the log mapping for that service must map several fields correctly.
@@ -23,8 +23,8 @@ The mapping requirements are:
 
 | Output field | Mapping requirement |
 |:--|:--|
-| `objectType` | This field is populated as a result of the value selected for the Record Type in the log mapping. It must be set to *Authentication*. |
-| `normalizedAction` | Set to *logon* or *domainLogon* depending on the nature of the authentication attempt, as described in Normalized Authentication Rules, below. |
+| `objectType` | This field is populated as a result of the value selected for the record Type in the log mapping. It must be set to *Authentication*. |
+| `normalizedAction` | Set to *logon* or *domainLogon* depending on the nature of the authentication attempt, as described in [Normalized authentication rules](#normalized-authentication-rules), below. |
 | `success` | Set to *true* if the logon was successful, or *false* if it was not.  |
 | `mfa` | If the log message contains a field that indicates multi-factor authentication usage, set `mfa` to *true* if MFA is used or *false* if not. |
 | `user_username ` | `user_username` must be mapped to the input field that contains the user identity. If an alternative input field also contains the user identity, that field should be mapped as an alternate input field. |
@@ -36,7 +36,7 @@ This log mapping for the AWS CloudTrail ConsoleSignIn event meets the requiremen
 
 <img src={useBaseUrl('img/cse/auth-rule-mapping-1.png')} alt="Authentication rule mapping" width="600"/>
 
-## Normalized Authentication Rules
+## Normalized authentication rules
 
 * Authentication Without MFA - Detects a successful login where the account did NOT use multi-factor authentication (MFA) to gain access. We strongly recommend that you require MFA to protect accounts in the event that credentials are stolen. If you don’t require MFA for a data source, we recommend you disable this rule, or that you use a [Rule Tuning Expression](/docs/cse/rules/rule-tuning-expressions) to exclude the data source so that messages from it won’t be processed by this rule. 
 * Brute Force Attempt - Detects multiple failed login attempts for the same username over a 24 hour timeframe. This is designed to catch both slow and quick brute force type attacks. The threshold and time frame can be adjusted based on your environment. This rule only monitors events with a `normalizedAction` of *logon*.
diff --git a/docs/cse/rules/normalized-threat-rules.md b/docs/cse/rules/normalized-threat-rules.md
index 4d54433cf5..21a88d7591 100644
--- a/docs/cse/rules/normalized-threat-rules.md
+++ b/docs/cse/rules/normalized-threat-rules.md
@@ -2,7 +2,7 @@
 id: normalized-threat-rules
 title: Normalized Threat Rules
 sidebar_label: Normalized Threat Rules
-description: Cloud SIEM's built-in threat rules pass alerts from a security product to the Signal generation process, and are normalized work across multiple security products.
+description: Cloud SIEM's built-in threat rules pass alerts from a security product to the signal generation process, and are normalized work across multiple security products.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
@@ -16,7 +16,7 @@ To get a CSV of normalized threat rules, see [Rules - Useful CSVs](https://githu
 The first key fact about normalized threat rules is this: they exist to process messages that describe a security event that has already
 occurred. 
 
-Some messages logged by a security product are the result of that product’s own detection functionality, for example, by using rule sets or signatures. Typically, such messages contain a severity, risk, or impact in the message, and can be accepted as a clear indication of nefarious activity. Essentially, a normalized threat rule simply passes an alert from a security product to the Signal generation process.  
+Some messages logged by a security product are the result of that product’s own detection functionality, for example, by using rule sets or signatures. Typically, such messages contain a severity, risk, or impact in the message, and can be accepted as a clear indication of nefarious activity. Essentially, a normalized threat rule simply passes an alert from a security product to the signal generation process.  
 
 ## Normalized threat rules support multiple log sources
 
@@ -60,7 +60,7 @@ Cloud SIEM provides the following normalized intrusion rules:
 
 **Requirements for Intrusion Signature rules:**
 
-The rules that detect intrusion signatures from internal IP addresses rely upon the [normalizedSeverity](/docs/cse/schema/schema-attributes) attribute in Records being mapped as follows:
+The rules that detect intrusion signatures from internal IP addresses rely upon the [normalizedSeverity](/docs/cse/schema/schema-attributes) attribute in records being mapped as follows:
 
 * critical = 10
 * high = 9
diff --git a/docs/cse/rules/rule-tuning-expressions.md b/docs/cse/rules/rule-tuning-expressions.md
index a85bbd80b1..e9bf5ca950 100644
--- a/docs/cse/rules/rule-tuning-expressions.md
+++ b/docs/cse/rules/rule-tuning-expressions.md
@@ -7,11 +7,11 @@ description: Rule tuning expressions allow you to tailor the logic of a built-in
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This topic has instructions for creating and using tuning expressions for Rules.
+This topic has instructions for creating and using tuning expressions for rules.
 
 ## What’s a rule tuning expression?
 
-Every Cloud SIEM rule has a rule expression, to which incoming Records are compared. When a Record matches a rule expression, and other rule criteria are satisfied, the rule generates a Signal. A rule tuning expression allows you to extend a rule expression. A rule tuning expression is combined with a rule expression—either with a logical AND or NOT—and the rule will only generate a Signal if a Record matches the combined expression.  
+Every Cloud SIEM rule has a rule expression, to which incoming records are compared. When a record matches a rule expression, and other rule criteria are satisfied, the rule generates a signal. A rule tuning expression allows you to extend a rule expression. A rule tuning expression is combined with a rule expression—either with a logical AND or NOT—and the rule will only generate a signal if a record matches the combined expression.  
 
 As an example, consider the following rule expression, which detects that an attempt was made to clear the Windows Security Event Log.
 
@@ -19,14 +19,14 @@ As an example, consider the following rule expression, which detects that an att
 metadata_vendor = 'Microsoft' and metadata_product = 'Windows' and metadata_deviceEventId = 'Security-1102' and fields['Provider.Name'] = 'Microsoft-Windows-Eventlog'
 ```
 
-If you don’t want the rule to generate a Signal if the person performing the action is “jdoe”, you can add a tuning expression like this to the rule, and configure the tuning expression to exclude Records that match the tuning expression.
+If you don’t want the rule to generate a signal if the person performing the action is “jdoe”, you can add a tuning expression like this to the rule, and configure the tuning expression to exclude records that match the tuning expression.
 
 `user_userId = "jdoe"`
 
 Rule tuning expressions allow you to tailor the logic of a built-in rule without replicating and modifying the rule. The benefit of using a tuning expression, over the copy and edit method, is that when Cloud SIEM updates built-in rules, your tuning expressions are preserved. This division of logic means that you don’t need to create as many custom rules. If you use tuning expressions in combination with multi-entity rules you’ll further reduce the need for custom rules.   
 
 :::tip
-There is another benefit of using tuning built-in rules instead of writing custom rules: you get the benefit of Cloud SIEM's [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights) model. This feature leverages crowd-sourced learning to help security analysts triage and prioritize Insights. 
+There is another benefit of using tuning built-in rules instead of writing custom rules: you get the benefit of Cloud SIEM's [Global Confidence](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights) model. This feature leverages crowd-sourced learning to help security analysts triage and prioritize insights. 
 :::
 
 You can apply multiple tuning expressions to a rule. You can assign a tuning expression to selected rules, or to all of your rules. You can also create a tuning expression without immediately assigning it to any rules.
@@ -66,10 +66,10 @@ import Iframe from 'react-iframe'; 
 1. **Description**. Enter a description of the tuning expression.
 1. In the **Tune [selected|all] Rules** section:
    * To apply the expression to all rules, choose **all**.
-   * To apply the expression to some but not all rules, choose **selected**. In the **Type to add a rule area**, enter a search string that matches Rule names or Rule IDs. To search by Rule name, you can enter a string that the Rule name contains. To search by Rule ID, you can enter the complete ID, or a subset of the ID, starting with the leading character.  The name and ID of rules that match will appear on the page..
+   * To apply the expression to some but not all rules, choose **selected**. In the **Type to add a rule area**, enter a search string that matches rule names or rule IDs. To search by rule name, you can enter a string that the rule name contains. To search by rule ID, you can enter the complete ID, or a subset of the ID, starting with the leading character.  The name and ID of rules that match will appear on the page..
 1. In the **To \[include|exclude\]... area**:
-   * Leave **include** selected if you want Signals to be fired for Records that match both the rule expression and the tuning expression.
-   * Select **exclude** from the pulldown if you want Signals to be fired for Records that match the rule expression and do not match the tuning expression.
+   * Leave **include** selected if you want signals to be fired for records that match both the rule expression and the tuning expression.
+   * Select **exclude** from the pulldown if you want signals to be fired for records that match the rule expression and do not match the tuning expression.
 1. Enter a tuning expression.
 1. Click **Submit**.
 
diff --git a/docs/cse/rules/tailor-global-rule.md b/docs/cse/rules/tailor-global-rule.md
index 03cbf84484..c40aaffc80 100644
--- a/docs/cse/rules/tailor-global-rule.md
+++ b/docs/cse/rules/tailor-global-rule.md
@@ -9,13 +9,13 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This topic has instructions for tailoring global (built-in) rules in Cloud SIEM. 
 
-You can override selected rule fields in all Cloud SIEM rule types: Match, Threshold, Chain and Aggregation. After you have overridden a field, you can revert to the original field value.
+You can override selected rule fields in all Cloud SIEM rule types: match, threshold, chain and aggregation. After you have overridden a field, you can revert to the original field value.
 
 :::note
 You cannot override fields in legacy rules—rules whose ID looks like LEGACY-*xxxxxxx*.
 :::
 
-If you want to tailor a rule expression—the expression to which incoming Records are compared—see [Rule Tuning Expressions](/docs/cse/rules/rule-tuning-expressions).
+If you want to tailor a rule expression—the expression to which incoming records are compared—see [Rule Tuning Expressions](/docs/cse/rules/rule-tuning-expressions).
 
 ## Signal generation fields you can override
 
@@ -23,9 +23,9 @@ You can override any of the settings in the **Then Create a Signal** section on
 
 | Setting | Notes |
 |:--|:--|
-| Entity | In the **On Entity** area, you can change the Entity or Entities upon which Signals will fire when the rule is triggered.  |
-| Signal name | If the **using the name** field is present, you can override the name that will be assigned to Signals fired by the rule. |
-| Summary | In the **with the summary** field, you can override the description of the situation that causes the rule to fire a Signal. |
+| Entity | In the **On Entity** area, you can change the entity or entities upon which signals will fire when the rule is triggered.  |
+| Signal name | If the **using the name** field is present, you can override the name that will be assigned to signals fired by the rule. |
+| Summary | In the **with the summary** field, you can override the description of the situation that causes the rule to fire a signal. |
 | Description | In the **with the description** field, you can override the description of what conditions the rule looks for.  |
 | Severity settings | You can change the severity type from constant to dynamic and vice versa, change the severity level for a constant severity, or change the field used for dynamic severity. |
 | Tags | You can add tags, but you can’t edit or delete the tags already configured for the rule. |
@@ -34,18 +34,18 @@ You can override any of the settings in the **Then Create a Signal** section on
 
 ## “If triggered” fields you can override
 
-You can override some of the fields in the **If Triggered** section on the left side of the Rules editor. What you can edit depends on the rule type. The table below lists the rule settings that you can override for each rule type. See [Screenshots](#screenshots) below for a visual overview.
+You can override some of the fields in the **If Triggered** section on the left side of the rules editor. What you can edit depends on the rule type. The table below lists the rule settings that you can override for each rule type. See [Screenshots](#screenshots) below for a visual overview.
 
 | Rule type | What you can override |
 |:--|:--|
 | Match | nothing |
-| Aggregation | <ul><li>grouped by—You can add and remove fields to group Records by. </li><li>within—You can change the time window over which the aggregation conditions are applied.</li></ul> |
-| Chain | <ul><li>grouped by—You can add and remove fields to group Records by.</li><li>within—You can change the time window over which the aggregation conditions are applied.</li></ul> |
-| Threshold | <ul><li>matches Records with ... values—You can override the number of Records that must match the rule expression.</li></ul> |
+| Aggregation | <ul><li>grouped by—You can add and remove fields to group records by. </li><li>within—You can change the time window over which the aggregation conditions are applied.</li></ul> |
+| Chain | <ul><li>grouped by—You can add and remove fields to group records by.</li><li>within—You can change the time window over which the aggregation conditions are applied.</li></ul> |
+| Threshold | <ul><li>matches records with ... values—You can override the number of records that must match the rule expression.</li></ul> |
 
 ## Screenshots
 
-| Aggregation rule | Chain Rule | Threshold rule |
+| Aggregation rule | Chain rule | Threshold rule |
 |:--|:--|:--|
 | <img src={useBaseUrl('img/cse/aggregation-rule-edits.png')} alt="Aggregation rule" width="300" /> | <img src={useBaseUrl('img/cse/chain-rule-edits.png')} alt="Chain rule" width="300" /> | <img src={useBaseUrl('img/cse/thresh-rule-edits.png')} alt="Threshold rule" width="300" /> |
 
diff --git a/docs/cse/rules/write-aggregation-rule.md b/docs/cse/rules/write-aggregation-rule.md
index 50d310ec74..8c6e26d3c0 100644
--- a/docs/cse/rules/write-aggregation-rule.md
+++ b/docs/cse/rules/write-aggregation-rule.md
@@ -2,42 +2,42 @@
 id: write-aggregation-rule
 title: Write an Aggregation Rule
 sidebar_label: Aggregation Rule
-description: Learn how to write an Aggregation rule.
+description: Learn how to write an aggregation rule.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
 
-This topic has information about Cloud SIEM Aggregation rules and how to write them.
+This topic has information about Cloud SIEM aggregation rules and how to write them.
 
 :::tip
 If you are new to writing your own Cloud SIEM rules, see [Before You Write a Custom Rule](/docs/cse/rules/before-writing-custom-rule) for tips and techniques that are useful for getting started.
 :::
 
-## About Aggregation rules
+## About aggregation rules
 
-This section describes the purpose of Aggregation rules, and gives an example of how you would use one. If you’re ready to jump in and configure a rule, see [Create an Aggregation rule](#create-an-aggregation-rule) below.
+This section describes the purpose of aggregation rules, and gives an example of how you would use one. If you’re ready to jump in and configure a rule, see [Create an aggregation rule](#create-an-aggregation-rule) below.
 
-An Aggregation rule is useful when you want to fire a Signal based multiple conditions—up to six—being met over a period of time. 
+An aggregation rule is useful when you want to fire a signal based multiple conditions—up to six—being met over a period of time. 
 
-As an example, suppose you want to  fire a Signal when the ratio of failed to successful HTTP requests is too high—75% or more. You can use an Aggregation rule to calculate the percentage of failed requests, and configure the rule to fire a signal when the request failure rate is 75% or higher.
+As an example, suppose you want to  fire a signal when the ratio of failed to successful HTTP requests is too high—75% or more. You can use an aggregation rule to calculate the percentage of failed requests, and configure the rule to fire a signal when the request failure rate is 75% or higher.
 
-The table below summarizes the rule configuration. Each row corresponds to an element of the sentence-style configuration UI for the **If Triggered** settings for an Aggregation rule.
+The table below summarizes the rule configuration. Each row corresponds to an element of the sentence-style configuration UI for the **If Triggered** settings for an aggregation rule.
 
 | Configuration setting | What it does |
 |:--|:--|
-| When Records matching the expression<br/>`!isNull(http_response_statusCode)` | Filters the Records to which the rule will be applied: only Records that contain a non-null `http_response_statusCode` field. |
+| When records matching the expression<br/>`!isNull(http_response_statusCode)` | Filters the records to which the rule will be applied: only records that contain a non-null `http_response_statusCode` field. |
 | **grouped by** `device_ip` | Specifies the field by which aggregation results will be grouped: `device_ip` |
-| **within** 5 minutes | Specifies the duration across which Records will be evaluated. |
-| Aggregation 1<br/>Name. `good`<br/>Function. `count`<br/>Expression. `http_response_statusCode <= 201` | Defines an aggregation named “good”, which counts the number of Records encountered during the within duration in which the `http_response_statusCode` value is less than or equal to 201, which indicates a request was successful. |
-| Aggregation 2<br/>Name. `bad`<br/> Function. `count`<br/>Expression. `http_response_statusCode > 201` | Defines an aggregation named “bad”, which counts the number of Records encountered during the within duration in which the `http_response_statusCode` value is less greater than 201, which indicates a request failed. |
-| that match the following condition<br/>`(bad/(good+bad))*100 > 75` | Specifies the condition for firing a Signal based on the results of the “good” and “bad” aggregation: more than 75% percent of requests failed during the within duration. |
+| **within** 5 minutes | Specifies the duration across which records will be evaluated. |
+| Aggregation 1<br/>Name. `good`<br/>Function. `count`<br/>Expression. `http_response_statusCode <= 201` | Defines an aggregation named “good”, which counts the number of records encountered during the within duration in which the `http_response_statusCode` value is less than or equal to 201, which indicates a request was successful. |
+| Aggregation 2<br/>Name. `bad`<br/> Function. `count`<br/>Expression. `http_response_statusCode > 201` | Defines an aggregation named “bad”, which counts the number of records encountered during the within duration in which the `http_response_statusCode` value is less greater than 201, which indicates a request failed. |
+| that match the following condition<br/>`(bad/(good+bad))*100 > 75` | Specifies the condition for firing a signal based on the results of the “good” and “bad” aggregation: more than 75% percent of requests failed during the within duration. |
 
 The screenshot below shows the **If Triggered** configuration for the example rule in the Rules Editor. 
 
 <img src={useBaseUrl('img/cse/agg-rule.png')} alt="If Triggered section of an aggregation rule" style={{border: '1px solid gray'}} width="400"/>
 
-Watch this micro lesson to learn how to create an Aggregation rule.
+Watch this micro lesson to learn how to create an aggregation rule.
 
 <Iframe url="https://www.youtube.com/embed/XaqQES5suWQ?rel=0"
         width="854px"
@@ -53,31 +53,31 @@ Watch this micro lesson to learn how to create an Aggregation rule.
 import Iframe from 'react-iframe'; 
 
 
-## Create an Aggregation rule
+## Create an aggregation rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
 1. On the **Create a Rule** page, click **Create** in the **Aggregation** card.
 1. In the rules editor:
    1. **Name**. At the top of the Rules Editor, enter a name for the rule. Signals fired by the rule will have the same name as the rule.
-   1. **Enabled**. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it.  <br/><img src={useBaseUrl('img/cse/aggregation-rule.png')} alt="Aggregation rule dialog" style={{border: '1px solid gray'}} width="600"/>
+   1. **Enabled**. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming records until you’ve tested it.  <br/><img src={useBaseUrl('img/cse/aggregation-rule.png')} alt="Aggregation rule dialog" style={{border: '1px solid gray'}} width="600"/>
 
 ### Configure “If Triggered” settings
 
-On the left side of the Rules Editor, in the **If Triggered** section, you configure a filter that determines the Records to which the rule will be applied, and the conditions under which you want the rule to fire a Signal. 
-1. **When Records matching the expression**. Enter one or more boolean expressions to filter the Records you want to apply the rule to. For example: `!isNull(http_response_statusCode)`
-1. Click **Test Rule Expression** to test it against existing Records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for Records that match the rule expression. If there are no matching Records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
-1. **grouped by**. Specify the Record field or fields by which aggregation results will be grouped. Note that when you define the **On Entity** field for the rule (in [Configure “Then Create a Signal” settings](#configure-then-create-a-signal-settings) below), the field you choose will automatically appear here. If you want to aggregate on other fields, you can select them from the selector list.
+On the left side of the Rules Editor, in the **If Triggered** section, you configure a filter that determines the records to which the rule will be applied, and the conditions under which you want the rule to fire a signal. 
+1. **When Records matching the expression**. Enter one or more boolean expressions to filter the records you want to apply the rule to. For example: `!isNull(http_response_statusCode)`
+1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
+1. **grouped by**. Specify the record field or fields by which aggregation results will be grouped. Note that when you define the **On Entity** field for the rule (in [Configure “Then Create a Signal” settings](#configure-then-create-a-signal-settings) below), the field you choose will automatically appear here. If you want to aggregate on other fields, you can select them from the selector list.
 1. **within...**. Select the length of time across which the rule is applied. The options range from 5 minutes to 5 days.
 1. **have aggregations**. To define an aggregation:
    1. **Name**. Give the aggregation a brief, meaningful name. You’ll reference the aggregation by its name in the trigger condition for the rule.
    1. **Function**. Select an aggregation function: `avg`, `count`, `count_distinct`, `first`, `last`, `max`, `min`, or `sum`.
-   1. **Expression**. Enter an expression to filter the Records to be aggregated. For example, the following expression results in the aggregation being applied to Record whose `http_response_statusCode` field is greater than 201:<br/>
+   1. **Expression**. Enter an expression to filter the records to be aggregated. For example, the following expression results in the aggregation being applied to record whose `http_response_statusCode` field is greater than 201:<br/>
    `http_response_statusCode > 201`
    :::note
     The expression you enter should make sense with the aggregation function you chose. Specifically, if your aggregation function is `count` or `count_distinct`, your expression should return countable results, like the example above. However, if you use another aggregation function — `avg`, `first`, `last`, `max`, `min`, or `sum` — your expression should be a field name, for example: `bytes` or `if(!isEmpty(bytes), bytes, bits)`, and the function will be applied to the value of that field.
    :::
    1. To define another aggregation, click **Add Aggregation** and repeat the previous three steps.
-1. **that match the following condition**. Enter one or more boolean expressions, based on the results of the configured aggregations, which when true will cause the rule to fire a Signal. For example, given the following expression, a rule will fire a Signal when the sum of `Aggregation-1` and `Aggregation-2` is greater than 1.  `Aggregation-1 + Aggregation-2 > 1`
+1. **that match the following condition**. Enter one or more boolean expressions, based on the results of the configured aggregations, which when true will cause the rule to fire a signal. For example, given the following expression, a rule will fire a signal when the sum of `Aggregation-1` and `Aggregation-2` is greater than 1.  `Aggregation-1 + Aggregation-2 > 1`
 1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
     :::note
     If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
@@ -85,50 +85,50 @@ On the left side of the Rules Editor, in the **If Triggered** section, you confi
 
 ### Configure “Then Create a Signal” settings
 
-On the right side of the Rules Editor, in the **Then Create a Signal** section, you configure details of the Signals that your rule will fire. 
+On the right side of the Rules Editor, in the **Then Create a Signal** section, you configure details of the signals that your rule will fire. 
 
-1. Click **Show Advanced** if you want the rule to [override global Signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
-1. **On Entity**. Use the pull-down list to select one or more Entity fields, for example, an IP address, MAC address, hostname, and so on. When the rule is triggered, it will fire a Signal on each of the Entity fields you select.  
-1. **using the name**. Enter the name of the rule, which can be used to name the Signal generated.  
-1. **with the summary**. Enter a brief summary describing what causes the Rule to create a Signal.
-1. **with the description**. Enter a description for the Signal. The Signal description should be a good indication of what the rule looks for.
+1. Click **Show Advanced** if you want the rule to [override global signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
+1. **On Entity**. Use the pull-down list to select one or more entity fields, for example, an IP address, MAC address, hostname, and so on. When the rule is triggered, it will fire a signal on each of the entity fields you select.  
+1. **using the name**. Enter the name of the rule, which can be used to name the signal generated.  
+1. **with the summary**. Enter a brief summary describing what causes the Rule to create a signal.
+1. **with the description**. Enter a description for the signal. The signal description should be a good indication of what the rule looks for.
    :::note
    <CseRule/>
    :::
 1. **and a severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). There are two ways to specify Severity:
-   * **Constant**. Every Signal that the rule fires will have the same severity,
-   * **Dynamic**. Severity is based on the value of a field in the Record.
+   * **Constant**. Every signal that the rule fires will have the same severity,
+   * **Dynamic**. Severity is based on the value of a field in the record.
 1. **Configure constant severity**. Choose **Constant**, and select a severity level. Then, proceed to Step 7. <br/><img src={useBaseUrl('img/cse/constant-severity.png')} alt="Constant severity portion of the dialog" style={{border: '1px solid gray'}} width="325"/>
 1. **Configure dynamic severity**.
    1. Choose **Dynamic**.
    1. The severity area updates. 
    1. **severity of**. Use the pulldown to select a default severity value.
-   1. **for the record field**. Use the down arrows to display a list of fields, and select one.  The dynamic severity will be based on the value of (or existence of) that field in the Record that matched the rule expression.
+   1. **for the record field**. Use the down arrows to display a list of fields, and select one.  The dynamic severity will be based on the value of (or existence of) that field in the record that matched the rule expression.
    1. The **Add More Mappings** option appears. <br/><img src={useBaseUrl('img/cse/add-more-mappings.png')} alt="Add More Mappings option" style={{border: '1px solid gray'}} width="450"/>
-   1. **Click Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the Record field you selected above.
+   1. **Click Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the record field you selected above.
    1. The **if the value is** option appears.<br/><img src={useBaseUrl('img/cse/if-the-value-is.png')} alt="If the Value Is option" style={{border: '1px solid gray'}} width="450"/>
    1. Select one of the following options:
-      * **equal to**. The Record field’s value must exactly match the string or numeric value you supply. For example "equal to 4" will match "4" and “4.0” but not “4.01”.
-      * **less than**. The Record field’s value must be less than the numeric value you supply. The match is not inclusive. For example "less than 5" will match “4.9” but not “5”.
-      * **greater than**. The Record field’s value must be greater than the numeric value you supply. The match is not inclusive. For example "greater than “5" will match “5.1”, but not “5”.
-      * **between**. The Record field’s value must be between the two numeric values you supply. The match is inclusive. For example, "Between 5 and 10" will match “5”, “7”, or “10”, but not “10.1”.
-      * **not in the record**. Will match when the attribute is found in the Record. For example, if the selected field is `broirc_value`, and that field is not present in a Record, the rule will match. If `broirc_value` exists but is null or empty, the rule will not match.
+      * **equal to**. The record field’s value must exactly match the string or numeric value you supply. For example "equal to 4" will match "4" and “4.0” but not “4.01”.
+      * **less than**. The record field’s value must be less than the numeric value you supply. The match is not inclusive. For example "less than 5" will match “4.9” but not “5”.
+      * **greater than**. The record field’s value must be greater than the numeric value you supply. The match is not inclusive. For example "greater than “5" will match “5.1”, but not “5”.
+      * **between**. The record field’s value must be between the two numeric values you supply. The match is inclusive. For example, "Between 5 and 10" will match “5”, “7”, or “10”, but not “10.1”.
+      * **not in the record**. Will match when the attribute is found in the record. For example, if the selected field is `broirc_value`, and that field is not present in a record, the rule will match. If `broirc_value` exists but is null or empty, the rule will not match.
    1. You can define additional conditions, as desired. To define an additional conditions, repeat the steps above, starting with **Add More Mappings**.
    :::note
    The conditions you define will be processed in the order you define them. Once a match occurs, processing stops–remaining conditions are ignored.
    :::
-1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any Signals created from this rule, and inherited by any insights generated from those signals.
+1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, insights, signals, entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any signals created from this rule, and inherited by any insights generated from those signals.
 
 ## Save as prototype 
 
-If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates Signals, but those Signals won't contribute to Insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many Signals.
+If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates signals, but those signals won't contribute to insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many signals.
 
 To make the rule a prototype, click the box next to **Save this rule as a prototype**. When you are satisfied with the rule's behavior you can uncheck the box.
 
 Click **Submit** to save the rule.
 
-## Duplicate Signals?
+## Duplicate signals?
 
-If you determine that a Threshold, Chain, or Aggregation rule is firing identical Signals for the same conditions during the same time interval, there’s a likely explanation. This situation can arise due to how these rule types are processed: they are evaluated differently than Match rules, because they support time duration conditions. For example, a Threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time.
+If you determine that a threshold, chain, or aggregation rule is firing identical signals for the same conditions during the same time interval, there’s a likely explanation. This situation can arise due to how these rule types are processed: they are evaluated differently than match rules, because they support time duration conditions. For example, a threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time.
 
-To successfully apply a rule across a sliding time window, Cloud SIEM evaluates Records across overlapping time spans. Consider a rule that requires three matches across five minutes. With non-overlapping windows, we could detect one match at the end of one time window, and two more in the following time window. This should cause the rule to fire a Signal, but would not, because the required five minute span is split between two evaluation windows. Overlapping evaluation windows solves this problem. In some cases though, it can also result in duplicate Signals. However, as long as you don’t run the rule as a prototype, duplicate Signals will be suppressed, as described in [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression).
+To successfully apply a rule across a sliding time window, Cloud SIEM evaluates records across overlapping time spans. Consider a rule that requires three matches across five minutes. With non-overlapping windows, we could detect one match at the end of one time window, and two more in the following time window. This should cause the rule to fire a signal, but would not, because the required five minute span is split between two evaluation windows. Overlapping evaluation windows solves this problem. In some cases though, it can also result in duplicate signals. However, as long as you don’t run the rule as a prototype, duplicate signals will be suppressed, as described in [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression).
diff --git a/docs/cse/rules/write-chain-rule.md b/docs/cse/rules/write-chain-rule.md
index 8c03ddf419..82ce25a376 100644
--- a/docs/cse/rules/write-chain-rule.md
+++ b/docs/cse/rules/write-chain-rule.md
@@ -2,23 +2,23 @@
 id: write-chain-rule
 title: Write a Chain Rule
 sidebar_label: Chain Rule
-description: Learn how to write a Chain rule.
+description: Learn how to write a chain rule.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
 
-This topic has information about Chain rules and how to create them in the Cloud SIEM UI.
+This topic has information about chain rules and how to create them in the Cloud SIEM UI.
 
 :::note
 If you are new to writing rules, see [About Cloud SIEM Rules](/docs/cse/rules/about-cse-rules) for information about rule expressions and other rule options.
 :::
 
-## About Chain rules
+## About chain rules
 
-A Chain rule is similar to a Threshold rule. A Threshold rule fires when one rule expression is matched at least a certain number times during a specified length of time. In a Chain rule you configure two more rule expressions, and for each expression, the number of matches that are required for the rule to fire a Signal. The interval you define within which the matches must occur applies to all of the rule expressions in the rule.
+A chain rule is similar to a threshold rule. A threshold rule fires when one rule expression is matched at least a certain number times during a specified length of time. In a chain rule you configure two more rule expressions, and for each expression, the number of matches that are required for the rule to fire a signal. The interval you define within which the matches must occur applies to all of the rule expressions in the rule.
 
-Watch this micro lesson to learn how to create a Chain rule.
+Watch this micro lesson to learn how to create a chain rule.
 
 <Iframe url="https://www.youtube.com/embed/58h2mVnw1oE?rel=0"
         width="854px"
@@ -33,23 +33,23 @@ Watch this micro lesson to learn how to create a Chain rule.
 
 import Iframe from 'react-iframe'; 
 
-## Create a Chain rule
+## Create a chain rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
-1. On the **Create a Rule** page, click **Create** in the Chain card. 
+1. On the **Create a Rule** page, click **Create** in the **Chain** card. 
 1. In the rules editor:
    1. **Name.** Enter a name for the rule. Signals fired by the rule will have this name.
-   1. **Enabled**. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/chain.png')} alt="Chain rule" style={{border: '1px solid gray'}} width="600"/>
+   1. **Enabled**. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/chain.png')} alt="Chain rule" style={{border: '1px solid gray'}} width="600"/>
 
 ### Configure “If Triggered” settings
 
 1. **When at least ... Record matches expression**. Enter two or more rule expressions. For each, select the number of matches that are required.
-1. For each rule expression, click **Test Rule Expression** to test it against existing Records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for Records that match the rule expression. If there are no matching Records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
-1. **grouped by**.  By default, a chain rule implicitly groups by the entity field you’ll select below when configuring the **Then Create a Signal** options. You can select additional “group by” fields with the matches grouped by option, so that a Signal is only created if the count for the group is above the threshold count specified above. 
+1. For each rule expression, click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
+1. **grouped by**.  By default, a chain rule implicitly groups by the entity field you’ll select below when configuring the **Then Create a Signal** options. You can select additional “group by” fields with the matches grouped by option, so that a signal is only created if the count for the group is above the threshold count specified above. 
 1. **in ... order.** Choose either:
       * **any** if matches can occur in any order.
       * **exact** if matches must occur in the same order as you have ordered the rule expressions. If you choose this option, you can only have two rule expressions.
-1. **within...**. Select the duration within which the rule expression must evaluate to “true” more than the number of times specified in **When at least n Record matches expression** for the rule to fire a Signal.
+1. **within...**. Select the duration within which the rule expression must evaluate to “true” more than the number of times specified in **When at least n Record matches expression** for the rule to fire a signal.
 1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
     :::note
     If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
@@ -57,22 +57,22 @@ import Iframe from 'react-iframe'; 
 
 ### Configure “Then Create a Signal” settings
 
-1. Click **Show Advanced** if you want the rule to [override global Signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
-1. **On Entity**. Define the Entity field — for example, an IP address, hostname, and so on — in the Record that the resulting Signal should be associated with. (In Cloud SIEM, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
-1. **with the summary.** Enter a brief summary describing what causes the Rule to create a Signal.
-1. **with the description**. Enter a description for the Signal. The Signal description should be a good indication of what the rule looks for.
+1. Click **Show Advanced** if you want the rule to [override global signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
+1. **On Entity**. Define the entity field — for example, an IP address, hostname, and so on — in the record that the resulting signal should be associated with. (In Cloud SIEM, an insight is a set of signals with the same entity field.) Select a value from the pull-down list. 
+1. **with the summary.** Enter a brief summary describing what causes the rule to create a signal.
+1. **with the description**. Enter a description for the signal. The signal description should be a good indication of what the rule looks for.
    :::note
    <CseRule/>
    :::
 1. **with a severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest).
-1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. For more information, see [Using Tags with Insights, Signals, Entities, and Rules](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules).
+1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like rules, insights, signals, and entities. You can also search for and filter items by tag. For more information, see [Using Tags with Insights, Signals, Entities, and Rules](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules).
 
 ## Save as prototype
-If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates Signals, but those Signals won't contribute to Insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many Signals.
+If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates signals, but those signals won't contribute to insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many signals.
 
 To make the rule a prototype, click the box next to **Save this rule as a prototype**. When you are satisfied with the rule's behavior you can uncheck the box.
 
-### Duplicate Signals?
-If you determine that a Threshold, Chain, or Aggregation rule is firing identical Signals for the same conditions during the same time interval, there’s a likely explanation. This situation can arise due to how these rule types are processed: they are evaluated differently than Match rules, because they support time duration conditions. For example, a Threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time.
+### Duplicate signals?
+If you determine that a threshold, chain, or aggregation rule is firing identical signals for the same conditions during the same time interval, there’s a likely explanation. This situation can arise due to how these rule types are processed: they are evaluated differently than match rules, because they support time duration conditions. For example, a threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time.
 
-To successfully apply a rule across a sliding time window, Cloud SIEM evaluates Records across overlapping time spans. Consider a rule that requires three matches across five minutes. With non-overlapping windows, we could detect one match at the end of one time window, and two more in the following time window. This should cause the rule to fire a Signal, but would not, because the required five minute span is split between two evaluation windows. Overlapping evaluation windows solves this problem. In some cases though, it can also result in duplicate Signals. However, as long as you don’t run the rule as a prototype, duplicate Signals will be suppressed, as described in [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression).
+To successfully apply a rule across a sliding time window, Cloud SIEM evaluates records across overlapping time spans. Consider a rule that requires three matches across five minutes. With non-overlapping windows, we could detect one match at the end of one time window, and two more in the following time window. This should cause the rule to fire a signal, but would not, because the required five minute span is split between two evaluation windows. Overlapping evaluation windows solves this problem. In some cases though, it can also result in duplicate signals. However, as long as you don’t run the rule as a prototype, duplicate signals will be suppressed, as described in [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression).
diff --git a/docs/cse/rules/write-first-seen-rule.md b/docs/cse/rules/write-first-seen-rule.md
index 63ae742bc2..cedcf686f1 100644
--- a/docs/cse/rules/write-first-seen-rule.md
+++ b/docs/cse/rules/write-first-seen-rule.md
@@ -2,7 +2,7 @@
 id: write-first-seen-rule
 title: Write a First Seen rule
 sidebar_label: First Seen Rule
-description: First Seen rules allow you to generate a Signal when behavior by an Entity (user) is encountered that hasn't been seen before.
+description: First seen rules allow you to generate a signal when behavior by an entity (user) is encountered that hasn't been seen before.
 keywords:
   - sumo logic
   - cloud siem
@@ -14,30 +14,30 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
 
 
-This topic has information about First Seen rules and how to create them in the Cloud SIEM UI.
+This topic has information about first seen rules and how to create them in the Cloud SIEM UI.
 :::tip
 If you are new to writing rules, see [About Cloud SIEM Rules](/docs/cse/rules/about-cse-rules) for information about rule expressions and other rule options.
 :::
 
-## About First Seen rules
-First Seen rules allow you to generate a Signal when behavior by an Entity (such as a user) is encountered that hasn't been seen before. For example, a First Seen rule might look for the events like the following:
+## About first seen rules
+First seen rules allow you to generate a signal when behavior by an entity (such as a user) is encountered that hasn't been seen before. For example, a first seen rule might look for the events like the following:
 
 * First time a user logged in from a new geographic location (geolocation)
 * Newly created or added admin accounts
 * High severity EDR alert seen for the first time
 * MFA acceptance from first seen device
 
-A First Seen rule is different from other Cloud SIEM rule types in that you don’t define the criteria for firing a Signal. Instead, the rule expression in a First Seen rule is simply a filter condition that defines what incoming Records the rule will apply to. For each First Seen rule, Cloud SIEM automatically creates a baseline model of normal behavior evidenced by Records that match the Rule Expression. After the baseline learning period is completed, when an incoming Record includes matching activity not seen during the baseline learning period, the rule creates a Signal.
+A first seen rule is different from other Cloud SIEM rule types in that you don’t define the criteria for firing a signal. Instead, the rule expression in a first seen rule is simply a filter condition that defines what incoming records the rule will apply to. For each first seen rule, Cloud SIEM automatically creates a baseline model of normal behavior evidenced by records that match the Rule Expression. After the baseline learning period is completed, when an incoming record includes matching activity not seen during the baseline learning period, the rule creates a signal.
 
-For example, for the “First time a user logged in from a new geographic location” use case, Cloud SIEM will build a baseline model of all the geolocations from where a logon event is seen for the Entity (user). Once the baselining period is complete, Cloud SIEM will create a Signal for every new geolocation detected and incrementally add to the baseline.
+For example, for the “First time a user logged in from a new geographic location” use case, Cloud SIEM will build a baseline model of all the geolocations from where a logon event is seen for the entity (user). Once the baselining period is complete, Cloud SIEM will create a signal for every new geolocation detected and incrementally add to the baseline.
 
 :::tip
-Sumo Logic ensures that Rule processing does not impact the reliability of production environments through the implementation of "circuit breakers." If a Rule matches too many records in too short a period of time, the circuit breaker will trip and the rule will move to a degraded state, and First Seen Rules are no exception.
+Sumo Logic ensures that rule processing does not impact the reliability of production environments through the implementation of "circuit breakers." If a rule matches too many records in too short a period of time, the circuit breaker will trip and the rule will move to a degraded state, and first seen rules are no exception.
 
-On the Rule detail page, if you hover over the degraded message, you will usually see more details about what tripped the circuit breaker and how to resolve the problem. Generally speaking, a rule that is degraded probably needs to be tuned for your specific environment.
+On the rule detail page, if you hover over the degraded message, you will usually see more details about what tripped the circuit breaker and how to resolve the problem. Generally speaking, a rule that is degraded probably needs to be tuned for your specific environment.
 :::
 
-Watch this micro lesson to learn more about First Seen rules.
+Watch this micro lesson to learn more about first seen rules.
 
 <Iframe url="https://www.youtube.com/embed/ssfL_c3j_r8?rel=0"
         width="854px"
@@ -53,59 +53,59 @@ Watch this micro lesson to learn more about First Seen rules.
 import Iframe from 'react-iframe';
 
 ## Example rule
-The screenshot below shows a First Seen rule in the Cloud SIEM rules editor. For an explanation of the configuration options, see [Create a First Seen rule](#create-a-first-seen-rule), below.
-<img src={useBaseUrl('img/cse/first-seen-rule.png')} alt="Example First Seen Rule Definition" style={{border: '1px solid gray'}} width="700"/>
+The screenshot below shows a first seen rule in the Cloud SIEM rules editor. For an explanation of the configuration options, see [Create a first seen rule](#create-a-first-seen-rule), below.
+<img src={useBaseUrl('img/cse/first-seen-rule.png')} alt="Example first seen rule definition" style={{border: '1px solid gray'}} width="700"/>
 
 
-## Create a First Seen rule
+## Create a first seen rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
 1. On the **Create a Rule** page, click **Create** in the **First Seen** card.
 1. In the rules editor:
    1. **Name**. Enter a name for the rule.
-   1. **Enabled**. By default, the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/empty-first-seen-rule.png')} alt="First Seen rule" style={{border: '1px solid gray'}} width="600"/>
+   1. **Enabled**. By default, the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/empty-first-seen-rule.png')} alt="First seen rule" style={{border: '1px solid gray'}} width="600"/>
 
 ### Configure "If Triggered" settings
 
-The settings in the **If Triggered** section determine what Records the rule will be applied to and baseline-related options.
+The settings in the **If Triggered** section determine what records the rule will be applied to and baseline-related options.
 
-1.  **When a Record matching the expression**. Enter an expression that matches the Records that you want to rule to apply to.
-1. Click **Test Rule Expression** to test it against existing Records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for Records that match the rule expression. If there are no matching Records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
+1.  **When a Record matching the expression**. Enter an expression that matches the records that you want to rule to apply to.
+1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
 1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
     :::note
     If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
     :::
-1. **has a new value for the field(s)**. Select the Record field that will be used to build the baseline.
+1. **has a new value for the field(s)**. Select the record field that will be used to build the baseline.
 1. **after building a [global | per Entity] baseline** The settings in this section define the scope of the baseline that will be built.
-   * **global**. Baselining will be performed for all entities and not for specific Entity types. Note that global baselines are organizational baselines and are used to track first seen activity across all Entity types.
-   * **per Entity**. Baselines will be created for all entities for the Entity type or types that you specify in **for the following**. Note that a per Entity baseline creates a baseline for a particular Entity type. This baseline scope is typically used to track events that an Entity has never done before. If you select more than one Entity,a baseline is tracked only for that distinct combination of entities.
+   * **global**. Baselining will be performed for all entities and not for specific entity types. Note that global baselines are organizational baselines and are used to track first seen activity across all entity types.
+   * **per Entity**. Baselines will be created for all entities for the entity type or types that you specify in **for the following**. Note that a per entity baseline creates a baseline for a particular entity type. This baseline scope is typically used to track events that an entity has never done before. If you select more than one entity,a baseline is tracked only for that distinct combination of entities.
    :::note
    For more information about how to select the type of base line, see the [Use case](#use-case-monitor-login-from-first-seen-geolocation), below.
    :::
 1. Set the baseline and retention settings:
    1. **Baseline Retention Period (days)**. The number of days after which the data points in the baseline will expire (be dropped from the baseline). The default is 90 days. You can decrease this period, but not increase it.
-   1. **Baseline Learning Period (days)**. The minimum amount of time for which data points should be collected before firing a Signal. The default is 30 days.
+   1. **Baseline Learning Period (days)**. The minimum amount of time for which data points should be collected before firing a signal. The default is 30 days.
    :::note
-   The **Baseline Learning Period** must be shorter than the **Baseline Retention Period**. Also be aware that short baseline learning periods can potentially generate false positive Signals.
+   The **Baseline Learning Period** must be shorter than the **Baseline Retention Period**. Also be aware that short baseline learning periods can potentially generate false positive signals.
    :::
 
 ### Configure "Then Create a Signal" settings
 
-1. Click **Show Advanced** if you want the rule to [override global Signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
-1. **On Entity**. Select the Entity field—for example, an IP address, MAC address, hostname, and so on—in the Record that the resulting Signal should be associated with. (In Cloud SIEM, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
-1. **with the name**. Define the name for Signals fired by the rule. You can enter text, and include Record fields from the custom token list. Including Record field values in the Signal name can make it more meaningful.
+1. Click **Show Advanced** if you want the rule to [override global signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
+1. **On Entity**. Select the entity field—for example, an IP address, MAC address, hostname, and so on—in the record that the resulting signal should be associated with. (In Cloud SIEM, an insight is a set of signals with the same entity field.) Select a value from the pull-down list. 
+1. **with the name**. Define the name for signals fired by the rule. You can enter text, and include record fields from the custom token list. Including record field values in the signal name can make it more meaningful.
     :::note
     For extracted fields, you can specify a token for an extracted field using the format `{{fields["<field_name>"]}}`.
     :::
-1. **with the description**. Define the description for the Signal the same way you did the Signal name, using text and Record fields. The Signal description should be a good indication of what the rule looks for.
+1. **with the description**. Define the description for the signal the same way you did the signal name, using text and record fields. The signal description should be a good indication of what the rule looks for.
    :::note
    <CseRule/>
    :::
-1. **using the summary**. Enter a brief summary describing what causes the Rule to create a Signal.
-1. **and a constant severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). Every Signal that the rule fires will have the same severity.
-1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any Signals created from this rule, and inherited by any insights generated from those signals.
+1. **using the summary**. Enter a brief summary describing what causes the rule to create a signal.
+1. **and a constant severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). Every signal that the rule fires will have the same severity.
+1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like rules, insights, signals, entity. You can also search for and filter items by tag. Tags you set here will be automatically set on any signals created from this rule, and inherited by any insights generated from those signals.
 
-## When the baseline is reset for a First Seen rule
+## When the baseline is reset for a first seen rule
 
 The baseline learning period begins again when the following fields on the rule are updated or overridden:
 * **If Triggered**:
@@ -116,7 +116,7 @@ The baseline learning period begins again when the following fields on the rule
 
 ## Use case: Monitor login from first seen geolocation
 
-This section shows how the same First Seen rule would function with each of the two baselining strategies.
+This section shows how the same first seen rule would function with each of the two baselining strategies.
 
 Our example rule expression is:
 
@@ -126,13 +126,13 @@ with **has a new value for the field(s)** set to `srcDeviceIP_countryName`
 
 ### With a global baseline
 
-With a global baseline, and the default baseline learning period of 30 days, the rule will baseline all geolocations that users are logging in for a period of 30 days. After the 30 day baseline is completed, if a new geolocation is detected, a Signal will be created. Then, if a new hire (that wasn’t part of the 30 day baseline) logs in from any geolocation, a Signal
-will be created. As a global baseline, the 30 day baseline is shared across all Entities.
+With a global baseline, and the default baseline learning period of 30 days, the rule will baseline all geolocations that users are logging in for a period of 30 days. After the 30 day baseline is completed, if a new geolocation is detected, a signal will be created. Then, if a new hire (that wasn’t part of the 30 day baseline) logs in from any geolocation, a signal
+will be created. As a global baseline, the 30 day baseline is shared across all entity.
 
-### With per-Entity baselines
+### With per-entity baselines
 
-With a per-Entity baseline, and the default baseline learning period of 30 days, the rule will baseline all geolocations on a per-Entity basis for 30 days. It will generate a Signal when a new geolocation is not part of a user’s historic baseline. On a new hire’s first login, a 30 day baseline will begin building. After the 30 day baseline is created, if that user logs on from a new geolocation, the rule will create a Signal.
+With a per-entity baseline, and the default baseline learning period of 30 days, the rule will baseline all geolocations on a per-entity basis for 30 days. It will generate a signal when a new geolocation is not part of a user’s historic baseline. On a new hire’s first login, a 30 day baseline will begin building. After the 30 day baseline is created, if that user logs on from a new geolocation, the rule will create a signal.
 
 :::tip
-If you are unsure whether to use a per-Entity or a global baseline, consider your use case. If you’re inclined to select `user_username` in the **Has a new value for the field(s)** prompt, you’re better off creating a global baseline for that behavior. Alternatively, if you want to track a new value for a non-Entity Record field, a per-Entity baseline is appropriate.
+If you are unsure whether to use a per-entity or a global baseline, consider your use case. If you’re inclined to select `user_username` in the **Has a new value for the field(s)** prompt, you’re better off creating a global baseline for that behavior. Alternatively, if you want to track a new value for a non-entity record field, a per-entity baseline is appropriate.
 :::
diff --git a/docs/cse/rules/write-match-rule.md b/docs/cse/rules/write-match-rule.md
index 95c083b1e0..af1f076bd6 100644
--- a/docs/cse/rules/write-match-rule.md
+++ b/docs/cse/rules/write-match-rule.md
@@ -8,27 +8,27 @@ description: Learn how to write a match rule.
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
 
-This topic has information about Match rules and how to create them in the Cloud SIEM UI.
+This topic has information about match rules and how to create them in the Cloud SIEM UI.
 
 :::tip
 If you are new to writing rules, see [About Cloud SIEM Rules](/docs/cse/rules/about-cse-rules) for information about rule expressions and other rule options.
 :::
 
-## About Match rules
+## About match rules
 
-A Match rule is the simplest type of Cloud SIEM rule. Each time a single Record matches the rule expression, a Signal is fired. 
+A match rule is the simplest type of Cloud SIEM rule. Each time a single record matches the rule expression, a signal is fired. 
 
-A Match rule doesn’t allow you to define other conditions for Signal, like requiring multiple Records to match the rule expression, or looking for events of the different types within a timespan.
+A match rule doesn’t allow you to define other conditions for signal, like requiring multiple records to match the rule expression, or looking for events of the different types within a timespan.
 
-Here’s an example of the rule expression for a Match rule:
+Here’s an example of the rule expression for a match rule:
 
 ```sql
 metadata_vendor = 'Amazon AWS' AND metadata_product = 'CloudTrail' AND metadata_deviceEventId = 'AwsApiCall-CreateUserPoolClient'
 ```
 
-This rule fires a Signal each time a UserPoolClient, which has permission to call unauthenticated API operations, is created.
+This rule fires a signal each time a UserPoolClient, which has permission to call unauthenticated API operations, is created.
 
-Watch this micro lesson to learn how to create a Match rule.
+Watch this micro lesson to learn how to create a match rule.
 
 <Iframe url="https://www.youtube.com/embed/l7xOBls1ROE?rel=0"
         width="854px"
@@ -43,18 +43,18 @@ Watch this micro lesson to learn how to create a Match rule.
 
 import Iframe from 'react-iframe'; 
 
-## Create a Match rule
+## Create a match rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic, menu select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**.  
 1. On the **Create a Rule** page, click **Create** in the **Match** card.
 1. In the rules editor:
    1. **Name**. Enter a name for the rule.
-   1. **Enabled**. By default, the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/match.png')} alt="Match rule" style={{border: '1px solid gray'}} width="600"/>
+   1. **Enabled**. By default, the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/match.png')} alt="Match rule" style={{border: '1px solid gray'}} width="600"/>
 
 ### Configure "If Triggered" settings
 
-1.  **When a Record matches the expression.** Enter a rule expression that the rule must match before generating a Signal. 
-1. Click **Test Rule Expression** to test it against existing Records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for Records that match the rule expression. If there are no matching Records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
+1.  **When a Record matches the expression.** Enter a rule expression that the rule must match before generating a signal. 
+1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
 1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
     :::note
     If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
@@ -62,44 +62,44 @@ import Iframe from 'react-iframe'; 
 
 ### Configure "Then Create a Signal" settings
 
-1. Click **Show Advanced** if you want the rule to [override global Signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
-1. **On Entity**. Select the Entity field—for example, an IP address, MAC address, hostname, and so on—in the Record that the resulting Signal should be associated with. (In Cloud SIEM, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
-1. **using the name**. Define the name for Signals fired by the rule. You can enter text, and include Record fields from the custom token list. Including Record field values in the Signal name can make it more meaningful.
+1. Click **Show Advanced** if you want the rule to [override global signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
+1. **On Entity**. Select the entity field—for example, an IP address, MAC address, hostname, and so on—in the record that the resulting signal should be associated with. (In Cloud SIEM, an insight is a set of signals with the same entity field.) Select a value from the pull-down list. 
+1. **using the name**. Define the name for signals fired by the rule. You can enter text, and include record fields from the custom token list. Including record field values in the signal name can make it more meaningful.
     :::note
-    * When you're configuring a Threshold and Chain rule, you do not supply a Signal name; a Signal fired by those rule types has the same name as the rule that fired it.
+    * When you're configuring a Threshold and Chain rule, you do not supply a signal name; a signal fired by those rule types has the same name as the rule that fired it.
     * For extracted fields, you can specify a token for an extracted field using the format `{{fields[<field_name>]}}`.
     :::
-1. **with the summary**. Enter a brief summary describing what causes the Rule to create a Signal.
-1. **with the description**. Define the description for the Signal the same way you did the Signal name, using text and Record fields. The Signal description should be a good indication of what the rule looks for.
+1. **with the summary**. Enter a brief summary describing what causes the rule to create a signal.
+1. **with the description**. Define the description for the signal the same way you did the signal name, using text and record fields. The signal description should be a good indication of what the rule looks for.
    :::note
    <CseRule/>
    :::
 1. **with a severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). There are two ways to specify Severity:
-   * **Constant**. Every Signal that the rule fires will have the same severity,
-   * **Dynamic**. Severity is based on the value of a field in the Record.
-1. **Configure constant severity**. Choose **Constant**, and select a severity level. Then, proceed to Step 8. <br/><img src={useBaseUrl('img/cse/constant-severity.png')} alt="Match Rule dialog" style={{border: '1px solid gray'}} width="250"/>
+   * **Constant**. Every signal that the rule fires will have the same severity,
+   * **Dynamic**. Severity is based on the value of a field in the record.
+1. **Configure constant severity**. Choose **Constant**, and select a severity level. Then, proceed to Step 8. <br/><img src={useBaseUrl('img/cse/constant-severity.png')} alt="Match rule dialog" style={{border: '1px solid gray'}} width="250"/>
 1. **Configure dynamic severity**.
    1. Choose **Dynamic**.
    1. The severity area updates. 
    1. **severity of**. Use the pulldown to select a default severity value.
-   1. **for the record field**. Use the down arrows to display a list of fields, and select one.  The dynamic severity will be based on the value of (or existence of) that field in the Record that matched the rule expression.
+   1. **for the record field**. Use the down arrows to display a list of fields, and select one.  The dynamic severity will be based on the value of (or existence of) that field in the record that matched the rule expression.
    1. The **Add More Mappings** option appears. <br/><img src={useBaseUrl('img/cse/add-more-mappings.png')} alt="Add More Mappings option" style={{border: '1px solid gray'}} width="300"/>
-   1. Click **Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the Record field you selected above.
+   1. Click **Add More Mappings**. (Optional) You can define additional mappings if desired. If you don’t, the severity value will be the value of the record field you selected above.
    1. The **if the value is** option appears.<br/><img src={useBaseUrl('img/cse/if-the-value-is.png')} alt="If the Value is Option.png" style={{border: '1px solid gray'}} width="300"/>
    1. Select one of the following options:
-      * **greater than**. The Record field’s value must be greater than the numeric value you supply. The match is not inclusive. For example "greater than “5" will match “5.1”, but not “5”.
-      * **less than**. The Record field’s value must be less than the numeric value you supply. The match is not inclusive. For example "less than 5" will match “4.9” but not “5”.
-      * **between**. The Record field’s value must be between the two numeric values you supply. The match is inclusive. For example, "Between 5 and 10" will match “5”, “7”, or “10”, but not “10.1”.
-      * **equal to**. The Record field’s value must exactly match the string or numeric value you supply. For example "equal to 4" will match "4" and “4.0” but not “4.01”.
-      * **not in the record**. Will match when the attribute is found in the Record. For example, if the selected field is `broirc_value`, and that field is not present in a Record, the rule will match. If `broirc_value` exists but is null or empty, the rule will not match.
+      * **greater than**. The record field’s value must be greater than the numeric value you supply. The match is not inclusive. For example "greater than “5" will match “5.1”, but not “5”.
+      * **less than**. The record field’s value must be less than the numeric value you supply. The match is not inclusive. For example "less than 5" will match “4.9” but not “5”.
+      * **between**. The record field’s value must be between the two numeric values you supply. The match is inclusive. For example, "Between 5 and 10" will match “5”, “7”, or “10”, but not “10.1”.
+      * **equal to**. The record field’s value must exactly match the string or numeric value you supply. For example "equal to 4" will match "4" and “4.0” but not “4.01”.
+      * **not in the record**. Will match when the attribute is found in the record. For example, if the selected field is `broirc_value`, and that field is not present in a record, the rule will match. If `broirc_value` exists but is null or empty, the rule will not match.
    1. You can define additional conditions, as desired. To define an additional condition, repeat the steps above, starting with **Add More Mappings**.
    :::note
    The conditions you define will be processed in the order you define them. Once a match occurs, processing stops–remaining conditions are ignored.
    :::
-1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any Signals created from this rule, and inherited by any insights generated from those signals.
+1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like rules, insights, signals, entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any signals created from this rule, and inherited by any insights generated from those signals.
 
 ## Save as prototype
-If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates Signals, but those Signals won't contribute to Insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many Signals.
+If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates signals, but those signals won't contribute to insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many signals.
 
 To make the rule a prototype, click the box next to **Save this rule as a prototype**. When you are satisfied with the rule's behavior you can uncheck the box.
 
diff --git a/docs/cse/rules/write-outlier-rule.md b/docs/cse/rules/write-outlier-rule.md
index eed1705894..00bc032ec0 100644
--- a/docs/cse/rules/write-outlier-rule.md
+++ b/docs/cse/rules/write-outlier-rule.md
@@ -2,7 +2,7 @@
 id: write-outlier-rule
 title: Write an Outlier rule
 sidebar_label: Outlier Rule
-description: Outlier rules allow you to generate a Signal when behavior by an Entity (such as a user) is encountered that qualifies as an outlier from expected behavior.
+description: Outlier rules allow you to generate a signal when behavior by an entity (such as a user) is encountered that qualifies as an outlier from expected behavior.
 keywords:
   - cloud siem
   - cse
@@ -13,17 +13,17 @@ keywords:
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
 
-This topic has information about Outlier rules and how to create them in the Cloud SIEM UI.
+This topic has information about outlier rules and how to create them in the Cloud SIEM UI.
 
 :::tip
 If you are new to writing rules, see [About Cloud SIEM Rules](/docs/cse/rules/about-cse-rules) for information about rule expressions and other rule options.
 :::
 
-## About Outlier rules
+## About outlier rules
 
-Outlier rules allow you to generate a Signal when behavior by an Entity (such as a user) is encountered that deviates from its baseline activity. 
+Outlier rules allow you to generate a signal when behavior by an entity (such as a user) is encountered that deviates from its baseline activity. 
 
-For each Outlier rule, you create a filter condition to look for out-of-the-ordinary behavior that could indicate risk. For example, an Outlier rule might look for the events like the following:
+For each outlier rule, you create a filter condition to look for out-of-the-ordinary behavior that could indicate risk. For example, an outlier rule might look for the events like the following:
 
 * Spike in login failures from a user
 * Abnormal number of high severity endpoint alerts
@@ -32,19 +32,19 @@ For each Outlier rule, you create a filter condition to look for out-of-the-ordi
 
 When you create the rule, you can set the amount of time Cloud SIEM analyzes data to create a baseline model of behavior, with the default period being 30 days. You can set the rule to build data hourly or daily, depending on how frequently you believe events of interest will occur, and how much data you want to gather. Data for the baseline is retained by default for 90 days. In the rule, you set the model sensitivity threshold to calculate outlier activity based on the number of standard deviations from the mean (z‑score). 
 
-After the baseline period completes, Cloud SIEM tracks aggregates of count, sum, min, max, and averages of Record values, and creates a Signal when deviations from the mean occurs. For example, for the [spike in failed logins from a user](#use-case-for-a-spike-in-failed-logins-from-a-user) use case, Cloud SIEM builds a baseline model of counts of authentication failures that are associated with a user over time, and creates a Signal when outlier behavior is detected:
+After the baseline period completes, Cloud SIEM tracks aggregates of count, sum, min, max, and averages of record values, and creates a signal when deviations from the mean occurs. For example, for the [spike in failed logins from a user](#use-case-for-a-spike-in-failed-logins-from-a-user) use case, Cloud SIEM builds a baseline model of counts of authentication failures that are associated with a user over time, and creates a signal when outlier behavior is detected:
 
 <img src={useBaseUrl('img/cse/outlier-signal-example.png')} alt="Outlier signal example" style={{border: '1px solid gray'}} width="600"/>
 
-After your rule starts generating Signals, evaluate them to determine if they truly represent outliers of concern, and adjust the rule settings as needed. For example, if too many Signals are being generated, the baseline model is too sensitive, and you need to set the model sensitivity threshold higher on the rule; if too few Signals are generated, set the threshold lower. Among other things, also evaluate if the Signals from outliers are generating enough Insights. To [generate an Insight](/docs/cse/get-started-with-cloud-siem/insight-generation-process/), by default the combined severity scores of Signals need to be 12 or higher. Change the severity level in the Outlier rule to ensure that it is high enough to generate enough Signals to trigger Insights for investigation.
+After your rule starts generating signals, evaluate them to determine if they truly represent outliers of concern, and adjust the rule settings as needed. For example, if too many signals are being generated, the baseline model is too sensitive, and you need to set the model sensitivity threshold higher on the rule; if too few signals are generated, set the threshold lower. Among other things, also evaluate if the signals from outliers are generating enough insights. To [generate an insight](/docs/cse/get-started-with-cloud-siem/insight-generation-process/), by default the combined severity scores of signals need to be 12 or higher. Change the severity level in the outlier rule to ensure that it is high enough to generate enough signals to trigger insights for investigation.
 
 :::tip
-Sumo Logic ensures that Rule processing does not impact the reliability of production environments through the implementation of "circuit breakers." If a Rule matches too many records in too short a period of time, the circuit breaker will trip and the rule will move to a degraded state, and Outlier rules are no exception.
+Sumo Logic ensures that rule processing does not impact the reliability of production environments through the implementation of "circuit breakers." If a rule matches too many records in too short a period of time, the circuit breaker will trip and the rule will move to a degraded state, and outlier rules are no exception.
 
-On the Rule detail page, if you hover over the degraded message, you will usually see more details about what tripped the circuit breaker and how to resolve the problem. Generally speaking, a rule that is degraded probably needs to be tuned for your specific environment.
+On the rule detail page, if you hover over the degraded message, you will usually see more details about what tripped the circuit breaker and how to resolve the problem. Generally speaking, a rule that is degraded probably needs to be tuned for your specific environment.
 :::
 
-Watch this micro lesson to learn more about Outlier rules.
+Watch this micro lesson to learn more about outlier rules.
 
 <Iframe url="https://www.youtube.com/embed/1HEUPWpDA_o?rel=0"
         width="854px"
@@ -61,63 +61,63 @@ import Iframe from 'react-iframe'; 
 
 ## Example rule
 
-The screenshot below shows an Outlier rule in the Cloud SIEM rules editor. For an explanation of the configuration options, see [Create an Outlier rule](#create-an-outlier-rule), below.
+The screenshot below shows an outlier rule in the Cloud SIEM rules editor. For an explanation of the configuration options, see [Create an outlier rule](#create-an-outlier-rule), below.
 
-<img src={useBaseUrl('img/cse/outlier-rule.png')} alt="Example Outlier Rule Definition" style={{border: '1px solid gray'}} width="800" />
+<img src={useBaseUrl('img/cse/outlier-rule.png')} alt="Example outlier rule definition" style={{border: '1px solid gray'}} width="800" />
 
 
-## Create an Outlier rule
+## Create an outlier rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
 1. On the **Create a Rule** page, click **Create** in the **Outlier** card.
 1. In the rules editor:
    1. **Name**. Enter a name for the rule.
-   1. **Enabled**. By default, the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/empty-outlier-rule.png')} alt="Outlier rule" style={{border: '1px solid gray'}} width="600"/>
+   1. **Enabled**. By default, the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming records until you’ve tested it. <br/><img src={useBaseUrl('img/cse/empty-outlier-rule.png')} alt="Outlier rule" style={{border: '1px solid gray'}} width="600"/>
 
 ### Configure "If Triggered" settings
 
-The settings in the **If Triggered** section are divided into two subsections, one for providing Baseline configuration, and the other for Outlier model configuration.
+The settings in the **If Triggered** section are divided into two subsections, one for providing Baseline configuration, and the other for outlier model configuration.
 
 **Baseline Configuration**
-1. **For the records matching the expression**. Enter an expression that matches the Records that you want to rule to apply to.
-1. Click **Test Rule Expression** to test it against existing Records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for Records that match the rule expression. If there are no matching Records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
+1. **For the records matching the expression**. Enter an expression that matches the records that you want to rule to apply to.
+1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
 1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
     :::note
     If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
     :::
 1. **build a daily/hourly baseline**. Select the time window for building the baseline. It can either be a daily or hourly baseline.
-1. **for the entity(ies)**. Select one or more Record fields for which you want baselines built. Selecting multiple fields will build a distinct baseline for a combination of entities.
+1. **for the entity(ies)**. Select one or more record fields for which you want baselines built. Selecting multiple fields will build a distinct baseline for a combination of entities.
 1. Set the baseline and retention settings:
    1. **Baseline Retention Period (days)**. The number of days after which the data points in the baseline will expire (be dropped from the baseline). The default is 90 days. You can decrease this period, but not increase it.
-   1. **Baseline Learning Period (days)**. The minimum amount of time for which data points should be collected before firing a Signal. The default is 30 days.
+   1. **Baseline Learning Period (days)**. The minimum amount of time for which data points should be collected before firing a signal. The default is 30 days.
    :::note
-   The **Baseline Learning Period** must be shorter than the **Baseline Retention Period**. Also be aware that short baseline learning periods may generate false positive Signals.
+   The **Baseline Learning Period** must be shorter than the **Baseline Retention Period**. Also be aware that short baseline learning periods may generate false positive signals.
    :::
 
 **Outlier Model Configuration**
-1. **Detect an outlier for the**. Select the aggregate function that applies to the field in the matched Records to build a normal behavior baseline on.
-1. **of the record field**. Select one or more Record fields to build a baseline on and detect an Outlier Signal.
-1. **Advanced Expression** (optional). When selected, disables the **of the record field** selector and allows defining Record fields within the field window. For the expression, you can use the syntax described in [Cloud SIEM Rules Syntax](/docs/cse/rules/cse-rules-syntax/). <br/>For example, in the out-of-the-box **Spike in PowerShell Command Line Length From Host** outlier rule, the **Advanced Expression** field is set to `length(commandLine)` to calculate when you see very long command lines out of the ordinary. 
-1. **Model Sensitivity Threshold** (1-5). Select the sensitivity of the model defined above. This is the number of standard deviations from the mean that the outlier model should consider for creating a Signal. Lower threshold corresponds to a more sensitive model resulting in more Signals.
-1. **Minimum Count Value** (default value 1). Enter the absolute minimum value below which an Outlier Signal will not be generated.
+1. **Detect an outlier for the**. Select the aggregate function that applies to the field in the matched records to build a normal behavior baseline on.
+1. **of the record field**. Select one or more record fields to build a baseline on and detect an outlier signal.
+1. **Advanced Expression** (optional). When selected, disables the **of the record field** selector and allows defining record fields within the field window. For the expression, you can use the syntax described in [Cloud SIEM Rules Syntax](/docs/cse/rules/cse-rules-syntax/). <br/>For example, in the out-of-the-box **Spike in PowerShell Command Line Length From Host** outlier rule, the **Advanced Expression** field is set to `length(commandLine)` to calculate when you see very long command lines out of the ordinary. 
+1. **Model Sensitivity Threshold** (1-5). Select the sensitivity of the model defined above. This is the number of standard deviations from the mean that the outlier model should consider for creating a signal. Lower threshold corresponds to a more sensitive model resulting in more signals.
+1. **Minimum Count Value** (default value 1). Enter the absolute minimum value below which an outlier signal will not be generated.
 
 ### Configure "Then Create a Signal" settings
 
-1. Click **Show Advanced** if you want the rule to [override global Signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
-1. **On Entity**. Select the Entity field—for example, an IP address, MAC address, hostname, and so on—in the Record that the resulting Signal should be associated with. (In Cloud SIEM, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
-1. **with the name**. Define the name for Signals fired by the rule. You can enter text, and include Record fields from the custom token list. Including Record field values in the Signal name can make it more meaningful.
+1. Click **Show Advanced** if you want the rule to [override global signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
+1. **On Entity**. Select the entity field—for example, an IP address, MAC address, hostname, and so on—in the record that the resulting signal should be associated with. (In Cloud SIEM, an insight is a set of signals with the same entity field.) Select a value from the pull-down list. 
+1. **with the name**. Define the name for signals fired by the rule. You can enter text, and include record fields from the custom token list. Including record field values in the signal name can make it more meaningful.
     :::note
     For extracted fields, you can specify a token for an extracted field using the format `{{fields["<field_name>"]}}`.
     :::
-1. **with the description**. Define the description for the Signal the same way you did the Signal name, using text and Record fields. The Signal description should be a good indication of what the rule looks for.
+1. **with the description**. Define the description for the signal the same way you did the signal name, using text and record fields. The signal description should be a good indication of what the rule looks for.
    :::note
    <CseRule/>
    :::
-1. **using the summary**. Enter a brief summary describing what causes the Rule to create a Signal.
-1. **and a constant severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). Every Signal that the rule fires will have the same severity.
-1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any Signals created from this rule, and inherited by any insights generated from those signals.
+1. **using the summary**. Enter a brief summary describing what causes the rule to create a signal.
+1. **and a constant severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). Every signal that the rule fires will have the same severity.
+1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like rules, insights, signals, entities. You can also search for and filter items by tag. Tags you set here will be automatically set on any signals created from this rule, and inherited by any insights generated from those signals.
 
-## When the baseline is reset for an Outlier rule
+## When the baseline is reset for an outlier rule
 
 The baseline learning period begins again when the following fields on the rule are updated or overridden:
 * **Baseline Configuration**:
@@ -130,7 +130,7 @@ The baseline learning period begins again when the following fields on the rule
 
 ## Use case for a spike in failed logins from a user
 
-This section shows how an Outlier rule would function with a daily baseline.
+This section shows how an outlier rule would function with a daily baseline.
 
 **Baseline Configuration**
 *  Our example rule expression is: `normalizedAction=logon AND success=false`
@@ -142,11 +142,11 @@ This section shows how an Outlier rule would function with a daily baseline.
 
    When the `count` function is used, the occurrences of rule expression on each record is used to build the normal behavior baseline. You do not need to input a record filed in case of `count`.
 
-   For all the other aggregation types, the Record field is an expected input.
+   For all the other aggregation types, the record field is an expected input.
 
 * **Model Sensitivity Threshold**: 3
 * **Minimum Count Value**: 10
 
  :::tip
- If you are unsure what to set the minimum count value to from the default value of 1, consider providing the value which is beyond the normal acceptable behavior for a given time window for a particular entity. The **Minimum Count Value** is geared towards false positive reduction and improving the fidelity of Signals generated, and will vary based upon the use case and type of logs collected.
+ If you are unsure what to set the minimum count value to from the default value of 1, consider providing the value which is beyond the normal acceptable behavior for a given time window for a particular entity. The **Minimum Count Value** is geared towards false positive reduction and improving the fidelity of signals generated, and will vary based upon the use case and type of logs collected.
  :::
diff --git a/docs/cse/rules/write-threshold-rule.md b/docs/cse/rules/write-threshold-rule.md
index f28a948041..bdaafdb9f0 100644
--- a/docs/cse/rules/write-threshold-rule.md
+++ b/docs/cse/rules/write-threshold-rule.md
@@ -2,21 +2,21 @@
 id: write-threshold-rule
 title: Write a Threshold Rule
 sidebar_label: Threshold Rule
-description: Learn how to write a Threshold rule.
+description: Learn how to write a threshold rule.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import CseRule from '../../reuse/cse-rule-description-links.md';
 
-This topic has information about the Threshold rules and how to create them in the Cloud SIEM UI.
+This topic has information about the threshold rules and how to create them in the Cloud SIEM UI.
 
 If you are new to writing rules, see [About Cloud SIEM Rules](/docs/cse/rules/about-cse-rules) for information about rule expressions and other rule options.
 
-## About Threshold rules
+## About threshold rules
 
-A Threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time. For example, if there are five or more failed login attempts for the same IP address within one hour. 
+A threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time. For example, if there are five or more failed login attempts for the same IP address within one hour. 
 
-Watch this micro lesson to learn how to create a Threshold rule.
+Watch this micro lesson to learn how to create a threshold rule.
 
 <Iframe url="https://www.youtube.com/embed/uei_TDOy5QM?rel=0"
         width="854px"
@@ -31,53 +31,53 @@ Watch this micro lesson to learn how to create a Threshold rule.
 
 import Iframe from 'react-iframe'; 
 
-## Create a Threshold rule
+## Create a threshold rule
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 
 1. On the **Create a Rule** page, click **Create** in the **Threshold** card. 
 1. In the rules editor:
    1. **Name**. Enter a name for the rule.
-   1. **Enabled**. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming Records until you’ve tested it.  <br/><img src={useBaseUrl('img/cse/threshold.png')} alt="Threshold rule" style={{border: '1px solid gray'}} width="600"/>
+   1. **Enabled**. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won’t be applied to incoming records until you’ve tested it.  <br/><img src={useBaseUrl('img/cse/threshold.png')} alt="Threshold rule" style={{border: '1px solid gray'}} width="600"/>
 
 ### Configure “If Triggered” settings
 
 1. **When a Record matches the expression**. Enter the rule expression, a boolean expression that when “true”, causes the rule to fire.
     :::note
-    You can expand the field template guide, which contains a list of all the fields that Cloud SIEM can normalize to v3 of the Cloud SIEM Schema. Note that the existence of a field in the guide doesn't mean that your ingested Records necessarily include that field.
+    You can expand the field template guide, which contains a list of all the fields that Cloud SIEM can normalize to v3 of the Cloud SIEM Schema. Note that the existence of a field in the guide doesn't mean that your ingested records necessarily include that field.
     :::
-1. Click **Test Rule Expression** to test it against existing Records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for Records that match the rule expression. If there are no matching Records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
-1. **matches at least *n* Record**. Select how many Records must match the rule expression during the interval you specify below, in the **within** option.
-1. **within...**. Select the duration within which the rule expression must evaluate to “true” more than the number of times specified in **matches at least n Record** for the rule to fire a Signal.
+1. Click **Test Rule Expression** to test it against existing records in Cloud SIEM. The **If Triggered** section expands, and Cloud SIEM searches for records that match the rule expression. If there are no matching records, you'll see a **There aren't any matches for the expression** message. If no matches were returned, try changing the time range.
+1. **matches at least *n* Record**. Select how many records must match the rule expression during the interval you specify below, in the **within** option.
+1. **within...**. Select the duration within which the rule expression must evaluate to “true” more than the number of times specified in **matches at least n Record** for the rule to fire a signal.
 1. Select **Add Tuning Expression** if you want to add a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions) to the rule.
     :::note
     If you use **Test Rule Expression** on a rule that has one or more rule tuning expressions, you can test it without the tuning expressions, or with selected tuning expressions.
     :::
 1. **Show advanced**. Click this link at the top of the **If Triggered** tab to display advanced options. When you select these options, the **If Triggered** area refreshes, displaying additional fields. <br/><img src={useBaseUrl('img/cse/advanced-threshold.png')} alt="Advanced section of threshold rule" style={{border: '1px solid gray'}} width="400"/>
-    1. **Count only distinct values for a field.** Configure this option if you only want to count the number of Records that contain  distinct values of a particular Record field, instead of just counting Records that match your rule expression. Use the **for field** dropdown list to select the desired field. 
-    1. **Group by one or more fields.** By default, a threshold rule implicitly groups by the entity field you’ll select below when configuring the **Then Create a Signal** options. You can select additional “group by” fields with the **matches grouped by** option, so that a Signal is only created if the count for the group is above the threshold count specified above. 
+    1. **Count only distinct values for a field.** Configure this option if you only want to count the number of records that contain  distinct values of a particular record field, instead of just counting records that match your rule expression. Use the **for field** dropdown list to select the desired field. 
+    1. **Group by one or more fields.** By default, a threshold rule implicitly groups by the entity field you’ll select below when configuring the **Then Create a Signal** options. You can select additional “group by” fields with the **matches grouped by** option, so that a signal is only created if the count for the group is above the threshold count specified above. 
 
 ### Configure “Then Create a Signal” settings
 
 :::note
-When you're configuring a Threshold and Chain rule, you do not supply a Signal name; a Signal fired by those rule types has the same name as the rule that fired it.
+When you're configuring a threshold and chain rule, you do not supply a signal name; a signal fired by those rule types has the same name as the rule that fired it.
 :::
 
-1. Click **Show Advanced** if you want the rule to [override global Signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
-1. **On Entity**. Select the Entity field—for example, an IP address, MAC address, hostname, and so on—in the Record that the resulting Signal should be associated with. (In Cloud SIEM, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
-1. **with the summary**. Enter a brief summary describing what causes the Rule to create a Signal.
-1. **with the description**. Define the description for the Signal. You can use text and Record fields. The Signal description should be a good indication of what the rule looks for.
+1. Click **Show Advanced** if you want the rule to [override global signal suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression/#override-global-signal-suppression).
+1. **On Entity**. Select the entity field—for example, an IP address, MAC address, hostname, and so on—in the record that the resulting signal should be associated with. (In Cloud SIEM, an insight is a set of signals with the same entity field.) Select a value from the pull-down list. 
+1. **with the summary**. Enter a brief summary describing what causes the rule to create a signal.
+1. **with the description**. Define the description for the signal. You can use text and record fields. The signal description should be a good indication of what the rule looks for.
    :::note
    <CseRule/>
    :::
 1. **with a severity of**. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest).
-1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, and Entities. You can also search for and filter items by tag. For more information, see [Using Tags with Insights, Signals, Entities, and Rules](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules).
+1. **with tags**. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like rules, insights, signals, and entities. You can also search for and filter items by tag. For more information, see [Using Tags with Insights, Signals, Entities, and Rules](/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules).
 
 ## Save as prototype
-If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates Signals, but those Signals won't contribute to Insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many Signals.
+If you are not sure that your rule is ready for prime time, you can save it as a prototype. A prototype rule generates signals, but those signals won't contribute to insights. (Signals generated by a prototype rule do not increment the rule's **On Entity** entity's Activity Score.) Running the rule as a prototype for a while allows you to determine whether the rule is too noisy and fires too many signals.
 
 To make the rule a prototype, click the box next to **Save this rule as a prototype**. When you are satisfied with the rule's behavior you can uncheck the box.
 
-## Duplicate Signals?
-If you determine that a Threshold, Chain, or Aggregation rule is firing identical Signals for the same conditions during the same time interval, there’s a likely explanation. This situation can arise due to how these rule types are processed: they are evaluated differently than Match rules, because they support time duration conditions. For example, a Threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time.
+## Duplicate signals?
+If you determine that a threshold, chain, or aggregation rule is firing identical signals for the same conditions during the same time interval, there’s a likely explanation. This situation can arise due to how these rule types are processed: they are evaluated differently than match rules, because they support time duration conditions. For example, a threshold rule fires when its rule expression is matched at least a certain number of times during a specified length of time.
 
-To successfully apply a rule across a sliding time window, Cloud SIEM evaluates Records across overlapping time spans. Consider a rule that requires three matches across five minutes. With non-overlapping windows, we could detect one match at the end of one time window, and two more in the following time window. This should cause the rule to fire a Signal, but would not, because the required five minute span is split between two evaluation windows. Overlapping evaluation windows solves this problem. In some cases though, it can also result in duplicate Signals. However, as long as you don’t run the rule as a prototype, duplicate Signals will be suppressed, as described in [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression).
+To successfully apply a rule across a sliding time window, Cloud SIEM evaluates records across overlapping time spans. Consider a rule that requires three matches across five minutes. With non-overlapping windows, we could detect one match at the end of one time window, and two more in the following time window. This should cause the rule to fire a signal, but would not, because the required five minute span is split between two evaluation windows. Overlapping evaluation windows solves this problem. In some cases though, it can also result in duplicate signals. However, as long as you don’t run the rule as a prototype, duplicate signals will be suppressed, as described in [About Signal Suppression](/docs/cse/records-signals-entities-insights/about-signal-suppression).

From dd0a2650853d5b4840eafb07e9d7e6a93388e8f5 Mon Sep 17 00:00:00 2001
From: "John Pipkin (Sumo Logic)" <jpipkin@sumologic.com>
Date: Tue, 17 Dec 2024 15:34:00 -0600
Subject: [PATCH 5/5] Fix spelling error

---
 docs/cse/rules/before-writing-custom-rule.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/cse/rules/before-writing-custom-rule.md b/docs/cse/rules/before-writing-custom-rule.md
index fed444b438..d637321c5e 100644
--- a/docs/cse/rules/before-writing-custom-rule.md
+++ b/docs/cse/rules/before-writing-custom-rule.md
@@ -19,7 +19,7 @@ By tuning and using a built-in rule, you avoid the effort of writing a rule, and
 
 The following topics provide information that’s relevant to the process of writing a custom rule:
 
-* [Record Processing Pipeline](/docs/cse/schema/record-processing-pipeline). This topic describes how Cloud SIEM creates records for incoming messages. It provides facts about how message fields are mapped to Cloud SIEM schema attributes; about the attributes Cloud SIEM adds to records to enrich and provide context about IP address, URLs, and domains; “list” features, like Match Lists and Suppress Lists that allow you to include or exclude records based on indentifiers found in records; how to leverage threat intel data and more.
+* [Record Processing Pipeline](/docs/cse/schema/record-processing-pipeline). This topic describes how Cloud SIEM creates records for incoming messages. It provides facts about how message fields are mapped to Cloud SIEM schema attributes; about the attributes Cloud SIEM adds to records to enrich and provide context about IP address, URLs, and domains; “list” features, like Match Lists and Suppress Lists that allow you to include or exclude records based on identifiers found in records; how to leverage threat intel data and more.
 * [Schema Attributes](/docs/cse/schema/schema-attributes). This topic defines the record attributes you can reference in rules.
 * [Cloud SIEM Rules Syntax](/docs/cse/rules/cse-rules-syntax). This topic describes rules language functions and syntax, which you’ll use in writing rule expressions.
 * [Searching for Cloud SIEM Records in Sumo Logic](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). This topic explains how to search Cloud SIEM records in the Sumo Logic platform. Typically, you’ll build and refine your rule expressions in Sumo Logic. Once you’re happy with the results, you’ll copy the query into the rule expression field in the rules editor.