SumoLogic · kimsauce · May 30, 2025 · May 30, 2025 · May 30, 2025 · May 30, 2025
@@ -440,7 +440,6 @@
   "/05Search/Get-Started-with-Search/Visualizations/Group-By-Operator": "/docs/search/search-query-language/search-operators",
   "/05Search/Live-Tail": "/docs/search/live-tail",
   "/05Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",
-  "/Search": "/docs/search",
   "/Search/Anomaly_Detection": "/docs/alerts/monitors/create-monitor",
   "/Search/Live-Tail": "/docs/search/live-tail/about-live-tail",
   "/Search/Live-Tail/About-Live-Tail": "/docs/search/live-tail/about-live-tail",

@@ -87,7 +87,7 @@ Sumo Logic has several deployments that are assigned depending on the geographic
 
 Sumo Logic redirects your browser to the correct login URL and also redirects Collectors to the correct endpoint. However, if you're using an API you'll need to manually direct your API client to the correct Sumo Logic API URL.
 
-<table><small>
+<table>
   <tr>
    <td>Deployment</td>
    <td>Service Endpoint (login URL)</td>
@@ -183,7 +183,6 @@ https://endpoint9.collection.us2.sumologic.com/</td>
    <td>syslog.collection.us2.sumologic.com</td>
    <td>https://open-collectors.us2.sumologic.com</td>
   </tr>
-  </small>
   </table>
 
 ### Which endpoint should I should use?

@@ -37,7 +37,7 @@ With the NLB-created and ALB-registered as a target, requests over AWS PrivateL
 
 Sumo Logic exposes AWS PrivateLink endpoints to different [regions that depend on your Sumo Logic deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security). If you're using the VPC in a different region where the Sumo Logic PrivateLink endpoint service is set up, you need to set up VPC peering. Either way, you need to create an endpoint.
 
-<table><small>
+<table>
   <tr>
     <td><strong>Deployment</strong></td>
     <td><strong>Collection Endpoint</strong></td>
@@ -107,7 +107,7 @@ https://endpoint9.collection.us2.sumologic.com</td>
     <td>https://open-collectors.us2.sumologic.com</td>
     <td>us-west-2</td>
   </tr>
-</small></table>
+</table>
 
 
 ### Create an endpoint to connect with the Sumo Logic endpoint service

@@ -51,7 +51,7 @@ This application relies on 45 Scheduled Searches that Save to two different Inde
 <details>
 <summary>View the list of Scheduled Searches (<strong>click to expand</strong>)</summary>
 
-<table><small>
+<table>
   <tr>
     <td><strong>Folder</strong></td>
     <td><strong>Scheduled Search Name (prefixed with gis_benchmarks)</strong></td>
@@ -282,7 +282,7 @@ This application relies on 45 Scheduled Searches that Save to two different Inde
     <td>S3_ListBuckets</td>
     <td>Counts S3 events related to listing buckets.</td>
   </tr>
-</small></table>
+</table>
 
 * To reduce false positives, the benchmarks and application filter out AWS CloudTrail events from legitimate cloud services including AWS itself and CloudHealth by VMware.
 * Security posture requirements may vary between AWS accounts for a given customer. For example, development accounts might have less strict controls than production accounts. The app supports filtering findings by AWS account ID to facilitate AWS account level posture assessment.

@@ -114,7 +114,7 @@ In this step, you configure four local file sources, one for each log source lis
 
 The following suffixes are required. For example, you could use `_sourceCategory=<Foo>/artifactory/console`, but the suffix **artifactory/console** must be used.
 
-<table><small>
+<table>
   <tr>
    <td><strong>Log source</strong></td>
    <td><strong>File Path</strong></td>
@@ -139,7 +139,7 @@ The following suffixes are required. For example, you could use `_sourceCategory
    <td>Traffic</td>
    <td>$JFROG_HOME/&#60;product&#62;/var/log/artifactory-traffic.*.log</td>
    <td>artifactory/traffic</td>
-  </tr></small>
+  </tr>
 </table>
 
 :::note

@@ -46,7 +46,7 @@ _sourceCategory=cylance "IP Address"
 
 <!-- Per DOCS-643, replace section content with this after `sumo://threat/cs` is replaced by `threatlookup`:
 
-The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. 
+The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**.
 
 You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your threat intel queries:
 
@@ -58,14 +58,14 @@ You can further optimize and enhance these queries for the log and events types
 For example, here is the query used for the **Threat Count** panel in the [Threat Intel Quick Analysis - IP](#ip) dashboard:
 
 ```
-_sourceCategory=<source-category-name> 
-| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
+_sourceCategory=<source-category-name>
+| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
 | count as ip_count by ip_address
 
 | threatlookup singleIndicator ip_address
 
-// normalize confidence level to a string 
+// normalize confidence level to a string
 | if (_threatlookup.confidence >= 85, "high", if (_threatlookup.confidence >= 50, "medium", if (_threatlookup.confidence >= 15, "low", if (_threatlookup.confidence >= 0, "unverified", "unknown")))) as threat_confidence
 
 // filter for threat confidence
@@ -106,7 +106,7 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source, label_name
    | sort by threat_count
-   ``` 
+   ```
 <!-- Per DOCS-643, replace the preceding step with the following after `sumo://threat/cs` is replaced by `threatlookup`:   
 1. Customize your query so you can use parsed fields from the Field Extraction Rule with the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/), where `src_ip` is the parsed field from the FER. For example:
    ```
@@ -140,7 +140,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
   _view=cylance_threat
   | count by src_ip
   ```
-  
+
 ## Threat Intel FAQ
 
 #### What is the CrowdStrike Integration for Sumo Logic?
@@ -399,7 +399,7 @@ Once an indicator has been marked with a malicious confidence level, it continue
         </tr>
         <tr>
             <td class="mt-column-width-20" data-th="IOC Type"><br/><strong>Vulnerability</strong></td>
-            <td class="mt-column-width-80" data-th="Values"><br/>The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g. <a href="https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158" rel="freelink" title="https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158">https://intelapi.crowdstrike.com/ind.../CVE-2012-0158</a> )</td>
+            <td class="mt-column-width-80" data-th="Values"><br/>The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g., https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=vulnerability/CVE-2012-0158).</td>
         </tr>
     </tbody>
 </table>
@@ -506,4 +506,4 @@ import AppUpdate from '../../reuse/apps/app-update.md';
 
 import AppUninstall from '../../reuse/apps/app-uninstall.md';
 
-<AppUninstall/>
+<AppUninstall/>
@@ -5,6 +5,7 @@ description: Field Extraction Rules (FER) tell Sumo Logic which fields to parse
 ---
 
 import Iframe from 'react-iframe';
+import FerLimit from '../../reuse/fer-limitations.md';
 
 You can create a field extraction rule of your own from scratch by following the instructions below. We also provide [data-source-specific templates](/docs/manage/field-extractions/fer-templates/index.md) for AWS, Apache, and more.
 
@@ -71,9 +72,9 @@ To create a Field Extraction Rule:
     :::
 
     :::sumo Best Practices
-    If you are not using Partitions we recommend using [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) fields like `_sourceCategory`, `_sourceHost` or `_collector` to define the scope.
+    If you are not using Partitions we recommend using [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) fields like `_sourceCategory`, `_sourceHost` or `_collector` to define the scope.
 
-    We recommend creating a separate Partition for your JSON dataset and use that Partition as the scope for run time field extraction. For example, let's say you have AWS CloudTrail logs, and they are stored in `_view=cloudtrail` Partition in Sumo. You can create a Run Time FER with the scope `_view=cloudtrail`. Creating a separate Partition and using it as scope for a run time field extraction ensures that auto parsing logic only applies to necessary Partitions.
+    We recommend creating a separate Partition for your JSON dataset and use that Partition as the scope for run time field extraction. For example, let's say you have AWS CloudTrail logs, and they are stored in `_view=cloudtrail` Partition in Sumo. You can create a Run Time FER with the scope `_view=cloudtrail`. Creating a separate Partition and using it as scope for a run time field extraction ensures that auto parsing logic only applies to necessary Partitions.
     :::
 
    * **Parsed template** (Optional for Ingest Time rules).
@@ -153,6 +154,4 @@ The **multi** and **auto** options are not supported in FERs.
 
 The `parse multi` operator is not supported in FERs.
 
-import FerLimit from '../../reuse/fer-limitations.md';
-
-<FerLimit/> 
+<FerLimit/>
@@ -9,34 +9,77 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 Stay up to date with the latest Sumo Logic enhancements, features, and fixes. Explore the individual release notes pages to see what's new, and consider subscribing to the RSS feeds for automatic updates.
 
 <div className="box-wrapper">
+
 <div className="box smallbox card">
   <div className="container">
-  <a href="/release-notes-service"><img src={useBaseUrl('img/icons/manage.png')} alt="icon" width="40"/><h4>Service<br/><a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45"/></a></h4></a>
-  <p>Latest features and bug fixes for our apps, alerts, security, search, observability, data collectors, and more.</p>
+    <a href="/release-notes-service">
+      <img src={useBaseUrl('img/icons/manage.png')} alt="icon" width="40" />
+      <h4>Service</h4>
+    </a>
+    <a href="https://help.sumologic.com/release-notes-service/rss.xml">
+      <img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45" />
+    </a>
+    <p>Latest features and bug fixes for our apps, alerts, security, search, observability, data collectors, and more.</p>
   </div>
 </div>
+
 <div className="box smallbox card">
   <div className="container">
-  <a href="/release-notes-cse"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="40"/><h4>Cloud SIEM <br/><a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45"/></a></h4></a>
-  <p>Information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM.</p>
+    <a href="/release-notes-cse">
+      <img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="40" />
+      <h4>Cloud SIEM</h4>
+    </a>
+    <a href="https://help.sumologic.com/release-notes-cse/rss.xml">
+      <img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45" />
+    </a>
+    <p>Information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM.</p>
   </div>
 </div>
+
 <div className="box smallbox card">
   <div className="container">
-  <a href="/release-notes-csoar"><img src={useBaseUrl('img/icons/security/soar-2-color-icon.png')} alt="icon" width="40"/><h4>Cloud SOAR<br/><a href="https://help.sumologic.com/release-notes-csoar/rss.xml"><img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45"/></a></h4></a>
-  <p>The latest news about CSOAR, like new features, bug fixes, changes to the application, and other important announcements for Cloud SOAR.</p>
+    <a href="/release-notes-csoar">
+      <img src={useBaseUrl('img/icons/security/soar-2-color-icon.png')} alt="icon" width="40" />
+      <h4>Cloud SOAR</h4>
+    </a>
+    <a href="https://help.sumologic.com/release-notes-csoar/rss.xml">
+      <img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45" />
+    </a>
+    <p>The latest news about CSOAR, like new features, bug fixes, changes to the application, and other important announcements for Cloud SOAR.</p>
   </div>
 </div>
+
 <div className="box smallbox card">
   <div className="container">
-  <a href="/release-notes-collector"><img src={useBaseUrl('img/icons/data-collection.png')} alt="icon" width="40"/><h4>Collector <br/><a href="https://help.sumologic.com/release-notes-collector/rss.xml"><img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45"/></a></h4></a>
-  <p>Latest features and bug fixes for Installed Collectors. To access new features, upgrade using <a href="/docs/send-data/installed-collectors/collector-installation-reference/download-collector-from-static-url">Static URLs</a>, <a href="/docs/send-data/collection/upgrade-collectors">Sumo Logic</a>, <a href="/docs/send-data/collection/upgrade-collectors">Command Line</a>, or <a href="/docs/api/collector-management/upgrade-downgrade-collectors">Collector Management API</a>.</p>
+    <a href="/release-notes-collector">
+      <img src={useBaseUrl('img/icons/data-collection.png')} alt="icon" width="40" />
+      <h4>Collector</h4>
+    </a>
+    <a href="https://help.sumologic.com/release-notes-collector/rss.xml">
+      <img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45" />
+    </a>
+    <p>Latest features and bug fixes for Installed Collectors.</p>
+    <p>To access new features, upgrade using:</p>
+    <ul>
+      <li><a href="/docs/send-data/installed-collectors/collector-installation-reference/download-collector-from-static-url">Static URLs</a></li>
+      <li><a href="/docs/send-data/collection/upgrade-collectors">Sumo Logic</a></li>
+      <li><a href="/docs/send-data/collection/upgrade-collectors">Command Line</a></li>
+      <li><a href="/docs/api/collector-management/upgrade-downgrade-collectors">Collector Management API</a></li>
+    </ul>
   </div>
 </div>
+
 <div className="box smallbox card">
   <div className="container">
-  <a href="/release-notes-developer"><img src={useBaseUrl('img/icons/cloud/api2.png')} alt="icon" width="40"/><h4>Developer<br/><a href="https://help.sumologic.com/release-notes-developer/rss.xml"><img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45"/></a></h4></a>
-  <p>New features and changes to our APIs, Collector management, and Live Tail CLI.</p>
+    <a href="/release-notes-developer">
+      <img src={useBaseUrl('img/icons/cloud/api2.png')} alt="icon" width="40" />
+      <h4>Developer</h4>
+    </a>
+    <a href="https://help.sumologic.com/release-notes-developer/rss.xml">
+      <img src={useBaseUrl('img/release-notes/rss.png')} alt="RSS Feed" width="45" />
+    </a>
+    <p>New features and changes to our APIs, Collector management, and Live Tail CLI.</p>
   </div>
 </div>
+
 </div>