diff --git a/cid-redirects.json b/cid-redirects.json
index 096e508a04..ae2d416771 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -2390,6 +2390,7 @@
"/cid/5148": "/docs/send-data/installed-collectors/collector-installation-reference/set-collector-as-ephemeral",
"/cid/5150": "/",
"/cid/5154": "/docs/manage/fields",
+ "/cid/5157": "/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules",
"/cid/5155": "/docs/manage/field-extractions",
"/cid/5156": "/docs/send-data/collection/processing-rules",
"/cid/5162": "/docs/manage/security/access-keys",
diff --git a/docs/manage/manage-subscription/create-and-manage-orgs/index.md b/docs/manage/manage-subscription/create-and-manage-orgs/index.md
index 9e73d5237d..7917326821 100644
--- a/docs/manage/manage-subscription/create-and-manage-orgs/index.md
+++ b/docs/manage/manage-subscription/create-and-manage-orgs/index.md
@@ -47,6 +47,12 @@ In this section, we'll introduce the following concepts:
Learn how to update org names, define subdomain names, delete orgs, and change the account owner.
+
+
+## Manage Cloud SIEM rules
+
+To ensure that content is consistent across child organizations, use the **Manage Content** tab to push content in target organizations with content from a source organization.
+
+You can push the following:
+* Cloud SIEM [rules](/docs/cse/rules/)
+* Cloud SIEM [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions/)
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Organizations**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Organizations**. You can also click the **Go To...** menu at the top of the screen and select **Organizations**.
+1. Select the **Manage Content** tab.
+1. In the **Source Org** field, select the organization that will provide the source data to be pushed in other organizations.
+1. In the **Content** bar, select the content to be pushed:
+ * **Cloud SIEM Rules**. For more information about Cloud SIEM rules, refer to [Cloud SIEM Rules](/docs/cse/rules/).
+ * **Cloud SIEM Rule Tuning**. For more information about Cloud SIEM rule tuning expressions, refer to [Rule Tuning Expressions](/docs/cse/rules/rule-tuning-expressions/).
+1. Select individual items to be pushed, or all items.
+1. Click **Push to Orgs**.
})
+1. On the **Push Selected Items** box, navigate to the **Destinations** section to select the organizations to push the selected items to. You can push to all organizations, a single child organization, or multiple child organizations.
})
+1. Click **Push**. A **Pushing in progress** dialog is displayed.
+
+### Tips
+
+* If you select **All Child Organizations**, you can then select organizations to exclude, allowing you to push to all organizations except those you select:
})
+* When you push rule tuning expressions, select **Include Associated Cloud SIEM Rules** to push all the Cloud SIEM rules that the expressions are used on:
})
+
+### Limitations
+
+- If an item with the same name exists in the target organization, it will be replaced.
+- Once a push is initiated, it cannot be reversed. Administrators should carefully review their selections before updating.
+- If errors occur during the push, administrators must manually re-attempt the failed push. To see failed pushes, use [View History](#view-history).
+- Push operations may take longer based on the volume of content being pushed.
+- Rule tuning expressions must be pushed separately from rules.
+- *Cloud SIEM Legacy Rule Type* is not supported for sync or push.
+
+## View history
+
+1. Click **View History** in the upper-right corner of the page. A query for push history displays:
})
+1. Click the search button. })
The push history displays. The email of the individual who performed the push appears in the **user_email** column, and the pushed items appear in the **content** column.
})
+1. Investigate any push that failed and re-run the push if needed.
+
+## View push in the audit log
+
+You can view all content management push in the [Audit Event Index](/docs/manage/security/audit-indexes/audit-event-index/) by using the following query:
+
+```sql
+_index=sumologic_audit_events
+| where eventname = "ContentSynced"
+```
+
+To see the results displayed the same as in [View History](#view-history), use the following query:
+
+```sql
+_index=sumologic_audit_events
+| where eventname = "ContentSynced"
+| orchestratorJob.id as job_sync_id
+| operator.email as user_email
+| parseDate(eventTime, "yyyy-MM-dd'T'HH:mm:ss.SSSXXX") as eventTimeInmilliseconds
+| values(resourceIdentity.name) as content, values(resourceIdentity.type) as content_type, min(eventTimeInmilliseconds) as content_sync_job_time_ms, values(status) as all_status by job_sync_id, user_email
+| if (contains(all_status, "Failed"), "Failed", "Success") as status
+| sort by content_sync_job_time_ms
+| formatDate(content_sync_job_time_ms, "yyyy-MM-dd") as content_sync_date
+| formatDate(content_sync_job_time_ms, "HH:mm:ss") as content_sync_time
+| fields content_sync_date, content_sync_time, job_sync_id, status, user_email, content_type, content
+```
+
+## FAQs
+
+* **What happens when an item with the same name already exists?**
It will be replaced in the child organization.
+* **What happens if an item selected for push doesn't already exist in the target organization?**
The item will be created in the target organization.
+* **What if errors occur during pushing?**
Affected items will be skipped. Once the rest of the content is pushed, you can review errors in [View History](#view-history) and retry.
+* **Can I roll back changes after a push operation?**
No, rollback is not supported. After a push operation is initiated, changes cannot be reversed.
+* **How can I monitor push progress?**
During a push, the system displays real-time status, including progress tracking, success or failure messages, and error logs.
+* **How can I view push history?**
Click **View History** in the upper-right corner of the page. A query for push history will display, showing the email of the individual who performed the push and the pushed items.
+* **Who can I contact for additional questions or support?**
Reach out to your Sumo Logic representative with any questions, issues, or feedback.
+
+#### Pushing Cloud SIEM Rules
+
+**Are rule tuning expressions included?**
No, they are not included, but can be pushed separately.
+
+#### Pushing Cloud SIEM Rule tuning expressions
+
+* **What happens if the source tuning expression contains Cloud SIEM rules?**
If the **Include Linked Cloud SIEM Rules** option is selected, existing rules with the same name in the destination organization will be linked to match the source tuning expression.
+* **What if no matching Cloud SIEM rules are found in the destination organization?**
Push will complete with a warning, and missing rules will be logged in the audit log. You can push those rules separately and re-run the tuning expression push.
\ No newline at end of file
diff --git a/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps.md b/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps.md
index 805c32d6ec..f74448bf60 100644
--- a/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps.md
+++ b/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps.md
@@ -2,7 +2,7 @@
id: manage-orgs-for-mssps
title: Manage Organizations for MSSPs
sidebar_label: Manage Orgs for MSSPs
-description: Learn how to manage organizations for Managed Security Service Providers (MSSPs).
+description: Learn how to manage library content for Managed Security Service Providers (MSSPs).
---
@@ -15,7 +15,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
-This article describes how to manage organizations for Managed Security Service Providers (MSSPs). MSSP administrators must ensure that the content of their child organizations is properly configured. MSSPs often consist of a parent organization with child organizations that use [Cloud SIEM](/docs/cse/).
+This article describes how to manage organizational library content for Managed Security Service Providers (MSSPs). MSSP administrators must ensure that the content of their child organizations is properly configured. MSSPs often consist of a parent organization with child organizations that use [Cloud SIEM](/docs/cse/).
## Considerations
@@ -28,103 +28,48 @@ You must have the following [organization role capabilities](/docs/manage/users-
* Create Organizations
* Manage Organizations
-### Multi-insights list page in Cloud SIEM
-
-If you are logged in to a parent organization with child organizations that also use Cloud SIEM, the insights list page in Cloud SIEM allows you to [view insights in child organizations](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#view-insights-in-child-organizations).
-
-
-
## Manage content in organizations
-To ensure that content is consistent across child organizations, use the **Manage Content** tab to update content in target organizations with content from a source organization.
-
-You can update the following:
-* Cloud SIEM [rules](/docs/cse/rules/)
-* Cloud SIEM [rule tuning expressions](/docs/cse/rules/rule-tuning-expressions/)
-* [Library](/docs/get-started/library)
+To ensure that [Library](/docs/get-started/library) content is consistent across child organizations, use the **Manage Content** tab to push content in target organizations with content from a source organization.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Organizations**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Organizations**. You can also click the **Go To...** menu at the top of the screen and select **Organizations**.
1. Select the **Manage Content** tab.
-1. In the **Source Org** field, select the organization that will provide the source data to be updated in other organizations.
-1. In the **Content** bar, select the content to be updated:
- * **Cloud SIEM Rules**. For more information about Cloud SIEM rules, refer to the [Cloud SIEM Rules](/docs/cse/rules/).
- * **Cloud SIEM Rule Tuning**. For more information about Cloud SIEM rule tuning expressions, refer to the [Rule Tuning Expressions](/docs/cse/rules/rule-tuning-expressions/).
- * **Library**. For more information about Library items, refer to the [Managing Your Sumo Logic Library](/docs/get-started/library).
-1. Select individual items to be updated, or all items.
-1. Click **Update Selected Items**.
})
-1. On the **Update Selected Items** box, navigate to the **Destinations** section to select the organizations to update the selected items to. You can update to all organizations, a single child organization, or multiple child organizations.
})
-1. Click **Update**. An **Updating in progress** dialog is displayed.
+1. In the **Source Org** field, select the organization that will provide the source data to be pushed in other organizations.
+1. In the **Content** bar, select **Library**. For more information about Library items, refer to [Managing Your Sumo Logic Library](/docs/get-started/library).
+1. Select individual items to be pushed, or all items.
+1. Click **Push Selected Items**.
+1. On the **Push Selected Content** box, navigate to the **Destinations** section to select the organizations to push the selected items to. You can push to all organizations, a single child organization, or multiple child organizations.
+1. Click **Push**. A **Pushing in progress** dialog is displayed.
### Tips
-* If you select **All Child Organizations**, you can then select organizations to exclude, allowing you to update to all organizations except those you select:
+* If you select **All Child Organizations**, you can then select organizations to exclude, allowing you to push to all organizations except those you select:
* Selected Library items are added to the [Admin Recommended](/docs/manage/content-sharing/admin-mode/#move-important-content-to-admin-recommended) folder. Additionally, you can only select the Library contents in Source Organization under the Admin Recommended folder.
-* When you update rule tuning expressions, select **Include Associated Cloud SIEM Rules** to also update all the Cloud SIEM rules that the expressions are used on:
-* **Scheduled Searches Connection**. Select **Include and Update Connection** to create the scheduled searches in the target organizations if they don't already exist there. Select **Ignore Connection** only if you want to turn the added scheduled searches into saved searches.
-* **Scheduled Reports**. Select **Include and Update Scheduled Reports** to create the scheduled reports in the target organizations if they don't already exist there. Select **Ignore Scheduled Reports** only if you want to turn the added scheduled reports into saved reports.
+* **Scheduled Searches Connection**. Select **Include Connection** to create the scheduled searches in the target organizations if they don't already exist there. Select **Ignore Connection** only if you want to turn the added scheduled searches into saved searches.
+* **Scheduled Reports**. Select **Include Scheduled Reports** to create the scheduled reports in the target organizations if they don't already exist there. Select **Ignore Scheduled Reports** only if you want to turn the added scheduled reports into saved reports.
:::note
- Both **Scheduled Searches Connection** and **Scheduled Reports** will be available to update when you select a library *folder*.
+ Both **Scheduled Searches Connection** and **Scheduled Reports** will be available only when you select a library *folder*.
:::
### Limitations
- If an item with the same name exists in the target organization, it will be replaced.
-- Once an update is initiated, it cannot be reversed. Administrators should carefully review their selections before updating.
-- If errors occur during update, administrators must manually re-attempt failed updates. To see failed updates, use [View History](#view-history).
-- Update operations may take longer based on the volume of content being updated.
-- Rule tuning expressions must be updated separately from rules.
-- *Cloud SIEM Legacy Rule Type* is not supported for sync or update.
-
-## View history
-
-1. Click **View History** in the upper-right corner of the page. A query for update history displays:
-1. Click the search button.
The update history displays. The email of the individual who performed the update appears in the **user_email** column, and the updated items appear in the **content** column.
-1. Investigate any updates that failed and re-run the update if needed.
-
-## View updates in the audit log
-
-You can view all content management updates in the [Audit Event Index](/docs/manage/security/audit-indexes/audit-event-index/) by using the following query:
-
-```sql
-_index=sumologic_audit_events
-| where eventname = "ContentSynced"
-```
-
-To see the results displayed the same as in [View History](#view-history), use the following query:
-
-```sql
-_index=sumologic_audit_events
-| where eventname = "ContentSynced"
-| orchestratorJob.id as job_sync_id
-| operator.email as user_email
-| parseDate(eventTime, "yyyy-MM-dd'T'HH:mm:ss.SSSXXX") as eventTimeInmilliseconds
-| values(resourceIdentity.name) as content, values(resourceIdentity.type) as content_type, min(eventTimeInmilliseconds) as content_sync_job_time_ms, values(status) as all_status by job_sync_id, user_email
-| if (contains(all_status, "Failed"), "Failed", "Success") as status
-| sort by content_sync_job_time_ms
-| formatDate(content_sync_job_time_ms, "yyyy-MM-dd") as content_sync_date
-| formatDate(content_sync_job_time_ms, "HH:mm:ss") as content_sync_time
-| fields content_sync_date, content_sync_time, job_sync_id, status, user_email, content_type, content
-```
+- Once a push is initiated, it cannot be reversed. Administrators should carefully review their selections before updating.
+- If errors occur during the push, administrators must manually re-attempt the failed push. To see failed pushes, use [View History](/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules#view-history).
+- Push operations may take longer based on the volume of content being pushed.
+- Rule tuning expressions must be pushed separately from rules.
+- *Cloud SIEM Legacy Rule Type* is not supported for sync or push.
+
+:::info
+To learn how to view history and view updates in the audit log, refer to [Manage Organizations for MSSPs - Cloud SIEM](/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules).
+:::
## FAQs
* **What happens when a item with the same name already exists?**
It will be replaced in the child organization.
-* **What happens if an item selected for update doesn't already exist in the target organization?**
The item will be created in the target organization.
-* **What if errors occur during updating?**
Affected items will be skipped. Once the rest of the content is updated, you can review errors in [View History](#view-history) and retry.
-* **Can I roll back changes after an update operation?**
No, rollback is not supported. After an update operation is initiated, changes cannot be reversed.
-* **How can I monitor update progress?**
During an update, the system displays real-time status, including progress tracking, success or failure messages, and error logs.
-* **How can I view update history?**
Click View History in the upper-right corner of the page. A query for update history will display, showing the email of the individual who performed the update and the updated items.
+* **What happens if an item selected for push doesn't already exist in the target organization?**
The item will be created in the target organization.
+* **What if errors occur during pushing?**
Affected items will be skipped. Once the rest of the content is pushed, you can review errors in [View History](/docs/manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules#view-history) and retry.
+* **Can I roll back changes after a push operation?**
No, rollback is not supported. After a push operation is initiated, changes cannot be reversed.
+* **How can I monitor push progress?**
During a push, the system displays real-time status, including progress tracking, success or failure messages, and error logs.
+* **How can I view push history?**
Click **View History** in the upper-right corner of the page. A query for push history will display, showing the email of the individual who performed the push and the pushed items.
* **Who can I contact for additional questions or support?**
Reach out to your Sumo Logic representative with any questions, issues, or feedback.
-
-#### Rules updates
-
-**Are rule tuning expressions included?**
No, they are not included, but can be updated separately.
-
-#### Rule tuning expressions updates
-
-* **What happens if the source tuning expression contains Cloud SIEM rules?**
If the **Include Linked Cloud SIEM Rules** option is selected, existing rules with the same name in the destination organization will be linked to match the source tuning expression.
-* **What if no matching Cloud SIEM rules are found in the destination organization?**
The update will complete with a warning, and missing rules will be logged in the audit log. You can update those rules separately and re-run the tuning expression update.
\ No newline at end of file
diff --git a/sidebars.ts b/sidebars.ts
index aa52efc5b5..f75aeebc23 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -988,7 +988,7 @@ module.exports = {
'manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-service-providers',
'manage/manage-subscription/create-and-manage-orgs/create-manage-orgs-flex',
'manage/manage-subscription/create-and-manage-orgs/manage-org-settings',
- //'manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps',
+ 'manage/manage-subscription/create-and-manage-orgs/manage-orgs-for-mssps-csiem-rules',
],
},
{
diff --git a/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2-csiem.png b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2-csiem.png
new file mode 100644
index 0000000000..4d84957161
Binary files /dev/null and b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2-csiem.png differ
diff --git a/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2.png b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2.png
index b40963353e..4298d4c48e 100644
Binary files a/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2.png and b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-2.png differ
diff --git a/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-csiem.png b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-csiem.png
new file mode 100644
index 0000000000..89f175c517
Binary files /dev/null and b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items-csiem.png differ
diff --git a/static/img/manage/subscriptions/mssp-orgs-sync-selected-items.png b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items.png
index 4ac9d38b49..8ad8e64070 100644
Binary files a/static/img/manage/subscriptions/mssp-orgs-sync-selected-items.png and b/static/img/manage/subscriptions/mssp-orgs-sync-selected-items.png differ
})