diff --git a/docs/cse/administration/create-a-custom-tag-schema.md b/docs/cse/administration/create-a-custom-tag-schema.md
index e08db23324..73afa06615 100644
--- a/docs/cse/administration/create-a-custom-tag-schema.md
+++ b/docs/cse/administration/create-a-custom-tag-schema.md
@@ -22,8 +22,8 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
## Define a custom tag schema
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Tag Schemas**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Tag Schemas**. You can also click the **Go To...** menu at the top of the screen and select **Tag Schemas**.
-1. On the **Tag Schemas** page, click **Create**.
-1. The **Tag Schema** popup appears.
+1. On the **Tag Schemas** page, click **+Add Tag Schema**.
+1. The **Add Tag Schemas** popup appears.
1. **Key**. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the **Label** field blank.
1. **Label**. Enter a label for the tag. If you supply a label, that’s what will appear in the UI for assigning tags to a content item.
1. **Content Types**. Select the types that you want the tag to be
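Review bot: The button label in the added step "On the **Tag Schemas** page, click **+Add Tag Schema**" has no space after the plus sign, and the popup in the next added step is named **Add Tag Schemas** (plural) while the button is singular. The other files in this patch write these controls as "**+ Add Action**" and "**+ Add Status**". Suggest checking both strings against the UI and using one form, so readers can find the control by its exact text.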
@@ -32,7 +32,7 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
* **Rule**
* **Entity** The options do not include **Signal** or **Insight**. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
1. **Allow Custom Values**. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the **Value Options** section below.
- 1. **Value Options**. If **Allow Custom Values** is not checked, you must define at least one value for the tag:
+ 1. If **Allow Custom Values** is not checked, you must define at least one value for the tag:
* **Enter Value**. Enter an allowable value for the tag.
* **Enter Label**. Enter a label for the value.
* **Enter Link** (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the **Tactic:TA0002** to associated information on the MITRE site.
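Review bot: Removing the **Value Options** label from the sub-step leaves a dangling reference: the unchanged **Allow Custom Values** step directly above still ends with "one of the values you define in the **Value Options** section below". Either keep the label on the sub-step or reword that sentence so it points at whatever the section is now called in the UI.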
diff --git a/docs/cse/administration/create-cse-actions.md b/docs/cse/administration/create-cse-actions.md
index 042725ad76..bc8bded9f2 100644
--- a/docs/cse/administration/create-cse-actions.md
+++ b/docs/cse/administration/create-cse-actions.md
@@ -73,10 +73,10 @@ The notification sent by a Rule Action contains the name of the rule and the re
## Create an Action
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Actions**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Actions**. You can also click the **Go To...** menu at the top of the screen and select **Actions**.
-1. On the **Actions** page, click **Create**.
-1. The **Create Action** popup appears.
+1. On the **Actions** tab, click **+ Add Action**.
+1. The **Add Action** popup appears.
1. **Name**. Enter a name that communicates what the Action does.
-1. **Type**. Choose one of the following options, and follow the instructions for that Action type to complete creating your Action.
+1. **Action Type**. Choose one of the following options, and follow the instructions for that Action type to complete creating your Action.
* [AWS Simple Notification Service](#aws-simple-notification-service-sns)
* [Demisto](#demistocortex-xsoar)
* [Email](#email)
diff --git a/docs/cse/administration/create-cse-context-actions.md b/docs/cse/administration/create-cse-context-actions.md
index dd8e88b3c6..67c2354e83 100644
--- a/docs/cse/administration/create-cse-context-actions.md
+++ b/docs/cse/administration/create-cse-context-actions.md
@@ -32,7 +32,7 @@ The Context Actions menu will be available for any of these types, wherever they
## How a user accesses Context Actions
-A user runs a Context Action by clicking the Context Action icon next to an Entity, Record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
+A user runs a Context Action by clicking the Context Action icon
next to an Entity, Record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
In the screenshot below, Context Actions are listed below the built-in **Add to Match List** and **Add to Suppressed List** options.
@@ -58,17 +58,18 @@ import Iframe from 'react-iframe';
## Configure a Context Action
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Context Actions**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Context Actions**. You can also click the **Go To...** menu at the top of the screen and select **Context Actions**.
-1. On the **Context Actions** page click **Create**.
-1. Create the context action.
- 1. **Enter Context Action Name**. Enter a name for the Context Action.
- 1. Choose whether you want to open a **URL** to an external service or
- a **Sumo Logic Query**.
- 1. Enter the URL or log query that the context action will issue.
+1. On the **Context Actions** tab click **+ Add Context Action**.
+1. Create the context action.
+ 1. **Name**. Enter a name for the Context Action.
+ 1. **Action Type**. Choose whether you want to open a **Sumo Logic Query** or a **URL** to an external service.
+ 1. **Query**. Enter the URL or log query that the context action will issue.
For instructions, see:
* [Create a Sumo Logic search URL](#create-a-sumo-logic-search-url)
* [Create a URL to external service](#create-an-url-to-an-external-service)
1. If you chose **Sumo Logic Query** above, the **Timestamp offset** option appears, which set the query time range. The offset can be either -30m or +30m, and it will be applied to the timestamp in the target Record’s [timestamp](/docs/cse/schema/schema-attributes) field.
- 1. Choose the IOC data types to which the context action will apply. You can select one or more of the following data types listed below. Your context action will be available for any occurrences of the IOCs you select.
+ 1. **Entity Types**. Select the Entity types that the context action will apply to.
+ 1. **Record Properties**. Select the Record properties that the context action will apply to.
+ 1. **IOC Data Types**. Choose the IOC data types to which the context action will apply. You can select one or more of the following data types listed below. Your context action will be available for any occurrences of the IOCs you select.
* **Domain**
* **Entity Types**
* **Hash**
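Review bot: The new **Entity Types** step overlaps with the bullet list under **IOC Data Types**, which still contains `* **Entity Types**` between **Domain** and **Hash**. If Entity types are now selected in their own field, that bullet should be removed from the IOC list. Separately, the added step "**Query**. Enter the URL or log query that the context action will issue" uses one label for both action types; state whether the field is still called **Query** when **URL** is chosen. The unchanged **Timestamp offset** line also reads "which set the query time range" and could be corrected to "sets" in the same change.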
diff --git a/docs/cse/administration/manage-custom-insight-resolutions.md b/docs/cse/administration/manage-custom-insight-resolutions.md
index d086313434..719a940237 100644
--- a/docs/cse/administration/manage-custom-insight-resolutions.md
+++ b/docs/cse/administration/manage-custom-insight-resolutions.md
@@ -23,13 +23,14 @@ You can define custom *sub-resolutions* for any of the built-in resolutions. Thi
## Create a custom sub-resolution
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Resolutions**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Resolutions**. You can also click the **Go To...** menu at the top of the screen and select **Insight Resolutions**.
-1. On the **Insight Resolutions** page, click **Create**.
-1. The **Create Insight Resolution** page appears.
+1. On the **Insight Resolutions** tab, click **+ Add Resolution**.
+1. The **Add Insight Resolution** popup appears.
1. **Name**. Enter a meaningful name for the new resolution.
1. **Parent Resolution**. Display the dropdown list and select a built-in resolution.
1. **Description**. (Optional) Enter a description that will help other users understand when to use the new resolution.
- 1. Click **Create**.
- 1. The new resolution appears on the **Insight Resolutions** page, indented below the parent resolution.
+ 1. Click **Save**.
+
+The new resolution appears on the **Insight Resolutions** tab, indented below the parent resolution.
## Close an Insight using a custom resolution
diff --git a/docs/cse/administration/manage-custom-insight-statuses.md b/docs/cse/administration/manage-custom-insight-statuses.md
index 7eccd0b860..cbde112eae 100644
--- a/docs/cse/administration/manage-custom-insight-statuses.md
+++ b/docs/cse/administration/manage-custom-insight-statuses.md
@@ -14,7 +14,7 @@ This page has information about creating and managing custom Insight statuses.
To view Insight statuses:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
-1. This screenshot of the **Statuses** page shows the three Insight statuses that are preconfigured:
+1. This screenshot of the **Insight Statuses** tab shows the three Insight statuses that are preconfigured:
* **New**. Insights that have not been worked on yet.
* **In Progress**. Insights that are being investigated. If you want to create custom statuses to represent different types of "in progress" states, you can click the **Enabled** toggle to disable the default **In Progress** status to reduce confusion.
* **Closed**. Insights whose investigations are complete.
@@ -26,28 +26,28 @@ Preconfigured Insight statuses cannot be edited or deleted. You can however crea
To create a custom Insight status:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
-1. On the **Statuses** page, click **Create Status**.
-1. On the **New Status** popup, enter a name and description for the status.
+1. On the **Insight Statuses** tab, click **+ Add Status**.
+1. On the **Add Insight Status** popup, enter a name and description for the status.
1. Click **Color** to select a color for the status. The color will appear on the status on the [Heads Up Display](/docs/cse/get-started-with-cloud-siem/cse-heads-up-display).
## Change the order of Insight statuses
-You can change the status of an Insight on the **Details** pane of the page for the Insight. Note that the items in the **Status** dropdown appear in the same order as they do on the **Statuses** page.
+You can change the status of an Insight on the **Details** pane of the page for the Insight. Note that the items in the **Status** dropdown appear in the same order as they do on the **Insight Statuses** tab.
-To change the order that the statuses appear in the **Status** dropdown, you can reorder them on the **Statuses** page, except for **New** and **Closed**. **New** must always be the first status, and **Closed** must always be the last.
+To change the order that the statuses appear in the **Status** dropdown, you can reorder them on the **Insight Statuses** tab, except for **New** and **Closed**. **New** must always be the first status, and **Closed** must always be the last.
To change the order of Insight statuses:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Workflow** select **Statuses**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Workflow** select **Insight Statuses**. You can also click the **Go To...** menu at the top of the screen and select **Insight Statuses**.
-1. On the **Statuses** page, each status that can be moved has a handle to the left of its name.
+1. On the **Insight Statuses** tab, each status that can be moved has a handle to the left of its name.
1. To move a status to a different location on the list, use your mouse to drag it to the desired location.
## Edit or delete a custom Insight status
-On the **Statuses** page, you can edit or delete any of the custom Insight statuses that have been created.
+On the **Insight Statuses** tab, you can edit or delete any of the custom Insight statuses that have been created.
The edit and delete icons are only available for custom statuses.
diff --git a/docs/cse/automation/about-automation-service-and-cloud-siem.md b/docs/cse/automation/about-automation-service-and-cloud-siem.md
index 57c619764a..c70d9b94a1 100644
--- a/docs/cse/automation/about-automation-service-and-cloud-siem.md
+++ b/docs/cse/automation/about-automation-service-and-cloud-siem.md
@@ -47,7 +47,7 @@ Before you can access the Automation Service from Cloud SIEM, you must first [co
1. To access the Automation Service from Cloud SIEM:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
The list of available Cloud SIEM automations appears. Each automation runs a playbook.
- 1. At the top of the screen, click **Manage Playbooks**.
The Automation Service screen displays:
+ 1. At the top of the screen, click **Manage Playbooks**.
The Automation Service screen displays:
:::note
You can also launch the Automation Service by selecting **Automation** from the main menu:
If you also have Cloud SOAR installed, a **Cloud SOAR** option appears instead, since all automation services are provided by Cloud SOAR when it installed in conjunction with Cloud SIEM.
:::
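Review bot: The removed and added **Manage Playbooks** lines read identically here, so this appears to be a whitespace-only change; worth confirming it is intentional and does not alter list nesting. While this block is being touched, the unchanged note below it contains "when it installed in conjunction with Cloud SIEM", which should read "when it is installed".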
diff --git a/docs/cse/automation/automations-in-cloud-siem.md b/docs/cse/automation/automations-in-cloud-siem.md
index 6019e1bed0..9258fcd21f 100644
--- a/docs/cse/automation/automations-in-cloud-siem.md
+++ b/docs/cse/automation/automations-in-cloud-siem.md
@@ -55,10 +55,10 @@ Now that the playbook is configured, you can add it to an automation.
1. [Create a new automation](#create-an-automation).
1. Select the playbook you created in Step 2.
-1. In **Expects attributes for**, select **Entity** or **Insight**.
+1. In **Object (expects attributes for)**, select **Entity** or **Insight**.
1. Select whether you want to automatically run the automation when an Insight is created or closed, or to run it manually. (For the purposes of this overview, select **Manually Done**.)
1. Select **Enabled**.
-1. Click **Add to List**.
+1. Click **Save**.
### Step 4: Run the automation
@@ -92,13 +92,12 @@ To view the automations that have run on Insights or Entities, see [View results
The following procedure provides a brief introduction to how to create an automation. For detailed examples, see [Cloud SIEM Automation Examples](/docs/cse/automation/cloud-siem-automation-examples/).
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
-1. At the top of the automations screen, click **Create**. (To modify an existing automation, click on the edit icon for the corresponding automation.)
-1. In the **New Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation.
-1. In **Expects attributes for** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM.
-1. If **Entity** is selected, in the **Type** field select one or more Entity types. The playbook will only execute on the Entity types selected.
-1. Select one or more **Executes when** Insight triggers: **Insight Created**, **Insight Closed**, or **Manually Done**. If **Manually Done** is not selected, the automation will not appear in any **Actions** menu on Insights or **Automations** menus on Entities.
+1. At the top of the **Automation** tab, click **+ Add Automation**. (To modify an existing automation, select the automation and click **Edit**.)
+1. In the **Add Automation** dialog, select a **Playbook** from the drop-down list. The playbook must be defined before associating it with an automation.
1. Set the **Status**. Disabled automations will not run automatically and will not appear in any **Actions** or **Automations** menus.
-1. Click **Add to List** (or **Update** if editing an existing automation).
+1. In **Object (xpects attributes for)** select whether the playbook will run on an **Entity** or **Insight**. This defines what data payload will be sent to the playbook from Cloud SIEM. If **Entity** is selected, in the **Type** field select one or more Entity types. The playbook will only execute on the Entity types selected.
+1. For **Execution** select when the automation runs: **Insight Created**, **Insight Closed**, or **Manually Done**. If **Manually Done** is not selected, the automation will not appear in any **Actions** menu on Insights or **Automations** menus on Entities.
+1. Click **Save**.
## Run an automation automatically
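Review bot: Typo in the added step "In **Object (xpects attributes for)** select whether the playbook will run on": the field name is missing an "e" and should match the "**Object (expects attributes for)**" spelling used in the earlier hunk of this file. Also note that this step now folds the former **Type** step into the same list item; consider keeping the Entity-type selection as its own step, since it restricts which Entity types the playbook runs on and is easy to miss at the end of a long paragraph.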
diff --git a/docs/cse/automation/cloud-siem-automation-examples.md b/docs/cse/automation/cloud-siem-automation-examples.md
index 4946f98a18..e6692ab715 100644
--- a/docs/cse/automation/cloud-siem-automation-examples.md
+++ b/docs/cse/automation/cloud-siem-automation-examples.md
@@ -63,11 +63,11 @@ The following example shows how to add an enrichment to an Insight using the “
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
- 1. At the top of the automations screen, click **New Automation**.
+ 1. At the top of the **Automation** tab, click **+ Add Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
- 1. For **Expects attributes for**, select **Insight**.
- 1. For **Executes when**, select **Manually Done**.
- 1. Click **Add to List**.
+ 1. For **Object (expects attributes for)**, select **Insight**.
+ 1. For **Execution**, select **Manually Done**.
+ 1. Click **Save**.
1. Run the automation:
1. Select **Insights** from the main Cloud SIEM screen.
1. Select an Insight.
@@ -135,11 +135,11 @@ The following example shows how to configure a notification that sends an email
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu of Cloud SIEM select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
- 1. At the top of the automations screen, click **New Automation**.
+ 1. At the top of the **Automation** tab, click **+ Add Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
- 1. For **Expects attributes for**, select **Insight**.
- 1. For **Executes when**, select **Manually Done**.
- 1. Click **Add to List**.
+ 1. For **Object (expects attributes for)**, select **Insight**.
+ 1. For **Execution**, select **Manually Done**.
+ 1. Click **Save**.
1. Run the automation:
1. Select **Insights** from the main Cloud SIEM screen.
1. Select an Insight.
@@ -239,11 +239,11 @@ The action uses [IP Quality Score](https://www.ipqualityscore.com/) to gather IP
1. Click the **Publish** button (clipboard icon) at the bottom of the playbook view. The playbook should look like this:
1. Create an automation in Cloud SIEM to run the playbook:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
- 1. At the top of the automations screen, click **New Automation**.
+ 1. At the top of the **Automation** tab, click **+ Add Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
- 1. For **Expects attributes for**, select **Insight**.
- 1. For **Executes when**, select **Manually Done**.
- 1. Click **Add to List**.
+ 1. For **Object (expects attributes for)**, select **Insight**.
+ 1. For **Execution**, select **Manually Done**.
+ 1. Click **Save**.
1. Run the automation:
1. Select **Insights** from the main Cloud SIEM screen.
1. Select an **Insight**.
@@ -363,9 +363,9 @@ The following example pulls together elements of the [Simple example](#simple-ex
1. Create an automation in Cloud SIEM to run the playbook:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the main Sumo Logic menu select **Cloud SIEM**. In the top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**.
1. For **Playbook**, select the playbook you created in the previous steps.
- 1. For **Expects attributes for**, select **Insight**.
- 1. For **Executes when**, select **Manually Done**.
- 1. Click **Add to List**.
+ 1. For **Object (expects attributes for)**, select **Insight**.
+ 1. For **Execution**, select **Manually Done**.
+ 1. Click **Save**.
1. Run the automation:
1. Select **Insights** from the main Cloud SIEM screen.
1. Select an Insight.
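Review bot: This procedure is missing the step that opens the dialog. It goes from the Classic UI / New UI navigation line straight to "For **Playbook**, select the playbook you created in the previous steps", whereas the three earlier examples in this file each get "At the top of the **Automation** tab, click **+ Add Automation**" in between. Suggest adding that step here so the four examples are consistent.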
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md
index 0ec37f2a7d..eaf9077101 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/auth0.md
@@ -56,5 +56,5 @@ In this step, you verify that your logs are successfully making it into
Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for Auth0 and check under **Record Volume**.
+1. On the **Log Mappings** tab search for Auth0 and check the **Records** columns.
1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Auth0 security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md
index 9e176ebc9a..1bd377c439 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-application-load-balancer.md
@@ -71,5 +71,5 @@ In this step, you verify that your logs are successfully making it into
Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "AWS Application Load Balancer" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "AWS Application Load Balancer" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS ALB Flow security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md
index 6169ad900b..a62638ecff 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-cloudtrail.md
@@ -47,6 +47,6 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "CloudTrail" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "CloudTrail" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for CloudTrail security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
index d558d4ee46..dc50894356 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-guardduty.md
@@ -76,5 +76,5 @@ In this step, you deploy the events processor. This will create the AWS resource
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "GuardDuty" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "GuardDuty" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for GuardDuty security records..
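Review bot: The unchanged last step in this hunk ends with a double period ("for GuardDuty security records.."). Since the adjacent line is being edited anyway, fix the punctuation in the same change.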
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md
index a13d5e3fdc..b027c282dc 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-network-firewall.md
@@ -62,7 +62,7 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "AWS Network Firewall " and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "AWS Network Firewall " and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS Network Firewall security records.
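Review bot: The added line carries over a trailing space inside the quoted search term: search for "AWS Network Firewall " and check the **Records** columns. Drop the space before the closing quote so a reader who copies the string searches for the exact mapping name.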
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md
index 589a146f74..7e3dc775a3 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/aws-vpc-flow.md
@@ -71,5 +71,5 @@ It’s also possible to configure individual sources to forward to Cloud SIEM, a
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "AWS VPC Flow" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "AWS VPC Flow" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for AWS VPC Flow security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md
index 5a5fe77e1f..dbb435cb91 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/carbon-black.md
@@ -76,5 +76,5 @@ In this step you configure Carbon Black Cloud to send log messages to an S3 buck
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-2. On the **Log Mappings** page search for Carbon Black Cloud and check under **Record Volume**.
+2. On the **Log Mappings** tab search for Carbon Black Cloud and check the **Records** columns.
3. For a more granular look at the incoming Records, you can also search Sumo Logic for Carbon Black Cloud Records.
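Review bot: The search term in the changed line is unquoted (search for Carbon Black Cloud), while sibling hunks quote theirs ("AWS VPC Flow", "checkpoint"). Since the line is being touched anyway, suggest quoting it so the reader knows exactly what to type. microsoft-audit-office.md (Office 365) and okta.md (Okta) have the same inconsistency, and osquery.md uses italics instead.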
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
index 399fbaaec3..b85d3f5659 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/check-point-firewall.md
@@ -62,5 +62,5 @@ In this step you configure Check Point Firewall to send log messages to the Sumo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "checkpoint" and check under **Record Volume.**
+1. On the **Log Mappings** tab search for "checkpoint" and check the **Records** columns.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Check Point Firewall security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
index 0addb5ce3b..59b371146d 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa.md
@@ -60,5 +60,5 @@ To configure Cisco ASA logging, follow the instructions in the [ASA Syslog Conf
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Cisco ASA" and check under **Record Volume.** A list of mappers for Cisco ASA Syslog will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "Cisco ASA" and check the **Records** columns. A list of mappers for Cisco ASA Syslog will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also use search the Sumo Logic platform for Cisco ASA security records.
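Review bot: The unchanged line right after the edited step still reads "you can also use search the Sumo Logic platform", which is ungrammatical. Suggest fixing it in this pass to "you can also search the Sumo Logic platform", as the other source pages word it. cisco-meraki.md and microsoft-windows.md carry the same sentence.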
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
index d40fb37e83..c22222cd55 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki.md
@@ -61,5 +61,5 @@ Configure logging for Cisco Meraki as described in [Syslog Server Overview and
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Cisco Meraki" and check under **Record Volume.** A list of mappers for Cisco Meraki will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "Cisco Meraki" and check the **Records** columns. A list of mappers for Cisco Meraki will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also use search the Sumo Logic platform for Cisco Meraki security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
index 2f401171eb..b5a96cee38 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md
@@ -58,8 +58,8 @@ In this step you configure Zeek to send log messages to the Sumo Logic platform.
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configure-collection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
-1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
-1. On the **Create Sumo Logic Mapping** popup:
+1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.
+1. On the **Add Ingest Mapping** popup:
1. **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector in [Step 1](#step-1-configure-collection).
1. **Format**. Enter *Bro/Zeek JSON*.
1. **Event ID**. *`{_path}`*.
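Review bot: In the Classic UI path of step 1 the reader selects **Sumo Logic** under **Integrations**, yet the next step now tells them they are on the **Ingest Mappings** tab and should click **+ Add Ingest Mapping**. Please confirm those names exist in the Classic UI, or keep the old names for that path. While here, the context line has a typo, "and then and under **Integrations**", that could be fixed in the same change.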
@@ -70,5 +70,5 @@ In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the so
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Zeek" and check under **Record Volume.**
+1. On the **Log Mappings** tab search for "Zeek" and check the **Records** columns.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Corelight Zeek security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
index 3a10d6a806..acb30eb109 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/fortigate-firewall.md
@@ -70,5 +70,5 @@ Different parsers are required for CEF and JSON format logs.
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "FortiGate" and check under **Record Volume.** A list of mappers for FortiGate will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "FortiGate" and check the **Records** columns. A list of mappers for FortiGate will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for FortiGate security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md
index 5112ea73ec..6df6067331 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/g-suite-alert-center.md
@@ -50,5 +50,5 @@ In this step, you configure an HTTP Source to collect G Suite Alert Center log m
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the Log Mappings page search for "G Suite Alert Center" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "G Suite Alert Center" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for G Suite Alert Center security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
index 96334660c9..090435c750 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/google-workspace-apps-audit.md
@@ -37,5 +37,5 @@ In this step, you configure an Google Workspace Apps Audit Source to collect Goo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Google Workspace" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "Google Workspace" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
index fa5190fd95..e0211d4d6e 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/kemp-loadmaster.md
@@ -63,5 +63,5 @@ While the linked document only focuses on unexpected reboot logs, the process fo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Kemp" and check under **Record Volume**, a list of mappers for Kemp will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "Kemp" and check the **Records** column. A list of mappers for Kemp will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Kemp security records.
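Review bot: The added line says "check the **Records** column" (singular), whereas the other files in this patch say "**Records** columns". Pick one form and use it throughout so readers are not left wondering whether there is one column or several.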
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
index 5d5f185053..a119cffa86 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog.md
@@ -87,5 +87,5 @@ In this step, you configure forwarding to the the Syslog Source. Follow the ins
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Linux OS" and check under **Record Volume.** A list of mappers for Linux OS Syslog will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "Linux OS" and check the **Records** columns. A list of mappers for Linux OS Syslog will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Linux OS security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
index c60e0b51c5..2a57376776 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-audit-office.md
@@ -42,5 +42,5 @@ In this step, you configure an Microsoft 365 Audit Source to collect Microsoft 3
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for Office 365 and check under **Record Volume**.
+1. On the **Log Mappings** tab search for Office 365 and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Office 365 security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
index b365626bc9..bbae6229fa 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-azure-activity-log.md
@@ -54,5 +54,5 @@ In this step you configure Azure Activity Log to send log messages to the Sumo L
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Azure" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "Azure" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Azure security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
index 631b85969b..0dbed7c814 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/microsoft-windows.md
@@ -61,5 +61,5 @@ In this step, you configure a Local Windows Event Log Source to collect Microsof
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Windows" and check under **Record Volume.**
+1. On the **Log Mappings** tab search for "Windows" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also use search the Sumo Logic platform for Windows security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
index 6233ff342e..bb9495bfdb 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/nginx-access-logs.md
@@ -65,5 +65,5 @@ Follow the Nginx [instructions](https://docs.nginx.com/nginx/admin-guide/monito
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Nginx" and check under **Record Volume**, a list of mappers for Nginx will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "Nginx" and check the **Records** columns. A list of mappers for Nginx will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Nginx security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
index cb786421c0..50aa296955 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/okta.md
@@ -33,5 +33,5 @@ In this step, you configure an Okta Source to collect Okta log messages. You can
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for Okta and check under **Record Volume**.
+1. On the **Log Mappings** tab search for Okta and check the **Records** columns.
1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for Okta security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
index 8e9285c21f..fd1758c3eb 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/onelogin.md
@@ -56,5 +56,5 @@ the OneLogin knowledge base. You must use the SIEM (NDJSON) format. Use the **S
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "OneLogin" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "OneLogin" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for OneLogin security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
index b7af31e976..1810d5f5b1 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/osquery.md
@@ -65,5 +65,5 @@ In this step you configure osquery to send log messages to Sumo Logic core platf
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page, search for *osquery* and check under **Record Volume**.
-1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery Records.
+1. On the **Log Mappings** tab, search for *osquery* and check the **Records** columns.
+1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery Records.
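Review bot: The second removed/added pair ("1. For a more granular look at the incoming records, you can also search Sumo Logic for osquery Records.") shows no visible text difference, so it is presumably a whitespace-only change. If that is unintentional, drop it from the patch to keep the diff minimal. If it fixes trailing whitespace or indentation, say so in the commit message.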
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
index 9b431986f2..f8f491cb88 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/palo-alto-firewall.md
@@ -117,5 +117,5 @@ In this step, you configure Palo Alto Firewall to send log messages to the Sumo
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Palo Alto" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "Palo Alto" and check the **Records**.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Palo Alto Firewall security records.
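Review bot: The added line ends with "check the **Records**." and drops the noun. Every other file in this patch says "check the **Records** columns", so suggest "check the **Records** columns." here too.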
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
index d4955b6e14..0a4c68252f 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/sentinelone.md
@@ -57,6 +57,6 @@ In this step you configure SentinelOne to send log messages to the Sumo Logic pl
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "SentinelOne" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "SentinelOne" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also use the Sumo Logic platform to search for SentinelOne security records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md
index b41cc2f08c..7f1c477cd2 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/signal-sciences-waf.md
@@ -58,8 +58,8 @@ For more information on Generic Webhooks refer to the [Generic Webhooks](https:/
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configurecollection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
-1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
-1. On the **Create Sumo Logic Mapping** popup:
+1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.
+1. On the **Add Ingest Mapping** popup:
* **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector in [Step 1](#step-1-configurecollection).
* **Format**. Enter *JSON.*
* **Vendor**. Enter *SignalSciences*.
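Review bot: The context lines link to `#step-1-configurecollection`, while the equivalent step in corelight-zeek.md links to `#step-1-configure-collection`. Worth checking that the anchor without the hyphen resolves to the Step 1 heading in this file, since a broken in-page link would go unnoticed in a wording-only change.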
@@ -72,6 +72,6 @@ In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the so
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Signal Sciences" and check under **Record Volume**.
+1. On the **Log Mappings** page search for "Signal Sciences" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Signal Sciences WAF security records.
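Review bot: The added line still says "On the **Log Mappings** page", while every other verify-ingestion step in this patch was changed to "tab". It looks like only the second half of the sentence was updated here. Suggest "On the **Log Mappings** tab search for "Signal Sciences" and check the **Records** columns."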
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
index 9144404fc6..1cb8bc05ab 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway-blue-coat-proxy.md
@@ -68,5 +68,5 @@ In this step, you configure ProxySG to forward access logs to the the Syslog S
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "ProxySG" and check under **Record Volume.** A list of mappers for ProxySG will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG will appear and you can see if logs are coming in.
1. For a more granular look at the incoming Records, you can also search Sumo Logic for ProxySG Records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
index 367c2da303..05c2f37264 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/symantec-proxy-secure-gateway.md
@@ -72,5 +72,5 @@ Instructions for sending access logs to a syslog server are available on the [Br
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "ProxySG" and check under **Record Volume**. A list of mappers for ProxySG Syslog will appear and you can see if logs are coming in.
+1. On the **Log Mappings** tab search for "ProxySG" and check the **Records** columns. A list of mappers for ProxySG Syslog will appear and you can see if logs are coming in.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Proxy Secure Gateway security Records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
index 5902b28375..c93484d350 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-nss.md
@@ -61,5 +61,5 @@ In this step, you configure ZScaler NSS to send log messages to the Sumo Logic
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "Nanolog Streaming Service" and check under **Record Volume.**
+1. On the **Log Mappings** tab search for "Nanolog Streaming Service" and check the **Records** columns.
1. For a more granular look at the incoming Records, you can also search the Sumo Logic platform for ZScaler NSS security Records.
diff --git a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md
index 57f7e110b4..5916bb69ec 100644
--- a/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md
+++ b/docs/cse/ingestion/ingestion-sources-for-cloud-siem/zscaler-private-access.md
@@ -57,5 +57,5 @@ In this step you configure Zscaler Private Access to send log messages to Sumo L
In this step, you verify that your logs are successfully making it into Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. On the **Log Mappings** page search for "ZPA" and check under **Record Volume**.
+1. On the **Log Mappings** tab search for "ZPA" and check the **Records** columns.
1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for "ZPA" security records.
diff --git a/docs/cse/ingestion/sumo-logic-ingest-mapping.md b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
index 554af03be7..97282ac32d 100644
--- a/docs/cse/ingestion/sumo-logic-ingest-mapping.md
+++ b/docs/cse/ingestion/sumo-logic-ingest-mapping.md
@@ -64,7 +64,7 @@ You need to know how your messages are formatted. Cloud SIEM supports messages i
### Determining Product, Vendor, and Event ID pattern
-When you fill out the **Sumo Logic Ingest Mapping** page, for most of the supported message formats, all you need to select a value for **Format**. However, for the following formats, you also need to tell Cloud SIEM the **Product**, **Vendor**, and **Event ID template** for the messages:
+When you fill out the **Add Ingest Mapping** page, for most of the supported message formats, all you need to select a value for **Format**. However, for the following formats, you also need to tell Cloud SIEM the **Product**, **Vendor**, and **Event ID template** for the messages:
* JSON messages without a syslog header
* JSON messages with a syslog header
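Review bot: The changed sentence still reads "all you need to select a value for **Format**", which is missing words; since the line is being touched, make it "all you need to do is select a value for **Format**". It also calls **Add Ingest Mapping** a "page", while a later hunk in this file says "On the **Add Ingest Mapping** popup" and ingest-zeek-logs.md says "On the **Add Ingest Mapping** tab"; use one term for the same dialog across the patch.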
@@ -74,7 +74,7 @@ When you fill out the **Sumo Logic Ingest Mapping** page, for most of the suppor
For these formats, Cloud SIEM uses the values you configure for **Product**, **Vendor**, and **Event ID** (in addition to **Format**) to select the appropriate Cloud SIEM mapper to process the messages. To verify the correct values, you can go to the **Log Mapping Details** page for the mapper in the Cloud SIEM UI. To do so:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. The **Log Mappings** page displays a list of mappers.
+1. The **Log Mappings** tab displays a list of mappers.
1. In the **Filters** area, you can filter the list of log mappings by
typing in a keyword, or by selecting a field to filter by.
1. When you find the mapper you’re looking for, you can find the following for a mapper on the **If Input Matches** side of the page:
@@ -85,7 +85,7 @@ For these formats, Cloud SIEM uses the values you configure for **Product**, **V
### Quick reference to configuring ingest mappings
-This table in this section is a quick reference to supplying values for each supported message format on the **Create Sumo Logic Mapping** page in Cloud SIEM. This reference summarizes the step-by-step instructions provided below.
+This table in this section is a quick reference to supplying values for each supported message format on the **Add Ingest Mapping** page in Cloud SIEM. This reference summarizes the step-by-step instructions provided below.
| If your messages are... | Select this option for Format | Are Vendor, Product, andEvent ID pattern required? | How Cloud SIEM picks a mapper |
| :-- | :-- | :-- | :-- |
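Review bot: The replaced line keeps the opening "This table in this section is a quick reference", which is redundant; "The table in this section" reads better. While editing here, the table header in this hunk's context has "andEvent ID pattern" with a missing space.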
@@ -105,8 +105,8 @@ This table in this section is a quick reference to supplying values for each su
In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured. The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
-1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
-1. On the **Create Sumo Logic Mapping** popup:
+1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.
+1. On the **Add Ingest Mapping** popup:
1. **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector.
1. **Format**. Follow the instructions for the type of messages your source collects:
* [Unstructured messages with a syslog header](#unstructured-messages-with-a-syslog-header)
diff --git a/docs/cse/ingestion/view-mappers-for-product.md b/docs/cse/ingestion/view-mappers-for-product.md
index 115e26ddb4..989f272c28 100644
--- a/docs/cse/ingestion/view-mappers-for-product.md
+++ b/docs/cse/ingestion/view-mappers-for-product.md
@@ -14,4 +14,6 @@ See the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-con
Cloud SIEM may have more than one log mapping for a particular product. For example, there may be a separate mapping for each message type issued by a product. You can view the available mappings in the Cloud SIEM UI.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. In the **Filters** area, filter by **Output Vendor**, **Output Product**, or both.
In the following screenshot, the list of mappings is filtered to display mappings for *Output Vendor is Proofpoint*. The list contains six mappings for two Proofpoint products: five for Targeted Attack Protection, and one for Proofpoint On Demand.
+1. In the **Filters** area, filter by **Output Vendor**, **Output Product**, or both.
+
+In the following screenshot, the list of mappings is filtered to display mappings for *Output Vendor is Proofpoint*. The list contains six mappings for two Proofpoint products: one for Proofpoint On Demand, and the rest for Targeted Attack Protection.
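Review bot: The rewritten sentence keeps the hard-coded "six mappings" but replaces the per-product counts with "the rest", so the total can still go stale while the breakdown no longer can. Either drop the total as well ("The list contains mappings for two Proofpoint products") or keep explicit counts that match the screenshot.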
diff --git a/docs/cse/integrations/enable-virustotal-enrichment.md b/docs/cse/integrations/enable-virustotal-enrichment.md
index c915309477..a2f43415c8 100644
--- a/docs/cse/integrations/enable-virustotal-enrichment.md
+++ b/docs/cse/integrations/enable-virustotal-enrichment.md
@@ -37,8 +37,8 @@ VirusTotal enrichments are only added to Signals that are part of an Insight.
## Configure VirusTotal enrichment
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Enrichment**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Enrichment**. You can also click the **Go To...** menu at the top of the screen and select **Enrichment**.
-1. On the **Enrichment** page, click the pencil icon for VirusTotal.
-2. On the **Edit VirusTotal Configuration** popup, enter your VirusTotal API Key, and click Update.
+1. On the **Enrichment** tab, select **VirusTotal** and click the **Edit** button.
+2. On the **Edit VirusTotal** popup, enter your VirusTotal API Key, and click **Save**.
## Example VirusTotal enrichment
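Review bot: The two replaced steps are numbered "1." and "2." after an opening step that is also "1.", so the source list reads 1, 1, 2. Markdown renumbers on render, but most procedures in this patch use "1." for every step; use that here too. The same mixed numbering appears in the create-custom-entity-type.md and entity-criticality.md hunks.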
diff --git a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
index 82fb7de2e1..f29c17bc13 100644
--- a/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
+++ b/docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
@@ -72,15 +72,16 @@ For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-
After you've [created your Entity Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Normalization**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Normalization**. You can also click the **Go To...** menu at the top of the screen and select **Normalization**.
-1. On the **Entity Normalization** page, click **Lookup Tables**.
-1. Click **Create** on the **Lookup Tables** tab.
-1. The **Existing Lookup Table** popup appears.
-1. **Type**. Choose the type of normalization you want to set up.
- * **Host ID to Normalized Hostname**. Maps unique host IDs to recognizable hostnames.
- * **User ID to Normalized Username**. Maps unique user IDs to recognizable usernames.
- * **Username to Normalized Username**. Maps a username in one format to a username in another format.
-1. **Lookup Column Name**. Enter the name of the Lookup Table column that contains the primary key for the table.
-1. **Substitution Column Name**. Enter the name of the Lookup Table column that contains the value you want to substitute for the lookup column.
-1. **Source Category**. (Optional) If you enter a source category, the lookup substitution will only be applied to Records that are tagged with that source category.
-1. **Table Path**. Enter the path to the existing Lookup Table in the Sumo Logic Library. For example: `/Library/Admin Recommended/NormalizedHostNames` You can copy the path to the [Lookup Table](/docs/search/lookup-tables/create-lookup-table) in the Sumo Logic Library. Hover over the row for the table in the Library, and select **Copy path to clipboard** from the three-dot kebab menu.
-1. Click **Create**.
+1. On the **Normalization** tab, click **Lookup Tables**.
+1. Select the lookup table.
+1. The **Existing Lookup Table** popup appears. Following is an example.
+1. Click **Edit** to configure the lookup table. Note that most fields are read-only.
+ 1. **Path**. The path to the existing Lookup Table in the Sumo Logic Library. For example: `/Library/Admin Recommended/NormalizedHostNames`
To see the path to the [Lookup Table](/docs/search/lookup-tables/create-lookup-table) in the Sumo Logic Library, hover over the row for the table in the Library, and select **Copy path to clipboard** from the three-dot kebab menu.
+ 1. **Type**. The type of normalization:
+ * **Host ID to Normalized Hostname**. Maps unique host IDs to recognizable hostnames.
+ * **User ID to Normalized Username**. Maps unique user IDs to recognizable usernames.
+ * **Username to Normalized Username**. Maps a username in one format to a username in another format.
+ 1. **Column Name**. The name of the Lookup Table column that contains the primary key for the table.
+ 1. **Sub Column Name**. The name of the Lookup Table column that contains the value you want to substitute for the lookup column.
+ 1. **Source Category**. (Optional) If you enter a source category, the lookup substitution will only be applied to Records that are tagged with that source category.
+ 1. Click **Save**.
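Review bot: The new steps begin with "Select the lookup table", which assumes the table is already listed on the **Lookup Tables** tab, but the removed steps (**Create**, then **Table Path**) were the only ones that pointed Cloud SIEM at a table in the Library. The context line above the steps still says you configure the table after creating it in the Library, so add a step explaining how a newly created table gets onto this list, or state that it appears there automatically. "Note that most fields are read-only" should also name the fields that can be edited, since the sub-steps that follow describe every field in the same way.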
diff --git a/docs/cse/records-signals-entities-insights/create-an-entity-group.md b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
index e3144102eb..bdcbcad1b9 100644
--- a/docs/cse/records-signals-entities-insights/create-an-entity-group.md
+++ b/docs/cse/records-signals-entities-insights/create-an-entity-group.md
@@ -47,12 +47,12 @@ It’s possible to define Entity Groups that overlap, in terms of the Entities t
Follow these instructions to create an Entity Group based on Entity name or whether the Entity is within a specified range of IP addresses.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Groups**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**.
-1. On the **Entity Groups** page, click **Create**.
-1. The **Create Entity Group** popup appears. (In the screenshot below, values are already entered.)
+1. On the **Entity Groups** page, click **+ Add Entity Group**.
+1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.)
1. **Name**. Enter a name for the Entity Group.
1. **Description**. (Optional.)
-1. **Group Entities matching the following**. Select **Values**.
-1. **Entity Type**. Select one of the following Entity types:
+1. **Configuration Type**. Select **Values**.
+1. **Entity Types**. Select one of the following Entity types:
* **IP Address**
* **MAC Address**
* **Username**
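Review bot: The added step still says "On the **Entity Groups** page", while the other procedures in this patch were changed from "page" to "tab"; confirm which applies here and make it consistent, including the second hunk in this file. The renamed label "**Entity Types**" is plural but the instruction remains "Select one of the following Entity types"; if the field accepts several values, say so, otherwise check the label against the UI.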
@@ -82,11 +82,11 @@ Follow these instructions to create an Entity Group based on Entity name or whet
Follow these instructions to create an Entity Group that corresponds to a group in an inventory service in your infrastructure.
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Groups**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Groups**. You can also click the **Go To...** menu at the top of the screen and select **Groups**.
-1. On the **Entity Groups** page, click **Create**.
-1. The **Create Entity Group** popup appears. (In the screenshot below, values are already entered.)
+1. On the **Entity Groups** page, click **+ Add Entity Group**.
+1. The **Add Entity Group** popup appears. (In the screenshot below, values are already entered.)
1. **Name**. Enter a name for the Entity Group.
1. **Description**. (Optional.)
-1. **Group Entities matching the following**. Select **Inventory**.
+1. **Configuration Type**. Select **Inventory**.
1. **Inventory Type**. Select one of:
* Computer
* User
diff --git a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
index 0f442af310..0378b03d51 100644
--- a/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
+++ b/docs/cse/records-signals-entities-insights/create-custom-entity-type.md
@@ -22,12 +22,12 @@ Just as for Entities of built-in types listed above—IP addresses, MAC addresse
To create a custom Entity type:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Custom Types**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Custom Types**. You can also click the **Go To...** menu at the top of the screen and select **Custom Types**.
-1. Click **Create** on the **Custom Entity Types** page.
-2. The **Create Custom Entity Type** popup appears.
+1. On the **Custom Entity Types** tab click **+ Add Custom Type**.
+2. The **Add Custom Entity Type** popup appears.
3. **Name**. Enter a meaningful name for the custom Entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the **Name** of the custom Entity type on the **Custom Entity Type** page.
4. **Identifier**. Enter a unique identifier for the custom Entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the Entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
:::note
The Entity type Identifier cannot be changed once you’ve saved it.
:::
5. **Fields**. Use the dropdown list to select the schema attribute or attributes you want to associate with the custom Entity type.
-6. Click **Create**.
+6. Click **Save**.
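Review bot: The added step "On the **Custom Entity Types** tab click **+ Add Custom Type**" needs a comma after "tab", and step 3 in the unchanged context still refers to "the **Custom Entity Type** page" (singular, and "page"), which no longer matches. Update step 3 in the same change. The button is "**+ Add Custom Type**" while the popup is "**Add Custom Entity Type**"; confirm both labels against the UI.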
diff --git a/docs/cse/records-signals-entities-insights/entity-criticality.md b/docs/cse/records-signals-entities-insights/entity-criticality.md
index bb7a356ef5..337edfc3ba 100644
--- a/docs/cse/records-signals-entities-insights/entity-criticality.md
+++ b/docs/cse/records-signals-entities-insights/entity-criticality.md
@@ -31,11 +31,11 @@ You can configure both the detection window and the threshold Activity Score for
## Define a Criticality
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Criticality**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Criticality**. You can also click the **Go To...** menu at the top of the screen and select **Criticality**.
-1. On the **Entity Criticality** page, click **Create**.
-1. The **Create Entity Criticality** popup appears.
+1. On the **Criticality** tab, click **+ Add Criticality**.
+1. The **Add Criticality** popup appears.
2. **Name**. Enter a name.
3. **Severity Expression**. Enter a formula for adjusting a severity value. You can use a plus sign (+), minus sign (-), an asterisk (\*), or a forward slash (/). Enter the formula in this format: `severity+2 `
-4. Click **Create** to save the Criticality.
+4. Click **Save** to save the Criticality.
## Assign a Criticality to an Entity
diff --git a/docs/cse/rules/before-writing-custom-rule.md b/docs/cse/rules/before-writing-custom-rule.md
index ae84b1d7b0..ac72fe56fa 100644
--- a/docs/cse/rules/before-writing-custom-rule.md
+++ b/docs/cse/rules/before-writing-custom-rule.md
@@ -41,7 +41,7 @@ Let’s say you’re going to write a rule that fires every time a successful Wi
To find and review a log mapping:
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu click **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. You can use the filter area at the top of the **Log Mappings** page to search for a mapping by various options. The screenshot below shows the results when we enter the filter `Name matches wildcard pattern *4624`. A mapping matches. For the mapping, you can see how many times it’s been used in the last 24 hrs and also over the last 7 days. Select the mapping.
+1. You can use the filter area at the top of the **Log Mappings** tab to search for a mapping by various options. The screenshot below shows the results when we enter the filter `Name matches wildcard pattern *4624`. A mapping matches. For the mapping, you can see how many times it’s been used in the last 24 hrs and also over the last 7 days. Select the mapping.
1. Once you’ve opened the mapping, you’ll see the top of the page shows the Vendor, Product, and Event ID that is written to the Records produced by the mapping.
1. The **Fields** section of the page shows how raw message fields are mapped to Cloud SIEM schema attributes. In this mapping, `EventData.LogonProcessName` is mapped to `application`, `EventData.WorkstationName` is mapped to `device_hostname`, and so on.
diff --git a/docs/cse/schema/create-structured-log-mapping.md b/docs/cse/schema/create-structured-log-mapping.md
index c918bcc6d9..597f8af11b 100644
--- a/docs/cse/schema/create-structured-log-mapping.md
+++ b/docs/cse/schema/create-structured-log-mapping.md
@@ -22,9 +22,9 @@ When you set up a log mapping, you supply the following information:
## Step 1: Choose mapping type and name the mapping
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.
-1. Click **Create** in the upper right side of the **Log Mappings** page.
-1. Click the **Structured Mapping** tile on the **Create a Mapping** page.
-1. On the **New Mapping** page, enter a name for the mapping.
+1. Click **+ Add Log Mapping** in the upper right side of the **Log Mappings** tab.
+1. Click the **Structured Mapping** tile on the **Create a Mapping** page.
+1. On the **New Mapping** page, enter a name for the mapping.
## Step 2: Enter “If Input Matches” values
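Review bot: The first step now clicks "**+ Add Log Mapping**", but the next two steps still refer to the "**Create a Mapping**" page and the "**New Mapping**" page, and their -/+ pairs show no visible text change. Confirm those titles are still current in the updated UI; if the only difference is whitespace, consider leaving those lines out to keep the diff focused.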
@@ -71,7 +71,7 @@ You can use a constant mapping to map a constant encountered in a message to a C
Given the example constant mapping below, if the key value “true” is encountered in an incoming message, that value is mapped to the success schema attribute.
-
+
To configure a constant mapping:
@@ -88,7 +88,7 @@ You can use an extracted mapping to map a field that was extracted from a log me
Given the following example mapping, if the extracted field `serial` is encountered in a message, its value is mapped to the `resource` schema attribute.
-
+
To configure a extracted mapping:
@@ -109,7 +109,7 @@ The example mapping below creates a string by combining the values of the `first
the mapping combines the values of the ` firstName` and the `lastName` message fields, separated by a space. The resulting value, "John Doe", is mapped to the `user_username` attribute.
-
+
To define a format mapping:
@@ -127,13 +127,13 @@ You can use a joined mapping to join multiple values together and map them to a
In the screenshot below, we're configuring a mapping that joins the value of the `actor.firstname` and `actor.lastname` fields and maps the result to the `user_username` attribute. For example, if the value of `actor.firstname` is "zaya", and the value of `actor.lastname` is "hedad", this mapping would result in "zayahedad" being written to the `user_username` attribute.
-
+
1. **Input Fields**. Enter the names of input fields. These are the fields from incoming messages whose values you want to join.
-1. **Delimiter.** Enter the character that delimits the segments of the input fields.
+1. **Input Field Delimiter.** Enter the character that delimits the segments of the input fields.
1. **Show optional fields**. Expand this section if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
- 1. **Alternate input fields**. Enter one or more fields, separated by spaces. If any of the input fields you entered above do not exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
- 1. **Default value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
+ 1. **Alternate Input Fields**. Enter one or more fields, separated by spaces. If any of the input fields you entered above do not exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
+ 1. **Default Value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
### lookup mapping
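Review bot: In "**Input Field Delimiter.**" the period is inside the bold markup, unlike "**Input Fields**." and "**Output Field**." in the same list; move it outside. The step text "the character that delimits the segments of the input fields" is also unclear next to the example above it, where "zaya" and "hedad" produce "zayahedad" with no separator; state whether the delimiter is inserted between the joined values. Both optional-field descriptions keep "neither the input field or any alternative fields"; change "or" to "nor" while these lines are being edited.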
@@ -198,19 +198,18 @@ To map a single input field:
1. Select standard from the **Create a new … mapping field?** pull-down.
1. **Input Field**. Enter the name of an input field. This is the field from incoming messages whose value you want to write to the Cloud SIEM attribute you’ll specify later in this procedure.
1. **Show optional fields**. Expand this section if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
-
- 1. **Alternate input fields**. Enter one or more fields, separated by spaces. If the Input Field you entered above doesn’t exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
- 1. **Default value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
+ 1. **Alternate Input Fields**. Enter one or more fields, separated by spaces. If the Input Field you entered above doesn’t exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
+ 1. **Default Value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.
**Example standard mapping: multiple input fields**
-This example mapping combines the values of `fielda` and `fieldb`, separated by a period delimiter, and maps the result to the `user_username` attribute.
+This example mapping combines the values of `firstname` and `lastname`, separated by a period delimiter, and maps the result to the `user_username` attribute.
-We defined two alternative fields, `fieldc` and `fieldd`. If `fielda`and `fieldb` are not found in a message or are null, the values of `fieldc` and `fieldd` are used instead to form the value to be mapped to the `user_username` attribute.
+We defined two alternative fields, `first` and `last`. If `firstname`and `lastname` are not found in a message or are null, the values of `first` and `last` are used instead to form the value to be mapped to the `user_username` attribute.
-We also defined a default value: if `fieldc` and `fieldd` are not found in a message or are null, the default value “john.doe” is mapped to the `user_username` attribute.
+We also defined a default value: if `first` and `last` are not found in a message or are null, the default value “john.doe” is mapped to the `user_username` attribute.
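Review bot: The added line "If `firstname`and `lastname` are not found" is missing a space before "and". The labels in this hunk become "**Alternate Input Fields**" and "**Default Value**", but the multiple-input procedure in the next hunk still shows "**Alternate input fields**" in its context; update it so both procedures use the same label.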
@@ -218,7 +217,7 @@ To map multiple input fields:
1. Select **standard** from the **Create a new … mapping field?** pull-down.
1. **Add more fields**. Expand this section.
-1. **Input Fields**. Enter the names of the input fields to be combined, separated by spaces.
+1. **Input Fields**. Enter the names of the input fields to be combined, separated by spaces.
1. **Input Field Delimiter**. Enter the character to use as the delimiter between the input field values.
1. **Show optional fields**. Click this if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
1. **Alternate input fields**. Enter one or more fields, separated by spaces. If any of the Input Fields you entered above don’t exist in a message, or are null, the values of the alternative fields you enter will be combined and mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
@@ -234,7 +233,7 @@ You can use a time mapping to map a formatted time value to the timestamp schema
This example mapping maps the TimeCreated.SystemTime input field to the timestamp attribute.
-
+
To create a time mapping:
diff --git a/docs/cse/schema/username-and-hostname-normalization.md b/docs/cse/schema/username-and-hostname-normalization.md
index f33a786e1c..a1b0872658 100644
--- a/docs/cse/schema/username-and-hostname-normalization.md
+++ b/docs/cse/schema/username-and-hostname-normalization.md
@@ -67,7 +67,7 @@ If no name normalization configuration exists, the name attribute will consist o
Following is an example configuration:
-
+
### Warnings and issues
diff --git a/docs/cse/sensors/ingest-zeek-logs.md b/docs/cse/sensors/ingest-zeek-logs.md
index 5cbda5b9e9..34bbcaea90 100644
--- a/docs/cse/sensors/ingest-zeek-logs.md
+++ b/docs/cse/sensors/ingest-zeek-logs.md
@@ -43,14 +43,14 @@ With this method, you use Corelight’s [json-streaming-logs](https://github.com
After installing the `json-streaming-logs` package, follow these instructions to set up the Sumo Logic mapping.
-1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic** .
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
-1. On the **Sumo Logic Ingest Mappings** page, click **Create**.
-1. On the **Create Sumo Logic Mapping** page:
+1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.
+1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.
+1. On the **Add Ingest Mapping** tab:
1. **Source Category**. Enter the Source Category value you assigned to the Source you configured above in [Configure a Sumo Logic Source](#configure-a-sumo-logic-source).
1. **Format**. Choose **Bro/Zeek JSON**.
1. **Event ID**. Enter `{_path}`.
1. **Enabled**. Use the slider to enable the mapping if you’re ready to receive Zeek logs.
- 1. Click **Create**.
+ 1. Click **Create**.
### Use FERs
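Review bot: in step 1 the Classic UI path still ends at **Sumo Logic**, while the rewritten steps 2 and 3 name the **Ingest Mappings** tab and the **Add Ingest Mapping** tab for both UIs. Confirm that Classic UI users land on a tab with that name, or state which label applies to which UI. The last sub-step still reads Click **Create** although the dialog is now opened with **+ Add Ingest Mapping**, so check that the button was not renamed too. The button label is also written with a space here but as **+Add Tag Schema** in create-a-custom-tag-schema.md in the same change; pick one form.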
diff --git a/docs/platform-services/automation-service/about-automation-service.md b/docs/platform-services/automation-service/about-automation-service.md
index 0572e461b2..7adc414f58 100644
--- a/docs/platform-services/automation-service/about-automation-service.md
+++ b/docs/platform-services/automation-service/about-automation-service.md
@@ -58,7 +58,7 @@ Before you can access the Automation Service, you must first [configure role cap
### From Cloud SIEM
1. [**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the Cloud SIEM top menu select **Configuration**, and then under **Integrations** select **Automation**.
[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Automation**. You can also click the **Go To...** menu at the top of the screen and select **Automation**.
The list of available automations appears. Each automation runs a playbook.
-1. At the top of the screen, click **Manage Playbooks**.
+1. At the top of the screen, click **Manage Playbooks**.
1. The Automation Service screen opens on the **Playbook** tab.
## Prerequisites
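Review bot: the list item after the changed **Manage Playbooks** step, "The Automation Service screen opens on the **Playbook** tab.", is numbered as a step although it describes a result, whereas the earlier result line "The list of available automations appears." is left unnumbered. Since this list is being touched anyway, fold the result into the **Manage Playbooks** step as an indented continuation so the numbered items are all actions.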
diff --git a/static/img/cse/Configuration.png b/static/img/cse/Configuration.png
index 783131d1dc..0b823c0995 100644
Binary files a/static/img/cse/Configuration.png and b/static/img/cse/Configuration.png differ
diff --git a/static/img/cse/Example_UI.png b/static/img/cse/Example_UI.png
index 1fb77c48ee..3bf6258c36 100644
Binary files a/static/img/cse/Example_UI.png and b/static/img/cse/Example_UI.png differ
diff --git a/static/img/cse/action-icon-entity.png b/static/img/cse/action-icon-entity.png
index da917c99ca..e7cdb7894d 100644
Binary files a/static/img/cse/action-icon-entity.png and b/static/img/cse/action-icon-entity.png differ
diff --git a/static/img/cse/auth0-reocrd-volume.png b/static/img/cse/auth0-reocrd-volume.png
index 9e4615ddaa..53b9a6b0e3 100644
Binary files a/static/img/cse/auth0-reocrd-volume.png and b/static/img/cse/auth0-reocrd-volume.png differ
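Review bot: the file name `auth0-reocrd-volume.png` carries a typo ("reocrd" for "record"), and this change replaces the image content while keeping the misspelled path. If the asset is being regenerated anyway, consider renaming it to `auth0-record-volume.png` and updating every Markdown reference in the same commit so no link breaks.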
diff --git a/static/img/cse/automations-automations-list.png b/static/img/cse/automations-automations-list.png
index 3b3887b073..54f770c473 100644
Binary files a/static/img/cse/automations-automations-list.png and b/static/img/cse/automations-automations-list.png differ
diff --git a/static/img/cse/automations-manage-playbooks.png b/static/img/cse/automations-manage-playbooks.png
index fad8e501f5..34c93164e4 100644
Binary files a/static/img/cse/automations-manage-playbooks.png and b/static/img/cse/automations-manage-playbooks.png differ
diff --git a/static/img/cse/automations-new.png b/static/img/cse/automations-new.png
index 808ddfbb63..ab683973f2 100644
Binary files a/static/img/cse/automations-new.png and b/static/img/cse/automations-new.png differ
diff --git a/static/img/cse/built-in-tags.png b/static/img/cse/built-in-tags.png
index 9e225f2fd7..eb3451f03f 100644
Binary files a/static/img/cse/built-in-tags.png and b/static/img/cse/built-in-tags.png differ
diff --git a/static/img/cse/configured-action.png b/static/img/cse/configured-action.png
index d275b11ba6..a098d47e01 100644
Binary files a/static/img/cse/configured-action.png and b/static/img/cse/configured-action.png differ
diff --git a/static/img/cse/constant.png b/static/img/cse/constant.png
index 28c6ddd0f1..2aa1040f91 100644
Binary files a/static/img/cse/constant.png and b/static/img/cse/constant.png differ
diff --git a/static/img/cse/context-action-icon.png b/static/img/cse/context-action-icon.png
new file mode 100644
index 0000000000..c5efeeb4f5
Binary files /dev/null and b/static/img/cse/context-action-icon.png differ
diff --git a/static/img/cse/corelight-edit-mapping.png b/static/img/cse/corelight-edit-mapping.png
index d1f5710d85..fd61ae3847 100644
Binary files a/static/img/cse/corelight-edit-mapping.png and b/static/img/cse/corelight-edit-mapping.png differ
diff --git a/static/img/cse/corelight-record-volume.png b/static/img/cse/corelight-record-volume.png
index e5eda572d7..47f0fd74f5 100644
Binary files a/static/img/cse/corelight-record-volume.png and b/static/img/cse/corelight-record-volume.png differ
diff --git a/static/img/cse/create-action-empty.png b/static/img/cse/create-action-empty.png
index 9ce2fc7aed..fe73a654dd 100644
Binary files a/static/img/cse/create-action-empty.png and b/static/img/cse/create-action-empty.png differ
diff --git a/static/img/cse/create-custom-entity-type.png b/static/img/cse/create-custom-entity-type.png
index efbef08e15..6ad9414cd7 100644
Binary files a/static/img/cse/create-custom-entity-type.png and b/static/img/cse/create-custom-entity-type.png differ
diff --git a/static/img/cse/create-entity-group-inventory.png b/static/img/cse/create-entity-group-inventory.png
index 2c6731b4d7..a1938f7f11 100644
Binary files a/static/img/cse/create-entity-group-inventory.png and b/static/img/cse/create-entity-group-inventory.png differ
diff --git a/static/img/cse/create-entity-group-values.png b/static/img/cse/create-entity-group-values.png
index 9f529f0abf..95dbf4f90e 100644
Binary files a/static/img/cse/create-entity-group-values.png and b/static/img/cse/create-entity-group-values.png differ
diff --git a/static/img/cse/create-insight-resolution.png b/static/img/cse/create-insight-resolution.png
index 39d864110e..46a6ad20b2 100644
Binary files a/static/img/cse/create-insight-resolution.png and b/static/img/cse/create-insight-resolution.png differ
diff --git a/static/img/cse/create-mapping-1.png b/static/img/cse/create-mapping-1.png
index 702b42e192..67c0d151c8 100644
Binary files a/static/img/cse/create-mapping-1.png and b/static/img/cse/create-mapping-1.png differ
diff --git a/static/img/cse/create-mapping-2.png b/static/img/cse/create-mapping-2.png
index 6960833867..7e64bcf5d0 100644
Binary files a/static/img/cse/create-mapping-2.png and b/static/img/cse/create-mapping-2.png differ
diff --git a/static/img/cse/create-mapping-3.png b/static/img/cse/create-mapping-3.png
index 80c8115a95..3593af3101 100644
Binary files a/static/img/cse/create-mapping-3.png and b/static/img/cse/create-mapping-3.png differ
diff --git a/static/img/cse/create-mapping-4.png b/static/img/cse/create-mapping-4.png
index 5c7d6c8231..f92f60afad 100644
Binary files a/static/img/cse/create-mapping-4.png and b/static/img/cse/create-mapping-4.png differ
diff --git a/static/img/cse/create-mapping.png b/static/img/cse/create-mapping.png
index ffc798cf08..2604e5c34b 100644
Binary files a/static/img/cse/create-mapping.png and b/static/img/cse/create-mapping.png differ
diff --git a/static/img/cse/criticality-popup.png b/static/img/cse/criticality-popup.png
index 19b4fb558b..290ab454a5 100644
Binary files a/static/img/cse/criticality-popup.png and b/static/img/cse/criticality-popup.png differ
diff --git a/static/img/cse/detection-threshold-popup.png b/static/img/cse/detection-threshold-popup.png
index 6591d3b34f..05c6d2a593 100644
Binary files a/static/img/cse/detection-threshold-popup.png and b/static/img/cse/detection-threshold-popup.png differ
diff --git a/static/img/cse/enrichment-page.png b/static/img/cse/enrichment-page.png
index ad09477137..62499e7165 100644
Binary files a/static/img/cse/enrichment-page.png and b/static/img/cse/enrichment-page.png differ
diff --git a/static/img/cse/existing-lookup-table.png b/static/img/cse/existing-lookup-table.png
index c6be30d0e8..474ee6f5e4 100644
Binary files a/static/img/cse/existing-lookup-table.png and b/static/img/cse/existing-lookup-table.png differ
diff --git a/static/img/cse/extracted-fields-json.png b/static/img/cse/extracted-fields-json.png
index 8ceb7ea8f3..625f8f7b4b 100644
Binary files a/static/img/cse/extracted-fields-json.png and b/static/img/cse/extracted-fields-json.png differ
diff --git a/static/img/cse/extracted-mapping-example.png b/static/img/cse/extracted-mapping-example.png
index eda5316ca4..e3e0d2dc73 100644
Binary files a/static/img/cse/extracted-mapping-example.png and b/static/img/cse/extracted-mapping-example.png differ
diff --git a/static/img/cse/format-mapping-example.png b/static/img/cse/format-mapping-example.png
index cffe19b096..1d359f3e68 100644
Binary files a/static/img/cse/format-mapping-example.png and b/static/img/cse/format-mapping-example.png differ
diff --git a/static/img/cse/ingest-mappings.png b/static/img/cse/ingest-mappings.png
index 706b553b72..523d5f41e6 100644
Binary files a/static/img/cse/ingest-mappings.png and b/static/img/cse/ingest-mappings.png differ
diff --git a/static/img/cse/joined-mapping.png b/static/img/cse/joined-mapping.png
index 0f742f0459..26bcf1de82 100644
Binary files a/static/img/cse/joined-mapping.png and b/static/img/cse/joined-mapping.png differ
diff --git a/static/img/cse/log-mapping-filters.png b/static/img/cse/log-mapping-filters.png
index 465ff7c569..c63c47bfaf 100644
Binary files a/static/img/cse/log-mapping-filters.png and b/static/img/cse/log-mapping-filters.png differ
diff --git a/static/img/cse/log-mappings-page.png b/static/img/cse/log-mappings-page.png
index 21c477bd8b..d583ead1a9 100644
Binary files a/static/img/cse/log-mappings-page.png and b/static/img/cse/log-mappings-page.png differ
diff --git a/static/img/cse/log-mappings.png b/static/img/cse/log-mappings.png
index ff0caef016..51928ac644 100644
Binary files a/static/img/cse/log-mappings.png and b/static/img/cse/log-mappings.png differ
diff --git a/static/img/cse/lookup-mapping-filled-out.png b/static/img/cse/lookup-mapping-filled-out.png
index b9a74ea022..2060274c45 100644
Binary files a/static/img/cse/lookup-mapping-filled-out.png and b/static/img/cse/lookup-mapping-filled-out.png differ
diff --git a/static/img/cse/mapping.png b/static/img/cse/mapping.png
index 91d935bbd0..58bed93b5a 100644
Binary files a/static/img/cse/mapping.png and b/static/img/cse/mapping.png differ
diff --git a/static/img/cse/matching-mappings.png b/static/img/cse/matching-mappings.png
index b2c72d5254..1a064b257d 100644
Binary files a/static/img/cse/matching-mappings.png and b/static/img/cse/matching-mappings.png differ
diff --git a/static/img/cse/new-mapping-page.png b/static/img/cse/new-mapping-page.png
index e035597063..e098007c10 100644
Binary files a/static/img/cse/new-mapping-page.png and b/static/img/cse/new-mapping-page.png differ
diff --git a/static/img/cse/proofpoint-log-mappers.png b/static/img/cse/proofpoint-log-mappers.png
index 1df45e1f02..ec9f450d32 100644
Binary files a/static/img/cse/proofpoint-log-mappers.png and b/static/img/cse/proofpoint-log-mappers.png differ
diff --git a/static/img/cse/reorder-icons.png b/static/img/cse/reorder-icons.png
index ee62c97f15..399488a61a 100644
Binary files a/static/img/cse/reorder-icons.png and b/static/img/cse/reorder-icons.png differ
diff --git a/static/img/cse/select-mapping-type.png b/static/img/cse/select-mapping-type.png
index 7fa4087197..b3a885c2c8 100644
Binary files a/static/img/cse/select-mapping-type.png and b/static/img/cse/select-mapping-type.png differ
diff --git a/static/img/cse/signal-sciences-record-volume.png b/static/img/cse/signal-sciences-record-volume.png
index fdb01a4bcd..9be313f716 100644
Binary files a/static/img/cse/signal-sciences-record-volume.png and b/static/img/cse/signal-sciences-record-volume.png differ
diff --git a/static/img/cse/split-mapping-filled-out.png b/static/img/cse/split-mapping-filled-out.png
index 182388cf68..6ad08bc6ab 100644
Binary files a/static/img/cse/split-mapping-filled-out.png and b/static/img/cse/split-mapping-filled-out.png differ
diff --git a/static/img/cse/standard-mapping-multiple-fields.png b/static/img/cse/standard-mapping-multiple-fields.png
index 540b1d4812..146587d743 100644
Binary files a/static/img/cse/standard-mapping-multiple-fields.png and b/static/img/cse/standard-mapping-multiple-fields.png differ
diff --git a/static/img/cse/standard-mapping-single-input.png b/static/img/cse/standard-mapping-single-input.png
index 52361904a3..2776e35fe6 100644
Binary files a/static/img/cse/standard-mapping-single-input.png and b/static/img/cse/standard-mapping-single-input.png differ
diff --git a/static/img/cse/syslog-delimiters.png b/static/img/cse/syslog-delimiters.png
index 49366db45f..f423b9f299 100644
Binary files a/static/img/cse/syslog-delimiters.png and b/static/img/cse/syslog-delimiters.png differ
diff --git a/static/img/cse/tag-schema-empty.png b/static/img/cse/tag-schema-empty.png
index 6a4e100630..97d25a553c 100644
Binary files a/static/img/cse/tag-schema-empty.png and b/static/img/cse/tag-schema-empty.png differ
diff --git a/static/img/cse/time-mapping-filled-out.png b/static/img/cse/time-mapping-filled-out.png
index 7697a3756c..1e244ff0f5 100644
Binary files a/static/img/cse/time-mapping-filled-out.png and b/static/img/cse/time-mapping-filled-out.png differ
diff --git a/static/img/cse/windows.png b/static/img/cse/windows.png
index 4a2f8d6b0f..c887f32c92 100644
Binary files a/static/img/cse/windows.png and b/static/img/cse/windows.png differ
diff --git a/static/img/cse/winlogbeats.png b/static/img/cse/winlogbeats.png
index 7089e4bcf2..67bbf5b63f 100644
Binary files a/static/img/cse/winlogbeats.png and b/static/img/cse/winlogbeats.png differ
diff --git a/static/img/cse/workflow-page.png b/static/img/cse/workflow-page.png
index 9898de2f9b..d9c19c9839 100644
Binary files a/static/img/cse/workflow-page.png and b/static/img/cse/workflow-page.png differ