diff --git a/docs/cse/administration/create-a-custom-tag-schema.md b/docs/cse/administration/create-a-custom-tag-schema.md
index 2fa1c48f19..de5b7db6a0 100644
--- a/docs/cse/administration/create-a-custom-tag-schema.md
+++ b/docs/cse/administration/create-a-custom-tag-schema.md
@@ -11,7 +11,7 @@ This topic has instructions for creating a custom tag schema in Cloud SIEM.
## About tags in Cloud SIEM
-Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: *keyword tags*, which are arbitrary, freeform strings; and *schema keys*, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.
+Tags are metadata you can attach to insights, signals, entities, and rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: *keyword tags*, which are arbitrary, freeform strings; and *schema keys*, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo Logic label, as shown in the example below. You can’t edit the built-in schemas.
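Review bot: the typo "built-in schemas keys" survives in the rewritten line; it should read "built-in schema keys" to match the term *schema keys* that the same sentence defines two clauses earlier. Since the line is already being touched for the Sumo Logic label change, fix the plural here rather than in a follow-up.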
@@ -30,7 +30,7 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
available for. You can select one or more of the following:
* **Custom Insight**
* **Rule**
- * **Entity** The options do not include **Signal** or **Insight**. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
+ * **Entity** The options do not include **Signal** or **Insight**. Signals and insights inherit tag values from the rule(s) or custom insight definition that triggered the signal or insight and involved entities.
1. **Allow Custom Values**. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the **Value Options** section below.
1. If **Allow Custom Values** is not checked, you must define at least one value for the tag:
* **Enter Value**. Enter an allowable value for the tag.
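Review bot: the **Entity** bullet still runs straight into the explanatory note ("* **Entity** The options do not include **Signal** or **Insight**..."), so that sentence renders as part of the third list item instead of as a note below the list; end the bullet after **Entity** and move the sentence to its own paragraph. Also note that the bold list item keeps **Custom Insight** capitalized while the rewritten sentence lowercases it as "custom insight definition"; if the bold form is meant to be the UI label and the plain form the generic term, that is fine, but it should be a deliberate choice since both appear in the same hunk.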
diff --git a/docs/cse/administration/create-cse-actions.md b/docs/cse/administration/create-cse-actions.md
index 77db22c827..fc2725b868 100644
--- a/docs/cse/administration/create-cse-actions.md
+++ b/docs/cse/administration/create-cse-actions.md
@@ -2,20 +2,20 @@
id: create-cse-actions
title: Create Cloud SIEM Actions
sidebar_label: Create Cloud SIEM Actions
-description: You can use Cloud SIEM Actions to issue notifications to another service when certain events occur in Cloud SIEM.
+description: You can use Cloud SIEM actions to issue notifications to another service when certain events occur in Cloud SIEM.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic has instructions for configuring Cloud SIEM Actions.
+This topic has instructions for configuring Cloud SIEM actions.
:::warning
-In the future, Cloud SIEM Actions will be deprecated because comparable behavior is available in the Automation Service. Although Cloud SIEM Actions are still supported, we recommend you use the Automation Service to perform actions. For more information, see [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
+In the future, Cloud SIEM actions will be deprecated because comparable behavior is available in the Automation Service. Although Cloud SIEM actions are still supported, we recommend you use the Automation Service to perform actions. For more information, see [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
:::
-## About Cloud SIEM Actions
+## About Cloud SIEM actions
-You can use Cloud SIEM Actions to issue a notification to another service when certain events occur in Cloud SIEM. The supported Action types are:
+You can use Cloud SIEM actions to issue a notification to another service when certain events occur in Cloud SIEM. The supported action types are:
* AWS Simple Notification Service (SNS)
* Demisto (Cortex XSOAR)
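Review bot: the rewritten link text "[Insight actions](#insight-actions)" and "[Rule actions](#rule-actions)" refer to headings that are not in this diff; confirm those two headings were lowercased in the same way so the link text and heading text match. The `#insight-actions` and `#rule-actions` slugs are case-insensitive and will not break either way, but the visible text should agree with the headings it points to.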
@@ -25,11 +25,11 @@ You can use Cloud SIEM Actions to issue a notification to another service when c
* PagerDuty
* Recorded Future
* Slack
-* Slack Webhook
+* Slack webhook
-An Action can be configured for Insight-related activity as described below in [Insight Actions](#insight-actions). You can also configure an Action to be run when a rule is automatically disabled, as described below in [Rule Actions](#rule-actions).
+An action can be configured for insight-related activity as described below in [Insight actions](#insight-actions). You can also configure an action to be run when a rule is automatically disabled, as described below in [Rule actions](#rule-actions).
-Watch this micro lesson to learn how to configure an Action.
+Watch this micro lesson to learn how to configure an action.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Actions**. You can also click the **Go To...** menu at the top of the screen and select **Actions**.
1. On the **Actions** tab, click **+ Add Action**.
-1. The **Add Action** popup appears.
-1. **Name**. Enter a name that communicates what the Action does.
-1. **Action Type**. Choose one of the following options, and follow the instructions for that Action type to complete creating your Action.
+1. The **Add Action** popup appears.
+1. **Name**. Enter a name that communicates what the action does.
+1. **Action Type**. Choose one of the following options, and follow the instructions for that action type to complete creating your action.
* [AWS Simple Notification Service](#aws-simple-notification-service-sns)
* [Demisto](#demistocortex-xsoar)
* [Email](#email)
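Review bot: the list item is lowercased to "Slack webhook" here, but the unchanged link text "[Slack Webhook](#slack-webhook)" in the next hunk keeps the old capitalization, so the two lists of action types in this file now disagree; update the link text in the same commit. Separately, the removed and re-added line "The **Add Action** popup appears." is identical as rendered, which suggests a whitespace-only change; fine if intentional, but worth a glance to confirm nothing else changed on that line.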
@@ -87,7 +87,7 @@ The notification sent by a Rule Action contains the name of the rule and the re
* [Slack](#slack)
* [Slack Webhook](#slack-webhook)
1. **Notifications**.
- * **Insight**. Click **When Created** to automatically generate a notification when any Insight is created, **When Closed** to automatically generate a notification when any Insight is closed, or **On Demand** to add the Action as an option in the **Actions** menu on the Insight details page.
+ * **Insight**. Click **When Created** to automatically generate a notification when any insight is created, **When Closed** to automatically generate a notification when any insight is closed, or **On Demand** to add the Action as an option in the **Actions** menu on the insight details page.
* **Sensor**. Click **When Offline** to to automatically generate notifications when any sensor goes offline.
* **Rule**. Click **When Automatically Disabled** to generate a notification when Cloud SIEM disables a rule.
1. **Active**. Move the slider to the right if you’d like the Action to be enabled upon creation.
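Review bot: the rewritten **Insight** line still says "add the Action as an option", leaving one capitalized "Action" in a sentence that was otherwise lowercased, and the unchanged **Active** step right below it has the same "if you'd like the Action to be enabled"; lowercase both so this hunk is consistent with the rest of the change. The **Sensor** context line also contains the duplicated "to to automatically", which is cheap to fix while you are here.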
@@ -96,7 +96,7 @@ Continue filling out the dialog box depending on the type of action you are crea
### AWS Simple Notification Service (SNS)
-When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to the AWS Simple Notification Service (SNS).
+When you run this action type for an insight, Cloud SIEM sends the full insight in JSON format to the AWS Simple Notification Service (SNS).
You can configure the action to authenticate with SNS using your AWS Access Key and Secret Access Key, or using the **AssumeRole** method.
@@ -109,36 +109,36 @@ You can configure the action to authenticate with SNS using your AWS Access Key
### Demisto (Cortex XSOAR)
-When you run this Action type for an Insight, Cloud SIEM sends the full Insight in JSON format to Demisto.
+When you run this action type for an insight, Cloud SIEM sends the full insight in JSON format to Demisto.
1. **API Key**. Enter your Demisto API Key.
1. **URL**. Enter the URL of your Demisto API endpoint.
1. **Client Certificate**. Upload your client certificate for accessing the Demisto API endpoint.
1. **Create Incident API Endpoint**. Select `/incident/json`.
1. **Extra Headers**. Enter any additional headers you want to send, as line-delimited key:value pairs.
-1. **Exclude Records**. Move the slider to the right if you don’t want to include Records in the notification.
+1. **Exclude Records**. Move the slider to the right if you don’t want to include records in the notification.
1. Click **Create**.
### Email
-This Action type sends an email notification.
+This action type sends an email notification.
1. **Recipients**. Enter a comma-separated list of the email addresses to send the notification to.
1. Click **Create**.
-When this Action runs on an Insight, the email notification contains:
+When this action runs on an insight, the email notification contains:
-* The Entity the Insight fired on.
-* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
-* A link to the Insight in Cloud SIEM.
+* The entity the insight fired on.
+* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the insight ID, which indicates which stage of the MITRE framework the insight relates to.
+* A link to the insight in Cloud SIEM.
### HTTP POST v2
-This Action type sends a HTTP POST notification. For an Insight Action, the notification contains the full Insight in JSON format. You can optionally configure the Action to send the Signals and Records associated with the Insight as well.
+This action type sends a HTTP POST notification. For an insight action, the notification contains the full insight in JSON format. You can optionally configure the action to send the signals and records associated with the insight as well.
The output of the HTTP POST notification is the same as the JSON output from the `/insight/:id` API endpoint. For information about accessing API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).
-Once you select HTTP POST v2 in the Type field a new **Notification** option—**When Closed**—appears, as highlighted in the screenshot below. Choose this if you want to send a notification when an Insight is closed
+Once you select HTTP POST v2 in the Type field a new **Notification** option—**When Closed**—appears, as highlighted in the screenshot below. Choose this if you want to send a notification when an insight is closed
in Cloud SIEM.
1. **URL**. The URL to send the POST to.
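Review bot: "This action type sends a HTTP POST notification" should be "an HTTP POST notification", and the rewritten sentence "Once you select HTTP POST v2 in the Type field a new **Notification** option..." needs a comma after "field"; both lines are being rewritten in this hunk, so fix them here. That same sentence refers to "the Type field" while the step earlier in the file labels it **Action Type**; matching the label would make the cross-reference unambiguous.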
@@ -148,27 +148,27 @@ in Cloud SIEM.
1. **Username**. The username to use to access the URL.
1. **Password**. The password to use to access the URL.
1. **Extra Headers**. Additional HTTP headers to send with the POST.
-1. **Include Signals**. Move the slider to the right to send the Signals associated with the Insight in the POST.
-1. **Include Records**. Move the slider to the right to send the Records associated with the Signal in the POST.
-1. **Record Fields to Include**. If desired, provide a comma-delimited list of selected Record fields to include (instead of all Record fields).
+1. **Include Signals**. Move the slider to the right to send the signals associated with the insight in the POST.
+1. **Include Records**. Move the slider to the right to send the records associated with the signal in the POST.
+1. **Record Fields to Include**. If desired, provide a comma-delimited list of selected record fields to include (instead of all record fields).
1. Click **Create**.
### Microsoft Teams
-This Action type sends a Webhook notification to Microsoft Teams.
+This action type sends a webhook notification to Microsoft Teams.
-#### Configure Webhook connection in Microsoft Teams
+#### Configure webhook connection in Microsoft Teams
-Create a Webhook connection for the Microsoft Teams channel to which emails should be sent. Follow the instructions in [Create Incoming Webhooks](https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook) in Microsoft help.
+Create a webhook connection for the Microsoft Teams channel to which emails should be sent. Follow the instructions in [Create Incoming Webhooks](https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook) in Microsoft help.
-#### Configure Action in Cloud SIEM
+#### Configure action in Cloud SIEM
-1. **URL**. Enter the URL for the Webhook connection you created above.
+1. **URL**. Enter the URL for the webhook connection you created above.
1. Click **Create**.
### PagerDuty
-This Action types sends a notification to PagerDuty.
+This action types sends a notification to PagerDuty.
1. **Service Key**. Enter your PagerDuty service key.
1. **Subdomain**. Enter your PagerDuty account subdomain.
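Review bot: "This action types sends a notification to PagerDuty" keeps the original grammar error; it should be "This action type sends". In the Microsoft Teams section, "the Microsoft Teams channel to which emails should be sent" contradicts the sentence immediately above it, which says this action type sends a webhook notification; "notifications should be sent" (or "insights should be sent", as the Slack webhook section in this file puts it) is the accurate wording.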
@@ -176,15 +176,15 @@ This Action types sends a notification to PagerDuty.
The notification contains:
-* The Entity the Insight fired on.
-* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
-* A link to the Insight in Cloud SIEM.
+* The entity the insight fired on.
+* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the insight ID, which indicates which stage of the MITRE framework the insight relates to.
+* A link to the insight in Cloud SIEM.
### Recorded Future
Recorded Future (RF) provides contextual Threat Intelligence through indicator lookups using a cloud-accessible API.
-The Cloud SIEM Recorded Future Action runs lookups on Record fields that contain IP addresses, domains, and hashes encountered in Insights, Signals, or both, depending on how you configure the Action. The lookup result is added as an enrichment to Insights, Signals, or both.
+The Cloud SIEM Recorded Future action runs lookups on record fields that contain IP addresses, domains, and hashes encountered in insights, signals, or both, depending on how you configure the action. The lookup result is added as an enrichment to insights, signals, or both.
Lookups will consume RF API credits.
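Review bot: the unchanged context line "Recorded Future (RF) provides contextual Threat Intelligence through indicator lookups" keeps the capitalized "Threat Intelligence" that this change removes elsewhere; since it sits directly above the rewritten line, lowercase it in this hunk for consistency.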
@@ -197,40 +197,40 @@ Lookups will consume RF API credits.
1. Click **Generate**.
1. Copy and save the token.
-#### Create Action in Cloud SIEM
+#### Create action in Cloud SIEM
1. **API Key**. Enter the Recorded Future API token you generated for the Sumo Logic integration.
-1. **Enrich Insights**. Move the slider to the right to enrich Insights.
-1. **Enrich Signals of Insights**. Move the slider to the right to enrich Signals.
+1. **Enrich Insights**. Move the slider to the right to enrich insights.
+1. **Enrich Signals of Insights**. Move the slider to the right to enrich signals.
1. Click **Create**.
#### View Recorded Future Enrichments
-To view an Enrichment that’s been added to an Insight or Signal, navigate to the item and select the [**Enrichments**](/docs/cse/integrations/enrichments-and-indicators/#enrichments) tab.
+To view an Enrichment that’s been added to an insight or signal, navigate to the item and select the [**Enrichments**](/docs/cse/integrations/enrichments-and-indicators/#enrichments) tab.
### Slack
-This Action type sends a message to a Slack channel.
+This action type sends a message to a Slack channel.
1. **API Key**. Enter your Slack API key.
1. **Channel**. Enter the Slack Channel that messages should go to.
1. Click **Create**.
-If the Action was run on an Insight, the message contains:
+If the action was run on an insight, the message contains:
-* The Entity the Insight fired on.
-* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the Insight ID, which indicates which stage of the MITRE framework the Insight relates to.
-* A link to the Insight in Cloud SIEM.
+* The entity the insight fired on.
+* The [MITRE tactic](https://attack.mitre.org/) or tactics that form a portion of the insight ID, which indicates which stage of the MITRE framework the insight relates to.
+* A link to the insight in Cloud SIEM.
-### Slack Webhook
+### Slack webhook
-When you run this Action type on an Insight, Cloud SIEM sends the complete Insight in JSON format to a Slack channel.
+When you run this action type on an insight, Cloud SIEM sends the complete insight in JSON format to a Slack channel.
-#### Configure Webhook connection in Slack
+#### Configure webhook connection in Slack
-Create a Webhook connection for the Slack channel to which Insights should be sent. Follow the instructions in [Sending messages using Incoming Webhooks](https://api.slack.com/messaging/webhooks) in Slack help.
+Create a webhook connection for the Slack channel to which insights should be sent. Follow the instructions in [Sending messages using Incoming Webhooks](https://api.slack.com/messaging/webhooks) in Slack help.
-#### Configure Action in Cloud SIEM
+#### Configure action in Cloud SIEM
-1. **Webhook URL**. Enter the URL of the Webhook you created above.
+1. **Webhook URL**. Enter the URL of the webhook you created above.
1. Click **Create**.
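Review bot: "To view an Enrichment that's been added to an insight or signal" leaves "Enrichment" capitalized in a line this hunk rewrites; lowercase it (the bold **Enrichments** tab label can stay as a UI name). The Slack step "Enter the Slack Channel that messages should go to" has the same leftover capital on "Channel". Renaming the heading to "### Slack webhook" does not change the `#slack-webhook` slug, but the link text "[Slack Webhook](#slack-webhook)" earlier in this file still needs the same lowercasing.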
diff --git a/docs/cse/administration/create-cse-context-actions.md b/docs/cse/administration/create-cse-context-actions.md
index c94bf86c19..627f89fc22 100644
--- a/docs/cse/administration/create-cse-context-actions.md
+++ b/docs/cse/administration/create-cse-context-actions.md
@@ -2,43 +2,38 @@
id: create-cse-context-actions
title: Create Context Actions
sidebar_label: Create Context Actions
-description: Learn about Context Actions, options that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in Record.
+description: Learn about context actions, options that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic has information about Cloud SIEM Context Actions and how to create them.
+This topic has information about Cloud SIEM context actions and how to create them.
-## About Context Actions
+## About context actions
-A Context Action is an option that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record. For example, you might want to check an IP address against a threat intel service, google a username, or run a log search in Sumo Logic for a hostname.
+A context action is an option that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record. For example, you might want to check an IP address against a threat intel service, google a username, or run a log search in Sumo Logic for a hostname.
-An authorized user can configure Context Actions and assign them to particular Entity types, Record fields, or common IOC types.
-
-* **Context Actions on Entity types**. You can assign a Context Action to one or more Entity types, including custom Entity types. An action assigned to an Entity type will be available on any instance of that type in the **Entities** page, or in Insights or Signals that contain Entities of the selected type. For an example, see the screenshot in [How a user accesses Context Actions](#how-a-user-accesses-contextactions).
-
- An action you assign to an Entity type will also be available for Record fields that contain the Entity type. For example, an action assigned to the Hostname Entity type will be available for the `srcDevice_hostname`, `dstDevice_hostname`, and `device_hostname` Record fields.
-
-* **Context Actions on Record fields**. You can assign a Context Action to selected Record fields, or all Record fields. In the Cloud SIEM UI, the action will be available on the Context Action menu for selected fields.
-
-* **Context Actions on IOC Types**. You can assign a Context Action to one or more of the following IOC data types:
+An authorized user can configure context actions and assign them to particular entity types, record fields, or common IOC types.
+* **Context actions on entity types**. You can assign a context action to one or more entity types, including custom entity types. An action assigned to an entity type will be available on any instance of that type in the **Entities** page, or in insights or signals that contain entities of the selected type. For an example, see the screenshot in [How a user accesses context actions](#how-a-user-accesses-contextactions).
An action you assign to an entity type will also be available for record fields that contain the entity type. For example, an action assigned to the Hostname entity type will be available for the `srcDevice_hostname`, `dstDevice_hostname`, and `device_hostname` record fields.
+* **Context actions on record fields**. You can assign a context action to selected record fields, or all record fields. In the Cloud SIEM UI, the action will be available on the context action menu for selected fields.
+* **Context actions on IOC types**. You can assign a context action to one or more of the following IOC data types:
* Domain
* IP Address
* URL
* Hash
* MAC Address
-The Context Actions menu will be available for any of these types, wherever they appear in the Cloud SIEM UI.
+The context actions menu will be available for any of these types, wherever they appear in the Cloud SIEM UI.
-## How a user accesses Context Actions
+## How a user accesses context actions
-A user runs a Context Action by clicking the Context Action icon
next to an Entity, Record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
+A user runs a context action by clicking the context action icon
next to an entity, record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
-In the screenshot below, Context Actions are listed below the built-in **Add to Match List** and **Add to Suppressed List** options.
+In the screenshot below, context actions are listed below the built-in **Add to Match List** and **Add to Suppressed List** options.
-If an action name is shown in red font, that indicates that the action depends on a Record field that doesn’t exist.
+If an action name is shown in red font, that indicates that the action depends on a record field that doesn’t exist.
Watch this micro lesson to learn more about how to use context actions.
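Review bot: removing the blank lines around the **Context actions on entity types** bullet changes how it renders. In Markdown, the indented line "An action you assign to an entity type will also be available for record fields..." that now follows the bullet with no blank line is treated as a lazy continuation of the bullet's first paragraph, so the two paragraphs will be merged into one; keep one blank line before the indented paragraph if it is meant to stand on its own. Separately, the rewritten link "[How a user accesses context actions](#how-a-user-accesses-contextactions)" keeps an anchor that does not match the heading "## How a user accesses context actions", whose generated slug is `#how-a-user-accesses-context-actions`; the mismatch is pre-existing, but since the line is being rewritten, fix the anchor now.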
@@ -55,20 +50,20 @@ Watch this micro lesson to learn more about how to use context actions.
import Iframe from 'react-iframe';
-## Configure a Context Action
+## Configure a context action
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Context Actions**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Context Actions**. You can also click the **Go To...** menu at the top of the screen and select **Context Actions**.
1. On the **Context Actions** tab click **+ Add Context Action**.
1. Create the context action.
- 1. **Name**. Enter a name for the Context Action.
+ 1. **Name**. Enter a name for the context action.
1. **Action Type**. Choose whether you want to open a **Sumo Logic Query** or a **URL** to an external service.
1. **Query**. Enter the URL or log query that the context action will issue.
For instructions, see:
* [Create a Sumo Logic search URL](#create-a-sumo-logic-search-url)
* [Create a URL to external service](#create-an-url-to-an-external-service)
- 1. If you chose **Sumo Logic Query** above, the **Timestamp offset** option appears, which set the query time range. The offset can be either -30m or +30m, and it will be applied to the timestamp in the target Record’s [timestamp](/docs/cse/schema/schema-attributes) field.
- 1. **Entity Types**. Select the Entity types that the context action will apply to.
- 1. **Record Properties**. Select the Record properties that the context action will apply to.
+ 1. If you chose **Sumo Logic Query** above, the **Timestamp offset** option appears, which set the query time range. The offset can be either -30m or +30m, and it will be applied to the timestamp in the target record’s [timestamp](/docs/cse/schema/schema-attributes) field.
+ 1. **Entity Types**. Select the entity types that the context action will apply to.
+ 1. **Record Properties**. Select the record properties that the context action will apply to.
1. **IOC Data Types**. Choose the IOC data types to which the context action will apply. You can select one or more of the following data types listed below. Your context action will be available for any occurrences of the IOCs you select.
* **Domain**
* **Entity Types**
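Review bot: "the **Timestamp offset** option appears, which set the query time range" should be "which sets"; the sentence is rewritten in this hunk so it can be corrected here. Also, the context line "[Create a URL to external service](#create-an-url-to-an-external-service)" links to a heading that currently reads "Create an URL to an external service"; if that heading is corrected to "a URL", its slug changes and this anchor has to be updated with it.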
@@ -80,7 +75,7 @@ import Iframe from 'react-iframe';
### Create a Sumo Logic search URL
-To create an URL for a Sumo Logic search, you enter a Sumo Logic search query as you would in a Sumo Logic search tab, but use the `{{value}}` parameter placeholder for the target item. For example, for a Context Action whose target is **Username**, you could enter the following query to search for Cloud SIEM Records of any type whose `user_username` field matches the username on which you run the action.
+To create an URL for a Sumo Logic search, you enter a Sumo Logic search query as you would in a Sumo Logic search tab, but use the `{{value}}` parameter placeholder for the target item. For example, for a context action whose target is **Username**, you could enter the following query to search for Cloud SIEM records of any type whose `user_username` field matches the username on which you run the action.
`_index=sec_record* AND user_username = "{{value}}"`
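Review bot: "To create an URL for a Sumo Logic search" should read "a URL"; the line is rewritten in this hunk. More substantively, the example query places `{{value}}` inside a double-quoted string literal (`user_username = "{{value}}"`), and the text does not say whether Cloud SIEM escapes the substituted value before it is inserted into the query. A sentence stating how the value is escaped, or which characters in a target value would make the generated query invalid, would tell readers what to expect when a username contains a quote.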
@@ -90,7 +85,7 @@ When you save the action, the URL template will be populated with your Sumo Logi
### Create an URL to an external service
-To create a URL to be sent to an external service, enter the URL in the format required by the external service, and use the `{{value}}` parameter placeholder for the target Entity, Record field, or IOC.
+To create a URL to be sent to an external service, enter the URL in the format required by the external service, and use the `{{value}}` parameter placeholder for the target entity, record field, or IOC.
Examples:
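Review bot: the heading "### Create an URL to an external service" keeps the "an URL" error while the sentence beneath it was rewritten to the correct "To create a URL". If the heading is fixed, the generated anchor changes from `#create-an-url-to-an-external-service` to `#create-a-url-to-an-external-service`, so the link in the Configure step earlier in this file ("[Create a URL to external service](#create-an-url-to-an-external-service)") must be updated in the same commit or it will break.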
@@ -102,15 +97,15 @@ Examples:
`https://www.abuseipdb.com/check/{{value}}`
-The only required parameter in the URL is `{{value}}`. Depending on your use case, you can use other template parameters to insert timestamps in the action URL. For more information, see [Template parameters for Context Actions](#template-parameters-for-context-actions).
+The only required parameter in the URL is `{{value}}`. Depending on your use case, you can use other template parameters to insert timestamps in the action URL. For more information, see [Template parameters for context actions](#template-parameters-for-context-actions).
#### Open the Criminal IP lookup page for an IP address
`https://www.criminalip.io/asset/report/{{value}}`
-## Template parameters for Context Actions
+## Template parameters for context actions
-The table below defines the parameters you can use in the URL template for a Context Action.
+The table below defines the parameters you can use in the URL template for a context action.
### Value
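Review bot: "The only required parameter in the URL is `{{value}}`" says nothing about how the value is encoded when it is substituted. The examples put it in a path segment (`https://www.abuseipdb.com/check/{{value}}`), and the IOC types this action can target include URLs, which contain `/`, `?` and `#`; the doc should state whether Cloud SIEM percent-encodes the substituted value so readers know whether the generated request will be well-formed for those types.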
@@ -120,25 +115,25 @@ The table below defines the parameters you can use in the URL template for a Con
### Record value
-You can insert any field from the target of a Context Action into the action URL with the `{{field_name}}` placeholder. For example, you could include `device_ip` in the URL with `{{device_ip}}`.
+You can insert any field from the target of a context action into the action URL with the `{{field_name}}` placeholder. For example, you could include `device_ip` in the URL with `{{device_ip}}`.
### Sumo Logic Base URL
-The `{{sumobaseurl}}` parameter applies to Context Actions that run a Sumo Logic log search.
+The `{{sumobaseurl}}` parameter applies to context actions that run a Sumo Logic log search.
Assuming your Cloud SIEM instance is configured to communicate with the Sumo Logic platform, when you create an action that runs a Sumo Logic search, Cloud SIEM will automatically insert this placeholder in your URL template—you don’t need to explicitly insert `{{sumobaseurl}} `placeholder yourself.
### Timestamp
-When you run an action on a Cloud SIEM Record, if that Record has a [timestamp](/docs/cse/schema/schema-attributes) field value, you can insert the timestamp in UTC format into the URL using the `{{timestamp}}` parameter.
+When you run an action on a Cloud SIEM record, if that record has a [timestamp](/docs/cse/schema/schema-attributes) field value, you can insert the timestamp in UTC format into the URL using the `{{timestamp}}` parameter.
### Formatted timestamp
-To insert a Record’s [timestamp](/docs/cse/schema/schema-attributes) field value into the action URL as a Unix timestamp, use `{{timestamp [ms]}}`.
+To insert a record’s [timestamp](/docs/cse/schema/schema-attributes) field value into the action URL as a Unix timestamp, use `{{timestamp [ms]}}`.
### Timestamp with delta
-If desired, you can insert a timestamp value that is some offset of the Record’s [timestamp](/docs/cse/schema/schema-attributes) field in the action URL, for example:
+If desired, you can insert a timestamp value that is some offset of the record’s [timestamp](/docs/cse/schema/schema-attributes) field in the action URL, for example:
`{{timestamp-5h}}`
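Review bot: the unchanged context line "you don't need to explicitly insert `{{sumobaseurl}} `placeholder yourself" has the trailing space inside the code span and is missing the article; it should read "insert the `{{sumobaseurl}}` placeholder yourself". The surrounding lines are being rewritten in this hunk, so correct it here.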
diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md
index d326d155d0..8a63f7c8a1 100644
--- a/docs/cse/administration/create-custom-threat-intel-source.md
+++ b/docs/cse/administration/create-custom-threat-intel-source.md
@@ -30,13 +30,13 @@ import Iframe from 'react-iframe';
### How Cloud SIEM uses indicators
When Cloud SIEM encounters an indicator from your threat source in an incoming
-Record it adds relevant information to the Record. Because threat intelligence
-information is persisted within Records, you can reference it downstream
+record it adds relevant information to the record. Because threat intelligence
+information is persisted within records, you can reference it downstream
in both rules and search. The built-in rules that come with Cloud SIEM
-automatically create a Signal for Records that have been enriched in
+automatically create a signal for records that have been enriched in
this way.
-Rule authors can also write rules that look for threat intelligence information in Records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
+Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
*About Cloud SIEM Rules* topic.
### Create a threat intelligence source from Cloud SIEM UI
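Review bot: the rewrapped sentence "When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record" needs a comma after the first "record" to separate the subordinate clause; the line is being rewritten in this hunk.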
@@ -83,7 +83,7 @@ The .csv file can contain up to four columns, which are described below.
| value | Required. Must be one of the following:
- A valid IPV4 or IPv6 address
- A valid, complete URL
- A valid email address
- A hostname (without protocol or path)
- A hexadecimal string of 32, 40, 64, or 128 characters |
| description | Optional. |
| expires| Optional. The data and time when you want the indicator to be removed, in any ISO date format. |
-| active | Required. Specifies whether the indicator actively looks for threat intelligence in Records. Valid values are `true` or `false`. |
+| active | Required. Specifies whether the indicator actively looks for threat intelligence in records. Valid values are `true` or `false`. |
**Example .csv file**
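Review bot: only the `active` row is touched here, but two typos in the unchanged rows of the same table should be fixed in this commit: the `expires` row reads "The data and time" (should be "date and time"), and the `value` row mixes "IPV4" with "IPv6" (use "IPv4"). In the `active` row itself, "the indicator actively looks for threat intelligence in records" makes the indicator the actor; consider "Specifies whether Cloud SIEM actively matches the indicator against incoming records" so it reads consistently with the "How Cloud SIEM uses indicators" section above, where Cloud SIEM is the one that encounters the indicator and enriches the record.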
diff --git a/docs/cse/administration/create-use-network-blocks.md b/docs/cse/administration/create-use-network-blocks.md
index de2546dd82..6f8c6f043b 100644
--- a/docs/cse/administration/create-use-network-blocks.md
+++ b/docs/cse/administration/create-use-network-blocks.md
@@ -2,89 +2,74 @@
id: create-use-network-blocks
title: Create and Use Network Blocks
sidebar_label: Network Blocks
-description: A Network Block is a CIDR block of IP addresses from your infrastructure that you label to provide context that can be leveraged in rules and is helpful in investigating Cloud SIEM Insights.
+description: A network block is a CIDR block of IP addresses from your infrastructure that you label to provide context that can be leveraged in rules and is helpful in investigating Cloud SIEM insights.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-This topic describes *Network Blocks* and their purpose, and provides instructions for setting them up and using them.
+This topic describes *network blocks* and their purpose, and provides instructions for setting them up and using them.
:::note
-If all you need to know is what enrichment fields Cloud SIEM adds to Records that contain IP addresses in Network Blocks, you can jump to [Network Blocks and enrichment fields](#network-blocks-and-enrichment-fields) below.
+If all you need to know is what enrichment fields Cloud SIEM adds to Records that contain IP addresses in network blocks, you can jump to [Network blocks and enrichment fields](#network-blocks-and-enrichment-fields) below.
:::
-In Cloud SIEM, a Network Block is a CIDR block of IP addresses from your infrastructure that you label to provide context that can be leveraged in rules and is helpful in investigating Insights. For example, you could label one Network Block “Server Network” and another one “Workstations”.
+In Cloud SIEM, a network block is a CIDR block of IP addresses from your infrastructure that you label to provide context that can be leveraged in rules and is helpful in investigating insights. For example, you could label one network block “Server Network” and another one “Workstations”.
-In addition to labeling a Network Block, you can optionally mark a Network Block as “Internal”.
+In addition to labeling a network block, you can optionally mark a network block as “Internal”.
:::note
There is another way that IP addresses get marked as “Internal”. Cloud SIEM automatically marks RFC 1918 IP addresses, which aren’t routable on the Internet, as “Internal”.
:::
-When you configure a Network Block, there is an option to suppress Signals on the IP addresses within the block.
+When you configure a network block, there is an option to suppress signals on the IP addresses within the block.
:::note
-IP addresses in a Network Block for which Signals are suppressed will not appear on the **Suppressed Entities** page in the Cloud SIEM UI. (You can’t manually unsuppress Signals for an IP address that are suppressed due to its Network Block configuration.)
+IP addresses in a network block for which signals are suppressed will not appear on the **Suppressed Entities** page in the Cloud SIEM UI. (You can’t manually unsuppress signals for an IP address that are suppressed due to its network block configuration.)
:::
-## Best practices for Network Blocks
+## Best practices for network blocks
-As you configure Network Blocks, keep in mind the following
-considerations.
+As you configure network blocks, keep in mind the following considerations.
-Ideally, you should use Network Blocks to represent your topology both
-broadly and thoroughly. Any network address space that is in use should
-be accounted for at some level of detail. Broad descriptions of
-supernets that cover all allocated addresses are a start. Coupling a
-broad view with a detailed inventory is preferable. If you have address
-space that’s in use but not reflected in your Network Block
-configuration, associated traffic won’t be evaluated by rules, and
-problems might not be detected.
+Ideally, you should use network blocks to represent your topology both broadly and thoroughly. Any network address space that is in use should be accounted for at some level of detail. Broad descriptions of supernets that cover all allocated addresses are a start. Coupling a broad view with a detailed inventory is preferable. If you have address space that’s in use but not reflected in your network block configuration, associated traffic won’t be evaluated by rules, and problems might not be detected.
-It’s good to define Network Blocks at both high and detailed levels. For
-example, you might want to define one high level block for your
-corporate network and another for your partner network, and also
-smaller, more detailed subnets within each. Nesting your Network Blocks
-provides more context. For critical assets that are static over time, it
-can even be useful to include /32 addresses.
+It’s good to define network blocks at both high and detailed levels. For example, you might want to define one high level block for your corporate network and another for your partner network, and also smaller, more detailed subnets within each. Nesting your network blocks provides more context. For critical assets that are static over time, it can even be useful to include /32 addresses.
-Keep the labels you assign to Network Blocks short and sweet. Don’t
-include the CIDR block itself in the label. For example, instead of
-“Seattle Office 10.191.64.0/18” for a label, use “Seattle Office”.
+Keep the labels you assign to network blocks short and sweet. Don’t include the CIDR block itself in the label. For example, instead of “Seattle Office 10.191.64.0/18” for a label, use “Seattle Office”.
-## Overlapping Network Blocks
+## Overlapping network blocks
-In the case that the two or more Network Blocks overlap, Cloud SIEM uses the smallest, most-specific block that matches the IP address that's being looked up. For example, given these two Network Blocks:
+In the case that the two or more network blocks overlap, Cloud SIEM uses the smallest, most-specific block that matches the IP address that's being looked up. For example, given these two network blocks:
* `10.0.0.0/8` with Label "EC2 Internal"
* `10.128.0.0/24` with Label "WebServer IPs"
-When Cloud SIEM looks for the Network Block address `10.128.0.1`, it will return the more-specific block, "WebServer IPs".
+When Cloud SIEM looks for the network block address `10.128.0.1`, it will return the more-specific block, "WebServer IPs".
-## Create a Network Block manually
+## Create a network block manually
-Follow these instructions to create a Network Block using the Cloud SIEM UI. For information about creating multiple Network Blocks by file upload, see [Upload a CSV file of Network Blocks](#upload-a-csv-file-of-network-blocks).
+Follow these instructions to create a network block using the Cloud SIEM UI. For information about creating multiple network blocks by file upload, see [Upload a CSV file of network blocks](#upload-a-csv-file-of-network-blocks).
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Network Blocks**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Network Blocks**. You can also click the **Go To...** menu at the top of the screen and select **Network Blocks**.
1. On the **Create Network Block** popup:
1. **Address Block**. Enter a CIDR block that identifies a contiguous range of IP addresses.
- 1. **Label**. Enter a meaningful name for the Network Block.
+ 1. **Label**. Enter a meaningful name for the network block.
1. **Internal**. Leave the toggle switched to the right (green) if you want to mark IP addresses that match the network block as Internal. This allows you to filter on the IP addresses in rule expressions, as described below in [Using enrichment fields](#using-enrichment-fields), below.
- 1. **Suppress Signals**. Leave the toggle switched to the left (red) if you do not want to suppress Signals on IP addresses in the Network Block. Otherwise, switch the toggle to the right (green).
+ 1. **Suppress Signals**. Leave the toggle switched to the left (red) if you do not want to suppress signals on IP addresses in the network block. Otherwise, switch the toggle to the right (green).
1. Click **Create**.
-## Upload a CSV file of Network Blocks
+## Upload a CSV file of network blocks
-You can define multiple Network Blocks in a .csv file and upload the file to Cloud SIEM.
+You can define multiple network blocks in a .csv file and upload the file to Cloud SIEM.
-The table below defines the fields you can import for a Network Block.
+The table below defines the fields you can import for a network block.
| Field | Description |
|:--|:--|
| `address_block` | The IP address and subnet mask of the network block. For example:
192.168.10.0/24 |
| `label` | (Optional) A label of the network block (e.g. PCI network). If the label contains a comma, enclose it in double quotes (“). |
| `internal` | (Optional) When true, all IPs matching this network block in the records will be marked as internal.
Default: true |
-| `suppresses_signals` | (Optional) When true, all Signals for IPs in this network block will be suppressed, so that Insights are not generated based on those Signals.
Default: false |
+| `suppresses_signals` | (Optional) When true, all signals for IPs in this network block will be suppressed, so that insights are not generated based on those signals.
Default: false |
Here is an example of a file in which all fields are supplied:
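Review bot: the rewritten note line ("If all you need to know is what enrichment fields Cloud SIEM adds to Records that contain IP addresses in network blocks") leaves "Records" capitalized, which is inconsistent with the rest of this commit, where "record" is lowercased everywhere else; change it to "records". Two smaller items in touched or adjacent lines: "In the case that the two or more network blocks overlap" should drop "the" ("In the case that two or more network blocks overlap"), and the **Internal** step ends "as described below in [Using enrichment fields](#using-enrichment-fields), below" with a duplicated "below". The in-page anchors `#network-blocks-and-enrichment-fields` and `#upload-a-csv-file-of-network-blocks` still resolve to the renamed headings ("Network blocks and enrichment fields", "Upload a CSV file of network blocks"), so no link fixes are needed for the heading case changes.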
@@ -100,11 +85,11 @@ address_block
192.168.10.0/24
```
-## Network Blocks and enrichment fields
+## Network blocks and enrichment fields
-The Label you assign to a Network Block is stored in an enrichment field that Cloud SIEM adds to each Record that contains an IP address in that block. Similarly, an enrichment field is added to each Record that contains an IP address in a Network Block that is marked Internal.
+The Label you assign to a network block is stored in an enrichment field that Cloud SIEM adds to each record that contains an IP address in that block. Similarly, an enrichment field is added to each record that contains an IP address in a network block that is marked Internal.
-In the table below, the left column contains schema fields that contain IP addresses. The middle column contains the enrichment fields that are added to Records based on Network Block configuration. The enrichment fields in the middle column, which end in `_location`, are populated with the Label from a Network Block. Those in the rightmost column, which end in `_isInternal`, are populated with “yes”, indicating that the IP address is in a Network Block marked Internal.
+In the table below, the left column contains schema fields that contain IP addresses. The middle column contains the enrichment fields that are added to records based on network block configuration. The enrichment fields in the middle column, which end in `_location`, are populated with the Label from a network block. Those in the rightmost column, which end in `_isInternal`, are populated with “yes”, indicating that the IP address is in a network block marked Internal.
| IP address field | _location enrichment field | _isInternal enrichment field |
|:--|:--|:--|
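Review bot: the two rewritten lines keep "Label" capitalized ("The Label you assign to a network block", "populated with the Label from a network block") while the best-practices section of the same file now says "the labels you assign to network blocks"; lowercase it here as well, or, if it is meant to name the **Label** field, bold it the way the other field names are bolded in the "Create a network block manually" steps. "Internal" can stay capitalized in these lines, since it refers to the marked state set by the **Internal** toggle.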
@@ -118,10 +103,10 @@ In the table below, the left column contains schema fields that contain IP addre