DOCS-587 - Make terms lowercase in Cloud SIEM - Schema, sensors, integrations, match lists, automation, and administration sections #4889
Merged
merged 7 commits into from
Dec 18, 2024
4 changes: 2 additions & 2 deletions docs/cse/administration/create-a-custom-tag-schema.md
Expand Up @@ -11,7 +11,7 @@ This topic has instructions for creating a custom tag schema in Cloud SIEM. 

## About tags in Cloud SIEM

Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: *keyword tags*, which are arbitrary, freeform strings; and *schema keys*, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.
Tags are metadata you can attach to insights, signals, entities, and rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: *keyword tags*, which are arbitrary, freeform strings; and *schema keys*, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo Logic label, as shown in the example below. You can’t edit the built-in schemas.

<img src={useBaseUrl('img/cse/built-in-tags.png')} alt="Built-in schema keys" style={{border: '1px solid gray'}} width="800"/>

Expand All @@ -30,7 +30,7 @@ For more information about tags in Cloud SIEM, see [Using Tags with Insights, Si
available for. You can select one or more of the following:
* **Custom Insight**
* **Rule**
* **Entity** The options do not include **Signal** or **Insight**. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
* **Entity** The options do not include **Signal** or **Insight**. Signals and insights inherit tag values from the rule(s) or custom insight definition that triggered the signal or insight and involved entities.
1. **Allow Custom Values**. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the **Value Options** section below.
1. If **Allow Custom Values** is not checked, you must define at least one value for the tag:
* **Enter Value**. Enter an allowable value for the tag.
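Review bot: The pre-existing typo "schemas keys" survives in the changed line ("Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI"); since the sentence is being edited anyway, change it to "schema keys" to match the term introduced earlier in the same sentence. Also, in the **Entity** bullet, the sentence "The options do not include **Signal** or **Insight**..." is a note about the whole list rather than about the Entity option; consider moving it onto its own line after the bullets.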
128 changes: 64 additions & 64 deletions docs/cse/administration/create-cse-actions.md


61 changes: 28 additions & 33 deletions docs/cse/administration/create-cse-context-actions.md
Expand Up @@ -2,43 +2,38 @@
id: create-cse-context-actions
title: Create Context Actions
sidebar_label: Create Context Actions
description: Learn about Context Actions, options that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in Record.
description: Learn about context actions, options that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

This topic has information about Cloud SIEM Context Actions and how to create them. 
This topic has information about Cloud SIEM context actions and how to create them. 

## About Context Actions
## About context actions

A Context Action is an option that a Cloud SIEM analyst can use to query an external system for information about an Entity, IOC, or data encountered in a Record. For example, you might want to check an IP address against a threat intel service, google a username, or run a log search in Sumo Logic for a hostname. 
A context action is an option that a Cloud SIEM analyst can use to query an external system for information about an entity, IOC, or data encountered in a record. For example, you might want to check an IP address against a threat intel service, google a username, or run a log search in Sumo Logic for a hostname. 

An authorized user can configure Context Actions and assign them to particular Entity types, Record fields, or common IOC types.

* **Context Actions on Entity types**. You can assign a Context Action to one or more Entity types, including custom Entity types. An action assigned to an Entity type will be available on any instance of that type in the **Entities** page, or in Insights or Signals that contain Entities of the selected type. For an example, see the screenshot in [How a user accesses Context Actions](#how-a-user-accesses-contextactions).

An action you assign to an Entity type will also be available for Record fields that contain the Entity type. For example, an action assigned to the Hostname Entity type will be available for the `srcDevice_hostname`, `dstDevice_hostname`, and `device_hostname` Record fields.

* **Context Actions on Record fields**. You can assign a Context Action to selected Record fields, or all Record fields. In the Cloud SIEM UI, the action will be available on the Context Action menu for selected fields.

* **Context Actions on IOC Types**. You can assign a Context Action to one or more of the following IOC data types:
An authorized user can configure context actions and assign them to particular entity types, record fields, or common IOC types.
* **Context actions on entity types**. You can assign a context action to one or more entity types, including custom entity types. An action assigned to an entity type will be available on any instance of that type in the **Entities** page, or in insights or signals that contain entities of the selected type. For an example, see the screenshot in [How a user accesses context actions](#how-a-user-accesses-contextactions). <br/>An action you assign to an entity type will also be available for record fields that contain the entity type. For example, an action assigned to the Hostname entity type will be available for the `srcDevice_hostname`, `dstDevice_hostname`, and `device_hostname` record fields.
* **Context actions on record fields**. You can assign a context action to selected record fields, or all record fields. In the Cloud SIEM UI, the action will be available on the context action menu for selected fields.  
* **Context actions on IOC types**. You can assign a context action to one or more of the following IOC data types:
* Domain
* IP Address
* URL
* Hash
* MAC Address

The Context Actions menu will be available for any of these types, wherever they appear in the Cloud SIEM UI.
The context actions menu will be available for any of these types, wherever they appear in the Cloud SIEM UI.

## How a user accesses Context Actions
## How a user accesses context actions

A user runs a Context Action by clicking the Context Action icon <img src={useBaseUrl('img/cse/context-action-icon.png')} alt="Context action icon" style={{border: '1px solid gray'}} width="20"/> next to an Entity, Record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.
A user runs a context action by clicking the context action icon <img src={useBaseUrl('img/cse/context-action-icon.png')} alt="Context action icon" style={{border: '1px solid gray'}} width="20"/> next to an entity, record field, or IOC and choosing an action from the list that appears. The icon appears when you hover over the value of the item.

In the screenshot below, Context Actions are listed below the built-in **Add to Match List** and **Add to Suppressed List** options.
In the screenshot below, context actions are listed below the built-in **Add to Match List** and **Add to Suppressed List** options.

<img src={useBaseUrl('img/cse/action-icon-entity.png')} alt="List of context actions" style={{border: '1px solid gray'}} width="300"/>

If an action name is shown in red font, that indicates that the action depends on a Record field that doesn’t exist.
If an action name is shown in red font, that indicates that the action depends on a record field that doesn’t exist.

Watch this micro lesson to learn more about how to use context actions.

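Review bot: The restructuring of the "An authorized user can configure context actions" block goes beyond the PR's stated lowercase scope: the blank lines between the three bullets are dropped, the separate paragraph "An action you assign to an entity type will also be available for record fields..." is folded into the first bullet with a `<br/>`, and the "Context actions on record fields" bullet picks up trailing whitespace. Either keep the original paragraph structure and change only the case, or mention the reflow in the PR description. Separately, the anchor `#how-a-user-accesses-contextactions` does not match the slug generated from the heading "## How a user accesses context actions" (`how-a-user-accesses-context-actions`); since that link is being touched, fix the anchor in the same commit.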
Expand All @@ -55,20 +50,20 @@ Watch this micro lesson to learn more about how to use context actions.

import Iframe from 'react-iframe'; 

## Configure a Context Action
## Configure a context action

1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Context Actions**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Context Actions**. You can also click the **Go To...** menu at the top of the screen and select **Context Actions**.
1. On the **Context Actions** tab click **+ Add Context Action**.
1. Create the context action. <br/><img src={useBaseUrl('img/cse/configured-action.png')} alt="Configure action" style={{border: '1px solid gray'}} width="400"/>
1. **Name**. Enter a name for the Context Action
1. **Name**. Enter a name for the context action
1. **Action Type**. Choose whether you want to open a **Sumo Logic Query** or a **URL** to an external service. 
1. **Query**. Enter the URL or log query that the context action will issue.
For instructions, see:
* [Create a Sumo Logic search URL](#create-a-sumo-logic-search-url)
* [Create a URL to external service](#create-an-url-to-an-external-service)
1. If you chose **Sumo Logic Query** above, the **Timestamp offset** option appears, which set the query time range. The offset can be either -30m or +30m, and it will be applied to the timestamp in the target Record’s [timestamp](/docs/cse/schema/schema-attributes) field.
1. **Entity Types**. Select the Entity types that the context action will apply to.
1. **Record Properties**. Select the Record properties that the context action will apply to.
1. If you chose **Sumo Logic Query** above, the **Timestamp offset** option appears, which set the query time range. The offset can be either -30m or +30m, and it will be applied to the timestamp in the target record’s [timestamp](/docs/cse/schema/schema-attributes) field.
1. **Entity Types**. Select the entity types that the context action will apply to.
1. **Record Properties**. Select the record properties that the context action will apply to.
1. **IOC Data Types**. Choose the IOC data types to which the context action will apply. You can select one or more of the following data types listed below. Your context action will be available for any occurrences of the IOCs you select.
* **Domain**
* **Entity Types**
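Review bot: Two small grammar issues remain in lines this hunk changes: "**Name**. Enter a name for the context action" lacks a terminating period, and "the **Timestamp offset** option appears, which set the query time range" should read "which sets". Both are worth fixing while the lines are already being edited.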
Expand All @@ -80,7 +75,7 @@ import Iframe from 'react-iframe'; 

### Create a Sumo Logic search URL

To create an URL for a Sumo Logic search, you enter a Sumo Logic search query as you would in a Sumo Logic search tab, but use the `{{value}}` parameter placeholder for the target item. For example, for a Context Action whose target is **Username**, you could enter the following query to search for Cloud SIEM Records of any type whose `user_username` field matches the username on which you run the action. 
To create an URL for a Sumo Logic search, you enter a Sumo Logic search query as you would in a Sumo Logic search tab, but use the `{{value}}` parameter placeholder for the target item. For example, for a context action whose target is **Username**, you could enter the following query to search for Cloud SIEM records of any type whose `user_username` field matches the username on which you run the action. 

`_index=sec_record* AND user_username = "{{value}}"`

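Review bot: "To create an URL for a Sumo Logic search" should be "a URL" (the article follows the spoken form "you-are-ell"). The line is being edited for case anyway, so the fix is free; the same phrasing recurs in the "Create an URL to an external service" section, so fix both for consistency.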
Expand All @@ -90,7 +85,7 @@ When you save the action, the URL template will be populated with your Sumo Logi

### Create an URL to an external service

To create a URL to be sent to an external service, enter the URL in the format required by the external service, and use the `{{value}}` parameter placeholder for the target Entity, Record field, or IOC. 
To create a URL to be sent to an external service, enter the URL in the format required by the external service, and use the `{{value}}` parameter placeholder for the target entity, record field, or IOC. 

Examples:

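Review bot: The heading "### Create an URL to an external service" and the body sentence "To create a URL to be sent to an external service" disagree on the article; "a URL" is correct. Renaming the heading changes its slug, so the link "[Create a URL to external service](#create-an-url-to-an-external-service)" in the configuration steps must be updated in the same commit, or the in-page link breaks.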
Expand All @@ -102,15 +97,15 @@ Examples:

`https://www.abuseipdb.com/check/{{value}}`

The only required parameter in the URL is `{{value}}`. Depending on your use case, you can use other template parameters to insert timestamps in the action URL. For more information, see [Template parameters for Context Actions](#template-parameters-for-context-actions). 
The only required parameter in the URL is `{{value}}`. Depending on your use case, you can use other template parameters to insert timestamps in the action URL. For more information, see [Template parameters for context actions](#template-parameters-for-context-actions). 

#### Open the Criminal IP lookup page for an IP address

`https://www.criminalip.io/asset/report/{{value}}`

## Template parameters for Context Actions
## Template parameters for context actions

The table below defines the parameters you can use in the URL template for a Context Action.
The table below defines the parameters you can use in the URL template for a context action.

### Value

Expand All @@ -120,25 +115,25 @@ The table below defines the parameters you can use in the URL template for a Con

### Record value

You can insert any field from the target of a Context Action into the action URL with the `{{field_name}}` placeholder. For example, you could include `device_ip` in the URL with `{{device_ip}}`.  
You can insert any field from the target of a context action into the action URL with the `{{field_name}}` placeholder. For example, you could include `device_ip` in the URL with `{{device_ip}}`.  

### Sumo Logic Base URL

The `{{sumobaseurl}}` parameter applies to Context Actions that run a Sumo Logic log search.
The `{{sumobaseurl}}` parameter applies to context actions that run a Sumo Logic log search.

Assuming your Cloud SIEM instance is configured to communicate with the Sumo Logic platform, when you create an action that runs a Sumo Logic search, Cloud SIEM will automatically insert this placeholder in your URL template—you don’t need to explicitly insert `{{sumobaseurl}} `placeholder yourself.

### Timestamp

When you run an action on a Cloud SIEM Record, if that Record has a [timestamp](/docs/cse/schema/schema-attributes) field value, you can insert the timestamp in UTC format into the URL using the `{{timestamp}}` parameter.
When you run an action on a Cloud SIEM record, if that record has a [timestamp](/docs/cse/schema/schema-attributes) field value, you can insert the timestamp in UTC format into the URL using the `{{timestamp}}` parameter.

### Formatted timestamp

To insert a Record’s [timestamp](/docs/cse/schema/schema-attributes) field value into the action URL as a Unix timestamp, use `{{timestamp [ms]}}`.
To insert a record’s [timestamp](/docs/cse/schema/schema-attributes) field value into the action URL as a Unix timestamp, use `{{timestamp [ms]}}`.

### Timestamp with delta

If desired, you can insert a timestamp value that is some offset of the Record’s [timestamp](/docs/cse/schema/schema-attributes) field in the action URL, for example: 
If desired, you can insert a timestamp value that is some offset of the record’s [timestamp](/docs/cse/schema/schema-attributes) field in the action URL, for example: 

`{{timestamp-5h}}`

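Review bot: The unchanged context line "you don’t need to explicitly insert `{{sumobaseurl}} `placeholder yourself" has the closing backtick on the wrong side of the space and is missing an article; it should read "insert the `{{sumobaseurl}}` placeholder yourself". Since the neighbouring lines in this hunk are being edited, this is an easy pickup.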
10 changes: 5 additions & 5 deletions docs/cse/administration/create-custom-threat-intel-source.md
Expand Up @@ -30,13 +30,13 @@ import Iframe from 'react-iframe'; 
### How Cloud SIEM uses indicators

When Cloud SIEM encounters an indicator from your threat source in an incoming
Record it adds relevant information to the Record. Because threat intelligence
information is persisted within Records, you can reference it downstream
record it adds relevant information to the record. Because threat intelligence
information is persisted within records, you can reference it downstream
in both rules and search. The built-in rules that come with Cloud SIEM
automatically create a Signal for Records that have been enriched in
automatically create a signal for records that have been enriched in
this way.

Rule authors can also write rules that look for threat intelligence information in Records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
*About Cloud SIEM Rules* topic.

### Create a threat intelligence source from Cloud SIEM UI
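Review bot: Casing is applied inconsistently in this hunk: "rules", "records" and "signal" are lowercased, but "Rule Tuning Expression" stays capitalized in "add a Rule Tuning Expression to a built-in rule". If it is a UI label, it should follow the bold-label convention used elsewhere in this PR; otherwise lowercase it as well. Also, "When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record" needs a comma after "record".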
Expand Down Expand Up @@ -83,7 +83,7 @@ The .csv file can contain up to four columns, which are described below. 
| value | Required. Must be one of the following: <br/>- A valid IPV4 or IPv6 address<br/>- A valid, complete URL <br/>- A valid email address<br/>- A hostname (without protocol or path)<br/>- A hexadecimal string of 32, 40, 64, or 128 characters |
| description | Optional. |
| expires| Optional. The data and time when you want the indicator to be removed, in any ISO date format. |
| active | Required. Specifies whether the indicator actively looks for threat intelligence in Records. Valid values are `true` or `false`. |
| active | Required. Specifies whether the indicator actively looks for threat intelligence in records. Valid values are `true` or `false`. |

**Example .csv file**

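Review bot: Two typos sit in the table this hunk edits: the `expires` row says "The data and time when you want the indicator to be removed" and should read "date and time", and the `value` row mixes "IPV4 or IPv6", which should be "IPv4 or IPv6". Both are unchanged context lines but are cheap to fix while the table is open.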