DOCS-533 - Network sensor end-of-life

blog-cse/2024/12-31.md

@@ -209,7 +209,7 @@ Changes are enumerated below.
 
 #### Cloud SIEM network sensor end-of-life
 
-The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
+The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
 
 Learn more [here](/docs/cse/sensors/network-sensor-end-of-life/).
 

blog-cse/2025-04-30-application.md

@@ -0,0 +1,7 @@
+### April 30, 2025 - Application Update
+
+#### Cloud SIEM network sensor end-of-life
+
+As [previously announced](/release-notes-cse/2024/12/31/#november-8-2024---application-update), the Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. Support for the feature ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
+
+Learn more [here](/docs/cse/sensors/network-sensor-end-of-life/).

cid-redirects.json

@@ -1671,7 +1671,7 @@
   "/cid/10144": "/docs/metrics/metrics-operators",
   "/cid/10145": "/docs/cse/records-signals-entities-insights/global-intelligence-security-insights",
   "/cid/16002": "/docs/integrations/microsoft-azure/opentelemetry/sql-server-linux-opentelemetry",
-  "/cid/10146": "/docs/cse/sensors",
+  "/cid/10146": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
   "/cid/10147": "/docs/cse/integrations",
   "/cid/10148": "/docs/cse/rules",
   "/cid/101481": "/docs/cse/rules/about-cse-rules",
@@ -2956,16 +2956,16 @@
   "/Cloud_SIEM_Enterprise/CSE_Schema/Parser_Editor/Parser_Troubleshooting_Tips": "/docs/cse/troubleshoot/troubleshoot-parsers",
   "/docs/cse/schema/parser-troubleshooting-tips": "/docs/cse/troubleshoot/troubleshoot-parsers",
   "/Cloud_SIEM_Enterprise/CSE_Schema/Username_and_Hostname_Normalization": "/docs/cse/schema/username-and-hostname-normalization",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors": "/docs/cse/sensors",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/01_Sensor_Download_Locations": "/docs/cse/sensors/sensor-download-locations",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/05_Windows_Sensor_Installation": "/docs/cse/sensors/sensor-download-locations",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/11_Network_Sensor_Deployment_Guide": "/docs/cse/sensors/network-sensor-deployment-guide",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/07_Network_Sensor_Deployment_Guide": "/docs/cse/sensors/network-sensor-deployment-guide",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/07_Windows_Sensor_Health_Status_Messages": "/docs/cse/sensors/network-sensor-troubleshooting",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/09_Windows_Sensor_Troubleshooting": "/docs/cse/sensors/network-sensor-troubleshooting",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/13_Network_Sensor_Troubleshooting": "/docs/cse/sensors/network-sensor-troubleshooting",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/17_Log_Sensor_Troubleshooting": "/docs/cse/sensors/log-sensor-troubleshooting",
-  "/Cloud_SIEM_Enterprise/CSE_Sensors/Ingest_Zeek_Logs": "/docs/cse/sensors/ingest-zeek-logs",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/01_Sensor_Download_Locations": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/05_Windows_Sensor_Installation": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/11_Network_Sensor_Deployment_Guide": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/07_Network_Sensor_Deployment_Guide": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/07_Windows_Sensor_Health_Status_Messages": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/09_Windows_Sensor_Troubleshooting": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/13_Network_Sensor_Troubleshooting": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/17_Log_Sensor_Troubleshooting": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
+  "/Cloud_SIEM_Enterprise/CSE_Sensors/Ingest_Zeek_Logs": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek",
   "/Cloud_SIEM_Enterprise/Ingestion_Guides": "/docs/cse/ingestion",
   "/Cloud_SIEM_Enterprise/Ingestion_Guides/00Products_with_Log_Mappings": "/docs/cse/ingestion/products-with-log-mappings",
   "/Cloud_SIEM_Enterprise/Ingestion_Guides/Cisco_Meraki": "/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki",

docs/cse/index.md

@@ -49,12 +49,6 @@ This section contains the following topics:
   <p>Learn about Cloud SIEM Schema v3, schema attributes, and the Record processing pipeline.</p>
   </div>
 </div>
-<div className="box smallbox card">
-  <div className="container">
-  <a href="/docs/cse/sensors"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="Shield on a cloud icon" width="40"/><h4>Sensors</h4></a>
-  <p>Cloud SIEM Sensors collect log and event data from your infrastructure and applications.</p>
-  </div>
-</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/cse/integrations"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="Shield on a cloud icon" width="40"/><h4>Integrations</h4></a>

docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md

@@ -11,6 +11,10 @@ This section has instructions for collecting Corelight Zeek log messages and sen
 
 These instructions are for Corelight Zeek logs sent as JSON over syslog.
 
+:::note
+The Sumo Logic Product Team has continued our on-premise network sensor feature for Sumo Logic Cloud SIEM (see [release note](/release-notes-cse#cloud-siem-network-sensor-end-of-life)). This article describes how to use Zeek as a network sensor to provide equivalent monitoring of your network.
+:::
+
 ## Step 1: Configure collection
 
 In this step, you configure a Syslog Source to collect Corelight Zeek log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector.
@@ -53,22 +57,88 @@ In this step, you configure a Syslog Source to collect Corelight Zeek log messag
 
 In this step you configure Zeek to send log messages to the Sumo Logic platform. For instructions, see [Corelight JSON Streaming documentation](https://github.com/corelight/json-streaming-logs).
 
-## Step 3: Cloud SIEM Ingest Configuration
+## Step 3: Enable parsing and mapping of Zeek logs
+
+After configuring the appropriate source, use one of the methods described below to provide information Cloud SIEM requires to parse and map Zeek logs.
+
+This configuration step is required to ensure that Cloud SIEM knows how to parse incoming Zeek logs, correctly map the log fields to schema attributes, and create Cloud SIEM records. The most important bit of information is what type of data a particular log contains. Zeek has a variety of log types, for example `conn` for TCP/UDP/ICMP connections, `http` for HTTP requests and replies, and `ftp` for FTP activity.
+
+So, how to determine whether a Zeek log is a `conn`, `http`, `ftp`, or some other log type? Zeek logs do not contain a key that explicitly holds a value that is only the log type identifier. There are two options for dealing with this:
+
+* Use Corelight to add a field to each Zeek log that identifies its log type. See [Use Corelight](#use-corelight) below.
+* Use Sumo Logic Field Extraction Rules (FERs) to create fields that provide the log type and other data that enables Cloud SIEM to parse and map the logs. See [Use FERs](#use-fers).
+
+### Use Corelight
+
+With this method, you use Corelight’s [json-streaming-logs](https://github.com/corelight/json-streaming-logs), a Bro script package that creates JSON formatted logs, and adds an extension field, named _path that identifies the Zeek log type to each Zeek log. Then, you map that field to **Event ID** in a Sumo Logic ingest mapping.
+
+After installing the `json-streaming-logs` package, follow these instructions to set up the Sumo Logic mapping.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Integrations** select **Sumo Logic**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.  
+1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.<br/><img src={useBaseUrl('img/cse/ingest-mappings.png')} alt="Ingest mappings" style={{border: '1px solid gray'}} width="800"/>
+1. On the **Add Ingest Mapping** tab:
+   1. **Source Category**. Enter the Source Category value you assigned to the Source you configured above.
+   1. **Format**. Choose **Bro/Zeek JSON**.
+   1. **Event ID**. Enter `{_path}`.
+   1. **Enabled**. Use the slider to enable the mapping if you’re ready to receive Zeek logs.
+   1. Click **Save**.<br/><img src={useBaseUrl('img/cse/create-mapping.png')} alt="Create mapping" style={{border: '1px solid gray'}} width="400"/>
+
+### Use FERs
+
+With this method, you use Sumo Logic Field Extraction Rules (FERs) to extract fields from each Zeek log. The fields you extract will provide the information necessary for Cloud SIEM to correctly parse and map the logs. 
+
+Here’s an example Bro log from the Security Onion platform. 
+
+```
+{"TAGS":".source.s_bro_conn","SOURCEIP":"127.0.0.1","PROGRAM":"bro_conn","PRIORITY":"notice","MESSAGE":"{\"ts\":\"2020-05-28T10:32:51.997054Z\",\"uid\":\"Cu3KVA2TbWqZm1Z0S6\",\"id.orig_h\":\"1.2.3.4\",\"id.orig_p\":16030,\"id.resp_h\":\"5.6.7.8\",\"id.resp_p\":161,\"proto\":\"udp\",\"duration\":30.000317811965942,\"orig_bytes\":258,\"resp_bytes\":0,\"conn_state\":\"S0\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":6,\"orig_ip_bytes\":426,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"sensorname\":\"test\"}","ISODATE":"2020-05-28T10:34:24+00:00","HOST_FROM":"somehost","HOST":"somehost","FILE_NAME":"/nsm/bro/logs/current/conn.log","FACILITY":"user"}
+```
+
+In the log above, the content of the Bro log is the value of the `MESSAGE` key. Note that no key in the log explicitly states the log type, which is `conn`. 
+
+To enable Cloud SIEM to successfully process the log, we need to create the following fields listed in the table below.
+
+<table>
+  <tr>
+   <td><strong>Field</strong></td>
+   <td><strong>Parse Expression</strong> </td>
+  </tr>
+  <tr>
+   <td><code>_siemMessage</code> </td>
+   <td><code>json field=_raw "MESSAGE" as _siemMessage</code> </td>
+  </tr>
+  <tr>
+   <td><code>_siemEventId</code></td>
+   <td><code>json field=_raw "PROGRAM" as _siemEventId | parse regex field=_siemEventId "bro_(?&lt;_siemEventId>.*)"</code> </td>
+  </tr>
+  <tr>
+   <td><code>_siemFormat</code></td>
+   <td><code>"bro" as _siemFormat</code></td>
+  </tr>
+  <tr>
+   <td><code>_siemVendor</code></td>
+   <td><code>"bro" as _siemVendor</code></td>
+  </tr>
+  <tr>
+   <td><code>_siemProduct</code></td>
+   <td><code>"bro" as _siemProduct</code></td>
+  </tr>
+</table>
 
-In this step, you configure a Sumo Logic Ingest Mapping in Cloud SIEM for the source category assigned to your source or collector you configured in [Step 1](#step-1-configure-collection). The mapping tells Cloud SIEM the information it needs to select the right mapper to process messages that have been tagged with that source category. 
+Perform these steps for each of the FERs.
 
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then and under **Integrations** select **Sumo Logic**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.  
-1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.
-1. On the **Add Ingest Mapping** popup:
-    1. **Source Category**. Enter the category you assigned to the HTTP Source or Hosted Collector in [Step 1](#step-1-configure-collection). 
-    1. **Format**. Enter *Bro/Zeek JSON*.  
-    1. **Event ID**. *`{_path}`*.<br/><img src={useBaseUrl('img/cse/corelight-edit-mapping.png')} alt="Corelight edit mappings" style={{border: '1px solid gray'}} width="400"/> 
-1. Click **Create** to save the mapping.
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Field Extraction Rules**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Logs** select **Field Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Field Extraction Rules**.  
+1. Click **Add Rule**.
+1. In the **Add Field Extraction Rule** pane:
+   1. **Rule Name**. Enter a meaningful name for the rule.
+   1. **Applied At**. Click Ingest Time. 
+   1. **Scope**. Click **Specific Data**.
+   1. **Parse Expression**. Enter the parse expression shown in the table above for the field the rule will extract.
+1. Click **Save**.<br/><img src={useBaseUrl('img/cse/example-fer.png')} alt="Example FER" style={{border: '1px solid gray'}} width="400"/>
 
 ## Step 4: Verify Ingestion
 
 In this step, you verify that your logs are successfully making it into Cloud SIEM. 
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Configuration**, and then under **Incoming Data** select **Log Mappings**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Integrations** select **Log Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Log Mappings**.  
 1. On the **Log Mappings** tab search for "Zeek" and check the **Records** columns. <br/><img src={useBaseUrl('img/cse/corelight-record-volume.png')} alt="Corelight record volume" style={{border: '1px solid gray'}} width="800"/>
-1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records.<br/><img src={useBaseUrl('img/cse/corelight-search.png')} alt="Corelight search" style={{border: '1px solid gray'}} width="400"/>
+1. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Corelight Zeek security records.<br/><img src={useBaseUrl('img/cse/corelight-search.png')} alt="Corelight search" style={{border: '1px solid gray'}} width="400"/>

docs/cse/rules/import-yara-rules.md

@@ -13,7 +13,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 This section has instructions for importing YARA rules from GitHub into Cloud SIEM.
 
-YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the [network sensor](/docs/cse/sensors/network-sensor-deployment-guide). When a file matches a YARA rule, Cloud SIEM creates a special record which results in a “file analysis” signal being created.  Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.
+YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the [network sensor](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek/). When a file matches a YARA rule, Cloud SIEM creates a special record which results in a “file analysis” signal being created.  Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.
 
 To import YARA rules: