Merge branch 'main' into replace-reinvent-banner

Author: kimsauce

docs/manage/partitions/data-tiers/index.md

@@ -66,8 +66,8 @@ How you can search and use your ingested data varies by the Data Tier it resides
 | Logs to Metrics | ✓ | ✓ | ✓ |
 | Data Forwarding | ✓ | ✓ | |
 | Live Tail | ✓ | ✓ | ✓ |
-| Dashboards | &#10003; | Activation required<sup>*</sup> | |
-| Monitors | &#10003; | Activation required<sup>*</sup> | |
+| Dashboards | &#10003; |  | Activation required<sup>*</sup> |
+| Monitors | &#10003; | | Activation required<sup>*</sup> |
 | Scheduled Searches | &#10003; | | |
 | Scheduled Views | &#10003; | | |
 | API Queries |  &#10003; | &#10003; | &#10003; |

docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon.md

@@ -7,8 +7,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/crowdstrike-falcon.png')} alt="crowdstrike-falcon" width="100"/>
 
-***Version: 1.19  
-Updated: Nov 10, 2025***
+***Version: 1.20  
+Updated: Dec 05, 2025***
 
 The CrowdStrike Falcon integration allows you to pull and update Alerts/Incidents, and search Incidents/Devices/Alerts.
 
@@ -32,6 +32,7 @@ The CrowdStrike Falcon integration allows you to pull and update Alerts/Incident
 * **Search into Incidents** *(Enrichment)* - Search for incidents by providing an FQL filter, sorting, and paging
   details.
 * **Update Alerts** *(Containment)* - Perform actions on Alerts identified by composite ID(s) in request.
+* **On Demand Device Scan** *(Containment)* - Initiate a scan on device by providing the device ID. This action will only work for Windows hosts.
 
 ## Category
 
@@ -110,4 +111,6 @@ For information about CrowdStrike Falcon, see [CrowdStrike documentation](https:
     + Search into Alerts
     + Alerts CrowdStrike Falcon Daemon
 * Nov 10, 2025 (v1.19) - Updated Query Parameter
-    + Get User ID By Mail
+    + Get User ID By Mail
+* Dec 05, 2025 (v1.20) - Added new action
+    + On Demand Device Scan

docs/platform-services/automation-service/playbooks/create-playbooks.md

@@ -118,8 +118,13 @@ For examples of adding conditions to playbooks, see the [Cloud SIEM automation e
 1. Draw a line from a previous action node to the new condition node. This is required to allow the condition to evaluate the output values from the previous action.
 1. Now that you've linked the condition to an action, hover the mouse over the condition node and click the edit button on the node to configure the condition settings.<br/><img src={useBaseUrl('img/cse/automations-edit-condition-node.png')} style={{border:'1px solid gray'}} alt="Edit a condition node" width="150"/>
 1. The condition node configuration dialog displays again. Under **Condition1**, click **Select a value**.<br/><img src={useBaseUrl('img/cse/automations-add-a-condition-3.png')} style={{border:'1px solid gray'}} alt="Select values for the condition" width="500"/>
-1. Click **Get Value** and select from the drop-down menu whether the value will evaluate to **true (bool)**, **false (bool)**, or **empty**. You can also manually enter a value, such as a string or numeric literal.<br/><img src={useBaseUrl('img/cse/automations-add-condition-node-2.png')} style={{border:'1px solid gray'}} alt="Get values for the condition" width="500"/>
-1. Under **Get value from a previous action**, select the value to feed into the condition. The example shows **Get Devices** and **Playbook inputs** that came from the previous action. (The condition must be linked by a line to the previous action node to receive outputs from the action.) Click the options from the previous action and select which output type (for example, hashes, IP addresses, domains) to evaluate and add it to the condition.
+1. Click **Get Value** and select values from the drop-down menu to use for the condition:
+   * **Internal values**. Whether the condition will evaluate to **true (bool)**, **false (bool)**, or **empty**.
+   * **Artifact fields**. Fields obtained from [incident artifacts](/docs/cloud-soar/incidents-triage/#incident-generation).
+   * **Incident fields**. Fields obtained from [incidents](/docs/cloud-soar/settings/#incidents).
+   * **Triage**. Fields obtained from [triage](/docs/cloud-soar/incidents-triage/#triage-field-settings).
+   * You can also manually enter a value, such as a string or numeric literal.<br/><img src={useBaseUrl('img/cse/automations-add-condition-node-2.png')} style={{border:'1px solid gray'}} alt="Get values for the condition" width="500"/>
+1. Under **Get value from a previous action**, select the value to feed into the condition. The example shows **IP Reputation V2** and **Playbook inputs** that came from the previous action. (The condition must be linked by a line to the previous action node to receive outputs from the action.) Click the options from the previous action and select which output type (for example, hashes, IP addresses, domains) to evaluate and add it to the condition.
 1. The selected output type will be displayed under **Condition 1**. Select which condition you would like for the output results to meet from the inequality operators below and click **Select a value** to define the condition.
 1. Now that **Condition 1** is defined, you can choose to filter your results further by selecting an **AND/OR** operator to define another condition.
     :::warning

docs/search/search-query-language/search-operators/macro.md

@@ -39,18 +39,18 @@ To create a macro, follow the steps below:
 1.  [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
 1. Click **+ Add Macro**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
 1. Or, in the log search page, select the part of search query language that needs to be reused and click on **Create Macro**.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-search-page.png')} alt="macro-search-page" style={{border: '1px solid gray'}} width="800" />
-1. **Macro Details**. Enter the name for the macro. Description is optional.
-1. **Macro Definition**. Enter the definition for the macro. To add arguments use the `{{Arg}}` syntax or select a part of the definition and click on **Add Argument**.
-1. (Optional) **Arguments**. Enter the name and select the data type for the argument selected.
-1. (Optional) **Argument Validation**. Define the validation condition and enter the error message that needs to be shown when the validation expression returns false.
-1. **Usage**. Preview of how you use the macro in the log search.
-1. Click **Submit** to save the macro.
+1. In the **Create Macro** page, enter the following details: <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/create-macro.png')} alt="create-macro" style={{border: '1px solid gray'}} width="800" />
+    1. **Macro Details**. Enter the name for the macro. Description is optional.
+    1. **Macro Definition**. Enter the definition for the macro. To add arguments use the `{{Arg}}` syntax or select a part of the definition and click on **Add Argument**.
+    1. (Optional) **Arguments**. Enter the name and select the data type for the argument selected.
+    1. (Optional) **Argument Validation**. Define the validation condition and enter the error message that needs to be shown when the validation expression returns false.
+    1. **Usage**. Preview of how you use the macro in the log search.
+    1. Click **Submit** to save the macro.
 
 ### Limitations
 
 - You can create a maximum of 50 macros.
 - You can add a maximum of 5 arguments.
-- You cannot edit or delete the macro. Submit a customer request to Sumo Logic if you still need to edit or delete a macro.
 - You are only allowed to use single expression.
 - You can only use the below listed argument validations:
   - `isValidIpV4`
@@ -110,3 +110,18 @@ To view any existing macro, follow the steps below:
 1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Managemenu**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
 1. In the **Macros** page, click on any of the macros that you want to view the macro details.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
 1. To use the selected macro in your log search query, copy the suggested **Usage** of the macro and include it in your query syntax. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-details.png')} alt="view-macro-logs-details" style={{border: '1px solid gray'}} width="400" />
+
+## Edit a macro operator
+
+1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
+1. In the **Macros** page, click on any of the macros that you want to edit.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
+1. Click **Edit** button to open the pane for editing. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-edit-button.png')} alt="macro-delete-pop-up" style={{border: '1px solid gray'}} width="400" />
+1. In the **Edit [macroname] macro** pop-up, click on **Continue**. You can also check where your macros have been used to avoid broken queries by clicking on **check queries that reference this macro**. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-edit-pop-up.png')} alt="macro-delete-pop-up" style={{border: '1px solid gray'}} width="400" />
+1. In the macro editing pane, perform the required editing and click **Submit**.
+
+## Delete a macro operator
+
+1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then under **Logs**, select **Macros**. You can also click the **Go To...** menu at the top of the screen and select **Macros**.<br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data** > **Logs** > **Macros**. 
+1. In the **Macros** page, click on any of the macros that you want to delete.<br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/view-macro-logs-page.png')} alt="macro-logs-page" style={{border: '1px solid gray'}} width="800" />
+1. Click **Delete** button to delete the macro. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-delete-button.png')} alt="macro-delete-button" style={{border: '1px solid gray'}} width="400" />
+1. In the **Delete [macroname] macro** pop-up, click on **Delete**. You can also check where your macros have been used to avoid broken queries by clicking on **check queries that reference this macro**. <br/><img src={useBaseUrl('img/search/searchquerylanguage/search-operators/macro-delete-pop-up.png')} alt="macro-delete-pop-up" style={{border: '1px solid gray'}} width="400" />

docs/security/threat-intelligence/about-threat-intelligence.md

@@ -52,7 +52,7 @@ The sources on the **Threat Intelligence** tab include:
 
 Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources:
 * **SumoLogic_ThreatIntel**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/).
-* **_sumo_global_feed_cs**. This is a source of threat indicators supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/).
+* **_sumo_global_feed_cs**. This is a source of threat indicators supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/). For more information, see [Sumo Logic Global Feed from CrowdStrike](/docs/security/threat-intelligence/sumologic-global-feed-from-crowdstrike/).
 
 ### Ingest threat intelligence indicators
 

docs/security/threat-intelligence/index.md

@@ -48,4 +48,10 @@ See the following articles to learn about Sumo Logic's threat intelligence capab
   <p>Learn about the mapping of threat intelligence schema from vendor sources to Sumo Logic schema.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href={useBaseUrl('docs/security/threat-intelligence/sumologic-global-feed-from-crowdstrike/')}><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="40"/><h4>Global Feed from CrowdStrike</h4></a>
+  <p>Learn about Sumo Logic's threat intelligence feed of indicators from CrowdStrike.</p>
+  </div>
+</div>
 </div>