Links in Rule Description Field
Often, organizations will document standard procedures or runbooks to follow when investigating or responding to certain types of security events. To help analysts more easily access these documents, the description fields in Rules now support standard markdown syntax for links (only). Since the description is included in any resulting Signals, analysts can easily click the link to open the documentation in a new tab/window.
For example, you could put the following in a Rule description field:
Follow [these steps](http://somedomain.com/runbook1234.html) to investigate.
Then, when a Signal is generated from that Rule, it would include that text as a clickable link.
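Because every Signal carries the Rule description, a link placed there is one analysts will click during an investigation. The following is an added example, not part of the product or of these release notes: it audits rule descriptions and flags links that are not HTTPS or that point outside an approved list of runbook hosts. The approved host names, the sample rules and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Inline markdown link: [text](url). Only this form is checked, because links
# are the only markdown the description field supports.
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")

# Assumption: hosts where your organization keeps its runbooks (constructed).
APPROVED_HOSTS = {"wiki.example.com", "runbooks.example.com"}

# Constructed sample input: rule name -> description text.
SAMPLE_RULES = {
    "Brute Force Attempt":
        "Follow [these steps](https://wiki.example.com/runbook1234.html) to investigate.",
    "Legacy Rule":
        "Follow [these steps](http://somedomain.com/runbook1234.html) to investigate.",
    "No Link": "Investigate manually.",
}


def extract_links(description):
    """Return (text, url) pairs for every markdown link in a description."""
    return LINK_RE.findall(description)


def audit_description(description, approved_hosts=APPROVED_HOSTS):
    """Return (url, problem) findings for one rule description."""
    findings = []
    for _text, url in extract_links(description):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((url, "not https"))
        if host not in approved_hosts:
            findings.append((url, "host not approved"))
    return findings


def audit_rules(rules, approved_hosts=APPROVED_HOSTS):
    """Map rule name -> findings, only for rules with at least one finding."""
    report = {}
    for name, description in rules.items():
        findings = audit_description(description, approved_hosts)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for rule, findings in audit_rules(SAMPLE_RULES).items():
        for url, problem in findings:
            print(f"{rule}: {url}: {problem}")
```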
Minor Changes and Enhancements
- [Update] Wildcards can now be used in the Value field for Entity Groups. For example, you can specify
- [Update] Second-level unnormalized inventory attributes (like fields.foo.bar) can now be used in the Inventory Key field for Entity Groups.
- [Update] Playbooks in the Automation Service no longer have to be of type CSE; all published playbooks will be available for use in Automations.
- [New] A new API endpoint has been added that supports enabling or disabling Log Mappings,
- [New] A new API endpoint has been added to support customers with large numbers of Entities. GET /entities/all uses a "cursor" to page through a complete list of Entities.
- [Deprecated] The legacy (JASK) feature for forwarding Signal data to a Sumo Logic index has been deprecated. Signal data is automatically forwarded to the
- [Update] The UI has been updated to reflect recent product name changes. Cloud SIEM Enterprise is now Cloud SIEM, and Continuous Intelligence Platform is now Log Analytics Platform. URLs and API endpoints have not been changed.
- Users were unable to define rules with names that had been previously used (but deleted).
- Links from the legend for the new Insights by Status panel on the HUD were not enabled properly.