})
+
+We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis. IoCs are individual data points about threats that are gathered from external sources about various entities such as host names, file hashes, IP addresses, and other known targets for compromise.
+
+Once indicators are ingested and appear on the **Threat Intelligence** tab, Cloud SIEM analysts can use the `hasThreatMatch` function in Cloud SIEM rules to analyze incoming records for matches to the threat intelligence indicators.
+
+Sumo Logic Threat Intelligence will help you stay ahead of emerging threats and enhance your security posture.
+
+:::note
+Only Cloud SIEM administrators can add threat intelligence indicators to the datastore.
+:::
+
+[Learn more](/docs/security/threat-intelligence/about-threat-intelligence).
+
+})
diff --git a/cid-redirects.json b/cid-redirects.json
index eff308ff60..2c4caf4060 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -1557,7 +1557,9 @@
"/cid/1": "/docs/search/get-started-with-search/build-search/search-syntax-overview",
"/cid/0100": "/docs/manage/security/installation-tokens",
"/cid/0020": "/docs/manage/health-events",
- "/cid/0020001": "/docs/platform-services/threat-intelligence-indicators",
+ "/cid/0020001": "/docs/security/threat-intelligence/upload-formats",
+ "/cid/20002": "/docs/search/search-query-language/search-operators/threatlookup",
+ "/cid/0020003": "/docs/security/threat-intelligence",
"/cid/0523": "/docs/manage/manage-subscription/upgrade-account/upgrade-sumo-logic-flex-account",
"/cid/0524": "/docs/manage/manage-subscription/cloud-flex-legacy-accounts",
"/cid/1000": "/docs/send-data/installed-collectors/sources/local-file-source",
@@ -2863,7 +2865,7 @@
"/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",
"/Cloud_SIEM_Enterprise/Administration/Create_a_Custom_Tag_Schema": "/docs/cse/administration/create-a-custom-tag-schema",
"/Cloud_SIEM_Enterprise/Administration/Configure_a_Custom_Inventory_Source": "/docs/cse/administration/custom-inventory-sources",
- "/Cloud_SIEM_Enterprise/Administration/Create_a_Custom_Threat_Intel_Source": "/docs/cse/administration/create-custom-threat-intel-source",
+ "/Cloud_SIEM_Enterprise/Administration/Create_a_Custom_Threat_Intel_Source": "/docs/security/threat-intelligence/threat-indicators-in-cloud-siem",
"/Cloud_SIEM_Enterprise/Administration/Create_and_Use_Network_Blocks": "/docs/cse/administration/create-use-network-blocks",
"/Cloud_SIEM_Enterprise/Administration/Create_CSE_Actions": "/docs/cse/administration/create-cse-actions",
"/Cloud_SIEM_Enterprise/Administration/Create_CSE_Context_Actions": "/docs/cse/administration/create-cse-context-actions",
@@ -3295,7 +3297,7 @@
"/Manage/Security/Set_a_Limit_for_User_Concurrent_Sessions": "/docs/manage/security/set-limit-user-concurrent-sessions",
"/Manage/Security/Set_a_Maximum_Web_Session_Timeout": "/docs/manage/security/set-max-web-session-timeout",
"/Manage/Security/Set-the-Password-Policy": "/docs/manage/security/set-password-policy",
- "/Manage/Threat-Intel-Ingest": "/docs/integrations/amazon-aws/threat-intel",
+ "/Manage/Threat-Intel-Ingest": "/docs/security/threat-intelligence",
"/Manage/Users-and-Roles": "/docs/manage/users-roles",
"/Manage/Users-and-Roles/Manage-Roles": "/docs/manage/users-roles",
"/Manage/Users-and-Roles/Manage-Roles/About-Roles": "/docs/manage/users-roles/roles",
diff --git a/docs/api/threat-intel-ingest.md b/docs/api/threat-intel-ingest.md
new file mode 100644
index 0000000000..d3e2f58688
--- /dev/null
+++ b/docs/api/threat-intel-ingest.md
@@ -0,0 +1,32 @@
+---
+id: threat-intel-ingest
+title: Threat Intel Ingest Management APIs
+sidebar_label: Threat Intel Ingest Management
+description: The Threat Intel Ingest Management API allows you to upload STIX 2.x threat intel indicators, view storage status of threat intel ingest service, and view and set the retention period for threat intel indicators.
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import ApiIntro from '../reuse/api-intro.md';
+
+}){kind=icon}
+
+The [Threat Intel Ingest Management](/docs/security/threat-intelligence) API allows you to:
+
+* Upload STIX 2.x threat intel indicators
+* View storage status of threat intel ingest service
+* View and set the retention period for threat intel indicators
+
+})
-
-Like match lists, Threat Intelligence lists are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your configured Threat Intelligence lists.
-
-When a record contains a value that matches an entry in one or more Threat Intelligence lists, just like with match list data, two fields in the record get populated: a `listMatches` field that contains the names of Threat Intelligence lists that the record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.
-
-For example, given a record whose `SourceIp` column matches a entry in My Threat Intelligence List, the `listMatches` field added to the record would look like this:
-
-```sql
-listMatches: \['threat_Ip_My_Threat_Intel_List', 'source:My_Threat_Intel_List', 'column:Ip', 'column:SrcIp' 'threat'\]
-```
-where:
-
-* `threat_Ip_My_Threat_Intel_List` is formed by concatenating the following, separated by underscore characters (_):
- * the string `threat`
- * the type of the column–Ip Domain, FileHash, and so on–in the record that matched an Indicator from the threat intelligence source
-* The name of the threat intelligence source, with embedded spaces replaced by underscore characters (_).
-* `source:My_Threat_Intel_List` identifies the threat intelligence list.
-* `column:Ip` identifies the type of the field where the match was found.
-* `column:SrcIp` identifies the name of the field where the match was found.
-* `threat `is a string that Cloud SIEM uses to indicate that the record field matched a threat source, rather than another type of list.
-
-Because the threat intelligence information is persisted within records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
-
-```sql
-array_contains(listMatches, "threat-intel-list-name")
-```
-
-where
-
-`threat-intel-list` is the name of the Threat Intelligence list.
-
-:::note
-If your `array_contains` statement refers to a threat intelligence source whose name contains embedded spaces, be sure to replace the spaces with underscores.
-:::
diff --git a/docs/cse/rules/cse-rules-syntax.md b/docs/cse/rules/cse-rules-syntax.md
index 2748005ee5..ea89e7c44f 100644
--- a/docs/cse/rules/cse-rules-syntax.md
+++ b/docs/cse/rules/cse-rules-syntax.md
@@ -624,6 +624,68 @@ The following expression returns "10.10.1.0":
`getCIDRPrefix("10.10.1.35", "24")`
+### hasThreatMatch
+
+The `hasThreatMatch` Cloud SIEM rules function matches incoming records in Cloud SIEM to [threat intelligence indicators](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). It can also match values in [Custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/).
+
+**Syntax**
+
+`hasThreatMatch([})
* **Collection**. [Collection](/docs/send-data/collection/), [OpenTelemetry Collection](/docs/send-data/opentelemetry-collector/), [Source Template](/docs/send-data), [Status](/docs/manage/ingestion-volume/collection-status-page/), [Ingest Budget](/docs/manage/ingestion-volume/ingest-budgets/), [Health Events](/docs/manage/health-events/), [Archive](/docs/manage/data-archiving/archive), [Data Archiving](/docs/manage/data-archiving/).
-* **Logs**. [Fields](/docs/manage/fields/), [Field Extraction Rules](/docs/manage/field-extractions/), [Partitions](/docs/manage/partitions/), [Scheduled Views](/docs/manage/scheduled-views/), [Data Forwarding](/docs/manage/data-forwarding/), [Threat Intelligence](/docs/platform-services/threat-intelligence-indicators/).
+* **Logs**. [Fields](/docs/manage/fields/), [Field Extraction Rules](/docs/manage/field-extractions/), [Partitions](/docs/manage/partitions/), [Scheduled Views](/docs/manage/scheduled-views/), [Data Forwarding](/docs/manage/data-forwarding/), [Threat Intelligence](/docs/security/threat-intelligence/).
* **Metrics**. [Metrics Rules](/docs/metrics/metric-rules-editor/), [Logs-to-Metrics](/docs/metrics/logs-to-metrics/), [Metrics Transformation Rules](/docs/metrics/metrics-transformation-rules/).
* **Monitoring**. [Connections](/docs/alerts/webhook-connections).
diff --git a/docs/integrations/amazon-aws/api-gateway.md b/docs/integrations/amazon-aws/api-gateway.md
index 65ffba46e5..cf7ea3b448 100644
--- a/docs/integrations/amazon-aws/api-gateway.md
+++ b/docs/integrations/amazon-aws/api-gateway.md
@@ -640,7 +640,7 @@ Use these dashboards to:
* Monitor all API Gateway-related audit logs available via CloudTrail events
* Monitor incoming user activity locations for both successful and failed events to ensure the activity matches with expectations
* Monitor successful and failed API Gateway events, users and user agents / fail activities, and failure reasons
-* Monitor requests coming in from known malicious IP addresses detected via [Sumo Logic Threat Intel](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq)
+* Monitor requests coming in from known malicious IP addresses detected via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/)
diff --git a/docs/integrations/amazon-aws/application-load-balancer.md b/docs/integrations/amazon-aws/application-load-balancer.md
index 7289111c03..0fbdce0640 100644
--- a/docs/integrations/amazon-aws/application-load-balancer.md
+++ b/docs/integrations/amazon-aws/application-load-balancer.md
@@ -234,7 +234,7 @@ Use this dashboard to:
### Threat Intel
-The **AWS Application Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined through [Sumo Logic’s Threat Intel feature](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
+The **AWS Application Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined through Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
Use this dashboard to:
* Identify known malicious IPs that access your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward.
diff --git a/docs/integrations/amazon-aws/classic-load-balancer.md b/docs/integrations/amazon-aws/classic-load-balancer.md
index 20c706bd9e..09f5d83098 100644
--- a/docs/integrations/amazon-aws/classic-load-balancer.md
+++ b/docs/integrations/amazon-aws/classic-load-balancer.md
@@ -237,7 +237,7 @@ Use this dashboard to:
### Threat Intel
-The **AWS Classic Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined via [Sumo Logic’s Threat Intel feature](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). Dashboard panels show detailed information on malicious IPs and the malicious confidence of each threat.
+The **AWS Classic Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Dashboard panels show detailed information on malicious IPs and the malicious confidence of each threat.
Use this dashboard to:
* Identify known malicious IPs that are accessing your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward.
diff --git a/docs/integrations/amazon-aws/lambda.md b/docs/integrations/amazon-aws/lambda.md
index 9607dc1931..34bd4c0d95 100644
--- a/docs/integrations/amazon-aws/lambda.md
+++ b/docs/integrations/amazon-aws/lambda.md
@@ -383,7 +383,7 @@ Use this dashboard to:
### Threat Intel
-**AWS Lambda - Threat Intel** dashboard provides insights into incoming requests to your AWS Lambda functions from malicious sources determined via [Sumo Logic’s Threat Intel feature](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
+**AWS Lambda - Threat Intel** dashboard provides insights into incoming requests to your AWS Lambda functions from malicious sources determined via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
Use this dashboard to:
* Identify known malicious IPs that are access your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward
diff --git a/docs/integrations/amazon-aws/network-firewall.md b/docs/integrations/amazon-aws/network-firewall.md
index d976e83cf8..7d0317245e 100644
--- a/docs/integrations/amazon-aws/network-firewall.md
+++ b/docs/integrations/amazon-aws/network-firewall.md
@@ -150,10 +150,10 @@ Use this dashboard to:
### IDS Overview
-The **AWS Network Firewall - IDS Overview** provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with CrowdStrike threat intelligence data, and top systems blocked.
+The **AWS Network Firewall - IDS Overview** provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data, and top systems blocked.
Use this dashboard to:
* Gain visibility into alerts generated by the AWS Network Firewall including location information from top destinations.
-* Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Crowdstrike Threat Intelligence data.
+* Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data.
})
diff --git a/docs/integrations/amazon-aws/route-53-resolver-security.md b/docs/integrations/amazon-aws/route-53-resolver-security.md
index 72e85cf277..f14eb6f738 100644
--- a/docs/integrations/amazon-aws/route-53-resolver-security.md
+++ b/docs/integrations/amazon-aws/route-53-resolver-security.md
@@ -61,7 +61,7 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md';
### Query Logging Overview
-The Query Logging Overview Dashboard provides insights into DNS activities such as DNS queries by location, VPC and instance ID. Additional security information is provided, including blocked and alerted DNS queries from the Route 53 DNS Resolver Firewall, and Threat Intel matches from Sumo Logic's CrowdStrike integration.
+The Query Logging Overview Dashboard provides insights into DNS activities such as DNS queries by location, VPC and instance ID. Additional security information is provided, including blocked and alerted DNS queries from the Route 53 DNS Resolver Firewall, and threat intel matches from Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
@@ -152,7 +152,7 @@ Panels include:
### Threat Intel
-The Threat Intel Dashboard provides details of AWS DNS Resolver Queries that matches the built-in CrowdStrike threat intelligence data with known malicious IP addresses and Domains, allowing for real-time security analytics to help detect threats in your environment and protect against cyber attacks.
+The Threat Intel Dashboard provides details of AWS DNS Resolver Queries that matches the Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data with known malicious IP addresses and Domains, allowing for real-time security analytics to help detect threats in your environment and protect against cyber attacks.
})
diff --git a/docs/integrations/amazon-aws/threat-intel.md b/docs/integrations/amazon-aws/threat-intel.md
index 75c1d84fcb..5c4e0d739c 100644
--- a/docs/integrations/amazon-aws/threat-intel.md
+++ b/docs/integrations/amazon-aws/threat-intel.md
@@ -1,14 +1,14 @@
---
id: threat-intel
title: AWS Threat Intel
-description: The Threat Intel for AWS App correlates CrowdStrike threat intelligence data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks.
+description: The Threat Intel for AWS App correlates Sumo Logic threat intelligence data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
})
-The Threat Intel for AWS App correlates CrowdStrike threat intelligence data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks. The Threat Intel for AWS App scans your AWS CloudTrail, AWS ELB and AWS VPC Flow logs for threats based on IP address.
+The Threat Intel for AWS App correlates Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks. The Threat Intel for AWS App scans your AWS CloudTrail, AWS ELB and AWS VPC Flow logs for threats based on IP address.
The Sumo Logic Threat Intel lookup database is only available with Sumo Logic Enterprise and Professions accounts, or during a 30-day trial period. The Threat Intel lookup database is not available for Sumo Logic Free accounts.
@@ -71,7 +71,7 @@ Use this dashboard for details on potential threats and IOCs for AWS CloudTrail.
})
-* **Threats by Geo Location.** View the geo location of threats by IP address that have been identified by Crowdstrike with a malicious confidence of High over the last 24 hours.
+* **Threats by Geo Location.** View the geo location of threats by IP address that have been identified by Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) with a malicious confidence of High over the last 24 hours.
* **Threats Associated with CloudTrail Events.** Track events in CloudTrail by event time where the malicious confidence is High by source user, source IP address, event name, AWS region, result, malicious confidence, label name, threat malware families, threat last updated, and count for the last 24 hours.
* **Threats by Events and I.P.** Compare events where the malicious confidence is High by source IP address over the last 24 hours.
* **Threats Over Time by Result.** Compare successful versus access denied threats with a High malicious confidence for the last 24 hours, timesliced by hour.
diff --git a/docs/integrations/amazon-aws/waf.md b/docs/integrations/amazon-aws/waf.md
index 617a6f3f0d..b49ac50e8f 100644
--- a/docs/integrations/amazon-aws/waf.md
+++ b/docs/integrations/amazon-aws/waf.md
@@ -54,13 +54,20 @@ The Sumo Logic app for AWS WAF analyzes traffic flowing through AWS WAF and auto
}
```
-## Sample queries
-
+## Sample queries
```sql title="Client IP Threat Info"
_sourceCategory=AWS/WAF {{client_ip}}
| parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
```
+
## Collecting logs for the AWS WAF app
diff --git a/docs/integrations/microsoft-azure/teams.md b/docs/integrations/microsoft-azure/teams.md
index 87239e9722..b1677da67b 100644
--- a/docs/integrations/microsoft-azure/teams.md
+++ b/docs/integrations/microsoft-azure/teams.md
@@ -87,7 +87,7 @@ The Teams - User Sessions dashboard provides an in depth view of the user logins
Use this dashboard to:
* Identify user sessions relative to their locations and compare login statistics over time.
* Understand the client platforms and versions that are being used.
-* Report on login IP addresses correlated to potential threats via Crowdstrike.
+* Report on login IP addresses correlated to potential threats via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md
index 52ea74b3af..042d03c2cf 100644
--- a/docs/integrations/product-list/product-list-a-l.md
+++ b/docs/integrations/product-list/product-list-a-l.md
@@ -169,7 +169,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| }){kind=logo}
| [Couchbase](https://www.couchbase.com/) | Apps:}){kind=logo}
| [Cribl](https://cribl.io/) | Automation integration: [Cribl](/docs/platform-services/automation-service/app-central/integrations/cribl/) })
| [Criminal IP](https://www.criminalip.io/) | Automation integration: [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip) |
-| })
| [CrowdStrike](https://www.crowdstrike.com/) | Apps: | [CrowdStrike](https://www.crowdstrike.com/) | Apps: })
| [Cuckoo](https://cuckoo.readthedocs.io/en/latest/#) | Automation integration: [Cuckoo](/docs/platform-services/automation-service/app-central/integrations/cuckoo/) |
| })
| [CyberArk](https://www.cyberark.com/) | Automation integrations: })
| [CyberInt](https://cyberint.com/) | Automation integration: [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint) |
@@ -251,8 +251,8 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| })
| [GitHub](https://github.com/) | App: [GitHub](/docs/integrations/app-development/github/) })
| [GitLab](https://about.gitlab.com/) | App: [GitLab](/docs/integrations/app-development/gitlab/) }){kind=icon}
| [Gmail](https://www.google.com/gmail/about/) | App: [Gmail Trace Logs](/docs/integrations/saas-cloud/gmail-tracelogs) })
| [Google](https://about.google/) | Apps: }){kind=logo}
| [Google Workspace](https://workspace.google.com/) | App: [Google Workspace](/docs/integrations/google/workspace/install-app-dashboards/) | [Google](https://about.google/) | Apps: | [Google Workspace](https://workspace.google.com/) | App: [Google Workspace](/docs/integrations/google/workspace/install-app-dashboards/) }){kind=logo}
| [Grafana](https://grafana.com/) | Webhook: [Grafana OnCall](/docs/integrations/webhooks/grafana-oncall/) |
| }){kind=logo}
| [Gremlin](https://www.gremlin.com/) | Webhook: [Gremlin](/docs/integrations/webhooks/gremlin/) |
| })
| [GreyNoise](https://www.greynoise.io/) | Automation integration: [GreyNoise](/docs/platform-services/automation-service/app-central/integrations/greynoise/) |
@@ -286,7 +286,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| }){kind=logo}
| [Infoblox](https://www.infoblox.com/) | Cloud SIEM integration: [Infoblox](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/fa08cfce-e611-42b7-8317-8b0beca298d5.md) |
| }){kind=logo}
| [ISC](https://www.isc.org/) | Cloud SIEM integration: [ISC](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1583cfd2-7ece-4060-991b-06dcf8567943.md) |
| })
| [Istio](https://istio.io/) | App: [Istio](/docs/integrations/saas-cloud/istio/) |
-| })
| [Intel471](https://intel471.com/) | Automation integration: [Intel471](/docs/platform-services/automation-service/app-central/integrations/intel-471/) |
+| | [Intel471](https://intel471.com/) | Automation integration: [Intel471](/docs/platform-services/automation-service/app-central/integrations/intel-471/) })
| [Intelligence X](https://intelx.io/) | Automation integration: [Intelligence X](/docs/platform-services/automation-service/app-central/integrations/intelligence-x/) |
| })
| [Intezer](https://intezer.com/) | Automation integration: [Intezer](/docs/platform-services/automation-service/app-central/integrations/intezer/) |
| })
| [Intsights TIP](https://intsights.com/) | Automation integration: [Intsights TIP](/docs/platform-services/automation-service/app-central/integrations/intsights-tip/) |
diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md
index 4e2628b762..6377604462 100644
--- a/docs/integrations/product-list/product-list-m-z.md
+++ b/docs/integrations/product-list/product-list-m-z.md
@@ -157,6 +157,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| }){kind=logo}
| [StackRox](https://www.stackrox.io/) | Collector: [StackRox](https://cdn.stackrox.io/integrations/sumologic-stackrox-app.pdf) }){kind=logo}
| [StatsD](https://www.datadoghq.com/blog/statsd/) | Collector: [Collect StatsD Metrics](/docs/send-data/collect-from-other-data-sources/collect-statsd-metrics/) |
| })
| [Stellar Cyber](https://stellarcyber.ai/) | Automation integration: [Stellar Cyber Starlight](/docs/platform-services/automation-service/app-central/integrations/stellar-cyber-starlight/) |
+| }){kind=logo}
| [STIX](https://oasis-open.github.io/cti-documentation/) | Collectors: })
| [Strimzi](https://strimzi.io/) | App: [Strimzi Kafka](/docs/integrations/containers-orchestration/strimzi-kafka/) |
| }){kind=logo}
| [Stripe](https://stripe.com/) | Webhook: [Stripe](/docs/integrations/webhooks/stripe/) |
| }){kind=logo}
| [Sucuri](https://sucuri.net/) | Cloud SIEM integration: [Sucuri](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/cdfd2ba0-77eb-4e11-b071-6f4d01fda607.md) |
@@ -226,6 +227,6 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| })
| [Zendesk](https://www.zendesk.com/) | App: [Zendesk](/docs/integrations/saas-cloud/zendesk/) }){kind=logo}
| [Zenduty](https://www.zenduty.com/) | Webhook: [Zenduty](/docs/integrations/webhooks/zenduty/) |
| }){kind=icon}
| [Zero Networks](https://zeronetworks.com/) | Cloud SIEM integration: [Zero Networks](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/3e3c8813-9644-4fd6-9d6f-78bb8ffc5f44.md) }){kind=logo}
| [ZeroFox](https://www.zerofox.com/) | Automation integration: [ZeroFOX](/docs/platform-services/automation-service/app-central/integrations/zerofox/) | [ZeroFox](https://www.zerofox.com/) | Automation integration: [ZeroFox](/docs/platform-services/automation-service/app-central/integrations/zerofox/) })
| [Zoom](https://zoom.us/) | App: [Zoom](/docs/integrations/saas-cloud/zoom/) })
| [Zscaler](https://www.zscaler.com/) | Apps: })
diff --git a/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md b/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
index 821d7d0c76..ba4e461ee7 100644
--- a/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
+++ b/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
@@ -2,43 +2,40 @@
id: threat-intel-quick-analysis
title: Threat Intel Quick Analysis
sidebar_label: Threat Intel Quick Analysis
-description: The Threat Intel Quick Analysis App correlates CrowdStrike's threat intelligence data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks.
+description: The Threat Intel Quick Analysis app correlates threat intelligence data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
})
-The Threat Intel Quick Analysis App correlates [CrowdStrike's](https://www.crowdstrike.com/sumologic/) threat intelligence data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. The Threat Intel Quick Analysis App scans selected logs for threats based on **IP**, **URL**, **domain, Hash 256,** and **email**.
-
+The Threat Intel Quick Analysis app correlates [threat intelligence](/docs/security/threat-intelligence/) data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. The Threat Intel Quick Analysis app scans selected logs for threats based on IP, URL, domain, SHA-256 hashes, and email.
## Log types
-The Threat Intel Quick Analysis App can be used for any type of logs, regardless of format. Ideal log sources should include **IP**, **URL**, **domain**, **Hash 256**, and/or **email** information.
-
+The Threat Intel Quick Analysis app can be used for any type of logs, regardless of format. Ideal log sources should include IP, URL, domain, SHA-256 hashes, and/or email information.
-## Installing the Threat Intel Quick Analysis App
+## Installing the Threat Intel Quick Analysis app
-This app contains generic regex expressions and thus may not perform well at very large scale. Once you are familiar with Sumo Logic, you can apply performance optimization techniques as described in [Threat Intel Optimization](#threat-intel-optimization). Alternatively, you can run this app on smaller and more specific data streams.
+This app contains generic regex expressions and thus may not perform well at very large scale. Once you are familiar with Sumo Logic, you can apply performance optimization techniques as described in [Threat Intel optimization](#threat-intel-optimization). Alternatively, you can run this app on smaller and more specific data streams.
-This section provides instructions on how to install the Threat Intel Quick Analysis App, and examples of each of dashboards. The preconfigured searches and dashboards provide easy-to-access visual insights into your data.
+This section provides instructions on how to install the Threat Intel Quick Analysis app, and examples of each of dashboards. The preconfigured searches and dashboards provide easy-to-access visual insights into your data.
import AppInstall from '../../reuse/apps/app-install.md';
})
-* **Welcome to the Threat Intel Quick Analysis App.** Informational panel to help you find information on [optimization](#threat-intel-optimization) and [FAQs](#threat-intel-faq) on working with the Threat Intel database.
+* **Welcome to the Threat Intel Quick Analysis App.** Informational panel to help you find information on working with the threat intelligence database.
* **Number of Log Lines (Events) Scanned for Threats.** Count of log lines scanned across all selected sources for the last 15 minutes.
* **IP Threat Count.** Count of threats related to malicious IPs, for the last 15 minutes.
* **File Name Threat Count.** Count of threats related to malicious file names, for the last 15 minutes.
* **URL Threat Count.** Count of threats related to malicious URLs, for the last 15 minutes.
* **Email Threat Count.** Count of threats related to malicious email addresses, for the last 15 minutes.
* **Domain Threat Count.** Count of threats related to malicious domains, for the last 15 minutes.
-* **Threats by Malicious Confidence.** Qualifies all threats into High, Medium, Low, Unverified, according to CrowdStrike's machine learning engine.
-
+* **Threats by Malicious Confidence.** Qualifies all threats into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine.
### Domain
@@ -469,8 +255,8 @@ See the frequency of Domain threats by Actor, Log Source, Malicious Confidence,
})
* **Threat Count.** Count of threats related to malicious domains, for the last 15 minutes.
-* **Threats by Malicious Confidence.** Qualifies domain threats into High, Medium, Low, Unverified, according to CrowdStrike's machine learning engine.
-* **Threats by Actor.** Count of threats related to malicious domains, broken by Actors, for the last 15 minutes. [Actors](https://www.crowdstrike.com/blog/meet-the-adversaries/) are identified individuals, groups or nation-states associated to threats.
+* **Threats by Malicious Confidence.** Qualifies domain threats into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine.
+* **Threats by Actor.** Count of threats related to malicious domains, broken down by Actors, for the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
* **Threats by Sources.** Count of threats related to malicious domains, broken by Sources, for the last 15 minutes.
* **Threats Over Time.** Trends of domain threats over time for the last 60 minutes.
* **Threats Over Time by Sources.** Trends of domain threats over time, broken by Sources for the last 60 minutes.
@@ -483,14 +269,13 @@ See the frequency of Email threats by Actor, Log Source, Malicious Confidence, a
})
* **Threat Count.** Count of threats related to malicious emails addresses, for the last 15 minutes.
-* **Threats by Malicious Confidence.** Qualifies email address threats into High, Medium, Low, Unverified, according to CrowdStrike's machine learning engine.
+* **Threats by Malicious Confidence.** Qualifies email address threats into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine.
* **Threat Breakdown by Sources.** Count of threats related to malicious email addresses, broken by Sources, for the last 15 minutes.
* **Threats Over Time.** Trends of email address threats over time for the last 60 minutes.
* **Threats Over Time by Sources.** Trends of email address threats over time, broken by Sources for the last 60 minutes.
-* **Threats by Actor.** Count of threats related to malicious email addresses, broken by Actors, for the last 15 minutes. [Actors](https://www.crowdstrike.com/blog/meet-the-adversaries/) are identified individuals, groups or nation-states associated to threats.
+* **Threats by Actor.** Count of threats related to malicious email addresses, broken by Actors, for the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
* **Threats Table.** Listing of all domain threats, including Malicious Confidence, Actors and Sources.
-
### IP
See the frequency of IP threats by Actor, Log Source, Malicious Confidence, and view trends over time.
@@ -500,13 +285,12 @@ See the frequency of IP threats by Actor, Log Source, Malicious Confidence, and
* **Threat Count.** Count of threats related to malicious IPs, for the last 15 minutes.
* **Threats by Geo Location.** Count of threats related to malicious IPs, broken by geo location, for the last 15 minutes.
* **Threat Breakdown by Sources.** Count of threats related to malicious IPs, broken by Sources, for the last 15 minutes.
-* **Threats by Malicious Confidence.** Qualifies IP threats into High, Medium, Low, Unverified, according to CrowdStrike's machine learning engine.
-* **Threats by Actors.** Count of threats related to malicious IPs, broken by Actors, for the last 15 minutes. [Actors](https://www.crowdstrike.com/blog/meet-the-adversaries/) are identified individuals, groups or nation-states associated to threats.
+* **Threats by Malicious Confidence.** Qualifies IP threats into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine.
+* **Threats by Actors.** Count of threats related to malicious IPs, broken by Actors, for the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
* **Threats Over Time.** Trends of IP threats over time for the last 60 minutes.
* **Threats Table.** Listing of all IP threats, including Malicious Confidence, Actors and Sources.
* **Threats Over Time by Sources.** Trends of IP threats over time, broken by Sources for the last 60 minutes.
-
### URL
See the frequency of URL threats by Actor, Log Source, Malicious Confidence, and view trends over time.
@@ -515,23 +299,22 @@ See the frequency of URL threats by Actor, Log Source, Malicious Confidence, and
* **Threat Count.** Count of threats related to malicious URLs, for the last 15 minutes.
* **Threats by Sources.** Count of threats related to malicious URLs, broken by Sources, for the last 15 minutes.
-* **Threats by Actors.** Count of threats related to malicious URLs, broken by Actors, for the last 15 minutes. [Actors](https://www.crowdstrike.com/blog/meet-the-adversaries/) are identified individuals, groups or nation-states associated to threats.
-* **Threats by Malicious Confidence.** Qualifies URLP threats into High, Medium, Low, Unverified, according to CrowdStrike's machine learning engine.
+* **Threats by Actors.** Count of threats related to malicious URLs, broken by Actors, for the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
+* **Threats by Malicious Confidence.** Qualifies URLP threats into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine.
* **Threats Over Time.** Trends of URL threats over time for the last 60 minutes.
* **Threats Over Time by Sources.** Trends of URL threats over time, broken by Sources for the last 60 minutes.
* **Threat Table.** Listing of threats identified by URL, including information on Malicious Confidence, Actors, Source, and count.
-
### Hash 256
-See the frequency of Hash 256 threats by Actor, Log Source, Malicious Confidence, and view trends over time.
+See the frequency of SHA-256 threats by Actor, Log Source, Malicious Confidence, and view trends over time.
})
-* **Threat Count.** Count of total Hash 256 threats over the last 15 minutes.
-* **Threats by Malicious Confidence.** Qualifies Hash 256 threats for the last 60 minutes into High, Medium, Low, Unverified, according to CrowdStrike's machine learning engine and displayed as a pie chart.
-* **Threat Breakdown by Sources.** Pie chart of Hash 256 threats over the last 60 minutes broken down by source.
-* **Threats Over Time.** Line chart of the number of Hash 256 threats over the last 60 minutes.
-* **Threat Breakdown by Source.** Line chart of the number of Hash 256 threats over the last 60 minutes, broken down by source.
-* **Threats by Actor.** Identifies Actors, if any, that can be attributed to Hash 256 threats over the last 15 minutes. [Actors](https://www.crowdstrike.com/blog/meet-the-adversaries/) are identified individuals, groups or nation-states associated to threats.
-* **Threat Table.** Aggregation Table of Hash 256 threats over the last 15 minutes.
+* **Threat Count.** Count of total SHA-256 threats over the last 15 minutes.
+* **Threats by Malicious Confidence.** Qualifies SHA-256 threats for the last 60 minutes into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine and displayed as a pie chart.
+* **Threat Breakdown by Sources.** Pie chart of SHA-256 threats over the last 60 minutes broken down by source.
+* **Threats Over Time.** Line chart of the number of SHA-256 threats over the last 60 minutes.
+* **Threat Breakdown by Source.** Line chart of the number of SHA-256 threats over the last 60 minutes, broken down by source.
+* **Threats by Actor.** Identifies Actors, if any, that can be attributed to SHA-256 threats over the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
+* **Threat Table.** Aggregation Table of SHA-256 threats over the last 15 minutes.
diff --git a/docs/integrations/web-servers/apache-tomcat.md b/docs/integrations/web-servers/apache-tomcat.md
index 3e2ad004b5..8bc9ae38a5 100644
--- a/docs/integrations/web-servers/apache-tomcat.md
+++ b/docs/integrations/web-servers/apache-tomcat.md
@@ -692,7 +692,7 @@ The **Apache Tomcat - Garbage Collector** dashboard provides information on the
The **Apache Tomcat - Threat Intel** dashboard provides an at-a-glance view of threats to Apache Tomcat servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
-* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/web-servers/haproxy.md b/docs/integrations/web-servers/haproxy.md
index 74d85a78cf..520085a83e 100644
--- a/docs/integrations/web-servers/haproxy.md
+++ b/docs/integrations/web-servers/haproxy.md
@@ -456,7 +456,7 @@ Use this dashboard to:
The **HAProxy - Threat Inte**l dashboard provides an at-a-glance view of threats to HAProxy servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
-* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/web-servers/nginx-ingress.md b/docs/integrations/web-servers/nginx-ingress.md
index cf80660cf8..007c7a9477 100644
--- a/docs/integrations/web-servers/nginx-ingress.md
+++ b/docs/integrations/web-servers/nginx-ingress.md
@@ -156,7 +156,7 @@ You can use schedule searches to send alerts to yourself whenever there is an ou
The **Nginx Ingress - Threat Intel** dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
-* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/web-servers/nginx-plus-ingress.md b/docs/integrations/web-servers/nginx-plus-ingress.md
index c9eead2d02..5df3dae669 100644
--- a/docs/integrations/web-servers/nginx-plus-ingress.md
+++ b/docs/integrations/web-servers/nginx-plus-ingress.md
@@ -176,7 +176,7 @@ You can use schedule searches to send alerts to yourself whenever there is an ou
The **Nginx Plus Ingress - Threat Inte**l dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
-* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the[ Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using theSumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/web-servers/nginx-plus.md b/docs/integrations/web-servers/nginx-plus.md
index c6b62b7e31..7f9de9b775 100644
--- a/docs/integrations/web-servers/nginx-plus.md
+++ b/docs/integrations/web-servers/nginx-plus.md
@@ -358,7 +358,7 @@ You can use schedule searches to send alerts to yourself whenever there is an ou
The **Nginx Plus - Threat Inte**l dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
-* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the[ Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/web-servers/nginx.md b/docs/integrations/web-servers/nginx.md
index 0c4f07ef6e..a5500910ad 100644
--- a/docs/integrations/web-servers/nginx.md
+++ b/docs/integrations/web-servers/nginx.md
@@ -420,7 +420,7 @@ You can use schedule searches to send alerts to yourself whenever there is an ou
The **Nginx - Threat Intel** dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.
Use this dashboard to:
-* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry.md b/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry.md
index f47c32e5a0..d207108ed2 100644
--- a/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry.md
+++ b/docs/integrations/web-servers/opentelemetry/apache-tomcat-opentelemetry.md
@@ -373,7 +373,7 @@ The **Apache Tomcat - Threat Intel** dashboard provides an at-a-glance view of t
Use this dashboard to:
-- To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo Logic - CrowdStrike](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-faq) threat feed.
+- To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
diff --git a/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md b/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md
index cba874ef1c..f4b273480e 100644
--- a/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md
+++ b/docs/integrations/web-servers/opentelemetry/haproxy-opentelemetry.md
@@ -302,7 +302,7 @@ The **HAProxy - Threat Analysis** dashboard provides an at-a-glance view of thre
Use this dashboard to:
-- To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-faq) threat feed.
+- To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
diff --git a/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry.md b/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry.md
index c8a141c10c..571a437c3b 100644
--- a/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry.md
+++ b/docs/integrations/web-servers/opentelemetry/nginx-opentelemetry.md
@@ -238,7 +238,7 @@ You can use schedule searches to send alerts to yourself whenever there is an ou
### Threat Intel
-The **Nginx - Threat Intel** dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats. Use this dashboard to gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-faq) threat feed.
+The **Nginx - Threat Intel** dashboard provides an at-a-glance view of threats to Nginx servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats. Use this dashboard to gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
diff --git a/docs/integrations/web-servers/varnish.md b/docs/integrations/web-servers/varnish.md
index 35400aa597..83becc50a2 100644
--- a/docs/integrations/web-servers/varnish.md
+++ b/docs/integrations/web-servers/varnish.md
@@ -504,7 +504,7 @@ The **Varnish - Threat Intel** dashboard provides an at-a-glance view of threats
Use this dashboard to:
* To gain insights and understand threats in incoming traffic and discover potential IOCs.
-* Incoming traffic requests are analyzed using the [Sumo - Crowdstrikes](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq) threat feed.
+* Incoming traffic requests are analyzed using Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
})
diff --git a/docs/manage/manage-subscription/sumo-logic-credits-accounts.md b/docs/manage/manage-subscription/sumo-logic-credits-accounts.md
index e734aff849..f1d9d8ccf3 100644
--- a/docs/manage/manage-subscription/sumo-logic-credits-accounts.md
+++ b/docs/manage/manage-subscription/sumo-logic-credits-accounts.md
@@ -86,7 +86,7 @@ The following table provides a summary list of key features by Credits package a
| Audit Event Index | |  | |  |  |  |
| Cloud SIEM | | | | | Activation required* | Activation required* |
| Cloud SOAR | | | | | | Activation required* |
-| CrowdStrike Threat Intel | |  |  |  |  |  |
+| Threat Intel | |  |  |  |  |  |
| Collector Management API |  |  |  |  |  |  |
| Data Forwarding | |  |  |  |  |  |
| Data Tiers | | | | | |  |
diff --git a/docs/manage/manage-subscription/sumo-logic-flex-accounts.md b/docs/manage/manage-subscription/sumo-logic-flex-accounts.md
index 4cd824860b..01fadd6e01 100644
--- a/docs/manage/manage-subscription/sumo-logic-flex-accounts.md
+++ b/docs/manage/manage-subscription/sumo-logic-flex-accounts.md
@@ -74,7 +74,7 @@ The following table provides a summary list of key features by Flex package acco
| Cloud SOAR | | | | Activation required* |
| Collector Management API |  |  |  | |
| Compliance and Audit Logging | |  | |  |
-| CrowdStrike Threat Intelligence | |  | |  |
+| Threat Intelligence | |  | |  |
| Customizable Dashboards |  |  | |  |
| Data Forwarding | |  |  | |
| Data Volume Index | |  |  | |
diff --git a/docs/manage/security/audit-indexes/audit-event-index.md b/docs/manage/security/audit-indexes/audit-event-index.md
index aa335d1764..ecfd7df565 100644
--- a/docs/manage/security/audit-indexes/audit-event-index.md
+++ b/docs/manage/security/audit-indexes/audit-event-index.md
@@ -66,6 +66,8 @@ _index=sumologic_audit_events _sourceCategory=accessKeys
| Security Policy: [Support Account Access](/docs/manage/security/enable-support-account) | `supportAccount` |
| [Service Allowlist](/docs/manage/security/create-allowlist-ip-cidr-addresses) | `serviceAllowlist` |
| [Support Account](/docs/manage/security/enable-support-account) | `supportAccount` |
+| [Threat Intelligence](/docs/security/threat-intelligence/) | `threatIntelligence` |
+| [Tracing Ingest](/docs/apm/traces/tracing-ingest) | `tracingIngest` |
| [Transformation Rules](/docs/metrics/metrics-transformation-rules) | `transformationRules` |
| [Users](/docs/manage/users-roles) | `users` |
| User Sessions | `userSessions` |
diff --git a/docs/manage/users-roles/roles/role-capabilities.md b/docs/manage/users-roles/roles/role-capabilities.md
index a3a31bf0d1..ea0708d55c 100644
--- a/docs/manage/users-roles/roles/role-capabilities.md
+++ b/docs/manage/users-roles/roles/role-capabilities.md
@@ -127,11 +127,10 @@ Folder-level permissions are available if your org has fine-grained Monitor perm
| Deactivate Organizations | Deactivate trial organizations. (For Sumo Logic Service Providers only.)|
## Threat Intel
-
| Capability | Description |
| :-- | :-- |
-| View Threat Intel Data Store | Search log data using threat intelligence indicators. |
-| Manage Threat Intel Data Store | Create, edit, and delete threat intelligence indicators. |
+| View Threat Intel Data Store | Search log data using [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/). |
+| Manage Threat Intel Data Store | Create, edit, and delete [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/). |
## Cloud SOAR
diff --git a/docs/observability/aws/integrations/aws-dynamodb.md b/docs/observability/aws/integrations/aws-dynamodb.md
index d98f78d310..43503d55a6 100644
--- a/docs/observability/aws/integrations/aws-dynamodb.md
+++ b/docs/observability/aws/integrations/aws-dynamodb.md
@@ -69,6 +69,20 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
| sum (ip_count) as threat_count
```
+
+
## Viewing AWS DynamoDB dashboards
We highly recommend you view these dashboards in the [AWS Observability view](/docs/dashboards/explore-view/#aws-observability) of our AWS Observability solution.
diff --git a/docs/platform-services/automation-service/app-central/integrations/zerofox.md b/docs/platform-services/automation-service/app-central/integrations/zerofox.md
index e6c54c9f32..6351bfa8c9 100644
--- a/docs/platform-services/automation-service/app-central/integrations/zerofox.md
+++ b/docs/platform-services/automation-service/app-central/integrations/zerofox.md
@@ -1,5 +1,5 @@
---
-title: ZeroFOX
+title: ZeroFox
description: ''
---
import useBaseUrl from '@docusaurus/useBaseUrl';
@@ -9,7 +9,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
***Version: 1.1
Updated: Jul 11, 2023***
-Query data and utilize action in ZeroFOX Platform.
+Query data and utilize action in ZeroFox Platform.
## Actions
diff --git a/docs/platform-services/index.md b/docs/platform-services/index.md
index 4397b71264..2d5d453212 100644
--- a/docs/platform-services/index.md
+++ b/docs/platform-services/index.md
@@ -15,4 +15,10 @@ Platform services are services that are available to use across the entire Sumo
Learn how to use the Automation Service to automate actions.
+Learn about Sumo Logic's threat intelligence capabilities.
+}){kind=icon}
The `threatip()` operator correlates CrowdStrike's threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.
+Correlates CrowdStrike's threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.
The `where` operator allows you to filter results based on a boolean expression.
})
1. Type or paste the following code into the query window. (Replace `Labs/AWS/CloudTrail` with a valid source category for AWS CloudTrail logs in your environment.)
- ```
- _sourceCategory=Labs/AWS/CloudTrail
- | parse regex "(?
+
+The sources on the **Threat Intelligence** tab include:
+* **_sumo_global_feed_cs**. This is an out-of-the-box default source of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit this source.
+* **Other sources**. The other sources on the tab are imported by Cloud SIEM administrators so that Cloud SIEM analysts can use them to find threats.
+
+Cloud SIEM analysts can use any of these sources to find threats (see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/)). In addition, all Sumo Logic users can run queries against the indicators in the global feed to uncover threats (see [Find Threats with Log Queries](/docs/security/threat-intelligence/find-threats/)).
+
+})
+
+Any Sumo Logic user can use this global feed to search for potential threats. To search with the global feed, use `sumo://threat/cs` in log search queries. For example:
+
+```
+_sourceCategory=cylance "IP Address"
+| parse regex "(?Get an osverview of Sumo Logic's threat intelligence capabilities.
+Learn how to add and manage indicators from threat intelligence sources.
+Learn how to perform searches to find matches to data in threat intelligence indicators.
+Learn how to use threat indicators in Cloud SIEM.
+Learn how to format upload files containing threat intelligence indicators.
+Learn about mapping of threat intelligence indicators to Sumo Logic.
+})
+
+
\ No newline at end of file
diff --git a/docs/security/threat-intelligence/threat-intelligence-indicators.md b/docs/security/threat-intelligence/threat-intelligence-indicators.md
new file mode 100644
index 0000000000..2395ff8edb
--- /dev/null
+++ b/docs/security/threat-intelligence/threat-intelligence-indicators.md
@@ -0,0 +1,87 @@
+---
+slug: /security/threat-intelligence/threat-intelligence-indicators
+title: Manage Threat Intelligence Indicators
+sidebar_label: Manage Indicators
+description: Learn how to add and manage indicators from threat intelligence sources.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import CloudSIEMThreatIntelNote from '../../reuse/cloud-siem-threat-intelligence-note.md';
+
+The **Threat Intelligence** tab shows the indicators that have been added to your threat intelligence datastore. Use this tab to add and manage your threat intelligence indicators. You can add indicators from a number of sources. Threat intelligence indicators imported to Sumo Logic not only integrate with your existing core Sumo Logic deployment, but also Cloud SIEM and Cloud SOAR.
+
+:::tip
+You can also add threat intelligence indicators using a collector or the API. See [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).
+:::
+
+## Threat Intelligence tab
+
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Threat Intelligence** tab, in the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**.
+
+[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Threat Intelligence** tab, in the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
+
+})
+
+1. **+ Add Indicators**. Click to upload files that [add threat intelligence indicators](#add-indicators-in-the-threat-intelligence-tab).
+1. **Actions**. Select to perform additional actions:
+ * **Edit Retention Period**. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180. See [Change the retention period for expired indicators](#change-the-retention-period-for-expired-indicators).
+1. **Status**. The current status of the indicator source (**Enabled** or **Disabled**).
+1. **Source Name**. The name of the threat intelligence indicator file. The name usually indicates the supplier of the indicators.
+1. **Storage Consumed**. The amount of storage consumed by the threat intelligence indicator file.
+1. **Indicators**. The number of threat intelligence indicators included in the file.
+
+:::note
+* The `_sumo_global_feed_cs` source is a default source and cannot be changed or deleted.
+* The default storage limit is 10 million total indicators (not including any indicators provided by Sumo Logic such as the `_sumo_global_feed_cs` source).
+:::
+
+## Add indicators in the Threat Intelligence tab
+
+You can add threat intelligence indicators using a collector, API, or the **Threat Intelligence** tab. This section describes how to add indicators in the **Threat Intelligence** tab. For information on the other methods, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).
+
+})
+1. Select the format of the file to be uploaded (see [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use in the file):
+ * **Normalized JSON**. A normalized JSON file.
+ * **CSV**. A comma-separated value (CSV) file.
+
+1. Click **Upload** to upload the file.
+1. Click **Import**.
+
+:::note
+When you add indicators, the event is recorded in the Audit Event Index. See [Audit logging for threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/#audit-logging-for-threat-intelligence).
+:::
+
+## Delete threat intelligence indicators
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/).In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. Learn how to collect combined endpoint vulnerabilities data from the CrowdStrike Spotlight platform.
-Collects a list of users from the Google Workspace Users API.
})
Collects user and device data from the Microsoft Graph API Security endpoint.
}){kind=logo}
Learn to collect threat indicators from the Mandiant platform.
+}){kind=logo}
Learn to receive authentication logs from the Sophos Central APIs.
Learn how to set up a STIX/TAXII 1.x client to collect threat intelligence indicators into the Sumo Logic environment.
+Learn how to set up a STIX/TAXII 2.x client to collect threat intelligence indicators into the Sumo Logic environment.
+}){kind=logo}
Learn to collect audit logs from the Zendesk platform.
}){kind=logo}
Learn to collect threat indicators using the ZeroFox API and send them to Sumo Logic for analysis.
+
-Intel471 is a cybersecurity firm specializing in providing cyber threat intelligence services. Their focus is primarily on delivering information about threats originating from the criminal underground, including malware, malicious actors, and their tactics, techniques, and procedures (TTPs). Intel471 provides these insights to help organizations protect themselves against cyber threats. Their intelligence-gathering efforts often involve monitoring and analyzing underground marketplaces, forums, and other communication channels used by cyber criminals.
+The Intel471 Threat Intel source collects threat intelligence indicators using the [Intel471 Stream API](https://titan.intel471.com/api/docs-openapi/#tag/Indicators/paths/~1indicators~1stream/get) and sends them to Sumo Logic as normalized threat indicators for analysis. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
-The Intel471 source collects threat indicators using the [Intel471 Stream API](https://titan.intel471.com/api/docs-openapi/#tag/Indicators/paths/~1indicators~1stream/get) and sends them to Sumo Logic as normalized threat indicators for analysis.
+Intel471 is a cybersecurity firm specializing in providing cyber threat intelligence services. Their focus is primarily on delivering information about threats originating from the criminal underground, including malware, malicious actors, and their tactics, techniques, and procedures (TTPs). Intel471 provides these insights to help organizations protect themselves against cyber threats. Their intelligence-gathering efforts often involve monitoring and analyzing underground marketplaces, forums, and other communication channels used by cyber criminals.
## Data collected
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md
index 3e25c1c14f..789e19f5f9 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md
@@ -1,7 +1,7 @@
---
id: mandiant-threat-intel-source
-title: Mandiant Threat Intel Source (Beta)
-sidebar_label: Mandiant Threat Intel (Beta)
+title: Mandiant Threat Intel Source
+sidebar_label: Mandiant Threat Intel
tags:
- cloud-to-cloud
- mandiant-threat-intel
@@ -13,15 +13,11 @@ import MyComponentSource from '!!raw-loader!/files/c2c/mandiant-threat-intel/exa
import TerraformExample from '!!raw-loader!/files/c2c/mandiant-threat-intel/example.tf';
import useBaseUrl from '@docusaurus/useBaseUrl';
-
-
-
-
-
-
-Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services. By scaling decades of frontline experience, Mandiant helps organizations to be confident in their readiness to defend against and respond to cyber threats. Mandiant is part of Google Cloud. The Mandiant Threat Intel integration ingests the indicators data from Mandiant API and sends it to Sumo Logic as normalized threat indicators.
+The Mandiant Threat Intel source ingests threat intelligence indicators using the Mandiant API and sends them to Sumo Logic as normalized threat indicators. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
+
+Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services. By scaling decades of frontline experience, Mandiant helps organizations to be confident in their readiness to defend against and respond to cyber threats. Mandiant is part of Google Cloud.
## Data collected
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md
index 0ef8c78f1c..190d07a5f4 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md
@@ -15,13 +15,9 @@ import MyComponentSource from '!!raw-loader!/files/c2c/taxii-1/example.json';
import TerraformExample from '!!raw-loader!/files/c2c/taxii-1/example.tf';
import useBaseUrl from '@docusaurus/useBaseUrl';
-
-
-
+The STIX/TAXII 1 Client source supports collecting threat intelligence indicators from STIX/TAXII 1.x and sending them to Sumo Logic as normalized threat indicators. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
-
-
-[STIX/TAXII](https://oasis-open.github.io/cti-documentation/) are two standards used together to exchange threat intelligence information between systems. STIX defines the format and structure of the data. TAXII defines how the API endpoints are served and accessed by clients. This Sumo Logic source supports collecting indicators from STIX/TAXII 1.x.
+[STIX/TAXII](https://oasis-open.github.io/cti-documentation/) are two standards used together to exchange threat intelligence information between systems. STIX defines the format and structure of the data. TAXII defines how the API endpoints are served and accessed by clients.
:::sumo[Best Practice]
This source only supports STIX/TAXII 1.x. Sumo Logic recommends using our [STIX/TAXII 2.x source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source/) instead as it is the current version of STIX/TAXII.
@@ -29,7 +25,7 @@ This source only supports STIX/TAXII 1.x. Sumo Logic recommends using our [STIX/
## Data collected
-This source collects [threat intelligence indicators](/docs/platform-services/threat-intelligence-indicators/) from a vendor's STIX/TAXII 1.x endpoints. This means the specific endpoints we collect data from are the endpoints defined in the [TAXII standard](https://oasis-open.github.io/cti-documentation/taxii/intro). Vendor APIs must follow the standard. The source will collect all indicators from the TAXII server when it runs for the first time and it will check for updates once an hour. This one-hour polling interval can be adjusted in the source configuration.
+This source collects threat intelligence indicators from a vendor's STIX/TAXII 1.x endpoints. This means the specific endpoints we collect data from are the endpoints defined in the [TAXII standard](https://oasis-open.github.io/cti-documentation/taxii/intro). Vendor APIs must follow the standard. The source will collect all indicators from the TAXII server when it runs for the first time and it will check for updates once an hour. This one-hour polling interval can be adjusted in the source configuration.
## Setup
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md
index 1ab0ddfdc4..1e7e868c66 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md
@@ -15,17 +15,15 @@ import MyComponentSource from '!!raw-loader!/files/c2c/taxii-2/example.json';
import TerraformExample from '!!raw-loader!/files/c2c/taxii-2/example.tf';
import useBaseUrl from '@docusaurus/useBaseUrl';
-
-
-
+The STIX/TAXII 2 Client source supports collecting threat intelligence indicators from STIX/TAXII 2.0 and 2.1 versions. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
-
+The legacy STIX/TAXII 1.x versions are not supported with this source. Use [STIX/TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source/) for version 1.x versions.
-[STIX/TAXII](https://oasis-open.github.io/cti-documentation/) are two standards used together to exchange threat intelligence information between systems. STIX defines the format and structure of the data. TAXII defines how the API endpoints are served and accessed by clients. This Sumo Logic source supports collecting indicators from STIX/TAXII 2.0 and 2.1 versions. The legacy STIX/TAXII 1.x versions are not supported with this source.
+[STIX/TAXII](https://oasis-open.github.io/cti-documentation/) are two standards used together to exchange threat intelligence information between systems. STIX defines the format and structure of the data. TAXII defines how the API endpoints are served and accessed by clients.
## Data collected
-This source collects [threat intelligence indicators](/docs/platform-services/threat-intelligence-indicators/) from a vendor's STIX/TAXII 2.x endpoints. This means the specific endpoints we collect data from are the endpoints defined in the [TAXII standard](https://oasis-open.github.io/cti-documentation/taxii/intro). Vendor APIs must follow the standard. The source will collect all indicators from the TAXII server when it runs for the first time and it will check for updates once an hour. This one-hour polling interval can be adjusted in the source configuration.
+This source collects threat intelligence indicators from a vendor's STIX/TAXII 2.x endpoints. This means the specific endpoints we collect data from are the endpoints defined in the [TAXII standard](https://oasis-open.github.io/cti-documentation/taxii/intro). Vendor APIs must follow the standard. The source will collect all indicators from the TAXII server when it runs for the first time and it will check for updates once an hour. This one-hour polling interval can be adjusted in the source configuration.
## Setup
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md
index e6cd76b003..6ba50629cc 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md
@@ -13,13 +13,7 @@ import MyComponentSource from '!!raw-loader!/files/c2c/zerofox/example.json';
import TerraformExample from '!!raw-loader!/files/c2c/zerofox/example.tf';
import useBaseUrl from '@docusaurus/useBaseUrl';
-
-
-
-
-
-
-}){kind=logo}
+
ZeroFox is a cybersecurity firm specializing in providing cyber threat intelligence services.
diff --git a/docusaurus.config.js b/docusaurus.config.js
index b70d457cd4..f3493f318a 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -264,6 +264,12 @@ module.exports = {
background: 'rgba(0, 0, 0, 0.6)',
},
},
+ announcementBar: {
+ id: 'support_us',
+ content: 'We are aware of the recent CrowdStrike and Microsoft outages. Our operations remain unaffected, and service continues uninterrupted. Thank you for your continued trust in Sumo Logic.
', + backgroundColor: '#fafbfc', + textColor: '#091E42', + }, colorMode: { defaultMode: 'light', }, diff --git a/sidebars.ts b/sidebars.ts index 5601485269..0ba338c922 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -453,7 +453,7 @@ module.exports = { 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source', - //'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source', + 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source', @@ -468,7 +468,7 @@ module.exports = { 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-bigquery-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-alertcenter', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-workspace-source', - // 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source', + 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/jamf-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/jfrog-xray-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/jumpcloud-directory-insights-source', @@ -476,7 +476,7 @@ module.exports = { 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/kandji-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/knowbe4-api-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source', - //'send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source', + 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-azure-ad-inventory-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-exchange-trace-logs', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-azure-ad-reporting-source', @@ -499,6 +499,8 @@ module.exports = { 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/smartsheet-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/snowflake-sql-api-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/sophos-central-source', + 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source', + 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source', //'send-data/hosted-collectors/cloud-to-cloud-integration-framework/sumo-logic-kickstart-data-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-endpoint-security-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/symantec-web-security-service-source', @@ -512,6 +514,7 @@ module.exports = { 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/webex-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/workday-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/zendesk-source', + 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source', 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/zero-networks-segment-source', ], }, @@ -1456,6 +1459,7 @@ module.exports = { 'search/search-query-language/search-operators/sort', 'search/search-query-language/search-operators/substring', 'search/search-query-language/search-operators/threatip', + // 'search/search-query-language/search-operators/threatlookup', 'search/search-query-language/search-operators/timeslice', 'search/search-query-language/search-operators/timeslice-join', 'search/search-query-language/search-operators/tolowercase-touppercase', @@ -3010,6 +3014,21 @@ integrations: [ }, ], }, + { + type: 'category', + label: 'Threat Intelligence', + collapsible: true, + collapsed: true, + link: {type: 'doc', id: 'security/threat-intelligence/index'}, + items: [ + 'security/threat-intelligence/about-threat-intelligence', + 'security/threat-intelligence/threat-intelligence-indicators', + 'security/threat-intelligence/find-threats', + 'security/threat-intelligence/threat-indicators-in-cloud-siem', + 'security/threat-intelligence/upload-formats', + 'security/threat-intelligence/threat-intelligence-mapping', + ], + }, ], api: [ { diff --git a/static/img/platform-services/threat-intelligence-tab.png b/static/img/platform-services/threat-intelligence-tab.png deleted file mode 100644 index bd6e559406..0000000000 Binary files a/static/img/platform-services/threat-intelligence-tab.png and /dev/null differ diff --git a/static/img/security/global-feed-threat-intelligence-tab-example.png b/static/img/security/global-feed-threat-intelligence-tab-example.png new file mode 100644 index 0000000000..0f005981b0 Binary files /dev/null and b/static/img/security/global-feed-threat-intelligence-tab-example.png differ diff --git a/static/img/platform-services/threat-indicators-in-cloud-siem-ui.png b/static/img/security/threat-indicators-in-cloud-siem-ui.png similarity index 100% rename from static/img/platform-services/threat-indicators-in-cloud-siem-ui.png rename to static/img/security/threat-indicators-in-cloud-siem-ui.png diff --git a/static/img/security/threat-intelligence-add-indicators.png b/static/img/security/threat-intelligence-add-indicators.png new file mode 100644 index 0000000000..f7515d0e62 Binary files /dev/null and b/static/img/security/threat-intelligence-add-indicators.png differ diff --git a/static/img/security/threat-intelligence-delete-indicators.png b/static/img/security/threat-intelligence-delete-indicators.png new file mode 100644 index 0000000000..6ed756637f Binary files /dev/null and b/static/img/security/threat-intelligence-delete-indicators.png differ diff --git a/static/img/security/threat-intelligence-tab-example.png b/static/img/security/threat-intelligence-tab-example.png new file mode 100644 index 0000000000..edbc992261 Binary files /dev/null and b/static/img/security/threat-intelligence-tab-example.png differ diff --git a/static/img/security/threat-intelligence-tab.png b/static/img/security/threat-intelligence-tab.png new file mode 100644 index 0000000000..41d647259a Binary files /dev/null and b/static/img/security/threat-intelligence-tab.png differ diff --git a/static/img/send-data/stix-logo.png b/static/img/send-data/stix-logo.png new file mode 100644 index 0000000000..876399ca42 Binary files /dev/null and b/static/img/send-data/stix-logo.png differ