SumoLogic · jpipkin1 · Mar 3, 2025 · Mar 11, 2024 · Mar 11, 2024 · Mar 11, 2024
diff --git a/blog-service/2025-01-31-security.md b/blog-service/2025-01-31-security.md
@@ -0,0 +1,26 @@
+---
+title: Threat Intelligence (Security)
+image: https://www.sumologic.com/img/logo.svg
+keywords:
+  - platform services
+  - threat intel
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables you to seamlessly import threat intelligence indicator files directly into Sumo Logic to aid in security analysis. Threat intelligence indicators are individual data points about threats that are gathered from external sources about various entities such as host names, file hashes, IP addresses, and other known targets for compromise. 
+
+To see threat intelligence indicators, go to **Manage Data > Logs > Threat Intelligence**. Once indicators are ingested and appear on the **Threat Intelligence** tab, you can use them to search logs for threats. 
+
+Sumo Logic Threat Intelligence will help you stay ahead of emerging threats and enhance your security posture.
+
+[Learn more](/docs/security/threat-intelligence/).
+
+<img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
+
+:::note
+Only Cloud SIEM administrators can add threat intelligence indicators to the system. However, all Sumo Logic users can run queries against the indicators to uncover threats.
+:::
@@ -1549,7 +1549,9 @@
   "/cid/1": "/docs/search/get-started-with-search/build-search/search-syntax-overview",
   "/cid/0100": "/docs/manage/security/installation-tokens",
   "/cid/0020": "/docs/manage/health-events",
-  "/cid/0020001": "/docs/platform-services/threat-intelligence-indicators",
+  "/cid/0020001": "/docs/security/threat-intelligence/upload-formats",
+  "/cid/20002": "/docs/search/search-query-language/search-operators/threatlookup",
+  "/cid/0020003": "/docs/security/threat-intelligence",
   "/cid/0523": "/docs/manage/manage-subscription/upgrade-sumo-logic-credits-account",
   "/cid/0524": "/docs/manage/manage-subscription/cloud-flex-legacy-accounts",
   "/cid/1000": "/docs/send-data/installed-collectors/sources/local-file-source",
@@ -2833,7 +2835,7 @@
   "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",
   "/Cloud_SIEM_Enterprise/Administration/Create_a_Custom_Tag_Schema": "/docs/cse/administration/create-a-custom-tag-schema",
   "/Cloud_SIEM_Enterprise/Administration/Configure_a_Custom_Inventory_Source": "/docs/cse/administration/custom-inventory-sources",
-  "/Cloud_SIEM_Enterprise/Administration/Create_a_Custom_Threat_Intel_Source": "/docs/cse/administration/create-custom-threat-intel-source",
+  "/Cloud_SIEM_Enterprise/Administration/Create_a_Custom_Threat_Intel_Source": "/docs/security/threat-intelligence/threat-indicators-in-cloud-siem",
   "/Cloud_SIEM_Enterprise/Administration/Create_and_Use_Network_Blocks": "/docs/cse/administration/create-use-network-blocks",
   "/Cloud_SIEM_Enterprise/Administration/Create_CSE_Actions": "/docs/cse/administration/create-cse-actions",
   "/Cloud_SIEM_Enterprise/Administration/Create_CSE_Context_Actions": "/docs/cse/administration/create-cse-context-actions",
@@ -3263,7 +3265,7 @@
   "/Manage/Security/Set_a_Limit_for_User_Concurrent_Sessions": "/docs/manage/security/set-limit-user-concurrent-sessions",
   "/Manage/Security/Set_a_Maximum_Web_Session_Timeout": "/docs/manage/security/set-max-web-session-timeout",
   "/Manage/Security/Set-the-Password-Policy": "/docs/manage/security/set-password-policy",
-  "/Manage/Threat-Intel-Ingest": "/docs/integrations/amazon-aws/threat-intel",
+  "/Manage/Threat-Intel-Ingest": "/docs/security/threat-intelligence",
   "/Manage/Users-and-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles/About-Roles": "/docs/manage/users-roles/roles",

@@ -0,0 +1,32 @@
+---
+id: threat-intel-ingest
+title: Threat Intel Ingest Management APIs
+sidebar_label: Threat Intel Ingest Management
+description: The Threat Intel Ingest Management API allows you to upload STIX 2.x threat intel indicators, view storage status of threat intel ingest service, and view and set the retention period for threat intel indicators.
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import ApiIntro from '../reuse/api-intro.md';
+
+<img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="60"/>
+
+The [Threat Intel Ingest Management](/docs/security/threat-intelligence) API allows you to:
+
+* Upload STIX 2.x threat intel indicators
+* View storage status of threat intel ingest service
+* View and set the retention period for threat intel indicators
+
+<ApiIntro/>
+
+| Deployment | Documentation URL  |
+|:-----------|:---------|
+| AU         | https://api.au.sumologic.com/docs/#tag/threatIntelIngest  |
+| CA         | https://api.ca.sumologic.com/docs/#tag/threatIntelIngest  |
+| DE         | https://api.de.sumologic.com/docs/#tag/threatIntelIngest  |
+| EU         | https://api.eu.sumologic.com/docs/#tag/threatIntelIngest  |
+| FED        | https://api.fed.sumologic.com/docs/#tag/threatIntelIngest |
+| IN         | https://api.in.sumologic.com/docs/#tag/threatIntelIngest  |
+| JP         | https://api.jp.sumologic.com/docs/#tag/threatIntelIngest  |
+| US1        | https://api.sumologic.com/docs/#tag/threatIntelIngest     |
+| US2        | https://api.us2.sumologic.com/docs/#tag/threatIntelIngest |
@@ -46,7 +46,7 @@ As the newest member of your company's SOC team, it’s your task to set up some
 
 Your company's apps and services generate logs, metrics, and tracing data. 
 
-When you ingest that data into Sumo Logic, you have one centralized location to query and visualize all that data. Sumo Logic’s Log Analytics Platform integrates with CrowdStrike’s threat intel database, so you can start getting security alerts and hunt threats. You can learn more in [Additional Security Features](/docs/security/additional-security-features/).
+When you ingest that data into Sumo Logic, you have one centralized location to query and visualize all that data. Sumo Logic’s Log Analytics Platform uses [threat intelligence](/docs/security/threat-intelligence/), so you can start getting security alerts and hunt threats. You can learn more in [Additional Security Features](/docs/security/additional-security-features/).
 
 You can take your security one step further with [Cloud SIEM](/docs/cse/). When you forward your log messages to Cloud SIEM, they are parsed, mapped, and enriched into Cloud SIEM records. These records are compared to security rules. If a rule is triggered, an entity is extracted, a severity score is assigned, and a signal is created. If enough signals with the same entity cluster together, they become an Insight. Insights are likely risks that need your attention. 
 

@@ -5,13 +5,23 @@ sidebar_label: Create a Custom Threat Intelligence Source
 description: Learn how to create and manage custom threat sources.
 ---
 
-
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
+<!-- For threat intel. Put this back once we support cat with the threatlookup search operator:
+
+:::info
+This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Threat Intelligence](/docs/security/threat-intelligence/).
+:::
+-->
+
 This topic has information about setting up a *custom threat intelligence source* in Cloud SIEM, which is a threat intelligence list that you can populate manually, as opposed to using an automatic feed. 
 
 You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, domains, URLs, email addresses, and file hashes.
 
+:::note
+You can also use the Sumo Logic threat intelligence framework to add sources. See [Threat Intelligence](/docs/security/threat-intelligence/).
+:::
+
 ## How Cloud SIEM uses indicators
 
 When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in this way.
@@ -20,7 +30,7 @@ Rule authors can also write rules that look for threat intelligence information
 
 ## Create a threat intelligence source from Cloud SIEM UI
 
-1.  [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
 1. Click **Add Source** on the **Threat Intelligence** page. 
 1. In the **Custom** box click **Create**.
 1. On the **Add New Source** popup, enter a name, and if desired, a description for the source. 

@@ -69,7 +69,7 @@ sso : ip-192-0-2-0 : alex@travellogic.com :
 "Successful Login" : "2024-05-25T22:11:42"
 ```
 
-First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of `ip-192-0-2-0`, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `192.0.2.0`, with the hyphens normalized to dots. Then, this information is mapped onto the Cloud SIEM schema. Finally, the record is enriched with information from match lists or threat intelligence databases, such as its [CrowdStrike threat level](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). These normalized records are then sent down the Cloud SIEM pipeline and compared to rules. 
+First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of `ip-192-0-2-0`, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `192.0.2.0`, with the hyphens normalized to dots. Then, this information is mapped onto the Cloud SIEM schema. Finally, the record is enriched with information from match lists or Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). These normalized records are then sent down the Cloud SIEM pipeline and compared to rules. 
 
 ### Extracting security insights from Cloud SIEM
 

@@ -130,16 +130,16 @@ Perform the following tasks to install security apps that provide data to Cloud
 
 Install the Cloud SIEM App to monitor data that is parsed, along with all the signals and insights that records generate. The app contains multiple folders of searches and dashboards related to Cloud SIEM.
 
-Also install any out-of-the-box apps or dashboards for security data sources we support, including CrowdStrike’s Threat Intel Quick Analysis app. These apps are useful for quick visualizations and configuring context actions to pivot directly to from Cloud SIEM.
+Also install any out-of-the-box apps or dashboards for security data sources we support, including the Threat Intel Quick Analysis app. These apps are useful for quick visualizations and configuring context actions to pivot directly to from Cloud SIEM.
 
 See:
 * [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/)
 * [Security and Threat Detection](/docs/integrations/security-threat-detection/)
 * [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
 
-#### Import Crowdstrike threat intel searches
+#### Import threat intel searches
 
-You can configure Crowdstrike threat indicator matches from the Threat Intel Quick Analysis app to become signals within Cloud SIEM using scheduled searches. An example would be to fire a Cloud SIEM signal from a scheduled search when there is a highly malicious threat intel match on device IPs. Review other current scheduled search alerts that might be candidates for generating signals.
+You can configure Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) matches from the Threat Intel Quick Analysis app to become signals within Cloud SIEM using scheduled searches. An example would be to fire a Cloud SIEM signal from a scheduled search when there is a highly malicious threat intel match on device IPs. Review other current scheduled search alerts that might be candidates for generating signals.
 
 See:
 * [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
@@ -169,9 +169,9 @@ See: [Create and Use Network Blocks](/docs/cse/administration/create-use-network
 
 ### Configure threat intel feeds
 
-Cloud SIEM heavily leverages threat intelligence to do real-time comparisons against known bad indicators. You can configure popular free threat feeds. But if your security team pays for premium threat intelligence (such as RecordedFuture, Anomali, Crowdstrike, ThreatConnect, etc), you can configure these too.
+Cloud SIEM heavily leverages threat intelligence to do real-time comparisons against known bad indicators. You can configure popular free threat feeds. But if your security team pays for premium threat intelligence (such as RecordedFuture, Anomali, Crowdstrike, ThreatConnect, and so on), you can configure these too.
 
-See: [Create a Custom Threat Intel Source](/docs/cse/administration/create-custom-threat-intel-source/)
+See: [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/)
 
 ### Create lists
 Perform the following steps to create lists to allow or suppress information monitored for Cloud SIEM.

@@ -7,11 +7,22 @@ description: Learn how to set up a ThreatQ source.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
+<!-- For threat intel. Once we support cat with the threatlookup search operator, REPLACE THE CONTENTS OF THIS ARTICLE WITH THE FOLLOWING:
+
+ThreatQ is a threat intelligence platform that centrally manages and correlates external sources of threat intel information. If you have a ThreatQ subscription, you can leverage ThreatQ threat intel feeds. 
+
+To do so, [ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) from your ThreatQ source.
+
+## Looking for ThreatQ indicators using Cloud SIEM rules
+
+Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
+-->
+
 This topic has information about configuring a ThreatQ source in Cloud SIEM.
 
-ThreatQ is a threat intelligence platform that centrally manages and correlates external sources of threat intel information. 
+ThreatQ is a threat intelligence platform that centrally manages and correlates external sources of threat intel information. 
 
-If you have a ThreatQ subscription, Cloud SIEM’s ThreatQ integration allows you to leverage ThreatQ threat intel feeds. 
+If you have a ThreatQ subscription, Cloud SIEM’s ThreatQ integration allows you to leverage ThreatQ threat intel feeds. 
 
 To do so, you simply configure a ThreatQ source in Cloud SIEM. You supply the information Cloud SIEM needs to connect to ThreatQ and fetch feed updates on a periodic basis.
 
@@ -51,7 +62,7 @@ Because the threat intel information is persisted within records, you can refere
 
 `array_contains(listMatches, "threat_intel_list_name")`
 
-where 
+where 
 
 `threat_intel_list_name` is the name of the threat intel list.
 
@@ -60,4 +71,3 @@ If the name of the list you are referencing with `array_contains` contains any s
 :::
 
 For more information, see [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.  
-
@@ -40,6 +40,8 @@ No icon is displayed for entities with the **Not Flagged** label.
 **Not Flagged** is not the default value (which is no indicator at all). Cloud SIEM will not automatically determine the indicator value; enrichments must explicitly set it.
 :::
 
+For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
+
 ## Enrichment attributes
 
 The enrichment schema includes support for the following optional attributes: