From cb5b874315f5ca88c259c74794fd5db1d2035e68 Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Tue, 4 Mar 2025 11:58:08 -0600
Subject: [PATCH 1/2] DOCS-25 - Fix minor threat intel issues

---
 blog-service/2025-03-03-security.md           |  4 ++--
 docs/api/index.md                             |  5 ++++
 docs/api/threat-intel-ingest.md               | 24 ++++++++++++++-----
 .../create-custom-threat-intel-source.md      |  4 ++--
 .../onboarding-checklist-cse.md               |  2 +-
 docs/cse/rules/about-cse-rules.md             |  2 +-
 .../users-roles/roles/role-capabilities.md    |  4 ++--
 docs/platform-services/index.md               |  6 -----
 .../search-operators/index.md                 |  2 +-
 .../search-operators/threatlookup.md          |  4 ++--
 docs/search/subqueries.md                     |  2 +-
 .../threat-intelligence-indicators.md         |  2 +-
 .../threat-intelligence/upload-formats.md     |  4 ++--
 .../crowdstrike-threat-intel-source.md        |  2 +-
 .../index.md                                  |  2 +-
 .../intel-471-threat-intel-source.md          |  2 +-
 .../mandiant-threat-intel-source.md           |  2 +-
 .../stix-taxii-1-client-source.md             |  2 +-
 .../stix-taxii-2-client-source.md             |  2 +-
 .../zerofox-intel-source.md                   |  4 ++--
 docusaurus.config.js                          |  6 -----
 sidebars.ts                                   |  1 +
 22 files changed, 47 insertions(+), 41 deletions(-)

diff --git a/blog-service/2025-03-03-security.md b/blog-service/2025-03-03-security.md
index f092f4df97..65a2ebc7b3 100644
--- a/blog-service/2025-03-03-security.md
+++ b/blog-service/2025-03-03-security.md
@@ -1,8 +1,8 @@
 ---
 title: Threat Intelligence (Security)
-image: https://www.sumologic.com/img/logo.svg
+image: https://help.sumologic.com/img/sumo-square.png
 keywords:
-  - platform services
+  - security
   - threat intel
 hide_table_of_contents: true
 ---
diff --git a/docs/api/index.md b/docs/api/index.md
index 2ad887755a..44297850d2 100644
--- a/docs/api/index.md
+++ b/docs/api/index.md
@@ -230,6 +230,11 @@ To connect with other Sumo Logic users, post feedback, or ask a question, visit
   <a href="/docs/api/span-analytics"><img src={useBaseUrl('img/icons/operations/distributed-operations.png')} alt="Thumbnail icon" width="50"/><h4>Span Analytics</h4></a>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/api/threat-intel-ingest"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="Thumbnail icon" width="50"/><h4>Threat Intel Ingest</h4></a>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
     <a href="/docs/api/token-management"><img src={useBaseUrl('img/icons/security/security.png')} alt="Thumbnail icon" width="50"/><h4>Tokens</h4></a>
diff --git a/docs/api/threat-intel-ingest.md b/docs/api/threat-intel-ingest.md
index d3e2f58688..11d62e1c92 100644
--- a/docs/api/threat-intel-ingest.md
+++ b/docs/api/threat-intel-ingest.md
@@ -1,21 +1,25 @@
 ---
 id: threat-intel-ingest
 title: Threat Intel Ingest Management APIs
-sidebar_label: Threat Intel Ingest Management
+sidebar_label: Threat Intel
 description: The Threat Intel Ingest Management API allows you to upload STIX 2.x threat intel indicators, view storage status of threat intel ingest service, and view and set the retention period for threat intel indicators.
-hide_table_of_contents: true
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import ApiIntro from '../reuse/api-intro.md';
+import ApiRoles from '../reuse/api-roles.md';
 
 <img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="60"/>
 
-The [Threat Intel Ingest Management](/docs/security/threat-intelligence) API allows you to:
+The Threat Intel Ingest Management API allows you to:
 
-* Upload STIX 2.x threat intel indicators
-* View storage status of threat intel ingest service
-* View and set the retention period for threat intel indicators
+* Upload threat intelligence indicators
+* View storage status of threat intelligence ingest service
+* View and set the retention period for threat intelligence indicators
+
+For more information about threat intelligence, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
+
+## Documentation
 
 <ApiIntro/>
 
@@ -30,3 +34,11 @@ The [Threat Intel Ingest Management](/docs/security/threat-intelligence) API all
 | JP         | https://api.jp.sumologic.com/docs/#tag/threatIntelIngest  |
 | US1        | https://api.sumologic.com/docs/#tag/threatIntelIngest     |
 | US2        | https://api.us2.sumologic.com/docs/#tag/threatIntelIngest |
+
+## Required role capabilities
+
+<ApiRoles/>
+
+* Threat Intel
+   * View Threat Intel Data Store
+   * Manage Threat Intel Data Store
diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md
index 9f85b6020c..0830bbc5a7 100644
--- a/docs/cse/administration/create-custom-threat-intel-source.md
+++ b/docs/cse/administration/create-custom-threat-intel-source.md
@@ -10,7 +10,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 <!-- For threat intel. Put this back once we support cat with the threatlookup search operator:
 
 :::info
-This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Threat Intelligence](/docs/security/threat-intelligence/).
+This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/).
 :::
 -->
 
@@ -19,7 +19,7 @@ This topic has information about setting up a *custom threat intelligence source
 You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, domains, URLs, email addresses, and file hashes.
 
 :::note
-You can also use the Sumo Logic threat intelligence framework to add sources. See [Threat Intelligence](/docs/security/threat-intelligence/).
+You can also use the Sumo Logic threat intelligence framework to add sources. See [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/).
 :::
 
 ## How Cloud SIEM uses indicators
diff --git a/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md b/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
index 4613a13e20..14a3478211 100644
--- a/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
+++ b/docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md
@@ -171,7 +171,7 @@ See: [Create and Use Network Blocks](/docs/cse/administration/create-use-network
 
 Cloud SIEM heavily leverages threat intelligence to do real-time comparisons against known bad indicators. You can configure popular free threat feeds. But if your security team pays for premium threat intelligence (such as RecordedFuture, Anomali, Crowdstrike, ThreatConnect, and so on), you can configure these too.
 
-See: [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/)
+See: [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators)
 
 ### Create lists
 Perform the following steps to create lists to allow or suppress information monitored for Cloud SIEM.
diff --git a/docs/cse/rules/about-cse-rules.md b/docs/cse/rules/about-cse-rules.md
index 713baf6974..d07418d147 100644
--- a/docs/cse/rules/about-cse-rules.md
+++ b/docs/cse/rules/about-cse-rules.md
@@ -181,7 +181,7 @@ This example below checks a record for a field named `listMatches` that contains
 
 ### Threat Intelligence
 
-Threat Intelligence sources contain values that, when encountered in a record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/).
+Threat Intelligence sources contain values that, when encountered in a record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).
 
 Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 
diff --git a/docs/manage/users-roles/roles/role-capabilities.md b/docs/manage/users-roles/roles/role-capabilities.md
index ea0708d55c..227d4e1b40 100644
--- a/docs/manage/users-roles/roles/role-capabilities.md
+++ b/docs/manage/users-roles/roles/role-capabilities.md
@@ -129,8 +129,8 @@ Folder-level permissions are available if your org has fine-grained Monitor perm
 ## Threat Intel
 | Capability | Description |
 | :-- | :-- |
-| View Threat Intel Data Store | Search log data using [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/). |
-| Manage Threat Intel Data Store | Create, edit, and delete [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/). |
+| View Threat Intel Data Store | View the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab. |
+| Manage Threat Intel Data Store | Create, edit, and delete threat intelligence sources on the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab. |
 
 ## Cloud SOAR
 
diff --git a/docs/platform-services/index.md b/docs/platform-services/index.md
index 2d5d453212..4397b71264 100644
--- a/docs/platform-services/index.md
+++ b/docs/platform-services/index.md
@@ -15,10 +15,4 @@ Platform services are services that are available to use across the entire Sumo
   <p>Learn how to use the Automation Service to automate actions.</p>
   </div>
 </div>
-<div className="box smallbox card">
-  <div className="container">
-  <a href="/docs/security/threat-intelligence"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="40"/><h4>Threat Intelligence</h4></a>
-  <p>Learn about Sumo Logic's threat intelligence capabilities.</p>
-  </div>
-</div>
 </div>
diff --git a/docs/search/search-query-language/search-operators/index.md b/docs/search/search-query-language/search-operators/index.md
index d242f8bf6c..4189426fac 100644
--- a/docs/search/search-query-language/search-operators/index.md
+++ b/docs/search/search-query-language/search-operators/index.md
@@ -381,7 +381,7 @@ In this section, we'll introduce the following concepts:
         <div className="box smallbox card">
           <div className="container">
           <a href="/docs/search/search-query-language/search-operators/threatip"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="40"/><h4>threatip</h4></a>
-          <p>Correlates CrowdStrike's threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.</p>
+          <p>Correlates threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.</p>
           </div>
         </div>
         <!-- <div className="box smallbox card">
diff --git a/docs/search/search-query-language/search-operators/threatlookup.md b/docs/search/search-query-language/search-operators/threatlookup.md
index d5c6e39439..56585f7827 100644
--- a/docs/search/search-query-language/search-operators/threatlookup.md
+++ b/docs/search/search-query-language/search-operators/threatlookup.md
@@ -4,10 +4,10 @@ title: threatlookup Search Operator
 sidebar_label: threatlookup
 ---
 
-The `threatlookup` search operator allows you to search logs for matches in [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/), providing security analytics to help you to detect threats in your environment.
+The `threatlookup` search operator allows you to search logs for matches in [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/), providing security analytics to help you to detect threats in your environment.
 
 :::note
-You can also use the [`threatip`](/docs/search/search-query-language/search-operators/threatip/) search operator to search CrowdStrike's threat intelligence data based on IP addresses. 
+You can also use the [`threatip`](/docs/search/search-query-language/search-operators/threatip/) search operator to search threat intelligence data based on IP addresses. 
 :::
 
 ## Syntax
diff --git a/docs/search/subqueries.md b/docs/search/subqueries.md
index 22bfbedbbb..d6922776b9 100644
--- a/docs/search/subqueries.md
+++ b/docs/search/subqueries.md
@@ -376,7 +376,7 @@ _sourceCategory=search "error while retrying to deploy index"
 
 ### Check Malicious Activity with Subquery
 
-The following search allows a security analyst to track logs related to a malicious IP address that was flagged by Amazon GuardDuty and also by a CrowdStrike Threat feed. The subquery is returning the field `src_ip` with the IP addresses deemed as threats to the parent query, note that the keywords option was not used so the parent query will expect a field src_ip to exist. The results will include logs from the weblogs sourceCategory that have a `src_ip` value that was deemed a threat from the subquery.
+The following search allows a security analyst to track logs related to a malicious IP address that was flagged by Amazon GuardDuty and also by a [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) feed. The subquery is returning the field `src_ip` with the IP addresses deemed as threats to the parent query, note that the keywords option was not used so the parent query will expect a field src_ip to exist. The results will include logs from the weblogs sourceCategory that have a `src_ip` value that was deemed a threat from the subquery.
 
 ```sql
 _sourceCategory=weblogs
diff --git a/docs/security/threat-intelligence/threat-intelligence-indicators.md b/docs/security/threat-intelligence/threat-intelligence-indicators.md
index 2395ff8edb..6d8dd4790b 100644
--- a/docs/security/threat-intelligence/threat-intelligence-indicators.md
+++ b/docs/security/threat-intelligence/threat-intelligence-indicators.md
@@ -56,7 +56,7 @@ When you add indicators, the event is recorded in the Audit Event Index. See [Au
 
 ## Delete threat intelligence indicators
 
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/).In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
 1. Select a source in the list of sources. Details of the source appear in a sidebar.
 1. Click the **Delete Indicators** button. 
 <!-- 1. When the following dialog appears, select which indicators you'd like to delete from the source:<br/><img src={useBaseUrl('img/security/threat-intelligence-delete-indicators.png')} alt="Delete threat intelligence indicators" style={{border: '1px solid gray'}} width="500" />
diff --git a/docs/security/threat-intelligence/upload-formats.md b/docs/security/threat-intelligence/upload-formats.md
index eb1a254cbd..8e7690321f 100644
--- a/docs/security/threat-intelligence/upload-formats.md
+++ b/docs/security/threat-intelligence/upload-formats.md
@@ -81,7 +81,7 @@ The following attributes are required:
        * **source** (string). User-provided text to identify the source of the indicator. For example, `TAXII2Source`.
        * **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
        * **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest (as [defined by the confidence scale in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_1v6elyto0uqg)). For example, `75`.
-       * **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to Entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
+       * **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
           * `anomalous-activity`. Unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
           * `anonymization`. Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
           * `benign`. Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
@@ -136,7 +136,7 @@ Columns for the following attributes are required in the upload file:
        * **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
        * **validUntil** (string [date-time]). Ending time this indicator is valid. If not set, the indicator never expires. Timestamp in UTC in RFC3339 format. For example, `2024-03-21T12:00:00.000Z`.
        * **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest. For example, `75`.
-       * **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to Entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
+       * **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
           * `anomalous-activity`. Unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
           * `anonymization`. Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
           * `benign`. Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md
index 25d244f10e..334697531f 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md
@@ -16,7 +16,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/integrations/security-threat-detection/crowdstrike.png')} alt="thumbnail icon" width="85"/>
 
-CrowdStrike is the leader in next-generation endpoint protection, threat intelligence, and response services. CrowdStrike’s core technology, the Falcon platform, stops breaches by preventing and responding to all types of attacks — both malware and malware-free. The CrowdStrike Threat Intel integration ingests the indicator data from CrowdStrike Combined API and sends it to Sumo Logic as normalized threat indicator information.
+CrowdStrike is the leader in next-generation endpoint protection, threat intelligence, and response services. CrowdStrike’s core technology, the Falcon platform, stops breaches by preventing and responding to all types of attacks — both malware and malware-free. The CrowdStrike Threat Intel integration ingests the indicator data from CrowdStrike Combined API and sends it to Sumo Logic as normalized threat indicator information. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
 
 :::important
 The CrowdStrike API documentation is not public and can only be accessed by partners or customers.
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/index.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/index.md
index dc70f26fc1..a2a109afd2 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/index.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/index.md
@@ -579,7 +579,7 @@ In this section, we'll introduce the following concepts:
       </div>
       <div className="box smallbox card">
         <div className="container">
-        <a href="/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source"><img src={useBaseUrl('img/integrations/security-threat-detection/zerofox_logo.png')} alt="Thumbnail icon" width="45"/><h4>ZeroFox</h4></a>
+        <a href="/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source"><img src={useBaseUrl('img/integrations/misc/zerofox-logo.png')} alt="Thumbnail icon" width="50"/><h4>ZeroFox</h4></a>
         <p>Learn to collect threat indicators using the ZeroFox API and send them to Sumo Logic for analysis.</p>
         </div>
       </div>
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel-471-threat-intel-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel-471-threat-intel-source.md
index acaa589d0c..1714d3d857 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel-471-threat-intel-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel-471-threat-intel-source.md
@@ -15,7 +15,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/integrations/security-threat-detection/intel471-threat-intel.png')} alt="intel471-threat-intel.png" width="100" />
 
-The Intel471 Threat Intel source collects threat intelligence indicators using the [Intel471 Stream API](https://titan.intel471.com/api/docs-openapi/#tag/Indicators/paths/~1indicators~1stream/get) and sends them to Sumo Logic as normalized threat indicators for analysis. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
+The Intel471 Threat Intel source collects threat intelligence indicators using the [Intel471 Stream API](https://titan.intel471.com/api/docs-openapi/#tag/Indicators/paths/~1indicators~1stream/get) and sends them to Sumo Logic as normalized threat indicators for analysis. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
 
 Intel471 is a cybersecurity firm specializing in providing cyber threat intelligence services. Their focus is primarily on delivering information about threats originating from the criminal underground, including malware, malicious actors, and their tactics, techniques, and procedures (TTPs). Intel471 provides these insights to help organizations protect themselves against cyber threats. Their intelligence-gathering efforts often involve monitoring and analyzing underground marketplaces, forums, and other communication channels used by cyber criminals.
 
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md
index 789e19f5f9..d9b8f60561 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source.md
@@ -15,7 +15,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/send-data/mandiant-threat-intel-logo.png')} alt="icon" width="60" />
 
-The Mandiant Threat Intel source ingests threat intelligence indicators using the Mandiant API and sends them to Sumo Logic as normalized threat indicators. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
+The Mandiant Threat Intel source ingests threat intelligence indicators using the Mandiant API and sends them to Sumo Logic as normalized threat indicators. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
 
 Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services. By scaling decades of frontline experience, Mandiant helps organizations to be confident in their readiness to defend against and respond to cyber threats. Mandiant is part of Google Cloud. 
 
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md
index 190d07a5f4..c50926a00f 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source.md
@@ -15,7 +15,7 @@ import MyComponentSource from '!!raw-loader!/files/c2c/taxii-1/example.json';
 import TerraformExample from '!!raw-loader!/files/c2c/taxii-1/example.tf';
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-The STIX/TAXII 1 Client source supports collecting threat intelligence indicators from STIX/TAXII 1.x and sending them to Sumo Logic as normalized threat indicators. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
+The STIX/TAXII 1 Client source supports collecting threat intelligence indicators from STIX/TAXII 1.x and sending them to Sumo Logic as normalized threat indicators. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
 
 [STIX/TAXII](https://oasis-open.github.io/cti-documentation/) are two standards used together to exchange threat intelligence information between systems. STIX defines the format and structure of the data. TAXII defines how the API endpoints are served and accessed by clients. 
 
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md
index 1e7e868c66..9a6581d050 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source.md
@@ -15,7 +15,7 @@ import MyComponentSource from '!!raw-loader!/files/c2c/taxii-2/example.json';
 import TerraformExample from '!!raw-loader!/files/c2c/taxii-2/example.tf';
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-The STIX/TAXII 2 Client source supports collecting threat intelligence indicators from STIX/TAXII 2.0 and 2.1 versions. For more information about Sumo Logic threat intelligence, see [About Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/). 
+The STIX/TAXII 2 Client source supports collecting threat intelligence indicators from STIX/TAXII 2.0 and 2.1 versions. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/). 
 
 The legacy STIX/TAXII 1.x versions are not supported with this source. Use [STIX/TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source/) for version 1.x versions.
 
diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md
index 6ba50629cc..97c6df1f9e 100644
--- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md
+++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source.md
@@ -13,11 +13,11 @@ import MyComponentSource from '!!raw-loader!/files/c2c/zerofox/example.json';
 import TerraformExample from '!!raw-loader!/files/c2c/zerofox/example.tf';
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-<img src={useBaseUrl('img/integrations/security-threat-detection/zerofox_logo.png')} alt="ZeroFox threat intel logo" width="50" />
+<img src={useBaseUrl('img/integrations/misc/zerofox-logo.png')} alt="ZeroFox threat intel logo" width="50" />
 
 ZeroFox is a cybersecurity firm specializing in providing cyber threat intelligence services.
 
-The ZeroFox source collects threat indicators using the [ZeroFox CTI API](https://api.zerofox.com/cti/docs/) and sends them to Sumo Logic as normalized threat indicators for analysis.
+The ZeroFox source collects threat indicators using the [ZeroFox CTI API](https://api.zerofox.com/cti/docs/) and sends them to Sumo Logic as normalized threat indicators for analysis. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
 
 ## Data collected
 
diff --git a/docusaurus.config.js b/docusaurus.config.js
index f3493f318a..b70d457cd4 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -264,12 +264,6 @@ module.exports = {
         background: 'rgba(0, 0, 0, 0.6)',
       },
     },
-    announcementBar: {
-      id: 'support_us',
-      content: '<html><p style="font-size: 13px; padding-top: 20px">We are aware of the recent CrowdStrike and Microsoft outages. Our operations remain unaffected, and service continues uninterrupted. Thank you for your continued trust in Sumo Logic.</p>',
-      backgroundColor: '#fafbfc',
-      textColor: '#091E42',
-    },
     colorMode: {
       defaultMode: 'light',
     },
diff --git a/sidebars.ts b/sidebars.ts
index 0ba338c922..a147e3e400 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -3092,6 +3092,7 @@ integrations: [
         'api/service-map',
         'api/slo-management',
         'api/span-analytics',
+        'api/threat-intel-ingest',
         'api/token-management',
         'api/tracing',
         'api/user-management',

From bf5fe1799684769df2769f851f13c779fb759479 Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Tue, 4 Mar 2025 13:16:48 -0600
Subject: [PATCH 2/2] Add Cloud SIEM release note

---
 blog-cse/2025-03-03-application.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 blog-cse/2025-03-03-application.md

diff --git a/blog-cse/2025-03-03-application.md b/blog-cse/2025-03-03-application.md
new file mode 100644
index 0000000000..71c67edc22
--- /dev/null
+++ b/blog-cse/2025-03-03-application.md
@@ -0,0 +1,16 @@
+---
+title: March 3, 2025 - Application Update
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - threat intel
+  - security
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.
+
+For more information, [see our release note](http://localhost:3000/release-notes-service/2025/03/03/security/) in the *Service* release notes section.
\ No newline at end of file