
DOCS-25 - Fix minor threat intel doc issues #5138

Merged
merged 2 commits into from
Mar 4, 2025
16 changes: 16 additions & 0 deletions blog-cse/2025-03-03-application.md
@@ -0,0 +1,16 @@
---
title: March 3, 2025 - Application Update
image: https://help.sumologic.com/img/sumo-square.png
keywords:
- threat intel
- security
hide_table_of_contents: true
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>

We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.

For more information, [see our release note](http://localhost:3000/release-notes-service/2025/03/03/security/) in the *Service* release notes section.
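Review bot: the release-note link on the last line of this hunk points at `http://localhost:3000/release-notes-service/2025/03/03/security/`, a local dev-server address that will be dead for every reader once published; use the site-relative path (`/release-notes-service/2025/03/03/security/`) as the other internal links in this PR do. In the paragraph above it, `indicators of Compromise (IoC)` has inconsistent capitalization; either `indicators of compromise (IoCs)` or `Indicators of Compromise (IoCs)` would be consistent.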
4 changes: 2 additions & 2 deletions blog-service/2025-03-03-security.md
@@ -1,8 +1,8 @@
---
title: Threat Intelligence (Security)
image: https://www.sumologic.com/img/logo.svg
image: https://help.sumologic.com/img/sumo-square.png
keywords:
- platform services
- security
- threat intel
hide_table_of_contents: true
---
5 changes: 5 additions & 0 deletions docs/api/index.md
Expand Up @@ -230,6 +230,11 @@ To connect with other Sumo Logic users, post feedback, or ask a question, visit
<a href="/docs/api/span-analytics"><img src={useBaseUrl('img/icons/operations/distributed-operations.png')} alt="Thumbnail icon" width="50"/><h4>Span Analytics</h4></a>
</div>
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/api/threat-intel-ingest"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="Thumbnail icon" width="50"/><h4>Threat Intel Ingest</h4></a>
</div>
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/api/token-management"><img src={useBaseUrl('img/icons/security/security.png')} alt="Thumbnail icon" width="50"/><h4>Tokens</h4></a>
24 changes: 18 additions & 6 deletions docs/api/threat-intel-ingest.md
@@ -1,21 +1,25 @@
---
id: threat-intel-ingest
title: Threat Intel Ingest Management APIs
sidebar_label: Threat Intel Ingest Management
sidebar_label: Threat Intel
description: The Threat Intel Ingest Management API allows you to upload STIX 2.x threat intel indicators, view storage status of threat intel ingest service, and view and set the retention period for threat intel indicators.
hide_table_of_contents: true
---

import useBaseUrl from '@docusaurus/useBaseUrl';
import ApiIntro from '../reuse/api-intro.md';
import ApiRoles from '../reuse/api-roles.md';

<img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="60"/>

The [Threat Intel Ingest Management](/docs/security/threat-intelligence) API allows you to:
The Threat Intel Ingest Management API allows you to:

* Upload STIX 2.x threat intel indicators
* View storage status of threat intel ingest service
* View and set the retention period for threat intel indicators
* Upload threat intelligence indicators
* View storage status of threat intelligence ingest service
* View and set the retention period for threat intelligence indicators

For more information about threat intelligence, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).

## Documentation

<ApiIntro/>

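Review bot: the frontmatter `description` in this hunk still says the API lets you `upload STIX 2.x threat intel indicators`, while the body bullets below it drop the `STIX 2.x` qualifier and switch to `threat intelligence indicators`; align the description with the bullets (or keep `STIX 2.x` in both) so the page metadata and the page body do not disagree about what the API accepts.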
Expand All @@ -30,3 +34,11 @@ The [Threat Intel Ingest Management](/docs/security/threat-intelligence) API all
| JP | https://api.jp.sumologic.com/docs/#tag/threatIntelIngest |
| US1 | https://api.sumologic.com/docs/#tag/threatIntelIngest |
| US2 | https://api.us2.sumologic.com/docs/#tag/threatIntelIngest |

## Required role capabilities

<ApiRoles/>

* Threat Intel
* View Threat Intel Data Store
* Manage Threat Intel Data Store
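Review bot: the new `Required role capabilities` section lists `View Threat Intel Data Store` and `Manage Threat Intel Data Store` but does not say which operation needs which; the bullets earlier on the page split naturally into read operations (view storage status, view retention) and write operations (upload indicators, set retention), so stating that mapping lets administrators grant a read-only role the View capability alone instead of Manage.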
Expand Up @@ -10,7 +10,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
<!-- For threat intel. Put this back once we support cat with the threatlookup search operator:

:::info
This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Threat Intelligence](/docs/security/threat-intelligence/).
This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/).
:::
-->

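Review bot: this edit changes text inside the `<!-- ... -->` block that the preceding comment says is intentionally disabled until `cat` works with the `threatlookup` operator, so readers will not see it; harmless, but confirm the link target `/docs/security/threat-intelligence/` is the one wanted when the block is re-enabled, since the other hunks in this PR move links to `/docs/security/threat-intelligence/about-threat-intelligence/`.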
Expand All @@ -19,7 +19,7 @@ This topic has information about setting up a *custom threat intelligence source
You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, domains, URLs, email addresses, and file hashes.

:::note
You can also use the Sumo Logic threat intelligence framework to add sources. See [Threat Intelligence](/docs/security/threat-intelligence/).
You can also use the Sumo Logic threat intelligence framework to add sources. See [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/).
:::

## How Cloud SIEM uses indicators
Expand Up @@ -171,7 +171,7 @@ See: [Create and Use Network Blocks](/docs/cse/administration/create-use-network

Cloud SIEM heavily leverages threat intelligence to do real-time comparisons against known bad indicators. You can configure popular free threat feeds. But if your security team pays for premium threat intelligence (such as RecordedFuture, Anomali, Crowdstrike, ThreatConnect, and so on), you can configure these too.

See: [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/)
See: [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators)

### Create lists
Perform the following steps to create lists to allow or suppress information monitored for Cloud SIEM.
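Review bot: the new `See:` target is a heading anchor (`#ingest-threat-intelligence-indicators`), which breaks silently if that heading is reworded, whereas the previous page-level link could not; if the anchor is intentional, keep the link text identical to the heading and make sure the site build validates anchors, not only page paths, so a later heading edit is caught.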
2 changes: 1 addition & 1 deletion docs/cse/rules/about-cse-rules.md
Expand Up @@ -181,7 +181,7 @@ This example below checks a record for a field named `listMatches` that contains

### Threat Intelligence

Threat Intelligence sources contain values that, when encountered in a record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/).
Threat Intelligence sources contain values that, when encountered in a record, are clear indicators of compromise. To create a new source of Threat Intelligence, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).

Threat Intelligence sources are used at the time of record ingestion. When a record is ingested, Cloud SIEM determines whether any of the fields in the record exist in any of your Threat Intelligence sources. When a record contains a value that matches an entry in one or more Threat Intelligence sources, the `hasThreatMatch` Cloud SIEM rules function searches incoming records in Cloud SIEM for matches to threat intelligence indicators. For more information, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).

4 changes: 2 additions & 2 deletions docs/manage/users-roles/roles/role-capabilities.md
Expand Up @@ -129,8 +129,8 @@ Folder-level permissions are available if your org has fine-grained Monitor perm
## Threat Intel
| Capability | Description |
| :-- | :-- |
| View Threat Intel Data Store | Search log data using [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/). |
| Manage Threat Intel Data Store | Create, edit, and delete [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/). |
| View Threat Intel Data Store | View the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab. |
| Manage Threat Intel Data Store | Create, edit, and delete threat intelligence sources on the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab. |

## Cloud SOAR

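Review bot: the new descriptions narrow both capabilities to the Threat Intelligence tab in the UI, but `docs/api/threat-intel-ingest.md` in this same PR lists `View Threat Intel Data Store` and `Manage Threat Intel Data Store` as the capabilities required for the Threat Intel Ingest API (uploading indicators, viewing storage status, setting retention). Administrators use this table to decide what a role can do, so the descriptions should also state that these capabilities grant API access to the threat intelligence data store, not only the tab; the previous wording (`Create, edit, and delete threat intelligence indicators`) at least covered the API surface.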
6 changes: 0 additions & 6 deletions docs/platform-services/index.md
Expand Up @@ -15,10 +15,4 @@ Platform services are services that are available to use across the entire Sumo
<p>Learn how to use the Automation Service to automate actions.</p>
</div>
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/security/threat-intelligence"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="40"/><h4>Threat Intelligence</h4></a>
<p>Learn about Sumo Logic's threat intelligence capabilities.</p>
</div>
</div>
</div>
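Review bot: this hunk removes the Threat Intelligence card from the Platform Services landing page without a replacement entry point, and neither the PR title nor the diff explains why; if Threat Intelligence is no longer classified as a platform service, say so in the PR description and confirm the page is still reachable from the sidebar or another index, since the card added to `docs/api/index.md` in this PR links the API page only, not `/docs/security/threat-intelligence`.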
Expand Up @@ -381,7 +381,7 @@ In this section, we'll introduce the following concepts:
<div className="box smallbox card">
<div className="container">
<a href="/docs/search/search-query-language/search-operators/threatip"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="40"/><h4>threatip</h4></a>
<p>Correlates CrowdStrike's threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.</p>
<p>Correlates threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.</p>
</div>
</div>
<!-- <div className="box smallbox card">
Expand Up @@ -4,10 +4,10 @@ title: threatlookup Search Operator
sidebar_label: threatlookup
---

The `threatlookup` search operator allows you to search logs for matches in [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/), providing security analytics to help you to detect threats in your environment.
The `threatlookup` search operator allows you to search logs for matches in [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/), providing security analytics to help you to detect threats in your environment.

:::note
You can also use the [`threatip`](/docs/search/search-query-language/search-operators/threatip/) search operator to search CrowdStrike's threat intelligence data based on IP addresses.
You can also use the [`threatip`](/docs/search/search-query-language/search-operators/threatip/) search operator to search threat intelligence data based on IP addresses.
:::

## Syntax
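Review bot: with `CrowdStrike's` removed, the note now says `threatip` searches `threat intelligence data based on IP addresses`, which is no longer distinguishable from what the sentence above says `threatlookup` does; one clause on how the two operators differ (which data each queries, or when to prefer one) would keep the note useful rather than redundant.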
2 changes: 1 addition & 1 deletion docs/search/subqueries.md
Expand Up @@ -376,7 +376,7 @@ _sourceCategory=search "error while retrying to deploy index"

### Check Malicious Activity with Subquery

The following search allows a security analyst to track logs related to a malicious IP address that was flagged by Amazon GuardDuty and also by a CrowdStrike Threat feed. The subquery is returning the field `src_ip` with the IP addresses deemed as threats to the parent query, note that the keywords option was not used so the parent query will expect a field src_ip to exist. The results will include logs from the weblogs sourceCategory that have a `src_ip` value that was deemed a threat from the subquery.
The following search allows a security analyst to track logs related to a malicious IP address that was flagged by Amazon GuardDuty and also by a [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) feed. The subquery is returning the field `src_ip` with the IP addresses deemed as threats to the parent query, note that the keywords option was not used so the parent query will expect a field src_ip to exist. The results will include logs from the weblogs sourceCategory that have a `src_ip` value that was deemed a threat from the subquery.

```sql
_sourceCategory=weblogs
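Review bot: while this line is being touched, `The subquery is returning ... to the parent query, note that the keywords option was not used so the parent query will expect a field src_ip to exist.` is a comma splice and the second `src_ip` is unformatted; splitting it (`... to the parent query. Note that the keywords option was not used, so the parent query will expect a field `src_ip` to exist.`) would read cleanly.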
Expand Up @@ -56,7 +56,7 @@ When you add indicators, the event is recorded in the Audit Event Index. See [Au

## Delete threat intelligence indicators

1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/).In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
1. Select a source in the list of sources. Details of the source appear in a sidebar.
1. Click the **Delete Indicators** button.
<!-- 1. When the following dialog appears, select which indicators you'd like to delete from the source:<br/><img src={useBaseUrl('img/security/threat-intelligence-delete-indicators.png')} alt="Delete threat intelligence indicators" style={{border: '1px solid gray'}} width="500" />
4 changes: 2 additions & 2 deletions docs/security/threat-intelligence/upload-formats.md
Expand Up @@ -81,7 +81,7 @@ The following attributes are required:
* **source** (string). User-provided text to identify the source of the indicator. For example, `TAXII2Source`.
* **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
* **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest (as [defined by the confidence scale in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_1v6elyto0uqg)). For example, `75`.
* **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to Entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
* **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
* `anomalous-activity`. Unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
* `anonymization`. Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
* `benign`. Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
Expand Down Expand Up @@ -136,7 +136,7 @@ Columns for the following attributes are required in the upload file:
* **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
* **validUntil** (string [date-time]). Ending time this indicator is valid. If not set, the indicator never expires. Timestamp in UTC in RFC3339 format. For example, `2024-03-21T12:00:00.000Z`.
* **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest. For example, `75`.
* **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to Entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
* **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
* `anomalous-activity`. Unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
* `anonymization`. Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
* `benign`. Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
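Review bot: the `confidence` bullet in this CSV section still lacks the `(as [defined by the confidence scale in STIX 2.1](...))` reference that the JSON section's matching bullet carries in the first hunk of this file; since this PR is already aligning the two `threatType` bullets (`Entities` to `entities`), add the same reference here so the two attribute lists stay parallel.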
Expand Up @@ -16,7 +16,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';

<img src={useBaseUrl('img/integrations/security-threat-detection/crowdstrike.png')} alt="thumbnail icon" width="85"/>

CrowdStrike is the leader in next-generation endpoint protection, threat intelligence, and response services. CrowdStrike’s core technology, the Falcon platform, stops breaches by preventing and responding to all types of attacks — both malware and malware-free. The CrowdStrike Threat Intel integration ingests the indicator data from CrowdStrike Combined API and sends it to Sumo Logic as normalized threat indicator information.
CrowdStrike is the leader in next-generation endpoint protection, threat intelligence, and response services. CrowdStrike’s core technology, the Falcon platform, stops breaches by preventing and responding to all types of attacks — both malware and malware-free. The CrowdStrike Threat Intel integration ingests the indicator data from CrowdStrike Combined API and sends it to Sumo Logic as normalized threat indicator information. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).

:::important
The CrowdStrike API documentation is not public and can only be accessed by partners or customers.
Expand Up @@ -579,7 +579,7 @@ In this section, we'll introduce the following concepts:
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source"><img src={useBaseUrl('img/integrations/security-threat-detection/zerofox_logo.png')} alt="Thumbnail icon" width="45"/><h4>ZeroFox</h4></a>
<a href="/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source"><img src={useBaseUrl('img/integrations/misc/zerofox-logo.png')} alt="Thumbnail icon" width="50"/><h4>ZeroFox</h4></a>
<p>Learn to collect threat indicators using the ZeroFox API and send them to Sumo Logic for analysis.</p>
</div>
</div>
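Review bot: the icon path changes from `img/integrations/security-threat-detection/zerofox_logo.png` to `img/integrations/misc/zerofox-logo.png` and the width from 45 to 50, but no image file is added or moved anywhere in this diff; confirm the new asset exists at that path (a missing static image shows up only as a broken image at runtime, not as a build failure) and that the old file is either removed or still referenced elsewhere, and check whether the sibling cards use 45 or 50 so the row stays visually consistent.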