SumoLogic · jpipkin1 · Apr 8, 2025 · Mar 18, 2025 · Mar 19, 2025 · Mar 19, 2025
diff --git a/blog-cse/2025-04-01-application.md b/blog-cse/2025-04-01-application.md
@@ -0,0 +1,21 @@
+---
+title: April 1, 2025 - Application Update
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - threat intelligence
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### Threat Intelligence New Global Feed
+
+We’re excited to announce a new `_sumo_global_feed_i471` source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis.
+
+:::warning
+On April 30 2025, we will discontinue our legacy `_sumo_global_feed_cs` source. If you have rules that explicitly point to this source, update them to use the new `_sumo_global_feed_i471` source.
+:::
+
+[Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-global-feed-source).
+
+<img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
@@ -670,13 +670,10 @@ As a best practice, always include filtering to narrow your match to just the ty
 For example:
 * `hasThreatMatch([dstDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))` 
 * `hasThreatMatch([file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_ssdeep, file_hash_sha1, file_hash_sha256], confidence > 1 AND type="file:hashes")` 
-* `hasThreatMatch([device_hostname, srcDevice_hostname, dstDevice_hostname, http_hostname, http_referrerHostname, bro_ssl_serverName, bro_ntlm_domainame, bro_ssl_serverName_rootDomain, dns_queryDomain, dns_replyDomain, fromUser_authDomain, http_referrerDomain, http_url_rootDomain, http_url_fqdn], confidence > 1 AND (type="domain-name" OR type="url"))` 
 * `hasThreatMatch([http_url], confidence > 1 AND type="url")` 
 * `hasThreatMatch([srcDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))`
 
 Following are the standard indicator types you can filter on:
-* `domain-name`. Domain name. 
-* `email-addr`. Email address. 
 * `file:hashes`. File hash. (If you want to add the hash algorithm, enter `file:hashes.<HASH-TYPE>`. For example, `[file:hashes.MD5 = '5d41402abc4b2a76b9719d911017c592']` or `[file:hashes.'SHA-256' = '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c']`.)
 * `file`. File name. 
 * `ipv4-addr`. IPv4 IP address. 

diff --git a/docs/integrations/amazon-aws/amazon-bedrock.md b/docs/integrations/amazon-aws/amazon-bedrock.md
@@ -58,9 +58,9 @@ The Sumo Logic app for AWS WAF analyzes traffic flowing through AWS WAF and auto
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=clientip
 ```
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop

@@ -27,9 +27,10 @@ import AppInstall from '../../reuse/apps/app-install.md';
 
 ## Threat Intel optimization
 
-The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your Threat Intel queries:
+The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**.
 
-Filter out unwanted logs before you use lookup operator
+Use the following guidelines to customize your Threat Intel queries:
+* Filter out unwanted logs before you use lookup operator
 * Use keywords
 * Use the where operator
 * Use general search optimization rules
@@ -40,10 +41,10 @@ _sourceCategory=cylance "IP Address"
 | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where !isNull(ip_address)
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
 ```
 
-<!-- Replace section content with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace section content with this after `sumo://threat/i471` is replaced by `threatlookup`:
 
 The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. 
 
@@ -97,7 +98,7 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
    ```
 1. Customize your query so you can use parsed fields from FER with the lookup operator, where src_ip is the parsed field from FER (see step # 1). For example:
    ```
-   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=src_ip
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
@@ -106,7 +107,7 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source, label_name
    | sort by threat_count
    ``` 
-<!-- Replace the preceding step with the following after `sumo://threat/cs` is replaced by `threatlookup`:   
+<!-- Replace the preceding step with the following after `sumo://threat/i471` is replaced by `threatlookup`:   
 1. Customize your query so you can use parsed fields from the Field Extraction Rule with the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/), where `src_ip` is the parsed field from the FER. For example:
    ```
    | threatlookup singleIndicator src_ip
@@ -124,7 +125,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
 
 1. Create a scheduled view. For example, for Cylance, create a scheduled view, **cylance_threat**:
    ```
-   _sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
+   _sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=src_ip
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
@@ -133,7 +134,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
    | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source,  label_name, city, country_name, raw
    ```
-<!-- Replace the preceding code with the following after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace the preceding code with the following after `sumo://threat/i471` is replaced by `threatlookup`:
    ```
     _sourceCategory=cylance
     | threatlookup singleIndicator src_ip
@@ -150,7 +151,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
      | count by src_ip
      ```
 
-<!-- Hide this FAQ section until after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Hide this FAQ section until after `sumo://threat/i471` is replaced by `threatlookup`:
 
 ## Threat Intel FAQ
 

@@ -60,7 +60,7 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
 | where Region matches "*" and tolowercase(entity) matches "*"
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
 | count as ip_count by ip_address
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
 | json field=raw "labels[*].name" as label_name
 | replace(label_name, "\\/","->") as label_name
 | replace(label_name, "\""," ") as label_name
@@ -69,7 +69,7 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
 | sum (ip_count) as threat_count
 ```
 
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql title="All IP Threat Count"
 _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynamodb.amazonaws.com\""
 | json "eventName", "awsRegion", "requestParameters.tableName", "sourceIPAddress", "userIdentity.userName" as event_name, Region, entity, ip_address, user

@@ -4,7 +4,7 @@ title: threatip Search Operator
 sidebar_label: threatip
 ---
 
-The `threatip` operator correlates data in the `_sumo_global_feed_cs` [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) source based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
+The `threatip` operator correlates data in the `_sumo_global_feed_i471` [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) source based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
 
 <!-- 
 You can also use the [`threatlookup`](/docs/search/search-query-language/search-operators/threatlookup/) search operator to search threat intelligence indicators.

@@ -136,7 +136,7 @@ _sourceCategory=weblogs
 | compose src_ip]
 ```
 
-<!-- Add this after sumo://threat/cs is replaced by threatlookup":
+<!-- Add this after sumo://threat/i471 is replaced by threatlookup":
 
 ### Threatlookup queries in dashboards
 
@@ -217,6 +217,6 @@ cat sumo://threat-intel | formatDate(toLong(_threatlookup.valid_until), "yyyy-MM
 ```
 
 :::note
-You cannot use the cat search operator with the `_sumo_global_feed_cs` source.
+You cannot use the cat search operator with the `_sumo_global_feed_i471` source.
 :::
 -->
@@ -52,10 +52,10 @@ which provides results like:
 | toLowerCase ("B101CD29E18A515753409AE86CE68A4CEDBE0D640D385EB24B9BBB69CF8186AE") as hash
 | count hash
 | fields -_count
-| lookup raw from sumo://threat/cs on threat = hash{code}
+| lookup raw from sumo://threat/i471 on threat = hash{code}
 ```
 
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql
 *
 | limit 1

@@ -385,11 +385,11 @@ _sourceCategory=weblogs
 | json field=_raw "service.action.networkConnectionAction.connectionDirection" as connectionDirection
 | where connectionDirection = "OUTBOUND"
 | json field=remoteipdetails "ipAddressV4" as src_ip
-| lookup type, actor, raw, threatlevel from sumo://threat/cs on src_ip=threat
+| lookup type, actor, raw, threatlevel from sumo://threat/i471 on src_ip=threat
 | where threatlevel = "high"
 | compose src_ip]
 ```
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql
 _sourceCategory=weblogs
 [subquery:_sourceCategory="Labs/SecDemo/guardduty" "EC2 Instance" "communicating on an unusual server port 22"

@@ -288,7 +288,7 @@ We need a way to see if any of the IP addresses we have logged are known threats
    _sourceCategory=Labs/AWS/CloudTrail
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" multi
    | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
    | where type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | parse field=raw "\"ip_address_types\":[\"*\"]" as ip_address_types nodrop
@@ -298,7 +298,7 @@ We need a way to see if any of the IP addresses we have logged are known threats
    | fields - ip_address,malicious_confidence,actor,kill_chains,ip_address_types,_sourceCategory,_source | count by _timeslice
    | outlier _count window=5,threshold=3,consecutive=1,direction=+-
    ```
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
    ```
    _sourceCategory=Labs/AWS/CloudTrail 
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"