|
| 1 | +--- |
| 2 | +slug: /security/threat-intelligence/threat-intelligence-mapping |
| 3 | +title: Threat Intelligence Mapping |
| 4 | +sidebar_label: Mapping |
| 5 | +description: Learn about mapping of threat intelligence indicators to Sumo Logic. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +## Global feed mapping |
| 11 | + |
| 12 | +Sumo Logic provides an out-of-the-box a `_sumo_global_feed_cs` source of threat intelligence indicators supplied by CrowdStrike. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. |
| 13 | + |
| 14 | +In the threat intelligence datastore, the schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: |
| 15 | + |
| 16 | +| Original schema | Normalized schema in the datastore | |
| 17 | +|:--|:--| |
| 18 | +| `actor` | `actors` | |
| 19 | +| `id` | `id` | |
| 20 | +| `indicator` | `indicator` | |
| 21 | +| `kill_chain_phases` | `killChain` | |
| 22 | +| `labels.ThreatType` | `threatType` | |
| 23 | +| `last_updated` | `updated` | |
| 24 | +| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) | |
| 25 | +| `published_date` | `validFrom` and `imported` | |
| 26 | +| `type` | `type` | |
| 27 | + |
| 28 | +(All other fields will be kept in the `fields{}` object.) |
| 29 | + |
| 30 | +The `type` object is mapped to the following normalized type values: |
| 31 | + |
| 32 | +| Original type | Normalized type in the datastore | |
| 33 | +|:--|:--| |
| 34 | +| `binary_string` | `artifact:payload_bin` | |
| 35 | +| `bitcoin_address` | `url` | |
| 36 | +| `ip_address` | `ipv4-addr` / `ipv6-addr` | |
| 37 | +| `domain` | `domain-name` | |
| 38 | +| `email_address` | `email-add` | |
| 39 | +| `file_path` | `file:name` | |
| 40 | +| `file_name` | `file:name` | |
| 41 | +| `hash_md5` | `file:hashes.'MD5'` | |
| 42 | +| `hash_sha1` | `file:hashes.'SHA-1'` | |
| 43 | +| `hash_sha256` | `file:hashes.'SHA-256'` | |
| 44 | +| `mutex_name` | `mutex:name` | |
| 45 | +| `service_name` | `process:name` | |
| 46 | +| `url` | `url` | |
| 47 | +| `username` | `user-account:user_id` | |
| 48 | +| `user_agent` | `http-request-ext:request_header.'User-Agent'` | |
| 49 | +| `x509_subject` | `x509-certificate:serial_number` | |
| 50 | + |
| 51 | + |
| 52 | +## CrowdStrike mapping |
| 53 | + |
| 54 | +You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md) |
| 55 | + |
| 56 | +In the threat intelligence datastore, the CrowdStrike schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: |
| 57 | + |
| 58 | +| CrowdStrike schema | Normalized schema in the datastore | |
| 59 | +|:--|:--| |
| 60 | +| `actor` | `actors` | |
| 61 | +| `id` | `id` | |
| 62 | +| `indicator` | `indicator` | |
| 63 | +| `kill_chain_phases` | `killChain` | |
| 64 | +| `labels.ThreatType` | `threatType` | |
| 65 | +| `last_updated` | `updated` | |
| 66 | +| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) | |
| 67 | +| `published_date` | `validFrom` and `imported` | |
| 68 | +| `type` | `type` | |
| 69 | + |
| 70 | + |
| 71 | + |
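Review bot: the `email_address` row of the normalized type table maps to `email-add`, which looks like a typo for the STIX cyber-observable type `email-addr` that the other rows follow (`domain-name`, `ipv4-addr`, `user-account:user_id`); please confirm the value the datastore actually stores, since a search written against the wrong type will silently match nothing. Two other rows in the same table deserve a second look: `x509_subject` maps to `x509-certificate:serial_number` although a certificate subject and its serial number are different fields, and `bitcoin_address` maps to `url`, which makes wallet indicators indistinguishable from URL indicators once normalized. In the first paragraph, "provides an out-of-the-box a `_sumo_global_feed_cs` source" has a stray article; suggest "provides an out-of-the-box `_sumo_global_feed_cs` source". The sentence introducing the CrowdStrike Threat Intel Source link is missing its terminating period. Both `malicious_confidence` rows say the value is "normalized to the 0-100 scale" without stating the rule, and anyone writing match rules on `confidence` will need the actual mapping, so document it or link to where it is defined. Finally, the table under `## CrowdStrike mapping` is identical to the one under `## Global feed mapping`; since the global feed is described as CrowdStrike-supplied, consider saying so explicitly and keeping a single table (or linking to the first) so the two copies do not drift apart, and state whether the normalized type table also applies to indicators ingested through the CrowdStrike source.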