docs/cse/administration/create-custom-threat-intel-source.md
Lines changed: 9 additions & 3 deletions
Original file line number
Diff line number
Diff line change
@@ -10,15 +10,19 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
10
10
<!-- For threat intel. Put this back once we support cat with the threatlookup search operator:
11
11
12
12
:::info
13
-
This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use our new threat intelligence indicators framework. For more information, see [Custom threat intelligence sources in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#custom-threat-intelligence-sources-in-cloud-siem).
13
+
This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Threat Intelligence](/docs/security/threat-intelligence/).
14
14
:::
15
15
-->
16
16
17
17
This topic has information about setting up a *custom threat intelligence source* in Cloud SIEM, which is a threat intelligence list that you can populate manually, as opposed to using an automatic feed.
18
18
19
19
You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, hostnames, URLs, email addresses, and file hashes.
20
20
21
-
### How Cloud SIEM uses indicators
21
+
:::note
22
+
You can also use the Sumo Logic threat intelligence framework to add sources. See [Threat Intelligence](/docs/security/threat-intelligence/).
23
+
:::
24
+
25
+
## How Cloud SIEM uses indicators
22
26
23
27
When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence
24
28
information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in
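Review bot: the edited `:::info` text at new line 13 sits inside the HTML comment opened at line 10 (`<!-- For threat intel. Put this back once we support cat with the threatlookup search operator:`) and closed by `-->` at line 15, so this wording and link change never renders, and it now disagrees with the visible `:::note` added at new lines 21-23: the hidden block says "You can no longer add custom intelligence sources in Cloud SIEM", while the rendered note says "You can also use the Sumo Logic threat intelligence framework to add sources." Keep one source of truth: either delete the commented-out block (it is already superseded by the note) or leave it untouched so the two copies do not drift further. The heading promotion from `### How Cloud SIEM uses indicators` to `## How Cloud SIEM uses indicators` is consistent with the same change in the next hunk and reads correctly with the blank line at new line 24 separating it from the note.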
@@ -27,7 +31,7 @@ this way.
27
31
Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the
28
32
*About Cloud SIEM Rules* topic.
29
33
30
-
###Create a threat intelligence source from Cloud SIEM UI
34
+
## Create a threat intelligence source from Cloud SIEM UI
31
35
32
36
1.[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
33
37
1. Click **Add Source** on the **Threat Intelligence** page.
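Review bot: the replaced heading `###Create a threat intelligence source from Cloud SIEM UI` had no space after the hashes, so it rendered as literal text rather than a heading; the new `## Create a threat intelligence source from Cloud SIEM UI` fixes both that and the level, which now matches the `## How Cloud SIEM uses indicators` heading above it. While here, the unchanged context line at 32/36, `1.[**Classic UI**](/docs/get-started/sumo-logic-ui-classic)...`, has the same defect: without a space after `1.` it is not a Markdown list item, so the Classic UI and New UI instructions render as a paragraph while the following `1. Click **Add Source**` starts a new list. Suggest `1. [**Classic UI**]...` in the same commit.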
@@ -37,6 +41,8 @@ Rule authors can also write rules that look for threat intelligence information
37
41
38
42
Your new source should now appear on the **Threat Intelligence** page.
39
43
44
+
## Add indicators
45
+
40
46
### Enter indicators manually
41
47
42
48
1. On the **Threat Intelligence** page, click the name of the source you want to update.
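Review bot: the new `## Add indicators` heading at line 44 is followed directly by `### Enter indicators manually` with no introductory text, leaving an empty section under the new H2. Suggest a one-line lead that names the ways to add indicators this topic already lists in its introduction (interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs) so readers know what the subsections cover. Since the subsection heading text is unchanged, its generated anchor should be unaffected by the new nesting, but existing links to it are worth a quick check before merge.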