|
| 1 | +--- |
| 2 | +slug: /security/threat-intelligence/threat-intelligence-vendor-switch |
| 3 | +title: Threat Intelligence Vendor Switch |
| 4 | +description: Learn about the switch of our threat intelligence vendor from CrowdStrike to Intel 471. |
| 5 | +--- |
| 6 | + |
| 7 | +<head> |
| 8 | + <meta name="robots" content="noindex" /> |
| 9 | +</head> |
| 10 | + |
| 11 | +<p><a href="/docs/beta"><span className="beta">Beta</span></a></p> |
| 12 | + |
| 13 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 14 | + |
| 15 | +This article provides guidance on our switching from the legacy **_sumo_global_feed_cs** source supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/) to the **SumoLogic_ThreatIntel** source supplied by [Intel 471](https://intel471.com/). |
| 16 | + |
| 17 | +:::warning |
| 18 | +*The **_sumo_global_feed_cs** source will be discontinued on April 30, 2025*. For more information, see [Sumo Logic Threat Intelligence Sources](/docs/security/threat-intelligence/about-threat-intelligence). |
| 19 | +::: |
| 20 | + |
| 21 | +Switching to the Intel 471 global threat feed from CrowdStrike will introduce differences in the threat indicator content. Namely, the `raw` field from the `lookup` operator, and the `raw_threat` field from the `threatip` operator will contain different JSON-formatted fields. Sophisticated, security-centric Sumo Logic platform queries sometimes use these fields for searches and dashboards. |
| 22 | + |
| 23 | +Importantly, the intel vendors themselves control what appears in these "raw" fields, and each vendor prioritizes different aspects of the intel they provide. For example, CrowdStrike often includes CVEs where applicable, whereas Intel 471 bundles geo-IP data with some of its entries. CrowdStrike reports the publication timestamp of its indicators, whereas Intel 471 reports the recommended expiration timestamp. As such, Sumo Logic strongly encourages customers to review their searches and dashboards for "raw" field handling, and to modify them appropriately. |
| 24 | + |
| 25 | +Beginning April 1, 2025, customers can experiment with the Intel 471 feed by referencing the `sumo://threat/i471` lookup table as a parameter to the [`lookup` search operator](/docs/search/search-query-language/search-operators/lookup). (It isn't possible to do the same for `threatip`, though its `raw_threat` field is the same as the `lookup` operator's `raw` field.) On April 30, 2025, the global CrowdStrike feed will be fully replaced by Intel 471 in the Sumo Logic platform, and references to the old feed will automatically be updated to point to the new feed. |
| 26 | + |
| 27 | +Sumo Logic's native security applications will be updated to support this vendor change. To take advantage of the new Intel 471 feed, customers only need to update queries in their custom apps by April 30, 2025. For examples of queries using the `lookup` operator, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app. |
| 28 | + |
| 29 | +## How do I know if I need to update a search or dashboard? |
| 30 | + |
| 31 | +If your queries reference `json field=raw` or `parse field=raw` (or `raw_threat`, in the case of the `threatip` operator), you are extracting vendor-specific data that might need to be updated. |
| 32 | + |
| 33 | +Additionally, the Intel 471 source currently does not include domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes. |
| 34 | + |
| 35 | +## How can I translate CrowdStrike-specific fields to Intel 471-specific fields? |
| 36 | + |
| 37 | +In many cases, it may not be possible to translate CrowdStrike-specific fields to Intel 471-specific fields, as the two vendors emphasize different aspects of indicators of compromise. However, the table below provides approximate mappings to help you start adapting your queries. |
| 38 | + |
| 39 | +### Approximate field mappings |
| 40 | + |
| 41 | +As a starting point to analyze field mapping, examine the following translations: |
| 42 | + |
| 43 | +| CrowdStrike | Intel 471 | Translation notes | |
| 44 | +| :-- | :-- | :-- | |
| 45 | +| `indicator` | `data.indicator_data.*` <br/><br/>For example:<br/>`data.indicator_data.address`<br/>`data.indicator_data.file.md5`<br/>`data.indicator_data.file.sha1`<br/>`data.indicator_data.file.sha256`<br/>`data.indicator_data.url` | Depends on the type. Every Intel 471 file hash record includes all hash types. <br/><br/>Intel 471 also includes geoip data for IP addresses under `data.indicator_data.geo_ip`.<br/><br/>Intel 471 has no domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes. | |
| 46 | +| `kill_chains` | `data.mitre_tactics` | |
| 47 | +| `labels[*].name` | `data.threat.type`<br/>`data.threat.data.family`<br/>`data.context.description`<br/>`data.mitre_tactics` | CrowdStrike's labels are redundant with other sections in the CrowdStrike record. | |
| 48 | +| `last_updated` | `last_updated` | CrowdStrike's timestamps are in epoch seconds whereas Intel 471's are in milliseconds. | |
| 49 | +| `malicious_confidence` | `data.confidence` | | |
| 50 | +| `malware_families` | `data.threat.data.family` | | |
| 51 | +| `threat_types` | `data.threat.type` | | |
| 52 | +| `type` | `data.indicator_type` | | |
| 53 | +| (none) | `data.expiration` | Intel 471 only. In milliseconds. | |
| 54 | + |
| 55 | +### JSON side-by-side approximate field mappings |
| 56 | + |
| 57 | +<img src={useBaseUrl('img/security/threat-intel-field-mappings.png')} alt="Threat Intelligence field mappings" style={{border: '1px solid gray'}} width="800" /> |
0 commit comments