Add comments for DOCS-643

Author: jpipkin1

blog-service/2025-01-16-security.md renamed to blog-service/2025-01-31-security.md

@@ -54,14 +54,20 @@ The Sumo Logic app for AWS WAF analyzes traffic flowing through AWS WAF and auto
 }
 ```
 
-## Sample queries  
-
+## Sample queries
+```sql title="Client IP Threat Info"
+_sourceCategory=AWS/WAF {{client_ip}}
+| parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
+```
+<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
 | threatlookup singleIndicator clientip
 | where (_threatlookup.type="ipv4-addr:value" or _threatlookup.type="ipv6-addr:value") and !isNull(_threatlookup.confidence)
 ```
+-->
 
 ## Collecting logs for the AWS WAF app
 

docs/integrations/amazon-aws/waf.md

@@ -9,11 +9,11 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <img src={useBaseUrl('img/integrations/security-threat-detection/threatintel.png')} alt="thumbnail icon" width="75"/>
 
-The Threat Intel Quick Analysis app correlates [threat intelligence](/docs/security/threat-intelligence/) data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. The Threat Intel Quick Analysis app scans selected logs for threats based on **IP**, **URL**, **domain, Hash 256,** and **email**.
+The Threat Intel Quick Analysis app correlates [threat intelligence](/docs/security/threat-intelligence/) data with your own log data, providing security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. The Threat Intel Quick Analysis app scans selected logs for threats based on IP, URL, domain, SHA-256 hashes, and email.
 
 ## Log types
 
-The Threat Intel Quick Analysis app can be used for any type of logs, regardless of format. Ideal log sources should include **IP**, **URL**, **domain**, **Hash 256**, and/or **email** information.
+The Threat Intel Quick Analysis app can be used for any type of logs, regardless of format. Ideal log sources should include IP, URL, domain, SHA-256 hashes, and/or email information.
 
 ## Installing the Threat Intel Quick Analysis app
 
@@ -27,6 +27,24 @@ import AppInstall from '../../reuse/apps/app-install.md';
 
 ## Threat Intel optimization
 
+The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your Threat Intel queries:
+
+Filter out unwanted logs before you use lookup operator
+* Use keywords
+* Use the where operator
+* Use general search optimization rules
+
+For example:
+```
+_sourceCategory=cylance "IP Address"
+| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| where !isNull(ip_address)
+| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
+```
+
+<!-- Replace section content with this after `sumo://threat/cs` is replaced by `threatlookup`:
+
 The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. 
 
 You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your threat intel queries:
@@ -67,15 +85,28 @@ _sourceCategory=<source-category-name>
 
 |sum (ip_count) as threat_count
 ```
+-->
 
 ### Field Extraction Rule
 
-Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-extraction-rule) to parse fields from your log messages at the time the messages are ingested, which eliminates the need to parse fields at the query level. Use these parsed fields along with Threat Intel Lookup operator.
+Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-extraction-rule) to parse fields from your log messages at the time the messages are ingested, which eliminates the need to parse fields at the query level. Use these parsed fields along with lookup operator.
 
 1. Create the FER For example, for Cylance Security Events, create and use the following Field Extraction Rule:
    ```sql
    parse "Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *), File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, Cylance Score: *, Found Date: *, File Type: *, Is Running: *, Auto Run: *, Detected By: *" as event_type,event_name,device_name,src_ip,dest_ip,file_name,path,drive_type,sha,md5,status,score,found,file_type,isRunning,autoRun,detected
    ```
+1. Customize your query so you can use parsed fields from FER with the lookup operator, where src_ip is the parsed field from FER (see step # 1). For example:
+   ```
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
+   | json field=raw "labels[*].name" as label_name
+   | replace(label_name, "\\/","->") as label_name
+   | replace(label_name, "\""," ") as label_name
+   | where  type="ip_address" and !isNull(malicious_confidence)
+   | if (isEmpty(actor), "Unassigned", actor) as Actor
+   | count as threat_count by src_ip, malicious_confidence, Actor,  _source, label_name
+   | sort by threat_count
+   ``` 
+<!-- Replace the preceding step with the following after `sumo://threat/cs` is replaced by `threatlookup`:   
 1. Customize your query so you can use parsed fields from the Field Extraction Rule with the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/), where `src_ip` is the parsed field from the FER. For example:
    ```
    | threatlookup singleIndicator src_ip
@@ -85,12 +116,24 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source, label_name
    | sort by threat_count
    ```
+-->
 
 ### Scheduled view
 
 Use scheduled views with the threat lookup operator to find threats. Scheduled view reduces aggregate data down to the bare minimum, so they contain only the raw results that you need to generate your data. Queries that run against scheduled views return search results much faster because the data is pre-aggregated before the query is run. And a scheduled view query runs continuously, once per minute.
 
 1. Create a scheduled view. For example, for Cylance, create a scheduled view, **cylance_threat**:
+   ```
+   _sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
+   | json field=raw "labels[*].name" as label_name
+   | replace(label_name, "\\/","->") as label_name
+   | replace(label_name, "\""," ") as label_name
+   | where  type="ip_address" and !isNull(malicious_confidence)
+   | if (isEmpty(actor), "Unassigned", actor) as Actor
+   | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
+   | count as threat_count by src_ip, malicious_confidence, Actor,  _source,  label_name, city, country_name, raw
+   ```
+<!-- Replace the preceding code with the following after `sumo://threat/cs` is replaced by `threatlookup`:
    ```
     _sourceCategory=cylance
     | threatlookup singleIndicator src_ip
@@ -100,12 +143,15 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
     | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
     | count as threat_count by src_ip, malicious_confidence, Actor,  _source,  label_name, city, country_name, raw
    ```
+   -->
 1. Now, you can run your Threat Intel query on top of this view:
      ```sql
      _view=cylance_threat
      | count by src_ip
      ```
 
+<!-- Hide this FAQ section until after `sumo://threat/cs` is replaced by `threatlookup`:
+
 ## Threat Intel FAQ
 
 #### What does the Threat Intel Quick Analysis app do?
@@ -131,7 +177,7 @@ No. No results in your dashboards can mean that nothing has been identified as a
 It could be a case-sensitivity issue. In Sumo Logic, the equal sign (`=`) and the not equal to sign (`!=`) conditions are case-sensitive; when you use them with Sumo Logic operators you may need to convert the string to which the condition is applied to upper or lower case. For more information, see [Using toLowerCase or toUpperCase with an equating condition](/docs/search/search-query-language/search-operators/tolowercase-touppercase).
 
 #### I already have parsed fields such as IPs, domain, URL, Email, or File Name. Can I use them with this App, instead of parsing each log line again?
-Yes, you can customize the query with in the App. For example:
+Yes, you can customize the query in the app. For example:
 
 ```
 _sourceCategory= */*/FIREWALL or _sourceCategory=*/*/LB or _sourceCategory=*/*/ROUTER or _sourceCategory=*/*/WINDOWS or _sourceCategory=*/*/SERVER
@@ -179,6 +225,8 @@ Yes, you can run scheduled searches that can be set up with a run frequency of R
 
 You can further investigate bad IP triggers by updating your query to check the port as well and see if it is also identified as a malicious port.
 
+-->
+
 ## Viewing Threat Intel Quick Analysis dashboards
 
 All dashboards include filters that you can use in Interactive Mode for further analysis of your Threat Intel Quick Analysis data. Because the Threat Intel Quick Analysis has the most bearing on recent threats, most panels are set to the 15 minute time range. You can adjust time ranges as needed.
@@ -259,14 +307,14 @@ See the frequency of URL threats by Actor, Log Source, Malicious Confidence, and
 
 ### Hash 256
 
-See the frequency of Hash 256 threats by Actor, Log Source, Malicious Confidence, and view trends over time.
+See the frequency of SHA-256 threats by Actor, Log Source, Malicious Confidence, and view trends over time.
 
 <img src={useBaseUrl('img/integrations/security-threat-detection/TIQA_Hash256_Dashboard.png')} alt="Threat Intel Dashboard" />
 
-* **Threat Count.** Count of total Hash 256 threats over the last 15 minutes.
-* **Threats by Malicious Confidence.** Qualifies Hash 256 threats for the last 60 minutes  into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine and displayed as a pie chart.
-* **Threat Breakdown by Sources.** Pie chart of Hash 256 threats over the last 60 minutes broken down by source.
-* **Threats Over Time.** Line chart of the number of Hash 256 threats over the last 60 minutes.
-* **Threat Breakdown by Source.** Line chart of the number of Hash 256 threats over the last 60 minutes, broken down by source.
-* **Threats by Actor.** Identifies Actors, if any, that can be attributed to Hash 256 threats over the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
-* **Threat Table.** Aggregation Table of Hash 256 threats over the last 15 minutes.
+* **Threat Count.** Count of total SHA-256 threats over the last 15 minutes.
+* **Threats by Malicious Confidence.** Qualifies SHA-256 threats for the last 60 minutes  into High, Medium, Low, Unverified, according to Sumo Logic's machine learning engine and displayed as a pie chart.
+* **Threat Breakdown by Sources.** Pie chart of SHA-256 threats over the last 60 minutes broken down by source.
+* **Threats Over Time.** Line chart of the number of SHA-256 threats over the last 60 minutes.
+* **Threat Breakdown by Source.** Line chart of the number of SHA-256 threats over the last 60 minutes, broken down by source.
+* **Threats by Actor.** Identifies Actors, if any, that can be attributed to SHA-256 threats over the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
+* **Threat Table.** Aggregation Table of SHA-256 threats over the last 15 minutes.

docs/integrations/security-threat-detection/threat-intel-quick-analysis.md

@@ -54,6 +54,22 @@ The Sumo Logic app for AWS Observability DynamoDB is a unified logs and metrics
 
 ### Sample queries
 
+```sql title="All IP Threat Count"
+_sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynamodb.amazonaws.com\""
+| json "eventName", "awsRegion", "requestParameters.tableName", "sourceIPAddress", "userIdentity.userName" as event_name, Region, entity, ip_address, user
+| where Region matches "*" and tolowercase(entity) matches "*"
+| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
+| count as ip_count by ip_address
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
+| json field=raw "labels[*].name" as label_name
+| replace(label_name, "\\/","->") as label_name
+| replace(label_name, "\""," ") as label_name
+| where  type="ip_address" and !isNull(malicious_confidence)
+| if (isEmpty(actor), "Unassigned", actor) as Actor
+| sum (ip_count) as threat_count
+```
+
+<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql title="All IP Threat Count"
 _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynamodb.amazonaws.com\""
 | json "eventName", "awsRegion", "requestParameters.tableName", "sourceIPAddress", "userIdentity.userName" as event_name, Region, entity, ip_address, user
@@ -65,6 +81,7 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
 | if (isEmpty(_threatlookup.actors), "Unassigned", _threatlookup.actors) as Actor
 | sum (ip_count) as threat_count
 ```
+-->
 
 ## Viewing AWS DynamoDB dashboards
 

docs/observability/aws/integrations/aws-dynamodb.md

@@ -46,6 +46,16 @@ which provides results like:
 
 **toLowerCase** and **toUpperCase** are useful when you use the equal to sign (`=`) or the not equal to sign (`!=`) with Sumo operators. These conditions are case-sensitive in Sumo Logic. The following example uses **toLowerCase** to convert the hash value to lower case before performing the lookup. 
 
+```sql
+*
+| limit 1
+| toLowerCase ("B101CD29E18A515753409AE86CE68A4CEDBE0D640D385EB24B9BBB69CF8186AE") as hash
+| count hash
+| fields -_count
+| lookup raw from sumo://threat/cs on threat = hash{code}
+```
+
+<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql
 *
 | limit 1
@@ -54,6 +64,7 @@ which provides results like:
 | fields -_count
 | threatlookup singleIndicator hash{code}
 ```
+-->
 
 ### Using toUpperCase with the count operator
 

docs/search/search-query-language/search-operators/tolowercase-touppercase.md

@@ -378,6 +378,18 @@ _sourceCategory=search "error while retrying to deploy index"
 
 The following search allows a security analyst how to track logs related to a malicious IP address that was flagged by Amazon GuardDuty and also by a CrowdStrike Threat feed. The subquery is returning the field `src_ip` with the IP addresses deemed as threats to the parent query, note that the keywords option was not used so the parent query will expect a field src_ip to exist. The results will include logs from the weblogs sourceCategory that have a `src_ip` value that was deemed a threat from the subquery.
 
+```sql
+_sourceCategory=weblogs
+[subquery:_sourceCategory="Labs/SecDemo/guardduty" "EC2 Instance" "communicating on an unusual server port 22"
+| json field=_raw "service.action.networkConnectionAction.remoteIpDetails" as remoteIpDetails
+| json field=_raw "service.action.networkConnectionAction.connectionDirection" as connectionDirection
+| where connectionDirection = "OUTBOUND"
+| json field=remoteipdetails "ipAddressV4" as src_ip
+| lookup type, actor, raw, threatlevel from sumo://threat/cs on src_ip=threat
+| where threatlevel = "high"
+| compose src_ip]
+```
+<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
 ```sql
 _sourceCategory=weblogs
 [subquery:_sourceCategory="Labs/SecDemo/guardduty" "EC2 Instance" "communicating on an unusual server port 22"
@@ -389,6 +401,7 @@ _sourceCategory=weblogs
 | where malicious_confidence = "high"
 | compose src_ip]
 ```
+-->
 
 ### Reference data from child query using save and lookup
 

docs/search/subqueries.md

@@ -284,7 +284,22 @@ We need a way to see if any of the IP addresses we have logged are known threats
 
 1. Click **Add Panel** and **Time Series**.<br/><img src={useBaseUrl('img/csa/add-time-series-panel.png')} alt="Add a time series panel" style={{border: '1px solid gray'}} width="300"/>
 1. Type or paste the following code into the query window. (Replace `Labs/AWS/CloudTrail` with a valid source category for AWS CloudTrail logs in your environment.)
-     ```
+   ```
+   _sourceCategory=Labs/AWS/CloudTrail
+   | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" multi
+   | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
+   | where type="ip_address" and !isNull(malicious_confidence)
+   | if (isEmpty(actor), "Unassigned", actor) as Actor
+   | parse field=raw "\"ip_address_types\":[\"*\"]" as ip_address_types nodrop
+   | parse field=raw "\"kill_chains\":[\"*\"]" as kill_chains nodrop
+   | timeslice 1m
+   | count _timeslice, ip_address, malicious_confidence, actor, kill_chains, ip_address_types, _sourceCategory, _source
+   | fields - ip_address,malicious_confidence,actor,kill_chains,ip_address_types,_sourceCategory,_source | count by _timeslice
+   | outlier _count window=5,threshold=3,consecutive=1,direction=+-
+   ```
+<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+   ```
    _sourceCategory=Labs/AWS/CloudTrail 
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
    | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
@@ -313,6 +328,7 @@ We need a way to see if any of the IP addresses we have logged are known threats
 
    |sum (ip_count) as threat_count
    ```
+   -->
 1. Click the magnifying glass icon to perform a search. If results do not display, select a longer time frame. 
 1. Under **Chart Type**, select **Line Chart**.
 1. Rename this panel **IP Threat Count**.