Add notes about Cloud SIEM admins

Author: jpipkin1

blog-service/2025-01-16-security.md

@@ -11,12 +11,16 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 <a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
 
-We’re excited to introduce Sumo Logic Threat Intelligence, a new feature set that enables you to seamlessly import threat intelligence indicator files directly into Sumo Logic to aid in security analysis. Sumo Logic Threat Intelligence will help you stay ahead of emerging threats and enhance your security posture.
+We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables you to seamlessly import threat intelligence indicator files directly into Sumo Logic to aid in security analysis. Threat intelligence indicators are individual data points about threats that are gathered from external sources about various entities such as host names, file hashes, IP addresses, and other known targets for compromise. 
 
-Threat intelligence indicators are individual data points about threats that are gathered from external sources about various entities such as host names, file hashes, IP addresses, and other known targets for compromise. 
+To see threat intelligence indicators, go to **Manage Data > Logs > Threat Intelligence**. Once indicators are ingested and appear on the **Threat Intelligence** tab, you can use them to search logs for threats. 
 
-To see threat intelligence indicators, go to **Manage Data > Logs > Threat Intelligence**. Once you ingest indicators and they appear on the **Threat Intelligence** tab, you can use them to search logs for threats. 
+Sumo Logic Threat Intelligence will help you stay ahead of emerging threats and enhance your security posture.
 
 [Learn more](/docs/security/threat-intelligence/).
 
-<img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
+<img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
+
+:::note
+Only Cloud SIEM administrators can add threat intelligence indicators to the system. However, all Sumo Logic users can run queries against the indicators to uncover threats.
+:::

docs/integrations/security-threat-detection/threat-intel-quick-analysis.md

@@ -27,9 +27,11 @@ import AppInstall from '../../reuse/apps/app-install.md';
 
 ## Threat Intel optimization
 
-The Threat Intel Quick Analysis app provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your threat intel queries:
+The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. 
 
-* Filter out unwanted logs before you use the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/)
+You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your threat intel queries:
+
+* Filter out unwanted logs before you use the `threatlookup` search operator
 * Use keywords
 * Use the `where` operator
 * Use general search optimization [rules](/docs/search/get-started-with-search/build-search/best-practices-search.md)

docs/reuse/cloud-siem-threat-intelligence-note.md

@@ -0,0 +1,3 @@
+:::note
+Only Cloud SIEM administrators can add threat intelligence indicators to the system. However, all Sumo Logic users can [run queries against threat intelligence indicators](/docs/security/threat-intelligence/find-threats/) to uncover threats.
+:::

docs/security/threat-intelligence/about-threat-intelligence.md

@@ -7,13 +7,16 @@ description: Introduction to Sumo Logic's threat intelligence capabilities.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 import Iframe from 'react-iframe';
+import CloudSIEMThreatIntelNote from '../../reuse/cloud-siem-threat-intelligence-note.md';
 
 Threat intelligence, often abbreviated as *threat intel*, is information that helps you prevent or mitigate cyber attacks. *Threat intelligence indicators* are individual data points about threats that are gathered from external sources about various entities such as host names, file hashes, IP addresses, and other known targets for compromise. You can import files containing threat intelligence indicators directly into Sumo Logic to aid in security analysis. 
 
 Threat intelligence indicators can help security analysts leverage a large body of information to surface potential threats. For example, say that a threat intelligence database has an indicator that correlates a certain IP address with known malicious activity. Because of this correlation, analysts can assume log messages with that IP address are more likely to be part of a real cyber attack.
 
 Once you [ingest indicators](#ingest-threat-intelligence-indicators) and they appear on the [Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab), you can use them to search logs for threats. See [Find threats with log queries](/docs/security/threat-intelligence/find-threats/) to learn how. 
 
+<CloudSIEMThreatIntelNote/>
+
 Watch this micro lesson to learn about Sumo Logic's threat intelligence features.
 
 <Iframe url="https://www.youtube.com/embed/wQzprl93GU4?rel=0"
@@ -46,7 +49,6 @@ You do not need to be assigned these role capabilities to [find threats with log
 ### Ingest threat intelligence indicators
 
 To search logs that contain correlations to threat intelligence indicators, you must first ingest the indicators. You can ingest indicators using:
-* **The Threat Intelligence tab**. See [Add indicators in the Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-in-the-threat-intelligence-tab).
 * **A collector**. See:
    * [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source)
    * [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source)
@@ -58,14 +60,16 @@ To search logs that contain correlations to threat intelligence indicators, you
    * [uploadNormalizedIndicators API](https://api.sumologic.com/docs/#operation/uploadNormalizedIndicators)
    * [uploadCsvIndicators API](https://api.sumologic.com/docs/#operation/uploadCsvIndicators)
    * [uploadStixIndicators API](https://api.sumologic.com/docs/#operation/uploadStixIndicators)
+* **The Threat Intelligence tab**. See [Add indicators in the Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-in-the-threat-intelligence-tab).
 
 See [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use when uploading indicators using the **Threat Intelligence** tab or APIs.
 
+<CloudSIEMThreatIntelNote/>
+
 :::note
 * Sumo Logic's threat intelligence data store only ingests simple threat indicators, not complex indicators that outline a series of steps or entities that make up an attack. Nor does it ingest actors, malware, or other object types. 
 * The limit of the number of indicators that can be uploaded in one API call is 100.
 * When you add indicators, the event is recorded in the Audit Event Index. See [Audit logging for threat intelligence](#audit-logging-for-threat-intelligence).
-
 :::
 
 ## Typical workflow

docs/security/threat-intelligence/find-threats.md

@@ -7,9 +7,9 @@ description: Perform searches to find matches to data in threat intelligence ind
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-Once you [ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators), you can perform searches to find matches to data in the indicators using the `threatlookup` search operator.
+You can use the `threatlookup` search operator to find matches to indicators in the Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data store. 
 
-The `threatlookup` operator allows you to search logs for matches in threat intelligence indicators. For example, use the following query to find logs in all `sec_record*` indexes with a `srcDevice_ip` attribute correlated to a threat indicator with a high confidence level (greater than `50`): 
+For example, use the following query to find logs in all `sec_record*` indexes with a `srcDevice_ip` attribute correlated to a threat indicator with a high confidence level (greater than `50`): 
 
 ```
 _index=sec_record*
@@ -19,8 +19,51 @@ _index=sec_record*
 | count by _timeslice
 ```
 
-For more information, see [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/). 
+For syntax and examples, see [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/). 
 
 <!-- Add this back once we have support for the cat search operator.
 You can also [run threatlookup with the cat search operator](/docs/search/search-query-language/search-operators/threatlookup/#run-threatlookup-with-the-cat-search-operator) to search the entire store of threat intelligence indicators.
 -->
+
+## Threatlookup queries in dashboards
+
+The `threatlookup` search operator is used for queries in some dashboards, including [dashboards in the Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#viewing-threat-intel-quick-analysis-dashboards). These queries provide great examples of how to use the operator.
+
+To see `threatlookup` used in a query:
+1. Open the Threat Intel Quick Analysis app.
+1. Navigate to a dashboard, such as **Overview**.
+1. Click the three-dot kebab in the upper-right corner of the dashboard panel.
+1. Select **Open in Log Search**. 
+1. Look for `threatlookup` used in a query. 
+
+For example, here is the query used for the **Threat Count** panel in the [Threat Intel Quick Analysis - IP](#ip) dashboard:
+
+```
+_sourceCategory=<source-category-name> 
+| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
+| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
+| count as ip_count by ip_address
+
+| threatlookup singleIndicator ip_address
+
+// normalize confidence level to a string 
+| if (_threatlookup.confidence >= 85, "high", if (_threatlookup.confidence >= 50, "medium", if (_threatlookup.confidence >= 15, "low", if (_threatlookup.confidence >= 0, "unverified", "unknown")))) as threat_confidence
+
+// filter for threat confidence
+| where  threat_confidence matches "*"
+
+//rename to match threat_<foo> convention
+| %"_threatlookup.actors" as threat_actors
+| %"_threatlookup.type" as type
+| %"_threatlookup.threat_type" as threat_type
+
+//convert threat valid from to human readable time
+| toLong(%"_threatlookup.valid_from" * 1000) as %"_threatlookup.valid_from"
+| formatDate(%"_threatlookup.valid_from", "MM-dd-yyyy") as threat_valid_from
+
+| where type matches "ipv4-addr*" and !isNull(threat_confidence)
+
+| if (isEmpty(threat_actors), "Unassigned", threat_actors) as threat_actors
+
+|sum (ip_count) as threat_count
+```  

docs/security/threat-intelligence/threat-intelligence-indicators.md

@@ -6,6 +6,7 @@ description: Learn how to add and manage indicators from threat intelligence sou
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
+import CloudSIEMThreatIntelNote from '../../reuse/cloud-siem-threat-intelligence-note.md';
 
 The **Threat Intelligence** tab shows the indicators that have been added to your threat intelligence data store. Use this tab to add and manage your threat intelligence indicators. You can add indicators from a number of sources, including TAXII, ThreatQ, iDefense, and many others. Threat intelligence indicators imported to Sumo Logic not only integrate with your existing core Sumo Logic deployment, but also Cloud SIEM and Cloud SOAR. 
 
@@ -19,7 +20,6 @@ You can also add threat intelligence indicators using a collector or the API. Se
 
 [**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Threat Intelligence** tab, in the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. 
 
-
 <img src={useBaseUrl('img/security/threat-intelligence-tab.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
 
 1. **+ Add Indicators**. Click to upload files that [add threat intelligence indicators](#add-indicators-in-the-threat-intelligence-tab).
@@ -36,16 +36,16 @@ You can also add threat intelligence indicators using a collector or the API. Se
 
 ## Add indicators in the Threat Intelligence tab
 
-To add threat intelligence indicators in the **Threat Intelligence** tab, you must upload files containing the indicators in a format that can be consumed by Sumo Logic.
+You can add threat intelligence indicators using a collector, API, or the **Threat Intelligence** tab. This section describes how to add indicators in the **Threat Intelligence** tab. For information on the other methods, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).
+
+<CloudSIEMThreatIntelNote/>
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/).In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui/). In the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
 1. Click **+ Add Indicators**. The dialog displays. <br/><img src={useBaseUrl('img/security/threat-intelligence-add-indicators.png')} alt="Add threat intelligence indicators" style={{border: '1px solid gray'}} width="500" />
-1. Select the format of the file to be uploaded:
+1. Select the format of the file to be uploaded (see [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use in the file):
     * **Normalized JSON**. A normalized JSON file. 
     * **CSV**. A comma-separated value (CSV) file. 
     * **STIX 2.x JSON**. A JSON file in STIX 2.x format. When choosing this format, you must enter the name of the source in the **Source** field provided. 
-
-    See [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use in the file.
 1. Click **Upload** to upload the file. 
 1. Click **Import**.