
Commit 8c864d3

App migration away from CrowdStrike to Sumo Logic threat intelligence
1 parent 85cfdf8 commit 8c864d3

36 files changed (+513, -524 lines)

docs/cloud-soar/introduction.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ As the newest member of your company's SOC team, it’s your task to set up some
4646

4747
Your company's apps and services generate logs, metrics, and tracing data.
4848

49-
When you ingest that data into Sumo Logic, you have one centralized location to query and visualize all that data. Sumo Logic’s Log Analytics Platform integrates with CrowdStrike’s threat intel database, so you can start getting security alerts and hunt threats. You can learn more in [Additional Security Features](/docs/security/additional-security-features/).
49+
When you ingest that data into Sumo Logic, you have one centralized location to query and visualize all that data. Sumo Logic’s Log Analytics Platform uses [threat intelligence](/docs/security/threat-intelligence/), so you can start getting security alerts and hunt threats. You can learn more in [Additional Security Features](/docs/security/additional-security-features/).
5050

5151
You can take your security one step further with [Cloud SIEM](/docs/cse/). When you forward your log messages to Cloud SIEM, they are parsed, mapped, and enriched into Cloud SIEM records. These records are compared to security rules. If a rule is triggered, an entity is extracted, a severity score is assigned, and a signal is created. If enough signals with the same entity cluster together, they become an Insight. Insights are likely risks that need your attention.
5252
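
Review bot: the replacement sentence ("uses threat intelligence, so you can start getting security alerts") no longer says what the platform does with the intelligence, which the old wording at least implied with "integrates with ... threat intel database". Say the mechanism, for example "matches indicators from its threat intelligence against your ingested logs, so you can start getting security alerts and hunt threats"; "indicators" is the term the Manage Threat Intelligence Indicators page linked elsewhere in this commit uses. The same sentence now carries two links (threat intelligence and Additional Security Features); consider linking only one of them.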

docs/cse/get-started-with-cloud-siem/intro-for-analysts.md

Lines changed: 1 addition & 1 deletion
@@ -69,7 +69,7 @@ sso : ip-192-0-2-0 : [email protected] :
6969
"Successful Login" : "2024-05-25T22:11:42"
7070
```
7171

72-
First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of `ip-192-0-2-0`, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `192.0.2.0`, with the hyphens normalized to dots. Then, this information is mapped onto the Cloud SIEM schema. Finally, the record is enriched with information from match lists or threat intelligence databases, such as its [CrowdStrike threat level](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). These normalized records are then sent down the Cloud SIEM pipeline and compared to rules.
72+
First, the message is parsed into a set of key-value pairs. This process also fixes basic formatting. This step creates semi-structured data. For example, instead of `ip-192-0-2-0`, the parsing step extracts the IP address into a key-value pair, where the key is something like `srcDeviceIP` and the value is `192.0.2.0`, with the hyphens normalized to dots. Then, this information is mapped onto the Cloud SIEM schema. Finally, the record is enriched with information from match lists or Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). These normalized records are then sent down the Cloud SIEM pipeline and compared to rules.
7373

7474
### Extracting security insights from Cloud SIEM
7575
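
Review bot: the rewrite drops the only concrete example of what enrichment adds to a record. The old text named a provider threat level; the new text only says records are "enriched with information from match lists or Sumo Logic threat intelligence". Since the AWS Threat Intel app page in this same commit still describes panels filtered on "a malicious confidence of High", keep a concrete attribute here, for example "...or Sumo Logic threat intelligence, such as the malicious confidence of a matched IP address". Also check that the dropped `#threat-intel-faq` anchor on the Threat Intel Quick Analysis page is either updated or no longer linked from elsewhere; that page is still linked from the onboarding checklist in this commit.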

docs/cse/get-started-with-cloud-siem/onboarding-checklist-cse.md

Lines changed: 4 additions & 4 deletions
@@ -130,16 +130,16 @@ Perform the following tasks to install security apps that provide data to Cloud
130130

131131
Install the Cloud SIEM App to monitor data that is parsed, along with all the signals and insights that records generate. The app contains multiple folders of searches and dashboards related to Cloud SIEM.
132132

133-
Also install any out-of-the-box apps or dashboards for security data sources we support, including CrowdStrike’s Threat Intel Quick Analysis app. These apps are useful for quick visualizations and configuring context actions to pivot directly to from Cloud SIEM.
133+
Also install any out-of-the-box apps or dashboards for security data sources we support, including the Threat Intel Quick Analysis app. These apps are useful for quick visualizations and configuring context actions to pivot directly to from Cloud SIEM.
134134

135135
See:
136136
* [Enterprise Audit - Cloud SIEM](/docs/integrations/sumo-apps/cse/)
137137
* [Security and Threat Detection](/docs/integrations/security-threat-detection/)
138138
* [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
139139

140-
#### Import Crowdstrike threat intel searches
140+
#### Import threat intel searches
141141

142-
You can configure Crowdstrike threat indicator matches from the Threat Intel Quick Analysis app to become signals within Cloud SIEM using scheduled searches. An example would be to fire a Cloud SIEM signal from a scheduled search when there is a highly malicious threat intel match on device IPs. Review other current scheduled search alerts that might be candidates for generating signals.
142+
You can configure Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) matches from the Threat Intel Quick Analysis app to become signals within Cloud SIEM using scheduled searches. An example would be to fire a Cloud SIEM signal from a scheduled search when there is a highly malicious threat intel match on device IPs. Review other current scheduled search alerts that might be candidates for generating signals.
143143

144144
See:
145145
* [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
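
Review bot: the retained sentence "configuring context actions to pivot directly to from Cloud SIEM" has its prepositions reversed and is carried unchanged into the new line; while this line is being touched, make it "configuring context actions to pivot to directly from Cloud SIEM". In the "Import threat intel searches" paragraph, "a highly malicious threat intel match on device IPs" should use the term the dashboards in this commit use, "a match with a malicious confidence of High", so a reader can map the example to the app's panels. Dropping "Crowdstrike" from the heading is fine, but the paragraph still says matches come "from the Threat Intel Quick Analysis app"; if that app's lookup was also repointed to Sumo Logic threat intelligence, say so in one clause, otherwise the reader cannot tell whether the app and the linked threat intelligence page describe the same source.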
@@ -169,7 +169,7 @@ See: [Create and Use Network Blocks](/docs/cse/administration/create-use-network
169169

170170
### Configure threat intel feeds
171171

172-
Cloud SIEM heavily leverages threat intelligence to do real-time comparisons against known bad indicators. You can configure popular free threat feeds. But if your security team pays for premium threat intelligence (such as RecordedFuture, Anomali, Crowdstrike, ThreatConnect, etc), you can configure these too.
172+
Cloud SIEM heavily leverages threat intelligence to do real-time comparisons against known bad indicators. You can configure popular free threat feeds. But if your security team pays for premium threat intelligence (such as RecordedFuture, Anomali, Crowdstrike, ThreatConnect, and so on), you can configure these too.
173173

174174
See: [Manage Threat Intelligence Indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/)
175175
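
Review bot: the only change in this hunk is "etc" to "and so on", and "Crowdstrike" stays in the list of premium feeds. That is consistent with the commit's intent, because this sentence is about feeds the customer's team pays for and configures rather than the built-in source, but the vendor names should be spelled "CrowdStrike" (as the removed text in docs/cloud-soar/introduction.md spells it) and "Recorded Future" (two words). A short clause distinguishing customer-configured feeds from the built-in Sumo Logic threat intelligence would also help, since the preceding section now attributes matches to Sumo Logic threat intelligence and a reader may wonder why third-party feeds are still listed here.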

docs/integrations/amazon-aws/api-gateway.md

Lines changed: 1 addition & 1 deletion
@@ -640,7 +640,7 @@ Use these dashboards to:
640640
* Monitor all API Gateway-related audit logs available via CloudTrail events
641641
* Monitor incoming user activity locations for both successful and failed events to ensure the activity matches with expectations
642642
* Monitor successful and failed API Gateway events, users and user agents / fail activities, and failure reasons
643-
* Monitor requests coming in from known malicious IP addresses detected via [Sumo Logic Threat Intel](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq)
643+
* Monitor requests coming in from known malicious IP addresses detected via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/)
644644
645645
<img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/AWS-API-Gateway/6.-AWS-API-Gateway-Audit-Events.png' alt="Audit Events" />
646646
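
Review bot: "known malicious IP addresses detected via Sumo Logic threat intelligence" describes a lookup as detection; the feed does not detect anything in your logs, the dashboard query matches source IPs against its indicators. Suggest "requests from IP addresses that match Sumo Logic threat intelligence indicators", which aligns with the Manage Threat Intelligence Indicators page the onboarding checklist links to in this commit. Switching the link text from the capitalised feature name "Sumo Logic Threat Intel" to lowercase "threat intelligence" is fine as long as the dashboard and panel titles keep "Threat Intel", which the other app pages in this commit show they do.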

docs/integrations/amazon-aws/application-load-balancer.md

Lines changed: 1 addition & 1 deletion
@@ -220,7 +220,7 @@ Use this dashboard to:
220220

221221
### Threat Intel
222222

223-
The **AWS Application Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined through [Sumo Logic’s Threat Intel feature](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
223+
The **AWS Application Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined through Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
224224

225225
Use this dashboard to:
226226
* Identify known malicious IPs that access your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward.
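
Review bot: the unchanged bullet "Identify known malicious IPs that access your load-balancers and use firewall access control lists to prevent them from sending you traffic" recommends blocking on any match, while the sentence above it says the panels expose a per-threat malicious confidence and the AWS Threat Intel app page in this commit filters on a confidence of High. Add the qualifier, for example "known malicious IPs with a High malicious confidence", so a low-confidence indicator on a shared hosting or CDN range does not turn into a firewall rule. "load-balancers" does not need the hyphen.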

docs/integrations/amazon-aws/classic-load-balancer.md

Lines changed: 1 addition & 1 deletion
@@ -222,7 +222,7 @@ Use this dashboard to:
222222

223223
### Threat Intel
224224

225-
The **AWS Classic Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined via [Sumo Logic’s Threat Intel feature](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). Dashboard panels show detailed information on malicious IPs and the malicious confidence of each threat.
225+
The **AWS Classic Load Balancer - Threat Intel** dashboard provides insights into incoming requests from malicious sources determined via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Dashboard panels show detailed information on malicious IPs and the malicious confidence of each threat.
226226

227227
Use this dashboard to:
228228
* Identify known malicious IPs that are accessing your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward.
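
Review bot: this description and bullet are near-verbatim copies of the Application Load Balancer page changed in the same commit (only "determined through" versus "determined via" and "access" versus "are accessing" differ), and this commit had to edit each copy separately. The repo already pulls shared text from reuse snippets (see `import ViewDashboards from '../../reuse/apps/view-dashboards.md'` in the Route 53 page below); consider moving the Threat Intel dashboard blurb into one such snippet so the next provider or link change is a single edit.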

docs/integrations/amazon-aws/lambda.md

Lines changed: 1 addition & 1 deletion
@@ -400,7 +400,7 @@ Use this dashboard to:
400400

401401
### Threat Intel
402402

403-
**AWS Lambda - Threat Intel** dashboard provides insights into incoming requests to your AWS Lambda functions from malicious sources determined via [Sumo Logic’s Threat Intel feature](/docs/integrations/security-threat-detection/threat-intel-quick-analysis#threat-intel-faq). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
403+
**AWS Lambda - Threat Intel** dashboard provides insights into incoming requests to your AWS Lambda functions from malicious sources determined via Sumo Logic [threat intelligence](/docs/security/threat-intelligence/). Panels show detailed information on malicious IPs and the malicious confidence of each threat.
404404

405405
Use this dashboard to:
406406
* Identify known malicious IPs that are access your load-balancers and use firewall access control lists to prevent them from sending you traffic going forward
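
Review bot: the unchanged bullet under this dashboard reads "Identify known malicious IPs that are access your load-balancers", which is ungrammatical ("are access") and was copied from the load balancer apps: this page is about Lambda, and the description two lines above correctly says "incoming requests to your AWS Lambda functions". Change it to "Identify known malicious IPs that are accessing your Lambda functions", and either drop the firewall ACL advice or rephrase it for whatever fronts the function (API Gateway, a load balancer, a WAF), since blocking cannot be applied on the function itself.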

docs/integrations/amazon-aws/network-firewall.md

Lines changed: 2 additions & 2 deletions
@@ -150,10 +150,10 @@ Use this dashboard to:
150150

151151
### IDS Overview
152152

153-
The **AWS Network Firewall - IDS Overview** provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with CrowdStrike threat intelligence data, and top systems blocked.
153+
The **AWS Network Firewall - IDS Overview** provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data, and top systems blocked.
154154

155155
Use this dashboard to:
156156
* Gain visibility into alerts generated by the AWS Network Firewall including location information from top destinations.
157-
* Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Crowdstrike Threat Intelligence data.
157+
* Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data.
158158

159159
<img src={useBaseUrl('img/integrations/amazon-aws/AWS_Network_Firewall_IDS_Overview.png')} alt="AWS Network Firewall dashboards" />
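
Review bot: the dashboard description and the second "Use this dashboard to" bullet now say the same thing and both carry the same link to /docs/security/threat-intelligence/; link it once, in the description, and let the bullet read "traffic from IPs that match threat intelligence indicators". Separately, the description opens with "alerts generated by the firewall rules" and closes with "top systems blocked"; a word on whether that panel counts the firewall's block action or its alert action would help an analyst reading the IDS overview.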

docs/integrations/amazon-aws/route-53-resolver-security.md

Lines changed: 2 additions & 2 deletions
@@ -61,7 +61,7 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md';
6161

6262
### Query Logging Overview
6363

64-
The Query Logging Overview Dashboard provides insights into DNS activities such as DNS queries by location, VPC and instance ID. Additional security information is provided, including blocked and alerted DNS queries from the Route 53 DNS Resolver Firewall, and Threat Intel matches from Sumo Logic's CrowdStrike integration.
64+
The Query Logging Overview Dashboard provides insights into DNS activities such as DNS queries by location, VPC and instance ID. Additional security information is provided, including blocked and alerted DNS queries from the Route 53 DNS Resolver Firewall, and threat intel matches from Sumo Logic [threat intelligence](/docs/security/threat-intelligence/).
6565

6666
<img src={useBaseUrl('img/integrations/amazon-aws/Amazon-Route-53-Resolver-Security-Query-Logging-Overview.png')} alt="Amazon Route 53 Resolver Security Dashboards" />
6767
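
Review bot: "threat intel matches from Sumo Logic threat intelligence" is redundant; "indicator matches against Sumo Logic threat intelligence" says it once. While in this sentence, "DNS queries by location, VPC and instance ID" needs a serial comma, and "Dashboard" after "Query Logging Overview" should be lowercase, matching how the heading above names it (the "Threat Intel Dashboard" sentence in the next hunk has the same capitalisation issue).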

@@ -152,7 +152,7 @@ Panels include:
152152

153153
### Threat Intel
154154

155-
The Threat Intel Dashboard provides details of AWS DNS Resolver Queries that matches the built-in CrowdStrike threat intelligence data with known malicious IP addresses and Domains, allowing for real-time security analytics to help detect threats in your environment and protect against cyber attacks.
155+
The Threat Intel Dashboard provides details of AWS DNS Resolver Queries that matches the Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data with known malicious IP addresses and Domains, allowing for real-time security analytics to help detect threats in your environment and protect against cyber attacks.
156156

157157
<img src={useBaseUrl('img/integrations/amazon-aws/Amazon-Route-53-Resolver-Security-Threat-Intel.png')} alt="Amazon Route 53 Resolver Security Dashboards" />
158158
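
Review bot: "AWS DNS Resolver Queries that matches the Sumo Logic threat intelligence data" carries a subject-verb agreement error ("queries that matches") unchanged from the old line; make it "queries that match" and lowercase "Queries" and "Domains". The sentence also reads as if the threat intelligence is matched "with known malicious IP addresses and Domains" rather than the queries being matched; suggest "DNS Resolver queries whose IP addresses or domains match known malicious indicators in Sumo Logic threat intelligence".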

docs/integrations/amazon-aws/threat-intel.md

Lines changed: 3 additions & 3 deletions
@@ -1,14 +1,14 @@
11
---
22
id: threat-intel
33
title: AWS Threat Intel
4-
description: The Threat Intel for AWS App correlates CrowdStrike threat intelligence data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks.
4+
description: The Threat Intel for AWS App correlates Sumo Logic threat intelligence data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks.
55
---
66

77
import useBaseUrl from '@docusaurus/useBaseUrl';
88

99
<img src={useBaseUrl('img/integrations/amazon-aws/threat-intel-aws.png')} alt="Thumbnail icon" width="75"/>
1010

11-
The Threat Intel for AWS App correlates CrowdStrike threat intelligence data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks. The Threat Intel for AWS App scans your AWS CloudTrail, AWS ELB and AWS VPC Flow logs for threats based on IP address.
11+
The Threat Intel for AWS App correlates Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data with your AWS log data, allowing for real-time security analytics to help detect threats in your environment and protect against cyber-attacks. The Threat Intel for AWS App scans your AWS CloudTrail, AWS ELB and AWS VPC Flow logs for threats based on IP address.
1212

1313
The Sumo Logic Threat Intel lookup database is only available with Sumo Logic Enterprise and Professions accounts, or during a 30-day trial period. The Threat Intel lookup database is not available for Sumo Logic Free accounts.
1414
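
Review bot: the unchanged availability note two lines below the rewritten paragraph still says the "Threat Intel lookup database is only available with Sumo Logic Enterprise and Professions accounts" ("Professional" is meant) and calls the source a "lookup database" while the paragraph above now calls it Sumo Logic threat intelligence. Since this commit repoints the description to the new source, confirm the account-tier and 30-day trial statement is still accurate for it and use one name in both paragraphs; otherwise the page appears to describe two different things it matches against. Editing both the frontmatter `description` and the first body paragraph is correct, since they are identical by design.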

@@ -71,7 +71,7 @@ Use this dashboard for details on potential threats and IOCs for AWS CloudTrail.
7171

7272
<img src={useBaseUrl('img/integrations/amazon-aws/Threat-Intel-for-AWS-AWS-CloudTrail.png')} alt="AWS Threat Intel" />
7373

74-
* **Threats by Geo Location.** View the geo location of threats by IP address that have been identified by Crowdstrike with a malicious confidence of High over the last 24 hours.
74+
* **Threats by Geo Location.** View the geo location of threats by IP address that have been identified by Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) with a malicious confidence of High over the last 24 hours.
7575
* **Threats Associated with CloudTrail Events.** Track events in CloudTrail by event time where the malicious confidence is High by source user, source IP address, event name, AWS region, result, malicious confidence, label name, threat malware families, threat last updated, and count for the last 24 hours.
7676
* **Threats by Events and I.P.** Compare events where the malicious confidence is High by source IP address over the last 24 hours.
7777
* **Threats Over Time by Result.** Compare successful versus access denied threats with a High malicious confidence for the last 24 hours, timesliced by hour.
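
Review bot: the panel bullets still describe columns from the previous provider's indicator schema: "malicious confidence, label name, threat malware families, threat last updated". Only the provider name changed in this hunk; if the dashboard queries behind these panels were repointed to Sumo Logic threat intelligence, confirm each of those fields exists there with the same meaning, otherwise the bullets describe panels that will render empty or differently. If they do exist, say so, for example "with a malicious confidence of High as reported by Sumo Logic threat intelligence". Also "I.P." in "Threats by Events and I.P." should be "IP" to match the rest of the page.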
