Updates from meeting

jpipkin1 · jpipkin1 · commit 8f259d31db2c · 2025-03-27T12:05:24.000-05:00
diff --git a/blog-cse/2025-04-01-application.md b/blog-cse/2025-04-01-application.md
@@ -8,14 +8,14 @@ hide_table_of_contents: true
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-### Threat Intelligence New Global Feed
+### New Threat Intelligence Source
 
-We’re excited to announce a new `_sumo_global_feed_i471` source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis.
+We’re excited to announce a new `SumoLogic_ThreatIntel` source incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis.
 
 :::warning
-On April 30, 2025, we will discontinue our legacy `_sumo_global_feed_cs` source. If you have rules that explicitly point to this source, update them to use the new `_sumo_global_feed_i471` source.
+On April 30, 2025, we will discontinue our legacy `_sumo_global_feed_cs` source. If you have rules that explicitly point to this source, update them to use the new `SumoLogic_ThreatIntel` source.
 :::
 
-[Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-global-feed-source).
+[Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources).
 
 <img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
diff --git a/cid-redirects.json b/cid-redirects.json
@@ -3307,6 +3307,7 @@
   "/Manage/Security/Set-the-Password-Policy": "/docs/manage/security/set-password-policy",
   "/Manage/Threat-Intel-Ingest": "/docs/security/threat-intelligence",
   "/docs/platform-services/threat-intelligence-indicators": "/docs/security/threat-intelligence",
+  "/docs/security/threat-intelligence/threat-intelligence-mapping/": "/docs/security/threat-intelligence",
   "/Manage/Users-and-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles/About-Roles": "/docs/manage/users-roles/roles",
diff --git a/docs/integrations/amazon-aws/amazon-bedrock.md b/docs/integrations/amazon-aws/amazon-bedrock.md
diff --git a/docs/integrations/amazon-aws/waf.md b/docs/integrations/amazon-aws/waf.md
@@ -58,7 +58,7 @@ The Sumo Logic app for AWS WAF analyzes traffic flowing through AWS WAF and auto
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=clientip
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
 ```
 <!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"
diff --git a/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md b/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
@@ -41,7 +41,7 @@ _sourceCategory=cylance "IP Address"
 | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where !isNull(ip_address)
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
 ```
 
 <!-- Replace section content with this after `sumo://threat/i471` is replaced by `threatlookup`:
@@ -98,7 +98,7 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
    ```
 1. Customize your query so you can use parsed fields from FER with the lookup operator, where src_ip is the parsed field from FER (see step # 1). For example:
    ```
-   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=src_ip
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
@@ -125,7 +125,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
 
 1. Create a scheduled view. For example, for Cylance, create a scheduled view, **cylance_threat**:
    ```
-   _sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=src_ip
+   _sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
diff --git a/docs/observability/aws/integrations/aws-dynamodb.md b/docs/observability/aws/integrations/aws-dynamodb.md
@@ -60,7 +60,7 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
 | where Region matches "*" and tolowercase(entity) matches "*"
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
 | count as ip_count by ip_address
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
 | json field=raw "labels[*].name" as label_name
 | replace(label_name, "\\/","->") as label_name
 | replace(label_name, "\""," ") as label_name
diff --git a/docs/search/search-query-language/search-operators/threatip.md b/docs/search/search-query-language/search-operators/threatip.md
@@ -4,7 +4,7 @@ title: threatip Search Operator
 sidebar_label: threatip
 ---
 
-The `threatip` operator correlates data in the `_sumo_global_feed_i471` [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) source based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
+The `threatip` operator correlates data in the [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
 
 <!-- 
 You can also use the [`threatlookup`](/docs/search/search-query-language/search-operators/threatlookup/) search operator to search threat intelligence indicators.
diff --git a/docs/search/search-query-language/search-operators/threatlookup.md b/docs/search/search-query-language/search-operators/threatlookup.md
@@ -217,6 +217,6 @@ cat sumo://threat-intel | formatDate(toLong(_threatlookup.valid_until), "yyyy-MM
 ```
 
 :::note
-You cannot use the cat search operator with the `_sumo_global_feed_i471` source.
+You cannot use the cat search operator with the `SumoLogic_ThreatIntel` source.
 :::
 -->
diff --git a/docs/search/search-query-language/search-operators/tolowercase-touppercase.md b/docs/search/search-query-language/search-operators/tolowercase-touppercase.md
@@ -52,7 +52,7 @@ which provides results like:
 | toLowerCase ("B101CD29E18A515753409AE86CE68A4CEDBE0D640D385EB24B9BBB69CF8186AE") as hash
 | count hash
 | fields -_count
-| lookup raw from sumo://threat/i471 on threat = hash{code}
+| lookup raw from sumo://threat/cs on threat = hash{code}
 ```
 
 <!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
diff --git a/docs/search/subqueries.md b/docs/search/subqueries.md
@@ -385,7 +385,7 @@ _sourceCategory=weblogs
 | json field=_raw "service.action.networkConnectionAction.connectionDirection" as connectionDirection
 | where connectionDirection = "OUTBOUND"
 | json field=remoteipdetails "ipAddressV4" as src_ip
-| lookup type, actor, raw, threatlevel from sumo://threat/i471 on src_ip=threat
+| lookup type, actor, raw, threatlevel from sumo://threat/cs on src_ip=threat
 | where threatlevel = "high"
 | compose src_ip]
 ```
diff --git a/docs/security/additional-security-features/threat-detection-and-investigation.md b/docs/security/additional-security-features/threat-detection-and-investigation.md
@@ -288,7 +288,7 @@ We need a way to see if any of the IP addresses we have logged are known threats
    _sourceCategory=Labs/AWS/CloudTrail
    | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" multi
    | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
+   | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
    | where type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | parse field=raw "\"ip_address_types\":[\"*\"]" as ip_address_types nodrop
diff --git a/docs/security/threat-intelligence/about-threat-intelligence.md b/docs/security/threat-intelligence/about-threat-intelligence.md
@@ -18,10 +18,10 @@ In Sumo Logic, threat intelligence indicators are supplied by sources listed on
 * [**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Threat Intelligence** tab, in the top menu select **Configuration**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. <br/><img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
 
 The sources on the **Threat Intelligence** tab include:
-* **Global feeds**. Out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources. See [Sumo Logic global feed source](#sumo-logic-global-feed-source) below.
+* **Global feeds**. Out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources. See [Sumo Logic threat intelligence sources](#sumo-logic-threat-intelligence-sources) below.
 * **Other sources**. The other sources on the tab are imported by Cloud SIEM administrators so that Cloud SIEM analysts can use them to find threats. See [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) to learn how to add other sources.
 
-Cloud SIEM analysts can use any of these sources to find threats (see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/)). In addition, all Sumo Logic users can run queries against the indicators in the global feed to uncover threats (see [Find Threats with Log Queries](/docs/security/threat-intelligence/find-threats/)).
+Cloud SIEM analysts can use any of these sources to find threats (see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/)). In addition, all Sumo Logic users can run queries against the indicators in the Sumo Logic threat intelligence source to uncover threats (see [Find Threats with Log Queries](/docs/security/threat-intelligence/find-threats/)).
 
 <CloudSIEMThreatIntelNote/>
 
@@ -100,44 +100,44 @@ Use a search like the following:
 _index=sumologic_audit_events _sourceCategory=threatIntelligence
 ```
 
-## Sumo Logic global feed source
+## Sumo Logic threat intelligence sources
 
-Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources: 
-* **_sumo_global_feed_i471**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/).
+Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources:
 * **_sumo_global_feed_cs**. This is a legacy source of threat indicators maintained by Sumo Logic. ***This source will be discontinued on April 30, 2025***.
+* **SumoLogic_ThreatIntel**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/).
 
 :::warning
-To maintain uninterrupted threat intelligence operation, if you have created rules, saved searches, monitors or dashboard panel queries that explicitly reference the legacy `_sumo_global_feed_cs` source, follow the directions below to update them to use the new `_sumo_global_feed_i471` source ***before April 30, 2025***.
+To maintain uninterrupted threat intelligence operation, if you have created rules, saved searches, monitors or dashboard panel queries that explicitly reference the legacy `_sumo_global_feed_cs` source, follow the directions below to update them to use the new `SumoLogic_ThreatIntel` source ***before April 30, 2025***.
 :::
 
-### Migrate to the new global feed source
+### Migrate to the new source
 
-Perform the steps in the following sections to migrate to the `_sumo_global_feed_i471` source. 
+Perform the steps in the following sections to migrate to the `SumoLogic_ThreatIntel` source. 
 
 #### hasThreatMatch rule syntax
 
 In most cases, no change is needed if you use [hasThreatMatch](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch) in your rules:
 * Until April 30, 2025 the rules point to the legacy `_sumo_global_feed_cs` source (and the rest of your tenant-specific sources). 
-* After April 30, 2025, the rules point to the new `_sumo_global_feed_i471` source (and the rest of your tenant-specific sources).
+* After April 30, 2025, the rules point to the new `SumoLogic_ThreatIntel` source (and the rest of your tenant-specific sources).
 
 You may need to make changes in these scenarios:
-* If you have rules with `hasThreatMatch` syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `_sumo_global_feed_i471` source. For example: 
+* If you have rules with `hasThreatMatch` syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `SumoLogic_ThreatIntel` source. For example: 
    * Change this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_cs")` 
-   * To this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_i471")`
+   * To this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="SumoLogic_ThreatIntel")`
 * The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using `hasThreatMatch`, update your rule syntax to remove them.
 
 #### lookup operator
 
 In most cases, no change is needed if you use the [lookup](/docs/search/search-query-language/search-operators/lookup/) search operator to point to `sumo://threat/cs`:
-* Until April 30, 2025, queries in dashboards that use the `lookup` search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) are now updated to point to `sumo://threat/i471` (the new `_sumo_global_feed_i471` source). For examples, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app. 
-* After April 30, 2025, any `lookup` operator queries pointing to `sumo://threat/cs` will be directed to the new `_sumo_global_feed_i471` source.
+* Until April 30, 2025, queries in apps that use the `lookup` search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) are unchanged. For examples, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app. 
+* After April 30, 2025, queries in apps that use the `lookup` operator to point to `sumo://threat/cs` are updated to point to `sumo://threat/i471` instead (the new `SumoLogic_ThreatIntel` source). **You must upgrade your apps to get this update.** In the App Catalog, open apps labeled **Upgrade Available** and select **Manage > Upgrade**.
 
 You may need to make changes in these scenarios:
 * The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using the `lookup` operator, update your queries to remove them.
-* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `_sumo_global_feed_i471` source. To avoid problems with fields not returning data, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause.
+* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `SumoLogic_ThreatIntel` source. To avoid problems with fields not returning data, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause.
 
 #### threatip search operator
 
 If you use the [threatip](/docs/search/search-query-language/search-operators/threatip/) search operator, no change is needed: 
-* By default, until April 30, 2025, the `threatip` operator points to the legacy `_sumo_global_feed_cs` source.
-* After April 30, 2025, the `threatip` operator points to the new `_sumo_global_feed_i471` source.
+* Until April 30, 2025, the `threatip` operator points to the legacy `_sumo_global_feed_cs` source.
+* After April 30, 2025, the `threatip` operator points to the new `SumoLogic_ThreatIntel` source.
diff --git a/docs/security/threat-intelligence/find-threats.md b/docs/security/threat-intelligence/find-threats.md
@@ -9,29 +9,29 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 ## Use the global feed in a log search
 
-The `_sumo_global_feed_i471` source in the threat intelligence datastore contains threat indicators supplied by third party intel vendors and maintained by Sumo Logic. 
+The [Sumo Logic global feed source](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-global-feed-source) in the threat intelligence datastore contains threat indicators supplied by third party intel vendors and maintained by Sumo Logic. 
 
 <img src={useBaseUrl('img/security/global-feed-threat-intelligence-tab-example.png')} alt="Global feed in the Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />
 
-Any Sumo Logic user can use this global feed to search for potential threats. To search with the global feed, use `sumo://threat/i471` in log search queries. For example:
+Any Sumo Logic user can use this global feed to search for potential threats. To search with the global feed, use `sumo://threat/cs` in log search queries. For example:
 
 ```
 _sourceCategory=cylance "IP Address"
 | parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | where !isNull(ip_address)
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/i471 on threat=ip_address
+| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
 ```
 
-For more information about how to use `sumo://threat/i471` in queries, see [Threat Intel optimization](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) in the *Threat Intel Quick Analysis* article.
+For more information about how to use `sumo://threat/cs` in queries, see [Threat Intel optimization](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) in the *Threat Intel Quick Analysis* article.
 
 :::tip
 All the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis) app use the global feed to find threats. To see the queries, open a dashboard in the app, click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. You can copy these queries and use them as templates for your own queries to find threats.
 :::
 
 ## Use the threatip search operator
 
-To find threats using IP addresses, use the `threatip` search operator. This operator correlates data in the `_sumo_global_feed_i471` threat intelligence source based on IP addresses from your log data.
+To find threats using IP addresses, use the `threatip` search operator. This operator correlates data in the [Sumo Logic global feed source](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-global-feed-source) based on IP addresses from your log data.
 
 For more information, see [threatip Search Operator](/docs/search/search-query-language/search-operators/threatip/).
 
diff --git a/docs/security/threat-intelligence/index.md b/docs/security/threat-intelligence/index.md
diff --git a/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md b/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md
diff --git a/docs/security/threat-intelligence/threat-intelligence-indicators.md b/docs/security/threat-intelligence/threat-intelligence-indicators.md
diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md
diff --git a/sidebars.ts b/sidebars.ts
