docs/security/threat-intelligence/threat-intelligence-mapping.md
6 additions & 6 deletions
@@ -7,7 +7,7 @@ description: Learn about the mapping of threat intelligence schema from vendor s
import useBaseUrl from '@docusaurus/useBaseUrl';
-
Schema from vendor-supplied threat intelligence indicators are mapped to normalized values in the Sumo Logic threat intelligence datastore to provide ease of interoperability. The mapping is described in this article.
+
Schema from vendor-supplied threat intelligence indicators are mapped to [normalized values](/docs/security/threat-intelligence/upload-formats/#normalized-json-format) in the Sumo Logic threat intelligence datastore to provide ease of interoperability. The mapping is described in this article.
## CrowdStrike
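Review bot: the anchor `#normalized-json-format` in the new link cannot be checked from this diff; confirm it matches an actual heading id on the upload-formats page, since a wrong fragment renders as a working-looking link that lands at the top of the page. In the same sentence, "Schema from vendor-supplied threat intelligence indicators are mapped" disagrees in number; "Schemas from vendor-supplied ... are mapped" or "The schema ... is mapped" reads cleanly.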
@@ -21,11 +21,11 @@ Following are the normalized values for CrowdStrike:
|`id`|`id`| Array joined with a comma: ", " |
|`indicator`|`indicator`||
|`kill_chain_phases`|`killChain`||
-
|`labels.ThreatType`|`threatType`*||
+
|`labels.ThreatType`|`threatType`*|The `threatType` value can vary based on matches*. |
|`last_updated`|`updated`||
|`malicious_confidence`|`confidence`| Normalized to a 0-100 scale. |
|`published_date`|`validFrom` and `imported`||
-
|`type`|`type`||
+
|`type`|`type`|See [Type mapping for CrowdStrike](/docs/security/threat-intelligence/threat-intelligence-mapping/#type-mapping-for-crowdstrike) below. |
All other fields will be kept in the `fields{}` object.
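Review bot: in the `labels.ThreatType` row, the new note "The `threatType` value can vary based on matches*." ends with a stray asterisk and does not say what is being matched; if the asterisk refers to the existing footnote marker on `threatType`*, either drop it or state that it does, and spell out the condition (which label values are matched and what the resulting `threatType` is). In the `type` row, the link points at this same article with a full path; an in-page anchor `#type-mapping-for-crowdstrike` would survive a rename of the page.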
@@ -66,7 +66,7 @@ Following are the normalized values for Intel 471:
|`data.expiration`|`validUntil`| Converted from epoch timestamp. |
|`data.mitre_tactics`|`killChain`||
|`data.threat.uid`|`id`||
-
||`threatType`|Statically set to `unknown`. |
+
|*Not applicable*|`threatType`|All indicators have `threatType` set to `unknown`. |
## Mandiant
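Review bot: the new wording in the `threatType` row ("All indicators have `threatType` set to `unknown`") differs from the equivalent ZeroFox row in this same change ("All indicators are set to `compromised`") even though both describe a static assignment of `threatType`; use one phrasing for both so readers can see they mean the same thing. Replacing the empty source cell with *Not applicable* is a good change; consider applying it to every vendor table that has a static field, not only the two touched here.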
@@ -115,11 +115,11 @@ Following are the normalized values for ZeroFox:
|`sha1`|`indicator`||
|`sha256`|`indicator`||
|`sha512`|`indicator`||
-
|`tags`|`confidence`|Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. |
+
|`tags`|`confidence`|Set by default to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. |
|`updated_at`|`validFrom`| If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. |
|`url`|`indicator`||
|`url--{{url}}`|`id`||
-
||`threatType`|Set to `compromised`. |
+
|*Not applicable*|`threatType`|All indicators are set to `compromised`. |
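Review bot: the `tags` row still reads ungrammatically after the rewording ("if `c2_domain_top_1m` found as a tag"); "if the `c2_domain_top_1m` tag is present" is clearer, and a short clause on why that tag lowers `confidence` from `75` to `25` would help readers tuning match rules. In the new `threatType` row, "All indicators are set to `compromised`" says the indicator is set, but it is the `threatType` field that is; "All indicators have `threatType` set to `compromised`" states that and matches the Intel 471 row in this change.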