Cleanup

jpipkin1 · jpipkin1 · commit 9a64de6b5c11 · 2025-07-11T14:33:14.000-05:00
diff --git a/docs/security/threat-intelligence/index.md b/docs/security/threat-intelligence/index.md
@@ -42,4 +42,10 @@ See the following articles to learn about Sumo Logic's threat intelligence capab
   <p>Learn how to format upload files containing threat intelligence indicators.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/security/threat-intelligence/threat-intelligence-mapping"><img src={useBaseUrl('img/icons/security/cloud-siem.png')} alt="icon" width="40"/><h4>Threat Intelligence Mapping</h4></a>
+  <p>Learn about the mapping of threat intelligence schema from vendor sources to Sumo Logic schema.</p>
+  </div>
+</div>
 </div>
diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md
@@ -1,37 +1,41 @@
 ---
 slug: /security/threat-intelligence/threat-intelligence-mapping
 title: Threat Intelligence Mapping
-sidebar_label: Mapping 
-description: Learn about mapping of threat intelligence indicators to Sumo Logic.
+sidebar_label: Mapping
+description: Learn about the mapping of threat intelligence schema from vendor sources to Sumo Logic schema.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-## _sumo_global_feed_cs mapping
+Schema from vendor-supplied threat intelligence indicators are mapped to normalized values in the Sumo Logic threat intelligence datastore to provide ease of interoperability. The mapping is described in this article. 
 
-Sumo Logic provides an out-of-the-box a `_sumo_global_feed_cs` source of threat intelligence indicators supplied by CrowdStrike. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. 
+## CrowdStrike
 
-In the threat intelligence datastore, the schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source). In addition, Sumo Logic provides an out-of-the-box `_sumo_global_feed_cs` source whose indicators are supplied by CrowdStrike. The same normalization applies to schema in both sources.
 
-| Original schema | Normalized schema in the datastore |
-|:--|:--|
-| `actor` | `actors` |
-| `id` | `id` |
-| `indicator` | `indicator` |
-| `kill_chain_phases` | `killChain` |
-| `labels.ThreatType` | `threatType` |
-| `last_updated` | `updated` |
-| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) |
-| `published_date` | `validFrom` and `imported` |
-| `type` | `type` |
+Following are the normalized values for CrowdStrike:
+
+| CrowdStrike schema | Normalized schema in the datastore | Notes |
+|:--|:--|:--|
+| `actor` | `actors` | Array joined with a comma: ", " |
+| `id` | `id` | Array joined with a comma: ", " |
+| `indicator` | `indicator` | |
+| `kill_chain_phases` | `killChain` | |
+| `labels.ThreatType` | `threatType`* | |
+| `last_updated` | `updated` | |
+| `malicious_confidence` | `confidence` | Normalized to a 0-100 scale. |
+| `published_date` | `validFrom` and `imported` | |
+| `type` | `type` | |
+
+All other fields will be kept in the `fields{}` object.
 
-(All other fields will be kept in the `fields{}` object.)
+*The value `malicious-activity` is used for the `threatType` if the regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)`. The value `anomalous-activity` is used if the regex matches `name=threattype\/`, and the value `unknown` is used if nothing matches.
 
-### Type mapping for _sumo_global_feed_cs 
+### Type mapping for CrowdStrike 
 
 The `type` object is mapped to the following normalized type values:
 
-| Original type | Normalized type in the datastore |
+| Original type in CrowdStrike | Normalized type in the datastore |
 |:--|:--|
 | `binary_string` | `artifact:payload_bin` | 
 | `bitcoin_address` | `url` | 
@@ -50,42 +54,25 @@ The `type` object is mapped to the following normalized type values:
 | `user_agent` | `http-request-ext:request_header.'User-Agent'` | 
 | `x509_subject` | `x509-certificate:serial_number` | 
 
+## Intel 471
 
-## CrowdStrike mapping
-
-You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source).
+You can ingest threat indicators from Intel 471 using the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). In addition, Sumo Logic provides an out-of-the-box `SumoLogic_ThreatIntel` source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources.
 
-In the threat intelligence datastore, the CrowdStrike schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+Following are the normalized values for Intel 471:
 
-| CrowdStrike schema | Normalized schema in the datastore | Notes |
-|:--|:--|:--|
-| `[]actors` | `actors` | Array joined with a ", " |
-| `id` | `id` | Array joined with a ", " |
-| `indicator` | `indicator` | |
-| `[]kill_chains` | `killChain` | |
-| `labels` | `threatType` | Value used can also be `malicious-activity`, `anomalous-activity`, or `unknown`.* |
-
-*Value `malicious-activity` used if regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)` <br/>Value `anomalous-activity` used if regex matches: `name=threattype\/` <br/>Value `unknown` used if nothing matches.
-
-## Intel471 mapping
-
-You can ingest threat indicators from Intel471 using the [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/).
-
-In the threat intelligence datastore, the Intel471 schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
-
-| ThreatIntel 471 schema | Normalized schema in the datastore | Notes |
+| Intel 471 schema | Normalized schema in the datastore | Notes |
 |:--|:--|:--|
 | `activity.last` | `validFrom` | Converted from epoch timestamp. |
 | `data.expiration` | `validUntil` | Converted from epoch timestamp. |
 | `data.mitre_tactics` | `killChain` | |
 | `data.threat.uid` | `id` | |
 | | `threatType` | Statically set to `unknown`. |
 
-## Mandiant mapping
+## Mandiant
 
 You can ingest threat indicators from Mandiant using the [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source/).
 
-In the threat intelligence datastore, the Mandiant schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+Following are the normalized values for Mandiant:
 
 | Mandiant schema | Normalized schema in the datastore | Notes |
 |:--|:--|:--|
@@ -95,13 +82,13 @@ In the threat intelligence datastore, the Mandiant schema is mapped to normalize
 | `unknown` | `threatType` | |
 | `value` | `indicator` | |
 
-## ZeroFox mapping
+## ZeroFox
 
 You can ingest threat indicators from ZeroFox using the [ZeroFox Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source/).
 
-In the threat intelligence datastore, the ZeroFox schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+Following are the normalized values for ZeroFox:
 
-| Mandiant schema | Normalized schema in the datastore | Notes |
+| ZeroFox schema | Normalized schema in the datastore | Notes |
 |:--|:--|:--|
 | `c2_domain` | `indicator` | |
 | `c2_ip_address` | `indicator` | |
@@ -134,22 +121,6 @@ In the threat intelligence datastore, the ZeroFox schema is mapped to normalized
 | `url--{{url}}` | `id` | |
 | | `threatType` | Set to `compromised`. |
 
-### Confidence mapping for ZeroFox
-
-The `confidence` field in the datastore has the following values for ZeroFox:
-
-| ZeroFox item | Confidence score in datastore |
-|:--|:--|
-| `domain` | `50` |
-| `ip` | `50` |
-| `ip_address` | `50` |
-| `ip_addresses` | `50` |
-| `md5` | `75` |
-| `sha1` | `75` |
-| `sha256` | `75` |
-| `sha512` | `75` |
-| `url` | `50` for phishing events, and `100` for disruption events |
-
 ### Type mapping for ZeroFox
 
 The `type` object is mapped to the following normalized type values:
@@ -164,4 +135,18 @@ The `type` object is mapped to the following normalized type values:
 | `Ip_addresses` | `ipv4-addr` or `ipv6-addr` |
 | `url` | `url` |
 
+### Confidence mapping for ZeroFox
+
+The `confidence` field in the datastore has the following values for ZeroFox:
 
+| ZeroFox item | Confidence score in datastore |
+|:--|:--|
+| `domain` | `50` |
+| `ip` | `50` |
+| `ip_address` | `50` |
+| `ip_addresses` | `50` |
+| `md5` | `75` |
+| `sha1` | `75` |
+| `sha256` | `75` |
+| `sha512` | `75` |
+| `url` | `50` for phishing events, and `100` for disruption events |
