New content for the mapping article

Author: jpipkin1

cid-redirects.json

@@ -3307,7 +3307,6 @@
   "/Manage/Security/Set-the-Password-Policy": "/docs/manage/security/set-password-policy",
   "/Manage/Threat-Intel-Ingest": "/docs/security/threat-intelligence",
   "/docs/platform-services/threat-intelligence-indicators": "/docs/security/threat-intelligence",
-  "/docs/security/threat-intelligence/threat-intelligence-mapping/": "/docs/security/threat-intelligence",
   "/Manage/Users-and-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles/About-Roles": "/docs/manage/users-roles/roles",

docs/security/threat-intelligence/about-threat-intelligence.md

@@ -103,9 +103,13 @@ _index=sumologic_audit_events _sourceCategory=threatIntelligence
 ## Sumo Logic threat intelligence sources
 
 Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources:
-* **_sumo_global_feed_cs**. This is a legacy source of threat indicators maintained by Sumo Logic. ***This source will be discontinued on April 30, 2025***.
+* **_sumo_global_feed_cs**. This is a legacy source of threat indicators supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/). ***This source will be discontinued on April 30, 2025***.
 * **SumoLogic_ThreatIntel**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/).
 
+<!-- Unhide the article and add this link if we think it's necessary:
+For information about mapping fields to the new source, see [Threat Intelligence Mapping](/docs/security/threat-intelligence/threat-intelligence-mapping/).
+-->
+
 :::warning
 To maintain uninterrupted threat intelligence operation, if you have created rules, saved searches, monitors or dashboard panel queries that explicitly reference the legacy `_sumo_global_feed_cs` source, follow the directions below to update them to use the new `SumoLogic_ThreatIntel` source ***before April 30, 2025***.
 :::

docs/security/threat-intelligence/threat-intelligence-mapping.md

@@ -0,0 +1,30 @@
+---
+slug: /security/threat-intelligence/threat-intelligence-mapping
+title: Threat Intelligence Mapping
+sidebar_label: Threat Intelligence Mapping 
+description: Learn about mapping of threat intelligence indicators to Sumo Logic.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This article provides guidance on mapping behavior from the legacy **_sumo_global_feed_cs** source supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/) to the **SumoLogic_ThreatIntel** source supplied by [Intel 471](https://intel471.com/).
+
+:::warning
+*The **_sumo_global_feed_cs** source will be discontinued on April 30, 2025*. For more information, see [Sumo Logic Threat Intelligence Sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources).
+:::
+
+## Field mapping
+
+It may not be possible to translate CrowdStrike-specific fields to Intel 471-specific fields, because they capture and prioritize different aspects of indicators of compromise.  As a starting point, however, below is approximate mapping of CrowdStrike fields to Intel 471 fields:
+
+| CrowdStrike | Intel 471 | Translation notes |
+| :-- | :-- | :-- |
+| `indicator` | `data.indicator_data.*` <br/><br/>For example:<br/>`data.indicator_data.address`<br/>`data.indicator_data.file.md5`<br/>`data.indicator_data.file.sha1`<br/>`data.indicator_data.file.sha256`<br/>`data.indicator_data.url` | Depends on the type. Every Intel 471 file hash record includes all hash types. <br/><br/>Intel 471 also includes geoip data for IP addresses under `data.indicator_data.geo_ip`.<br/><br/>Intel 471 has no domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes. |
+| `kill_chains` | `data.mitre_tactics` |
+| `labels[*].name` | `data.threat.type`<br/>`data.threat.data.family`<br/>`data.context.description`<br/>`data.mitre_tactics` | CrowdStrike's labels are redundant with other sections in the CrowdStrike record. |
+| `last_updated` | `last_updated` | CrowdStrike's timestamps are in epoch seconds whereas Intel 471's are in milliseconds. |
+| `malicious_confidence` | `data.confidence` | |
+| `malware_families` | `data.threat.data.family` | |
+| `threat_types` | `data.threat.type` | |
+| `type` | `data.indicator_type` | |
+| (none) | `data.expiration` | Intel 471 only. In milliseconds. |

sidebars.ts

@@ -3032,6 +3032,7 @@ integrations: [
         'security/threat-intelligence/find-threats',
         'security/threat-intelligence/threat-indicators-in-cloud-siem',
         'security/threat-intelligence/upload-formats',
+        //'security/threat-intelligence/threat-intelligence-mapping',
       ],
     },  
   ],