Updates from review

Author: jpipkin1

docs/cse/rules/cse-rules-syntax.md

@@ -670,13 +670,10 @@ As a best practice, always include filtering to narrow your match to just the ty
 For example:
 * `hasThreatMatch([dstDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))` 
 * `hasThreatMatch([file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_ssdeep, file_hash_sha1, file_hash_sha256], confidence > 1 AND type="file:hashes")` 
-* `hasThreatMatch([device_hostname, srcDevice_hostname, dstDevice_hostname, http_hostname, http_referrerHostname, bro_ssl_serverName, bro_ntlm_domainame, bro_ssl_serverName_rootDomain, dns_queryDomain, dns_replyDomain, fromUser_authDomain, http_referrerDomain, http_url_rootDomain, http_url_fqdn], confidence > 1 AND (type="domain-name" OR type="url"))` 
 * `hasThreatMatch([http_url], confidence > 1 AND type="url")` 
 * `hasThreatMatch([srcDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))`
 
 Following are the standard indicator types you can filter on:
-* `domain-name`. Domain name. 
-* `email-addr`. Email address. 
 * `file:hashes`. File hash. (If you want to add the hash algorithm, enter `file:hashes.<HASH-TYPE>`. For example, `[file:hashes.MD5 = '5d41402abc4b2a76b9719d911017c592']` or `[file:hashes.'SHA-256' = '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c']`.)
 * `file`. File name. 
 * `ipv4-addr`. IPv4 IP address. 

docs/security/threat-intelligence/about-threat-intelligence.md

@@ -104,7 +104,7 @@ _index=sumologic_audit_events _sourceCategory=threatIntelligence
 
 Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources: 
 * **_sumo_global_feed_i471**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/).
-* **_sumo_global_feed_cs**. This is a legacy source of threat indicators maintained by Sumo Logic. ***This source will be discontinued on April 30, 2025***. If you want to stop using this source before April 30, disable the source on the [Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab).
+* **_sumo_global_feed_cs**. This is a legacy source of threat indicators maintained by Sumo Logic. ***This source will be discontinued on April 30, 2025***.
 
 :::warning
 To maintain uninterrupted threat intelligence operation, if you have created rules, saved searches, monitors or dashboard panel queries that explicitly reference the legacy `_sumo_global_feed_cs` source, follow the directions below to update them to use the new `_sumo_global_feed_i471` source ***before April 30, 2025***.
@@ -116,21 +116,25 @@ Perform the steps in the following sections to migrate to the `_sumo_global_feed
 
 #### hasThreatMatch rule syntax
 
-If no source is explicitly provided in your rules with [hasThreatMatch](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch) syntax, no change is needed:
-* By default, until April 30, 2025 the rules point to the legacy `_sumo_global_feed_cs` source (and the rest of your tenant-specific sources). 
+In most cases, no change is needed if you use [hasThreatMatch](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch) in your rules:
+* Until April 30, 2025 the rules point to the legacy `_sumo_global_feed_cs` source (and the rest of your tenant-specific sources). 
 * After April 30, 2025, the rules point to the new `_sumo_global_feed_i471` source (and the rest of your tenant-specific sources).
 
-If you have rules with hasThreatMatch syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `_sumo_global_feed_i471` source. For example: 
-* Change this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_cs")` 
-* To this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_i471")`
+You may need to make changes in these scenarios:
+* If you have rules with `hasThreatMatch` syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `_sumo_global_feed_i471` source. For example: 
+   * Change this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_cs")` 
+   * To this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_i471")`
+* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using `hasThreatMatch`, update your rule syntax to remove them.
 
 #### lookup operator
 
-No change is needed on your part to address changes to the [lookup](/docs/search/search-query-language/search-operators/lookup/) search operator.
+In most cases, no change is needed if you use the [lookup](/docs/search/search-query-language/search-operators/lookup/) search operator to point to `sumo://threat/cs`:
+* Until April 30, 2025, queries in dashboards that use the `lookup` search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) are now updated to point to `sumo://threat/i471` (the new `_sumo_global_feed_i471` source). For examples, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app. 
+* After April 30, 2025, any `lookup` operator queries pointing to `sumo://threat/cs` will be directed to the new `_sumo_global_feed_i471` source.
 
-Queries in dashboards that use the `lookup` search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) will now point to `sumo://threat/i471` (the new `_sumo_global_feed_i471` source). For examples, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app.
-
-After April 30, 2025, all `lookup` operator queries pointing to `sumo://threat/cs` will be directed to the new `_sumo_global_feed_i471` source.
+You may need to make changes in these scenarios:
+* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using the `lookup` operator, update your queries to remove them.
+* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `_sumo_global_feed_i471` source. To avoid problems with fields not returning data, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause.
 
 #### threatip search operator
 

docs/security/threat-intelligence/threat-intelligence-mapping.md

@@ -9,7 +9,55 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 
 ## Global feed mapping
 
-Sumo Logic provides an out-of-the-box a `_sumo_global_feed_cs` source of threat intelligence indicators supplied by Sumo Logic. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. 
+<!-- Add this section after we get the mapping information:
+### _sumo_global_feed_i471 source
+
+The `_sumo_global_feed_i471` source is one of the out-of-the-box [global feed sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-global-feed-source) of threat intelligence indicators supplied by Sumo Logic. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. 
+
+In the threat intelligence datastore, the schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+
+| Original schema | Normalized schema in the datastore |
+|:--|:--|
+| `actor` | `actors` with the value of `NULL`. |
+| `confidence` | `confidence` (normalized to the 0-100 scale) |
+| `id` | `id` |
+| `imported` | `imported` |
+| `indicator` | `indicator` |
+| `kill_chain` | `killChain` |
+| `last_updated` | `updated` |
+| `threat_types` | `threatType` |
+| `type` | `type` |
+| `valid_from` | `validFrom` |
+| `valid_until` | `validUntil` |
+
+(All other fields will be kept in the `fields{}` object.)
+
+The `type` object is mapped to the following normalized type values:
+
+| Type | Normalized type in the datastore |
+|:--|:--|
+| `binary_string` | `artifact:payload_bin` | 
+| `bitcoin_address` | `url` | 
+| `ip_address` | `ipv4-addr` / `ipv6-addr` |
+| `domain` |  Not mapped. | 
+| `email_address` | Not mapped. | 
+| `file_path` | `file:name` | 
+| `file_name` | `file:name` | 
+| `hash_md5` | `file:hashes.'MD5'` | 
+| `hash_sha1` | `file:hashes.'SHA-1'` | 
+| `hash_sha256` | `file:hashes.'SHA-256'` | 
+| `mutex_name` | `mutex:name` | 
+| `service_name` | `process:name` | 
+| `url` | `url` | 
+| `username` | `user-account:user_id` | 
+| `user_agent` | `http-request-ext:request_header.'User-Agent'` | 
+| `x509_subject` | `x509-certificate:serial_number` | 
+
+-->
+
+### _sumo_global_feed_cs source
+
+The `_sumo_global_feed_cs` source is one of the out-of-the-box [global feed sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-global-feed-source) of threat intelligence indicators supplied by Sumo Logic. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. 
 
 In the threat intelligence datastore, the schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: