Update pattern_type to stix

Author: jpipkin1

docs/security/threat-intelligence/find-threats.md

@@ -21,49 +21,7 @@ _index=sec_record*
 
 For syntax and examples, see [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/). 
 
-<!-- Add this back once we have support for the cat search operator.
+<!-- Add this back once we have support for the cat search operator:
 You can also [run threatlookup with the cat search operator](/docs/search/search-query-language/search-operators/threatlookup/#run-threatlookup-with-the-cat-search-operator) to search the entire store of threat intelligence indicators.
 -->
 
-## Threatlookup queries in dashboards
-
-The `threatlookup` search operator is used for queries in some dashboards, including [dashboards in the Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#viewing-threat-intel-quick-analysis-dashboards). These queries provide great examples of how to use the operator.
-
-To see `threatlookup` used in a query:
-1. Open the Threat Intel Quick Analysis app.
-1. Navigate to a dashboard, such as **Overview**.
-1. Click the three-dot kebab in the upper-right corner of the dashboard panel.
-1. Select **Open in Log Search**. 
-1. Look for `threatlookup` used in the query. 
-
-For example, here is the query used for the **Threat Count** panel in the **Threat Intel Quick Analysis - IP** dashboard:
-
-```
-_sourceCategory=<source-category-name> 
-| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
-| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
-| count as ip_count by ip_address
-
-| threatlookup singleIndicator ip_address
-
-// normalize confidence level to a string 
-| if (_threatlookup.confidence >= 85, "high", if (_threatlookup.confidence >= 50, "medium", if (_threatlookup.confidence >= 15, "low", if (_threatlookup.confidence >= 0, "unverified", "unknown")))) as threat_confidence
-
-// filter for threat confidence
-| where  threat_confidence matches "*"
-
-//rename to match threat_<foo> convention
-| %"_threatlookup.actors" as threat_actors
-| %"_threatlookup.type" as type
-| %"_threatlookup.threat_type" as threat_type
-
-//convert threat valid from to human readable time
-| toLong(%"_threatlookup.valid_from" * 1000) as %"_threatlookup.valid_from"
-| formatDate(%"_threatlookup.valid_from", "MM-dd-yyyy") as threat_valid_from
-
-| where type matches "ipv4-addr*" and !isNull(threat_confidence)
-
-| if (isEmpty(threat_actors), "Unassigned", threat_actors) as threat_actors
-
-|sum (ip_count) as threat_count
-```  

docs/security/threat-intelligence/upload-formats.md

@@ -332,11 +332,5 @@ The following attributes are required:
          * `url:value`. URL. (Entity type in Cloud SIEM is `_url`.)
          * `user-account:user-id`. User ID. (Entity type in Cloud SIEM is `_username`.)
          * `user-account:login`. Login name. (Entity type in Cloud SIEM is `_username`.)       
-       * **pattern_type** (string). The pattern language used in this indicator (as defined by [pattern_type in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_9lfdvxnyofxw)). Following are valid values:
-          * `stix`. Specifies the [STIX](https://oasis-open.github.io/cti-documentation/stix/intro) pattern language.
-          * `pcre`. Specifies the [PCRE](https://www.pcre.org/) language.
-          * `sigma`. Specifies the [SIGMA](https://sigmahq.io/) language.
-          * `snort`. Specifies the [SNORT](https://www.snort.org/) language.
-          * `suricata`. Specifies the [SURICATA](https://suricata-ids.org/) language.
-          * `yara`. Specifies the [YARA](https://virustotal.github.io/yara/) language.
+       * **pattern_type** (string). The pattern language used in this indicator (as defined by [pattern_type in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_9lfdvxnyofxw)). Enter `stix` to specify the [STIX](https://oasis-open.github.io/cti-documentation/stix/intro) pattern language.
        * **valid_from** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.