DOCS-37 - New threat intel source (#5185)

* Rough draft

* Remove RSS logo

* Finish draft

* Move release note to Cloud SIEM

* Updates from meeting

* Change name of default global feed to _sumo_global_feed_i471

* Updates per review by Nitin Pande

* Minor updates

* Updates from review

* Update blog-cse/2025-04-01-application.md

Co-authored-by: Kim (Sumo Logic) <[email protected]>

* Updates from meeting

* Fix broken link

* Fix broken link

* Add nodrop example

* Adjustment to nodrop

* New content for the mapping article

* Update hasThreatMatch example

* Update screenshots

* Remove mapping article

* Update from Kevin Burtt

* Minor cleanup

* Fix link in vendor switch article

* Remove Beta from vendor switch article

* Change release note date to April 3 2025

* Change date in release note

* Add support link

* Move release note to service section

* Add Cloud SIEM release note for new source

* Change release note date to April 8 2025

* Update screenshots

* Fix typo

---------

Co-authored-by: Kim (Sumo Logic) <[email protected]>

Author: jpipkin1

blog-cse/2025-04-08-application.md

@@ -0,0 +1,16 @@
+---
+title: April 8, 2025 - Application Update
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - threat intel
+  - security
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+### New Threat Intelligence Source
+
+We’re excited to announce a new default source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from Intel 471.
+
+For more information, [see our release note](/release-notes-service/2025/04/08/security/) in the *Service* release notes section.

blog-service/2025-04-08-security.md

@@ -0,0 +1,20 @@
+---
+title: New Threat Intelligence Source (Security)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - security
+  - threat intel
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We’re excited to announce a new `SumoLogic_ThreatIntel` source incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis.
+
+:::warning
+On April 30, 2025, we will discontinue our legacy `_sumo_global_feed_cs` source. If you have rules that explicitly point to this source, update them to use the new `SumoLogic_ThreatIntel` source.
+:::
+
+[Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources).
+
+<img src={useBaseUrl('img/security/threat-intelligence-tab-example.png')} alt="Threat Intelligence tab" style={{border: '1px solid gray'}} width="800" />

cid-redirects.json

@@ -3312,6 +3312,7 @@
   "/Manage/Security/Set-the-Password-Policy": "/docs/manage/security/set-password-policy",
   "/Manage/Threat-Intel-Ingest": "/docs/security/threat-intelligence",
   "/docs/platform-services/threat-intelligence-indicators": "/docs/security/threat-intelligence",
+  "/docs/security/threat-intelligence/threat-intelligence-mapping": "/docs/security/threat-intelligence",
   "/Manage/Users-and-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles": "/docs/manage/users-roles",
   "/Manage/Users-and-Roles/Manage-Roles/About-Roles": "/docs/manage/users-roles/roles",

docs/cse/rules/cse-rules-syntax.md

@@ -670,13 +670,10 @@ As a best practice, always include filtering to narrow your match to just the ty
 For example:
 * `hasThreatMatch([dstDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))` 
 * `hasThreatMatch([file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_ssdeep, file_hash_sha1, file_hash_sha256], confidence > 1 AND type="file:hashes")` 
-* `hasThreatMatch([device_hostname, srcDevice_hostname, dstDevice_hostname, http_hostname, http_referrerHostname, bro_ssl_serverName, bro_ntlm_domainame, bro_ssl_serverName_rootDomain, dns_queryDomain, dns_replyDomain, fromUser_authDomain, http_referrerDomain, http_url_rootDomain, http_url_fqdn], confidence > 1 AND (type="domain-name" OR type="url"))` 
 * `hasThreatMatch([http_url], confidence > 1 AND type="url")` 
-* `hasThreatMatch([srcDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))`
+* `hasThreatMatch([dstDevice_ip, srcDevice_ip], (confidence >1 AND confidence <50) AND (type='ipv4-addr' OR type='ipv6-addr'))`
 
 Following are the standard indicator types you can filter on:
-* `domain-name`. Domain name. 
-* `email-addr`. Email address. 
 * `file:hashes`. File hash. (If you want to add the hash algorithm, enter `file:hashes.<HASH-TYPE>`. For example, `[file:hashes.MD5 = '5d41402abc4b2a76b9719d911017c592']` or `[file:hashes.'SHA-256' = '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c']`.)
 * `file`. File name. 
 * `ipv4-addr`. IPv4 IP address. 

docs/integrations/amazon-aws/waf.md

@@ -60,7 +60,7 @@ _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop
 | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=clientip
 ```
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql title="Client IP Threat Info"
 _sourceCategory=AWS/WAF {{client_ip}}
 | parse "\"httpMethod\":\"*\"," as httpMethod,"\"httpVersion\":\"*\"," as httpVersion,"\"uri\":\"*\"," as uri, "{\"clientIp\":\"*\",\"country\":\"*\"" as clientIp,country, "\"action\":\"*\"" as action, "\"matchingNonTerminatingRules\":[*]" as matchingNonTerminatingRules, "\"rateBasedRuleList\":[*]" as rateBasedRuleList, "\"ruleGroupList\":[*]" as ruleGroupList, "\"httpSourceId\":\"*\"" as httpSourceId, "\"httpSourceName\":\"*\"" as httpSourceName, "\"terminatingRuleType\":\"*\"" as terminatingRuleType, "\"terminatingRuleId\":\"*\"" as terminatingRuleId, "\"webaclId\":\"*\"" as webaclId nodrop

docs/integrations/security-threat-detection/threat-intel-quick-analysis.md

@@ -27,9 +27,10 @@ import AppInstall from '../../reuse/apps/app-install.md';
 
 ## Threat Intel optimization
 
-The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. Use the following guidelines to customize your Threat Intel queries:
+The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**.
 
-Filter out unwanted logs before you use lookup operator
+Use the following guidelines to customize your Threat Intel queries:
+* Filter out unwanted logs before you use lookup operator
 * Use keywords
 * Use the where operator
 * Use general search optimization rules
@@ -43,7 +44,7 @@ _sourceCategory=cylance "IP Address"
 | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
 ```
 
-<!-- Replace section content with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace section content with this after `sumo://threat/i471` is replaced by `threatlookup`:
 
 The app provides baseline queries that utilize the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/) to look for threat intelligence data. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**. 
 
@@ -98,15 +99,15 @@ Use [Field Extraction Rules (FER)](/docs/manage/field-extractions/create-field-e
 1. Customize your query so you can use parsed fields from FER with the lookup operator, where src_ip is the parsed field from FER (see step # 1). For example:
    ```
    | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
-   | json field=raw "labels[*].name" as label_name
+   | json field=raw "labels[*].name" as label_name nodrop
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
    | where  type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source, label_name
    | sort by threat_count
    ``` 
-<!-- Replace the preceding step with the following after `sumo://threat/cs` is replaced by `threatlookup`:   
+<!-- Replace the preceding step with the following after `sumo://threat/i471` is replaced by `threatlookup`:   
 1. Customize your query so you can use parsed fields from the Field Extraction Rule with the [`threatlookup` search operator](/docs/search/search-query-language/search-operators/threatlookup/), where `src_ip` is the parsed field from the FER. For example:
    ```
    | threatlookup singleIndicator src_ip
@@ -125,15 +126,15 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
 1. Create a scheduled view. For example, for Cylance, create a scheduled view, **cylance_threat**:
    ```
    _sourceCategory=cylance | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
-   | json field=raw "labels[*].name" as label_name
+   | json field=raw "labels[*].name" as label_name nodrop
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
    | where  type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
    | count as threat_count by src_ip, malicious_confidence, Actor,  _source,  label_name, city, country_name, raw
    ```
-<!-- Replace the preceding code with the following after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace the preceding code with the following after `sumo://threat/i471` is replaced by `threatlookup`:
    ```
     _sourceCategory=cylance
     | threatlookup singleIndicator src_ip
@@ -150,7 +151,7 @@ Use scheduled views with the threat lookup operator to find threats. Scheduled v
      | count by src_ip
      ```
 
-<!-- Hide this FAQ section until after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Hide this FAQ section until after `sumo://threat/i471` is replaced by `threatlookup`:
 
 ## Threat Intel FAQ
 

docs/observability/aws/integrations/aws-dynamodb.md

@@ -61,15 +61,15 @@ _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynam
 | where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
 | count as ip_count by ip_address
 | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
-| json field=raw "labels[*].name" as label_name
+| json field=raw "labels[*].name" as label_name nodrop
 | replace(label_name, "\\/","->") as label_name
 | replace(label_name, "\""," ") as label_name
 | where  type="ip_address" and !isNull(malicious_confidence)
 | if (isEmpty(actor), "Unassigned", actor) as Actor
 | sum (ip_count) as threat_count
 ```
 
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql title="All IP Threat Count"
 _sourceCategory=Labs/AWS/DynamoDB account=* namespace=* "\"eventSource\":\"dynamodb.amazonaws.com\""
 | json "eventName", "awsRegion", "requestParameters.tableName", "sourceIPAddress", "userIdentity.userName" as event_name, Region, entity, ip_address, user

docs/search/search-query-language/search-operators/threatip.md

@@ -4,7 +4,7 @@ title: threatip Search Operator
 sidebar_label: threatip
 ---
 
-The `threatip` operator correlates data in the `_sumo_global_feed_cs` [threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) source based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
+The `threatip` operator correlates data in the [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) based on IP addresses from your log data. This provides security analytics that helps you to detect threats in your environment, while also protecting against sophisticated and persistent cyber-attacks. 
 
 <!-- 
 You can also use the [`threatlookup`](/docs/search/search-query-language/search-operators/threatlookup/) search operator to search threat intelligence indicators.

docs/search/search-query-language/search-operators/threatlookup.md

@@ -136,7 +136,7 @@ _sourceCategory=weblogs
 | compose src_ip]
 ```
 
-<!-- Add this after sumo://threat/cs is replaced by threatlookup":
+<!-- Add this after sumo://threat/i471 is replaced by threatlookup":
 
 ### Threatlookup queries in dashboards
 
@@ -217,6 +217,6 @@ cat sumo://threat-intel | formatDate(toLong(_threatlookup.valid_until), "yyyy-MM
 ```
 
 :::note
-You cannot use the cat search operator with the `_sumo_global_feed_cs` source.
+You cannot use the cat search operator with the `SumoLogic_ThreatIntel` source.
 :::
 -->

docs/search/search-query-language/search-operators/tolowercase-touppercase.md

@@ -55,7 +55,7 @@ which provides results like:
 | lookup raw from sumo://threat/cs on threat = hash{code}
 ```
 
-<!-- Replace code example with this after `sumo://threat/cs` is replaced by `threatlookup`:
+<!-- Replace code example with this after `sumo://threat/i471` is replaced by `threatlookup`:
 ```sql
 *
 | limit 1