DOCS-736 - Legacy Cloud SIEM threat intel (#5141)

jpipkin1 · web-flow · commit feeffd84b024 · 2025-03-05T19:16:50.000Z
* DOCS-736 - Legacy Cloud SIEM threat intel

* Updates from Oren Shevach review

* Add note about STIX upload format
diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md
@@ -1,102 +1,39 @@
 ---
 id: create-custom-threat-intel-source
-title: Create a Custom Threat Intelligence Source
-sidebar_label: Create a Custom Threat Intelligence Source
-description: Learn how to create and manage custom threat sources.
+title: Custom Threat Intelligence Sources
+sidebar_label: Custom Threat Intelligence Sources
+description: Learn how to manage custom threat intelligence sources in Cloud SIEM.
 ---
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-<!-- For threat intel. Put this back once we support cat with the threatlookup search operator:
-
 :::info
-This article describes functionality in Cloud SIEM that will be deprecated at a future time. **You can no longer add custom intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence indicators framework. For more information, see [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/).
-:::
--->
-
-This topic has information about setting up a *custom threat intelligence source* in Cloud SIEM, which is a threat intelligence list that you can populate manually, as opposed to using an automatic feed. 
-
-You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, domains, URLs, email addresses, and file hashes.
-
-:::note
-You can also use the Sumo Logic threat intelligence framework to add sources. See [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/).
+**You can no longer add custom threat intelligence sources in Cloud SIEM**. To create new sources, use the Sumo Logic threat intelligence framework. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence). [Contact Support](https://support.sumologic.com/support/s/) if you still need to create custom sources in Cloud SIEM.
 :::
 
-## How Cloud SIEM uses indicators
-
-When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in this way.
-
-Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the *About Cloud SIEM Rules* topic.
-
-## Create a threat intelligence source from Cloud SIEM UI
-
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
-1. Click **Add Source** on the **Threat Intelligence** page. 
-1. In the **Custom** box click **Create**.
-1. On the **Add New Source** popup, enter a name, and if desired, a description for the source. 
-1. Click **Add Custom Source**.
-
-Your new source should now appear on the **Threat Intelligence** page.
-
-## Add threat indicators
+Prior to the introduction of [Sumo Logic Threat Intelligence](/docs/security/threat-intelligence), administrators created their own custom threat intelligence sources, which they manually populated as opposed to using an automatic feed. This article has information about managing these custom threat intelligence sources in Cloud SIEM. 
 
-### Enter indicators manually
+Previously, administrators created custom threat intelligence sources interactively from the Cloud SIEM UI by uploading a .csv file, or using Cloud SIEM APIs. They populated the sources with IP addresses, domains, URLs, email addresses, and file hashes.
 
-1. On the **Threat Intelligence** page, click the name of the source you want to update.  
-1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**.
-1. On the **New Threat Intelligence Indicator** popup.
-    1. **Value**. Enter one of the following:
-        * Domain (valid domain name without protocol or path)
-        * Email (valid email address)
-        * File hash (hexadecimal string of 32, 40, 64, or 128 characters)
-        * IP (valid IPV4 or IPv6 address)  
-        * URL (valid, complete URL)
-        :::note
-        For the fields the value will be compared to, see [Target fields for threat indicators](#target-fields-for-threat-indicators) below.
-        :::
-    1. **Description**. (Optional)
-    1. **Expiration**. (Optional) If desired, you can specify an
-        expiration date and time for the indicator. When that time is
-        reached, the indicator will be removed from the source. When you
-        click in the field, you’ll be prompted to select a date and
-        time.
-    1. Click **Add**.
+## View threat intelligence sources in Cloud SIEM
 
-### Upload a file of indicators 
+[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**.
 
-If you have a large number of indicators to add to your source, you can save time by creating a .csv file and uploading it to Cloud SIEM. 
+[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.  
 
-#### Create a CSV file
-
-The .csv file can contain up to four columns, which are described below. 
-
-| Column     | Description  |   
-| :-- | :-- |
-| value  | Required. Must be one of the following: <br/>- Domain (valid domain name without protocol or path)<br/>- Email (valid email address)<br/>- File hash (hexadecimal string of 32, 40, 64, or 128 characters)<br/>- IP (valid IPV4 or IPv6 address)<br/>- URL (valid, complete URL) <br/>For the fields the value will be compared to, see [Target fields for threat indicators](#target-fields-for-threat-indicators) below. |
-| description | Optional.  |  
-| expires| Optional. The data and time when you want the indicator to be removed, in any ISO date format. |
-| active | Required. Specifies whether the indicator actively looks for threat intelligence in records. Valid values are `true` or `false`. |
-
-**Example .csv file**
+## Search indicators
 
-```
-value,description,expires,active
-22.333.22.252,Tante Intel,2022-06-01 01:00 PM,true
-```
+To search threat indicators, click the **Search All Indicators** button at the top of the **Threat Intelligence** page. 
 
-#### Upload the file
+You can search using the same functionality available for other Cloud SIEM searches, including regular expressions. For more information, see [Filter and Search Cloud SIEM List Pages](/docs/cse/administration/filter-search).
 
-1. On the **Threat Intelligence** page, click the name of the target custom source.
-1. Click **Import Indicators**.
-1. On the import popup:
-    1. Drag your file onto the import popup, or click to navigate to the file, and then click Import.
-    1. Optionally, you can enter an expiration for the indicators on the list. If you do, it will override any expirations that are defined in the file. Enter the expiration in any ISO date format. For example: `2022-12-31`
+## How Cloud SIEM uses indicators
 
-### Manage sources and indicators using APIs
+When Cloud SIEM encounters an indicator from a threat source in an incoming record, it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in this way.
 
-You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/).
+Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a rule tuning expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence Indicators in Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/).
 
-## Target fields for threat indicators
+### Target fields for threat indicators
 
 Following are the fields that threat indicators are compared to. 
 
@@ -139,9 +76,3 @@ Following are the fields that threat indicators are compared to.
       * srcDevice_natIp
 * URL:
       * http_url
-
-## Search indicators
-
-To search threat indicators, click the **Search All Indicators** button at the top of the **Threat Intelligence** page. 
-
-You can search using the same functionality available for other Cloud SIEM searches, including regular expressions. For more information, see [Filter and Search Cloud SIEM List Pages](/docs/cse/administration/filter-search).
diff --git a/docs/cse/administration/index.md b/docs/cse/administration/index.md
@@ -30,8 +30,8 @@ Learn about onboarding tasks and best practices for Cloud SIEM administrators. I
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/cse/administration/create-custom-threat-intel-source"><img src={useBaseUrl('img/icons/security/world-class-security.png')} alt="Shield with a globe icon" width="40"/><h4>Create a Custom Threat Intelligence Source</h4></a>
-  <p>Learn how to create and manage Custom Threat Sources.</p>
+  <a href="/docs/cse/administration/create-custom-threat-intel-source"><img src={useBaseUrl('img/icons/security/world-class-security.png')} alt="Shield with a globe icon" width="40"/><h4>Custom Threat Intelligence Sources</h4></a>
+  <p>Learn how manage custom threat intelligence sources.</p>
   </div>
 </div>
 <div className="box smallbox card">
diff --git a/docs/cse/rules/cse-rules-syntax.md b/docs/cse/rules/cse-rules-syntax.md
@@ -626,7 +626,7 @@ The following expression returns "10.10.1.0":
 
 ### hasThreatMatch
 
-The `hasThreatMatch` Cloud SIEM rules function matches incoming records in Cloud SIEM to [threat intelligence indicators](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). It can also match values in [Custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/). 
+The `hasThreatMatch` Cloud SIEM rules function matches incoming records in Cloud SIEM to [threat intelligence indicators](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). It can also match values in [custom threat intelligence sources in Cloud SIEM](/docs/cse/administration/create-custom-threat-intel-source/). 
 
 **Syntax**
 
diff --git a/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md b/docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md
@@ -7,7 +7,11 @@ description: Learn how to use threat intelligence indicators in Cloud SIEM.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-Threat intelligence indicators can be used in Cloud SIEM to find possible threat activity. 
+Threat intelligence indicators can be used in Cloud SIEM to find possible threat activity.
+
+:::note
+Previously, Cloud SIEM administrators could add [custom threat intelligence sources](/docs/cse/administration/create-custom-threat-intel-source/) in Cloud SIEM. **You can no longer add custom threat intelligence sources in Cloud SIEM**. To add new sources, [ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) using the Sumo Logic threat intelligence framework. [Contact Support](https://support.sumologic.com/support/s/) if you still need to create custom sources in Cloud SIEM.
+:::
 
 ## hasThreatMatch Cloud SIEM rules language function
 
diff --git a/docs/security/threat-intelligence/upload-formats.md b/docs/security/threat-intelligence/upload-formats.md
@@ -7,11 +7,11 @@ description: Learn how to format upload files containing threat intelligence ind
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-Use the following formats for threat intelligence indicator files when you [add indicators in the **Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-in-the-threat-intelligence-tab) or when you use the upload APIs in the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) API resource:
+Use the following formats for threat intelligence indicator files when you [add indicators in the **Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-in-the-threat-intelligence-tab) or when you use the upload APIs with the [Threat Intel Ingest Management API](/docs/api/threat-intel-ingest/) resource:
 
 * [Normalized JSON format](#normalized-json-format)
 * [CSV format](#csv-format)
-* [STIX 2.x JSON format](#stix-2x-json-format)
+* [STIX 2.x JSON format](#stix-2x-json-format) (API use only)
 
 ## Normalized JSON format
 
@@ -158,6 +158,10 @@ Columns for the following attributes are required in the upload file:
 
 ## STIX 2.x JSON format
 
+:::note
+Use this format only with the [STIX 2.x JSON upload API](https://api.sumologic.com/docs/#operation/uploadStixIndicators) in the [Threat Intel Ingest Management API](/docs/api/threat-intel-ingest/) resource. You cannot [add indicators in the **Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-in-the-threat-intelligence-tab) using this format.
+:::
+
 STIX 2.x JSON format is a method to present JSON data according to the STIX 2.x specification.
 
 Note that if you want to upload indicators from multiple sources, you cannot use this format but instead should use the [Normalized JSON format](#normalized-json-format).
