From 09103e220d54286717ae234a974ad2d5a10a8537 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 10 Jul 2025 17:11:04 -0500 Subject: [PATCH 1/8] Add back the mapping article --- .../threat-intelligence-mapping.md | 71 +++++++++++++++++++ sidebars.ts | 1 + 2 files changed, 72 insertions(+) create mode 100644 docs/security/threat-intelligence/threat-intelligence-mapping.md diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md new file mode 100644 index 0000000000..9f36d96791 --- /dev/null +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md 
@@ -0,0 +1,71 @@
+---
+slug: /security/threat-intelligence/threat-intelligence-mapping
+title: Threat Intelligence Mapping
+sidebar_label: Mapping
+description: Learn about mapping of threat intelligence indicators to Sumo Logic.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+## Global feed mapping
+
+Sumo Logic provides an out-of-the-box a `_sumo_global_feed_cs` source of threat intelligence indicators supplied by CrowdStrike. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted.
+
+In the threat intelligence datastore, the schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+
+| Original schema | Normalized schema in the datastore |
+|:--|:--|
+| `actor` | `actors` |
+| `id` | `id` |
+| `indicator` | `indicator` |
+| `kill_chain_phases` | `killChain` |
+| `labels.ThreatType` | `threatType` |
+| `last_updated` | `updated` |
+| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) |
+| `published_date` | `validFrom` and `imported` |
+| `type` | `type` |
+
+(All other fields will be kept in the `fields{}` object.)
+
+The `type` object is mapped to the following normalized type values:
+
+| Original type | Normalized type in the datastore |
+|:--|:--|
+| `binary_string` | `artifact:payload_bin` |
+| `bitcoin_address` | `url` |
+| `ip_address` | `ipv4-addr` / `ipv6-addr` |
+| `domain` | `domain-name` |
+| `email_address` | `email-add` |
+| `file_path` | `file:name` |
+| `file_name` | `file:name` |
+| `hash_md5` | `file:hashes.'MD5'` |
+| `hash_sha1` | `file:hashes.'SHA-1'` |
+| `hash_sha256` | `file:hashes.'SHA-256'` |
+| `mutex_name` | `mutex:name` |
+| `service_name` | `process:name` |
+| `url` | `url` |
+| `username` | `user-account:user_id` |
+| `user_agent` | `http-request-ext:request_header.'User-Agent'` |
+| `x509_subject` | `x509-certificate:serial_number` |
+
+
+## CrowdStrike mapping
+
+You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md)
+
+In the threat intelligence datastore, the CrowdStrike schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources:
+
+| CrowdStrike schema | Normalized schema in the datastore |
+|:--|:--|
+| `actor` | `actors` |
+| `id` | `id` |
+| `indicator` | `indicator` |
+| `kill_chain_phases` | `killChain` |
+| `labels.ThreatType` | `threatType` |
+| `last_updated` | `updated` |
+| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) |
+| `published_date` | `validFrom` and `imported` |
+| `type` | `type` |
+
+
+
diff --git a/sidebars.ts b/sidebars.ts
index dcb4096a99..922c8e8261 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -3069,6 +3069,7 @@ integrations: [
 'security/threat-intelligence/find-threats',
 'security/threat-intelligence/threat-intelligence-indicators',
 'security/threat-intelligence/upload-formats',
+ "security/threat-intelligence/threat-intelligence-mapping",
 ],
 },
 ],
From 0246a40b85c2c1cb885627f9afa3a7c83cebc1b1 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Fri, 11 Jul 2025 12:04:30 -0500 Subject: [PATCH 2/8] Add mapping --- .../threat-intelligence-mapping.md | 120 ++++++++++++++++-- 1 file changed, 108 insertions(+), 12 deletions(-) diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index 9f36d96791..a6ff3977f9 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md @@ -7,7 +7,7 @@ description: Learn about mapping of threat intelligence indicators to Sumo Logic import useBaseUrl from '@docusaurus/useBaseUrl'; -## Global feed mapping +## _sumo_global_feed_cs mapping Sumo Logic provides an out-of-the-box a `_sumo_global_feed_cs` source of threat intelligence indicators supplied by CrowdStrike. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. @@ -27,6 +27,8 @@ In the threat intelligence datastore, the schema is mapped to normalized values (All other fields will be kept in the `fields{}` object.) +### Type mapping for _sumo_global_feed_cs + The `type` object is mapped to the following normalized type values: | Original type | Normalized type in the datastore | 
@@ -51,21 +53,115 @@ The `type` object is mapped to the following normalized type values: ## CrowdStrike mapping -You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source.md) +You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source). In the threat intelligence datastore, the CrowdStrike schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: -| CrowdStrike schema | Normalized schema in the datastore | +| CrowdStrike schema | Normalized schema in the datastore | Notes | +|:--|:--|:--| +| `[]actors` | `actors` | Array joined with a ", " | +| `id` | `id` | Array joined with a ", " | +| `indicator` | `indicator` | | +| `[]kill_chains` | `killChain` | | +| `labels` | `threatType` | Value used can also be `malicious-activity`, `anomalous-activity`, or `unkown`.* | + +*Value `malicious-activity` used if regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)`
Value `anomalous-activity` used if regex matches: `name=threattype\/`
Value `unknown` used if nothing matches. + +## Intel471 mapping + +You can ingest threat indicators from Intel471 using the [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). + +In the threat intelligence datastore, the Intel471 schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: + +| ThreatIntel 471 schema | Normalized schema in the datastore | Notes | +|:--|:--|:--| +| `activity.last` | `validFrom` | Converted from epoch timestamp. | +| `data.expiration` | `validUntil` | Converted from epoch timestamp. | +| `data.mitre_tactics` | `killChain` | | +| `data.threat.uid` | `id` | | +| | `threatType` | Statically set to `unknown`. | + +## Mandiant mapping + +You can ingest threat indicators from Mandiant using the [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source/). + +In the threat intelligence datastore, the Mandiant schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: + +| Mandiant schema | Normalized schema in the datastore | Notes | +|:--|:--|:--| +| `[]actors` | `actors` | The JSON structure of individual actors are joined with a ", " | +| `id` | `id` | | +| `threat_rating.confidence_score` | `confidence` | | +| `unknown` | `threatType` | | +| `value` | `indicator` | | + +## ZeroFox mapping + +You can ingest threat indicators from ZeroFox using the [ZeroFox Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source/). 
+ +In the threat intelligence datastore, the ZeroFox schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: + +| Mandiant schema | Normalized schema in the datastore | Notes | +|:--|:--|:--| +| `c2_domain` | `indicator` | | +| `c2_ip_address` | `indicator` | | +| `created_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. | +| `domain` | `indicator` | | +| `domain-name--{{domain}}` | `id` | | +| `file:hashes.'SHA-1'` | `type` | | +| `file:hashes.'SHA-1'--{{sha1}}` | `id` | | +| `file:hashes.'SHA-256'` | `type` | | +| `file:hashes.'SHA-256'--{{sha256}}` | `id` | | +| `file:hashes.'SHA-512'` | `type` | | +| `file:hashes.'SHA-512'--{{sha512}}` | `id` | | +| `file:hashes.MD5` | `type` | | +| `file:hashes.'MD5'--{{md5}}` | `id` | | +| `ip` | `indicator` | | | +| `ip_address` | `indicator` | | +| `ipv4-addr--{{c2_domain}}` | `id` | | +| `ipv4-addr--{{c2_ip_address}}` | `id` | | +| `ipv4-addr--{{ip_address}}` | `id` | | +| `ipv6-addr--{{c2_ip_address}}` | `id` | | +| `listed_at` | `validFrom` | | +| `md5` | `indicator` | | +| `scanned` | `validFrom` | | +| `sha1` | `indicator` | | +| `sha256` | `indicator` | | +| `sha512` | `indicator` | | +| `tags` | `confidence` | Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. | +| `updated_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. | +| `url` | `indicator` | | +| `url--{{url}}` | `id` | | +| | `threatType` | Set to `compromised`. 
| + +### Confidence mapping for ZeroFox + +The `confidence` field in the datastore has the following values for ZeroFox: + +| ZeroFox item | Confidence score in datastore | |:--|:--| -| `actor` | `actors` | -| `id` | `id` | -| `indicator` | `indicator` | -| `kill_chain_phases` | `killChain` | -| `labels.ThreatType` | `threatType` | -| `last_updated` | `updated` | -| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) | -| `published_date` | `validFrom` and `imported` | -| `type` | `type` | +| `domain` | `50` | +| `ip` | `50` | +| `ip_address` | `50` | +| `ip_addresses` | `50` | +| `md5` | `75` | +| `sha1` | `75` | +| `sha256` | `75` | +| `sha512` | `75` | +| `url` | `50` for phishing events, and `100` for disruption events | + +### Type mapping for ZeroFox +The `type` object is mapped to the following normalized type values: + +| Original type | Normalized type in the datastore | +|:--|:--| +| `c2_domain` | `domain-name` | +| `c2_ip_address` | `ip_address` | +| `domain` | `domain-name` | +| `ip` | `ipv4-addr` | +| `ip_address` | `ip_address` | +| `Ip_addresses` | `ipv4-addr` or `ipv6-addr` | +| `url` | `url` | From f2bc01715991fbadfbae45e6636691402cef88fa Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Fri, 11 Jul 2025 13:36:25 -0500 Subject: [PATCH 3/8] Fix build break --- cid-redirects.json | 1 - .../security/threat-intelligence/threat-intelligence-mapping.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/cid-redirects.json b/cid-redirects.json index 53db74be50..2757f3f7ec 100644 --- a/cid-redirects.json +++ b/cid-redirects.json 
@@ -3358,7 +3358,6 @@ "/Manage/Security/Set-the-Password-Policy": "/docs/manage/security/set-password-policy", "/Manage/Threat-Intel-Ingest": "/docs/security/threat-intelligence", "/docs/platform-services/threat-intelligence-indicators": "/docs/security/threat-intelligence", - "/docs/security/threat-intelligence/threat-intelligence-mapping": "/docs/security/threat-intelligence", "/docs/manage/users/manage-access-keys": "/docs/manage/security/access-keys", "/Manage/Users-and-Roles": "/docs/manage/users-roles", "/Manage/Users-and-Roles/Manage-Roles": "/docs/manage/users-roles", diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index a6ff3977f9..6428f5516c 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md @@ -63,7 +63,7 @@ In the threat intelligence datastore, the CrowdStrike schema is mapped to normal | `id` | `id` | Array joined with a ", " | | `indicator` | `indicator` | | | `[]kill_chains` | `killChain` | | -| `labels` | `threatType` | Value used can also be `malicious-activity`, `anomalous-activity`, or `unkown`.* | +| `labels` | `threatType` | Value used can also be `malicious-activity`, `anomalous-activity`, or `unknown`.* | *Value `malicious-activity` used if regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)`
Value `anomalous-activity` used if regex matches: `name=threattype\/`
Value `unknown` used if nothing matches. From 9a64de6b5c11bdd2cfd8872af28ca10bfa5300ad Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Fri, 11 Jul 2025 14:33:14 -0500 Subject: [PATCH 4/8] Cleanup --- docs/security/threat-intelligence/index.md | 6 + .../threat-intelligence-mapping.md | 107 ++++++++---------- 2 files changed, 52 insertions(+), 61 deletions(-) diff --git a/docs/security/threat-intelligence/index.md b/docs/security/threat-intelligence/index.md index 230f28ee22..ed33a9e52c 100644 --- a/docs/security/threat-intelligence/index.md +++ b/docs/security/threat-intelligence/index.md @@ -42,4 +42,10 @@ See the following articles to learn about Sumo Logic's threat intelligence capab

Learn how to format upload files containing threat intelligence indicators.

+
+
+ icon

Threat Intelligence Mapping

+

Learn about the mapping of threat intelligence schema from vendor sources to Sumo Logic schema.

+
+
\ No newline at end of file diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index 6428f5516c..1ce1d1e295 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md 
@@ -1,37 +1,41 @@ --- slug: /security/threat-intelligence/threat-intelligence-mapping title: Threat Intelligence Mapping -sidebar_label: Mapping -description: Learn about mapping of threat intelligence indicators to Sumo Logic. +sidebar_label: Mapping +description: Learn about the mapping of threat intelligence schema from vendor sources to Sumo Logic schema. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -## _sumo_global_feed_cs mapping +Schema from vendor-supplied threat intelligence indicators are mapped to normalized values in the Sumo Logic threat intelligence datastore to provide ease of interoperability. The mapping is described in this article. -Sumo Logic provides an out-of-the-box a `_sumo_global_feed_cs` source of threat intelligence indicators supplied by CrowdStrike. You can see it in the [**Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). This source is a default source and cannot be changed or deleted. +## CrowdStrike -In the threat intelligence datastore, the schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: +You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source). In addition, Sumo Logic provides an out-of-the-box `_sumo_global_feed_cs` source whose indicators are supplied by CrowdStrike. The same normalization applies to schema in both sources. 
-| Original schema | Normalized schema in the datastore | -|:--|:--| -| `actor` | `actors` | -| `id` | `id` | -| `indicator` | `indicator` | -| `kill_chain_phases` | `killChain` | -| `labels.ThreatType` | `threatType` | -| `last_updated` | `updated` | -| `malicious_confidence` | `confidence` (normalized to the 0-100 scale) | -| `published_date` | `validFrom` and `imported` | -| `type` | `type` | +Following are the normalized values for CrowdStrike: + +| CrowdStrike schema | Normalized schema in the datastore | Notes | +|:--|:--|:--| +| `actor` | `actors` | Array joined with a comma: ", " | +| `id` | `id` | Array joined with a comma: ", " | +| `indicator` | `indicator` | | +| `kill_chain_phases` | `killChain` | | +| `labels.ThreatType` | `threatType`* | | +| `last_updated` | `updated` | | +| `malicious_confidence` | `confidence` | Normalized to a 0-100 scale. | +| `published_date` | `validFrom` and `imported` | | +| `type` | `type` | | + +All other fields will be kept in the `fields{}` object. -(All other fields will be kept in the `fields{}` object.) +*The value `malicious-activity` is used for the `threatType` if the regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)`. The value `anomalous-activity` is used if the regex matches `name=threattype\/`, and the value `unknown` is used if nothing matches. -### Type mapping for _sumo_global_feed_cs +### Type mapping for CrowdStrike The `type` object is mapped to the following normalized type values: -| Original type | Normalized type in the datastore | +| Original type in CrowdStrike | Normalized type in the datastore | |:--|:--| | `binary_string` | `artifact:payload_bin` | | `bitcoin_address` | `url` | 
@@ -50,30 +54,13 @@ The `type` object is mapped to the following normalized type values: | `user_agent` | `http-request-ext:request_header.'User-Agent'` | | `x509_subject` | `x509-certificate:serial_number` | +## Intel 471 -## CrowdStrike mapping - -You can ingest threat indicators from CrowdStrike using the [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source). +You can ingest threat indicators from Intel 471 using the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). In addition, Sumo Logic provides an out-of-the-box `SumoLogic_ThreatIntel` source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources. -In the threat intelligence datastore, the CrowdStrike schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: +Following are the normalized values for Intel 471: -| CrowdStrike schema | Normalized schema in the datastore | Notes | -|:--|:--|:--| -| `[]actors` | `actors` | Array joined with a ", " | -| `id` | `id` | Array joined with a ", " | -| `indicator` | `indicator` | | -| `[]kill_chains` | `killChain` | | -| `labels` | `threatType` | Value used can also be `malicious-activity`, `anomalous-activity`, or `unknown`.* | - -*Value `malicious-activity` used if regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)`
Value `anomalous-activity` used if regex matches: `name=threattype\/`
Value `unknown` used if nothing matches. - -## Intel471 mapping - -You can ingest threat indicators from Intel471 using the [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). - -In the threat intelligence datastore, the Intel471 schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: - -| ThreatIntel 471 schema | Normalized schema in the datastore | Notes | +| Intel 471 schema | Normalized schema in the datastore | Notes | |:--|:--|:--| | `activity.last` | `validFrom` | Converted from epoch timestamp. | | `data.expiration` | `validUntil` | Converted from epoch timestamp. | @@ -81,11 +68,11 @@ In the threat intelligence datastore, the Intel471 schema is mapped to normalize | `data.threat.uid` | `id` | | | | `threatType` | Statically set to `unknown`. | -## Mandiant mapping +## Mandiant You can ingest threat indicators from Mandiant using the [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source/). -In the threat intelligence datastore, the Mandiant schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: +Following are the normalized values for Mandiant: | Mandiant schema | Normalized schema in the datastore | Notes | |:--|:--|:--| 
@@ -95,13 +82,13 @@ In the threat intelligence datastore, the Mandiant schema is mapped to normalize | `unknown` | `threatType` | | | `value` | `indicator` | | -## ZeroFox mapping +## ZeroFox You can ingest threat indicators from ZeroFox using the [ZeroFox Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source/). -In the threat intelligence datastore, the ZeroFox schema is mapped to normalized values to provide ease of interoperability with the schema from other threat intelligence sources: +Following are the normalized values for ZeroFox: -| Mandiant schema | Normalized schema in the datastore | Notes | +| ZeroFox schema | Normalized schema in the datastore | Notes | |:--|:--|:--| | `c2_domain` | `indicator` | | | `c2_ip_address` | `indicator` | | @@ -134,22 +121,6 @@ In the threat intelligence datastore, the ZeroFox schema is mapped to normalized | `url--{{url}}` | `id` | | | | `threatType` | Set to `compromised`. | -### Confidence mapping for ZeroFox - -The `confidence` field in the datastore has the following values for ZeroFox: - -| ZeroFox item | Confidence score in datastore | -|:--|:--| -| `domain` | `50` | -| `ip` | `50` | -| `ip_address` | `50` | -| `ip_addresses` | `50` | -| `md5` | `75` | -| `sha1` | `75` | -| `sha256` | `75` | -| `sha512` | `75` | -| `url` | `50` for phishing events, and `100` for disruption events | - ### Type mapping for ZeroFox The `type` object is mapped to the following normalized type values: 
@@ -164,4 +135,18 @@ The `type` object is mapped to the following normalized type values: | `Ip_addresses` | `ipv4-addr` or `ipv6-addr` | | `url` | `url` | +### Confidence mapping for ZeroFox + +The `confidence` field in the datastore has the following values for ZeroFox: +| ZeroFox item | Confidence score in datastore | +|:--|:--| +| `domain` | `50` | +| `ip` | `50` | +| `ip_address` | `50` | +| `ip_addresses` | `50` | +| `md5` | `75` | +| `sha1` | `75` | +| `sha256` | `75` | +| `sha512` | `75` | +| `url` | `50` for phishing events, and `100` for disruption events | \ No newline at end of file From 93462a611a042bce4b60e42ed64ffae9ef6d9a4e Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 14 Jul 2025 15:58:36 -0500 Subject: [PATCH 5/8] Final changes --- .../threat-intelligence-mapping.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index 1ce1d1e295..c6ff23adb0 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md @@ -7,7 +7,7 @@ description: Learn about the mapping of threat intelligence schema from vendor s import useBaseUrl from '@docusaurus/useBaseUrl'; -Schema from vendor-supplied threat intelligence indicators are mapped to normalized values in the Sumo Logic threat intelligence datastore to provide ease of interoperability. The mapping is described in this article. +Schema from vendor-supplied threat intelligence indicators are mapped to [normalized values](/docs/security/threat-intelligence/upload-formats/#normalized-json-format) in the Sumo Logic threat intelligence datastore to provide ease of interoperability. The mapping is described in this article. ## CrowdStrike 
@@ -21,11 +21,11 @@ Following are the normalized values for CrowdStrike: | `id` | `id` | Array joined with a comma: ", " | | `indicator` | `indicator` | | | `kill_chain_phases` | `killChain` | | -| `labels.ThreatType` | `threatType`* | | +| `labels.ThreatType` | `threatType`* | The `threatType` value can vary based on matches*. | | `last_updated` | `updated` | | | `malicious_confidence` | `confidence` | Normalized to a 0-100 scale. | | `published_date` | `validFrom` and `imported` | | -| `type` | `type` | | +| `type` | `type` | See [Type mapping for CrowdStrike](/docs/security/threat-intelligence/threat-intelligence-mapping/#type-mapping-for-crowdstrike) below. | All other fields will be kept in the `fields{}` object. @@ -66,7 +66,7 @@ Following are the normalized values for Intel 471: | `data.expiration` | `validUntil` | Converted from epoch timestamp. | | `data.mitre_tactics` | `killChain` | | | `data.threat.uid` | `id` | | -| | `threatType` | Statically set to `unknown`. | +| *Not applicable* | `threatType` | All indicators have `threatType` set to `unknown`. | ## Mandiant @@ -115,11 +115,11 @@ Following are the normalized values for ZeroFox: | `sha1` | `indicator` | | | `sha256` | `indicator` | | | `sha512` | `indicator` | | -| `tags` | `confidence` | Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. | +| `tags` | `confidence` | Set by default to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. | | `updated_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. | | `url` | `indicator` | | | `url--{{url}}` | `id` | | -| | `threatType` | Set to `compromised`. | +| *Not applicable* | `threatType` | All indicators are set to `compromised`. | ### Type mapping for ZeroFox From f404ea9db8966e58bf3671253386267d2ad5fcae Mon Sep 17 00:00:00 2001 
From: "John Pipkin (Sumo Logic)" Date: Mon, 14 Jul 2025 16:51:26 -0500 Subject: [PATCH 6/8] Update docs/security/threat-intelligence/threat-intelligence-mapping.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- .../security/threat-intelligence/threat-intelligence-mapping.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index c6ff23adb0..42ba24ab09 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md @@ -1,5 +1,5 @@ --- -slug: /security/threat-intelligence/threat-intelligence-mapping +id: threat-intelligence-mapping title: Threat Intelligence Mapping sidebar_label: Mapping description: Learn about the mapping of threat intelligence schema from vendor sources to Sumo Logic schema. From a8a42d4e1327597975c2c3c78ac25ebf9d51f6e4 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 17 Jul 2025 10:42:39 -0500 Subject: [PATCH 7/8] Minor fix --- .../security/threat-intelligence/threat-intelligence-mapping.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index c6ff23adb0..ecab2e6413 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md 
@@ -29,7 +29,7 @@ Following are the normalized values for CrowdStrike: All other fields will be kept in the `fields{}` object. -*The value `malicious-activity` is used for the `threatType` if the regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|randomware|targeted|targetedcrimeware)`. The value `anomalous-activity` is used if the regex matches `name=threattype\/`, and the value `unknown` is used if nothing matches. +*The value `malicious-activity` is used for the `threatType` if the regex matches: `name=threattype\/(clickfraud|commodity|pointofsale|ransomware|targeted|targetedcrimeware)`. The value `anomalous-activity` is used if the regex matches `name=threattype\/`, and the value `unknown` is used if nothing matches. ### Type mapping for CrowdStrike From 0f0b293560ee90de1edce2886fea8d26d5e76af7 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 21 Jul 2025 10:53:13 -0500 Subject: [PATCH 8/8] Update ZeroFox table --- .../threat-intelligence-mapping.md | 160 ++++++++++++------ 1 file changed, 108 insertions(+), 52 deletions(-) diff --git a/docs/security/threat-intelligence/threat-intelligence-mapping.md b/docs/security/threat-intelligence/threat-intelligence-mapping.md index fe5e1675de..5e02f7ce2c 100644 --- a/docs/security/threat-intelligence/threat-intelligence-mapping.md +++ b/docs/security/threat-intelligence/threat-intelligence-mapping.md @@ -40,7 +40,7 @@ The `type` object is mapped to the following normalized type values: | `binary_string` | `artifact:payload_bin` | | `bitcoin_address` | `url` | | `ip_address` | `ipv4-addr` / `ipv6-addr` | -| `domain` | `domain-name` | +| `domain` | `domain-name` | | `email_address` | `email-add` | | `file_path` | `file:name` | | `file_name` | `file:name` | 
@@ -56,7 +56,7 @@ The `type` object is mapped to the following normalized type values: ## Intel 471 -You can ingest threat indicators from Intel 471 using the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). In addition, Sumo Logic provides an out-of-the-box `SumoLogic_ThreatIntel` source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources. +You can ingest threat indicators from Intel 471 using the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source/). In addition | Sumo Logic provides an out-of-the-box `SumoLogic_ThreatIntel` source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources. Following are the normalized values for Intel 471: @@ -76,7 +76,7 @@ Following are the normalized values for Mandiant: | Mandiant schema | Normalized schema in the datastore | Notes | |:--|:--|:--| -| `[]actors` | `actors` | The JSON structure of individual actors are joined with a ", " | +| `[]actors` | `actors` | The JSON structure of individual actors are joined with a " , " | | `id` | `id` | | | `threat_rating.confidence_score` | `confidence` | | | `unknown` | `threatType` | | 
@@ -88,38 +88,110 @@ You can ingest threat indicators from ZeroFox using the [ZeroFox Threat Intel So
 Following are the normalized values for ZeroFox:
-| ZeroFox schema | Normalized schema in the datastore | Notes |
-|:--|:--|:--|
-| `c2_domain` | `indicator` | |
-| `c2_ip_address` | `indicator` | |
-| `created_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. |
-| `domain` | `indicator` | |
-| `domain-name--{{domain}}` | `id` | |
-| `file:hashes.'SHA-1'` | `type` | |
-| `file:hashes.'SHA-1'--{{sha1}}` | `id` | |
-| `file:hashes.'SHA-256'` | `type` | |
-| `file:hashes.'SHA-256'--{{sha256}}` | `id` | |
-| `file:hashes.'SHA-512'` | `type` | |
-| `file:hashes.'SHA-512'--{{sha512}}` | `id` | |
-| `file:hashes.MD5` | `type` | |
-| `file:hashes.'MD5'--{{md5}}` | `id` | |
-| `ip` | `indicator` | | |
-| `ip_address` | `indicator` | |
-| `ipv4-addr--{{c2_domain}}` | `id` | |
-| `ipv4-addr--{{c2_ip_address}}` | `id` | |
-| `ipv4-addr--{{ip_address}}` | `id` | |
-| `ipv6-addr--{{c2_ip_address}}` | `id` | |
-| `listed_at` | `validFrom` | |
-| `md5` | `indicator` | |
-| `scanned` | `validFrom` | |
-| `sha1` | `indicator` | |
-| `sha256` | `indicator` | |
-| `sha512` | `indicator` | |
-| `tags` | `confidence` | Set by default to `75`, but set to `25` if `c2_domain_top_1m` found as a tag. |
-| `updated_at` | `validFrom` | If `created_at` and `updated_at` appear on the same item, use the latest for the `validFrom` value. |
-| `url` | `indicator` | |
-| `url--{{url}}` | `id` | |
-| *Not applicable* | `threatType` | All indicators are set to `compromised`. |
+| ZeroFox endpoint | ZeroFox schema | Normalized schema in the datastore | Notes |
+|:--|:--|:--|:--|
+| /botnet endpoint with `ip_address` populated | `ipv4-addr--` | `id` | Templated |
+| /botnet endpoint with `ip_address` populated | `ip_address` | `indicator` | |
+| /botnet endpoint with `ip_address` populated | | `type` | Statically set to `ip_address` |
+| /botnet endpoint with `ip_address` populated | | `threatType` | Statically set to `compromised` |
+| /botnet endpoint with `ip_address` populated | `listed_at` | `validFrom` | |
+| /botnet endpoint with `ip_address` populated | | `confidence` | Statically set to `50`
+| /botnet endpoint with `c2_ip_address` populated | `ipv4-addr--` | `id` | Templated |
+| /botnet endpoint with `c2_ip_address` populated | `c2_ip_address` | `indicator` | |
+| /botnet endpoint with `c2_ip_address` populated | | `type` | Statically set to `ip_address` |
+| /botnet endpoint with `c2_ip_address` populated | | `threatType` | Statically set to `compromised` |
+| /botnet endpoint with `c2_ip_address` populated | `listed_at` | `validFrom` | |
+| /botnet endpoint with `c2_ip_address` populated | `tags` | `confidence` | Default statically set to `75, but set to 25 if `c2_domain_top_1m` found as a tag |
+| /botnet endpoint with `c2_domain` populated | `ipv4-addr--` | `id` | Templated |
+| /botnet endpoint with `c2_domain` populated | `c2_domain` | `indicator` | |
+| /botnet endpoint with `c2_domain` populated | | `type` | Statically set to `domain-name` |
+| /botnet endpoint with `c2_domain` populated | | `threatType` | Statically set to `compromised` |
+| /botnet endpoint with `c2_domain` populated | `listed_at` | `validFrom` | |
+| /botnet endpoint with `c2_domain` populated | `tags` | `confidence` | Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag |
+| /c2-domains endpoint with `domain` populated | `domain-name--` | `id` | Templated |
+| /c2-domains endpoint with `domain` populated | `domain` | `indicator` | |
+| /c2-domains endpoint with `domain` populated | | `type` | Statically set to `domain-name` |
+| /c2-domains endpoint with `domain` populated | | `threatType` | Statically set to `compromised` |
+| /c2-domains endpoint with `domain` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /c2-domains endpoint with `domain` populated | `tags` | `confidence` | Default statically set to `75`, but set to `25` if `c2_domain_top_1m` found as a tag |
+| /c2-domains endpoint with each `Ip_addresses` populated | `ipv4-addr--` or `ipv6-addr--` | `id` | Templated. Depends if value is IPv4 or IPv6 |
+| /c2-domains endpoint with each `Ip_addresses` populated | `[]Ip_addresses` | `indicator` | The specific value in the list |
+| /c2-domains endpoint with each `Ip_addresses` populated | | `type` | Statically set to `ipv4-addr` or `ipv6-addr` |
+| /c2-domains endpoint with each `Ip_addresses` populated | | `threatType` | Statically set to `compromised` |
+| /c2-domains endpoint with each `Ip_addresses` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /c2-domains endpoint with each `Ip_addresses` populated | | `confidence` | Statically set to `50` |
+| /disruption endpoint with `url` populated | `url--` | `id` | Templated |
+| /disruption endpoint with `url` populated | `url` | `indicator` | |
+| /disruption endpoint with `url` populated | | `type` | Statically set to `url` |
+| /disruption endpoint with `url` populated | | `threatType` | Statically set to `compromised` |
+| /disruption endpoint with `url` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /disruption endpoint with `url` populated | | `confidence` | Statically set to `100` |
+| /disruption endpoint with `ip` populated | `ipv4-addr--` | `id` | Templated |
+| /disruption endpoint with `ip` populated | `ip` | `indicator` | |
+| /disruption endpoint with `ip` populated | | `type` | Statically set to `ipv4-addr` |
+| /disruption endpoint with `ip` populated | | `threatType` | Statically set to `compromised` |
+| /disruption endpoint with `ip` populated | `created_at` or `updated_at` | `validFrom` | Use the latest of the two |
+| /disruption endpoint with `ip` populated | | `confidence` | Statically set to `50` |
+| /malware endpoint with `md5` populated | `file:hashes.MD5--` | `id` | Templated |
+| /malware endpoint with `md5` populated | `md5` | `indicator` | |
+| /malware endpoint with `md5` populated | `file:hashes.MD5` | `type` | |
+| /malware endpoint with `md5` populated | | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `md5` populated | `created_at` | `validFrom` | |
+| /malware endpoint with `md5` populated | | `confidence` | Statically set to `75` |
+| /malware endpoint with `sha1` populated | `file:hashes.'SHA-1'--` | `id` | Templated |
+| /malware endpoint with `sha1` populated | `sha1` | `indicator` | |
+| /malware endpoint with `sha1` populated | `file:hashes.'SHA-1'` | `type` | |
+| /malware endpoint with `sha1` populated | | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `sha1` populated | `created_at` | `validFrom` |
+| /malware endpoint with `sha1` populated | | `confidence` | Statically set to `75` |
+| /malware endpoint with `sha256` populated | `file:hashes.'SHA-256'--` | `id` | Templated |
+| /malware endpoint with `sha256` populated | `sha256` | `indicator` | |
+| /malware endpoint with `sha256` populated | `file:hashes.'SHA-256'` | `type` | |
+| /malware endpoint with `sha256` populated | | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `sha256` populated | `created_at` | `validFrom` | |
+| /malware endpoint with `sha256` populated | | `confidence` | Statically set to `75` |
+| /malware endpoint with `sha512` populated | `file:hashes.'SHA-512'--` | `id` | Templated |
+| /malware endpoint with `sha512` populated | `sha512` | `indicator` | |
+| /malware endpoint with `sha512` populated | `file:hashes.'SHA-512'` | `type` | |
+| /malware endpoint with `sha512` populated | | `threatType` | Statically set to `compromised` |
+| /malware endpoint with `sha512` populated | `created_at` | `validFrom` | |
+| /malware endpoint with `sha512` populated | | `confidence` | Statically set to `75` |
+| /phishing endpoint with `domain` populated |` domain-name--` | `id` | Templated |
+| /phishing endpoint with `domain` populated | `domain` | `indicator` | |
+| /phishing endpoint with `domain` populated | | `type` | Statically set to `domain-name` |
+| /phishing endpoint with `domain` populated | | `threatType` | Statically set to `compromised` |
+| /phishing endpoint with `domain` populated | `scanned` | `validFrom` | |
+| /phishing endpoint with `domain` populated | | `confidence` | Statically set to `50` |
+| /phishing endpoint with `url` populated |` url--` | `id` | Templated |
+| /phishing endpoint with `url` populated | `url` | `indicator` | |
+| /phishing endpoint with `url` populated | | `type` | Statically set to `url` |
+| /phishing endpoint with `url` populated | | `threatType` | Statically set to `compromised` |
+| /phishing endpoint with `url` populated | `scanned` | `validFrom` | |
+| /phishing endpoint with `url` populated | | `confidence` | Statically set to `50` |
+| /ransomware endpoint with `md5` populated | `file:hashes.MD5--` | `id` | Templated |
+| /ransomware endpoint with `md5` populated | `md5` | `indicator` | |
+| /ransomware endpoint with `md5` populated | `file:hashes.MD5` | `type` | |
+| /ransomware endpoint with `md5` populated | | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `md5` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `md5` populated | | `confidence` | Statically set to `75` |
+| /ransomware endpoint with `sha1` populated | `file:hashes.'SHA-1'--` | `id` | Templated |
+| /ransomware endpoint with `sha1` populated | `sha1` | `indicator` | |
+| /ransomware endpoint with `sha1` populated | `file:hashes.'SHA-1'` | `type` | |
+| /ransomware endpoint with `sha1` populated | | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `sha1` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `sha1` populated | | `confidence` | Statically set to `75` |
+| /ransomware endpoint with `sha256` populated | `file:hashes.'SHA-256'--` | `id` | Templated |
+| /ransomware endpoint with `sha256` populated | `sha256` | `indicator` | |
+| /ransomware endpoint with `sha256` populated | `file:hashes.'SHA-256'` | `type` | |
+| /ransomware endpoint with `sha256` populated | | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `sha256` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `sha256` populated | | `confidence` | Statically set to `75` |
+| /ransomware endpoint with `sha512` populated | `file:hashes.'SHA-512'--` | `id` | Templated |
+| /ransomware endpoint with `sha512` populated | `sha512` | `indicator` | |
+| /ransomware endpoint with `sha512` populated | `file:hashes.'SHA-512'` | `type` | |
+| /ransomware endpoint with `sha512` populated | | `threatType` | Statically set to `compromised` |
+| /ransomware endpoint with `sha512` populated | `created_at` | `validFrom` | |
+| /ransomware endpoint with `sha512` populated | | `confidence` | Statically set to `75` |
 ### Type mapping for ZeroFox
@@ -133,20 +205,4 @@ The `type` object is mapped to the following normalized type values:
 | `ip` | `ipv4-addr` |
 | `ip_address` | `ip_address` |
 | `Ip_addresses` | `ipv4-addr` or `ipv6-addr` |
-| `url` | `url` |
-
-### Confidence mapping for ZeroFox
-
-The `confidence` field in the datastore has the following values for ZeroFox:
-
-| ZeroFox item | Confidence score in datastore |
-|:--|:--|
-| `domain` | `50` |
-| `ip` | `50` |
-| `ip_address` | `50` |
-| `ip_addresses` | `50` |
-| `md5` | `75` |
-| `sha1` | `75` |
-| `sha256` | `75` |
-| `sha512` | `75` |
-| `url` | `50` for phishing events, and `100` for disruption events |
\ No newline at end of file
+| `url` | `url` |
\ No newline at end of file