diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 64299fc39a..b65c78c487 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -79,7 +79,7 @@ jobs: while IFS= read -r -d '' file; do FILES+=("$file") done < <( - git diff --name-only -z origin/main...HEAD | + git diff --diff-filter=d --name-only -z origin/main...HEAD | grep -zE '\.mdx?$' || true ) if [ "${#FILES[@]}" -eq 0 ]; then diff --git a/blog-service/2026-06-26-security.md b/blog-service/2026-06-26-security.md deleted file mode 100644 index b7b65413ff..0000000000 --- a/blog-service/2026-06-26-security.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: Unified Threat Intelligence Configuration and Management -image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082 -keywords: - - security - - threat intelligence - - data management -hide_table_of_contents: true ---- - -We're excited to announce that we've streamlined the Threat Intelligence workflow by bringing source configuration and manual indicator uploads into a single, unified experience. Instead of switching between multiple pages, you can now perform both tasks from one centralized location, reducing navigation and simplifying administration. - -Threat Intelligence is now accessible under **Data Management > Threat Intelligence**, making it easier to discover and manage your threat intel sources. - -Key improvements include: - -- A new **Add Source** flow that lets you select from available threat intelligence sources, choose a collector, and complete configuration in a streamlined workflow. -- A new option to **manually upload indicators**. -- An updated **Sources listing page** showing **Status**, **Source Name**, **Description**, **Storage Consumed**, and **Number of Indicators**. - -[Learn more](/docs/security/threat-intelligence/). diff --git a/docs/cse/integrations/integrate-cse-with-taxii-feed.md b/docs/cse/integrations/integrate-cse-with-taxii-feed.md index ae10164aa2..276ea45034 100644 --- a/docs/cse/integrations/integrate-cse-with-taxii-feed.md +++ b/docs/cse/integrations/integrate-cse-with-taxii-feed.md @@ -26,9 +26,9 @@ Cloud SIEM supports TAXII 1.x and TAXII 2.x.  ## Configure the integration 1. Configure the [TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source/) or [TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source/), depending on which you want to use. -1. The [ingested threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) appear on the [Threat Intelligence page](/docs/security/threat-intelligence/threat-intelligence-indicators/). To access the Threat Intelligence tab: - * [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Data Management**, and then select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. - * [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Threat Intelligence**. +1. The [ingested threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) appear on the [Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab). To access the Threat Intelligence tab: + * [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. + * [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. 1. Use the [`hasThreatMatch`](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch) Cloud SIEM rules language function to search incoming records for matches to threat intelligence indicators. When matches are found, they appear on records in Cloud SIEM. ## Leveraging indicators in rules @@ -37,4 +37,4 @@ Threat intelligence indicators allow you to enrich incoming records with threat Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a signal for any record with a match from your threat feed. -For more information, see [Find Threats with Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/). +For more information, see [Find Threats with Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/). \ No newline at end of file diff --git a/docs/security/threat-intelligence/about-threat-intelligence.md b/docs/security/threat-intelligence/about-threat-intelligence.md index cecebd7f73..4ff648b672 100644 --- a/docs/security/threat-intelligence/about-threat-intelligence.md +++ b/docs/security/threat-intelligence/about-threat-intelligence.md @@ -39,30 +39,28 @@ Watch this micro lesson to learn about Sumo Logic's threat intelligence features ## Threat intelligence sources -In Sumo Logic, threat intelligence indicators are supplied by sources listed on the **Sources** tab of the Threat Intelligence page, including Sumo Logic-managed sources and custom sources you configure. +In Sumo Logic, threat intelligence indicators are supplied by sources listed on the **Threat Intelligence** tab. +* [**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Threat Intelligence** tab, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. +* [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Threat Intelligence** tab, in the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**.
Threat Intelligence tab -To access Threat Intelligence in Sumo Logic, -* [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, navigate to **Data Management > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. -* [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Threat Intelligence**.
Threat Intelligence overview - -Cloud SIEM analysts can use all sources shown in the **Sources** tab of the **Threat Intelligence** page to find threats (see [Find Threats with Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/)). In addition, all Sumo Logic users can run queries against the indicators in the Sumo Logic threat intelligence sources to uncover threats (see [Find Threats with Log Queries](/docs/security/threat-intelligence/find-threats/)). +Cloud SIEM analysts can use all sources shown in the **Threat Intelligence** tab to find threats (see [Find Threats with Cloud SIEM](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/)). In addition, all Sumo Logic users can run queries against the indicators in the Sumo Logic threat intelligence sources to uncover threats (see [Find Threats with Log Queries](/docs/security/threat-intelligence/find-threats/)). -The Threat Intelligence sources include: -* **Sumo Logic sources**. Out-of-the-box default sources of threat indicators supplied by third-party intel vendors and maintained by Sumo Logic. You cannot edit these sources. See [Sumo Logic threat intelligence sources](#sumo-logic-threat-intelligence-sources) below. -* **Other sources**. The other sources are imported by Cloud SIEM administrators so that Cloud SIEM analysts can use them to find threats. See [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) to learn how to add other sources. +The sources on the **Threat Intelligence** tab include: +* **Sumo Logic sources**. Out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources. See [Sumo Logic threat intelligence sources](#sumo-logic-threat-intelligence-sources) below. +* **Other sources**. The other sources on the tab are imported by Cloud SIEM administrators so that Cloud SIEM analysts can use them to find threats. See [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators) to learn how to add other sources. ### Sumo Logic threat intelligence sources -Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third-party intel vendors and maintained by Sumo Logic. You cannot edit these sources: +Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources: * **SumoLogic_ThreatIntel**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/). For more information, see [Sumo Logic Threat Intel Source](/docs/security/threat-intelligence/sumologic-threat-intel-source/). * **_sumo_global_feed_cs**. This is a source of threat indicators supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/). For more information, see [Sumo Logic Global Feed from CrowdStrike](/docs/security/threat-intelligence/sumologic-global-feed-from-crowdstrike/). ### Ingest threat intelligence indicators -A Cloud SIEM administrator must first ingest the indicators before they can be used to uncover threats. Indicators can be ingested using one of the following methods: -* **Add Source**. This flow lets you select from available threat intelligence sources given below, choose a collector, and complete configuration in a streamlined workflow. +A Cloud SIEM administrator must first ingest the indicators before they can be used to uncover threats. Indicators can be ingested using: +* **A collector**. See: * [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source) * [Google Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/google-threat-intel-source/) * [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source) @@ -70,12 +68,12 @@ A Cloud SIEM administrator must first ingest the indicators before they can be u * [STIX/TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source) * [STIX/TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source) * [ZeroFox Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source) -* **Upload**. Manually upload files that add threat intelligence indicators. See [Add indicators in Threat Intelligence](/docs/security/threat-intelligence/threat-intelligence-indicators/#upload). See [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use when uploading indicators using this option or APIs. * **The API**. See the following APIs in the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) API resource: * [uploadNormalizedIndicators API](https://api.sumologic.com/docs/#operation/uploadNormalizedIndicators) * [uploadStixIndicators API](https://api.sumologic.com/docs/#operation/uploadStixIndicators) +* **The Threat Intelligence tab**. Use this tab to upload your own indicators. See [Add indicators in the Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-button). See [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use when uploading indicators using this tab or APIs. -After threat indicator sources are ingested, they appear on the Threat Intelligence **Sources** tab and are ready to be used in [Cloud SIEM rules](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). +After threat indicator sources are ingested, they appear on the **Threat Intelligence** tab and are ready to be used in [Cloud SIEM rules](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#hasthreatmatch-cloud-siem-rules-language-function). @@ -89,9 +87,9 @@ After threat indicator sources are ingested, they appear on the Threat Intellige ### Role capabilities -To view and manage [threat intelligence indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/), a Cloud SIEM administrator must have the correct [role capabilities](/docs/manage/users-roles/roles/role-capabilities/#threat-intel). +To view and manage threat intelligence indicators on the [Threat Intelligence tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#threat-intelligence-tab), a Cloud SIEM administrator must have the correct [role capabilities](/docs/manage/users-roles/roles/role-capabilities/#threat-intel). -1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, select **Administration**, and then under **Users and Roles** select **Roles**. You can also click the **Go To...** menu at the top of the screen and select **Roles**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Administration > Users and Roles**. +1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Administration**, and then under **Users and Roles** select **Roles**. You can also click the **Go To...** menu at the top of the screen and select **Roles**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Administration > Users and Roles**. 1. Click the **Roles** tab. 1. Click **Add Role** to create a new role. Alternatively, you can select an existing role in the **Roles** tab and click **Edit**. Add the following capabilities: @@ -109,7 +107,7 @@ Set firewall rules to allowlist the Sumo Logic IPs listed in [Static IP addresse Here is the typical workflow to set up and use threat intelligence indicators: -1. A system administrator [ingests threat intelligence indicators](#ingest-threat-intelligence-indicators) and adds them to the threat intelligence data store. For example, install a collector such as the [STIX/TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source), and set up the collector to obtain indicators from Federal, vendor, or open services. Ingested indicators appear on the Threat Intelligence **Sources** tab. You can manually add more indicators as needed, such as your own private indicators, using the Threat Intelligence **Sources** tab or the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) APIs. +1. A system administrator [ingests threat intelligence indicators](#ingest-threat-intelligence-indicators) and adds them to the threat intelligence data store. For example, install a collector such as the [STIX/TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source), and set up the collector to obtain indicators from Federal, vendor, or open services. Ingested indicators appear on the **Threat Intelligence** tab. You can manually add more indicators as needed, such as your own private indicators, using the **Threat Intelligence** tab or the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) APIs. 1. Analysts use the threat indicators data to uncover threats using [Cloud SIEM rules](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/). 1. A system administrator occasionally checks to see why a connector is not ingesting data, or to see how much storage all the indicators are using. They may examine their indicators, and then if needed, [delete indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/#delete-threat-intelligence-indicators). @@ -126,4 +124,4 @@ _index=sumologic_audit_events _sourceCategory=threatIntelligence ## Additional resources * Blog: [Threat intelligence feeds: essential arsenal in cybersecurity](https://www.sumologic.com/blog/threat-intelligence-feeds-cybersecurity) -* Glossary: [Threat intelligence](https://www.sumologic.com/glossary/threat-intelligence) +* Glossary: [Threat intelligence](https://www.sumologic.com/glossary/threat-intelligence) \ No newline at end of file diff --git a/docs/security/threat-intelligence/find-threats.md b/docs/security/threat-intelligence/find-threats.md index f327c6e2c4..703bcde204 100644 --- a/docs/security/threat-intelligence/find-threats.md +++ b/docs/security/threat-intelligence/find-threats.md @@ -9,7 +9,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; ## Use the lookup search operator -The [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) in the threat intelligence datastore contain threat indicators supplied by third party intel vendors and maintained by Sumo Logic:
Threat Intelligence +The [Sumo Logic threat intelligence sources](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) in the threat intelligence datastore contain threat indicators supplied by third party intel vendors and maintained by Sumo Logic:
Global feed in the Threat Intelligence tab Any Sumo Logic user can use the [`lookup`](/docs/search/search-query-language/search-operators/lookup/) search operator to point to a Sumo Logic threat intelligence source to search for potential threats: * `SumoLogic_ThreatIntel`. Use `sumo://threat/i471` in log search queries. diff --git a/docs/security/threat-intelligence/index.md b/docs/security/threat-intelligence/index.md index 08ea5b7092..b6442dbb36 100644 --- a/docs/security/threat-intelligence/index.md +++ b/docs/security/threat-intelligence/index.md @@ -2,20 +2,12 @@ slug: /security/threat-intelligence title: Sumo Logic Threat Intelligence sidebar_label: Threat Intelligence -description: Learn about Sumo Logic's threat intelligence capabilities, including how to configure sources and manage indicators. +description: Learn about Sumo Logic's threat intelligence capabilities. --- import useBaseUrl from '@docusaurus/useBaseUrl'; -Threat intelligence is information that helps you prevent or mitigate cyber attacks. - -To access Threat Intelligence in Sumo Logic, -* [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, navigate to **Data Management > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. -* [**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Threat Intelligence**.
Threat Intelligence tab - -The Threat Intelligence section includes the following: -- **Sources**. Configure and manage your threat intelligence sources. -- **Indicators**. View and manage threat intelligence indicators ingested from your sources. +Threat intelligence is information that helps you prevent or mitigate cyber attacks. See the following articles to learn about Sumo Logic's threat intelligence capabilities. diff --git a/docs/security/threat-intelligence/threat-intelligence-indicators.md b/docs/security/threat-intelligence/threat-intelligence-indicators.md index b455edc895..d0e1b1f668 100644 --- a/docs/security/threat-intelligence/threat-intelligence-indicators.md +++ b/docs/security/threat-intelligence/threat-intelligence-indicators.md @@ -8,69 +8,43 @@ description: Learn how to add and manage indicators from threat intelligence sou import useBaseUrl from '@docusaurus/useBaseUrl'; import CloudSIEMThreatIntelNote from '../../reuse/cloud-siem-threat-intelligence-note.md'; -The **Threat Intelligence** page displays the indicators added to your threat intelligence datastore. Use this documentation to add and manage your threat intelligence indicators. You can add indicators from several sources (see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators)). Threat intelligence indicators imported to Sumo Logic not only integrate with your existing core Sumo Logic deployment, but also Cloud SIEM and Cloud SOAR. +The **Threat Intelligence** tab shows the indicators that have been added to your threat intelligence datastore. Use this tab to add and manage your threat intelligence indicators. You can add indicators from a number of sources (see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators)). Threat intelligence indicators imported to Sumo Logic not only integrate with your existing core Sumo Logic deployment, but also Cloud SIEM and Cloud SOAR. -## Threat Intelligence overview +## Threat Intelligence tab -To access Threat Intelligence in Sumo Logic, -1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, navigate to **Data Management > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Threat Intelligence**.
Threat Intelligence overview -1. Click **+Add Source** to add threat intelligence sources to your datastore: - 1. **New Source**. This flow lets you select from available threat intelligence sources, choose a collector, and complete configuration in a streamlined workflow. - 1. **Upload**. Manually upload files that add threat intelligence indicators. +[**New UI**](/docs/get-started/sumo-logic-ui/). To access the **Threat Intelligence** tab, in the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. + +[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). To access the **Threat Intelligence** tab, in the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. + +Threat Intelligence tab + +1. [**+ Add Indicators**](#add-indicators-button). Click to upload files that add threat intelligence indicators. 1. **Actions**. Select to perform additional actions: - * **Edit Retention Period**. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180. See [Change the retention period for expired indicators](#change-the-retention-period-for-expired-indicators).
Threat Intelligence overview + * **Edit Retention Period**. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180. See [Change the retention period for expired indicators](#change-the-retention-period-for-expired-indicators). 1. **Status**. The current status of the indicator source (**Enabled** or **Disabled**). 1. **Source Name**. The name of the threat intelligence indicator file. The name usually indicates the supplier of the indicators. -1. **Description**. The description of the threat intelligence indicator. 1. **Storage Consumed**. The amount of storage consumed by the threat intelligence indicator file. -1. **Number of Indicators**. The total count of threat intelligence indicators provided by the source. +1. **Indicators**. The number of threat intelligence indicators included in the file. :::note * The `SumoLogic_ThreatIntel` and `_sumo_global_feed_cs` sources are default sources and cannot be changed or deleted. * The default storage limit is 10 million total indicators (not including any indicators provided by Sumo Logic such as in the `SumoLogic_ThreatIntel` and `_sumo_global_feed_cs` sources). ::: -## Add a source +## Add Indicators button -Use the **+Add Source** button in the **Sources** tab to add threat intelligence sources to your datastore. You can connect to an external threat intelligence feed or manually upload indicators from a file. For information on the other methods, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators). +You can add threat intelligence indicators with the **Add Indicators** button in the **Threat Intelligence** tab. For information on the other methods, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators). -### New source - -1. Click **+ Add Source** and then select **New Source** from the dropdown. -1. Select a collector from the **Collector** dropdown and a source (for example, CrowdStrike Threat Intel) from the available integrations grid. -1. Click **Next**.
Threat Intelligence overview -1. Enter the following details to configure the source: - :::note - The fields are source-specific and vary by integration. - ::: - 1. Enter a **Name** for the source. The description is optional. - 1. (Optional) For **Source Category**, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called `_sourceCategory`. - 1. (Optional) **Fields.** Click the **+Add Field** link to define the fields you want to associate. Each field needs a name (key) and a value. - * Green check circle A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema. - * Orange exclamation point An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. - 1. **Region**. Select the region of your account from the dropdown. - 1. **Client ID**: Provide the client ID you want to use to authenticate collection requests. - 1. **Client Secret**. Provide the client secret key you want to use to authenticate collection requests. - 1. **Sumo Logic Threat Intel Source ID**. Provide your own threat intel source ID for organizing multiple sources. - :::note - If no Application ID is provided, a random ID is generated. Any time this ID is changed, the Source will re-read the data stream starting at the beginning. - ::: - 1. (Optional) **Malicious Confidence**. Select the confidence level of the threat type from the dropdown as High, Medium, Low, Unverified, or leave it empty for all types. -1. When you are finished configuring the Source, click **Next**. -1. Once you have reviewed all the details, click **Done**. A confirmation message appears when the source is successfully configured. - -### Upload - -To manually upload threat intelligence indicators from a file: -1. Click **+ Add Source** and then select **Upload** from the dropdown. The upload dialog displays. -1. Select the format of the file to upload (see [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use in the file): - * **Normalized JSON**. A normalized JSON file.
Add threat intelligence indicators - * **CSV**. A comma-separated value (CSV) file.
Add threat intelligence indicators +1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/).In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. +1. Click **+ Add Indicators**. The dialog displays.
Add threat intelligence indicators +1. Select the format of the file to be uploaded (see [Upload formats](/docs/security/threat-intelligence/upload-formats/) for the format to use in the file): + * **Normalized JSON**. A normalized JSON file. + * **CSV**. A comma-separated value (CSV) file. -1. Click **Upload** to upload the file. -1. Click **Import**. +1. Click **Upload** to upload the file. +1. Click **Import**. :::note When you add indicators, the event is recorded in the Audit Event Index. See [Audit logging for threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/#audit-logging-for-threat-intelligence). @@ -78,16 +52,14 @@ When you add indicators, the event is recorded in the Audit Event Index. See [Au ## Delete threat intelligence indicators -1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, navigate to **Data Management > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Threat Intelligence**. +1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. 1. Select a source in the list of sources. Details of the source appear in a sidebar. -1. Click the **More Actions** dropdown and then select **Delete Indicators**.
Threat Intelligence overview +1. Click the **Delete Indicators** button. + * **Delete indicators matching the expression**. Enter the attribute and value to match. For example, if you want to delete indicators with certain "valid until" dates from **Sumo normalized JSON** files, for an attribute enter `validUntil` and for a value enter a date. The attributes and values you enter must match attributes and values in the indicators. --> 1. Click **Delete** on the **Delete Indicators** dialog. -You do not have to wait until indicators reach the end of their retention period to delete them. You can [delete indicators](#delete-threat-intelligence-indicators) from the **Sources** tab in the **Threat Intelligence** page, as well as use the APIs in the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) API resource. - :::note When you remove indicators, the event is recorded in the Audit Event Index. See [Audit logging for threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/#audit-logging-for-threat-intelligence). ::: @@ -99,11 +71,13 @@ Indicators are deemed valid until they reach the date set by their "valid until" Expired indicators are retained until they reach the end of the retention period. At the end of the retention period, expired indicators are automatically deleted. Between the time they expire and are deleted, the indicators are still in the system, and you can still use them to find threats. By default, expired indicators are retained for 180 days. To change the retention period: -1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu, navigate to **Data Management > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/). In the main Sumo Logic menu, select **Manage Data > Threat Intelligence**. -1. Click the more actions button in the upper-right corner of the page.
Threat Intelligence overview -1. Click **Edit Retention Period**. -1. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180.
Threat Intelligence overview -1. Click **Save**. +1. [**New UI**](/docs/get-started/sumo-logic-ui/). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic/).In the main Sumo Logic menu, select **Manage Data > Logs > Threat Intelligence**. +1. Click the three-dot button in the upper-right corner of the page. +1. Click **Edit Retention Period**. +1. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180. + :::note When you change the retention period, the event is recorded in the Audit Event Index. See [Audit logging for threat intelligence](/docs/security/threat-intelligence/about-threat-intelligence/#audit-logging-for-threat-intelligence). ::: + +You do not have to wait until indicators reach the end of their retention period in order to delete them. You can [use the **Threat Intelligence** tab to delete indicators](#delete-threat-intelligence-indicators), as well as use the APIs in the [Threat Intel Ingest Management](https://api.sumologic.com/docs/#tag/threatIntelIngest) API resource. diff --git a/docs/security/threat-intelligence/upload-formats.md b/docs/security/threat-intelligence/upload-formats.md index 247fdcc975..4ffdb7ee5d 100644 --- a/docs/security/threat-intelligence/upload-formats.md +++ b/docs/security/threat-intelligence/upload-formats.md @@ -7,7 +7,7 @@ description: Learn how to format upload files containing threat intelligence ind import useBaseUrl from '@docusaurus/useBaseUrl'; -This documentation describes the format to use for upload files when you [manually upload indicators](/docs/security/threat-intelligence/threat-intelligence-indicators/#upload) or when you use the upload APIs in the [Threat Intel Ingest Management API](/docs/api/threat-intel-ingest/) resource. +This article describes the format to use for upload files when you add threat intelligence sources by [manually uploading them in the **Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-button) or when you use the upload APIs in the [Threat Intel Ingest Management API](/docs/api/threat-intel-ingest/) resource. Following are the formats for file upload: @@ -183,7 +183,7 @@ Columns for the following attributes are required in the upload file: ## STIX 2.x JSON format :::note -Use this format only with the [STIX 2.x JSON upload API](https://api.sumologic.com/docs/#operation/uploadStixIndicators) in the [Threat Intel Ingest Management API](/docs/api/threat-intel-ingest/) resource. You cannot add indicators in [**Threat Intelligence**](/docs/security/threat-intelligence/threat-intelligence-indicators/#upload) using this format. +Use this format only with the [STIX 2.x JSON upload API](https://api.sumologic.com/docs/#operation/uploadStixIndicators) in the [Threat Intel Ingest Management API](/docs/api/threat-intel-ingest/) resource. You cannot [add indicators in the **Threat Intelligence** tab](/docs/security/threat-intelligence/threat-intelligence-indicators/#add-indicators-button) using this format. ::: STIX 2.x JSON format is a method to present JSON data according to the STIX 2.x specification. diff --git a/static/img/collector/select-threat-intel-source-and-collector.png b/static/img/collector/select-threat-intel-source-and-collector.png deleted file mode 100644 index 83590edbc6..0000000000 Binary files a/static/img/collector/select-threat-intel-source-and-collector.png and /dev/null differ diff --git a/static/img/security/threat-intelligence-actions-icon.png b/static/img/security/threat-intelligence-actions-icon.png deleted file mode 100644 index 8b6eee817c..0000000000 Binary files a/static/img/security/threat-intelligence-actions-icon.png and /dev/null differ diff --git a/static/img/security/threat-intelligence-add-indicators-csv.png b/static/img/security/threat-intelligence-add-indicators-csv.png deleted file mode 100644 index cf5b0131db..0000000000 Binary files a/static/img/security/threat-intelligence-add-indicators-csv.png and /dev/null differ diff --git a/static/img/security/threat-intelligence-add-indicators.png b/static/img/security/threat-intelligence-add-indicators.png index 2d37e1fc93..f7515d0e62 100644 Binary files a/static/img/security/threat-intelligence-add-indicators.png and b/static/img/security/threat-intelligence-add-indicators.png differ diff --git a/static/img/security/threat-intelligence-retention-period.png b/static/img/security/threat-intelligence-retention-period.png deleted file mode 100644 index ab8de63c45..0000000000 Binary files a/static/img/security/threat-intelligence-retention-period.png and /dev/null differ diff --git a/static/img/security/threat-intelligence-source-delete.png b/static/img/security/threat-intelligence-source-delete.png deleted file mode 100644 index 5bcca47973..0000000000 Binary files a/static/img/security/threat-intelligence-source-delete.png and /dev/null differ diff --git a/static/img/security/threat-intelligence-tab-example.png b/static/img/security/threat-intelligence-tab-example.png index b46825b2c6..dcf1bea027 100644 Binary files a/static/img/security/threat-intelligence-tab-example.png and b/static/img/security/threat-intelligence-tab-example.png differ