From f6eba8ab0bbabeedbd835a98f1305d18b03c2645 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 23 Jan 2025 15:30:27 -0600 Subject: [PATCH 1/2] DOCS-647 - Add target fields to threat intel article --- .../create-custom-threat-intel-source.md | 82 ++++++++++++++----- 1 file changed, 61 insertions(+), 21 deletions(-) diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md index 4bd0245e3b..a4124c3b7a 100644 --- a/docs/cse/administration/create-custom-threat-intel-source.md +++ b/docs/cse/administration/create-custom-threat-intel-source.md 
@@ -10,25 +10,20 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; This topic has information about setting up a *custom threat intelligence source* in Cloud SIEM, which is a threat intelligence list that you can populate manually, as opposed to using an automatic feed.  -You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, hostnames, URLs, email addresses, and file hashes. +You can set up and populate custom threat intelligence sources interactively from the Cloud SIEM UI, by uploading a .csv file, or using Cloud SIEM APIs. You can populate the sources with IP addresses, domains, URLs, email addresses, and file hashes. ## How Cloud SIEM uses indicators -When Cloud SIEM encounters an indicator from your threat source in an incoming -record it adds relevant information to the record. Because threat intelligence -information is persisted within records, you can reference it downstream -in both rules and search. The built-in rules that come with Cloud SIEM -automatically create a signal for records that have been enriched in -this way. +When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM +automatically create a signal for records that have been enriched in this way. -Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. 
For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the -*About Cloud SIEM Rules* topic. +Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the *About Cloud SIEM Rules* topic. ## Create a threat intelligence source from Cloud SIEM UI 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Threat Intelligence**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Threat Intelligence**. You can also click the **Go To...** menu at the top of the screen and select **Threat Intelligence**. 1. Click **Add Source** on the **Threat Intelligence** page. -1. Click **Custom** on the **Add Source** popup. +1. In the **Custom** box click **Create**. 1. On the **Add New Source** popup, enter a name, and if desired, a description for the source. 1. Click **Add Custom Source**. @@ -41,13 +36,15 @@ Your new source should now appear on the **Threat Intelligence** page. 1. On the **Threat Intelligence** page, click the name of the source you want to update. 1. The **Details** page lists any indicators that have previously been added and have not expired. Click **Add Indicator**. 1. On the **New Threat Intelligence Indicator** popup. - 1. **Value**. Enter an IP address, hostname, URL, or file hash. - Your entry must be one of: - * A valid IPV4 or IPv6 address   - * A valid email address - * A valid, complete URL - * A hostname (without protocol or path) - * A hexadecimal string of 32, 40, 64, or 128 characters  + 1. **Value**. Enter one of the following: + * Domain (valid domain name without protocol or path) + * Email (valid email address) + * File hash (hexadecimal string of 32, 40, 64, or 128 characters) + * IP (valid IPV4 or IPv6 address)   + * URL (valid, complete URL) + :::note + For the fields the value will be compared to, see [Target fields for threat indicators](#target-fields-for-threat-indicators) below. + ::: 1. **Description**. (Optional) 1. **Expiration**. (Optional) If desired, you can specify an expiration date and time for the indicator. When that time is 
@@ -58,8 +55,7 @@ Your new source should now appear on the **Threat Intelligence** page. ### Upload a file of indicators  -If you have a large number of indicators to add to your source, you can -save time by creating a .csv file and uploading it to Cloud SIEM. +If you have a large number of indicators to add to your source, you can save time by creating a .csv file and uploading it to Cloud SIEM. #### Create a CSV file @@ -67,7 +63,7 @@ The .csv file can contain up to four columns, which are described below.  | Column | Description | | :-- | :-- | -| value | Required. Must be one of the following:
- A valid IPV4 or IPv6 address
- A valid, complete URL
- A valid email address
- A hostname (without protocol or path)
- A hexadecimal string of 32, 40, 64, or 128 characters | +| value | Required. Must be one of the following:
- Domain (valid domain name without protocol or path)
- Email (valid email address)
- File hash (hexadecimal string of 32, 40, 64, or 128 characters)
- IP (valid IPV4 or IPv6 address)
- URL (valid, complete URL)
For the fields the value will be compared to, see [Target fields for threat indicators](#target-fields-for-threat-indicators) below. | | description | Optional. | | expires| Optional. The data and time when you want the indicator to be removed, in any ISO date format. | | active | Required. Specifies whether the indicator actively looks for threat intelligence in records. Valid values are `true` or `false`. | @@ -79,7 +75,7 @@ value,description,expires,active 22.333.22.252,Tante Intel,2022-06-01 01:00 PM,true ``` -### Upload the file +#### Upload the file 1. On the **Threat Intelligence** page, click the name of the target custom source. 1. Click **Import Indicators**. @@ -91,6 +87,50 @@ value,description,expires,active You can use Cloud SIEM threat intelligence APIs to create and manage indicators and custom threat sources. For information about Cloud SIEM APIs and how to access the API documentation, see [Cloud SIEM APIs](/docs/cse/administration/cse-apis/). +## Target fields for threat indicators + +Following are the fields that threat indicators are compared to. + +* Domain: + * bro_ntlm_domainname + * bro_ssl_serverName_rootDomain + * dns_queryDomain + * dns_replyDomain + * fromUser_authDomain + * http_referrerDomain + * http_url_rootDomain + * http_url_fqdn +* Email: + * email_sender + * fromUser_email + * fromUser_email_raw + * targetUser_email + * targetUser_email_raw + * user_email + * user_email_raw +* File hash: + * file_hash_imphash + * file_hash_md5 + * file_hash_pehash + * file_hash_sha1 + * file_hash_sha256 + * file_hash_ssdeep +* IP: + * bro_dhcp_assignedIp + * bro_radius_remoteIp + * bro_smtp_headers.xOriginatingIp + * bro_socks_boundIp + * bro_socks_requestIp + * device_ip + * device_natIp + * dns_replyIp + * dstDevice_ip + * dstDevice_natIp + * srcDevice_ip + * srcDevice_natIp +* URL: + * http_url + ## Search indicators To search threat indicators, click the **Search All Indicators** button at the top of the **Threat Intelligence** page. 
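Review bot: the reflow in hunk `@@ -10,25 +10,20 @@` is incomplete; the added line still ends with `The built-in rules that come with Cloud SIEM` and a hard break before `automatically create a signal for records that have been enriched in this way.`, so that sentence stays split while the rest of the paragraph is joined. Join it in this commit so PATCH 1/2 stands on its own. The intro also changes "hostnames" to "domains"; that matches the "Domain" label used in the Value list and CSV table later in the patch, but since `http_url_fqdn` is among the compared fields, say explicitly whether a full hostname (host plus subdomain) is still accepted as a Domain value or only a registrable domain is.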
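Review bot: in hunk `@@ -41,13 +36,15 @@`, `IPV4` in `* IP (valid IPV4 or IPv6 address)` is inconsistent with `IPv6` on the same line; use `IPv4`. That line also carries trailing non-breaking spaces after the closing parenthesis, which should be stripped. The `:::note` admonition is placed inside a nested ordered list; check that its indentation matches the surrounding `*` items so Docusaurus renders it as part of the list and does not restart the numbering of the **Description** and **Expiration** steps that follow.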
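Review bot: in hunk `@@ -67,7 +63,7 @@`, the `value` cell repeats the `IPV4` spelling and should read `IPv4`. The bullet lines inside that cell are separated by raw line breaks; a Markdown table cell cannot span source lines, so either use explicit `<br/>` separators (if that is what the file uses and the extraction dropped them) or move the list out of the table. In the unchanged `expires` row, "The data and time when you want the indicator to be removed" should read "date and time"; since the table is being edited anyway, fix it here.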
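Review bot: the sample CSV row in the context of hunk `@@ -79,7 +75,7 @@`, `22.333.22.252,Tante Intel,2022-06-01 01:00 PM,true`, uses an address with an octet of 333, which is not a valid IPv4 address and would fail the "valid IPv4 or IPv6 address" requirement the table above states; replace it with an address from a documentation range such as 203.0.113.0/24 (RFC 5737). The `expires` value `2022-06-01 01:00 PM` is also not an ISO 8601 form, which the `expires` column says it should be; `2022-06-01T13:00:00` would match the description. The heading change to `#### Upload the file` is right, since it nests under `### Upload a file of indicators` beside `#### Create a CSV file`.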
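Review bot: the new "Target fields for threat indicators" section in hunk `@@ -91,6 +87,50 @@` lists field names but does not say how a match is made; a rule author needs to know whether comparison is exact or normalized (case folding for hashes and domains, whether a Domain indicator matches subdomains or only the exact value, whether a URL indicator must match `http_url` byte for byte). Add one sentence per indicator type, or a single statement if matching is exact throughout. The field names should be in backticks (the table already uses that convention for `true` and `false`), and the lead sentence "Following are the fields that threat indicators are compared to." should state that an indicator is only evaluated against the fields under its own type, which is what the grouping implies. The anchor `#target-fields-for-threat-indicators` used in the earlier hunks does match the slug Docusaurus generates for this heading.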
From 2c420ba409711e811aae996c735da922a86ce34c Mon Sep 17 00:00:00 2001 From: "John Pipkin (Sumo Logic)" Date: Thu, 23 Jan 2025 15:32:27 -0600 Subject: [PATCH 2/2] Update docs/cse/administration/create-custom-threat-intel-source.md --- docs/cse/administration/create-custom-threat-intel-source.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/cse/administration/create-custom-threat-intel-source.md b/docs/cse/administration/create-custom-threat-intel-source.md index a4124c3b7a..8636793923 100644 --- a/docs/cse/administration/create-custom-threat-intel-source.md +++ b/docs/cse/administration/create-custom-threat-intel-source.md @@ -14,8 +14,7 @@ You can set up and populate custom threat intelligence sources interactively fro ## How Cloud SIEM uses indicators -When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM -automatically create a signal for records that have been enriched in this way. +When Cloud SIEM encounters an indicator from your threat source in an incoming record it adds relevant information to the record. Because threat intelligence information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM automatically create a signal for records that have been enriched in this way. Rule authors can also write rules that look for threat intelligence information in records. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see [Threat Intelligence](/docs/cse/rules/about-cse-rules/#threat-intelligence) in the *About Cloud SIEM Rules* topic.
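Review bot: squash this into PATCH 1/2, since the only change in hunk `@@ -14,8 +14,7 @@` is joining the line break that the first commit left in the "How Cloud SIEM uses indicators" paragraph, and the reflow should land in one change. If it stays separate, give it a subject that says what changed rather than the default "Update docs/cse/administration/create-custom-threat-intel-source.md".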