From a1609c3c18975423c740ba1e043b08d39849a581 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 10 Apr 2025 17:20:17 -0500 Subject: [PATCH 1/2] Remove CrowdStrike deprecation mentions --- blog-service/2025-04-08-security.md | 2 + .../about-threat-intelligence.md | 42 +------------- .../threat-intelligence-vendor-switch.md | 55 ++++++++++++++++++- 3 files changed, 55 insertions(+), 44 deletions(-) diff --git a/blog-service/2025-04-08-security.md b/blog-service/2025-04-08-security.md index 845e16533f..d338b486b3 100644 --- a/blog-service/2025-04-08-security.md +++ b/blog-service/2025-04-08-security.md @@ -11,9 +11,11 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; We’re excited to announce a new `SumoLogic_ThreatIntel` source incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis. + [Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources). diff --git a/docs/security/threat-intelligence/about-threat-intelligence.md b/docs/security/threat-intelligence/about-threat-intelligence.md index d846c77892..059af1c4ce 100644 --- a/docs/security/threat-intelligence/about-threat-intelligence.md +++ b/docs/security/threat-intelligence/about-threat-intelligence.md 
@@ -104,44 +104,4 @@ _index=sumologic_audit_events _sourceCategory=threatIntelligence Sumo Logic provides the following out-of-the-box default sources of threat indicators supplied by third party intel vendors and maintained by Sumo Logic. You cannot edit these sources: * **SumoLogic_ThreatIntel**. This source incorporates threat indicators supplied by [Intel 471](https://intel471.com/). -* **_sumo_global_feed_cs**. This is a legacy source of threat indicators supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/). ***This source will be discontinued on April 30, 2025***. - -:::warning -To maintain uninterrupted threat intelligence operation, if you have created rules, saved searches, monitors, or dashboard panel queries that explicitly reference the legacy `_sumo_global_feed_cs` source, follow the directions below to update them to use the new `SumoLogic_ThreatIntel` source ***before April 30, 2025***. If you need assistance, contact [Support](https://support.sumologic.com/support/). -::: - -### Migrate to the new source - -Perform the steps in the following sections to migrate to the `SumoLogic_ThreatIntel` source. - -#### hasThreatMatch rule syntax - -In most cases, no change is needed if you use [hasThreatMatch](/docs/cse/rules/cse-rules-syntax/#hasthreatmatch) in your rules: -* Until April 30, 2025 the rules point to the legacy `_sumo_global_feed_cs` source (and the rest of your tenant-specific sources). -* After April 30, 2025, the rules point to the new `SumoLogic_ThreatIntel` source (and the rest of your tenant-specific sources). - -You may need to make changes in these scenarios: -* If you have rules with `hasThreatMatch` syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `SumoLogic_ThreatIntel` source. For example: - * Change this:
`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_cs")` - * To this:
`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="SumoLogic_ThreatIntel")` -* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using `hasThreatMatch`, update your rule syntax to remove them. - -#### lookup operator - -In most cases, no change is needed if you use the [lookup](/docs/search/search-query-language/search-operators/lookup/) search operator to point to `sumo://threat/cs`: -* Until April 30, 2025, queries in apps that use the `lookup` search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) are unchanged. For examples, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/) app. See [Threat Intel Optimization](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) for guidance on using those queries. -* After April 30, 2025, queries in apps that use the `lookup` operator to point to `sumo://threat/cs` are updated to point to `sumo://threat/i471` instead (the new `SumoLogic_ThreatIntel` source). **You must upgrade your apps to get this update.** In the App Catalog, open apps labeled **Upgrade Available** and select **Manage > Upgrade**. - -You may need to make changes in these scenarios: -* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using the `lookup` operator, update your queries to remove them. -* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `SumoLogic_ThreatIntel` source. To avoid problems with fields not returning data after April 30, 2025, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause when you use `parse field=raw` or `json field=raw`. 
In the following excerpt from a query, `nodrop` is added at the end of the line where `json field=raw` is called: - ``` - | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip - | json field=raw "labels[*].name" as label_name nodrop - ``` - -#### threatip search operator - -If you use the [threatip](/docs/search/search-query-language/search-operators/threatip/) search operator, no change is needed: -* Until April 30, 2025, the `threatip` operator points to the legacy `_sumo_global_feed_cs` source. -* After April 30, 2025, the `threatip` operator points to the new `SumoLogic_ThreatIntel` source. +* **_sumo_global_feed_cs**. This is a source of threat indicators supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/). diff --git a/docs/security/threat-intelligence/threat-intelligence-vendor-switch.md b/docs/security/threat-intelligence/threat-intelligence-vendor-switch.md index 5acb3cbee0..6023c8b54e 100644 --- a/docs/security/threat-intelligence/threat-intelligence-vendor-switch.md +++ b/docs/security/threat-intelligence/threat-intelligence-vendor-switch.md 
@@ -12,17 +12,23 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; This article provides guidance on our switching from the legacy **_sumo_global_feed_cs** source supplied by [CrowdStrike](https://www.crowdstrike.com/en-us/) to the **SumoLogic_ThreatIntel** source supplied by [Intel 471](https://intel471.com/). + Switching to the Intel 471 global threat feed from CrowdStrike will introduce differences in the threat indicator content. Namely, the `raw` field from the `lookup` operator, and the `raw_threat` field from the `threatip` operator will contain different JSON-formatted fields. Sophisticated, security-centric Sumo Logic platform queries sometimes use these fields for searches and dashboards. Importantly, the intel vendors themselves control what appears in these "raw" fields, and each vendor prioritizes different aspects of the intel they provide. For example, CrowdStrike often includes CVEs where applicable, whereas Intel 471 bundles geo-IP data with some of its entries. CrowdStrike reports the publication timestamp of its indicators, whereas Intel 471 reports the recommended expiration timestamp. As such, Sumo Logic strongly encourages customers to review their searches and dashboards for "raw" field handling, and to modify them appropriately. -Beginning April 1, 2025, customers can experiment with the Intel 471 feed by referencing the `sumo://threat/i471` lookup table as a parameter to the [`lookup` search operator](/docs/search/search-query-language/search-operators/lookup). (It isn't possible to do the same for `threatip`, though its `raw_threat` field is the same as the `lookup` operator's `raw` field.) On April 30, 2025, the global CrowdStrike feed will be fully replaced by Intel 471 in the Sumo Logic platform, and references to the old feed will automatically be updated to point to the new feed. 
+Customers can experiment with the Intel 471 feed by referencing the `sumo://threat/i471` lookup table as a parameter to the [`lookup` search operator](/docs/search/search-query-language/search-operators/lookup). (It isn't possible to do the same for `threatip`, though its `raw_threat` field is the same as the `lookup` operator's `raw` field.) -Sumo Logic's native security applications will be updated to support this vendor change. To take advantage of the new Intel 471 feed, customers only need to update queries in their custom apps by April 30, 2025. For examples of queries using the `lookup` operator, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app. + + +Sumo Logic's native security applications will be updated to support this vendor change. To take advantage of the new Intel 471 feed, customers only need to update queries in their custom apps. For examples of queries using the `lookup` operator, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) app. ## How do I know if I need to update a search or dashboard? @@ -52,4 +58,47 @@ As a starting point to analyze field mapping, examine the following translations ### JSON side-by-side approximate field mappings -Threat Intelligence field mappings \ No newline at end of file +Threat Intelligence field mappings + +## Migrate to the new source + +Perform the steps in the following sections to migrate to the `SumoLogic_ThreatIntel` source. + +### hasThreatMatch rule syntax + + + +You may need to make changes in these scenarios: +* If you have rules with `hasThreatMatch` syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `SumoLogic_ThreatIntel` source. For example: + * Change this:
`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_cs")` + * To this:
`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="SumoLogic_ThreatIntel")` +* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using `hasThreatMatch`, update your rule syntax to remove them. + +### lookup operator + +In most cases, no change is needed if you use the [lookup](/docs/search/search-query-language/search-operators/lookup/) search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) instead of `sumo://threat/i471` instead (the new `SumoLogic_ThreatIntel` source). For examples, see the dashboards in the [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/) app. See [Threat Intel Optimization](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#threat-intel-optimization) for guidance on using those queries. + + +You may need to make changes in these scenarios: +* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using the `lookup` operator, update your queries to remove them. +* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `SumoLogic_ThreatIntel` source. To avoid problems with fields not returning data, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause when you use `parse field=raw` or `json field=raw`. In the following excerpt from a query, `nodrop` is added at the end of the line where `json field=raw` is called: + ``` + | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip + | json field=raw "labels[*].name" as label_name nodrop + ``` + +### threatip search operator + +If you use the [threatip](/docs/search/search-query-language/search-operators/threatip/) search operator, no change is needed. + + \ No newline at end of file 
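Review bot: In the docs/security/threat-intelligence/about-threat-intelligence.md hunk, removing the warning admonition and the whole "Migrate to the new source" section leaves this page with no pointer to where that guidance now lives, even though the same hasThreatMatch, lookup and threatip steps are re-added to threat-intelligence-vendor-switch.md later in this patch; suggest keeping a one-line cross-reference to the vendor switch article under the source list so readers of the About page can still find the migration steps. The rewritten bullet also drops the "legacy" qualifier, so the list now presents two CrowdStrike/Intel 471 sources side by side without saying which one is the default, while the release note in blog-service/2025-04-08-security.md in the same patch still calls `SumoLogic_ThreatIntel` the out-of-the-box default; stating that relationship in the bullet would keep the two pages consistent.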
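Review bot: The new lead sentence of the "lookup operator" section in threat-intelligence-vendor-switch.md is garbled and says the opposite of what the section intends: "no change is needed if you use the lookup search operator to point to `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source) instead of `sumo://threat/i471` instead (the new `SumoLogic_ThreatIntel` source)" has a doubled "instead" and tells readers that keeping the legacy table needs no change, while the article's own lead says it guides the switch to Intel 471. Suggest: "If you use the lookup search operator, point it to `sumo://threat/i471` (the new `SumoLogic_ThreatIntel` source) instead of `sumo://threat/cs` (the legacy `_sumo_global_feed_cs` source)." Relatedly, the `nodrop` example below it still reads `from sumo://threat/cs on threat=src_ip`, so the migration example demonstrates the legacy feed; switching it to `sumo://threat/i471` would match the surrounding text. Two smaller points in the same hunk: the "hasThreatMatch rule syntax" heading is followed by an empty block before "You may need to make changes in these scenarios", so the section opens mid-thought now that the "In most cases, no change is needed" paragraph is gone, and the "threatip search operator" section now states only "no change is needed" without saying which source the operator resolves to after the switch.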
From faf0619ba48be56ef339be7456fca7d4ddeeeab1 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 10 Apr 2025 17:38:23 -0500 Subject: [PATCH 2/2] Removed hidden text from release note --- blog-service/2025-04-08-security.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/blog-service/2025-04-08-security.md b/blog-service/2025-04-08-security.md index d338b486b3..98ddd37457 100644 --- a/blog-service/2025-04-08-security.md +++ b/blog-service/2025-04-08-security.md @@ -11,12 +11,6 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; We’re excited to announce a new `SumoLogic_ThreatIntel` source incorporating Indicators of Compromise (IoC) from [Intel 471](https://intel471.com/). Analysts can use this out-of-the-box default source of threat indicators to aid in security analysis. - - [Learn more](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources). Threat Intelligence tab
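Review bot: The hunk header for blog-service/2025-04-08-security.md records six deleted lines, but only blank lines are visible in the diff, which matches the commit message's description of hidden text (markup that does not render). PATCH 1/2 added two lines at this same spot in the same file (its header reads `@@ -11,9 +11,11 @@`) and PATCH 2/2 now removes six, so consider squashing the two commits so the release note's history does not carry an add-then-remove of content that was never meant to be published; also confirm that the surviving "[Learn more]" link and the trailing "Threat Intelligence tab" text still render as intended with the removed block gone.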