Manage Threat Intelligence Indicators
The Threat Intelligence page displays the indicators added to your threat intelligence datastore. Use this documentation to add and manage your threat intelligence indicators. You can add indicators from several sources (see Ingest threat intelligence indicators). Threat intelligence indicators imported to Sumo Logic not only integrate with your existing core Sumo Logic deployment, but also Cloud SIEM and Cloud SOAR.
Threat Intelligence overview
To access Threat Intelligence in Sumo Logic,
- New UI. In the main Sumo Logic menu, navigate to Data Management > Threat Intelligence. You can also click the Go To... menu at the top of the screen and select Threat Intelligence.
Classic UI. In the main Sumo Logic menu, select Manage Data > Threat Intelligence.
- Click +Add Source to add threat intelligence sources to your datastore:
- New Source. This flow lets you select from available threat intelligence sources, choose a collector, and complete configuration in a streamlined workflow.
- Upload. Manually upload files that add threat intelligence indicators.
- Actions. Select to perform additional actions:
- Edit Retention Period. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180. See Change the retention period for expired indicators.

- Edit Retention Period. Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180. See Change the retention period for expired indicators.
- Status. The current status of the indicator source (Enabled or Disabled).
- Source Name. The name of the threat intelligence indicator file. The name usually indicates the supplier of the indicators.
- Description. The description of the threat intelligence indicator.
- Storage Consumed. The amount of storage consumed by the threat intelligence indicator file.
- Number of Indicators. The total count of threat intelligence indicators provided by the source.
- The
SumoLogic_ThreatInteland_sumo_global_feed_cssources are default sources and cannot be changed or deleted. - The default storage limit is 10 million total indicators (not including any indicators provided by Sumo Logic such as in the
SumoLogic_ThreatInteland_sumo_global_feed_cssources).
Add a source
Use the +Add Source button in the Sources tab to add threat intelligence sources to your datastore. You can connect to an external threat intelligence feed or manually upload indicators from a file. For information on the other methods, see Ingest threat intelligence indicators.
Only Cloud SIEM administrators can add threat intelligence indicators to the datastore.
New source
- Click + Add Source and then select New Source from the dropdown.
- Select a collector from the Collector dropdown and a source (for example, CrowdStrike Threat Intel) from the available integrations grid.
- Click Next.

- Enter the following details to configure the source:
note
The fields are source-specific and vary by integration.
- Enter a Name for the source. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
_sourceCategory. - (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and a value.
A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as Dropped.
- Region. Select the region of your account from the dropdown.
- Client ID: Provide the client ID you want to use to authenticate collection requests.
- Client Secret. Provide the client secret key you want to use to authenticate collection requests.
- Sumo Logic Threat Intel Source ID. Provide your own threat intel source ID for organizing multiple sources.
note
If no Application ID is provided, a random ID is generated. Any time this ID is changed, the Source will re-read the data stream starting at the beginning.
- (Optional) Malicious Confidence. Select the confidence level of the threat type from the dropdown as High, Medium, Low, Unverified, or leave it empty for all types.
- When you are finished configuring the Source, click Next.
- Once you have reviewed all the details, click Done. A confirmation message appears when the source is successfully configured.
Upload
To manually upload threat intelligence indicators from a file:
- Click + Add Source and then select Upload from the dropdown. The upload dialog displays.
- Select the format of the file to upload (see Upload formats for the format to use in the file):
- Normalized JSON. A normalized JSON file.

- CSV. A comma-separated value (CSV) file.

- Normalized JSON. A normalized JSON file.
- Click Upload to upload the file.
- Click Import.
When you add indicators, the event is recorded in the Audit Event Index. See Audit logging for threat intelligence.
Delete threat intelligence indicators
- New UI. In the main Sumo Logic menu, navigate to Data Management > Threat Intelligence. You can also click the Go To... menu at the top of the screen and select Threat Intelligence.
Classic UI. In the main Sumo Logic menu, select Manage Data > Threat Intelligence. - Select a source in the list of sources. Details of the source appear in a sidebar.
- Click the More Actions dropdown and then select Delete Indicators.

- Click Delete on the Delete Indicators dialog.
You do not have to wait until indicators reach the end of their retention period to delete them. You can delete indicators from the Sources tab in the Threat Intelligence page, as well as use the APIs in the Threat Intel Ingest Management API resource.
When you remove indicators, the event is recorded in the Audit Event Index. See Audit logging for threat intelligence.
Change the retention period for expired indicators
Indicators are deemed valid until they reach the date set by their "valid until" attribute (validUntil for normalized JSON and CSV, and valid_until for STIX). After that date, they are considered expired.
Expired indicators are retained until they reach the end of the retention period. At the end of the retention period, expired indicators are automatically deleted. Between the time they expire and are deleted, the indicators are still in the system, and you can still use them to find threats.
By default, expired indicators are retained for 180 days. To change the retention period:
- New UI. In the main Sumo Logic menu, navigate to Data Management > Threat Intelligence. You can also click the Go To... menu at the top of the screen and select Threat Intelligence.
Classic UI. In the main Sumo Logic menu, select Manage Data > Threat Intelligence. - Click the more actions button in the upper-right corner of the page.

- Click Edit Retention Period.
- Enter the length of time in days to retain expired threat intelligence indicator files. The maximum number of days is 180.

- Click Save.
When you change the retention period, the event is recorded in the Audit Event Index. See Audit logging for threat intelligence.