Threat Intelligence Mapping
The schema of vendor-supplied threat intelligence indicators is mapped to normalized values in the Sumo Logic threat intelligence datastore so that indicators from different vendors are interoperable. This article describes that mapping for each supported vendor.
CrowdStrike
You can ingest threat indicators from CrowdStrike using the CrowdStrike Threat Intel Source. In addition, Sumo Logic provides an out-of-the-box _sumo_global_feed_cs source whose indicators are supplied by CrowdStrike. The same normalization applies to schema in both sources.
Following are the normalized values for CrowdStrike:
| CrowdStrike schema | Normalized schema in the datastore | Notes |
|---|---|---|
| actor | actors | Array joined with a comma: ", " |
| id | id | Array joined with a comma: ", " |
| indicator | indicator | |
| kill_chain_phases | killChain | |
| labels.ThreatType | threatType* | The threatType value can vary based on matches*. |
| last_updated | updated | |
| malicious_confidence | confidence | Normalized to a 0-100 scale. |
| published_date | validFrom and imported | |
| type | type | See Type mapping for CrowdStrike below. |
All other fields are kept in the fields{} object.
*The threatType value is malicious-activity if the regex name=threattype\/(clickfraud|commodity|pointofsale|ransomware|targeted|targetedcrimeware) matches, anomalous-activity if only the regex name=threattype\/ matches, and unknown if neither matches.
Type mapping for CrowdStrike
The type object is mapped to the following normalized type values:
| Original type in CrowdStrike | Normalized type in the datastore |
|---|---|
| binary_string | artifact:payload_bin |
| bitcoin_address | url |
| ip_address | ipv4-addr / ipv6-addr |
| domain | domain-name |
| email_address | email-add |
| file_path | file:name |
| file_name | file:name |
| hash_md5 | file:hashes.'MD5' |
| hash_sha1 | file:hashes.'SHA-1' |
| hash_sha256 | file:hashes.'SHA-256' |
| mutex_name | mutex:name |
| service_name | process:name |
| url | url |
| username | user-account:user_id |
| user_agent | http-request-ext:request_header.'User-Agent' |
| x509_subject | x509-certificate:serial_number |
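The CrowdStrike normalization above, written out as an added example (not Sumo Logic's own code): it applies the field renames, the comma-joined arrays, the threatType footnote regexes and the type mapping table, and drops every unmapped field into fields{}. It assumes CrowdStrike labels arrive as a list of objects with a name key, resolves ip_address to ipv4-addr or ipv6-addr from the indicator value, and passes malicious_confidence through because the page does not give the 0-100 scale.

```python
import ipaddress
import re
# Type mapping table from this page (CrowdStrike type -> normalized type);
# ip_address is resolved to ipv4-addr / ipv6-addr from the indicator value.
CS_TYPE_MAP = {
    "binary_string": "artifact:payload_bin", "bitcoin_address": "url",
    "domain": "domain-name", "email_address": "email-add",
    "file_path": "file:name", "file_name": "file:name",
    "hash_md5": "file:hashes.'MD5'", "hash_sha1": "file:hashes.'SHA-1'",
    "hash_sha256": "file:hashes.'SHA-256'", "mutex_name": "mutex:name",
    "service_name": "process:name", "url": "url",
    "username": "user-account:user_id",
    "user_agent": "http-request-ext:request_header.'User-Agent'",
    "x509_subject": "x509-certificate:serial_number",
}
# Footnote regexes from the page, applied to "name=<label name>" strings.
MALICIOUS_RE = re.compile(r"name=threattype\/(clickfraud|commodity|pointofsale"
                          r"|ransomware|targeted|targetedcrimeware)")
ANOMALOUS_RE = re.compile(r"name=threattype\/")

def threat_type(labels):
    # labels is assumed to be a list of {"name": "threattype/..."} objects
    text = " ".join(f"name={lbl.get('name', '')}" for lbl in labels or [])
    if MALICIOUS_RE.search(text):
        return "malicious-activity"
    return "anomalous-activity" if ANOMALOUS_RE.search(text) else "unknown"

def normalized_type(cs_type, indicator):
    if cs_type == "ip_address":  # IPv4 vs IPv6 decided by the value (assumption)
        return "ipv6-addr" if ipaddress.ip_address(indicator).version == 6 else "ipv4-addr"
    return CS_TYPE_MAP.get(cs_type, cs_type)

def normalize_crowdstrike(raw):
    rest = dict(raw)  # whatever is not popped below lands in fields{}
    join = lambda v: ", ".join(v) if isinstance(v, list) else v  # "joined with a comma"
    out = {
        "actors": join(rest.pop("actor", [])),
        "id": join(rest.pop("id", "")),
        "indicator": rest.pop("indicator", None),
        "killChain": rest.pop("kill_chain_phases", None),
        "threatType": threat_type(rest.pop("labels", [])),
        "updated": rest.pop("last_updated", None),
        # page: normalized to 0-100, but no scale is given; passed through unchanged
        "confidence": rest.pop("malicious_confidence", None),
    }
    out["validFrom"] = out["imported"] = rest.pop("published_date", None)
    out["type"] = normalized_type(rest.pop("type", None), out["indicator"])
    out["fields"] = rest
    return out
```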
Intel 471
You can ingest threat indicators from Intel 471 using the Intel 471 Threat Intel Source. In addition, Sumo Logic provides an out-of-the-box SumoLogic_ThreatIntel source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources.
Following are the normalized values for Intel 471:
| Intel 471 schema | Normalized schema in the datastore | Notes |
|---|---|---|
| activity.last | validFrom | Converted from epoch timestamp. |
| data.expiration | validUntil | Converted from epoch timestamp. |
| data.mitre_tactics | killChain | |
| data.threat.uid | id | |
| Not applicable | threatType | All indicators have threatType set to unknown. |
Mandiant
You can ingest threat indicators from Mandiant using the Mandiant Threat Intel Source.
Following are the normalized values for Mandiant:
| Mandiant schema | Normalized schema in the datastore | Notes |
|---|---|---|
| []actors | actors | The JSON structures of the individual actors are joined with " , " |
| id | id | |
| threat_rating.confidence_score | confidence | |
| Not applicable | threatType | Statically set to unknown |
| value | indicator | |
ZeroFox
You can ingest threat indicators from ZeroFox using the ZeroFox Threat Intel Source.
Following are the normalized values for ZeroFox:
| ZeroFox endpoint | ZeroFox schema | Normalized schema in the datastore | Notes |
|---|---|---|---|
| /botnet endpoint with ip_address populated | ipv4-addr--<ip_address> | id | Templated |
| /botnet endpoint with ip_address populated | ip_address | indicator | |
| /botnet endpoint with ip_address populated | Not applicable | type | Statically set to ip_address |
| /botnet endpoint with ip_address populated | Not applicable | threatType | Statically set to compromised |
| /botnet endpoint with ip_address populated | listed_at | validFrom | |
| /botnet endpoint with ip_address populated | Not applicable | confidence | Statically set to 50 |
| /botnet endpoint with c2_ip_address populated | ipv4-addr--<c2_ip_address> | id | Templated |
| /botnet endpoint with c2_ip_address populated | c2_ip_address | indicator | |
| /botnet endpoint with c2_ip_address populated | Not applicable | type | Statically set to ip_address |
| /botnet endpoint with c2_ip_address populated | Not applicable | threatType | Statically set to compromised |
| /botnet endpoint with c2_ip_address populated | listed_at | validFrom | |
| /botnet endpoint with c2_ip_address populated | tags | confidence | Default statically set to 75, but set to 25 if c2_domain_top_1m is found as a tag |
| /botnet endpoint with c2_domain populated | ipv4-addr--<c2_domain> | id | Templated |
| /botnet endpoint with c2_domain populated | c2_domain | indicator | |
| /botnet endpoint with c2_domain populated | Not applicable | type | Statically set to domain-name |
| /botnet endpoint with c2_domain populated | Not applicable | threatType | Statically set to compromised |
| /botnet endpoint with c2_domain populated | listed_at | validFrom | |
| /botnet endpoint with c2_domain populated | tags | confidence | Default statically set to 75, but set to 25 if c2_domain_top_1m is found as a tag |
| /c2-domains endpoint with domain populated | domain-name--<domain> | id | Templated |
| /c2-domains endpoint with domain populated | domain | indicator | |
| /c2-domains endpoint with domain populated | Not applicable | type | Statically set to domain-name |
| /c2-domains endpoint with domain populated | Not applicable | threatType | Statically set to compromised |
| /c2-domains endpoint with domain populated | created_at or updated_at | validFrom | Use the latest of the two |
| /c2-domains endpoint with domain populated | tags | confidence | Default statically set to 75, but set to 25 if c2_domain_top_1m is found as a tag |
| /c2-domains endpoint with each Ip_addresses populated | ipv4-addr--<c2_ip_address> or ipv6-addr--<c2_ip_address> | id | Templated. Depends on whether the value is IPv4 or IPv6 |
| /c2-domains endpoint with each Ip_addresses populated | []Ip_addresses | indicator | The specific value in the list |
| /c2-domains endpoint with each Ip_addresses populated | Not applicable | type | Statically set to ipv4-addr or ipv6-addr |
| /c2-domains endpoint with each Ip_addresses populated | Not applicable | threatType | Statically set to compromised |
| /c2-domains endpoint with each Ip_addresses populated | created_at or updated_at | validFrom | Use the latest of the two |
| /c2-domains endpoint with each Ip_addresses populated | Not applicable | confidence | Statically set to 50 |
| /disruption endpoint with url populated | url--<url> | id | Templated |
| /disruption endpoint with url populated | url | indicator | |
| /disruption endpoint with url populated | Not applicable | type | Statically set to url |
| /disruption endpoint with url populated | Not applicable | threatType | Statically set to compromised |
| /disruption endpoint with url populated | created_at or updated_at | validFrom | Use the latest of the two |
| /disruption endpoint with url populated | Not applicable | confidence | Statically set to 100 |
| /disruption endpoint with ip populated | ipv4-addr--<ip> | id | Templated |
| /disruption endpoint with ip populated | ip | indicator | |
| /disruption endpoint with ip populated | Not applicable | type | Statically set to ipv4-addr |
| /disruption endpoint with ip populated | Not applicable | threatType | Statically set to compromised |
| /disruption endpoint with ip populated | created_at or updated_at | validFrom | Use the latest of the two |
| /disruption endpoint with ip populated | Not applicable | confidence | Statically set to 50 |
| /malware endpoint with md5 populated | file:hashes.MD5--<md5> | id | Templated |
| /malware endpoint with md5 populated | md5 | indicator | |
| /malware endpoint with md5 populated | Not applicable | type | Statically set to file:hashes.MD5 |
| /malware endpoint with md5 populated | Not applicable | threatType | Statically set to compromised |
| /malware endpoint with md5 populated | created_at | validFrom | |
| /malware endpoint with md5 populated | Not applicable | confidence | Statically set to 75 |
| /malware endpoint with sha1 populated | file:hashes.'SHA-1'--<sha1> | id | Templated |
| /malware endpoint with sha1 populated | sha1 | indicator | |
| /malware endpoint with sha1 populated | Not applicable | type | Statically set to file:hashes.'SHA-1' |
| /malware endpoint with sha1 populated | Not applicable | threatType | Statically set to compromised |
| /malware endpoint with sha1 populated | created_at | validFrom | |
| /malware endpoint with sha1 populated | Not applicable | confidence | Statically set to 75 |
| /malware endpoint with sha256 populated | file:hashes.'SHA-256'--<sha256> | id | Templated |
| /malware endpoint with sha256 populated | sha256 | indicator | |
| /malware endpoint with sha256 populated | Not applicable | type | Statically set to file:hashes.'SHA-256' |
| /malware endpoint with sha256 populated | Not applicable | threatType | Statically set to compromised |
| /malware endpoint with sha256 populated | created_at | validFrom | |
| /malware endpoint with sha256 populated | Not applicable | confidence | Statically set to 75 |
| /malware endpoint with sha512 populated | file:hashes.'SHA-512'--<sha512> | id | Templated |
| /malware endpoint with sha512 populated | sha512 | indicator | |
| /malware endpoint with sha512 populated | Not applicable | type | Statically set to file:hashes.'SHA-512' |
| /malware endpoint with sha512 populated | Not applicable | threatType | Statically set to compromised |
| /malware endpoint with sha512 populated | created_at | validFrom | |
| /malware endpoint with sha512 populated | Not applicable | confidence | Statically set to 75 |
| /phishing endpoint with domain populated | domain-name--<domain> | id | Templated |
| /phishing endpoint with domain populated | domain | indicator | |
| /phishing endpoint with domain populated | Not applicable | type | Statically set to domain-name |
| /phishing endpoint with domain populated | Not applicable | threatType | Statically set to compromised |
| /phishing endpoint with domain populated | scanned | validFrom | |
| /phishing endpoint with domain populated | Not applicable | confidence | Statically set to 50 |
| /phishing endpoint with url populated | url--<domain> | id | Templated |
| /phishing endpoint with url populated | url | indicator | |
| /phishing endpoint with url populated | Not applicable | type | Statically set to url |
| /phishing endpoint with url populated | Not applicable | threatType | Statically set to compromised |
| /phishing endpoint with url populated | scanned | validFrom | |
| /phishing endpoint with url populated | Not applicable | confidence | Statically set to 50 |
| /ransomware endpoint with md5 populated | file:hashes.MD5--<md5> | id | Templated |
| /ransomware endpoint with md5 populated | md5 | indicator | |
| /ransomware endpoint with md5 populated | Not applicable | type | Statically set to file:hashes.MD5 |
| /ransomware endpoint with md5 populated | Not applicable | threatType | Statically set to compromised |
| /ransomware endpoint with md5 populated | created_at | validFrom | |
| /ransomware endpoint with md5 populated | Not applicable | confidence | Statically set to 75 |
| /ransomware endpoint with sha1 populated | file:hashes.'SHA-1'--<sha1> | id | Templated |
| /ransomware endpoint with sha1 populated | sha1 | indicator | |
| /ransomware endpoint with sha1 populated | Not applicable | type | Statically set to file:hashes.'SHA-1' |
| /ransomware endpoint with sha1 populated | Not applicable | threatType | Statically set to compromised |
| /ransomware endpoint with sha1 populated | created_at | validFrom | |
| /ransomware endpoint with sha1 populated | Not applicable | confidence | Statically set to 75 |
| /ransomware endpoint with sha256 populated | file:hashes.'SHA-256'--<sha256> | id | Templated |
| /ransomware endpoint with sha256 populated | sha256 | indicator | |
| /ransomware endpoint with sha256 populated | Not applicable | type | Statically set to file:hashes.'SHA-256' |
| /ransomware endpoint with sha256 populated | Not applicable | threatType | Statically set to compromised |
| /ransomware endpoint with sha256 populated | created_at | validFrom | |
| /ransomware endpoint with sha256 populated | Not applicable | confidence | Statically set to 75 |
| /ransomware endpoint with sha512 populated | file:hashes.'SHA-512'--<sha512> | id | Templated |
| /ransomware endpoint with sha512 populated | sha512 | indicator | |
| /ransomware endpoint with sha512 populated | Not applicable | type | Statically set to file:hashes.'SHA-512' |
| /ransomware endpoint with sha512 populated | Not applicable | threatType | Statically set to compromised |
| /ransomware endpoint with sha512 populated | created_at | validFrom | |
| /ransomware endpoint with sha512 populated | Not applicable | confidence | Statically set to 75 |
Type mapping for ZeroFox
The type object is mapped to the following normalized type values:
| Original type | Normalized type in the datastore |
|---|---|
| c2_domain | domain-name |
| c2_ip_address | ip_address |
| domain | domain-name |
| ip | ipv4-addr |
| ip_address | ip_address |
| Ip_addresses | ipv4-addr or ipv6-addr |
| url | url |
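The ZeroFox rules above for the /botnet c2_ip_address case and the /c2-domains endpoint, as an added example that is not Sumo Logic's own code: it builds the templated id, applies the c2_domain_top_1m tag rule for confidence, takes the latest of created_at and updated_at for validFrom, and fans each Ip_addresses entry out into its own ipv4-addr or ipv6-addr record. It assumes IPv4 versus IPv6 is decided from the address value, that the two timestamps are directly comparable (same ISO-8601 format, or both epoch numbers), and uses a constructed sample record.

```python
import ipaddress

def addr_type(value):
    # "Depends on whether the value is IPv4 or IPv6": decided from the value (assumption)
    return "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"

def tag_confidence(tags):
    # Default 75, but 25 if c2_domain_top_1m is found as a tag
    return 25 if "c2_domain_top_1m" in (tags or []) else 75

def latest(record):
    # validFrom: "use the latest of the two"; timestamps assumed comparable
    # (both ISO-8601 strings in the same format, or both epoch numbers)
    stamps = [record.get("created_at"), record.get("updated_at")]
    return max(s for s in stamps if s is not None)

def botnet_c2_ip(record):
    # /botnet endpoint with c2_ip_address populated
    ip = record["c2_ip_address"]
    return {"id": f"ipv4-addr--{ip}", "indicator": ip, "type": "ip_address",
            "threatType": "compromised", "validFrom": record["listed_at"],
            "confidence": tag_confidence(record.get("tags"))}

def c2_domain_records(record):
    # /c2-domains endpoint: one record for the domain, plus one per Ip_addresses entry
    valid_from = latest(record)
    domain = record["domain"]
    out = [{"id": f"domain-name--{domain}", "indicator": domain, "type": "domain-name",
            "threatType": "compromised", "validFrom": valid_from,
            "confidence": tag_confidence(record.get("tags"))}]
    for ip in record.get("Ip_addresses", []):
        t = addr_type(ip)  # the templated id uses the detected type
        out.append({"id": f"{t}--{ip}", "indicator": ip, "type": t,
                    "threatType": "compromised", "validFrom": valid_from,
                    "confidence": 50})
    return out

# Constructed sample /c2-domains record (not real ZeroFox data).
SAMPLE_C2_DOMAIN = {
    "domain": "c2.example.test",
    "created_at": "2024-01-10T08:00:00Z", "updated_at": "2024-03-02T12:30:00Z",
    "tags": ["c2_domain_top_1m"],
    "Ip_addresses": ["192.0.2.10", "2001:db8::10"],
}

if __name__ == "__main__":
    for rec in c2_domain_records(SAMPLE_C2_DOMAIN):
        print(rec)
```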