
Threat Intelligence Mapping

The schema of vendor-supplied threat intelligence indicators is mapped to normalized values in the Sumo Logic threat intelligence datastore for ease of interoperability. This article describes that mapping, vendor by vendor.

CrowdStrike

You can ingest threat indicators from CrowdStrike using the CrowdStrike Threat Intel Source. In addition, Sumo Logic provides an out-of-the-box _sumo_global_feed_cs source whose indicators are supplied by CrowdStrike. The same normalization applies to schema in both sources.

Following are the normalized values for CrowdStrike:

| CrowdStrike schema | Normalized schema in the datastore | Notes |
|---|---|---|
| actor | actors | Array joined with a comma: ", " |
| id | id | Array joined with a comma: ", " |
| indicator | indicator | |
| kill_chain_phases | killChain | |
| labels.ThreatType | threatType | The threatType value can vary based on regex matches*. |
| last_updated | updated | |
| malicious_confidence | confidence | Normalized to a 0-100 scale. |
| published_date | validFrom and imported | |
| type | type | See Type mapping for CrowdStrike below. |

All other fields will be kept in the fields{} object.

*The value malicious-activity is used for the threatType if the regex matches: name=threattype\/(clickfraud|commodity|pointofsale|ransomware|targeted|targetedcrimeware). The value anomalous-activity is used if the regex matches name=threattype\/, and the value unknown is used if nothing matches.
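
The following Python is an added example (not Sumo Logic's own code) that applies the CrowdStrike rules from this section: the three-way threatType regex rule above, the comma-joining of the actor and id arrays, the split of ip_address into ipv4-addr / ipv6-addr, and the fields{} catch-all. It assumes that each label object is serialised as "name=<name>" and lower-cased before the regex runs, and it leaves malicious_confidence in fields{} because the page gives the 0-100 target scale but not the conversion; the sample indicator at the bottom is constructed.

```python
import ipaddress
import re

# Regexes taken from the article's threatType rule. The page does not say how the
# labels array is serialised before matching, so this example assumes (not
# documented on the page) that each label object is rendered as "name=<name>"
# and lower-cased before the regex is applied.
MALICIOUS_RE = re.compile(
    r"name=threattype\/(clickfraud|commodity|pointofsale|ransomware|targeted|targetedcrimeware)"
)
ANY_THREATTYPE_RE = re.compile(r"name=threattype\/")

# Type mapping table from the article. ip_address is resolved per value below
# because the page maps it to "ipv4-addr / ipv6-addr".
TYPE_MAP = {
    "binary_string": "artifact:payload_bin",
    "bitcoin_address": "url",
    "domain": "domain-name",
    "email_address": "email-add",
    "file_path": "file:name",
    "file_name": "file:name",
    "hash_md5": "file:hashes.'MD5'",
    "hash_sha1": "file:hashes.'SHA-1'",
    "hash_sha256": "file:hashes.'SHA-256'",
    "mutex_name": "mutex:name",
    "service_name": "process:name",
    "url": "url",
    "username": "user-account:user_id",
    "user_agent": "http-request-ext:request_header.'User-Agent'",
    "x509_subject": "x509-certificate:serial_number",
}

# Source keys consumed by the mapping; everything else is kept under fields{}.
MAPPED_KEYS = {"actor", "id", "indicator", "kill_chain_phases", "labels",
               "last_updated", "published_date", "type"}


def threat_type(labels):
    """Apply the page's three-way rule to a list of CrowdStrike label objects."""
    rendered = [f"name={label.get('name', '')}".lower() for label in labels]
    if any(MALICIOUS_RE.search(r) for r in rendered):
        return "malicious-activity"
    if any(ANY_THREATTYPE_RE.search(r) for r in rendered):
        return "anomalous-activity"
    return "unknown"


def normalized_type(cs_type, value):
    """Map a CrowdStrike type; ip_address is split by address family."""
    if cs_type == "ip_address":
        return "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"
    # Types absent from the page's table are passed through unchanged (assumption).
    return TYPE_MAP.get(cs_type, cs_type)


def _join(value):
    """actor and id: arrays are joined with ", "; scalars pass through."""
    if isinstance(value, list):
        return ", ".join(str(v) for v in value)
    return value


def normalize_crowdstrike(raw):
    """Produce the normalized datastore record for one CrowdStrike indicator."""
    return {
        "actors": _join(raw.get("actor", [])),
        "id": _join(raw.get("id")),
        "indicator": raw.get("indicator"),
        "killChain": raw.get("kill_chain_phases"),
        "threatType": threat_type(raw.get("labels", [])),
        "updated": raw.get("last_updated"),
        "validFrom": raw.get("published_date"),
        "imported": raw.get("published_date"),
        "type": normalized_type(raw.get("type"), raw.get("indicator")),
        # malicious_confidence is "normalized to a 0-100 scale" per the page, but the
        # scale itself is not given there, so it is left in fields{} for the caller.
        "fields": {k: v for k, v in raw.items() if k not in MAPPED_KEYS},
    }


if __name__ == "__main__":
    # Constructed sample indicator, not real CrowdStrike data.
    sample = {
        "id": "example-id-1",
        "indicator": "2001:db8::1",
        "type": "ip_address",
        "actor": ["ACTOR-A", "ACTOR-B"],
        "kill_chain_phases": ["c2"],
        "labels": [{"name": "ThreatType/Commodity"}],
        "last_updated": 1700000000,
        "published_date": 1690000000,
        "malicious_confidence": "high",
    }
    print(normalize_crowdstrike(sample))
```

Note that the first regex only needs one label to match for the record to become malicious-activity, and that a label such as ThreatType/Phishing, which is not in the alternation, falls through to the second regex and yields anomalous-activity.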

Type mapping for CrowdStrike

The type object is mapped to the following normalized type values:

| Original type in CrowdStrike | Normalized type in the datastore |
|---|---|
| binary_string | artifact:payload_bin |
| bitcoin_address | url |
| ip_address | ipv4-addr / ipv6-addr |
| domain | domain-name |
| email_address | email-add |
| file_path | file:name |
| file_name | file:name |
| hash_md5 | file:hashes.'MD5' |
| hash_sha1 | file:hashes.'SHA-1' |
| hash_sha256 | file:hashes.'SHA-256' |
| mutex_name | mutex:name |
| service_name | process:name |
| url | url |
| username | user-account:user_id |
| user_agent | http-request-ext:request_header.'User-Agent' |
| x509_subject | x509-certificate:serial_number |

Intel 471

You can ingest threat indicators from Intel 471 using the Intel 471 Threat Intel Source. In addition, Sumo Logic provides an out-of-the-box SumoLogic_ThreatIntel source whose indicators are supplied by Intel 471. The same normalization applies to schema in both sources.

Following are the normalized values for Intel 471:

| Intel 471 schema | Normalized schema in the datastore | Notes |
|---|---|---|
| activity.last | validFrom | Converted from epoch timestamp. |
| data.expiration | validUntil | Converted from epoch timestamp. |
| data.mitre_tactics | killChain | |
| data.threat.uid | id | |
| Not applicable | threatType | All indicators have threatType set to unknown. |

Mandiant

You can ingest threat indicators from Mandiant using the Mandiant Threat Intel Source.

Following are the normalized values for Mandiant:

| Mandiant schema | Normalized schema in the datastore | Notes |
|---|---|---|
| []actors | actors | The JSON structure of each individual actor is joined with " , " |
| id | id | |
| threat_rating.confidence_score | confidence | |
| unknown | threatType | |
| value | indicator | |

ZeroFox

You can ingest threat indicators from ZeroFox using the ZeroFox Threat Intel Source.

Following are the normalized values for ZeroFox:

| ZeroFox endpoint | ZeroFox schema | Normalized schema in the datastore | Notes |
|---|---|---|---|
| /botnet endpoint with ip_address populated | ipv4-addr--<ip_address> | id | Templated |
| /botnet endpoint with ip_address populated | ip_address | indicator | |
| /botnet endpoint with ip_address populated | | type | Statically set to ip_address |
| /botnet endpoint with ip_address populated | | threatType | Statically set to compromised |
| /botnet endpoint with ip_address populated | listed_at | validFrom | |
| /botnet endpoint with ip_address populated | | confidence | Statically set to 50 |
| /botnet endpoint with c2_ip_address populated | ipv4-addr--<c2_ip_address> | id | Templated |
| /botnet endpoint with c2_ip_address populated | c2_ip_address | indicator | |
| /botnet endpoint with c2_ip_address populated | | type | Statically set to ip_address |
| /botnet endpoint with c2_ip_address populated | | threatType | Statically set to compromised |
| /botnet endpoint with c2_ip_address populated | listed_at | validFrom | |
| /botnet endpoint with c2_ip_address populated | tags | confidence | Default statically set to 75, but set to 25 if c2_domain_top_1m is found as a tag |
| /botnet endpoint with c2_domain populated | ipv4-addr--<c2_domain> | id | Templated |
| /botnet endpoint with c2_domain populated | c2_domain | indicator | |
| /botnet endpoint with c2_domain populated | | type | Statically set to domain-name |
| /botnet endpoint with c2_domain populated | | threatType | Statically set to compromised |
| /botnet endpoint with c2_domain populated | listed_at | validFrom | |
| /botnet endpoint with c2_domain populated | tags | confidence | Default statically set to 75, but set to 25 if c2_domain_top_1m is found as a tag |
| /c2-domains endpoint with domain populated | domain-name--<domain> | id | Templated |
| /c2-domains endpoint with domain populated | domain | indicator | |
| /c2-domains endpoint with domain populated | | type | Statically set to domain-name |
| /c2-domains endpoint with domain populated | | threatType | Statically set to compromised |
| /c2-domains endpoint with domain populated | created_at or updated_at | validFrom | Use the latest of the two |
| /c2-domains endpoint with domain populated | tags | confidence | Default statically set to 75, but set to 25 if c2_domain_top_1m is found as a tag |
| /c2-domains endpoint with each Ip_addresses populated | ipv4-addr--<c2_ip_address> or ipv6-addr--<c2_ip_address> | id | Templated. Depends on whether the value is IPv4 or IPv6 |
| /c2-domains endpoint with each Ip_addresses populated | []Ip_addresses | indicator | The specific value in the list |
| /c2-domains endpoint with each Ip_addresses populated | | type | Statically set to ipv4-addr or ipv6-addr |
| /c2-domains endpoint with each Ip_addresses populated | | threatType | Statically set to compromised |
| /c2-domains endpoint with each Ip_addresses populated | created_at or updated_at | validFrom | Use the latest of the two |
| /c2-domains endpoint with each Ip_addresses populated | | confidence | Statically set to 50 |
| /disruption endpoint with url populated | url--<url> | id | Templated |
| /disruption endpoint with url populated | url | indicator | |
| /disruption endpoint with url populated | | type | Statically set to url |
| /disruption endpoint with url populated | | threatType | Statically set to compromised |
| /disruption endpoint with url populated | created_at or updated_at | validFrom | Use the latest of the two |
| /disruption endpoint with url populated | | confidence | Statically set to 100 |
| /disruption endpoint with ip populated | ipv4-addr--<ip> | id | Templated |
| /disruption endpoint with ip populated | ip | indicator | |
| /disruption endpoint with ip populated | | type | Statically set to ipv4-addr |
| /disruption endpoint with ip populated | | threatType | Statically set to compromised |
| /disruption endpoint with ip populated | created_at or updated_at | validFrom | Use the latest of the two |
| /disruption endpoint with ip populated | | confidence | Statically set to 50 |
| /malware endpoint with md5 populated | file:hashes.MD5--<md5> | id | Templated |
| /malware endpoint with md5 populated | md5 | indicator | |
| /malware endpoint with md5 populated | file:hashes.MD5 | type | |
| /malware endpoint with md5 populated | | threatType | Statically set to compromised |
| /malware endpoint with md5 populated | created_at | validFrom | |
| /malware endpoint with md5 populated | | confidence | Statically set to 75 |
| /malware endpoint with sha1 populated | file:hashes.'SHA-1'--<sha1> | id | Templated |
| /malware endpoint with sha1 populated | sha1 | indicator | |
| /malware endpoint with sha1 populated | file:hashes.'SHA-1' | type | |
| /malware endpoint with sha1 populated | | threatType | Statically set to compromised |
| /malware endpoint with sha1 populated | created_at | validFrom | |
| /malware endpoint with sha1 populated | | confidence | Statically set to 75 |
| /malware endpoint with sha256 populated | file:hashes.'SHA-256'--<sha256> | id | Templated |
| /malware endpoint with sha256 populated | sha256 | indicator | |
| /malware endpoint with sha256 populated | file:hashes.'SHA-256' | type | |
| /malware endpoint with sha256 populated | | threatType | Statically set to compromised |
| /malware endpoint with sha256 populated | created_at | validFrom | |
| /malware endpoint with sha256 populated | | confidence | Statically set to 75 |
| /malware endpoint with sha512 populated | file:hashes.'SHA-512'--<sha512> | id | Templated |
| /malware endpoint with sha512 populated | sha512 | indicator | |
| /malware endpoint with sha512 populated | file:hashes.'SHA-512' | type | |
| /malware endpoint with sha512 populated | | threatType | Statically set to compromised |
| /malware endpoint with sha512 populated | created_at | validFrom | |
| /malware endpoint with sha512 populated | | confidence | Statically set to 75 |
| /phishing endpoint with domain populated | domain-name--<domain> | id | Templated |
| /phishing endpoint with domain populated | domain | indicator | |
| /phishing endpoint with domain populated | | type | Statically set to domain-name |
| /phishing endpoint with domain populated | | threatType | Statically set to compromised |
| /phishing endpoint with domain populated | scanned | validFrom | |
| /phishing endpoint with domain populated | | confidence | Statically set to 50 |
| /phishing endpoint with url populated | url--<domain> | id | Templated |
| /phishing endpoint with url populated | url | indicator | |
| /phishing endpoint with url populated | | type | Statically set to url |
| /phishing endpoint with url populated | | threatType | Statically set to compromised |
| /phishing endpoint with url populated | scanned | validFrom | |
| /phishing endpoint with url populated | | confidence | Statically set to 50 |
| /ransomware endpoint with md5 populated | file:hashes.MD5--<md5> | id | Templated |
| /ransomware endpoint with md5 populated | md5 | indicator | |
| /ransomware endpoint with md5 populated | file:hashes.MD5 | type | |
| /ransomware endpoint with md5 populated | | threatType | Statically set to compromised |
| /ransomware endpoint with md5 populated | created_at | validFrom | |
| /ransomware endpoint with md5 populated | | confidence | Statically set to 75 |
| /ransomware endpoint with sha1 populated | file:hashes.'SHA-1'--<sha1> | id | Templated |
| /ransomware endpoint with sha1 populated | sha1 | indicator | |
| /ransomware endpoint with sha1 populated | file:hashes.'SHA-1' | type | |
| /ransomware endpoint with sha1 populated | | threatType | Statically set to compromised |
| /ransomware endpoint with sha1 populated | created_at | validFrom | |
| /ransomware endpoint with sha1 populated | | confidence | Statically set to 75 |
| /ransomware endpoint with sha256 populated | file:hashes.'SHA-256'--<sha256> | id | Templated |
| /ransomware endpoint with sha256 populated | sha256 | indicator | |
| /ransomware endpoint with sha256 populated | file:hashes.'SHA-256' | type | |
| /ransomware endpoint with sha256 populated | | threatType | Statically set to compromised |
| /ransomware endpoint with sha256 populated | created_at | validFrom | |
| /ransomware endpoint with sha256 populated | | confidence | Statically set to 75 |
| /ransomware endpoint with sha512 populated | file:hashes.'SHA-512'--<sha512> | id | Templated |
| /ransomware endpoint with sha512 populated | sha512 | indicator | |
| /ransomware endpoint with sha512 populated | file:hashes.'SHA-512' | type | |
| /ransomware endpoint with sha512 populated | | threatType | Statically set to compromised |
| /ransomware endpoint with sha512 populated | created_at | validFrom | |
| /ransomware endpoint with sha512 populated | | confidence | Statically set to 75 |
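
The following Python is an added example (not Sumo Logic's or ZeroFox's code) that walks one /c2-domains record through the rows above: the domain indicator with its templated id, the validFrom taken as the latest of created_at and updated_at, the confidence of 75 dropping to 25 when the c2_domain_top_1m tag is present, and one extra indicator per entry of Ip_addresses, typed ipv4-addr or ipv6-addr by address family with confidence 50. It assumes ISO 8601 timestamps and that the IP id template is filled with the specific list value; the record at the bottom is constructed.

```python
import ipaddress
from datetime import datetime


def _latest(*stamps):
    """Page rule: validFrom is the latest of created_at / updated_at.
    Timestamps are assumed to be ISO 8601 strings (assumption); missing ones are skipped."""
    parsed = [datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps if s]
    return max(parsed).isoformat() if parsed else None


def _tagged_confidence(tags):
    """Page rule for tags -> confidence: default 75, 25 if c2_domain_top_1m is a tag."""
    return 25 if "c2_domain_top_1m" in (tags or []) else 75


def _ip_type(value):
    """Page rule for Ip_addresses: the type depends on whether the value is IPv4 or IPv6."""
    return "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"


def normalize_c2_domain_record(rec):
    """Return the datastore indicators for one /c2-domains record:
    one for the domain, then one per entry of Ip_addresses."""
    valid_from = _latest(rec.get("created_at"), rec.get("updated_at"))
    indicators = [{
        "id": f"domain-name--{rec['domain']}",
        "indicator": rec["domain"],
        "type": "domain-name",
        "threatType": "compromised",
        "validFrom": valid_from,
        "confidence": _tagged_confidence(rec.get("tags")),
    }]
    for ip in rec.get("Ip_addresses", []):
        ip_type = _ip_type(ip)
        indicators.append({
            # The table templates the id with the c2 IP; the specific list value is used here.
            "id": f"{ip_type}--{ip}",
            "indicator": ip,
            "type": ip_type,
            "threatType": "compromised",
            "validFrom": valid_from,
            "confidence": 50,
        })
    return indicators


if __name__ == "__main__":
    # Constructed sample record, not real ZeroFox data.
    sample = {
        "domain": "c2.example.net",
        "created_at": "2024-01-10T00:00:00Z",
        "updated_at": "2024-03-01T12:00:00Z",
        "tags": ["c2_domain_top_1m"],
        "Ip_addresses": ["198.51.100.7", "2001:db8::7"],
    }
    for item in normalize_c2_domain_record(sample):
        print(item)
```

The same helpers apply to the other endpoints in the table; only the static type, the confidence value and the source timestamp field (listed_at, scanned, created_at) change per row.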

Type mapping for ZeroFox

The type object is mapped to the following normalized type values:

| Original type | Normalized type in the datastore |
|---|---|
| c2_domain | domain-name |
| c2_ip_address | ip_address |
| domain | domain-name |
| ip | ipv4-addr |
| ip_address | ip_address |
| Ip_addresses | ipv4-addr or ipv6-addr |
| url | url |

Copyright © 2025 by Sumo Logic, Inc.