15 changes: 15 additions & 0 deletions blog-cse/2025-10-17-application.md
@@ -0,0 +1,15 @@
---
title: October 17, 2025 - Application Update
image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
keywords:
- insights
hide_table_of_contents: true
---

import useBaseUrl from '@docusaurus/useBaseUrl';

### Threat Intel 471 update

We're happy to announce that the [**SumoLogic_ThreatIntel** source](/docs/security/threat-intelligence/about-threat-intelligence/#sumo-logic-threat-intelligence-sources) and the [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source), which incorporate threat indicators supplied by [Intel 471](https://www.intel471.com/), now include domain and email threat indicators. Now you can use these sources to identify threats based on domain URLs and email addresses.

For instructions on how to use these and other sources, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence).
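Review bot: `import useBaseUrl from '@docusaurus/useBaseUrl';` is unused in this post (nothing below calls `useBaseUrl`), so drop it unless the post gains an image. In the second sentence, "identify threats based on domain URLs and email addresses" conflates two indicator types; since the announcement is about domain and email indicators, "based on domain names and email addresses" would match the first sentence.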
2 changes: 1 addition & 1 deletion docs/integrations/product-list/product-list-a-l.md
Expand Up @@ -290,7 +290,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| <img src={useBaseUrl('img/integrations/misc/infoblox-logo.svg')} alt="Thumbnail icon" width="75"/> | [Infoblox](https://www.infoblox.com/) | Cloud SIEM integration: [Infoblox](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/fa08cfce-e611-42b7-8317-8b0beca298d5.md) |
| <img src={useBaseUrl('img/integrations/misc/isc-logo.png')} alt="Thumbnail icon" width="50"/> | [ISC](https://www.isc.org/) | Cloud SIEM integration: [ISC](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1583cfd2-7ece-4060-991b-06dcf8567943.md) |
| <img src={useBaseUrl('img/integrations/saas-cloud/istio.png')} alt="Thumbnail icon" width="50"/> | [Istio](https://istio.io/) | App: [Istio](/docs/integrations/saas-cloud/istio/) |
| <img src={useBaseUrl('img/integrations/security-threat-detection/intel471-threat-intel.png')} alt="Thumbnail icon" width="75"/> | [Intel471](https://intel471.com/) | Automation integration: [Intel471](/docs/platform-services/automation-service/app-central/integrations/intel-471/) <br/>Collector: [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source) |
| <img src={useBaseUrl('img/integrations/security-threat-detection/intel471-threat-intel.png')} alt="Thumbnail icon" width="75"/> | [Intel 471](https://intel471.com/) | Automation integration: [Intel 471](/docs/platform-services/automation-service/app-central/integrations/intel-471/) <br/>Collector: [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source) |
| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/intelligence-x.png')} alt="Thumbnail icon" width="100"/> | [Intelligence X](https://intelx.io/) | Automation integration: [Intelligence X](/docs/platform-services/automation-service/app-central/integrations/intelligence-x/) |
| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/intezer.png')} alt="Thumbnail icon" width="75"/> | [Intezer](https://intezer.com/) | Automation integration: [Intezer](/docs/platform-services/automation-service/app-central/integrations/intezer/) |
| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/intsights-tip.png')} alt="Thumbnail icon" width="75"/> | [Intsights TIP](https://intsights.com/) | Automation integration: [Intsights TIP](/docs/platform-services/automation-service/app-central/integrations/intsights-tip/) |
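Review bot: pre-existing but visible in this hunk: the rows are out of alphabetical order (`Intel 471` sits after `Istio`, while `Intel 471`, `Intelligence X`, `Intezer` and `Intsights TIP` all sort before `ISC` and `Istio`); worth moving the `Intel 471` row above `ISC` while it is being edited. The doc path `/intel471-threat-intel-source` in the row is unchanged, which keeps the link valid.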
Expand Up @@ -9,7 +9,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
***Version: 1.1
Updated: Jul 06, 2023***

Intel 471provides comprehensive coverage of the criminal underground, SaaS platform which exposes locally sourced human-driven, automation-enabled insights to gain broad coverage and monitor the threats.
Intel 471 provides comprehensive coverage of the criminal underground, SaaS platform which exposes locally sourced human-driven, automation-enabled insights to gain broad coverage and monitor the threats.

## Actions
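Review bot: adding the missing space fixes the typo, but the sentence is still ungrammatical ("coverage of the criminal underground, SaaS platform which exposes locally sourced human-driven, automation-enabled insights"). Since the line is being touched anyway, suggest: `Intel 471 provides comprehensive coverage of the criminal underground through a SaaS platform that exposes locally sourced, human-driven, automation-enabled insights, giving broad coverage for monitoring threats.`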

Expand Down Expand Up @@ -47,7 +47,7 @@ import IntegrationTimeout from '../../../../reuse/automation-service/integration

<img src={useBaseUrl('/img/platform-services/automation-service/app-central/integrations/misc/intel-471-configuration.png')} style={{border:'1px solid gray'}} alt="Intel 471 configuration" width="400"/>

For information about Intel 471, see the [Intel 471 website](https://intel471.com/resources). The Intel471 documentation is not public and can only be accessed by partners or customers.
For information about Intel 471, see the [Intel 471 website](https://intel471.com/resources). The Intel 471 documentation is not public and can only be accessed by partners or customers.

## Category

Expand Up @@ -59,7 +59,7 @@ Sumo Logic provides the following out-of-the-box default sources of threat indic
A Cloud SIEM administrator must first ingest the indicators before they can be used to uncover threats. Indicators can be ingested using:
* **A collector**. See:
* [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source)
* [Intel471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source)
* [Intel 471 Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source)
* [Mandiant Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source)
* [STIX/TAXII 1 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source)
* [STIX/TAXII 2 Client Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source)
Expand Up @@ -36,8 +36,6 @@ Sumo Logic's native security applications will be updated to support this vendor

If your queries reference `json field=raw` or `parse field=raw` (or `raw_threat`, in the case of the `threatip` operator), you are extracting vendor-specific data that might need to be updated.

Additionally, the Intel 471 source currently does not include domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes.

## How can I translate CrowdStrike-specific fields to Intel 471-specific fields?

In many cases, it may not be possible to translate CrowdStrike-specific fields to Intel 471-specific fields, as the two vendors emphasize different aspects of indicators of compromise. However, the table below provides approximate mappings to help you start adapting your queries.
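Review bot: removing the "does not include domain or email indicators" caveat is consistent with the October 17 blog entry in this PR, but the paragraph above it warns that `json field=raw` / `parse field=raw` extract vendor-specific data that might need updating, and new indicator types are exactly the case where the raw record shape changes. Consider replacing the removed line with a sentence stating that domain and email indicators are now included and which `data.indicator_data.*` field carries them, so readers parsing `raw` know to expect the new types.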
Expand All @@ -48,7 +46,7 @@ As a starting point to analyze field mapping, examine the following translations

| CrowdStrike | Intel 471 | Translation notes |
| :-- | :-- | :-- |
| `indicator` | `data.indicator_data.*` <br/><br/>For example:<br/>`data.indicator_data.address`<br/>`data.indicator_data.file.md5`<br/>`data.indicator_data.file.sha1`<br/>`data.indicator_data.file.sha256`<br/>`data.indicator_data.url` | Depends on the type. Every Intel 471 file hash record includes all hash types. <br/><br/>Intel 471 also includes geoip data for IP addresses under `data.indicator_data.geo_ip`.<br/><br/>Intel 471 has no domain or email indicators, instead prioritizing IP addresses, URLs, and file hashes. |
| `indicator` | `data.indicator_data.*` <br/><br/>For example:<br/>`data.indicator_data.address`<br/>`data.indicator_data.file.md5`<br/>`data.indicator_data.file.sha1`<br/>`data.indicator_data.file.sha256`<br/>`data.indicator_data.url` | Depends on the type. Every Intel 471 file hash record includes all hash types. <br/><br/>Intel 471 also includes geoip data for IP addresses under `data.indicator_data.geo_ip`. |
| `kill_chains` | `data.mitre_tactics` |
| `labels[*].name` | `data.threat.type`<br/>`data.threat.data.family`<br/>`data.context.description`<br/>`data.mitre_tactics` | CrowdStrike's labels are redundant with other sections in the CrowdStrike record. |
| `last_updated` | `last_updated` | CrowdStrike's timestamps are in epoch seconds whereas Intel 471's are in milliseconds. |
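Review bot: the `kill_chains` row (`| \`kill_chains\` | \`data.mitre_tactics\` |`) has only two cells while the header defines three columns; add an empty trailing cell (`| \`kill_chains\` | \`data.mitre_tactics\` | |`) so the table renders consistently. With the "no domain or email indicators" note gone from the `indicator` row, the example list in the Intel 471 column (`address`, `file.*`, `url`) is also the natural place to list the domain and email indicator fields, if their names are known.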
Expand Down Expand Up @@ -78,7 +76,6 @@ You may need to make changes in these scenarios:
* If you have rules with `hasThreatMatch` syntax that explicitly point to the legacy `_sumo_global_feed_cs` source, change them to point to `SumoLogic_ThreatIntel` source. For example:
* Change this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="_sumo_global_feed_cs")`
* To this: <br/>`hasThreatMatch([srcDevice_ip], confidence > 50 AND source="SumoLogic_ThreatIntel")`
* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using `hasThreatMatch`, update your rule syntax to remove them.

### lookup operator
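Review bot: the deleted bullet (`The \`domain-name\` and \`email-addr\` types are not supported in Intel 471. If you filter for these types using \`hasThreatMatch\`, update your rule syntax to remove them.`) previously told readers to strip those types from their rules, and readers who followed it will not learn from a silent deletion that the types are now supported. Suggest replacing it with a bullet saying that `domain-name` and `email-addr` matches are now available from the `SumoLogic_ThreatIntel` source and that rules which dropped those types can include them again.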

Expand All @@ -89,7 +86,6 @@ In most cases, no change is needed if you use the [lookup](/docs/search/search-q
-->

You may need to make changes in these scenarios:
* The `domain-name` and `email-addr` types are not supported in Intel 471. If you filter for these types using the `lookup` operator, update your queries to remove them.
* If you parse the `raw` field returned from the `lookup` operation, you will see different fields when you use the new `SumoLogic_ThreatIntel` source. To avoid problems with fields not returning data, use a [nodrop](/docs/search/search-query-language/parse-operators/parse-nodrop-option/) clause when you use `parse field=raw` or `json field=raw`. In the following excerpt from a query, `nodrop` is added at the end of the line where `json field=raw` is called:
```
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
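Review bot: the deleted bullet was the only place the `lookup` section told readers what to do about `domain-name` and `email-addr`; replace it with a line saying those types are now returned from the `SumoLogic_ThreatIntel` source, so readers who removed the types from their `lookup` queries know they can restore them. Separately, the example that follows still looks up `from sumo://threat/cs`, the legacy CrowdStrike path, while the bullet above it describes parsing `raw` from the new `SumoLogic_ThreatIntel` source; confirm the example is meant to show the legacy path, or update it to match the text.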
2 changes: 1 addition & 1 deletion docs/security/threat-intelligence/upload-formats.md
Expand Up @@ -16,7 +16,7 @@ Following are the formats for file upload:
* [STIX 2.x JSON format](#stix-2x-json-format) (API use only)

:::note
Rather than manually uploading files, you can also add threat intelligence sources using collectors, including for [CrowdStrike](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source), [Intel471](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source), [Mandiant](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source), [STIX/TAXII 1](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source), [STIX/TAXII 2](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source), and [ZeroFox](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source). For more information, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).
Rather than manually uploading files, you can also add threat intelligence sources using collectors, including for [CrowdStrike](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source), [Intel 471](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source), [Mandiant](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/mandiant-threat-intel-source), [STIX/TAXII 1](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-1-client-source), [STIX/TAXII 2](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/stix-taxii-2-client-source), and [ZeroFox](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/zerofox-intel-source). For more information, see [Ingest threat intelligence indicators](/docs/security/threat-intelligence/about-threat-intelligence/#ingest-threat-intelligence-indicators).
:::

## Normalized JSON format
Expand Up @@ -350,8 +350,8 @@ In this section, we'll introduce the following concepts:
</div>
<div className="box smallbox card">
<div className="container">
<a href={useBaseUrl('docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source')}><img src={useBaseUrl('img/integrations/security-threat-detection/intel471-threat-intel.png')} alt="thumbnail icon" width="100"/><h4>Intel471 Threat Intel</h4></a>
<p>Learn to collect threat indicators from the Intel471 platform.</p>
<a href={useBaseUrl('docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/intel471-threat-intel-source')}><img src={useBaseUrl('img/integrations/security-threat-detection/intel471-threat-intel.png')} alt="thumbnail icon" width="100"/><h4>Intel 471 Threat Intel</h4></a>
<p>Learn to collect threat indicators from the Intel 471 platform.</p>
</div>
</div>
<div className="box smallbox card">
@@ -1,20 +1,20 @@
---
id: intel471-threat-intel-source
title: Intel471 Threat Intel Source
sidebar_label: Intel471 Threat Intel
title: Intel 471 Threat Intel Source
sidebar_label: Intel 471 Threat Intel
tags:
- cloud-to-cloud
- intel471-threat-intel
description: This integration collects threat indicators using the Intel471 API and sends them to Sumo Logic for analysis.
description: This integration collects threat indicators using the Intel 471 API and sends them to Sumo Logic for analysis.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<img src={useBaseUrl('img/integrations/security-threat-detection/intel471-threat-intel.png')} alt="intel471-threat-intel.png" width="100" />

The Intel471 Threat Intel source collects threat intelligence indicators using the [Intel471 Stream API](https://titan.intel471.com/api/docs-openapi/#tag/Indicators/paths/~1indicators~1stream/get) and sends them to Sumo Logic as normalized threat indicators for analysis. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).
The Intel 471 Threat Intel source collects threat intelligence indicators using the [Intel 471 Stream API](https://titan.intel471.com/api/docs-openapi/#tag/Indicators/paths/~1indicators~1stream/get) and sends them to Sumo Logic as normalized threat indicators for analysis. For more information, see [About Sumo Logic Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/).

Intel471 is a cybersecurity firm specializing in providing cyber threat intelligence services. Their focus is primarily on delivering information about threats originating from the criminal underground, including malware, malicious actors, and their tactics, techniques, and procedures (TTPs). Intel471 provides these insights to help organizations protect themselves against cyber threats. Their intelligence-gathering efforts often involve monitoring and analyzing underground marketplaces, forums, and other communication channels used by cyber criminals.
Intel 471 is a cybersecurity firm specializing in providing cyber threat intelligence services. Their focus is primarily on delivering information about threats originating from the criminal underground, including malware, malicious actors, and their tactics, techniques, and procedures (TTPs). Intel 471 provides these insights to help organizations protect themselves against cyber threats. Their intelligence-gathering efforts often involve monitoring and analyzing underground marketplaces, forums, and other communication channels used by cyber criminals.

## Data collected
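Review bot: keeping `id: intel471-threat-intel-source` and the `intel471-threat-intel` tag unchanged while renaming `title`, `sidebar_label` and `description` is the right call; it preserves the URL that the other files in this PR link to. One small follow-up: the image `alt="intel471-threat-intel.png"` is a file name rather than a description; `alt="Intel 471 Threat Intel icon"` would match the renamed product and read properly in a screen reader.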

Expand All @@ -27,16 +27,16 @@ Intel471 is a cybersecurity firm specializing in providing cyber threat intellig
### Vendor configuration

:::info
The Intel471 documentation is not public and can only be accessed by partners or customers.
The Intel 471 documentation is not public and can only be accessed by partners or customers.
:::

The Intel471 Threat Intel source requires you to provide the **Username** and **API Key** found in the API section in the [Intel471 portal](https://titan.intel471.com/api/docs-openapi/#section/Authentication).
The Intel 471 Threat Intel source requires you to provide the **Username** and **API Key** found in the API section in the [Intel 471 portal](https://titan.intel471.com/api/docs-openapi/#section/Authentication).

### Source configuration

When you create an Intel471 Threat Intel source, you add it to a Hosted Collector. Before creating the source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector).
When you create an Intel 471 Threat Intel source, you add it to a Hosted Collector. Before creating the source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see [Configure a Hosted Collector and Source](/docs/send-data/hosted-collectors/configure-hosted-collector).

To configure an Intel471 Threat Intel source:
To configure an Intel 471 Threat Intel source:

1. [**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic main menu select **Data Management**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**.  <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
1. On the Collectors page, click **Add Source** next to a Hosted Collector.
Expand All @@ -47,7 +47,7 @@ To configure an Intel471 Threat Intel source:
* <img src={useBaseUrl('img/reuse/green-check-circle.png')} alt="green check circle.png" width="20"/> A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
* <img src={useBaseUrl('img/reuse/orange-exclamation-point.png')} alt="orange exclamation point.png" width="20"/> An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**. 
1. **Username**. Enter your login ID or email address.
1. **API Key**. Enter the API key of the user account collected from the [Intel471 Threat Intel platform](#vendor-configuration).
1. **API Key**. Enter the API key of the user account collected from the [Intel 471 Threat Intel platform](#vendor-configuration).
1. **Sumo Logic Threat Intel Source ID**. Enter the name you want to use for the Intel 471 source that will be created in the [Threat Intelligence](/docs/security/threat-intelligence/about-threat-intelligence/) tab in Sumo Logic. The Intel 471 threat intelligence indicators will be stored in this source. Do not use spaces in the name.
1. **Polling Interval**. The polling interval is set for one hour by default. You can adjust it based on your needs. This sets how often the source checks for new data.
1. **Processing Rules for Logs**. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in [Create a Processing Rule](/docs/send-data/collection/processing-rules/create-processing-rule).