DOCS-746 - Updates to threat intelligence upload formats (#5165)
* Update

* Update docs/security/threat-intelligence/threat-indicators-in-cloud-siem.md

* Fix typo
jpipkin1 authored Mar 11, 2025
1 parent 9cad61e commit 868a2e9
Showing 3 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/cse/schema/username-and-hostname-normalization.md
Expand Up @@ -114,7 +114,7 @@ The raw name is populated in the un-normalized name field:

`user_username_raw = bob`

The same would logic would apply to a hostname:
The same logic would apply to a hostname:

`device_hostname = desktop1 `
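Review bot: The wording fix on "The same logic would apply to a hostname:" is correct; while this section is being touched, the context line `device_hostname = desktop1 ` carries a trailing space inside the inline code span, which renders as a visible gap before the closing backtick and could be trimmed in the same change.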

Expand Up @@ -27,7 +27,7 @@ For more information, see [hasThreatMatch](/docs/cse/rules/cse-rules-syntax/#has

## View threat indicator labels in the Cloud SIEM UI

Entities are automatically enriched with indicator data from [custom intelligence sources](/docs/cse/administration/create-custom-threat-intel-source/) and [sources in the threat intelligence datastore](/docs/security/threat-intelligence/about-threat-intelligence/) (excluding the **_sumo_global_feed_cs** global feed).
Entities are automatically enriched with indicator data from [custom intelligence sources](/docs/cse/administration/create-custom-threat-intel-source/) and [sources in the threat intelligence datastore](/docs/security/threat-intelligence/about-threat-intelligence/). (Entity enrichment doesn't make use of the `_sumo_global_feed_cs` global feed.)

When a match to a threat indicator in sources is found, labels showing the entity's "reputation" will be displayed throughout the Cloud SIEM UI:
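Review bot: The new parenthetical "(Entity enrichment doesn't make use of the `_sumo_global_feed_cs` global feed.)" says what does not use the global feed but not what does; since the line above points readers at `hasThreatMatch`, they are left unsure whether rule matching draws on that feed. Consider adding one sentence (or a link to the page that documents the global feed) stating where `_sumo_global_feed_cs` is used, so the exclusion does not read as the feed being inert.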

6 changes: 6 additions & 0 deletions docs/security/threat-intelligence/upload-formats.md
Expand Up @@ -80,6 +80,7 @@ The following attributes are required:
* `user-account`. User ID. (Entity type in Cloud SIEM is `user_username`.)
* **source** (string). User-provided text to identify the source of the indicator. For example, `TAXII2Source`.
* **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
* **validUntil** (string [date-time]). Ending time this indicator is valid. If not set, the indicator never expires. Timestamp in UTC in RFC3339 format. For example, `2024-03-21T12:00:00.000Z`.
* **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest (as [defined by the confidence scale in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_1v6elyto0uqg)). For example, `75`.
* **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to entities in the Cloud SIEM UI. See [View threat indicator labels in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicator-labels-in-the-cloud-siem-ui).) <br/>Following are valid values:
* `anomalous-activity`. Unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
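Review bot: The added `validUntil` bullet sits under the list introduced by "The following attributes are required:", yet its own text says "If not set, the indicator never expires", which makes it optional by definition. Either move the bullet to the optional-attributes list or reword the intro so the reader does not conclude that uploads without `validUntil` will be rejected. It would also help to state the expected behaviour when `validUntil` precedes `validFrom` (rejected at upload, or accepted and treated as already expired), since the surrounding text documents other rejection cases explicitly.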
Expand Down Expand Up @@ -114,6 +115,11 @@ When uploading a CSV file with the UI, the format should be the same as used for
0002,192.0.2.1,ipv4-addr,TAXII2Source,2023-02-21T12:00:00.00Z,2025-05-21T12:00:00.00Z,30,malicious-activity,actor3,reconnaissance
```

:::tip
* Even if you are not providing values for the optional `actors` and/or `killChain` fields, you must include comma delimiters in the CSV file for where they would normally appear. Otherwise, the file will be rejected during uploading with the error “Indicator data failed to import.”
* Do not include a header row as the first row of the CSV file. Otherwise, the file will be rejected during uploading with the error “Indicator data failed to import.”
:::

### Required attributes

For information about the attributes to use, see ["Indicator" in the STIX 2.1 specification](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_muftrcpnf89v).
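Review bot: The new tip tells users to keep the comma delimiters for the optional `actors` and `killChain` columns, but the only CSV example row on the page populates every column, so the rule is never shown concretely. Add a second example row with the trailing fields left empty (ending in `,malicious-activity,,`) so the required delimiters are visible. Minor: the CSV example timestamps use two fractional digits (`12:00:00.00Z`) while the attribute list above uses three (`12:00:00.000Z`); aligning them avoids implying that the precision matters for parsing.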