docs/search/search-query-language/search-operators/threatlookup.md
Lines changed: 2 additions & 2 deletions
@@ -28,7 +28,7 @@ Where:
28
28
If there's still a tie at this point, the system picks the indicator the back-end database returned first.
29
29
30
30
*`source` is the source to search for the threat intelligence indicator. If `source` is not specified, all sources are searched.
31
-
*`include` includes either all, only active, or only expired threat intelligence indicators. If `include` is not specified, all matching indicators are returned.
31
+
*`include` includes either all, only active, or only expired threat intelligence indicators. If `include` is not specified, only active matching indicators are returned.
32
32
*`<indicator_value_field>` is the indicator to look up.
33
33
*`<optional_indicator_value_field>` is used to add more indicators to look up.
34
34
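Review bot: the changed line turns the `include` default from "all matching indicators" into "only active matching indicators" but still never shows what a reader types to get the other two behaviours. The sentence names the choices only in prose ("all, only active, or only expired"); now that the default is the restrictive case, list the literal argument value beside each choice so someone investigating an older event knows exactly what to pass to see expired indicators. It would also help to state here how active versus expired is decided, since the `valid_until` field surfaces later on this same page.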
@@ -114,7 +114,7 @@ You can run the `threatlookup` search operator with the [`cat` search operator](
114
114
cat sumo://threat-intel | where _threatlookup.indicator = "192.0.2.0"
115
115
```
116
116
```
117
-
cat sumo://threat-intel | where _threatlookup.source = "FreeTAXII" and _threatlookup.indicator = "192.0.2.0"
117
+
cat sumo://threat-intel | where _threatlookup.source = "TAXII2Source" and _threatlookup.indicator = "192.0.2.0"
118
118
```
119
119
120
120
In the `cat` output, timestamp fields (like `valid_until`) will appear as integers. You can use the `formatDate()` function to convert them back to timestamps. For example:
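Review bot: the example only swaps the string literal in `_threatlookup.source = "TAXII2Source"`, which still reads like a product-defined source name rather than the free-text `source` value chosen at upload time (the upload-formats.md changes in this same commit describe it as "User-provided text"). Add a sentence before the example saying the value must match the `source` string in the uploaded indicators exactly, otherwise readers will paste `TAXII2Source` verbatim and get an empty result without understanding why.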
docs/security/threat-intelligence/upload-formats.md
Lines changed: 9 additions & 9 deletions
@@ -28,7 +28,7 @@ Following is an example threat indicator file in normalized JSON format. (For an
28
28
"id": "0001",
29
29
"indicator": "192.0.2.0",
30
30
"type": "ipv4-addr:value",
31
-
"source": "FreeTAXII",
31
+
"source": "TAXII2Source",
32
32
"validFrom": "2023-03-21T12:00:00.000Z",
33
33
"validUntil": "2025-03-21T12:00:00.000Z",
34
34
"confidence": 30,
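Review bot: the rename is fine, but this sample record's `"validUntil": "2025-03-21T12:00:00.000Z"` now interacts badly with the `threatlookup` change in this same commit, where the `include` default becomes active-only: anyone who uploads this JSON after that date and runs the operator as documented gets no match and may conclude the upload failed. Either push the sample `validUntil` well into the future, drop it (the CSV section of this file says an indicator with no `validUntil` never expires), or add a note beside the example that expired indicators are only returned when `include` asks for expired or all.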
@@ -44,7 +44,7 @@ Following is an example threat indicator file in normalized JSON format. (For an
44
44
"id": "0002",
45
45
"indicator": "192.0.2.1",
46
46
"type": "ipv4-addr:value",
47
-
"source": "FreeTAXII",
47
+
"source": "TAXII2Source",
48
48
"validFrom": "2023-03-21T12:00:00.000Z",
49
49
"validUntil": "2025-03-21T12:00:00.000Z",
50
50
"confidence": 30,
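Review bot: after this change the second record is identical to the first in `type`, `source`, `validFrom`, `validUntil` and `confidence`, differing only in `id` and `indicator`. The `threatlookup` page touched by this commit describes tie-breaking between matching indicators, so consider giving this record a different `confidence` or a different `source` value; the sample data would then exercise the selection rules the docs describe and also show that the same indicator value may legitimately arrive from more than one source.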
@@ -77,7 +77,7 @@ The following attributes are required:
77
77
* `process`. Process name. (Entity type in Cloud SIEM is `_process`.)
78
78
* `url`. URL. (Entity type in Cloud SIEM is `_url`.)
79
79
* `user-account`. User ID. (Entity type in Cloud SIEM is `_username`.)
80
-
* **source** (string). User-provided text to identify the source of the indicator. For example, `FreeTAXII`.
80
+
* **source** (string). User-provided text to identify the source of the indicator. For example, `TAXII2Source`.
81
81
* **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
82
82
* **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest (as [defined by the confidence scale in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_1v6elyto0uqg)). For example, `75`.
83
83
* **threatType** (string). Type of indicator (as [defined by indicator_types in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_cvhfwe3t9vuo)). For example, `malicious-activity`. (This attribute can result in a special label appearing next to Entities in the Cloud SIEM UI. See [View threat indicators in the Cloud SIEM UI](/docs/security/threat-intelligence/threat-indicators-in-cloud-siem/#view-threat-indicators-in-the-cloud-siem-ui).) <br/>Following are valid values:
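Review bot: the `source` attribute description should say how the value is matched, not just give an example. The same string is used as the `source` filter of `threatlookup` and in `where _threatlookup.source = "TAXII2Source"` on the search-operator page changed by this commit, so readers need to know whether the comparison is exact and case-sensitive and that the spelling must be kept consistent across uploads. A short note that the value is free text chosen by the uploader, and that `TAXII2Source` is only a placeholder, would prevent copy-paste of the example name into production feeds.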
@@ -111,8 +111,8 @@ Comma-separated value (CSV) is a standard format for data upload.
111
111
If uploading a CSV file with the UI, the format should be the same as used for a standard CSV file:
@@ -145,7 +145,7 @@ Columns for the following attributes are required in the upload file:
145
145
* `process`. Process name. (Entity type in Cloud SIEM is `_process`.)
146
146
* `url`. URL. (Entity type in Cloud SIEM is `_url`.)
147
147
* `user-account`. User ID. (Entity type in Cloud SIEM is `_username`.)
148
-
* **source** (string). User-provided text to identify the source of the indicator. For example, `FreeTAXII`.
148
+
* **source** (string). User-provided text to identify the source of the indicator. For example, `TAXII2Source`.
149
149
* **validFrom** (string [date-time]). Beginning time this indicator is valid. Timestamp in UTC in RFC3339 format. For example, `2023-03-21T12:00:00.000Z`.
150
150
* **validUntil** (string [date-time]). Ending time this indicator is valid. If not set, the indicator never expires. Timestamp in UTC in RFC3339 format. For example, `2024-03-21T12:00:00.000Z`.
151
151
* **confidence** (integer [ 1 .. 100 ]). Confidence that the creator has in the correctness of their data, where 100 is highest. For example, `75`.
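Review bot: two consistency points in the context lines of this hunk. First, the `confidence` entry here (`Confidence that the creator has in the correctness of their data, where 100 is highest. For example, `75`.`) lacks the STIX 2.1 confidence-scale link that the same attribute carries in the JSON section of this file; since the commit already edits both lists, copy the link down so the CSV and JSON descriptions agree. Second, this list has a `validUntil` entry between `validFrom` and `confidence` while the JSON list in the earlier hunk goes straight from `validFrom` to `confidence`; confirm that difference is intentional, because with the `threatlookup` default now active-only, the "If not set, the indicator never expires" rule is what decides whether an uploaded row is returned at all.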
@@ -260,7 +260,7 @@ As shown in the following example, if uploading via the API you must add the `so