Commit 2dcd1f1

committed
Comment out text
1 parent f0b3f03 commit 2dcd1f1

File tree

1 file changed

+45
-0
lines changed


docs/security/threat-intelligence/find-threats.md

Lines changed: 45 additions & 0 deletions
@@ -25,3 +25,48 @@ For syntax and examples, see [`threatlookup` search operator](/docs/search/searc
2525
You can also [run threatlookup with the cat search operator](/docs/search/search-query-language/search-operators/threatlookup/#run-threatlookup-with-the-cat-search-operator) to search the entire store of threat intelligence indicators.
2626
-->
2727

28+
<!-- Add this after sumo://threat/cs is replaced by threatlookup":
29+
30+
## Threatlookup queries in dashboards
31+
32+
The `threatlookup` search operator is used for queries in some dashboards, including [dashboards in the Threat Intel Quick Analysis app](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/#viewing-threat-intel-quick-analysis-dashboards). These queries provide great examples of how to use the operator.
33+
34+
To see `threatlookup` used in a query:
35+
1. Open the Threat Intel Quick Analysis app.
36+
1. Navigate to a dashboard, such as **Overview**.
37+
1. Click the three-dot kebab in the upper-right corner of the dashboard panel.
38+
1. Select **Open in Log Search**.
39+
1. Look for `threatlookup` used in the query.
40+
41+
For example, here is the query used for the **Threat Count** panel in the **Threat Intel Quick Analysis - IP** dashboard:
42+
43+
```
44+
_sourceCategory=<source-category-name>
45+
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
46+
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
47+
| count as ip_count by ip_address
48+
49+
| threatlookup singleIndicator ip_address
50+
51+
// normalize confidence level to a string
52+
| if (_threatlookup.confidence >= 85, "high", if (_threatlookup.confidence >= 50, "medium", if (_threatlookup.confidence >= 15, "low", if (_threatlookup.confidence >= 0, "unverified", "unknown")))) as threat_confidence
53+
54+
// filter for threat confidence
55+
| where  threat_confidence matches "*"
56+
57+
//rename to match threat_<foo> convention
58+
| %"_threatlookup.actors" as threat_actors
59+
| %"_threatlookup.type" as type
60+
| %"_threatlookup.threat_type" as threat_type
61+
62+
//convert threat valid from to human readable time
63+
| toLong(%"_threatlookup.valid_from" * 1000) as %"_threatlookup.valid_from"
64+
| formatDate(%"_threatlookup.valid_from", "MM-dd-yyyy") as threat_valid_from
65+
66+
| where type matches "ipv4-addr*" and !isNull(threat_confidence)
67+
68+
| if (isEmpty(threat_actors), "Unassigned", threat_actors) as threat_actors
69+
70+
|sum (ip_count) as threat_count
71+
```  
72+
-->
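Review bot: the opening marker of the new comment block, `<!-- Add this after sumo://threat/cs is replaced by threatlookup":`, has a stray `"` after `threatlookup`; since this is the sentence that tells the next editor when to un-comment the section, drop the quote so it reads `<!-- Add this after sumo://threat/cs is replaced by threatlookup:`. In the query itself, `| where  threat_confidence matches "*"` accepts every value, so either say in the preceding `// filter for threat confidence` comment that the wildcard is a placeholder the reader is expected to narrow (for example to `"high"`), or remove the line from the example. Minor style points while the text is commented out anyway: `|sum (ip_count) as threat_count` is spaced differently from every other pipe stage in the block (`| sum(ip_count) as threat_count` would match), and the closing fence on the last query line carries trailing whitespace.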
