*`<fields>` is a list of comma separated Entity field names. At least one field name is required.
263
-
*`<filters>` is a logical expression using indicator attributes. (Allowed are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `=>`, `!=`.)
262
+
*`<fields>` is a list of comma-separated [entity field names](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md). At least one field name is required.
263
+
*`<filters>` is a logical expression using [indicator attributes](/docs/platform-services/threat-intelligence-indicators/#normalized-json-format). Allowed in the filtering are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `=>`, `!=`. <br/>You can filter on the following indicator attributes:
264
+
*`actors`
265
+
*`confidence`
266
+
*`id`
267
+
*`indicator`
268
+
*`killChain`
269
+
*`source`
270
+
*`threatType`
271
+
*`type`
272
+
*`validFrom`
273
+
*`validUntil`
264
274
*`<indicators>` is an optional case insensitive option that describes how indicators should be matched with regard to their validity. Accepted values are:
265
275
*`active_indicators`. Match active indicators only (default).
266
276
*`expired_indicators`. Match expired indicators only.
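Review bot: the `+` line for `<filters>` keeps the comparison operators as `=<` and `=>`; if the filter grammar really accepts those spellings, say so explicitly, and if it is a typo for the conventional `<=` and `>=` this hunk is the place to correct it, since users will copy the operator list verbatim into filter expressions. The new attribute list is useful, but it would help to state whether attribute names are case-sensitive (`killChain`, `threatType`, `validFrom`) and what value types `confidence`, `validFrom` and `validUntil` compare against, so that `confidence > 50` and `validUntil < '2024-01-01T00:00:00Z'` can be written without guessing.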
@@ -517,7 +528,7 @@ If you are uploading via the UI, do not include the `source` value in the file,
517
528
"created": "2023-03-21T12:00:00.000Z",
518
529
"modified": "2023-03-21T12:00:00.000Z",
519
530
"confidence": 30,
520
-
"pattern": "[ipv4-addr:value = '192.0.2.0']",
531
+
"pattern": "[ipv4-addr = '192.0.2.0']",
521
532
"pattern_type": "stix",
522
533
"pattern_version": "string",
523
534
"valid_from": "2023-03-21T12:00:00.000Z",
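Review bot: the `+` line `"pattern": "[ipv4-addr = '192.0.2.0']"` is not a valid STIX 2.1 comparison expression while `"pattern_type": "stix"` is set two lines below it; the STIX 2.1 patterning grammar requires an object path of the form `<object-type>:<property>`, so `[ipv4-addr:value = '192.0.2.0']` (the `-` line) is the conformant form. If the product deliberately accepts the bare object type, the document should say so and not cite the STIX 2.1 pattern definition as the authority; otherwise keep the `-` line. Separately, `"pattern_version": "string"` in the surrounding context is a schema placeholder rather than a value; for STIX patterns the expected value is `"2.1"`.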
@@ -539,7 +550,7 @@ If you are uploading via the UI, do not include the `source` value in the file,
539
550
"created": "2023-03-21T12:00:00.000Z",
540
551
"modified": "2023-03-21T12:00:00.000Z",
541
552
"confidence": 30,
542
-
"pattern": "[ipv4-addr:value = '192.0.2.1']",
553
+
"pattern": "[ipv4-addr = '192.0.2.1']",
543
554
"pattern_type": "stix",
544
555
"pattern_version": "string",
545
556
"valid_from": "2023-03-21T12:00:00.000Z",
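Review bot: `"pattern": "[ipv4-addr = '192.0.2.1']"` drops the property from the object path, which STIX 2.1 patterning requires (`ipv4-addr:value`); with `"pattern_type": "stix"` in the same object, the `-` line is the form that parses under the spec. Keep it unless the accepted shorthand is documented elsewhere on the page.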
@@ -574,7 +585,7 @@ As shown in the following example, if uploading via the API you must add the `so
574
585
"created": "2023-03-21T12:00:00.000Z",
575
586
"modified": "2023-03-21T12:00:00.000Z",
576
587
"confidence": 30,
577
-
"pattern": "[ipv4-addr:value = '192.0.2.0']",
588
+
"pattern": "[ipv4-addr = '192.0.2.0']",
578
589
"pattern_type": "stix",
579
590
"pattern_version": "string",
580
591
"valid_from": "2023-03-21T12:00:00.000Z",
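Review bot: same object-path problem in the API upload example: `[ipv4-addr = '192.0.2.0']` has no property after the object type, so it is not a STIX 2.1 comparison expression even though `pattern_type` is `stix`. Either restore `ipv4-addr:value` or state that the API accepts the abbreviated form.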
@@ -596,7 +607,7 @@ As shown in the following example, if uploading via the API you must add the `so
596
607
"created": "2023-03-21T12:00:00.000Z",
597
608
"modified": "2023-03-21T12:00:00.000Z",
598
609
"confidence": 30,
599
-
"pattern": "[ipv4-addr:value = '192.0.2.1']",
610
+
"pattern": "[ipv4-addr = '192.0.2.1']",
600
611
"pattern_type": "stix",
601
612
"pattern_version": "string",
602
613
"valid_from": "2023-03-21T12:00:00.000Z",
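Review bot: `[ipv4-addr = '192.0.2.1']` in this API example has the same missing property as the other changed patterns; under STIX 2.1 patterning the left side of the comparison must be `ipv4-addr:value`. Restore the `-` line's form or document the shorthand once, rather than silently changing every example.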
@@ -626,15 +637,15 @@ The following attributes are required:
626
637
* **created** (string [date-time]). The time at which the object was originally created. Timestamp in UTC in RFC3339 format. For example, `2016-05-01T06:13:14.000Z`.
627
638
* **modified** (string [date-time]). When the object is modified. Timestamp in UTC in RFC3339 format. For example, `2023-05-01T06:13:14.000Z`. This property is only used by STIX Objects that support versioning and represents the time that this particular version of the object was last modified.
628
639
* **pattern** (string). The pattern of this indicator (as defined by [pattern in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_me3pzm77qfnf)). Following are valid values:
629
-
* `domain-name:value`. Domain name. (Entity type in Cloud SIEM is `_domain`.)
630
-
* `email-addr:value`. Email address. (Entity type in Cloud SIEM is `_email`.)
640
+
* `domain-name`. Domain name. (Entity type in Cloud SIEM is `_domain`.)
641
+
* `email-addr`. Email address. (Entity type in Cloud SIEM is `_email`.)
631
642
* `file:hashes`. File hash. (Entity type in Cloud SIEM is `_hash`.)<br/>If you want to add the hash algorithm, enter `file:hashes.'<HASH-TYPE>'`. For example, `[file:hashes.'SHA-256' = '4bac393bdd']`.
632
643
* `file:name`. File name. (Entity type in Cloud SIEM is `_file`.)
633
-
* `ipv4-addr:value`. IPv4 IP address. (Entity type in Cloud SIEM is `_ip`.)
634
-
* `ipv6-addr:value`. IPv6 IP address. (Entity type in Cloud SIEM is `_ip`.)
635
-
* `mac-addr:value`. Mac address name. (Entity type in Cloud SIEM is `_mac`.)
644
+
* `ipv4-addr`. IPv4 IP address. (Entity type in Cloud SIEM is `_ip`.)
645
+
* `ipv6-addr`. IPv6 IP address. (Entity type in Cloud SIEM is `_ip`.)
646
+
* `mac-addr`. Mac address name. (Entity type in Cloud SIEM is `_mac`.)
636
647
* `process:name`. Process name. (Entity type in Cloud SIEM is `_process`.)
637
-
* `url:value`. URL. (Entity type in Cloud SIEM is `_url`.)
648
+
* `url`. URL. (Entity type in Cloud SIEM is `_url`.)
638
649
* `user-account:user-id`. User ID. (Entity type in Cloud SIEM is `_username`.)
639
650
* `user-account:login`. Login name. (Entity type in Cloud SIEM is `_username`.)
640
651
* **pattern_type** (string). The pattern language used in this indicator (as defined by [pattern_type in STIX 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_9lfdvxnyofxw)). Enter `stix` to specify the [STIX](https://oasis-open.github.io/cti-documentation/stix/intro) pattern language.
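Review bot: the edited list is now internally inconsistent. The `+` lines drop the property from `domain-name`, `email-addr`, `ipv4-addr`, `ipv6-addr`, `mac-addr` and `url`, but the unchanged lines keep it for `file:hashes`, `file:name`, `process:name`, `user-account:user-id` and `user-account:login`, and the `file:hashes` example `[file:hashes.'SHA-256' = '4bac393bdd']` still uses a full object path. The introductory line says these are "valid values" of `pattern` "as defined by pattern in STIX 2.1", and STIX 2.1 patterning requires `<object-type>:<property>` in every comparison, so `domain-name` on its own does not match the cited definition. Either keep the `-` lines (`domain-name:value`, `email-addr:value`, `ipv4-addr:value`, `ipv6-addr:value`, `mac-addr:value`, `url:value`) or add a sentence saying that Cloud SIEM accepts the bare object type as shorthand for `:value` and showing one example of each form. The phrase "Mac address name" should also read "MAC address".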