matchfeed()

Returns true if the threat intelligence feed contains a target value, and false otherwise.

Syntax

matchfeed(FEED_ID, STR_EXPR)
Required Parameters
FEED_ID

Identifier of the threat intelligence feed. If you specify an invalid feed string constant, the query fails.

See the following table for available identifiers. In addition, you can use the feeds provided by apps installed on Logpresso Sonar or Logpresso Maestro.

FEED_IDTypeDescription
otxipReal-time IP address reputation feed in the format of OTX (Open Threat Exchange)
toripReal-time Tor exit node IP address information feed
mdl_domaindomainReal-time malicious domain name (e.g. C&C domain)
mdl_ipipReal-time malicious domain name (e.g. C&C IP address)
abusechdomainReal-time malicious domain name (e.g. C&C domain) feed provided by abuse.ch
malc0demd5Real-time Malware database provided by malc0de.com
STR_EXPR

Expression to return the string to be searched in the feed