matchfeed()
The matchfeed() function checks whether a specific value is included in a specified threat intelligence feed.
Syntax
matchfeed(STR_FEED, STR_EXPR)
Parameters
STR_FEED - The name of the threat intelligence feed to search. Specify as a string literal. If an invalid feed name is specified, an error occurs at query parse time.

Name                    STR_FEED                Type     Description
Logpresso CTI IP        logpresso_cti_ip        IP       Malicious IP address information associated with cyberattacks
Logpresso CTI Domain    logpresso_cti_domain    DOMAIN   Malicious domain address information such as malware distribution sites and C&C servers
Logpresso CTI URL       logpresso_cti_url       URL      Logpresso CTI URL IOC information
Logpresso CTI MD5       logpresso_cti_md5       MD5      Logpresso CTI MD5 hash IOC feed
Logpresso CTI SHA1      logpresso_cti_sha1      SHA1     Logpresso CTI SHA1 hash IOC feed
Logpresso CTI SHA256    logpresso_cti_sha256    SHA256   Logpresso CTI SHA256 hash IOC feed

In addition, feeds provided by apps installed in Sonar are also available. Refer to the documentation for the respective app for its feed identifiers.
STR_EXPR - The field or expression containing the value to search for in the threat intelligence feed. Supports string and IP address types.
Description
The matchfeed() function returns true if STR_EXPR exists in the specified threat intelligence feed, or false if it does not.
If STR_EXPR is null, false is returned. If STR_EXPR is an IP address type, it is converted to a string before searching the feed.
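The lookup semantics described above (unknown feed name is an error, null never matches, IP address values are converted to strings before the lookup) can be modelled in a few lines of Python. The following is an added example and not Logpresso's own implementation; the feed contents are constructed indicators, and the rule that non-string, non-IP values never match is an assumption the page does not state.

```python
import ipaddress
from typing import Any, Dict, Iterable, List, Set

# Constructed sample feeds standing in for the Logpresso CTI feeds. The feed
# names are the page's identifiers; the indicator values are made up here.
FEEDS: Dict[str, Set[str]] = {
    "logpresso_cti_ip": {"198.51.100.23", "203.0.113.7"},
    "logpresso_cti_domain": {"malware.example", "c2.example"},
    "logpresso_cti_url": {"http://malware.example/dl/payload.bin"},
}


def matchfeed(feed_name: str, value: Any, feeds: Dict[str, Set[str]] = FEEDS) -> bool:
    """Return True if value is listed in the named feed, False otherwise.

    Mirrors the documented behaviour: an unknown feed name raises (the query
    engine rejects it at parse time), a null value yields False, and IP
    address objects are converted to their string form before the lookup.
    """
    if feed_name not in feeds:
        raise ValueError(f"unknown threat intelligence feed: {feed_name!r}")
    if value is None:
        return False
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        value = str(value)
    if not isinstance(value, str):
        # Assumption: values of any other type never match.
        return False
    return value in feeds[feed_name]


def tag_records(records: Iterable[Dict[str, Any]], feed_name: str, field: str) -> List[Dict[str, Any]]:
    """Equivalent of `... | eval result = matchfeed(FEED, FIELD)` over a record stream."""
    tagged = []
    for rec in records:
        rec = dict(rec)
        rec["result"] = matchfeed(feed_name, rec.get(field))
        tagged.append(rec)
    return tagged


# Constructed input records covering the string, IP-object and null cases.
SAMPLE_RECORDS = [
    {"src_ip": "198.51.100.23"},                      # listed, given as a string
    {"src_ip": ipaddress.ip_address("203.0.113.7")},  # listed, given as an IP object
    {"src_ip": "192.0.2.1"},                          # not listed
    {"src_ip": None},                                 # null field
]

if __name__ == "__main__":
    for rec in tag_records(SAMPLE_RECORDS, "logpresso_cti_ip", "src_ip"):
        print(rec)
```

Running the block tags the four sample records with `result` values `True, True, False, False`; the second record shows the IP-object-to-string conversion, the last the null rule.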
Error codes
N/A
Usage examples
- Check whether the value of the src_ip field is included in the malicious IP feed

  json "{'src_ip': '192.0.2.1'}" | eval result = matchfeed("logpresso_cti_ip", src_ip)
  # result: false

- Use the URL feed to check whether a URL is a phishing URL

  json "{'url': 'http://example.com/path'}" | eval result = matchfeed("logpresso_cti_url", url)
  # result: false

- STR_EXPR value is null

  json "{'src_ip': null}" | eval result = matchfeed("logpresso_cti_ip", null)
  # result: false
Compatibility
matchfeed() has been available since before Sonar 4.0.