node-feed
Queries threat intelligence feed data downloaded to the Data Node through the policy synchronization module.
Command properties
| Property | Description |
|---|---|
| Command type | Driver |
| Required permission | Administrator |
| License usage | Not counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
node-feed [name=STR] [type={URL|DOMAIN|EMAIL|IP|REGISTRY|MD5|SHA1|SHA256}]
Options
- name=STR: Threat intelligence feed name. You must specify either name or type.
- type={URL|DOMAIN|EMAIL|IP|REGISTRY|MD5|SHA1|SHA256}: Threat intelligence feed type. You must specify either name or type.
  - URL: URL
  - DOMAIN: Domain
  - EMAIL: Email
  - IP: IP address
  - REGISTRY: Registry
  - MD5: MD5 hash
  - SHA1: SHA1 hash
  - SHA256: SHA256 hash
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Time the feed entry was registered |
| feed_name | string | Threat intelligence feed name |
| Feed type key | string | Value according to feed type (e.g., ip, domain, url, md5, etc.) |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 300340 | You do not have permission to run the node-feed command. | Executed from a session without administrator privileges. |
| 300341 | Specify either the name or type option for the node-feed command. | Both the name and type options were omitted. |
| 300342 | The identifier [name] specified in the node-feed command was not found. | A non-existent feed name was specified for the name option. |
| 300343 | The type [type] specified in the node-feed command was not found. | An invalid type was specified for the type option. |
| 300344 | Failed to initialize the feed specified in the node-feed command. | Feed matcher initialization failed. |
Runtime errors
None
Description
The node-feed command queries threat intelligence feed data deployed to the Data Node from the Control Node through policy synchronization. Use the name option to query data for a specific feed, or the type option to query all feed data of a specific type.
Because this command runs on the Data Node, use it to verify the status of the feed data that has been synchronized to that Data Node.
Examples
- Query data for a specific feed name

  node-feed name=malware_ip

  Queries all entries registered in the malware_ip feed.

- Query data by feed type

  node-feed type=IP

  Queries all threat intelligence feed data of IP type.

- Query domain type feed data

  node-feed type=DOMAIN

  Queries all threat intelligence feed data of DOMAIN type.