matchfeed
Filters the input records using the threat intelligence feed from the Logpresso CTI.
Syntax
matchfeed [name=FEED_ID | type=TYPE] fields=FIELD,... [invert=BOOL]
Required Parameter
name=FEED_ID
- The identifier of the threat intelligence feed to match against the record fields specified by the fields option (default: none). The name=FEED_ID and type=TYPE options cannot be used at the same time; use either one.
- See the following table for the available identifiers. In addition, you can use the feeds provided by apps installed on Logpresso Sonar.

FEED_ID | Type | Description |
---|---|---|
otx | ip | Real-time IP address reputation feed in the format of OTX (Open Threat Exchange) |
tor | ip | Tor exit node IP address information feed |
mdl_domain | domain | Malicious domain name (e.g. C&C domain) feed |
mdl_ip | ip | Malicious IP address (e.g. C&C IP address) feed |
abusech | domain | Malicious domain name (e.g. C&C domain) feed provided by abuse.ch |
malc0de | md5 | Malware database provided by malc0de.com |

type=TYPE
- The type of value to match against the threat intelligence feed. Valid values are domain, email, ip, md5, sha256, and url. The type option matches against all threat intelligence feeds carrying that type. The name=FEED_ID and type=TYPE options cannot be used at the same time; use either one.
  - domain: Domain name
  - email: Email address
  - ip: IP address
  - md5: MD5 hash of the binary file
  - sha256: SHA256 hash of the binary file
  - url: URL

fields=FIELD,...
- Fields whose values are matched against the threat intelligence feeds. Use a comma (,) without any leading or trailing whitespace as the separator.
Optional Parameter
invert=BOOL
- Option to invert the result of matching the values of the fields specified by the fields option against the threat intelligence feed (default: f).
  - t: Returns records whose values in the specified fields were not found in the matching result.
  - f: Returns records whose values in the specified fields were found in the matching result.
Description
Refer to the following table for the fields added to each returned record after the command executes, including the feed identifier.

Field | Type | Description |
---|---|---|
feed_name | String | Threat intelligence feed identifier |
feed_field | String | The name of the field where threat information was found |
feed_invert | Boolean | The value of the invert option |
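The matching and invert semantics described above, as an added reference model written from this page (not Logpresso's own code). The feed contents, the input records and the field names src_ip, dst_ip and host are constructed; the model also assumes feed_name and feed_field are only set on records that matched.

```python
# Added reference model of matchfeed's filtering semantics, written from the
# command reference above; it is not Logpresso code. Feeds and records are
# constructed sample data (RFC 5737 addresses), not real CTI feed content.
from typing import Optional
# Constructed sample feeds: FEED_ID -> (type, set of indicator values).
FEEDS = {
    "tor":        ("ip",     {"198.51.100.7"}),
    "otx":        ("ip",     {"203.0.113.9", "198.51.100.7"}),
    "mdl_domain": ("domain", {"bad.example"}),
    "abusech":    ("domain", {"evil.example"}),
    "malc0de":    ("md5",    {"d41d8cd98f00b204e9800998ecf8427e"}),
}

# Constructed input records, e.g. parsed firewall log events.
LOGS = [
    {"src_ip": "10.0.0.5",     "dst_ip": "203.0.113.9", "host": "www.example"},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.8",    "host": "bad.example"},
    {"src_ip": "10.0.0.6",     "dst_ip": "10.0.0.9",    "host": "ok.example"},
]

def matchfeed(records, fields: str, name: Optional[str] = None,
              type: Optional[str] = None, invert: bool = False) -> list:
    """Filter like `matchfeed [name=|type=] fields=... invert=`; `fields` is
    the comma-separated list (no whitespace). A record passes when any listed
    field's value occurs in the selected feed(s); invert=True keeps misses."""
    if (name is None) == (type is None):
        raise ValueError("use exactly one of name=FEED_ID or type=TYPE")
    if name is not None:
        if name not in FEEDS:
            raise ValueError(f"unknown feed identifier: {name}")
        selected = [name]
    else:  # type= matches against every feed carrying that type
        selected = [fid for fid, (ftype, _) in FEEDS.items() if ftype == type]
    out = []
    for rec in records:
        hit = None  # (feed_name, feed_field) of the first indicator found
        for field in fields.split(","):
            value = rec.get(field)
            for fid in selected:
                if value is not None and value in FEEDS[fid][1]:
                    hit = (fid, field)
                    break
            if hit:
                break
        if (hit is not None) != invert:
            rec = dict(rec, feed_invert=invert)
            if hit:  # assumption: feed_name/feed_field are set only on a hit
                rec["feed_name"], rec["feed_field"] = hit
            out.append(rec)
    return out
```

Running `matchfeed(LOGS, "src_ip,dst_ip", type="ip")` annotates the two records that touch a feed-listed address, while `invert=True` returns only the record that touched none.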