How to query indicators in the threat intel library (without a TIM license).
You can search for indicators using any of the available search fields. This is a partial list of the available search fields.
| Field | Description |
|---|---|
| | The type of the indicator, such as File or Email. |
| | The reputation of the indicator: |
| | Searches for indicators based on a reliability score such as |
| | Indicator feed or enrichment integrations. |
| | A specific instance of an indicator feed or enrichment integration. |
| | The source (such as script or manual) that last set the indicator's expiration status. |
| | Tags applied to indicators. |
| | Search for keywords within indicators’ comments. |
You can use a wildcard query, which finds indicators containing terms that match the specified wildcard. For example, the `*` pattern matches any sequence of 0 or more characters, and `?` matches any single character. For a regex query, use the following value:
"/.*\\?.*/"