7. Useful SPL Searches
What it does | The search |
Unique Threat Keys | | inputlookup ip_intel |
Unique TruSTAR Threat Keys | | inputlookup ip_intel where threat_key = "*(TruSTAR)*" |
Modinput logs | index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log" |
# Observables | index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log" "Input vt, Found" |
# Observables for modinput | index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log" "Input <input_name>, Found" |