7. Useful SPL Searches

Updated 1 month ago by Steven Chamales


Each entry gives what the search does, followed by the search itself.

Unique threat keys
  | inputlookup ip_intel
  | stats values(threat_key)

Unique TruSTAR threat keys
  | inputlookup ip_intel where threat_key = "*(TruSTAR)*"
  | stats values(threat_key)

Modinput logs
  index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log"

Number of observables found (vt input)
  index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log" "Input vt, Found"

Number of observables found for a given modinput
  index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log" "Input <input_name>, Found"

  • Replace "<input_name>" with the name of the input you're interested in.
  • Set the search time range to the last ~10 minutes.
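Added example, not one of the searches from the original page: a variant of the modinput search above that breaks the "Found" log lines down per input, so one search shows which inputs reported observables in the window and when they last did so. It assumes only what the page shows about the log line (the text "Input <input_name>, Found"); the extracted field input_name and the aliases found_events and last_seen are this example's own names.

```spl
index=_internal sourcetype="trustar_unified_trustar_observables_to_kvstores.log" Input Found
| rex field=_raw "Input (?<input_name>[^,]+), Found"
| where isnotnull(input_name)
| stats count AS found_events latest(_time) AS last_seen BY input_name
| sort - last_seen
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

Run it over the same ~10 minute range the page recommends. An input that is configured but absent from the results did not log a "Found" line in that window, which is the quickest check that a modinput has stalled before digging into its full log.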

