When using the Threat Intel app (which you will install in a later lab), no results is a good thing, as this means you do not have malicious threats in your logs. However, in order to test the lookup functionality, the Threat Intel FAQs provide samples for each type of IOC. Let's run a simple query with an actual IOC. you can replace the IP address with any other IOC in the FAQs.
- This query will only return one result by using the limit operator. Notice we haven't defined any specific scope of data because we are only checking a manually entered IP called my_threat against the CrowdStrike database. The lookup operator takes the IP address 18.104.22.168 and to see if it is a known threat.
| limit 1
| "22.214.171.124" as my_threat
| lookup type, actor, raw, threatlevel as malicious_confidence
from sumo://threat/cs on threat = my_threat
| if (isNull(malicious_confidence),"No","Yes") as DataExist //checks to see if any value is returned for the field "malicious confidence" from CrowdStrike
| fields my_threat,DataExist, malicious_confidence, actor //formats fields
- If the IP address malicious_confidence isNull, then it will return a No in for the DataExist. Fields controls the display order of the columns and is very useful for formatting the output. Let's play around with the ordering by modifying the order.
| fields my_threat, malicious_confidence, DataExist, actor //formats fields
- You can also switch the IP address referenced ("126.96.36.199") with whichever IP address you would like to check against CrowdStrike. If no data exist for the IP address, you'll see "no" for the "data exist" field.