Threat Intelligence Queries – SGBox Next Generation SIEM & SOAR
https://www.sgbox.eu/en/knowledge-base/threat-intelligence-queries/
Published: Tue, 30 Nov 2021

Configure Threat Intelligence Queries

This article explains how to create a Threat Intelligence Query, which lets you take the results of an Events Query, search for a value in a list and then take an action. In this way, queries can be used like LCE rules or sensors. They can be scheduled to run on a time interval (as often as every minute), performing their actions whenever they return results. The available actions are Send Email, Generate Event, and Add a parameter to a list.

Requirements:

  • SGBox version 5.3.1

From the SGBox menu, go to LCE > Threat Intelligence Queries and click New Query.
A guided interface lets you build queries that search for a parameter in any list. A time interval can also be set. In the following example, we retrieve all logons by MS-Windows admin users during non-working hours.

[Screenshot: Threat Intelligence Queries]

By default, Threat Intelligence Queries are scheduled, and they send an email and generate a new event every time they return a result.
Actions can be customized for each query, and the default values can be edited by clicking the DEFAULT VALUES button on the page listing the Threat Intelligence Queries.
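As an added illustration (not SGBox's own code or API), the Python below models the logic this article describes: the results of an Events Query are matched against a list within a time window, and the configured actions fire on any match. The event fields, the admin list and the working-hours window are all constructed sample values.

```python
from datetime import datetime

# Constructed sample input: Windows logon events (Event ID 4624) as a SIEM might store them.
# This whole model is a hypothetical illustration, not the SGBox implementation.
SAMPLE_EVENTS = [
    {"ts": "2024-08-05T03:12:00", "user": "admin.jdoe", "host": "DC01"},
    {"ts": "2024-08-05T09:30:00", "user": "admin.jdoe", "host": "DC01"},
    {"ts": "2024-08-05T22:45:00", "user": "alice", "host": "WS07"},
    {"ts": "2024-08-05T23:05:00", "user": "admin.svc", "host": "SRV02"},
]
ADMIN_USERS = {"admin.jdoe", "admin.svc"}   # the list the query searches in
WORKING_HOURS = (8, 18)                      # 08:00 <= hour < 18:00 counts as working time

def outside_working_hours(ts: str, hours=WORKING_HOURS) -> bool:
    """Time-interval check: True when the event falls outside the working window."""
    hour = datetime.fromisoformat(ts).hour
    return not (hours[0] <= hour < hours[1])

def run_query(events, lookup, field="user", hours=WORKING_HOURS):
    """Events Query + list lookup + time window: returns the matching events."""
    return [e for e in events
            if e.get(field) in lookup and outside_working_hours(e["ts"], hours)]

def take_actions(matches, actions=("send_email", "generate_event"), watchlist=None):
    """Apply the configured actions to the results; returns a log of what fired."""
    log = []
    if not matches:                       # no results, so no actions
        return log
    if "send_email" in actions:           # one mail summarising the run
        log.append(("email", f"{len(matches)} admin logon(s) outside working hours"))
    for m in matches:
        if "generate_event" in actions:   # one new event per match
            log.append(("event", f"ADMIN_LOGON_OFFHOURS user={m['user']} host={m['host']}"))
        if "add_to_list" in actions and watchlist is not None:
            watchlist.add(m["host"])      # add a parameter (the host) to a list
            log.append(("list", m["host"]))
    return log

def scheduled_run(events=SAMPLE_EVENTS,
                  actions=("send_email", "generate_event", "add_to_list")):
    """One scheduled execution: query, then actions. Returns (matches, action log, list)."""
    watch = set()
    matches = run_query(events, ADMIN_USERS)
    return matches, take_actions(matches, actions, watch), watch
```

The 09:30 logon is dropped by the time window and the non-admin user by the list lookup, so only two events trigger actions.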
