This section describes binary query feed hits.

Binary Query Feed Hit – Example

2015-06-24 18:30:14 [13031] <warning>  reason=feed.query.hit type=module md5=6D4B29FB9307FBE8781E42B7CFDA4CE1 
sha256=F6E9D4834CBA57BCD0E77FE1D83C0B24A298B2CDEEF214ED6CC4BAB24C8DEF4E
host='WIN2008R2DC01' sensor_id=2 feed_id=18 feed_name='cbtestquery'  timestamp='1435185013.38' first_seen='' group='Default Group' desc='XML Resources' company_name='Microsoft Corporation' product_name='Microsoft XML Core Services' product_version='8.110.7600.16385' file_version='8.110.7600.16385' signed='Signed'

Binary Query Feed Hit – Default Template

reason=feed.query.hit type=module 
md5={{doc["md5"]}} 
sha256={{doc["sha256"]}}
host='{{doc.get('hostname')}}' 
sensor_id={{doc.get('sensor_id')}} 
feed_id={{doc['feed_id']}} 
feed_name='{{doc['feed_name']}}'
{% for k in doc['ioc_attr'] %} {{k}}='{{doc['ioc_attr'][k]}}'{% endfor %}  
timestamp='{{doc['event_timestamp']}}'
first_seen='{{doc["server_added_timlestamp"]}}'
group='{{doc["group"]}}' 
desc='{{doc["file_desc"]}}' 
company_name='{{doc["company_name"]}}'
product_name='{{doc["product_name"]}}'
product_version='{{doc["product_version"]}}'
file_version='{{doc["file_version"]}}' 
signed='{{doc["signed"]}}'
{% for k in doc %}{% if k.startswith("alliance_") %}
{{k}}='{{doc[k]}}'{% endif %}{% endfor %}

Binary Query Feed Hit – Key-Value Pairs

Key-value pairs for binary query feed hits are a subset of those for binary storage feed hits. See for descriptions.
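
The following Python parser is an added example, not part of the original documentation or the product's code. It splits the example line above into its header and key-value pairs, handles quoted values that contain spaces, and validates the hash fields before the event is passed on. The function name `parse_feed_hit` is hypothetical, the `timestamp` value is interpreted as epoch seconds, and the parser assumes that values contain no single quote.

```python
import re
from datetime import datetime, timezone

# The example line from this page, joined onto one line.
SAMPLE = (
    "2015-06-24 18:30:14 [13031] <warning>  reason=feed.query.hit type=module "
    "md5=6D4B29FB9307FBE8781E42B7CFDA4CE1 "
    "sha256=F6E9D4834CBA57BCD0E77FE1D83C0B24A298B2CDEEF214ED6CC4BAB24C8DEF4E "
    "host='WIN2008R2DC01' sensor_id=2 feed_id=18 feed_name='cbtestquery'  "
    "timestamp='1435185013.38' first_seen='' group='Default Group' "
    "desc='XML Resources' company_name='Microsoft Corporation' "
    "product_name='Microsoft XML Core Services' "
    "product_version='8.110.7600.16385' file_version='8.110.7600.16385' "
    "signed='Signed'"
)

# "<date> <time> [<pid>] <severity>" precedes the key-value body.
HEADER = re.compile(r"^(\S+ \S+) \[(\d+)\] <(\w+)>\s+(.*)$")
# key='quoted value' (spaces allowed, may be empty) or key=bare_token.
PAIR = re.compile(r"([A-Za-z_][\w.]*)=(?:'([^']*)'|(\S*))")
HASH_LEN = {"md5": 32, "sha256": 64}


def parse_feed_hit(line):
    """Parse one binary query feed hit line into a dict of typed fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("unrecognised syslog header")
    logged, pid, severity, body = m.groups()
    event = {"logged": logged, "pid": int(pid), "severity": severity}
    # Unknown keys (ioc_attr entries, alliance_* fields) are kept as strings.
    for key, quoted, bare in PAIR.findall(body):
        event[key] = quoted or bare
    if event.get("reason") != "feed.query.hit":
        raise ValueError("not a binary query feed hit")
    # Reject lines whose hashes are truncated or not hexadecimal.
    for name, length in HASH_LEN.items():
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, event.get(name, "")):
            raise ValueError("malformed %s" % name)
    for name in ("sensor_id", "feed_id"):
        event[name] = int(event[name])
    # Assumption: timestamp is epoch seconds; convert to an aware UTC datetime.
    event["timestamp"] = datetime.fromtimestamp(float(event["timestamp"]), tz=timezone.utc)
    event["first_seen"] = event.get("first_seen") or None  # empty string -> None
    return event
```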