This topic provides example Threat Intelligence Search query strings and their results.

Any document matching a threat intelligence feed is tagged with an alliance_score_<feed> field, where the value is a score from -100 to 100.

<feed> is the “short name” of the threat intelligence feed, such as nvd or isight.

For any threat intelligence feed, you can click the View Hits button to discover the feed’s short name.

For more information, see Threat Intelligence Feeds.

| Example Query String | Result |
|---|---|
| alliance_score_<feed>:* | Returns all binaries that have <feed> score > 0. |
| alliance_score_<feed>:10 | Returns all binaries that have <feed> score = 10. |
| alliance_score_<feed>:[10 TO 20] | Returns all binaries that have <feed> score >= 10 and <= 20. |
| alliance_score_<feed>:[10 TO *] | Returns all binaries that have <feed> score >= 10. |
| alliance_score_<feed>:[* TO 10] | Returns all binaries that have <feed> score < 10. |