This topic provides example Threat Intelligence Search query strings and their results.
Any document matching a threat intelligence feed is tagged with an `alliance_score_<feed>` field, where the value is a score from -100 to 100. `<feed>` is the “short name” of the threat intelligence feed, such as `nvd` or `isight`.
For any threat intelligence feed, you can click the View Hits button to discover the feed’s short name.
For more information, see Threat Intelligence Feeds.
| Example Query Strings | Result |
|---|---|
| alliance_score_<feed> | Returns all binaries that have <feed> score > 0. |
| alliance_score__score_ <feed> | Returns all binaries that have <feed> score = 10. |
| alliance_score__score_ <feed> | Returns all binaries that have <feed> score >= 10 and <= 20. |
| alliance_score__score_ <feed> | Returns all binaries that have <feed> score >= 10. |
| alliance_score__score_ <feed> | Returns all binaries that have <feed> score < 10. |