
Using the Cumulative Search

The Cumulative Search allows you to search for threats using multiple identifiers, either of the same kind or of different kinds. It also offers auto-complete and provides suggestions based on partially entered search identifiers.

To access the Cumulative Threat Search, follow the steps below:

  1. Log in to the IntelliZone console.

  2. Go to the Threat Search page.

  3. Click on the Cumulative button on the right side of the search box.

    [Image: the Cumulative button on the right side of the Threat Search box]

The Cumulative Search function is now enabled.

How it works

The Simple Search locates all known threats associated with a specific Indicator of Compromise (IoC). You can search for threats associated with a domain, URL, IP address, file hash, or certificate hash.

The Cumulative Search locates threats based on their association with a number of attributes. You can filter search results using the following filters:

  • threat_actor - The primary name of the actor, or one of its aliases, as described in the Bitdefender taxonomy.

  • malware_threat_family - The name of the malware family the threat is associated with.

  • country - The country of origin of the threat.

  • industry - The industry the threat originated from.

  • device_type - The type of endpoint device the threat uses to penetrate security.

  • min_score - Use this filter to search only for threats with a threat score equal to or higher than this value.

  • min_confidence - Use this filter to search only for threats with an attribution confidence equal to or higher than this value.

  • indicator - An Indicator of Compromise associated with the threat.

Cumulative Search allows you to:

  • Combine search filters of the same type - The search returns the cumulative list of all threats associated with any of the indicators.

    Note

    You can only combine country and industry search filters of the same type in one entry.

  • Combine search filters of different types - The search returns only threats that are associated with both indicators.

The search comes with the following tools to assist you:

  • The Helper tool: this feature displays a list of available indicator types.

    [Image: the Helper tool listing the available indicator types]

    To enable the tool, you can either click on the search box, or press CTRL + / on your keyboard.

    Once the list of indicators is displayed, you can click on one of the items to insert it into the text box, or start typing to get partial results based on your entry.

    [Image: the Helper tool showing partial results while typing]

  • The Autocomplete tool: this feature suggests all possible entries based on what is currently typed in the search box:

    [Image: Autocomplete suggestions for a partially typed entry (1 of 2)]
    [Image: Autocomplete suggestions for a partially typed entry (2 of 2)]

    To enable the tool, press CTRL + / on your keyboard, or type a double quote (") after a parameter.

Format

The Cumulative Search uses the following format:

<search_filter>: "<attribute_value>" AND <search_filter>: "<attribute_value>" ...

Parameter          Description
search_filter      The search filter used to filter the search results.
attribute_value    The value of the attribute to compare against.

Examples

Perform a search using a single filter:

actor_name: "Mummy Spider" 

Perform a search using multiple filters of the same type:

country: "United States"  AND country: "United Kingdom" 

Perform a search using multiple filters of different types:

country: "United States"  AND min_score: "60"

Perform a search using two filters of the same type and a third different type:

country: "United States" AND country: "United Kingdom"  AND min_score: "60"
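The following Python script is an added example and is not IntelliZone's own code; it implements a small offline model of the query format above (a parser for `<search_filter>: "<attribute_value>" AND ...`) and evaluates queries against constructed sample threat records, so that the combination rules can be checked: repeated filters of the same type are ORed, filters of different types are ANDed, only `country` and `industry` may be repeated (per the Note above), and `min_score` / `min_confidence` act as numeric thresholds. The sample records, the record field names, and the case-insensitive value comparison are assumptions made for the example; they are not documented IntelliZone behaviour.

```python
import re
from typing import Any, Dict, List

# Filters documented on the page, mapped to the (assumed) record field they apply to.
FILTERS = {
    "threat_actor": "threat_actor",
    "malware_threat_family": "malware_threat_family",
    "country": "country",
    "industry": "industry",
    "device_type": "device_type",
    "min_score": "score",            # threshold filter, numeric
    "min_confidence": "confidence",  # threshold filter, numeric
    "indicator": "indicator",
}
THRESHOLD_FILTERS = {"min_score", "min_confidence"}
# Per the page's note, only country and industry may be repeated in one query.
REPEATABLE_FILTERS = {"country", "industry"}

# One clause: a filter name, a colon, and a double-quoted value.
CLAUSE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')

# Constructed sample threat records (not real IntelliZone data). threat_actor holds the
# primary name followed by aliases; indicator holds the IoCs tied to the threat.
SAMPLE_THREATS: List[Dict[str, Any]] = [
    {"id": "T1", "threat_actor": ["Actor Alpha", "Alpha Group"],
     "malware_threat_family": "FamilyX", "country": "United States", "industry": "Finance",
     "device_type": "Workstation", "score": 80, "confidence": 70,
     "indicator": ["alpha.example", "192.0.2.10"]},
    {"id": "T2", "threat_actor": ["Actor Beta"],
     "malware_threat_family": "FamilyY", "country": "United Kingdom", "industry": "Healthcare",
     "device_type": "Server", "score": 55, "confidence": 90,
     "indicator": ["beta.example"]},
    {"id": "T3", "threat_actor": ["Actor Gamma"],
     "malware_threat_family": "FamilyX", "country": "Germany", "industry": "Finance",
     "device_type": "Mobile", "score": 90, "confidence": 40,
     "indicator": ["198.51.100.7"]},
]


def parse_query(query: str) -> Dict[str, List[str]]:
    """Parse '<filter>: "<value>" AND <filter>: "<value>" ...' into {filter: [values]}."""
    filters: Dict[str, List[str]] = {}
    pos = 0
    for i, m in enumerate(CLAUSE.finditer(query)):
        # Clauses must be separated by exactly the keyword AND (surrounding spaces allowed).
        gap = query[pos:m.start()].strip()
        if gap != ("" if i == 0 else "AND"):
            raise ValueError(f"expected AND between clauses, found {gap!r}")
        name, value = m.group(1), m.group(2).strip()
        if name not in FILTERS:
            raise ValueError(f"unknown search filter: {name}")
        if name in THRESHOLD_FILTERS and not value.isdigit():
            raise ValueError(f"{name} needs a numeric value, got {value!r}")
        if name in filters and name not in REPEATABLE_FILTERS:
            raise ValueError(f"{name} may appear only once in a query")
        filters.setdefault(name, []).append(value)
        pos = m.end()
    # Anything left over means an unquoted value or a dangling AND; no clauses means no query.
    if query[pos:].strip() or not filters:
        raise ValueError("malformed query: values must be quoted and clauses joined by AND")
    return filters


def matches(threat: Dict[str, Any], filters: Dict[str, List[str]]) -> bool:
    """Different filter types are ANDed; repeated values of one type are ORed."""
    for name, values in filters.items():
        field = threat[FILTERS[name]]
        if name in THRESHOLD_FILTERS:
            # Threshold filters cannot repeat, so a single value applies.
            if field < int(values[0]):
                return False
            continue
        # A record field may be a single string or a list (aliases, indicators).
        candidates = field if isinstance(field, list) else [field]
        # Case-insensitive comparison is an assumption of this example.
        if not any(v.casefold() == c.casefold() for v in values for c in candidates):
            return False
    return True


def search(query: str, threats: List[Dict[str, Any]] = SAMPLE_THREATS) -> List[str]:
    """Return the ids of the sample threats matching the query, in record order."""
    filters = parse_query(query)
    return [t["id"] for t in threats if matches(t, filters)]


def is_valid_query(query: str) -> bool:
    """True if the query parses under the documented format and combination rules."""
    try:
        parse_query(query)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for q in ('country: "United States"  AND country: "United Kingdom"',
              'country: "United States"  AND min_score: "60"',
              'country: "United States" AND country: "United Kingdom"  AND min_score: "60"'):
        print(f"{q} -> {search(q)}")
```

Running the script prints the matching sample ids for the three multi-filter examples above; the first query returns both the US and UK records (same type, ORed), while adding `min_score: "60"` drops the UK record whose score is below the threshold (different type, ANDed).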