malicious user email match against gcti

Question

hello teamcould you please help me with belowIf I run the search below, I was expecting to see all malicious user emails reported by GTI. However, I’m not seeing any results, even when querying data from the past year.I am able to retrieve some malicious IPs when using entity_type = "IP_ADDRESS", but the count is relatively low (around 50). I was expecting a significantly larger number of results.while working on an another secops instance i was not even about to query globalcontext on searchHas anyone experienced something similar or can confirm whether this behavior iscould you please help me here as i am looking to match for email artifacts with gcti like ip , domain , sender email , hash etcif i need to match all user email from proofpoint on demand with gcti reported malicious emails  is this the correct way

SoarAndy · Answer

NL promptgraph.metadata.source_type = "ENTITY_CONTEXT", extract date from collection_timestamp, count by date, entity type and vendor,YARA querygraph.metadata.source_type = "ENTITY_CONTEXT"$date_day = timestamp.get_date(graph.metadata.collected_timestamp.seconds)match:$date_day, graph.metadata.entity_type, graph.metadata.vendor_nameoutcome:$count = count(graph.metadata.product_entity_id)Then you can start visualising / further filtering

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded