Skip to content

DOCS-1022 - Update filters list for the hasThreatMatch function #5618

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 24, 2025
Merged

DOCS-1022 - Update filters list for the hasThreatMatch function #5618

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
09479a3
Update filters list
jpipkin1 Jul 23, 2025
0d65487
Change 'threatType' to 'threat_type'
jpipkin1 Jul 24, 2025
94c4a30
Merge branch 'main' into docs-1022-filter-fields-for-hasthreatmatch
kimsauce Jul 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 1 addition & 6 deletions docs/cse/rules/cse-rules-syntax.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -645,16 +645,11 @@ When an entity is processed by a rule using the `hasThreatMatch` function and is
Parameters:
* **`<fields>`**. A list of comma-separated [field names](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/full_schema.md). At least one field name is required.
* **`<filters>`**. A logical expression using [indicator attributes](/docs/security/threat-intelligence/upload-formats/#normalized-json-format). Allowed in the filtering are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `>=`, `!=`. <br/>You can filter on the following indicator attributes:
* `actors`. An identified threat actor such as an individual, organization, or group.
* `confidence` Confidence that the data represents a valid threat, where 100 is highest. Malicious confidence scores from different sources are normalized and mapped to a 0-100 numerical value.
* `id`. ID of the indicator.
* `indicator`. Value of the indicator, such as an IP address, file name, email address, etc.
* `killChain`. The various phases an attacker may undertake to achieve their objectives (for example, `reconnaissance`, `weaponization`, `delivery`, `exploitation`, `installation`, `command-and-control`, `actions-on-objectives`).
* `source`. The source in the Sumo Logic datastore displayed in the **Threat Intelligence** tab.
* `threatType`. The threat type of the indicator (for example, `anomalous-activity`, `anonymization`, `benign`, `compromised`, `malicious-activity`, `attribution`, `unknown`).
* `threat_type`. The threat type of the indicator (for example, `anomalous-activity`, `anonymization`, `benign`, `compromised`, `malicious-activity`, `attribution`, `unknown`).
* `type`. The indicator type (for example, `ipv4-addr`, `domain-name`, `'file:hashes`, etc.)
* `validFrom`. Beginning time this indicator is valid.
* `validUntil`. Ending time this indicator is valid.
* **`<indicators>`**. An optional case insensitive option that describes how indicators should be matched with regard to their validity. Accepted values are:
* `active_indicators`. Match active indicators only (default).
* `expired_indicators`. Match expired indicators only.
Expand Down