Maltiverse's Search Engine is a powerful tool for exploring and filtering Indicators of Compromise (IoCs) efficiently. The Lucene Query Syntax gives you precise control: you can search for specific types of indicators such as IP or hostname, use logical operators (AND, OR), and combine conditions into complex search queries. Here are some examples:
type:ip AND classification:malicious AND blacklist.description:"Cobalt Strike"
type:ip AND classification:malicious AND as_name:AS4134* AND is_distributing_malware:true
You can find a list of the fields you can use in queries in the Field reference guide section.
Maltiverse Search Engine allows you to filter IoCs with query syntax, aggregate query results, and generate queries from plain text. The following sections will go over these features.
To filter IoCs in the Maltiverse Portal, you need to:
1. Head to the left navigation menu and select Search.
For Platform plan users, if you select Platform Search, you will only filter the IoCs your organization has uploaded.
2. Type your query in the search field using the query syntax.
If you are not certain what to write, you can use the search engine's autocomplete feature.
3. Click Search or press Enter to run your search. The list of IoCs matching your query is displayed.
4. Now that you have filtered the IoCs, you can analyze the results or create a custom feed.
This feature helps you drill down into data by starting from a general search and then refining it by using query fields at your disposal. You can first run a broad query to capture a wide range of IoCs, then aggregate results by fields such as country_code, domain_keyword, or state. Based on the results, you can also apply additional filters using logical operators (AND/OR) to narrow or expand your focus, turning a high-level overview into a precise, targeted investigation.
To aggregate queries, you need to:
1. Run a simple search that matches a high number of IoCs, for example type:ip.
2. Click the Aggregate Query button to open the aggregation modal.
3. Select the fields you want to aggregate; you can select multiple fields at a time. Once you have selected the fields, close the Aggregate Query modal.
If a selected field does not have any associated IoCs, it will be deselected automatically.
4. Once you have aggregated the fields, you will see a tab for each of the aggregations.
5. Open an aggregation tab to see its results, ordered by the number of IoCs included in each result (shown on the right).
6. From here you can:
7. Clicking any of those options opens a new window with the new search results, which combine the initial query and the selected aggregation value.
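The query examples above and the drill-down flow (broad query, then refinement by an aggregated field value) can be reproduced outside the portal. The following is an added example, not Maltiverse's own code: it builds Lucene-style query strings from structured filters, validating field names and enum values against the field reference on this page, and quotes multi-word values. The field subset and the `build_query`/`drill_down` helper names are assumptions for illustration.

```python
# Added example (not Maltiverse's own code): build and refine Lucene-style
# queries for the Maltiverse search engine from structured filters, checking
# field names and enum values against the page's field reference.

# Subset of documented fields and the value types they accept (taken from the
# field reference tables on this page; the grouping is an assumption).
ENUM_FIELDS = {
    "type": {"ip", "hostname", "sample"},
    "classification": {"malicious", "suspicious", "neutral", "whitelisted"},
}
BOOL_FIELDS = {"is_cnc", "is_distributing_malware", "is_mining_pool",
               "is_phishing", "is_storing_phishing", "is_alive", "is_iot_threat"}
TEXT_FIELDS = {"blacklist.description", "blacklist.source", "as_name",
               "country_code", "city", "state", "tag", "hostname", "ip_addr",
               "filename", "antivirus.name", "md5", "sha1", "sha256",
               "blacklist.external_references.external_id"}

def _term(field: str, value) -> str:
    """Render one field:value clause, validating against the field reference."""
    if field in ENUM_FIELDS:
        if value not in ENUM_FIELDS[field]:
            raise ValueError(f"{field} must be one of {sorted(ENUM_FIELDS[field])}")
        return f"{field}:{value}"
    if field in BOOL_FIELDS:
        if not isinstance(value, bool):
            raise ValueError(f"{field} expects a boolean")
        return f"{field}:{'true' if value else 'false'}"
    if field in TEXT_FIELDS:
        value = str(value)
        # Wildcard terms such as as_name:AS4134* stay unquoted; values with
        # spaces or Lucene special characters are quoted, embedded quotes escaped.
        if value.endswith("*") and " " not in value:
            return f"{field}:{value}"
        if any(c in value for c in ' :()"&|!'):
            escaped = value.replace('"', '\\"')
            return f'{field}:"{escaped}"'
        return f"{field}:{value}"
    raise ValueError(f"unknown field: {field}")

def build_query(filters: dict, operator: str = "AND") -> str:
    """Join field filters with a single logical operator (AND or OR)."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f" {operator} ".join(_term(f, v) for f, v in filters.items())

def drill_down(base_query: str, field: str, value) -> str:
    """Refine a broad query with one aggregation bucket, like clicking an
    aggregation result in the portal."""
    return f"({base_query}) AND {_term(field, value)}"
```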
The Query Generator is a useful AI tool that allows you to use plain text to create queries for your search without having to remember the specific syntax. To use this feature follow these steps:
1. Go to the search engine and click the Generate Query button.
2. Now simply type your request, for example: Malicious IPs located in China that are distributing malware. Then, click Ask AI to generate the query in the correct syntax.
3. Once the query has been generated, click Use this query, or click the generated query itself, to run the search.
4. You will see the filtered search using the generated query.
Use any of these fields to filter and refine your queries. The expected field formats and usage examples are listed below. Keep in mind that you can also rely on the autocomplete feature.
| Field | Description |
| --- | --- |
| blacklist.description* | string. Example: Emotet |
| blacklist.source* | string. Example: Maltiverse Research Team |
| blacklist.first_seen | date (YYYY:MM:DD hh:mm:ss). First date when the blacklist blame was noticed. If not specified, it takes the current date value. This date can't point to the future and must be less than or equal to last_seen. |
| blacklist.last_seen | date (YYYY:MM:DD hh:mm:ss). Last date when the blacklist blame was noticed. If not specified, it takes the current date value. This date can't point to the future and must be greater than or equal to first_seen. |
| blacklist.external_references.source_name | string. Example: Mitre. The source within which the external reference is defined (system, registry, organization, etc.). |
| blacklist.external_references.description | string. Example: User Execution: Malicious File. A human-readable description. |
| blacklist.external_references.url | string($uri). Example: https://attack.mitre.org/techniques/T1204/002/. A URL reference to an external resource. |
| blacklist.external_references.external_id | string. Example: T1204.002. An identifier for the external reference content. |
| Field | Description |
| --- | --- |
| ip_addr* | string($ipv4). Example: 77.53.9.158 |
| type* | string. Enum: [ ip ] |
| classification* | string. Enum: [ malicious, suspicious, neutral, whitelisted ] |
| tag | string, uniqueItems: true. Example: List [ "c&c", "banker", "phishing", "compromised" ] |
| blacklist | [...] |
| creation_time | date (YYYY:MM:DD hh:mm:ss). Example: 2021-12-27 01:36:09. The date when the indicator was created. If not specified, it takes the current date value. |
| modification_time | date (YYYY:MM:DD hh:mm:ss). Example: 2021-12-27 01:36:09. The date when the indicator got its last modification. If not specified, it takes the current date value. |
| country_code | string, minLength: 2, maxLength: 2. Example: SE. Country code related to the IP address. |
| city | string. City related to the IP address. |
| state | string. State related to the IP address. |
| location | locationItem{...} |
| [...] | |
| address | string. Address related to the IP address. |
| Field | Description |
| --- | --- |
| hostname* | string. Example: paypal.com-information-update-activity-account.gq |
| type* | string. Enum: [ hostname ] |
| classification* | string. Enum: [ malicious, suspicious, neutral, whitelisted ] |
| tag | string, uniqueItems: true. Example: List [ "c&c", "banker", "phishing", "compromised" ] |
| blacklist | [...] |
| creation_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator was created. If not specified, it takes the current date value. |
| modification_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator got its last modification. If not specified, it takes the current date value. |
| is_iot_threat | boolean. Example: false. Flag that determines if the hostname performs malicious activity against Internet of Things targets. |
| is_alive | boolean. Example: false. Flag that determines if the hostname currently resolves to some IP address. |
| is_cnc | boolean. Example: false. Flag that determines if the IP address performs Command & Control activities. |
| is_distributing_malware | boolean. Example: false. Flag that determines if the IP address is distributing malware. |
| is_mining_pool | boolean. Example: false. Flag that determines if the IP address belongs to a mining pool. |
| is_storing_phishing | boolean. Example: false. Flag that determines if the hostname is currently hosting some phishing URL. |
| is_phishing | boolean. Example: false. Flag that determines if the hostname is a phishing host. |
| Field | Description |
| --- | --- |
| md5 | string, minLength: 32, maxLength: 32 |
| sha1 | string, minLength: 40, maxLength: 40 |
| sha256* | string, minLength: 64, maxLength: 64. Example: a6dd716f4ef6ec69f14720e41a9f04b577413283ddae601dba88421c0c4e4044 |
| filename | string. Example: dropper.exe |
| antivirus.name | string. Example: Trojan.Linux.Mirai.1 |
| antivirus.description | string. Example: FireEye |
| filetype | string |
| type* | string. Enum: [ sample ] |
| classification* | string. Enum: [ malicious, suspicious, neutral, whitelisted ] |
| tag | string, uniqueItems: true. Example: List [ "rat", "ransomware", "banker", "geodo" ] |
| blacklist | [...] |
| creation_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator was created. If not specified, it takes the current date value. |
| modification_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator got its last modification. If not specified, it takes the current date value. |