
The Active Indicators search tool allows filter-based searches of threat indicators by data type, threat class/property, and data provider. The indicator data returned by a search is displayed on the Active Indicators page and can be exported in CSV, JSON, and XML formats. Active Indicators searches return at most 1000 records; when all active indicator data is needed, pull it through the API with the generated curl command instead. The Active Indicators tool is available to subscribers of the BloxOne Threat Defense Business On-Premises, BloxOne Threat Defense Business Cloud, and BloxOne Threat Defense Advanced packages.

Note

SURBL Multi - FRESH Domains Feed

BloxOne Threat Defense subscribers can obtain SURBL data as RPZ feeds and can also query the indicators via Dossier. Querying SURBL indicators through Active Indicators or the TIDE API requires an additional subscription to the SURBL Multi - FRESH Domains Feed.

Viewing Active Indicators

To view active indicators, perform the following:

  1. From the Cloud Services Portal, click Research > Active Indicators.
  2. On the Active Indicators page, you can view the following information:
    • INDICATOR: The indicator itself (a host name, IP address, or URL).
    • DATA TYPE: Host, IP, and URL.
    • THREAT CLASS: The threat class, such as Phishing, MalwareC2DGA, and others.
    • THREAT PROPERTY: The nature of the threat.
    • DETECTED: The timestamp when the indicator was detected.
    • DATA PROVIDER: The data provider reporting the indicator.
    • THREAT: Threat severity rating based on a scale from 0 to 100.

Performing an Active Indicators Search Using the Filter Tool

To perform an active indicators search using the filter tool, perform the following:

  1. From the Cloud Services Portal, click Research > Active Indicators.
  2. On the Active Indicators page, you can apply filtering to select and narrow down the indicator search data you want to be returned.
    • To apply filtering, complete the following:
      • Select a DATA TYPE: Choices include Host, IP, and URL. You can choose one or more Data Types, in any combination, when selecting data type filters.
      • Select a THREAT CLASS/PROPERTY: The threat class/property list includes all active threat types. You can select one or more threat classes or properties from the list. Only class entries can be expanded, to reveal and select the properties under that class; property entries cannot be expanded further.
      • Select a DATA PROVIDER: You can select one or more Data providers as search filters.
      • After you select your filters, click Apply Filters to run the active indicators search and view the search results.

Performing an Active Indicators Search Using the Search Tool

To locate active indicators already in the system, use the search tool located below the top Action bar on the right-hand side of the Active Indicators page. Type or paste your search keywords into the search field; the system returns all active indicator data matching the search criteria you provide.

Exporting the Results from an Active Indicators Search

To export the results of an active indicators search, click Export located below the top Action bar. Select either CSV, JSON, or XML to download the data.

Using the API/CURL Command to Retrieve All Active Indicators Data

To pull all Active Indicators data through the API, perform the following:

  1. From the Cloud Services Portal, click Research > Active Indicators.
  2. Click Generate API Request to generate the curl command that downloads all records.
  3. From the Generate API Request pop-up window, copy the curl command and run it from a shell to retrieve the records. The generated command embeds the API key that authorizes the request, so treat it as a credential: do not paste it into tickets or shared chat, and rotate the key if it is exposed.
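Both the export above and the API pull leave you with a record set larger than the 1000 records the portal search will show, and the filtering then has to happen locally. The following Python script is an added example, not Infoblox code: it loads a JSON record set, applies the same three filter dimensions the filter tool offers (selections within a dimension are OR'd, dimensions are AND'd, and a class filter covers every property under that class), flags a result set that sits at the 1000-record cap, and writes the result back out as CSV. The field names (indicator, data_type, threat_class, threat_property, detected, data_provider, threat) are assumed to mirror the column headers on the Active Indicators page, and the sample records are constructed; map the names to the keys in your own export or API response.

```python
"""
Local filtering of Active Indicators records, mirroring the portal's filter
tool.  Added example, not Infoblox code.  Field names are ASSUMED to mirror
the Active Indicators column headers; adjust them to your own export.
"""
import csv
import io
import json

# Stated cap on records returned by a portal Active Indicators search.
UI_RETURN_LIMIT = 1000

FIELDS = ["indicator", "data_type", "threat_class", "threat_property",
          "detected", "data_provider", "threat"]

# Constructed sample records (not real threat data); same shape as a JSON export.
SAMPLE_JSON = json.dumps([
    {"indicator": "login-verify.example", "data_type": "HOST",
     "threat_class": "Phishing", "threat_property": "Phishing_Generic",
     "detected": "2024-01-05T10:00:00Z", "data_provider": "IID", "threat": 100},
    {"indicator": "203.0.113.7", "data_type": "IP",
     "threat_class": "MalwareC2", "threat_property": "MalwareC2_Generic",
     "detected": "2024-01-05T11:00:00Z", "data_provider": "IID", "threat": 80},
    {"indicator": "xk3j9q.example", "data_type": "HOST",
     "threat_class": "MalwareC2DGA", "threat_property": "MalwareC2DGA_Generic",
     "detected": "2024-01-06T09:30:00Z", "data_provider": "IID", "threat": 80},
    {"indicator": "http://bad.example/pay.php", "data_type": "URL",
     "threat_class": "Phishing", "threat_property": "Phishing_Brand",
     "detected": "2024-01-06T12:00:00Z", "data_provider": "SURBL", "threat": 60},
])


def load_records(json_text):
    """Parse a JSON export / API response into a list of record dicts."""
    return json.loads(json_text)


def matches(record, data_types=None, classes_or_properties=None, providers=None):
    """True when the record passes every non-empty filter dimension.

    Within a dimension the selected values are OR'd; across dimensions they
    are AND'd.  A class name in classes_or_properties matches every record of
    that class, whatever its property; a property name matches only records
    with that exact property.
    """
    if data_types and record["data_type"] not in data_types:
        return False
    if classes_or_properties and (
            record["threat_class"] not in classes_or_properties
            and record["threat_property"] not in classes_or_properties):
        return False
    if providers and record["data_provider"] not in providers:
        return False
    return True


def search(records, data_types=None, classes_or_properties=None, providers=None):
    """Apply the filters and return matching records, highest severity first."""
    hits = [r for r in records
            if matches(r, data_types, classes_or_properties, providers)]
    return sorted(hits, key=lambda r: r["threat"], reverse=True)


def possibly_truncated(results, limit=UI_RETURN_LIMIT):
    """A portal search that returns exactly the cap may have been cut off;
    treat such a result set as incomplete and use the API pull instead."""
    return len(results) >= limit


def to_csv(records):
    """Serialize records as CSV with the page's column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for r in records:
        writer.writerow({k: r.get(k, "") for k in FIELDS})
    return buf.getvalue()


if __name__ == "__main__":
    recs = load_records(SAMPLE_JSON)
    # Equivalent of ticking HOST and URL, the Phishing class, and no provider.
    phishing = search(recs, data_types={"HOST", "URL"},
                      classes_or_properties={"Phishing"})
    print(to_csv(phishing))
    if possibly_truncated(phishing):
        print("result set is at the 1000-record cap; pull the full set via the API")
```

Running the script prints the two constructed phishing records as CSV; point `load_records` at the text of a real export or API response to filter that instead.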
