Output Format Options
The Special Parameters and Output Format Template fields allow you to control the data included in your exports. The Special Parameters field lets you filter the data included in the export, and the Output Format Template field lets you specify which data points are included in the export.
You can customize these fields for a custom or duplicated export but not for the seeded exports supplied by ThreatQ.
Special Parameters Field
The Special Parameters field allows you to filter the data exported.
Examples:
Goal | Special Parameters
To export all indicators with an active status | Indicator.Status=Active
To export all CIDR Block indicators that have an active status | Indicator.Status=Active&Indicator.Type=cidr block
To export all CIDR Block indicators and IP Addresses that have an active status | Indicator.Status=Active&Indicator.Type=cidr block&Indicator.Type=ip address
To export all indicators with a score greater than or equal to 7 | Indicator.Score>=7
You can add the following parameters to an export's Special Parameters field to filter the data included in the export:
assets.status
assets.point_of_contact
assets.description
assets.Sources
assets.Attributes
assets.Indicators
assets.Adversaries
assets.Events
assets.Attachments
assets.Signatures
assets.Investigations
assets.Tasks
assets.Campaign
assets.Course_of_action
assets.Exploit_target
assets.Incident
assets.Ttp
assets.Attack_pattern
assets.Identity
assets.Intrusion_set
assets.Malware
assets.Report
assets.Tool
assets.Vulnerability
assets.Tags
assets.Assets
adversary.touched_at
adversary.deleted_at
adversary.deleted
adversary.sources_count
adversary.id
adversary.description
adversary.created_at
adversary.updated_at
adversary.Sources
adversary.sources.dates=Y
adversary.Attributes
adversary.Indicators
adversary.Adversaries
adversary.Events
adversary.Attachments
adversary.Signatures
adversary.Investigations
adversary.Tasks
adversary.Campaign
adversary.Course_of_action
adversary.Exploit_target
adversary.Incident
adversary.Ttp
adversary.Attack_pattern
adversary.Identity
adversary.Intrusion_set
adversary.Malware
adversary.Report
adversary.Tool
adversary.Vulnerability
adversary.Tags
adversary.Assets
attack_pattern.status_id
attack_pattern.status
attack_pattern.point_of_contact
attack_pattern.type_id
attack_pattern.description
attack_pattern.deleted_at
attack_pattern.deleted
attack_pattern.sources_count
attack_pattern.sources.dates=Y
attack_pattern.id
attack_pattern.status
attack_pattern.type
attack_pattern.touched_at
attack_pattern.created_at
attack_pattern.updated_at
attack_pattern.Sources
attack_pattern.Attributes
attack_pattern.Indicators
attack_pattern.Adversaries
attack_pattern.Events
attack_pattern.Attachments
attack_pattern.Signatures
attack_pattern.Investigations
attack_pattern.Tasks
attack_pattern.Campaign
attack_pattern.Course_of_action
attack_pattern.Exploit_target
attack_pattern.Incident
attack_pattern.Ttp
attack_pattern.Attack_pattern
attack_pattern.Identity
attack_pattern.Intrusion_set
attack_pattern.Malware
attack_pattern.Report
attack_pattern.Tool
attack_pattern.Vulnerability
attack_pattern.Tags
attack_pattern.Assets
campaign.status_id
campaign.type_id
campaign.description
campaign.objective
campaign.started_at
campaign.ended_at
campaign.deleted_at
campaign.deleted
campaign.sources_count
campaign.id
campaign.status
campaign.type
campaign.touched_at
campaign.created_at
campaign.updated_at
campaign.Sources
campaign.sources.dates=Y
campaign.Attributes
campaign.Indicators
campaign.Adversaries
campaign.Events
campaign.Attachments
campaign.Signatures
campaign.Investigations
campaign.Tasks
campaign.Campaign
campaign.Course_of_action
campaign.Exploit_target
campaign.Incident
campaign.Ttp
campaign.Attack_pattern
campaign.Identity
campaign.Intrusion_set
campaign.Malware
campaign.Report
campaign.Tool
campaign.Vulnerability
campaign.Tags
campaign.Assets
Course of Action
course_of_action.status_id
course_of_action.type_id
course_of_action.description
course_of_action.deleted_at
course_of_action.deleted
course_of_action.sources_count
course_of_action.sources.dates=Y
course_of_action.id
course_of_action.status
course_of_action.type
course_of_action.touched_at
course_of_action.created_at
course_of_action.updated_at
course_of_action.Sources
course_of_action.Attributes
course_of_action.Indicators
course_of_action.Adversaries
course_of_action.Events
course_of_action.Attachments
course_of_action.Signatures
course_of_action.Investigations
course_of_action.Tasks
course_of_action.Campaign
course_of_action.Course_of_action
course_of_action.Exploit_target
course_of_action.Incident
course_of_action.Ttp
course_of_action.Attack_pattern
course_of_action.Identity
course_of_action.Intrusion_set
course_of_action.Malware
course_of_action.Report
course_of_action.Tool
course_of_action.Vulnerability
course_of_action.Tags
course_of_action.Assets
event.status
event.point_of_contact
event.title
event.happened_at
event.hash
event.description
event.deleted_at
event.deleted
event.sources_count
event.id
event.type
event.touched_at
event.created_at
event.updated_at
event.Sources
event.sources.dates=Y
event.Attributes
event.Indicators
event.Adversaries
event.Events
event.Attachments
event.Signatures
event.Investigations
event.Tasks
event.Campaign
event.Course_of_action
event.Exploit_target
event.Incident
event.Ttp
event.Attack_pattern
event.Identity
event.Intrusion_set
event.Malware
event.Report
event.Tool
event.Vulnerability
event.Tags
event.Assets
exploit_target.status_id
exploit_target.type_id
exploit_target.description
exploit_target.deleted_at
exploit_target.deleted
exploit_target.sources_count
exploit_target.sources.dates=Y
exploit_target.id
exploit_target.status
exploit_target.type
exploit_target.touched_at
exploit_target.created_at
exploit_target.updated_at
exploit_target.Sources
exploit_target.Attributes
exploit_target.Indicators
exploit_target.Adversaries
exploit_target.Events
exploit_target.Attachments
exploit_target.Signatures
exploit_target.Investigations
exploit_target.Tasks
exploit_target.Campaign
exploit_target.Course_of_action
exploit_target.Exploit_target
exploit_target.Incident
exploit_target.Ttp
exploit_target.Attack_pattern
exploit_target.Identity
exploit_target.Intrusion_set
exploit_target.Malware
exploit_target.Report
exploit_target.Tool
exploit_target.Vulnerability
exploit_target.Tags
exploit_target.Assets
identity.status_id
identity.status
identity.point_of_contact
identity.type_id
identity.description
identity.contact_information
identity.deleted_at
identity.deleted
identity.sources_count
identity.sources.dates=Y
identity.id
identity.status
identity.type
identity.touched_at
identity.created_at
identity.updated_at
identity.Sources
identity.Attributes
identity.Indicators
identity.Adversaries
identity.Events
identity.Attachments
identity.Signatures
identity.Investigations
identity.Tasks
identity.Campaign
identity.Course_of_action
identity.Exploit_target
identity.Incident
identity.Ttp
identity.Attack_pattern
identity.Identity
identity.Intrusion_set
identity.Malware
identity.Report
identity.Tool
identity.Vulnerability
identity.Tags
identity.Assets
incident.status_id
incident.type_id
incident.description
incident.started_at
incident.ended_at
incident.deleted_at
incident.deleted
incident.sources_count
incident.sources.dates=Y
incident.id
incident.status
incident.type
incident.touched_at
incident.created_at
incident.updated_at
incident.Sources
incident.Attributes
incident.Indicators
incident.Adversaries
incident.Events
incident.Attachments
incident.Signatures
incident.Investigations
incident.Tasks
incident.Campaign
incident.Course_of_action
incident.Exploit_target
incident.Incident
incident.Ttp
incident.Attack_pattern
incident.Identity
incident.Intrusion_set
incident.Malware
incident.Report
incident.Tool
incident.Vulnerability
incident.Tags
incident.Assets
indicator.status_id
indicator.value
indicator.description
indicator.hash
indicator.last_detected_at
indicator.expires_at
indicator.expired_at
indicator.touched_at
indicator.deleted_at
indicator.deleted
indicator.sources_count
indicator.sources.dates=Y
indicator.id
indicator.status
indicator.type
indicator.sincedeleted
indicator.whitelisted *
indicator.score
indicator.created_at
indicator.updated_at
indicator.Sources
indicator.Attributes
indicator.Tags
indicator.Assets
* Using the indicator.whitelisted=Y flag allows whitelisted indicators to be exported. It does not filter indicators by the whitelisted status. For that option, use the indicator.status=whitelisted flag. Additionally, to include only whitelisted indicators in your export, you will need to use both flags: indicator.status=Whitelisted&indicator.whitelisted=Y
intrusion_set.status_id
intrusion_set.status
intrusion_set.point_of_contact
intrusion_set.type_id
intrusion_set.description
intrusion_set.started_at
intrusion_set.ended_at
intrusion_set.deleted_at
intrusion_set.deleted
intrusion_set.sources_count
intrusion_set.sources.dates=Y
intrusion_set.id
intrusion_set.status
intrusion_set.type
intrusion_set.touched_at
intrusion_set.created_at
intrusion_set.updated_at
intrusion_set.Sources
intrusion_set.Attributes
intrusion_set.Indicators
intrusion_set.Adversaries
intrusion_set.Events
intrusion_set.Attachments
intrusion_set.Signatures
intrusion_set.Investigations
intrusion_set.Tasks
intrusion_set.Campaign
intrusion_set.Course_of_action
intrusion_set.Exploit_target
intrusion_set.Incident
intrusion_set.Ttp
intrusion_set.Attack_pattern
intrusion_set.Identity
intrusion_set.Intrusion_set
intrusion_set.Malware
intrusion_set.Report
intrusion_set.Tool
intrusion_set.Vulnerability
intrusion_set.Tags
intrusion_set.Assets
malware.status_id
malware.status
malware.point_of_contact
malware.type_id
malware.description
malware.deleted_at
malware.deleted
malware.sources_count
malware.sources.dates=Y
malware.id
malware.status
malware.type
malware.touched_at
malware.created_at
malware.updated_at
malware.Sources
malware.Attributes
malware.Indicators
malware.Adversaries
malware.Events
malware.Attachments
malware.Signatures
malware.Investigations
malware.Tasks
malware.Campaign
malware.Course_of_action
malware.Exploit_target
malware.Incident
malware.Ttp
malware.Attack_pattern
malware.Identity
malware.Intrusion_set
malware.Malware
malware.Report
malware.Tool
malware.Vulnerability
malware.Tags
malware.Assets
report.status_id
report.status
report.point_of_contact
report.type_id
report.description
report.deleted_at
report.deleted
report.sources_count
report.id
report.status
report.type
report.touched_at
report.created_at
report.updated_at
report.Sources
report.sources.dates=Y
report.Attributes
report.Indicators
report.Adversaries
report.Events
report.Attachments
report.Signatures
report.Investigations
report.Tasks
report.Campaign
report.Course_of_action
report.Exploit_target
report.Incident
report.Ttp
report.Attack_pattern
report.Identity
report.Intrusion_set
report.Malware
report.Report
report.Tool
report.Vulnerability
report.Tags
report.Assets
signature.hash
signature.last_detected_at
signature.name
signature.status_id
signature.touched_at
signature.type_id
signature.value
signature.deleted_at
signature.deleted
signature.sources_count
signature.id
signature.status
signature.type
signature.created_at
signature.updated_at
signature.Sources
signature.sources.dates=Y
signature.Attributes
signature.Indicators
signature.Adversaries
signature.Events
signature.Attachments
signature.Signatures
signature.Investigations
signature.Tasks
signature.Campaign
signature.Course_of_action
signature.Exploit_target
signature.Incident
signature.Ttp
signature.Attack_pattern
signature.Identity
signature.Intrusion_set
signature.Malware
signature.Report
signature.Tool
signature.Vulnerability
signature.Tags
signature.Assets
The Tags parameter can match on the presence of all of the specified tags (ex: &<object>.Tags=tag1,tag2,tag3) or the presence of at least one of the specified tags (ex: &<object>.Tags=tag1|tag2|tag3).
tool.status_id
tool.status
tool.point_of_contact
tool.type_id
tool.description
tool.deleted_at
tool.deleted
tool.sources_count
tool.sources.dates=Y
tool.id
tool.status
tool.type
tool.touched_at
tool.created_at
tool.updated_at
tool.Sources
tool.Attributes
tool.Indicators
tool.Adversaries
tool.Events
tool.Attachments
tool.Signatures
tool.Investigations
tool.Tasks
tool.Campaign
tool.Course_of_action
tool.Exploit_target
tool.Incident
tool.Ttp
tool.Attack_pattern
tool.Identity
tool.Intrusion_set
tool.Malware
tool.Report
tool.Tool
tool.Vulnerability
tool.Tags
tool.Assets
ttp.status_id
ttp.status
ttp.point_of_contact
ttp.type_id
ttp.description
ttp.deleted_at
ttp.deleted
ttp.sources_count
ttp.sources.dates=Y
ttp.id
ttp.status
ttp.type
ttp.touched_at
ttp.created_at
ttp.updated_at
ttp.Sources
ttp.Attributes
ttp.Indicators
ttp.Adversaries
ttp.Events
ttp.Attachments
ttp.Signatures
ttp.Investigations
ttp.Tasks
ttp.Campaign
ttp.Course_of_action
ttp.Exploit_target
ttp.Incident
ttp.Ttp
ttp.Attack_pattern
ttp.Identity
ttp.Intrusion_set
ttp.Malware
ttp.Report
ttp.Tool
ttp.Vulnerability
ttp.Tags
ttp.Assets
vulnerability.status_id
vulnerability.status
vulnerability.point_of_contact
vulnerability.type_id
vulnerability.description
vulnerability.deleted_at
vulnerability.deleted
vulnerability.sources_count
vulnerability.sources.dates=Y
vulnerability.id
vulnerability.status
vulnerability.type
vulnerability.touched_at
vulnerability.created_at
vulnerability.updated_at
vulnerability.Sources
vulnerability.Attributes
vulnerability.Indicators
vulnerability.Adversaries
vulnerability.Events
vulnerability.Attachments
vulnerability.Signatures
vulnerability.Investigations
vulnerability.Tasks
vulnerability.Campaign
vulnerability.Course_of_action
vulnerability.Exploit_target
vulnerability.Incident
vulnerability.Ttp
vulnerability.Attack_pattern
vulnerability.Identity
vulnerability.Intrusion_set
vulnerability.Malware
vulnerability.Report
vulnerability.Tool
vulnerability.Vulnerability
vulnerability.Tags
vulnerability.Assets
Filtering by Attribute Value
You can filter your export results by a specific attribute name and value. You can view all attribute names and values in the Attribute Management tab within the Object Management page.
Example:
To create an export that only includes objects with a Confidence attribute value of High, add the following to the Special Parameters field:
indicator.Attributes[Confidence]=High
This example restricts your export to objects with a Confidence attribute set to High.
Adding Differential Flags
You can use a differential flag in the Special Parameters field to limit the output to new data. This allows you to include only new data each time the export is run instead of exporting all data.
Include the differential parameter (for example, differential=1, as in the URLs below) to limit exports to new data only.
If you have multiple systems pulling from the same export, each system should use a unique differential value:
external system 1:
https://{tq-host}/api/export/c2ab6df72e67ee13cef90f0e00981b62/?token=npc6z01pFXwfHYb5tm51hMvKQJNYecTG&differential=1
external system 2:
https://{tq-host}/api/export/c2ab6df72e67ee13cef90f0e00981b62/?token=npc6z01pFXwfHYb5tm51hMvKQJNYecTG&differential=2
Adding Parameters to the End of the URL
You can append the parameters listed above to the end of any export URL to achieve the same results. However, you lose the option of having one place to manage what is being exported via that export.
Using Export Filters
You can configure exports to output objects matching filter conditions based on comparisons such as greater than (>) or less than (<) as well as logical operators such as AND and OR. You can add these filters to the export's Special Parameters field (Output Format window) or append the filter criteria to the export's URL. Use the following examples as guidelines for creating your own export filters.
Searching using greater than, less than, or equal to
The first example captures indicators with a score greater than or equal to 5. The second example captures indicators with a score less than or equal to 5.
Special Parameters field:
indicator.score>=5
indicator.score<=5
Appended to Export URL:
&indicator.score=>=5&indicator.score=<=8
Adding multiple criteria for a single field using an AND comparison
The following example captures indicators with a score of 5 and indicators with a score of 8.
Special Parameters field:
indicator.score=5&indicator.score=8
Appended to Export URL:
&indicator.score[]=5&indicator.score[]=8
Adding a range of criteria for a single field using an AND comparison
The following example captures indicators with a score of 5, 6, 7, or 8.
Special Parameters field:
indicator.score>=5&indicator.score<=8
Appended to Export URL:
&indicator.score[]=>=5&indicator.score[]=<=8
Adding criteria for multiple fields using an OR comparison
The following example captures indicators with a score of 8 OR a status of indirect.
Special Parameters field:
indicator.score=8||indicator.status=indirect
Appended to Export URL:
&indicator.score[]=8||indicator.status[]=indirect
Adding criteria for multiple fields using an AND comparison
The following example captures indicators with a score of 8 AND a status of indirect.
Special Parameters field:
indicator.score>=8&indicator.status=indirect
Appended to Export URL:
&indicator.score[]=>=8&indicator.status[]=indirect
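As an added illustration (not ThreatQ's own code), the following Python evaluates Special Parameters filter expressions like the ones in this section and in the examples at the top of the page against a few constructed indicator records, so you can check what a filter selects before wiring it into an export. The operator semantics it implements (repeated = on one field meaning "any of these values", range operators on a field all having to hold, different fields ANDed, || as OR, case-insensitive = matching) are an assumption read off the page's examples, not documented ThreatQ behaviour.

```python
import re
# Constructed sample indicators (not ThreatQ data); only the fields the
# filters reference are modelled.
INDICATORS = [
    {"value": "198.51.100.7", "type": "ip address", "status": "Active", "score": 9},
    {"value": "203.0.113.0/24", "type": "cidr block", "status": "Active", "score": 5},
    {"value": "bad.example", "type": "fqdn", "status": "Indirect", "score": 8},
    {"value": "10.0.0.1", "type": "ip address", "status": "Expired", "score": 2},
]
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}
# object.field, one of >= <= > < =, then the value (values may contain spaces)
_CLAUSE = re.compile(r"^(\w+)\.(\w+)(>=|<=|>|<|=)(.+)$")

def parse_filter(expr):
    """OR-alternatives ('||'), each a list of (field, op, value) joined by '&'."""
    groups = []
    for alt in expr.split("||"):
        clauses = []
        for raw in alt.split("&"):
            m = _CLAUSE.match(raw.strip())
            if not m:
                raise ValueError(f"unparseable clause: {raw!r}")
            _obj, field, op, val = m.groups()  # object prefix is not checked here
            clauses.append((field, op, val.strip()))
        groups.append(clauses)
    return groups

def _ok(record, field, op, val):
    actual = record.get(field.lower())  # page mixes Indicator.Type and indicator.type
    if actual is None:
        return False
    if op == "=":  # assumed: case-insensitive string comparison
        return str(actual).lower() == val.lower()
    return _OPS[op](float(actual), float(val))

def matches(record, groups):
    """Assumed semantics, read off the page's examples: repeated '=' on one
    field means 'any of these values' (the URL '[]=' form), range operators
    on a field must all hold, different fields are ANDed, '||' ORs groups."""
    for clauses in groups:
        by_field = {}
        for f, op, v in clauses:
            by_field.setdefault(f, []).append((op, v))
        def field_ok(f, c):
            eq = [v for o, v in c if o == "="]
            return (not eq or any(_ok(record, f, "=", v) for v in eq)) and \
                all(_ok(record, f, o, v) for o, v in c if o != "=")
        if all(field_ok(f, c) for f, c in by_field.items()):
            return True
    return False

def filter_values(expr, records=INDICATORS):
    groups = parse_filter(expr)  # values an export with this filter would include
    return [r["value"] for r in records if matches(r, groups)]
```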
Output Format Template Field
You can use the template examples provided by ThreatQuotient as a baseline for your exports or you can add your own export parameters to the Output Template field.
Inserting Variables
The Insert Variable button above the field allows you to select from a drop-down list of variables based on the object type included in the export. To insert a variable, click the location for the variable, click the Insert Variable button, and select the variable from the drop-down list.
Template Format
The Output Format Template field allows you to control exactly how your data is printed out within an export.
When formatting your output template, you must wrap all of your declarations within a loop as shown in the following example:
{foreach $data as $indicator}
Your variables go here
{/foreach}