@fhightower
Last active May 16, 2020 02:01
List of helpful TQL (ThreatConnect Query Language) Queries and Browse Screen Views for ThreatConnect

View tasks assigned to me that are not completed or deferred:

typeName in ("Task") and taskAssignee = me and taskStatus != "Completed" and taskStatus != "Deferred"

View internationalized domains:

typeName in ("Host", "URL") and summary contains "xn--"
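An added example (not part of the original gist): because the query matches `xn--` anywhere in the summary, it also returns hosts and URLs where the string sits mid-label or in a URL path. This Python code post-filters exported summaries down to names with a real punycode label and decodes them to Unicode for review; the sample summaries and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # IDNA prefix marking a punycode-encoded DNS label

# Constructed sample summaries, as a Host/URL export from the query might look.
SAMPLES = [
    "xn--mnchen-3ya.de",
    "https://xn--bcher-kva.example/path",
    "fooxn--bar.example.com",                # substring match, not an IDN label
    "http://example.com/download/xn--test",  # xn-- only in the URL path
]


def hostname_of(summary):
    """Return the lowercase host part of a Host or URL indicator summary."""
    s = summary.strip()
    if "://" in s:
        return (urlsplit(s).hostname or "").lower()
    return s.split("/")[0].rstrip(".").lower()


def decode_idn(summary):
    """Return the host in Unicode, or None if no label is valid punycode."""
    decoded, found = [], False
    for label in hostname_of(summary).split("."):
        if label.startswith(ACE_PREFIX):
            try:
                label = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
                found = True
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        decoded.append(label)
    return ".".join(decoded) if found else None


def triage(summaries):
    """Split query results into real IDNs (with Unicode form) and false hits."""
    idns, other = {}, []
    for s in summaries:
        host = decode_idn(s)
        if host is None:
            other.append(s)
        else:
            idns[s] = host
    return idns, other


if __name__ == "__main__":
    idns, other = triage(SAMPLES)
    for raw, uni in idns.items():
        print(f"{raw} -> {uni}")
    print("not IDN:", other)
```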

View over 50 security blogs in ThreatConnect:

https://app.threatconnect.com/auth/browse/index.xhtml?filters=typeName%20in%20(%22Incident%22)&intelType=groups&owners=10666

(More details here: https://threatconnect.com/blog/ingest-technical-blogs-reports/)

Find indicators whose summary or tag contains 'wanna':

typeName in ("Host", "Address", "EmailAddress", "File", "URL") and (summary like "%wanna%" or tag like "%wanna%")

Find security blog posts in a certain language:

typeName in ("Adversary", "Campaign", "Document", "Email", "Incident", "Signature", "Threat", "Task") and attribute1884 = "fr"

Note: This works in the Technical Blogs and Reports Source. In the example above, it will show blog posts in French (hence the fr).


You can see a basic overview and some more examples here and here.
