@wesinator
Forked from fhightower/tql_queries.md
Last active October 21, 2019 23:38
List of helpful TQL (ThreatConnect Query Language) Queries and Browse Screen Views for ThreatConnect

View tasks assigned to me that are not completed or deferred:

typeName in ("Task") and taskAssignee = me and taskStatus != "Completed" and taskStatus != "Deferred"

View internationalized domains:

typeName in ("Host", "URL") and summary contains "xn--"

View over 50 security blogs in ThreatConnect:

https://app.threatconnect.com/auth/browse/index.xhtml?filters=typeName%20in%20(%22Incident%22)&intelType=groups&owners=10666

(More details here: https://threatconnect.com/blog/ingest-technical-blogs-reports/)

Find indicators whose summary (the indicator value itself) or tag contains 'wanna' (note that `%` is the TQL LIKE wildcard, so this matches the term anywhere in the string):

typeName in ("Host", "Address", "EmailAddress", "File", "URL") and (summary like "%wanna%" or tag like "%wanna%")

Find occurrences of a given filename:

fileName = "posh443.ps1"

Find security blog posts in a certain language:

typeName in ("Adversary", "Campaign", "Document", "Email", "Incident", "Signature", "Threat", "Task") and attribute1884 = "fr"*

* This works in the Technical Blogs and Reports source, where attribute 1884 is the language attribute; attribute IDs are specific to a source, so check the ID in your own instance. In the example above it returns blog posts in French (hence the "fr").


You can see a basic overview and some more examples here and here.
