Threat Queries that are created and run with TICE Environment enabled gather intelligence from the TICE cloud.
1. Navigate to Search and type keyword(s) for the desired data into the search field. Once the field is filled, the button for saving as a Threat Query will be enabled.
2. Next, click on TICE Environment to enable it. You can save the search as a Threat Query even if no search results are returned.
3. Next, confirm that the Threat Query was saved by navigating to Workflow, then to Threat Queries. Click on TICE Environment to view a list of your saved queries.
4. A Threat Query can be triggered by clicking on Run now under the Actions column.
Checking for Results
About 15 minutes after creating a Threat Query, options for checking results will become available.
Option A: Go to the TICE Module's Validation page to check for intelligence data items related to the query.
Option B: Go back to a saved query on scoutTHREAT (Workflows -> Threat Queries), click on the query, then check to see if any results have populated on the page.
Option C: In scoutTHREAT, go to Search, click to enable TICE Environment, and perform another search for the same term(s) used previously. If any cloud results appear, click on Download in TICE.
Next, go to the TICE Module's Validation page to look for the item originally selected for download, then proceed with validating the item.
For more information on validating TICE Module intelligence items, see: