scoutTHREAT - Workflow Example: Threat Queries

Guided example on using Threat Queries

Written by Benjamin Dewey
Updated over a week ago

Let's imagine a scenario where you have been assigned to investigate a new malware called Angel Claw, but there is little or no intelligence about it in your scoutTHREAT system. Follow these steps for using Threat Queries and TICE to help you with this task.

1. Start with a search in scoutTHREAT to see if any intelligence exists. Make sure you do your search with and without TICE Environment enabled.

2. Next, with TICE Environment enabled, click on Save as Threat Query.

3. Save the query under the term you used for your search; in this example we'll save it as Angel Claw. After saving, a banner will display confirming that the query was saved.

4. Next, navigate to Threat Queries (Workflow -> Threat Queries) and click to enable TICE Environment on the page.

5. Look for the query you saved, then click on it. Use the pagination arrows at the bottom of the table to reach the most recently added queries.

6. You can take two actions on this page.

#1 - When you click this icon (the three dots), you will be taken back to the search section to re-run your search.

#2 - When you click this icon (the pencil), you will be able to edit the contents of the query, including its name and filters, and add a description. If you make any edits, click the checkmark icon to save.

7. After making edits and saving your query, return to the Threat Queries list, search for your query again, and click Run Now to trigger it. TICE will search for the intelligence you need in the background.

8. After creating your Threat Query and waiting about 15 minutes, you have a few options for checking whether any results or intelligence items came back from the cloud.

Option A: Go to the TICE Module's Validation page to check for intelligence data items related to your query.

Option B: Go back to your saved query on scoutTHREAT (Workflows -> Threat Queries), click on your query, then check to see if any results have populated on the page. In this example, we can see that the cloud contains a report about the malware.

Option C: In scoutTHREAT, go to Search, click to enable TICE Environment, and do another search for the term(s) you were looking for. If any cloud results appear, click on Download in TICE. Next, go to the TICE Module's Validation page to look for the item you clicked to download, then proceed with validating the item.

9. For this scenario, we'll follow Option C, but instead of navigating to Search, just click the icon with the three dots on the query page to re-run the search.

10. Now, click to enable TICE Environment on the search page to see if any intelligence items for *Angel Claw* exist in the cloud. For this example, we see that a report has been found. Click on Download in TICE.

11. In order to view the report contents and download the item to scoutTHREAT, you must first go through the validation process in the TICE Module. Navigate to the Validation page and use the pagination arrows at the bottom of the table to access the latest cloud downloads. Once you find the report, click on Review.

12. Now, follow the steps for validating new TICE intelligence items and downloading them to scoutTHREAT; see:

13. After completing the validation process on scoutTHREAT, go to the list of Information Reports and click to view the newly downloaded intelligence on Angel Claw.
