Using SUBQUERY

Greetings to everyone

I would like to get more information about how “SUBQUERY” works.

I have the following rule: where(SUBQUERY(“TOR Exit Node”)

Thanks in advance for any advice

Subqueries are utilized by our Threat Intelligence Detection Engineering team to build and maintain rules with dynamic IOCs; these IOCs for TOR exit nodes are constantly updated, so instead of updating the rule we update the subqueries. These are not exposed to customers currently. We can provide a snapshot of a current subquery, but it would potentially become stale relatively soon, as we continuously update it based on new information, as well as aging out known good IPs after a time.

David

1 Like

David thanks for your answer.

However now I have the following doubts:

  1. Could you help me by providing a snapshot of the subquery? I would like to know how it works and how it gets the data.
  2. I understand that subqueries are used by the Threat Intelligence Detection team. I would like to know if I can use or create a subquery, and if so, how I could use it.
  3. I would like to know if there is an option to automate the import of IOCs, and additionally how I could use them in a query. Example: I add a threat “IoCs” that contains different hashes, and I would like to create a query to see if a hash matches my “IoCs” list.

Thank you in advance for any advice, I am sorry to have so many doubts.

  1. Please raise a support ticket for this request, I cannot share the contents on this forum.
  2. No, you cannot; however, you can use variables, which are similar. See Use Variables in Queries | InsightIDR Documentation
  3. Yes, you could automate the import of IOCs into an aforementioned variable using the API. See https://docs.rapid7.com/insightidr/log-search-api/#operation/Manage-LEQL-Variables
    Alternatively, we also have our community threat feature specifically for hashes: InsightIDR API Documentation
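The pattern David describes (a dynamic IOC list that is refreshed from a feed, aged out over time, and then pushed into a LEQL variable rather than hard-coded into the rule) can be reproduced on the customer side with a variable. The following is an added example written for this thread, not code from Rapid7 or the InsightIDR product. The `hash` field name, the `/log_search/query/variables` path and the `{"variable": {"name", "value"}}` body shape are assumptions to be checked against the linked API documentation; the hashes and timestamps are constructed sample data. The request is only built, not sent, so the script runs offline.

```python
"""Keep a hash IOC list fresh, age out stale entries, and turn the active
set into a LEQL IN clause or a variable payload for the Log Search API.
Added example for this forum thread; not Rapid7's own code."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Ioc:
    value: str
    first_seen: datetime
    last_seen: datetime


class IocList:
    """IOC store with last-seen tracking so old indicators age out."""

    def __init__(self, max_age_days: int = 30):
        self.max_age = timedelta(days=max_age_days)
        self._iocs = {}

    def ingest(self, values, seen_at):
        # Normalise hashes (strip, lowercase) and refresh last_seen on re-observation.
        for raw in values:
            v = raw.strip().lower()
            if not v:
                continue
            prev = self._iocs.get(v)
            first = prev.first_seen if prev else seen_at
            self._iocs[v] = Ioc(v, first, seen_at)

    def active(self, now):
        # Indicators still seen within the age-out window, sorted for stable output.
        cutoff = now - self.max_age
        return sorted(i.value for i in self._iocs.values() if i.last_seen >= cutoff)

    def age_out(self, now):
        # Drop indicators not re-observed within the window; return what was removed.
        cutoff = now - self.max_age
        stale = sorted(v for v, i in self._iocs.items() if i.last_seen < cutoff)
        for v in stale:
            del self._iocs[v]
        return stale


def leql_in_clause(field, values):
    """Build a LEQL where(...) clause; 'field' is whatever your log source uses
    for the hash (assumption: 'hash')."""
    quoted = ", ".join(json.dumps(v) for v in values)
    return f"where({field} IN [{quoted}])"


def variable_request(name, values, api_key, region="us"):
    """Describe (not send) the API call that would set the LEQL variable.
    URL path and body layout are assumptions; verify against the docs."""
    return {
        "method": "POST",
        "url": f"https://{region}.api.insight.rapid7.com/log_search/query/variables",
        "headers": {"X-Api-Key": api_key, "Content-Type": "application/json"},
        "body": {"variable": {"name": name,
                              "value": ", ".join(json.dumps(v) for v in values)}},
    }


def matches(event, field, values):
    """Local check of one log event against the active IOC set."""
    v = event.get(field)
    return v is not None and v.lower() in set(values)


def demo():
    # Constructed sample data: three fake SHA-256-length strings and two feed pulls.
    hash_a, hash_b, hash_c = "a1" * 32, "b2" * 32, "c3" * 32
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1 = t0 + timedelta(days=40)

    iocs = IocList(max_age_days=30)
    iocs.ingest([hash_a.upper(), hash_b], t0)   # first feed pull
    iocs.ingest([hash_b, hash_c], t1)           # second pull: A not seen again

    active = iocs.active(t1)
    aged_out = iocs.age_out(t1)
    return {
        "active": active,
        "aged_out": aged_out,
        "leql": leql_in_clause("hash", active),
        "hit": matches({"hash": hash_b.upper()}, "hash", active),
        "miss": matches({"hash": hash_a}, "hash", active),
        "request": variable_request("my_iocs", active, "PLACEHOLDER_API_KEY"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the indicator seen only in the first feed pull dropping out after the 30-day window while the re-observed one stays, which is the "aging out" behaviour the subquery maintainers describe; the returned request dict is what a scheduler would actually POST once the assumed endpoint and body are confirmed.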