Overview
The Aggregate Query by Field feature in Maltiverse helps you quickly group and count search results by specific fields within Indicators of Compromise (IoCs). This feature is especially useful for security analysts and incident responders who need to explore patterns or pinpoint particular attributes within large datasets.
With this functionality, you can:
- Run a query on the IoC dataset
- Aggregate the results by one or more fields (for example, blacklist.external_references.external_id)
- See the distinct values for those fields, along with a count of how many results each value represents
- Refine your query in real time by adding additional field-based filters with logical operators (AND or OR)
This guide explains how to use the Aggregate Query by Field feature and highlights best practices for performing deeper analysis on your data.
Accessing the Aggregation Feature #
- Navigate to IoC Search
Go to the IoC Search page in Maltiverse. In the main search bar, type or paste the query you want to run. This query can be as broad or as specific as you like.
- Run Your Query
Click Search (the magnifying glass icon) to get results. You should see the number of IoCs found for your query, along with any matching records listed below.
- Open the Aggregation Modal
In the top-right corner, you'll find a button marked with a +. Click it to open the Aggregate Query by Field modal.

Selecting Fields to Aggregate #
Within the Aggregate Query modal, you'll see a multi-select drop-down that lists all the fields currently available in the IoC data model:

You can select one, several, or all of these fields. Each field you choose will be aggregated separately.
When you have chosen your fields, a new tab will be opened in the background of the IoC Search result view.
Viewing the Aggregations #
After you click Aggregate, a new tab appears in your search results labeled with the selected field(s). In that section, you’ll see something like:

Each row shows a distinct field value and the count of how many IoCs match that value within the current result set.
Drilling Down into the Data #
Seeing which values dominate a particular field can be extremely useful. For instance, if you aggregated on blacklist.external_references.external_id, you might quickly find that certain TTP IDs, software designations, or malware family codes appear at the top of the list. This helps you identify trending threats or frequently seen indicators across your entire dataset.
Refine Results with AND/OR Queries #
Each value in the aggregation list has two action links: AND add to query and OR add to query. Clicking on one of these links will open a new browser tab in Maltiverse with a refined (or expanded) query.
- AND add to query
Appends an AND condition to your original query, further restricting the results to only IoCs that match both your current criteria and the chosen value.
- OR add to query
Appends an OR condition, broadening the results to any IoCs that match your current criteria or the chosen value.

This approach allows you to pivot effortlessly:
- Start Broad – Begin with a general search.
- Aggregate – Identify top field values to explore.
- Drill Down – Use AND add to query to narrow the focus further or OR add to query to expand the scope of your investigation.
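To make the aggregation and the AND/OR pivot concrete, here is an added Python example (not Maltiverse code) that reproduces both steps over a few constructed IoC records. The field names are the ones used on this page; the nested record layout under blacklist and the in-memory pivot are assumptions made for the example.

```python
from collections import Counter

# Constructed sample IoCs (not real Maltiverse data); the nested layout is an assumption.
SAMPLE_IOCS = [
    {"ip_addr": "198.51.100.10", "blacklist": [
        {"source": "feed-a", "labels": ["phishing"],
         "external_references": [{"external_id": "T1566"}]}]},
    {"ip_addr": "198.51.100.11", "blacklist": [
        {"source": "feed-a", "labels": ["malware", "c2"],
         "external_references": [{"external_id": "T1566"}, {"external_id": "S0154"}]}]},
    {"ip_addr": "198.51.100.12", "blacklist": [
        {"source": "feed-b", "labels": ["c2"], "external_references": []}]},
]

def field_values(node, path):
    """Yield every scalar reachable via a dotted path such as
    blacklist.external_references.external_id, fanning out over lists.
    A trailing ".keyword" (exact-match sub-field) names the same value."""
    if isinstance(node, list):
        for item in node:
            yield from field_values(item, path)
    elif not path:
        if isinstance(node, (str, int, float)):
            yield node
    else:
        head, _, rest = path.partition(".")
        if head == "keyword":
            yield from field_values(node, rest)
        elif isinstance(node, dict) and head in node:
            yield from field_values(node[head], rest)

def aggregate(records, path):
    """Distinct values of `path` with the number of IoCs carrying each one,
    most frequent first; an IoC counts once per value even if it repeats."""
    counts = Counter()
    for rec in records:
        counts.update(set(field_values(rec, path)))
    return counts.most_common()

def pivot(all_records, current_results, path, value, operator):
    """Emulate 'AND add to query' / 'OR add to query' on in-memory data:
    AND keeps only current results holding `value`; OR adds every IoC
    holding it (the real feature opens a new tab with the refined query)."""
    hits = {id(r) for r in all_records if value in set(field_values(r, path))}
    if operator == "AND":
        return [r for r in current_results if id(r) in hits]
    if operator == "OR":
        seen = {id(r) for r in current_results}
        return current_results + [r for r in all_records if id(r) in hits and id(r) not in seen]
    raise ValueError("operator must be AND or OR")
```

Running aggregate over the sample set on blacklist.external_references.external_id ranks T1566 first, and pivoting the T1566 results with AND on the label c2 narrows them to a single IoC while OR widens them to all three.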
Practical Use Cases #
- Threat Hunting
When investigating a campaign, you might search broadly for a related indicator. From there, use Aggregate Query by Field to see which threat actor IDs, techniques (MITRE ATT&CK references), or software references appear most frequently.
- Incident Response
After seeing an unusually large result set, you can quickly pivot on fields like IP addresses, domains, or external references to identify exactly which malicious entities are most relevant.
- Intelligence Analysis
Threat intelligence teams can leverage the aggregation counts to discover how often certain TTP IDs (like T1566) appear in a given cluster of IoCs, potentially exposing patterns in adversarial behavior.
Tips and Best Practices #
- Combine Multiple Fields: You can select multiple fields at once (e.g., blacklist.labels.keyword and blacklist.source.keyword) to gain broader visibility into how different attributes correlate.
- Use for Baseline Monitoring: Regularly running queries and aggregations can help you build a baseline of what "normal" looks like in your environment.
- Stay Organized with Tabs: Each aggregation or additional filter opens a new tab, which makes it easier to compare different pivoted queries without losing your initial results.
Conclusion #
The Aggregate Query by Field feature is a powerful capability that enables rapid exploration of large datasets in Maltiverse. By grouping IoCs by selected fields and providing quick pivot options (AND/OR), you can swiftly drill down or expand your searches, revealing deeper insights into threats, threat actors, malware families, or any other IoC attributes. This functionality is particularly valuable for incident responders and threat intelligence analysts who need to move quickly through large volumes of indicators to uncover key patterns and relationships.