Added search to populate opencti_lookup

Author: CTIBurn0ut

TA-opencti-add-on/default/savedsearches.conf

@@ -35,6 +35,25 @@ alert.suppress = 0
 alert.track = 0
 action.summary_index = 0
 
+[Update OpenCTI Lookup]
+search = search `opencti_index` sourcetype="opencti:indicator" (event="create" OR event="update" OR event="delete") earliest=-15m latest=now \
+| eval delete_flag=if(event="delete", "true", null()) \
+| table id, _key, created, created_at, created_by, created_by_ref, description, detection, indicator_types, input_name, lang, main_observable_type, markings, modified, name, object_marking_refs, pattern, pattern_type, revoked, score, spec_version, type, updated_at, valid_from, valid_until, value, delete_flag \
+| append [ | inputlookup opencti_lookup ] \
+| stats latest(*) as * by id \
+| where isnull(delete_flag) \
+| fields - delete_flag \
+| outputlookup opencti_lookup
+description = Updates the opencti_lookup lookup with new and updated indicators, while flagging deleted ones.
+schedule = */5 * * * *
+enabled = 1
+dispatch.earliest_time = -15m
+dispatch.latest_time = now
+cron_schedule = */5 * * * *
+alert.suppress = 0
+alert.track = 0
+action.summary_index = 0
+
 [Update OpenCTI Threat Intelligence]
 search = search index=opencti_stream sourcetype="opencti:indicator" (event="create" OR event="update" OR event="delete") earliest=-15m latest=now \
 | eval delete_flag=if(event="delete", "true", null()) \