Display List of Top 10 Malware Families

Display most frequent malware families

This is a query example for the Top 10 Malware Families widget in the CrowdStrike Intel Indicators: Overview dashboard of the crowdstrike/intel-indicators package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{{Aggregate}} 2[\Add Field/] 3[\Add Field/] 4[\Add Field/] 5[(Function)] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> result
logscale
top("malware_families[0]")
| split(malware_families)
| Count := rename(_count)
| "Malware Family" := rename(malware_families[0])
| table(["Malware Family", "Count"])

Introduction

This widget is used to identify and display the most frequently occurring malware families in the dataset, helping analysts understand the predominant malware threats.

In this widget, the top() and split() functions are used to identify the most common malware families, while rename() and table() format the results for display.

Example incoming data might look like this:

@timestamp#error#repo#type@error@error_msg@error_msg[0]@error_msg[1]@event_parsed@id@ingesttimestamp@rawstring@timestamp.nanos@timezone_markeractors[0]actors[1]deleteddomain_types[0]idindicatorip_address_types[0]kill_chains[0]labels[0].created_onlabels[0].last_valid_onlabels[0].namelabels[1].created_onlabels[1].last_valid_onlabels[1].namelabels[2].created_onlabels[2].last_valid_onlabels[2].namelabels[3].created_onlabels[3].last_valid_onlabels[3].namelabels[4].created_onlabels[4].last_valid_onlabels[4].namelabels[5].created_onlabels[5].last_valid_onlabels[5].namelast_updatedmalicious_confidencemalware_families[0]published_datethreat_types[0]threat_types[1]type
2026-01-15T14:42:01 auto-dashboard-queriesCS_Intel_Indicators     VAq2qyZrM0xlcuqUmqUNchHO_2_204_17684881212026-01-15T14:42:01{"_marker":"1596041942bdd628471893b18bec97d0b4d6edd659","actors":["APT29"],"deleted":false,"domain_types":[],"id":"domain_malicious-site.com","indicator":"192.168.2.143","ip_address_types":["C2"],"kill_chains":["C2"],"labels":[{"created_on":"2026-01-15T14:42:01.002Z","last_valid_on":"2026-01-15T14:42:01.002Z","name":"Malware/Qakbot"},{"created_on":"2026-01-15T14:42:01.002Z","last_valid_on":"2026-01-15T14:42:01.002Z","name":"ThreatType/Criminal"},{"created_on":"2026-01-15T14:42:01.002Z","last_valid_on":"2026-01-15T14:42:01.002Z","name":"Status/Inactive"}],"last_updated":"2026-01-15T14:42:01.002Z","malicious_confidence":"high","malware_families":["Qakbot"],"published_date":"2026-01-15T14:42:01.002Z","relations":[],"reports":[],"targets":[],"threat_types":["Malware"],"type":"ip","vulnerabilities":[]} 32b5b8ff1be8633d9978fa0c3b5ae4da0Z1596041942bdd628471893b18bec97d0b4d6edd659APT29 false domain_malicious-site.com192.168.2.143C2C22026-01-15T14:42:01.002Z2026-01-15T14:42:01.002ZMalware/Qakbot2026-01-15T14:42:01.002Z2026-01-15T14:42:01.002ZThreatType/Criminal2026-01-15T14:42:01.002Z2026-01-15T14:42:01.002ZStatus/Inactive         2026-01-15T14:42:01.002ZhighQakbot2026-01-15T14:42:01.002ZMalware ip
2026-01-15T14:42:01 auto-dashboard-queriesCS_Intel_Indicators     VAq2qyZrM0xlcuqUmqUNchHO_2_205_17684881212026-01-15T14:42:02{"_marker":"1596041943aef739582904c29cfd08e1c5e7fee760","actors":["Lazarus Group","Fancy Bear"],"deleted":false,"domain_types":["DGA"],"id":"domain_evil-host.net","indicator":"malicious-domain.com","ip_address_types":[],"kill_chains":["Reconnaissance"],"labels":[{"created_on":"2026-01-15T14:42:01.793Z","last_valid_on":"2026-01-15T14:42:01.793Z","name":"Malware/Emotet"},{"created_on":"2026-01-15T14:42:01.793Z","last_valid_on":"2026-01-15T14:42:01.793Z","name":"DomainType/DGA"},{"created_on":"2026-01-15T14:42:01.793Z","last_valid_on":"2026-01-15T14:42:01.793Z","name":"ThreatType/Banking"},{"created_on":"2026-01-15T14:42:01.793Z","last_valid_on":"2026-01-15T14:42:01.793Z","name":"Status/Active"}],"last_updated":"2026-01-15T14:42:01.793Z","malicious_confidence":"medium","malware_families":["Emotet"],"published_date":"2026-01-15T14:42:01.793Z","relations":[],"reports":[],"targets":[],"threat_types":["Ransomeware","Phishing"],"type":"domain","vulnerabilities":[]} 32b5b8ff1be8633d9978fa0c3b5ae4da0Z1596041943aef739582904c29cfd08e1c5e7fee760Lazarus GroupFancy BearfalseDGAdomain_evil-host.netmalicious-domain.com Reconnaissance2026-01-15T14:42:01.793Z2026-01-15T14:42:01.793ZMalware/Emotet2026-01-15T14:42:01.793Z2026-01-15T14:42:01.793ZDomainType/DGA2026-01-15T14:42:01.793Z2026-01-15T14:42:01.793ZThreatType/Banking2026-01-15T14:42:01.793Z2026-01-15T14:42:01.793ZStatus/Active      2026-01-15T14:42:01.793ZmediumEmotet2026-01-15T14:42:01.793ZRansomewarePhishingdomain
2026-01-15T14:42:02 auto-dashboard-queriesCS_Intel_Indicators     VAq2qyZrM0xlcuqUmqUNchHO_2_206_17684881222026-01-15T14:42:02{"_marker":"1596041944bcf840693015d30dge19f2d6f8gff871","actors":[],"deleted":false,"domain_types":["Phishing"],"id":"domain_phishing-portal.org","indicator":"evil-site.net","ip_address_types":[],"kill_chains":["Weaponization"],"labels":[{"created_on":"2026-01-15T14:42:02.362Z","last_valid_on":"2026-01-15T14:42:02.362Z","name":"Malware/TrickBot"},{"created_on":"2026-01-15T14:42:02.362Z","last_valid_on":"2026-01-15T14:42:02.362Z","name":"DomainType/Phishing"},{"created_on":"2026-01-15T14:42:02.362Z","last_valid_on":"2026-01-15T14:42:02.362Z","name":"ThreatType/Ransomware"},{"created_on":"2026-01-15T14:42:02.362Z","last_valid_on":"2026-01-15T14:42:02.362Z","name":"Status/Historic"},{"created_on":"2026-01-15T14:42:02.362Z","last_valid_on":"2026-01-15T14:42:02.362Z","name":"KillChain/C2"},{"created_on":"2026-01-15T14:42:02.362Z","last_valid_on":"2026-01-15T14:42:02.362Z","name":"MaliciousConfidence/High"}],"last_updated":"2026-01-15T14:42:02.362Z","malicious_confidence":"low","malware_families":["TrickBot"],"published_date":"2026-01-15T14:42:02.362Z","relations":[],"reports":[],"targets":[],"threat_types":["Malware"],"type":"domain","vulnerabilities":[]} 32b5b8ff1be8633d9978fa0c3b5ae4da0Z1596041944bcf840693015d30dge19f2d6f8gff871  falsePhishingdomain_phishing-portal.orgevil-site.net Weaponization2026-01-15T14:42:02.362Z2026-01-15T14:42:02.362ZMalware/TrickBot2026-01-15T14:42:02.362Z2026-01-15T14:42:02.362ZDomainType/Phishing2026-01-15T14:42:02.362Z2026-01-15T14:42:02.362ZThreatType/Ransomware2026-01-15T14:42:02.362Z2026-01-15T14:42:02.362ZStatus/Historic2026-01-15T14:42:02.362Z2026-01-15T14:42:02.362ZKillChain/C22026-01-15T14:42:02.362Z2026-01-15T14:42:02.362ZMaliciousConfidence/High2026-01-15T14:42:02.362ZlowTrickBot2026-01-15T14:42:02.362ZMalware domain
2026-01-15T14:42:03trueauto-dashboard-queriesCS_Intel_IndicatorstrueCould not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSON | Error finding timestamp. Unknown field: "last_updated"Could not parse json for field=@rawstring msg=Could not handle input. reason=Could not parse JSONError finding timestamp. Unknown field: "last_updated"falseDny5CTK5iIJyunQyWbcL4fEA_2_67_17684881232026-01-15T14:42:03{ "_marker": "1596041945cda951704126e41ehf20a3e7a9haa982", "actors": [], "deleted": true, "domain_types": [ "C2" ], "id": "ip_192.168.1.100", "indicator": "phishing-portal.org", "ip_address_types": [], "kill_chains": [ "Delivery" ], "labels": [ { "created_on": 1710340124, "last_valid_on": 1710343724, "name": "Malware/Dridex" }, { "created_on": 1710347324, "last_valid_on": 1710350924, "name": "DomainType/C2" }, { "created_on": 1710354524, "last_valid_on": 1710358124, "name": "ThreatType/APT" }, { "created_on": 1710361724, "last_valid_on": 1710365324, "name": "Status/Confirmed" }, { "created_on": 1710368924, "last_valid_on": 1710372524, "name": "KillChain/Reconnaissance" }, { "created_on": 1710376124, "last_valid_on": 1710379724, "name": "MaliciousConfidence/Medium" }, { "created_on": 1710383324, "last_valid_on": 1710386924, "name": "ThreatType/Espionage" }, { "created_on": 1710390524, "last_valid_on": 1710394124, "name": "Status/Suspected" } ], "last_updated": "2026-01-15T14:42:02.922Z", "malicious_confidence": "Critical", "malware_families": [ "Dridex" "Zeus" "Ryuk" ], "published_date": "2026-01-15T14:42:02.922Z", "relations": [], "reports": [], "targets": [], "threat_types": [ "Ransomeware", "Malware" ], "type": "IP Address", "vulnerabilities": [] } 32b5b8ff1be8633d9978fa0c3b5ae4da0Z                                  
2026-01-15T14:42:03 auto-dashboard-queriesCS_Intel_Indicators     VAq2qyZrM0xlcuqUmqUNchHO_2_207_17684881232026-01-15T14:42:04{"_marker":"1596041946deb062815237f52fhg31b4f8b0ibb093","actors":["Cozy Bear"],"deleted":false,"domain_types":[],"id":"ip_10.0.0.50","indicator":"192.168.0.87","ip_address_types":["Proxy"],"kill_chains":["Exploitation"],"labels":[{"created_on":"2026-01-15T14:42:03.489Z","last_valid_on":"2026-01-15T14:42:03.489Z","name":"Malware/Zeus"},{"created_on":"2026-01-15T14:42:03.489Z","last_valid_on":"2026-01-15T14:42:03.489Z","name":"ThreatType/Malware"},{"created_on":"2026-01-15T14:42:03.489Z","last_valid_on":"2026-01-15T14:42:03.489Z","name":"Status/FalsePositive"}],"last_updated":"2026-01-15T14:42:03.489Z","malicious_confidence":"high","malware_families":["Conti"],"published_date":"2026-01-15T14:42:03.489Z","relations":[],"reports":[],"targets":[],"threat_types":["Ransomeware"],"type":"ip","vulnerabilities":[]} 32b5b8ff1be8633d9978fa0c3b5ae4da0Z1596041946deb062815237f52fhg31b4f8b0ibb093Cozy Bear false ip_10.0.0.50192.168.0.87ProxyExploitation2026-01-15T14:42:03.489Z2026-01-15T14:42:03.489ZMalware/Zeus2026-01-15T14:42:03.489Z2026-01-15T14:42:03.489ZThreatType/Malware2026-01-15T14:42:03.489Z2026-01-15T14:42:03.489ZStatus/FalsePositive         2026-01-15T14:42:03.489ZhighConti2026-01-15T14:42:03.489ZRansomeware ip

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{{Aggregate}} 2[\Add Field/] 3[\Add Field/] 4[\Add Field/] 5[(Function)] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    top("malware_families[0]")

    Finds the most frequent values in the malware_families[0] field, sorted by occurrence count in descending order.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{{Aggregate}} 2[\Add Field/] 3[\Add Field/] 4[\Add Field/] 5[(Function)] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | split(malware_families)

    Splits the malware_families array field into individual events, creating one event per malware family entry.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{{Aggregate}} 2[\Add Field/] 3[\Add Field/] 4[\Add Field/] 5[(Function)] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | Count := rename(_count)

    Renames the _count field to Count for better readability.

  5. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{{Aggregate}} 2[\Add Field/] 3[\Add Field/] 4[\Add Field/] 5[(Function)] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> result style 4 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | "Malware Family" := rename(malware_families[0])

    Renames the malware_families[0] field to Malware Family for better readability.

  6. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{{Aggregate}} 2[\Add Field/] 3[\Add Field/] 4[\Add Field/] 5[(Function)] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> result style 5 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | table(["Malware Family", "Count"])

    Creates a table displaying the specified fields in the given order.

  7. Event Result set.

Summary and Results

The widget is used to identify the most prevalent malware families based on frequency of occurrence.

This widget is useful to prioritize malware analysis and understand which malware families are most active in the current event set.

Sample output from the incoming example data:

Count
3
3
3
3
3

The output shows the most frequent malware families and their occurrence counts in descending order.