I am trying to create an ECAT IIOC SQL query to look for specific URLs. How can this be done?
AFAIK the complete URL is not recorded by the agent, therefore you will not be able to create an IIOC that looks for a specific URL; however, you can create an IIOC to look for a specific domain. You can also import the list of domains or IPs to NetWitness Endpoint, and when they are visited there are already existing IIOCs, "Custom: Bad domain" & "Custom: Bad IP", that will get triggered. You can do this by going to Tools>Import/Export>Checksums.