This documentation provides an introduction to the search prefixes that help you track down digital threats. Whether you're hunting malware, phishing, or gathering threat intel, these prefixes will be essential for tracking and identifying the threats you're looking for. While there are other possibilities, this list is a great starting point to get you on your way.
Advanced Search Techniques
- Logical Operators: Combine conditions with `AND`, `OR`, `NOT`.
- Wildcard Searches: Use `*` to match any string, e.g., `url.domain:*.gov`.
- Range Searches: Specify numeric ranges using square brackets, e.g., `http.response.data.size:[10000 TO 20000]` to search within a particular range.
- Grouping: Use parentheses `()` to combine multiple conditions.
- Time-based Searches: Filter results by date using the date range format, e.g., `date:[2025-01-01 TO 2025-12-31]` to search within a specific time period.
General Search Prefixes
Key | Description |
---|---|
date | The date when the report was generated. |
tags | The tags associated with the report, applied by urlquery. |
submit.tags | Tags assigned during the submission of the URL. |
url.addr | Submitted URL: the full URL without the scheme (http:// or https://). |
url.domain | Submitted URL, the domain part. |
url.fqdn | Submitted URL - the Fully Qualified Domain Name (FQDN). |
url.tld | Submitted URL - the top-level domain (TLD) of the URL (e.g., com, org). |
ip.addr | The IP address associated with the submitted URL. |
ip.country_code | The ISO 3166-1 alpha-2 country code of the GeoIP location of the IP address of the submitted URL. |
ip.country | The country derived from the GeoIP location of the IP address of the submitted URL. |
ip.as | The Autonomous System (AS) number associated with the IP address of the submitted URL. |
final.url.addr | The final URL address after redirects. |
final.url.domain | The domain part of the final URL after redirects. |
final.url.fqdn | The Fully Qualified Domain Name (FQDN) of the final URL after redirects. |
final.url.tld | The top-level domain (TLD) of the final URL after redirects. |
final.title | The final title of the web page after redirects. |
HTTP Search Prefixes
Key | Description |
---|---|
http.url.addr | The full URL found in HTTP transactions within the report. This includes URLs visited during analysis. Supports wildcards (*). |
http.url.domain | The domain part of the URLs found in HTTP transactions within the report. This includes URLs visited during analysis. |
http.url.fqdn | The Fully Qualified Domain Name (FQDN) of the URLs found in HTTP transactions within the report. |
http.url.tld | The top-level domain (TLD) of the URLs found in HTTP transactions within the report (e.g., .com, .org, etc.). |
http.ip.addr | The IP address associated with the URLs found in HTTP transactions. |
http.ip.country_code | The ISO 3166-1 alpha-2 country code for IP addresses found in HTTP transactions. |
http.ip.country | The country derived from the GeoIP location of the IP addresses of the URLs found in HTTP transactions. |
http.ip.as | The Autonomous System (AS) number associated with the IP address. |
http.request.raw | The raw HTTP request data. |
http.response.raw | The full response header. |
http.response.data.magic | File magic (file type) from the response data. |
http.response.data.size | The size of the response data. |
http.response.data.md5 | The MD5 hash of the HTTP response data. |
http.response.data.sha1 | The SHA-1 hash of the HTTP response data. |
http.response.data.sha256 | The SHA-256 hash of the HTTP response data. |
http.response.data.sha512 | The SHA-512 hash of the HTTP response data. |
http.security_info.cert.validity.start | Start date of validity of TLS certificate. |
http.security_info.cert.validity.end | End date of validity of TLS certificate. |
Artifacts Search Prefixes
Key | Description |
---|---|
artifacts.files.md5 | The MD5 hash of the file. |
artifacts.files.sha1 | The SHA-1 hash of the file. |
artifacts.files.sha256 | The SHA-256 hash of the file. |
artifacts.files.sha512 | The SHA-512 hash of the file. |
artifacts.files.magic | The file type magic signature. |
artifacts.files.alerts.analyzer.alert | Alerts related to the file generated by an analyzer. |
artifacts.files.archive.md5 | The MD5 hash of the file in an archive. |
artifacts.files.archive.sha1 | The SHA-1 hash of the file in an archive. |
artifacts.files.archive.sha256 | The SHA-256 hash of the file in an archive. |
artifacts.files.archive.sha512 | The SHA-512 hash of the file in an archive. |
artifacts.files.archive.magic | The file type magic signature of the file within an archive. |
artifacts.files.archive.filename | The filename of the file within an archive. |
artifacts.files.archive.path | The file path of the file within an archive. |
artifacts.files.archive.alerts.analyzer.alert | Alerts related to the file in an archive, generated by an analyzer. |
artifacts.windows_shortcuts.md5 | The MD5 hash of the Windows shortcut. |
artifacts.windows_shortcuts.sha1 | The SHA-1 hash of the Windows shortcut. |
artifacts.windows_shortcuts.sha256 | The SHA-256 hash of the Windows shortcut. |
artifacts.windows_shortcuts.sha512 | The SHA-512 hash of the Windows shortcut. |
artifacts.windows_shortcuts.magic | The file type magic signature of the Windows shortcut. |
artifacts.windows_shortcuts.size | The size of the Windows shortcut. |
artifacts.windows_shortcuts.url.addr | The URL address where the Windows shortcut was found. |
artifacts.windows_shortcuts.url.domain | The domain part of the URL where the Windows shortcut was found. |
artifacts.windows_shortcuts.url.fqdn | The Fully Qualified Domain Name (FQDN) of the URL where the Windows shortcut was found. |
artifacts.windows_shortcuts.url.tld | The top-level domain (TLD) of the URL where the Windows shortcut was found. |
artifacts.windows_shortcuts.string_data_section.command_line_arguments | Command line arguments found in the string data section of the Windows shortcut. |
artifacts.telegram.token | The Telegram token associated with the bot or user. |
artifacts.telegram.is_revoked | Indicates whether the Telegram token has been revoked. |
artifacts.telegram.bot.token | The Telegram bot's unique token. |
artifacts.telegram.bot.user_id | The user ID of the Telegram bot. |
artifacts.telegram.bot.username | The username of the Telegram bot. |
artifacts.telegram.bot.first_name | The first name of the Telegram bot. |
artifacts.telegram.bot.last_name | The last name of the Telegram bot. |
artifacts.telegram.bot.chat.chat_id | The chat ID associated with the Telegram bot. |
artifacts.telegram.bot.chat.title | The title of the Telegram bot's chat. |
artifacts.telegram.bot.chat.type | The type of the Telegram bot's chat (e.g., private, group). |
artifacts.telegram.bot.chat.bot_is | Bot-specific information about the chat, such as whether the Telegram bot is active in it. |
artifacts.telegram.bot.chat.total_users | The total number of users in the Telegram bot's chat. |
artifacts.telegram.bot.pendint_messages | The number of pending messages in the Telegram bot's chat. |
Example Search Queries
Description | Example Query |
---|---|
Search for a specific domain used (submitted URL): | url.domain:example.com |
Look for any URL with the TLD `xyz`: | url.tld:xyz |
Find any report where the submitted URL resolves to a given IP: | ip.addr:8.8.8.8 |
Look for a specific file extension inside archive files (e.g., `.php`): | artifacts.files.archive.filename:*.php |
Find URLs with the word `login` in the path: | url.addr:*login* |
Search for Telegram bot tokens that could be linked to malicious activity: | artifacts.telegram.bot.token:abc123xyz |
Find reports that contain a pattern or signature in the HTTP response header: | http.response.raw:"Apache" |
Check for files of a given type (e.g., PDF files): | artifacts.files.magic:"PDF" |
Find reports where the TLS certificate's validity expires within a time range: | http.security_info.cert.validity.end:[2024-01-01 TO 2024-02-03] |
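As an added example (not urlquery's own tooling), the following Python query builder composes the operators described under Advanced Search Techniques with prefixes from the tables above into one hunt query, assuming those constructs nest as the page's examples show. The key subset it validates against and the allowlisted domain it excludes are constructed for the example.

```python
"""Compose urlquery-style hunt queries from structured criteria.
Added example, not urlquery's own tooling: it emits only the constructs this
page shows (key:value, AND/OR/NOT, *, [low TO high], (), "quoted" values) and
rejects inputs whose escaping the page does not document."""
from datetime import date

# Subset of the documented prefixes (constructed for this example), so a
# mistyped key fails locally instead of silently matching nothing.
KNOWN_KEYS = {"date", "tags", "url.addr", "url.domain", "url.tld", "ip.addr",
              "ip.country_code", "http.response.raw", "http.response.data.magic",
              "http.response.data.size", "http.security_info.cert.validity.end",
              "artifacts.files.magic", "artifacts.files.archive.filename"}
# Free-text fields the page always shows with quoted values.
PHRASE_KEYS = {"http.response.raw", "http.response.data.magic",
               "artifacts.files.magic"}

def _check(key):
    if key not in KNOWN_KEYS:
        raise ValueError(f"unknown search prefix: {key}")

def term(key, value):
    """key:value, quoting phrase fields and values containing whitespace."""
    _check(key)
    value = str(value)
    if '"' in value:
        raise ValueError("embedded quotes: escaping is undocumented")
    if key in PHRASE_KEYS or any(c.isspace() for c in value):
        if "*" in value:
            raise ValueError("wildcard inside a quoted value is undocumented")
        value = f'"{value}"'
    return f"{key}:{value}"

def range_term(key, low, high):
    """key:[low TO high] for numeric or YYYY-MM-DD date ranges."""
    _check(key)
    fmt = lambda v: v.isoformat() if isinstance(v, date) else str(v)
    return f"{key}:[{fmt(low)} TO {fmt(high)}]"

def any_of(*terms):   # grouped alternatives: (a OR b)
    return "(" + " OR ".join(terms) + ")"
def all_of(*terms):
    return " AND ".join(terms)
def exclude(t):
    return f"NOT {t}"

def build_hunt_query():
    """PDFs served from .xyz or .top sites in 2025, minus an allowlisted domain."""
    return all_of(
        any_of(term("url.tld", "xyz"), term("url.tld", "top")),
        term("http.response.data.magic", "PDF"),
        exclude(term("url.domain", "example.com")),  # constructed allowlist entry
        range_term("date", date(2025, 1, 1), date(2025, 12, 31)))
```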