Search Guide

Search combines report details, network activity, extracted artifacts, hashes, tags, dates, and text found in captured HTML documents or JavaScript.

Use fielded searches when you know where a value belongs, such as url.domain, http.url.addr, artifacts.files.sha256, or tags. Use plain text or quoted phrases when you want to search page content and scripts.

Start with a specific tag, domain, hash, or date range when you can. Broader content and wildcard searches are useful, but they work best after you narrow the result set.

Quick Start

Report fields

Fielded queries search structured data stored on reports. These are best for tags, URLs, domains, hashes, dates, alerts, submit metadata, and extracted artifacts.

tags:phishing AND final.url.domain:example.com

Content text

Plain text and quoted phrases search captured HTML documents and JavaScript. Combine them with tags, dates, or other filters to narrow the results.

"Logo loader" AND tags:phishing

Search Syntax

Boolean logic

Combine clauses with uppercase AND, OR, and NOT.

(tags:phishing OR tags:scam) AND url.tld:no

Default matching

Multiple plain terms are treated like an AND search in most report and content queries.

login portal

Exact phrases

Wrap a phrase in quotes when the words should appear together in that order.

"Google Favicons"

Fielded search

Use field:value when you know which report field should contain the value.

final.url.domain:example.com

Wildcards

Use * to match unknown text. Leading wildcards are useful, but slower.

http.url.addr:*download.html*

Ranges

Use square brackets for inclusive number and date ranges.

date:[2026-01-01 TO 2026-01-31]

Grouped fields

Use parentheses when a field should match one of several values.

tags:(phishing OR scam)

Hashes

MD5, SHA-1, SHA-256, and SHA-512 values can be searched directly.

44d88612fea8a8f36de82e1278abb02f

URL values

Search domains when possible; use URL fields when the path or full address matters.

url.addr:*login*

Notes and Limits

Visibility

Search only returns reports available to the current user:

public reports
restricted reports if your account has access
reports submitted by you or your team

Content scope

Plain text searches HTML documents and JavaScript, not every byte of every downloaded file.

Timeouts

Very broad or expensive searches may return partial results if the search timeout is reached.

Wildcard cost

Prefer exact domains, hashes, tags, and date ranges before using broad leading wildcards.

Complex URLs

If a full URL is awkward to search, narrow it to a domain, path fragment, hash, or exact phrase.

Dates

Use date ranges to keep high-volume searches focused and easier to review.

Example Queries

Tagged reports

tags:tycoon

Reports tagged with a known campaign or activity cluster.

Submitted domain

url.domain:example.com

Reports submitted for example.com.

Suspicious TLD

url.tld:xyz

Reports where the submitted URL uses the .xyz TLD.

Resolved IP

ip.addr:8.8.8.8

Reports where the submitted URL resolved to this IP address.

Archive filename

artifacts.files.archive.filename:*.php

Archived files with a PHP filename.

URL path fragment

url.addr:*login*

Submitted URLs containing login anywhere in the address.

Telegram token

artifacts.telegram.token:*

Reports where a Telegram token was extracted.

Response header

http.response.raw:"Apache"

Reports with Apache in an HTTP response header.

Extracted file type

artifacts.files.magic:"PDF"

Reports with extracted files identified as PDF documents.

Certificate expiry

http.security_info.cert.validity.end:[2026-01-01 TO 2026-02-03]

Reports where a TLS certificate expires in the selected range.

HTML phrase

"<title>AOL</title>"

Reports whose HTML documents or JavaScript resources contain that exact phrase.

Content plus tag

"Logo loader" AND tags:phishing

Phishing reports where captured HTML or JavaScript contains the phrase.

Tags in a date range

(tags:phishing OR tags:scam) AND date:[2026-05-01 TO 2026-05-09]

Phishing or scam reports in a date range.

Field Reference

Common Fields

Key	Description
date	Report generation date. Useful with ranges.
tags	Tags applied by urlquery.
url.domain	Submitted URL domain.
url.addr	Submitted URL without `http://` or `https://`.
final.url.domain	Final domain after redirects.
ip.addr	IP address for the submitted URL.
http.url.domain	Domain seen in HTTP traffic.
http.url.addr	Full URL seen in HTTP traffic.
http.response.data.sha256	SHA-256 of HTTP response data.
artifacts.files.sha256	SHA-256 of an extracted file.
artifacts.files.magic	Detected file type for an extracted file.
artifacts.telegram.token	Extracted Telegram token.

General Report Fields

Key	Description
date	The date when the report was generated.
tags	The tags associated with the report, applied by urlquery.
submit.tags	Tags assigned during the submission of the URL.
url.addr	Submitted URL - full URL, without schema, `http://` or `https://`
url.domain	Submitted URL, the domain part.
url.fqdn	Submitted URL - the Fully Qualified Domain Name (FQDN).
url.tld	Submitted URL - the top-level domain (TLD) of the URL (e.g., com, org).
ip.addr	The IP address associated with the submitted URL.
ip.country_code	The ISO 3166-1 alpha-2 country code of the IP address's location of the submitted URL.
ip.country	The country derived from the GeoIP location of the IP address of the submitted URL.
ip.as	The Autonomous System (AS) organization associated with the IP address of the submitted URL.
ip.asn	The Autonomous System Number (ASN) associated with the IP address of the submitted URL.
final.url.addr	The final URL address after redirects.
final.url.domain	The domain part of the final URL after redirects.
final.url.fqdn	The Fully Qualified Domain Name (FQDN) of the final URL after redirects.
final.url.tld	The top-level domain (TLD) of the final URL after redirects.
final.title	The final title of the web page after redirects.

HTTP Fields

Key	Description
http.url.addr	The full URL found in HTTP transactions within the report. This includes URLs visited during analysis. Supports wildcards (*).
http.url.domain	The domain part of the URLs found in HTTP transactions within the report. This includes URLs visited during analysis.
http.url.fqdn	The Fully Qualified Domain Name (FQDN) of the URLs found in HTTP transactions within the report.
http.url.tld	The top-level domain (TLD) of the URLs found in HTTP transactions within the report (e.g., .com, .org, etc.).
http.ip.addr	The IP address associated with the URLs found in HTTP transactions.
http.ip.country_code	The ISO 3166-1 alpha-2 country code for IP addresses found in HTTP transactions.
http.ip.country	The country derived from the GeoIP location of the URLs found in HTTP transactions
http.ip.as	The Autonomous System (AS) organization associated with the IP address.
http.ip.asn	The Autonomous System Number (ASN) associated with the IP address.
http.request.raw	The raw HTTP request data.
http.response.raw	The full response header.
http.response.data.magic	File magic (file type) from the response data.
http.response.data.size	The size of the response data.
http.response.data.md5	The MD5 hash of the HTTP response data.
http.response.data.sha1	The SHA-1 hash of the HTTP response data.
http.response.data.sha256	The SHA-256 hash of the HTTP response data.
http.response.data.sha512	The SHA-512 hash of the HTTP response data.
http.security_info.cert.validity.start	Start date of validity of TLS certificate.
http.security_info.cert.validity.end	End date of validity of TLS certificate.

Artifact Fields

Key	Description
artifacts.files.md5	The MD5 hash of the file.
artifacts.files.sha1	The SHA-1 hash of the file.
artifacts.files.sha256	The SHA-256 hash of the file.
artifacts.files.sha512	The SHA-512 hash of the file.
artifacts.files.magic	The file type magic signature.
artifacts.files.alerts.analyzer.alert	Alerts related to the file generated by an analyzer.
artifacts.files.archive.md5	The MD5 hash of the file in an archive.
artifacts.files.archive.sha1	The SHA-1 hash of the file in an archive.
artifacts.files.archive.sha256	The SHA-256 hash of the file in an archive.
artifacts.files.archive.sha512	The SHA-512 hash of the file in an archive.
artifacts.files.archive.magic	The file type magic signature of the within an archive.
artifacts.files.archive.filename	The filename of the file within an archive.
artifacts.files.archive.path	The file path of the file within an archive.
artifacts.files.archive.alerts.analyzer.alert	Alerts related to the file in an archive, generated by an analyzer.
artifacts.windows_shortcuts.md5	The MD5 hash of the Windows shortcut.
artifacts.windows_shortcuts.sha1	The SHA-1 hash of the Windows shortcut.
artifacts.windows_shortcuts.sha256	The SHA-256 hash of the Windows shortcut.
artifacts.windows_shortcuts.sha512	The SHA-512 hash of the Windows shortcut.
artifacts.windows_shortcuts.magic	The file type magic signature of the Windows shortcut.
artifacts.windows_shortcuts.size	The size of the Windows shortcut.
artifacts.windows_shortcuts.url.addr	The URL address where the Windows shortcut was found.
artifacts.windows_shortcuts.url.domain	The domain part of the URL where the Windows shortcut was found.
artifacts.windows_shortcuts.url.fqdn	The Fully Qualified Domain Name (FQDN) of the URL where the Windows shortcut was found.
artifacts.windows_shortcuts.url.tld	The top-level domain (TLD) of the URL where the Windows shortcut was found.
artifacts.windows_shortcuts.string_data_section.command_line_arguments	Command line arguments found in the string data section of the Windows shortcut.
artifacts.telegram.token	The Telegram token associated with the bot or user.
artifacts.telegram.is_revoked	Indicates whether the Telegram token has been revoked.
artifacts.telegram.bot.token	The Telegram bot's unique token.
artifacts.telegram.bot.user_id	The user ID of the Telegram bot.
artifacts.telegram.bot.username	The username of the Telegram bot.
artifacts.telegram.bot.first_name	The first name of the Telegram bot.
artifacts.telegram.bot.last_name	The last name of the Telegram bot.
artifacts.telegram.bot.chat.chat_id	The chat ID associated with the Telegram bot.
artifacts.telegram.bot.chat.title	The title of the Telegram bot's chat.
artifacts.telegram.bot.chat.type	The type of the Telegram bot's chat (e.g., private, group).
artifacts.telegram.bot.chat.bot_is	Indicates if the Telegram bot is active or bot-specific info.
artifacts.telegram.bot.chat.total_users	The total number of users in the Telegram bot's chat.
artifacts.telegram.bot.pending_messages	The number of pending messages in the Telegram bot's chat.