Search for entity attributes
| Query key | Looks for | Query value examples |
| --- | --- | --- |
| `created_at` | Entities whose creation date matches the specified pattern or literal. | `[now-1w TO *]`, `[now-24h TO *]`, `[now-1w TO *]`, `[now-1y TO *]`, `[* TO *]` |
| `created_by` | Entities whose user ID integer value matches the specified pattern or literal. | `*`, `1` |
| `data.confidence.value` | Entities whose observable maliciousness confidence value matches the specified pattern or literal. | `high`, `medium`, `low`, `none`, `unknown` |
| `data.kill_chain_phases.kill_chain_name` | Entities whose kill chain phase name matches the specified pattern or literal. | `reconnaissance`, `weaponization`, `delivery`, `exploitation`, `installation`, `command and control`, `actions on objectives` |
| `data.kill_chain_phases.name` | Entities whose official or standard name matches the specified pattern or literal. | `LMCO Kill Chain` |
| `data.kill_chain_phases.ordinality` | Entities whose integer order value matches the specified pattern or literal. | `1`, `2`, `3`, `4`, `5`, `6`, `7` |
| `data.observable.title` | Entities with at least an observable whose title/header matches the specified pattern or literal. | `Mirai botnet-related observable` |
| `data.producer.identity.name` | Entities whose data producer name matches the specified pattern or literal. | `phishtank`, `hailataxii` |
| `data.producer.time_produced` | Entities whose creation time at the data producer matches the specified pattern or literal. | `2016-11-08T05\:04\:12Z`, `2016-11-08T05\:04\:12\+00\:00`, `[now-24M/M TO 2016-01-01]` |
| `data.producer.time_received` | Entities whose reception time at the data producer matches the specified pattern or literal. | `2015-03-26T14\:28\:24Z`, `2015-03-26T14\:28\:24\+00\:00`, `[now-24M/M TO 2016-01-01]` |
| `data.sightings_count` | Entities with at least an observable that has actually been sighted. | `*`, `1`, `2`, `3` |
| `data.timestamp` | Entities whose data creation time matches the specified pattern or literal. | `2015-03-26T14\:28\:24Z`, `2015-03-26T14\:28\:24\+00\:00`, `[now-24M/M TO 2016-01-01]` |
| `extracts.value` | Entities with at least an observable whose value matches the specified pattern or literal. | `malware.win32.sample` |
| `extracts.kind` | Entities with at least an observable whose data type matches the specified pattern or literal. | `ipv4`, `name` |
| `enrichment_extracts.value` | Entities with at least an observable retrieved through enrichment whose value matches the specified pattern or literal. | `www.w3.org` |
| `enrichment_extracts.kind` | Entities with at least an observable retrieved through enrichment whose data type matches the specified pattern or literal. | `domain`, `actor-id` |
| `exposure.sighted` | Entities with at least an observable that has actually been sighted. | `true`, `false` |
| `meta.source_reliability` | Entities whose data source reliability matches the specified pattern or literal. | `A`, `(A B C)` |
| `meta.tlp_color` | Entities whose TLP color matches the specified pattern or literal. | `RED`, `AMBER`, `GREEN`, `WHITE`, `NONE` |
| `meta.tags` | Entities whose custom tag values match the specified pattern or literal. | `malware`, `ransomware` |
| `tags` | Entities whose custom tag and standard taxonomy values match the specified pattern or literal. | `malware`, `ransomware` |