Search for entity attributes

| Query key | Looks for | Query value examples |
| --- | --- | --- |
| `created_at` | Entities whose creation date matches the specified pattern or literal. | `[now-1w TO *]`, `[now-24h TO *]`, `[now-1y TO *]`, `[* TO *]` |
| `created_by` | Entities whose user ID integer value matches the specified pattern or literal. | `*`, `1` |
| `data.confidence.value` | Entities whose observable maliciousness confidence value matches the specified pattern or literal. | `high`, `medium`, `low`, `none`, `unknown` |
| `data.kill_chain_phases.kill_chain_name` | Entities whose kill chain phase name matches the specified pattern or literal. | `reconnaissance`, `weaponization`, `delivery`, `exploitation`, `installation`, `command and control`, `actions on objectives` |
| `data.kill_chain_phases.name` | Entities whose official or standard name matches the specified pattern or literal. | `LMCO Kill Chain` |
| `data.kill_chain_phases.ordinality` | Entities whose integer order value matches the specified pattern or literal. This value defines the order of a kill chain phase within a kill chain. | `1`, `2`, `3`, `4`, `5`, `6`, `7` |
| `data.observable.title` | Entities with at least one observable whose title/header matches the specified pattern or literal. | `Mirai botnet-related observable` |
| `data.producer.identity.name` | Entities whose data producer name matches the specified pattern or literal. The Entity per producer gauge on the dashboard used this field to display the total number of ingested entities, based on the corresponding producer. | `phishtank`, `hailataxii` |
| `data.producer.time_produced` | Entities whose creation time at the data producer matches the specified pattern or literal. Fractions of seconds are optional and may not always be included in the time value. Input format: `yyyy-MM-ddTHH:mm:ssZ` (year, month, day, T as the date and time separator, hour, minutes, seconds, time zone). | `2016-11-08T05\:04\:12Z`, `2016-11-08T05\:04\:12\+00\:00`, `[now-24M/M TO 2016-01-01]` |
| `data.producer.time_received` | Entities whose reception time at the data producer matches the specified pattern or literal. Fractions of seconds are optional and may not always be included in the time value. Input format: `yyyy-MM-ddTHH:mm:ssZ` (year, month, day, T as the date and time separator, hour, minutes, seconds, time zone). | `2015-03-26T14\:28\:24Z`, `2015-03-26T14\:28\:24\+00\:00`, `[now-24M/M TO 2016-01-01]` |
| `data.sightings_count` | Entities with at least one observable that has actually been sighted. This is a counter whose integer value reports the number of sightings recorded for the corresponding observable. | `*`, `1`, `2`, `3` |
| `data.timestamp` | Entities whose data creation time matches the specified pattern or literal. Fractions of seconds are optional and may not always be included in the time value. Input format: `yyyy-MM-ddTHH:mm:ssZ` (year, month, day, T as the date and time separator, hour, minutes, seconds, time zone). | `2015-03-26T14\:28\:24Z`, `2015-03-26T14\:28\:24\+00\:00`, `[now-24M/M TO 2016-01-01]` |
| `extracts.value` | Entities with at least one observable whose value matches the specified pattern or literal. | `malware.win32.sample` |
| `extracts.kind` | Entities with at least one observable whose data type matches the specified pattern or literal. | `ipv4`, `name` |
| `enrichment_extracts.value` | Entities with at least one observable retrieved through enrichment whose value matches the specified pattern or literal. | `www.w3.org` |
| `enrichment_extracts.kind` | Entities with at least one observable retrieved through enrichment whose data type matches the specified pattern or literal. | `domain`, `actor-id` |
| `exposure.sighted` | Entities with at least one observable that has actually been sighted. When entities are associated with a sighting, they are exposed. Entities with `exposure.sighted:true` have a `data.sightings_count` value of at least 1. | `true`, `false` |
| `meta.source_reliability` | Entities whose data source reliability matches the specified pattern or literal. | `A`, `(A B C)` |
| `meta.tlp_color` | Entities whose TLP color matches the specified pattern or literal. | `RED`, `AMBER`, `GREEN`, `WHITE`, `NONE` |
| `meta.tags` | Entities whose custom tag values match the specified pattern or literal. | `malware`, `ransomware` |
| `tags` | Entities whose custom tag and standard taxonomy values match the specified pattern or literal. | `malware`, `ransomware` |