Search | Query Syntax | Observable properties

When drafting an Observable search query or querying Entities by related Observables, you can include the attributes below to match the intended Observables.

| Attribute | Looks for | Example values |
| --- | --- | --- |
| id | Returns the Observable with this unique ID. | id:13 |
| value | Returns Observables whose value matches the specified pattern or literal. The value attribute has tokens and keyword attributes you can use. See our document about tokenization. | value:malware.win32.sample |
| kind | Returns Observables whose data type matches the specified pattern or literal. | kind:ipv4, kind:name |
| meta.confidence | Returns Observables with the specified level of Confidence. Used together with classification to determine maliciousness. See Observable maliciousness. | meta.confidence:high, meta.confidence:medium, meta.confidence:low |
| meta.classification | Returns Observables with the specified Classification. Used together with confidence to determine maliciousness. See Observable maliciousness. | meta.classification:good, meta.classification:bad, meta.classification:unknown |
| meta.blacklisted | Returns Observables that either have or have not been ignored by an Observable rule. | meta.blacklisted:true, meta.blacklisted:false |