Search page

You can start a new search workflow by building a query on the Search page.

Build a query

The Knowledge Base is accessed through a simple search form. To start a search, you must build a query to be entered in the search input field. A query is defined as one or more expressions, joined by operators.

Expressions

Expressions specify searches on individual features and are written as key:value pairs, where key specifies the type of feature to search and value is the specific value to be searched. Keys represent the different types of IoCs that are available for search. Keys are organized hierarchically: a generic key can encompass multiple sub-keys, each corresponding to a further level of refinement of the search (for example, refining the type of operation performed on a file). The search keys are divided into three index groups: main index, string index, and memory index. For more details, refer to Indexing service.

The following keys and sub-keys are supported in the main group covering the host, network and detection features:

  • file_md5 Search for analysis reports where a file with the given MD5 was observed.

    • file_md5_subject Search for analysis reports where a file with the given MD5 was executed.

    • file_md5_written Search for analysis reports where a file with the given MD5 was written.

  • file_sha1 Search for analysis reports where a file with the given SHA1 was observed.

    • file_sha1_subject Search for analysis reports where a file with the given SHA1 was executed.

    • file_sha1_written Search for analysis reports where a file with the given SHA1 was written.

  • file_sha256 Search for analysis reports where a file with the given SHA256 was observed.

    • file_sha256_subject Search for analysis reports where a file with the given SHA256 was executed.

    • file_sha256_written Search for analysis reports where a file with the given SHA256 was written.

  • file_importhash Search for analysis reports where a file with the given ImportHash (for PE executables) was observed.

    • file_importhash_subject Search for analysis reports where a file with the given ImportHash was executed.

    • file_importhash_written Search for analysis reports where a file with the given ImportHash was written.

  • file_name Search for analysis reports where a file with the given name was observed.

    • file_name_written Search for analysis reports where a file with the given name was written.

  • registry_key Search for analysis reports where the given registry key was observed.

    • registry_key_written Search for analysis reports where the given registry key was written.

  • registry_keyvalue Search for analysis reports where the given registry key and value were observed.

    • registry_keyvalue_written Search for analysis reports where the given key and value were written.

  • mutex_name Search for analysis reports where the given mutex name was used.

    • mutex_name_created Search for analysis reports where the given mutex name was created.

    • mutex_name_opened Search for analysis reports where the given mutex name was opened.

  • ip Search for analysis reports where the given IP address was contacted.

  • domain Search for analysis reports where the given domain name was resolved.

  • user_agent Search for analysis reports where the given HTTP user agent was used.

  • tls_fingerprint Search for analysis reports where a TLS certificate with the given fingerprint was used.

  • ja3_fingerprint Search for analysis reports where a TLS client with the given JA3 fingerprint was used.

  • threat Search for analysis reports attributed to the specified threat.

  • analysis_tag Search for analysis reports to which the specified analysis tag was attached.

  • detector_identifier Search for analysis reports where the specified network detector or signature triggered.

The following keys and sub-keys are supported in the string group covering the string features:

  • string Search for analysis reports where the given string was observed.

The following keys and sub-keys are supported in the memory group covering the memory features:

  • api_hash Search for analysis reports where the given API hash was observed.

  • code_hash Search for analysis reports where the given code hash was observed.

Using a generic key allows you to query all sub-keys in a single search. Concrete examples of the difference of granularity between keys and sub-keys are given in the Query Examples.

Values are simple strings interpreted literally without any special treatment. Traditional wildcard characters such as asterisk (*) do not receive special treatment. Where the value is imprecise (typographical error, incomplete value), suggestions of viable alternatives are offered by the interface (see intelligence suggestions).

Operators

Expressions can be joined using the AND, OR, and AND NOT operators. The behavior of these operators is respectively equivalent to the intersection, union and difference operations of set theory.

For example, the following query searches for reports where the IP address 8.8.8.8 was contacted and the domain name example.com was resolved:

ip: '8.8.8.8' AND domain: 'example.com'

Note:

Operators can only be used to combine search terms belonging to the same index group: main index, string index, or memory index.
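The following Python script is an added example, not code from the Knowledge Base or its documentation: it tokenizes a query into key:'value' expressions and operators, enforces the rule from the note above that terms of different index groups cannot be combined, and evaluates AND, OR and AND NOT as set intersection, union and difference over a small constructed set of reports. The key lists come from this page; the report structure and the parsing details are assumptions.

```python
import re
# Keys listed on this page, by index group; sub-keys inherit their parent's group.
MAIN_KEYS = {
    "file_md5": ("subject", "written"), "file_sha1": ("subject", "written"),
    "file_sha256": ("subject", "written"), "file_importhash": ("subject", "written"),
    "file_name": ("written",), "registry_key": ("written",), "registry_keyvalue": ("written",),
    "mutex_name": ("created", "opened"), "ip": (), "domain": (), "user_agent": (),
    "tls_fingerprint": (), "ja3_fingerprint": (), "threat": (), "analysis_tag": (),
    "detector_identifier": ()}
INDEX_GROUP = {"string": "string", "api_hash": "memory", "code_hash": "memory"}
INDEX_GROUP.update({k: "main" for b, subs in MAIN_KEYS.items()
                    for k in [b, *(f"{b}_{s}" for s in subs)]})
# One token: an operator, or a key:'value' expression (the value is taken literally).
TOKEN = re.compile(r"\s*(?:(AND NOT|AND|OR)|([a-z0-9_]+)\s*:\s*'([^']*)')")

def parse_query(query):
    """Tokenize into [(operator, key, value), ...]; the first operator is None."""
    terms, op, pos, query = [], None, 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if m is None:
            raise ValueError(f"invalid query near offset {pos}")
        pos, (operator, key, value) = m.end(), m.groups()
        if operator:                       # only valid right after an expression
            if not terms or op:
                raise ValueError("misplaced operator")
            op = operator
        elif key not in INDEX_GROUP or (terms and not op):
            raise ValueError(f"unknown key or missing operator at {key}")
        else:
            terms.append((op, key, value))
            op = None
    if op or not terms or len({INDEX_GROUP[k] for _, k, _ in terms}) > 1:
        raise ValueError("empty query, trailing operator or mixed index groups")
    return terms

def run_query(query, reports):
    """AND / OR / AND NOT as set intersection, union, difference; generic keys cover sub-keys."""
    result = set()
    for op, key, value in parse_query(query):
        hits = {rid for rid, rep in reports.items() if any(value in vals
                for k, vals in rep.items() if k == key or k.startswith(key + "_"))}
        result = hits if op is None else (result & hits if op == "AND" else
                                          result | hits if op == "OR" else result - hits)
    return result

REPORTS = {  # constructed sample reports, not real analyses
    "r1": {"ip": {"8.8.8.8"}, "domain": {"example.com"}},
    "r2": {"ip": {"8.8.8.8"}, "domain": {"example.org"}},
    "r3": {"domain": {"example.com"}, "file_md5_written": {"0" * 32}}}
```

The generic key file_md5 finds report r3 through its file_md5_written entry, while file_md5_subject does not, mirroring the key hierarchy described above.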

Query Examples

To demonstrate the capabilities of the language, a number of queries using different keys and sub-keys are provided to illustrate certain language features, such as refining the type of operation. These examples can be accessed directly under the search form. The Examples section is expandable and can be toggled to obtain more examples as well as a short description of each example.

Phorpiex Payload Server

The Phorpiex botnet family carries out massive spam campaigns to propagate and to distribute ransomware such as BitRansomware. The domains used to deliver its payload can be leveraged to search for Phorpiex samples:

domain: 'trik.ws'

Sunburst Compromised DLLs

The Sunburst backdoor is part of a supply chain attack targeting SolarWinds Orion updates. The file hashes of the compromised libraries (SolarWinds.Orion.Core.BusinessLayer.dll) can be leveraged to search for Sunburst samples:

file_md5: '2c4a910a1299cdae2a4e55988a2f102e' OR file_md5: '3e329a4c9030b26ba152fb602a1d5893' OR file_md5: '846e27a652a5e1bfbd0ddd38a16dc865' OR file_md5: 'b91ce2fa41029f6955bff20079468448' OR file_md5: 'd5aad0d248c237360cf39c054b654d69' OR file_md5: 'e18a6a21eb44e77ca8d739a72209c370'

Petya Ransom Wallet

The Petya ransomware family uses Bitcoin to collect its ransom payments. The Bitcoin wallet address used by the family can be leveraged to search for Petya samples:

string: '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX'

Shade/Troldesh TLS C&C

The Shade/Troldesh ransomware family protects its Command and Control (C&C) communications using Transport Layer Security (TLS). The JA3 fingerprint of the TLS client used to establish the secured flow can be leveraged to search for Shade/Troldesh samples:

ja3_fingerprint: '1be3ecebe5aa9d3654e6e703d81f6928'

Matrix Decryption Note

The Matrix ransomware family, just like others, drops instruction notes for the payment of the ransom. The file name under which these instruction notes are dropped can be leveraged to search for Matrix samples:

file_name: 'C:\#Decrypt_files_ReadMe#.rtf'

Query Helpers and Type Inference

To help you build queries, the interface offers wrappers that produce well-formatted queries. You can access these wrappers by first clicking on the Advanced Search option to expand the search form. You can then directly click on the desired key in the list below. An input box appears so you can enter the value you want to search for.

The interface also provides suggestions to help you improve your queries. These suggestions can be particularly helpful when you are not sure about the full path of a file or the different aliases of a threat. The interface automatically provides these suggestions as part of the results whenever they are available for the queried term.

In the case of simple queries, you can directly type the value you want to search for and the interface will infer the type to query for standard types of IoCs: filename, file MD5, file SHA1, registry path, domain, or IP. The interface will inform you of the inferred type in the information banner (see Query info banner).
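As an added example (not the interface's own implementation, whose inference rules this page does not specify), the following Python function assigns one of the six inferred types to a bare value and wraps it into a well-formed expression; the ordering of the heuristics, the hive names and the file-extension list are assumptions.

```python
import re

# Assumed heuristics: the page lists which IoC types are inferred (filename, MD5,
# SHA1, registry path, domain, IP) but not how, so these rules are illustrative.
HIVES = "|".join(("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
                  "HKEY_USERS", "HKEY_CURRENT_CONFIG", "HKLM", "HKCU", "HKCR", "HKU", "HKCC"))
EXTS = "exe|dll|sys|scr|bat|cmd|ps1|vbs|js|jar|lnk|rtf|doc|docx|xls|pdf|txt|zip"
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Tried in order: a 32/40-hex value is a hash before anything else, an IP comes
# before a domain, and a hive-rooted path is a registry key rather than a file name.
RULES = (
    ("file_md5", re.compile(r"[0-9a-fA-F]{32}")),
    ("file_sha1", re.compile(r"[0-9a-fA-F]{40}")),
    ("ip", re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")),
    ("registry_key", re.compile(rf"(?:{HIVES})\\.+", re.IGNORECASE)),
    # a file name needs a drive, UNC or slash prefix, or a well-known extension
    ("file_name", re.compile(rf"(?:[A-Za-z]:\\|\\\\|/).+|[^\\/:*?\"<>|\s]+\.(?:{EXTS})",
                             re.IGNORECASE)),
    ("domain", re.compile(rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}")),
)

def infer_key(value):
    """Key to query for a bare value, or None when no standard IoC type fits."""
    for key, pattern in RULES:
        if pattern.fullmatch(value.strip()):
            return key
    return None

def build_expression(value):
    """Wrap a bare value in the key:'value' form the query language expects."""
    key = infer_key(value)
    return None if key is None else f"{key}: '{value.strip()}'"
```

A value that fits none of the shapes (a user agent such as Mozilla/5.0, for instance) yields None, which is where an explicit key must be supplied instead.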

Query info banner

The information banner displays additional information to understand how the query was processed and how the results should be interpreted.

Warning messages:

Type inference: See Query helpers and type inference.

Truncated results: The interface returns a warning that your search results have been truncated. This message usually indicates that the query is too broad. Try refining your query.

Normalized terms: Many analysis artifact names depend on runtime parameters (date in log filenames, user name in folders, SID in registry keys) or random values (random folders in installers). The system handles the most common runtime dependencies by normalizing the searched artifacts when possible. This normalization maximizes the chances of finding matching results.

Filtered terms: The interface returns a warning because the searched feature was filtered out. The system applies several filters, enforced on strings in particular, to detect seemingly random inputs and to silence inputs that are observed in the majority of reports.

Error messages:

Invalid query: The interface returns an error because your query is not compliant with the query language.

Permission denied: The interface returns an error because you no longer have permission to access the system. This is typically caused by the session expiring. Re-authenticating should restore your access.

Rate limit restriction: The interface returns an error because you exceeded your rate limit. Queries are limited to 5,000 queries daily and 30 queries maximum per minute.