Feed Search is your unified window into dozens of IOFA threat intelligence feeds – Scattered Spider, Crypto Chameleon, Poison Seed, and many more – all searchable simultaneously.
No jumping between feeds. One query instantly searches all indicators for faster threat hunting.
Access Feed Search
From the left navigation menu, select Threat Intelligence Management > Feed Search.
You’ll start in the Simple Search tab, which is ideal for most queries.
Run a Simple Search
Choose a Datasource (or leave on “All Feeds” to search everything).
In the expression box, select:
Field (e.g., Indicator, Domain, Feed Name, Vendor…)
Operator (equals, contains, starts with, etc.)
Value (type or paste your target)
Hit + to add AND conditions.
Click Search.
Example: Everything Scattered Spider added in the last 7 days
Field: Feed → equals → Scattered Spider
Field: Date Added → is in the last → 7 days
Switch to Advanced Search
Click the Advanced Search tab for full SPQL power.
feed_name:"Scattered Spider" AND sp_risk_score>80
vendor:"Silent Push" AND is_new_score>90
indicator_type:domain AND asn:15169 AND whois_age<30
feed_name:/Crypto Chameleon|Poison Seed/
Tip
Build in Simple Search first, then click Edit Feed Search Form; it auto-converts to perfect SPQL.
Default Columns and Why They Matter
| Column | Why it matters |
|---|---|
| Indicator | The actual domain/IP/URL |
| Indicator Type | Domain, IPv4, URL, etc. |
| Feed | Exact feed (Scattered Spider, etc.) |
| Date Added | When it first hit the feed |
| Vendor | Who owns the feed |
| ASN / AS Name | Immediate infrastructure context |
| WHOIS Created Date | Brand-new domains = higher risk |
| SP Risk Score | Silent Push 0–100 malice score |
Need more? Click the columns icon next to Total Results and drag in any of 60+ enriched fields.
Expand a Row for Deeper Insight
Click the Expand arrow on any result – every enriched field appears. Blue values are one-click pivots that instantly refine your query.
Click a blue email to add registrant_email:that-email
Click a blue name server for an instant NS pivot
Click a blue IP to add it to your running query
Bulk Actions
Select multiple rows to:
Copy to clipboard (plain or JSON)
Save directly into your own custom feeds
Run Web Search across every selected domain instantly
Save Queries and Set Up Automation/Monitoring
Perfect query? Click Save (top right) to open the unified modal and configure everything in one place:
Add Name, Description, and optional Tags.
Toggle Save Column Headers for consistent views.
Enable Share with Organization for team access.
Toggle Monitor: Get alerts via In-App, Email, Slack, Teams, or Custom webhook.
Toggle Automate Export: Choose Indicators Only or Enriched (add up to 10 extra fields).
Click Save. Daily exports are generated automatically.
After the first export runs, access formats (CSV, JSON, TXT, RPZ, STIX, TAXII) and the API endpoint via Manage in Monitored Queries or Organization Exports.
Saved queries become live monitors and automated feeds – new matches trigger alerts and exports without manual effort.
Manage Your Saved Queries
Access saved queries via the My Searches button or Monitored Queries tab.
Update a query: Open it, modify parameters, re-run, and click Update (for private queries), or use Manage to edit metadata (name, description, tags, columns).
Clone: Open any query, modify as needed, click the three-dot menu > Save as.
Delete: Open in My Searches, three-dot menu > Delete.
Share: Three-dot menu > Share (makes it available organization-wide).
Real-World Example Workflows
“What did Scattered Spider drop this week?”
Feed = Scattered Spider + Date Added = last 7 days
“Brand-new domains on any feed that live on Cloudflare”
whois_age<14 AND asn:13335
“Poison Seed domains that changed name servers recently”
feed_name:"Poison Seed" AND ns_entropy>15
“Domains listed by both Crypto Chameleon and Scattered Spider”
feed_name:"Crypto Chameleon" AND feed_name:"Scattered Spider"
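The cross-feed overlap and brand-new-domain workflows above can be re-checked offline against an Enriched JSON export. This is an added example, not Silent Push code. It assumes one JSON object per feed listing, keyed by the field names used in the queries on this page, with whois_age in days. The sample rows and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample standing in for an Enriched JSON export. The row layout
# (one object per feed listing, keyed by the field names used in the queries
# on this page) is an assumption, not the documented export schema.
SAMPLE_EXPORT = json.dumps([
    {"indicator": "Login-Portal.example.", "feed_name": "Scattered Spider",
     "asn": 13335, "whois_age": 6, "sp_risk_score": 92},
    {"indicator": "login-portal.example", "feed_name": "Crypto Chameleon",
     "asn": 13335, "whois_age": 6, "sp_risk_score": 92},
    {"indicator": "sso-help.example", "feed_name": "Scattered Spider",
     "asn": 15169, "whois_age": 400, "sp_risk_score": 85},
    {"indicator": "wallet-verify.example", "feed_name": "Poison Seed",
     "asn": 13335, "whois_age": 3, "sp_risk_score": 71},
])


def normalize(indicator):
    """Lower-case and drop a trailing dot so the same domain compares equal."""
    return indicator.strip().lower().rstrip(".")


def load_rows(export_json):
    """Parse the export and index rows by normalized indicator."""
    by_indicator = defaultdict(list)
    for row in json.loads(export_json):
        by_indicator[normalize(row["indicator"])].append(row)
    return by_indicator


def in_all_feeds(by_indicator, feeds):
    """Indicators listed by every feed in `feeds` (cross-feed overlap)."""
    wanted = set(feeds)
    return sorted(ind for ind, rows in by_indicator.items()
                  if wanted <= {r["feed_name"] for r in rows})


def new_on_asn(by_indicator, asn, max_age_days):
    """Indicators on `asn` whose WHOIS age is under `max_age_days` (assumed days)."""
    return sorted(ind for ind, rows in by_indicator.items()
                  if any(r["asn"] == asn and r["whois_age"] < max_age_days
                         for r in rows))


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    print(in_all_feeds(rows, ["Crypto Chameleon", "Scattered Spider"]))
    print(new_on_asn(rows, asn=13335, max_age_days=14))
```

Normalizing case and the trailing dot before comparing keeps the same domain from being counted as two indicators when feeds record it differently.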