Feed Search is your single window into every IOFA threat intelligence feed that Silent Push ingests: Scattered Spider, Crypto Chameleon, Poison Seed, and dozens more, all searchable at once.
No more jumping between feeds. One query → every indicator → instantly.
Access Feed Search
From the left navigation menu, select Threat Intelligence Management > Feed Search.
You’ll land on the Simple Search tab by default (perfect for 90% of what you do).
Run Your First Search (Simple Mode)
Choose a Datasource (or leave on “All Feeds” to search everything).
In the expression box:
• Field → e.g., Indicator, Domain, Feed Name, Vendor…
• Operator → equals, contains, starts with, etc.
• Value → type or paste what you’re hunting
Hit the + to AND another condition.
Click the Search button.
Example: “Everything Scattered Spider added in the last 7 days”
Field: Feed → equals → Scattered Spider
Field: Date Added → is in the last → 7 days
Switch to Advanced Mode
Click the Advanced Search tab to write SPQL.
feed_name:"Scattered Spider" AND sp_risk_score>80
vendor:"Silent Push" AND is_new_score>90
indicator_type:domain AND asn:15169 AND whois_age<30
feed_name:/Crypto Chameleon|Poison Seed/
Pro Tip:
Build it in Simple Search first. Click Edit Feed Search Form. It converts to perfect SPQL automatically.
Default Columns
| Column | Why it matters |
|---|---|
| Indicator | The actual domain/IP/URL |
| Indicator Type | Domain, IPv4, URL, etc. |
| Feed | Exact feed (Scattered Spider, etc.) |
| Date Added | When it first hit the feed |
| Vendor | Who owns the feed |
| ASN / AS Name | Immediate infrastructure context |
| WHOIS Created Date | Brand-new domains = higher risk |
| SP Risk Score | Silent Push 0–100 malice score |
Want everything else? Click the vertical line icon next to Total Results and drag in any of the 60+ enriched fields.
Expand a Row
Click the Expand arrow on any result → every enriched field appears. Anything in blue is a one-click pivot.
Click a blue email → instantly adds registrant_email:that-email
Click a blue name server → instant NS pivot
Click a blue IP → adds it to your running query
Save a Query
Perfect query? Click Save (top right) → name it → add tags → done.
Saved searches become live monitors that auto-export new matches to SIEM/EDR/blocklists.
Bulk Actions
Select rows to:
Copy → clipboard (plain or JSON)
Save to → push straight into your own feeds
Web Search → run Web Search across every selected domain instantly
Real-World Example Workflows
“What did Scattered Spider drop this week?”
Feed = Scattered Spider + Date Added = last 7 days
“Brand-new domains on any feed that live on Cloudflare”
whois_age<14 AND asn:13335
“Poison Seed domains that changed name servers recently”
feed_name:"Poison Seed" AND ns_entropy>15
“Domains listed by both Crypto Chameleon and Scattered Spider”
feed_name:"Crypto Chameleon" AND feed_name:"Scattered Spider"