--- title: "How To Use Feed Search" slug: "how-to-use-feed-search" tags: ["Data Sources", "Feed Search", "Threat Intelligence"] updated: 2026-02-18T15:45:26Z published: 2026-02-18T15:45:26Z --- > ## Documentation Index > Fetch the complete documentation index at: https://help.silentpush.com/llms.txt > Use this file to discover all available pages before exploring further. # How To Use Feed Search Feed Search is your unified window into dozens of IOFA Defend feeds, Scattered Spider, Crypto Chameleon, Poison Seed, and many more, all searchable simultaneously. ## Access Feed Search From the left navigation menu, select **Defend > Feed Search**. You’ll start in the Simple Search tab, which is ideal for most queries. ## Run a Simple Search 1. Choose a Datasource (or leave on “All Feeds” to search everything). 2. In the expression box, select: - Field (e.g., Indicator, Domain, Feed Name, Vendor…) - Operator (equals, contains, starts with, etc.) - Value (type or paste your target) 3. Hit + to add AND conditions. 4. Click **Search**. ### Example: Everything Scattered Spider added in the last 7 days - Field: Feed = Scattered Spider - Field: Date Added = is in the last = 7 days ## Switch to Advanced Search Click the [**Advanced Search**](/v1/docs/use-advanced-search)****tab for full SPQL power. ```plaintext feed_name:"Scattered Spider" AND sp_risk_score>80 vendor:"Silent Push" AND is_new_score>90 indicator_type:domain AND asn:15169 AND whois_age<30 feed_name:/Crypto Chameleon|Poison Seed/ ``` > [!NOTE] > Tip > > Build in [Simple Search](/v1/docs/use-simple-search) first, then click **Edit Feed Search Form**; it auto-converts to perfect SPQL. ## Default Columns and Why They Matter | Column | Why it matters | | --- | --- | | Indicator | The actual domain/IP/URL | | Indicator Type | Domain, IPv4, URL, etc. | | Feed | Exact feed (Scattered Spider, etc.) | | Date Added | When it first hit the feed | | Vendor | Who owns the feed | | ASN / AS Name | Immediate infrastructure context | | WHOIS Created Date | Brand-new domains = higher risk | | SP Risk Score | Silent Push 0–100 malice score | Need more? Click the columns icon next to **Total Results** and drag in any of 60+ enriched fields. ## Expand a Row for Deeper Insight Click the **Expand** arrow on any result; every enriched field appears. Blue values are one-click pivots that instantly refine your query. - Click a blue email to add registrant_email:that-email - Click a blue name server that provides instant NS pivot - Click a blue IP to add it to your running query ## Bulk Actions Select multiple rows to: - Copy to clipboard (plain or JSON) - Save directly into your own custom feeds - Run a [Web Search](/v1/docs/web-search) across every selected domain instantly ## Save Query and Set Up Automation/Monitoring Perfect query? Click **Save** (top right) to open the unified modal and configure everything in one place: 1. Add **Name**, **Description**, and optional **Tags**. 2. Toggle **Save Column Headers** for consistent views. 3. Enable **Share with Organization** for team access. 4. Toggle **Monitor**: Get alerts via In-App, Email, Slack, Teams, or Custom webhook. 5. Toggle **Automate Export**: Choose Indicators Only or Enriched (add up to 10 extra fields). 6. Click **Save**. Daily exports are generated automatically. After the first export runs, access formats (CSV, JSON, TXT, RPZ, STIX, TAXII) and the API endpoint via **Manage** in Monitored Queries or Organization Exports. Saved queries become live monitors and automated feeds – new matches trigger alerts and exports without manual effort. ## Manage Your Saved Queries Access saved queries via the **My Searches** button or Monitored Queries tab. - **Update a query:** Open it, modify parameters, re-run, and click Update (for private) or use Manage to edit metadata (name, description, tags, columns). - **Clone:** Open any query, modify as needed, click the three-dot menu > Save as. - **Delete:** Open in My Searches, three-dot menu > Delete. - **Share:** Three-dot menu > Share (makes it available organization-wide). ## Real-World Example Workflows - **“What did Scattered Spider drop this week?”** Feed = Scattered Spider + Date Added = last 7 days - **“Brand-new domains on any feed that live on Cloudflare”** `whois_age<14 AND asn:13335` - **“Poison Seed domains that changed name servers recently”** `feed_name:"Poison Seed" AND ns_entropy>15` - **“Domains listed by both Crypto Chameleon and Scattered Spider”** `feed_name:"Crypto Chameleon" AND feed_name:"Scattered Spider"` ### Allows customers to create a custom filtered-down view of all threat intelligence available, including enrichment data on each indicator (written in SPQL). A centralized module in a threat intelligence platform for organizing, searching, and analyzing data from various feeds, enabling efficient threat detection and response workflows. Autonomous System Number, a unique numeric identifier assigned to an Autonomous System (AS) for managing IP address routing within and between networks on the internet The descriptive name assigned to an Autonomous System (AS), a collection of IP routing prefixes under the control of one or more network operators, used to identify the network in routing operations. A risk score assigned to an indicator by Silent Push, quantifying its potential threat level based on various factors. Labels or metadata assigned to an indicator to provide additional context, such as its threat type, origin, or behavior. A user-defined HTTP callback that automatically sends real-time data or alerts from a system to an external application or service, enabling seamless integration for notifications or automated workflows. A collection of user-defined queries set to run automatically at regular intervals (e.g., every 24 hours) to track changes in DNS, WHOIS, or web data, providing real-time alerts for potential threats.