Feed Scanner supports both Simple and Advanced search modes to query threat intelligence data, with options to save searches for future use.
Simple Feed Scanner Searches
Simple searches use a graphical UI to build expressions, each linking a Field name, Operator, and Value, and chains them together with AND.
Navigate to Threat Intelligence Management > Feed Scanner (the Simple Search tab is preselected).
Select a Field name from the dropdown.
Choose an Operator relevant to the field.
Specify a Value.
Click the plus icon to add more expressions using AND.
(Optional) Click the Reset button to clear parameters.
Click the Search button to execute.
Results populate in the table view.
Advanced Feed Scanner Searches
Advanced searches use SPQL command line syntax for precise queries.
Navigate to Threat Intelligence Management > Feed Scanner and select the Advanced Search tab.
Enter a query using correct SPQL syntax, including spaces and supported field names.
Specify a Sort order via the dropdown or by typing a field name.
(Optional) Click the Reset button to clear parameters.
Press Enter or click the blue icon to execute.
Results populate below, with parameters collapsed.
Edit Search Parameters
For Simple Searches: Modify Expression boxes and re-run by clicking Search.
For Advanced Searches: Click Edit Feed Scanner Search Form, make amendments, and re-run by clicking the blue arrow or pressing Enter.
Save Queries
Enter valid parameters in the Query box.
Click the Save button in the top right.
Enter a unique Search Name.
(Optional) Add a Description or Tags to classify the search.
(Optional) Check Save column headers with the query to preserve reordered columns.
Click Save.
Access saved queries in My Searches under the Saved tab.
Customize Results Tables
Click the vertical line icon next to Total Results.
Use checkboxes to include/exclude Field name data.
Drag field names to reorder columns.
Note: This affects only the visible output, not the underlying data.
Default Results Table Columns
The following columns are displayed by default for all queries:
Indicator: Technical artifact or observable (e.g., IP, domain, URL).
Indicator Type: Type of observable (e.g., IP address, domain, URL).
Feed: Online threat distributor, frequently updated.
Date Added: Date the indicator was added to the feed.
Vendor: Name of the feed owner.
ASN: Number assigned to the Autonomous System.
WHOIS Created Date: Date and time the domain was registered with WHOIS.
SP Risk Score: Silent Push risk score associated with the indicator.
Expand Results and Add Data to Queries
Individual search results can be expanded to include additional data in the query.
Execute a query and view results in the Results table.
Click Expand on the far right of a result row.
View a list of Field Names for the expanded result.
Click any blue-colored text to select a Field Name and choose a relevant Operator.
The selected Field Name is appended to the query, which can be re-run with the new parameters.
Copy Results Data
Use the buttons on the top left of the Results table to copy data.
Click Copy to copy all visible results to the clipboard, or use checkboxes to copy selected results.
Click Select icon results to copy only the selected results.
Click Basic Raw Data in the table header to view and copy the raw data behind all results.
Add Results to Feeds
Results can be added to existing feeds, new feeds, or draft feeds.
Individual Results:
Select a domain or IP from the results.
Click Save to.
Choose Existing or New feed.
Bulk Results:
Select indicators using checkboxes.
Click Save to.
Choose Existing or New feed.