Feed Scanner enables users to explore and analyze enriched threat intelligence data, providing insights into indicators, their attributes, and associated metadata. By leveraging simple or advanced search methods, users can filter and retrieve actionable intelligence tailored to their needs. This guide outlines the process for accessing Feed Scanner, performing searches, and understanding the results.
Access Feed Scanner
To begin using Feed Scanner, follow these steps:
From the platform homepage, select the Menu icon.
Navigate to Threat Intelligence Management.
Select Feed Scanner.
Search with Feed Scanner
Feed Scanner offers two search methods to suit different needs:
Dropdown: Select Search Method
Simple Search: Build quick, straightforward queries using dropdown menus. Ideal for basic filtering and immediate results.
Advanced Search: Create complex, custom queries using Silent Push Query Language (SPQL). Best for precise, detailed filtering of enriched feed data.
Simple Search
From the Feed Scanner interface, select a Datasource from the dropdown menu.
In the Expression Box:
Field Name: Choose an option from the dropdown (e.g., Indicator, IP, Domain).
Operator: Select an operator (e.g., equals, contains).
Value: Enter the value you want to search for.
Select Search.
Advanced Search
Use Silent Push Query Language (SPQL) to craft custom queries for precise filtering.
Refer to the SPQL documentation for syntax and examples.
Use Case:
Simple Search: Quick checks for specific indicators or attributes.
Advanced Search: Detailed investigations requiring complex criteria, such as combining multiple indicator types or metadata.
Feed Scanner Results
Upon performing a search, Feed Scanner preloads results with all production feed indicators. The results display up to 7 default columns for quick reference:
Indicator: The domain, IP, or URL value.
Indicator Type: Type of indicator (e.g., Domain, IP Address, URL).
Feed: Name of the feed containing the indicator.
Vendor: Name of the feed’s vendor.
ASN: Autonomous System Number associated with the indicator.
WHOIS Created Date: Date the domain was registered.
SP Risk Score: Silent Push risk score for the indicator.
Detailed Result Columns
Column Name | Category | Parameter | Description | Example |
|---|---|---|---|---|
ASN | ASN & Subnet Information |
| Numeric number assigned to the Autonomous System | AS15169 |
ASN Allocation Age | ASN & Subnet Information |
| Number of days since the ASN was allocated | 5 |
ASN Diversity | Domain Information |
| The frequency that IP(s) hosting this domain in the last 30 days change between AS numbers | 1 |
ASN Reputation Score | ASN & Subnet Information |
| Score based on the trustworthiness and reputation of the networks associated with a particular ASN | 78 |
ASN Takedown Reputation Score | ASN & Subnet Information |
| Score based on the service provider's history of responding to abuse reports and taking action to mitigate malicious activity associated with their network. | 65 |
AS Name | ASN & Subnet Information |
| Descriptive name of the Autonomous System associated with the IP address | CLOUDFLARENET, US |
Continent Code | IP Information |
| Continent code that corresponds to the IP's geographical location | US |
Country Code | IP Information |
| Two letter country that corresponds to the IP's geographical location | NA |
Date Added | Indicator Information | Date and time that the indicator was first added to the current feed | 2025-04-01T10:07:17 | |
Density | IP Information |
| Number of domains with A records pointing to the IP address | 5 |
Domain Age | Domain Information |
| Number of days ago that the domain was first identified in zone files | 106 |
Domain | Domain Information |
| Name of the domain associated with the indicator | weeblysite.com |
Feed | Indicator Information |
| Name of the feed that the indicator is on | APT - Lazarus Domains |
Feed Frequency | Indicator Information | Average frequency in hours that a feed receives indicator updates (based on previous 30 days) | 23 | |
Feed UUID | Indicator Information | UUID of the feed that the indicator is on | ||
Host | Domain Information |
| Name of the host associated with the indicator | btinternet-109545.weeblysite.com |
Indicator Type | Indicator Information |
| Type of indicator:
| Domain |
IOFA Score | Indicator Information |
| Score associated with the indicator's placement on an IOFA feed | 100 |
IP Diversity All | Domain Information |
| The number of IPs that a domain pointed to over the previous 30 days | 2 |
IP Diversity Groups | Domain Information |
| The number of different groupings of IPs pointed to over the last 30 days, where a grouping may consist of one or more IPs that are pointed to at the same time | 1 |
IP PTR | IP Information |
| Reverse DNS record (PTR) that is associated with the IP address | 74-115-51-55.weebly.net |
IP Reputation Score | IP Information |
| A score based on the number of domains hosted on the IP that are listed on a feed | 100 |
IPv4 | IP Information |
| IPv4 address that is associated with the indicator | 74.115.51.55 |
Is DSL Dynamic | IP Information |
| Flag that indicates if the IP address is linked to dynamic DSL services | 1 for true, 0 for false |
Is Dynamic Domain | Domain Information |
| Flag that indicates if the domain is associated with dynamic DNS or regularly changing IP assignments | 1 for true, 0 for false |
Is Known Benign | IP Information |
| Flag that indicates if the indicator is confirmed to be benign or a false positive. (8888 for example) | 1 for true, 0 for false |
Is New Score |
| Score that represents how new the indicator is. | 100 | |
Is Parked | Domain Information |
| Flag that indicates if the domain is parked | 1 for true, 0 for false |
Is Sinkholed | IP Information |
| Flag that indicates if the indicator is currently sinkholed to divert malicious traffic | 1 for true, 0 for false |
Is TOR Exit Node | IP Information |
| Flag that indicates if the IP address is recognised as a Tor exit node | 1 for true, 0 for false |
Is Tranco Top 10K | Domain Information |
| Flag that indicates if the domain is listed on the Tranco Top 10k most popular domains list | 1 for true, 0 for false |
Is URL Shortener | Domain Information |
| Flag that indicates if the URL is provided by a recognized URL shortening service | 1 for true, 0 for false |
Last Seen On | Indicator Information |
| Date and time that the indicator was most recently observed on a feed | 2025-03-21T04:57:20 |
Name | Indicator Information |
| Indicator domain or URL value | https://btinternet-109545.weeblysite.com/ |
Name servers Tags | Domain Information |
| Tags that are associated with each name server. | ns-1375.awsdns-43.org:ns-1854.awsdns-39.co.uk:ns-510.awsdns-63.com:ns-522.awsdns-01.net |
Name Server Entropy Score | Domain Information |
| Score that includes recency, frequency, and the number of name server changes | 20 |
NS Reputation Max Score | Domain Information |
| Highest value associated with the reputation score of the associated name servers | 18 |
SP Risk Score | Indicator Information |
| Silent Push risk score associated with the indicator | 18 |
Subdomain | Domain Information |
| Name of the subdomain extracted from the hostname. | btinternet-109545 (btinternet-109545.weeblysite.com) |
Subnet | ASN & Subnet Information |
| Subnet associated with the IP | 74.115.51.0/24 |
Subnet Allocation Age | ASN & Subnet Information |
| Number of days since the subnet was allocated | 5215 |
Subnet Reputation Score | ASN & Subnet Information |
| Score based on the trustworthiness and reputation of a specific subnet or range of IP addresses within a larger network | 10 |
Tags | Indicator Information |
| Tags and labels that are assigned to the indicator to provide additional context | malware |
Tranco Rank | Domain Information |
| Rank of the indicator on the Tranco Top 10k list | 8.750 |
Tranco Top 10k | Domain Information |
| Score that represents the domains rank in in the Tranco Top 10K. | 20 |
Vendor | Indicator Information |
| Name of the vendor who created the feed | Silent Push |
WHOIS Age | Domain Information |
| Number of days ago the domain was registered with WHOIS | 4436 |
WHOIS Created Date | Domain Information |
| Date and time that the domain was registered with WHOIS | 2012-12-19T04:07:22 |