Use Feed Search

Prev Next

Feed Search enables users to explore and analyze enriched threat intelligence data, providing insights into indicators, their attributes, and associated metadata. By leveraging simple or advanced search methods, users can filter and retrieve actionable intelligence tailored to their needs. This guide outlines the process for accessing Feed Scanner, performing searches, and understanding the results.

Perform and Scan Feed Searches

Simple Feed Searches

Simple searches use a graphical UI to link a Field name, Operator, and Value in expressions chained with AND functionality.

  1. From the left navigation menu, select Threat Intelligence Management > Feed Search (the Simple Search tab is preselected).

  2. Select a Field name from the dropdown.

  3. Choose an Operator relevant to the field.

  4. Specify a Value.

  5. Click the plus icon to add more expressions using AND.

  6. (Optional) Click the Reset button to clear parameters.

  7. Click the Search button to execute.

  8. Results populate in the table view.

Advanced Feed Scanner Searches

Advanced searches utilize Silent Push Query Language (SPQL) command-line syntax for precise queries.

  1. From the left navigation menu, select Threat Intelligence Management > Feed Search and select the Advanced Search tab.

  2. Enter a query using correct SPQL syntax, including spaces and supported field names.

  3. Specify a Sort order via the dropdown or by typing a field name.

  4. (Optional) Click the Reset button to clear parameters.

  5. Press Enter or click the blue icon to execute.

  6. Results populate below, with parameters collapsed.

Edit Search Parameters

  • For simple searches, modify the Expression boxes and re-run by clicking Search.

  • For Advanced Searches, click Edit Feed Search Form, make amendments, and re-run by clicking the blue arrow or pressing Enter.

Save Queries

  1. Enter valid parameters in the Query box.

  2. Click the Save button in the top right.

  3. Enter a unique Search Name.

  4. (Optional) Add a Description or Tags to classify the search.

  5. (Optional) Check the Save column headers with the query to preserve reordered columns.

  6. Click Save.

  7. Access saved queries in My Searches under the Saved tab.

Customize Results Tables

  1. Click the vertical line icon next to Total Results.
    Search field names with checkmarks indicating selected options in a data table interface.

  2. Use checkboxes to include/exclude Field name data.

  3. Drag field names to reorder columns.

    Note: This affects only the visible output, not the underlying data.

Default Results table columns

The following columns are displayed by default for all queries:

  • Indicator: Technical artifact or observable (e.g., IP, domain, URL).

  • Indicator Type: Type of observable (e.g., IP address, domain, URL).

  • Feed: Online threat distributor, frequently updated.

  • Date Added: Date the indicator was added to the feed.

  • Vendor: Name of the feed owner.

  • ASN: Numeric number assigned to the Autonomous System.

  • WHOIS Created Date: Date and time the domain was registered with

    WHOIS.

  • SP Risk Score: Silent Push risk score associated with the indicator.

Expand results and add data to queries

Individual search results can be expanded to include additional data in the query.

  1. Execute a query and view results in the Results table.

  2. Click Expand on the far right of a result row.

  3. View a list of Field Names for the expanded result.

  4. Click any blue-colored text to select a Field Name and choose a relevant Operator.

  5. The selected Field Name is appended to the query, which can be re-run with the new parameters.

Copy Results data

Use the buttons on the top left of the Results table to copy data.

  1. Click Copy to copy all visible results to the clipboard, or use checkboxes to copy selected results.

  2. Click the Select icon Results to copy only the selected results.

  3. Click Basic Raw Data in the table header to view and copy the raw data behind all results.

Add results to feeds

Results can be added to existing or new feeds or draft feeds.

  • Individual Results:

    • Select a domain or IP from the results.

    • Click Save to.

    • Choose Existing or New feed.

  • Bulk Results:

    • Select indicators using checkboxes.

    • Click Save to.

    • Choose Existing or New feed.

Access Feed Search

From the left navigation menu, select Threat Intelligence Management > Feed Search.

Search with Feed Search

Feed Search offers two search methods to suit different needs:

Dropdown: Select search method

  • Simple Search: Build quick, straightforward queries using dropdown menus. Ideal for basic filtering and immediate results.

  • Advanced Search: Create complex, custom queries using Silent Push Query Language (SPQL). Best for precise, detailed filtering of enriched feed data.

Simple search

  1. From the Feed Search interface, select a Datasource from the dropdown menu.

  2. In the Expression Box:

    1. Field Name: Choose an option from the dropdown (e.g., Indicator, IP, Domain).

    2. Operator: Select an operator (e.g., equals, contains).

    3. Value: Enter the value you want to search for.

  3. Select Search.

Advanced search

  • Use Silent Push Query Language (SPQL) to craft custom queries for precise filtering.

  • Refer to the SPQL documentation for syntax and examples.

Use Case:

  • Simple Search: Quick checks for specific indicators or attributes.

  • Advanced Search: Detailed investigations requiring complex criteria, such as combining multiple indicator types or metadata.

Feed search results

Upon performing a search, Feed Search preloads results with all production feed indicators. The results display up to seven default columns for quick reference:

  • Indicator: The domain, IP, or URL value.

  • Indicator Type: Type of indicator (e.g., Domain, IP Address, URL).

  • Feed: Name of the feed containing the indicator.

  • Vendor: Name of the feed’s vendor.

  • ASN: Autonomous System Number associated with the indicator.

  • WHOIS Created Date: Date the domain was registered.

  • SP Risk Score: Silent Push risk score for the indicator.

Detailed Result Columns

Column Name

Category

Parameter

Description

Example

ASN

ASN & Subnet Information

asn

Numeric number assigned to the Autonomous System

AS15169

ASN Allocation Age

ASN & Subnet Information

asn_allocation_age

Number of days since the ASN was allocated

5

ASN Diversity

Domain Information

asn_diversity

The frequency with which IP(s) hosting this domain in the last 30 days changes between AS numbers

1

ASN Reputation Score

ASN & Subnet Information

asn_reputation

Score based on the trustworthiness and reputation of the networks associated with a particular ASN

78

ASN Takedown Reputation Score

ASN & Subnet Information

asn_takedown_reputation

Score based on the service provider's history of responding to abuse reports and taking action to mitigate malicious activity associated with their network.

65

AS Name

ASN & Subnet Information

asname

Descriptive name of the Autonomous System associated with the IP address

CLOUDFLARENET, US

Continent Code

IP Information

continent_code

Continent code that corresponds to the IP's geographical location

US

Country Code

IP Information

country_code

Two-letter country that corresponds to the IP's geographical location

NA

Date Added

Indicator Information

Date and time that the indicator was first added to the current feed

2025-04-01T10:07:17

Density

IP Information

density

Number of domains with A records pointing to the IP address

5

Domain Age

Domain Information

age

Number of days ago that the domain was first identified in zone files

106

Domain

Domain Information

domain

Name of the domain associated with the indicator

weeblysite.com

Feed

Indicator Information

feed_name

Name of the feed that the indicator is on

APT - Lazarus Domains

Feed Frequency

Indicator Information

Average frequency in hours that a feed receives indicator updates (based on the previous 30 days)

23

Feed UUID

Indicator Information

UUID of the feed that the indicator is on

Host

Domain Information

host

Name of the host associated with the indicator

btinternet-109545.weeblysite.com

Indicator Type

Indicator Information

type

Type of indicator:

  • Domain

  • IP Address

  • URL

Domain

IOFA Score

Indicator Information

iofa_listing_score

Score associated with the indicator's placement on an IOFA feed

100

IP Diversity All

Domain Information

ip_diversity_all

The number of IPs that a domain has pointed to over the previous 30 days

2

IP Diversity Groups

Domain Information

ip_diversity_groups

The number of different groupings of IPs pointed to over the last 30 days, where a grouping may consist of one or more IPs that are pointed to at the same time

1

IP PTR

IP Information

ip_ptr

Reverse DNS record (PTR) that is associated with the IP address

74-115-51-55.weebly.net

IP Reputation Score

IP Information

ip_reputation_score

A score based on the number of domains hosted on the IP that are listed on a feed

100

IPv4

IP Information

ipv4

IPv4 address that is associated with the indicator

74.115.51.55

Is DSL Dynamic

IP Information

ip_is_dsl_dynamic

Flag that indicates if the IP address is linked to dynamic DSL services

1 for true, 0 for false

Is Dynamic Domain

Domain Information

is_dynamic_domain

Flag that indicates if the domain is associated with dynamic DNS or regularly changing IP assignments

1 for true, 0 for false

Is Known Benign

IP Information

known_benign

Flag that indicates if the indicator is confirmed to be benign or a false positive. (8888 for example)

1 for true, 0 for false

Is New Score

is_new_score

Score that represents how new the indicator is.

Is Parked

Domain Information

is_parked

Flag that indicates if the domain is parked

1 for true, 0 for false

Is Sinkholed

IP Information

is_sinkholed

Flag that indicates if the indicator is currently sinkholed to divert malicious traffic

1 for true, 0 for false

Is TOR Exit Node

IP Information

ip_is_tor_exit_node

Flag that indicates if the IP address is recognised as a Tor exit node

1 for true, 0 for false

Is Tranco Top 10k

Domain Information

is_tranco_top10k

Flag that indicates if the domain is listed on the Tranco Top 10k most popular domains list

1 for true, 0 for false

Is URL Shortener

Domain Information

is_url_shortener

Flag that indicates if the URL is provided by a recognized URL shortening service

1 for true, 0 for false

Last Seen On

Indicator Information

last_seen_on

Date and time that the indicator was most recently observed on a feed

2025-03-21T04:57:20

Name

Indicator Information

name

Indicator domain or URL value

https://btinternet-109545.weeblysite.com/

Name servers Tags

Domain Information

nameservers_tags

Tags that are associated with each name server.

ns-1375.awsdns-43.org:ns-1854.awsdns-39.co.uk:ns-510.awsdns-63.com:ns-522.awsdns-01.net

Name Server Entropy Score

Domain Information

ns_entropy

Score that includes recency, frequency, and the number of name server changes

20

NS Reputation Max Score

Domain Information

ns_reputation_max

Highest value associated with the reputation score of the associated name servers

18

SP Risk Score

Indicator Information

sp_risk_score

Silent Push risk score associated with the indicator

18

Subdomain

Domain Information

subdomain

Name of the subdomain extracted from the hostname.

btinternet-109545 (btinternet-109545.weeblysite.com)

Subnet

ASN & Subnet Information

subnet

Subnet associated with the IP

74.115.51.0/24

Subnet Allocation Age

ASN & Subnet Information

subnet_allocation_age

Number of days since the subnet was allocated

5215

Subnet Reputation Score

ASN & Subnet Information

subnet_reputation

Score based on the trustworthiness and reputation of a specific subnet or range of IP addresses within a larger network

10

Tags

Indicator Information

all_tags

Tags and labels that are assigned to the indicator to provide additional context

malware

Tranco Rank

Domain Information

tranco_rank

Rank of the indicator on the Tranco Top 10k list

8.750

Tranco Top 10k

Domain Information

tranco_top_10k

Score that represents the domain’s rank in the Tranco Top 10K.

20

Vendor

Indicator Information

feed_vendor_name

Name of the vendor who created the feed

Silent Push

Whois age

Domain Information

whois_age

The number of days ago the domain was registered with WHOIS

4436

WHOIS Created Date

Domain Information

whois_created_date

Date and time that the domain was registered with WHOIS

2012-12-19T04:07:22