Feed Search enables users to explore and analyze enriched threat intelligence data, providing insights into indicators, their attributes, and associated metadata. By leveraging simple or advanced search methods, users can filter and retrieve actionable intelligence tailored to their needs. This guide outlines the process for accessing Feed Scanner, performing searches, and understanding the results.
Perform and Scan Feed Searches
Simple Feed Searches
Simple searches use a graphical UI to link a Field name, Operator, and Value into expressions that are chained together with AND.
From the left navigation menu, select Threat Intelligence Management > Feed Search (the Simple Search tab is preselected).
Select a Field name from the dropdown.
Choose an Operator relevant to the field.
Specify a Value.
Click the plus icon to add more expressions using AND.
(Optional) Click the Reset button to clear parameters.
Click the Search button to execute.
Results populate in the table view.
Advanced Feed Scanner Searches
Advanced searches utilize Silent Push Query Language (SPQL) command-line syntax for precise queries.
From the left navigation menu, select Threat Intelligence Management > Feed Search and select the Advanced Search tab.
Enter a query using correct SPQL syntax, including spaces and supported field names.
Specify a Sort order via the dropdown or by typing a field name.
(Optional) Click the Reset button to clear parameters.
Press Enter or click the blue icon to execute.
Results populate below, with parameters collapsed.
Edit Search Parameters
For simple searches, modify the Expression boxes and re-run by clicking Search.
For Advanced Searches, click Edit Feed Search Form, make amendments, and re-run by clicking the blue arrow or pressing Enter.
Save Queries
Enter valid parameters in the Query box.
Click the Save button in the top right.
Enter a unique Search Name.
(Optional) Add a Description or Tags to classify the search.
(Optional) Check the Save column headers with the query to preserve reordered columns.
Click Save.
Access saved queries in My Searches under the Saved tab.
Customize Results Tables
Click the vertical line icon next to Total Results.
Use checkboxes to include/exclude Field name data.
Drag field names to reorder columns.
Note: This affects only the visible output, not the underlying data.
Default Results table columns
The following columns are displayed by default for all queries:
Indicator: Technical artifact or observable (e.g., IP, domain, URL).
Indicator Type: Type of observable (e.g., IP address, domain, URL).
Feed: Online threat distributor, frequently updated.
Date Added: Date the indicator was added to the feed.
Vendor: Name of the feed owner.
ASN: Number assigned to the Autonomous System.
WHOIS Created Date: Date and time the domain was registered with WHOIS.
SP Risk Score: Silent Push risk score associated with the indicator.
Expand results and add data to queries
Individual search results can be expanded to include additional data in the query.
Execute a query and view results in the Results table.
Click Expand on the far right of a result row.
View a list of Field Names for the expanded result.
Click any blue-colored text to select a Field Name and choose a relevant Operator.
The selected Field Name is appended to the query, which can be re-run with the new parameters.
Copy Results data
Use the buttons on the top left of the Results table to copy data.
Click Copy to copy all visible results to the clipboard, or use checkboxes to copy selected results.
Click the Select icon to copy only the selected results.
Click Basic Raw Data in the table header to view and copy the raw data behind all results.
Add results to feeds
Results can be added to existing feeds, new feeds, or draft feeds.
Individual Results:
Select a domain or IP from the results.
Click Save to.
Choose Existing or New feed.
Bulk Results:
Select indicators using checkboxes.
Click Save to.
Choose Existing or New feed.
Access Feed Search
From the left navigation menu, select Threat Intelligence Management > Feed Search.
Search with Feed Search
Feed Search offers two search methods to suit different needs:
Dropdown: Select search method
Simple Search: Build quick, straightforward queries using dropdown menus. Ideal for basic filtering and immediate results.
Advanced Search: Create complex, custom queries using Silent Push Query Language (SPQL). Best for precise, detailed filtering of enriched feed data.
Simple search
From the Feed Search interface, select a Datasource from the dropdown menu.
In the Expression Box:
Field Name: Choose an option from the dropdown (e.g., Indicator, IP, Domain).
Operator: Select an operator (e.g., equals, contains).
Value: Enter the value you want to search for.
Select Search.
Advanced search
Use Silent Push Query Language (SPQL) to craft custom queries for precise filtering.
Refer to the SPQL documentation for syntax and examples.
Use Case:
Simple Search: Quick checks for specific indicators or attributes.
Advanced Search: Detailed investigations requiring complex criteria, such as combining multiple indicator types or metadata.
Feed search results
Upon performing a search, Feed Search preloads results with all production feed indicators. The results display up to seven default columns for quick reference:
Indicator: The domain, IP, or URL value.
Indicator Type: Type of indicator (e.g., Domain, IP Address, URL).
Feed: Name of the feed containing the indicator.
Vendor: Name of the feed’s vendor.
ASN: Autonomous System Number associated with the indicator.
WHOIS Created Date: Date the domain was registered.
SP Risk Score: Silent Push risk score for the indicator.
Detailed Result Columns
| Column Name | Category | Parameter | Description | Example |
|---|---|---|---|---|
| ASN | ASN & Subnet Information | | Number assigned to the Autonomous System | AS15169 |
| ASN Allocation Age | ASN & Subnet Information | | Number of days since the ASN was allocated | 5 |
| ASN Diversity | Domain Information | | How often the IP(s) hosting this domain changed between AS numbers in the last 30 days | 1 |
| ASN Reputation Score | ASN & Subnet Information | | Score based on the trustworthiness and reputation of the networks associated with a particular ASN | 78 |
| ASN Takedown Reputation Score | ASN & Subnet Information | | Score based on the service provider's history of responding to abuse reports and taking action to mitigate malicious activity associated with its network | 65 |
| AS Name | ASN & Subnet Information | | Descriptive name of the Autonomous System associated with the IP address | CLOUDFLARENET, US |
| Continent Code | IP Information | | Continent code that corresponds to the IP's geographical location | US |
| Country Code | IP Information | | Two-letter country code that corresponds to the IP's geographical location | NA |
| Date Added | Indicator Information | | Date and time that the indicator was first added to the current feed | 2025-04-01T10:07:17 |
| Density | IP Information | | Number of domains with A records pointing to the IP address | 5 |
| Domain Age | Domain Information | | Number of days since the domain was first identified in zone files | 106 |
| Domain | Domain Information | | Name of the domain associated with the indicator | weeblysite.com |
| Feed | Indicator Information | | Name of the feed that the indicator is on | APT - Lazarus Domains |
| Feed Frequency | Indicator Information | | Average frequency in hours at which the feed receives indicator updates (based on the previous 30 days) | 23 |
| Feed UUID | Indicator Information | | UUID of the feed that the indicator is on | |
| Host | Domain Information | | Name of the host associated with the indicator | btinternet-109545.weeblysite.com |
| Indicator Type | Indicator Information | | Type of indicator | Domain |
| IOFA Score | Indicator Information | | Score associated with the indicator's placement on an IOFA feed | 100 |
| IP Diversity All | Domain Information | | Number of IPs that the domain has pointed to over the previous 30 days | 2 |
| IP Diversity Groups | Domain Information | | Number of different groupings of IPs pointed to over the last 30 days, where a grouping may consist of one or more IPs that are pointed to at the same time | 1 |
| IP PTR | IP Information | | Reverse DNS (PTR) record associated with the IP address | 74-115-51-55.weebly.net |
| IP Reputation Score | IP Information | | Score based on the number of domains hosted on the IP that are listed on a feed | 100 |
| IPv4 | IP Information | | IPv4 address associated with the indicator | 74.115.51.55 |
| Is DSL Dynamic | IP Information | | Flag that indicates whether the IP address is linked to dynamic DSL services | 1 for true, 0 for false |
| Is Dynamic Domain | Domain Information | | Flag that indicates whether the domain is associated with dynamic DNS or regularly changing IP assignments | 1 for true, 0 for false |
| Is Known Benign | IP Information | | Flag that indicates whether the indicator is confirmed to be benign or a false positive (8888 for example) | 1 for true, 0 for false |
| Is New Score | | | Score that represents how new the indicator is | |
| Is Parked | Domain Information | | Flag that indicates whether the domain is parked | 1 for true, 0 for false |
| Is Sinkholed | IP Information | | Flag that indicates whether the indicator is currently sinkholed to divert malicious traffic | 1 for true, 0 for false |
| Is TOR Exit Node | IP Information | | Flag that indicates whether the IP address is recognised as a Tor exit node | 1 for true, 0 for false |
| Is Tranco Top 10k | Domain Information | | Flag that indicates whether the domain is listed on the Tranco Top 10k most popular domains list | 1 for true, 0 for false |
| Is URL Shortener | Domain Information | | Flag that indicates whether the URL is provided by a recognized URL shortening service | 1 for true, 0 for false |
| Last Seen On | Indicator Information | | Date and time that the indicator was most recently observed on a feed | 2025-03-21T04:57:20 |
| Name | Indicator Information | | Indicator domain or URL value | https://btinternet-109545.weeblysite.com/ |
| Name Servers Tags | Domain Information | | Tags associated with each name server | ns-1375.awsdns-43.org:ns-1854.awsdns-39.co.uk:ns-510.awsdns-63.com:ns-522.awsdns-01.net |
| Name Server Entropy Score | Domain Information | | Score that combines the recency, frequency, and number of name server changes | 20 |
| NS Reputation Max Score | Domain Information | | Highest reputation score among the associated name servers | 18 |
| SP Risk Score | Indicator Information | | Silent Push risk score associated with the indicator | 18 |
| Subdomain | Domain Information | | Name of the subdomain extracted from the hostname | btinternet-109545 (btinternet-109545.weeblysite.com) |
| Subnet | ASN & Subnet Information | | Subnet associated with the IP | 74.115.51.0/24 |
| Subnet Allocation Age | ASN & Subnet Information | | Number of days since the subnet was allocated | 5215 |
| Subnet Reputation Score | ASN & Subnet Information | | Score based on the trustworthiness and reputation of a specific subnet or range of IP addresses within a larger network | 10 |
| Tags | Indicator Information | | Tags and labels assigned to the indicator to provide additional context | malware |
| Tranco Rank | Domain Information | | Rank of the indicator on the Tranco Top 10k list | 8.750 |
| Tranco Top 10k | Domain Information | | Score that represents the domain's rank in the Tranco Top 10K | 20 |
| Vendor | Indicator Information | | Name of the vendor who created the feed | Silent Push |
| Whois age | Domain Information | | Number of days since the domain was registered with WHOIS | 4436 |
| WHOIS Created Date | Domain Information | | Date and time that the domain was registered with WHOIS | 2012-12-19T04:07:22 |
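As an added example (not Silent Push's own code), the following script triages rows copied out of the Results table using the documented flag columns (1 for true, 0 for false), SP Risk Score and Whois age. The one-dict-per-row format, the threshold values and the sample rows are assumptions made for the example.

```python
# Triage of Feed Search result rows. Keys are the column names from the
# Detailed Result Columns table; the row format and thresholds are assumed.

SUPPRESS_FLAGS = {            # documented flags that argue against alerting
    "Is Known Benign": "confirmed benign / false positive",
    "Is Sinkholed": "already sinkholed",
    "Is Tranco Top 10k": "Tranco Top 10k domain",
}
REVIEW_FLAGS = {              # documented flags that need an analyst's eye
    "Is Parked": "parked domain",
    "Is URL Shortener": "URL shortener",
    "Is Dynamic Domain": "dynamic DNS domain",
}

def flag(row, name):
    """Flag columns are documented as 1 for true, 0 for false; missing means false."""
    return str(row.get(name, 0)).strip() == "1"

def triage(row, min_risk=50, max_age_days=30):
    """Classify one row as 'suppress', 'escalate', 'review' or 'low' with reasons."""
    hits = [why for name, why in SUPPRESS_FLAGS.items() if flag(row, name)]
    if hits:
        return "suppress", hits
    review = [why for name, why in REVIEW_FLAGS.items() if flag(row, name)]
    reasons = []
    age = row.get("Whois age")                 # days since WHOIS registration
    if age not in (None, "") and int(age) <= max_age_days:
        reasons.append(f"registered {age} days ago")
    risk = int(row.get("SP Risk Score") or 0)
    if risk >= min_risk:
        reasons.append(f"SP Risk Score {risk} >= {min_risk}")
        if not review:                         # high risk, nothing to second-guess
            return "escalate", reasons
    if review or reasons:
        return "review", review + reasons
    return "low", []

def prioritise(rows):
    """Escalations first, then reviews, then low; within a group by risk desc."""
    order = {"escalate": 0, "review": 1, "low": 2}
    kept = [(triage(r)[0], r) for r in rows if triage(r)[0] != "suppress"]
    return [r for _, r in sorted(
        kept, key=lambda vr: (order[vr[0]], -int(vr[1].get("SP Risk Score") or 0)))]

# Constructed sample rows (not real feed data); one dict per result row.
SAMPLE_ROWS = [
    {"Indicator": "btinternet-109545.weeblysite.com", "SP Risk Score": 18, "Whois age": 4436},
    {"Indicator": "login-verify.example", "SP Risk Score": 92, "Whois age": 3, "Is Parked": 0},
    {"Indicator": "203.0.113.5", "SP Risk Score": 100, "Is Known Benign": 1},
    {"Indicator": "parked-lure.example", "SP Risk Score": 60, "Whois age": 400, "Is Parked": 1},
]
```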