Filters

Use the following filters to focus only on the data you need.

Escaping reserved characters

If you need to use any of the characters that function as operators as literal characters in your query (and not as operators), escape them with a leading backslash. For instance, to search for external_links:https://www.linkedin.com*, you would need to write your query as external_links:https\:\/\/www.linkedin.com\*

The reserved characters are: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /

Failing to escape these special characters correctly could lead to a syntax error which prevents your query from running.
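
One way to apply this escaping when a filter value comes from user input, as an added example (not code from the original page or from the API's own client). The helper names `escape_term` and `prefix_filter` are hypothetical, and the code assumes a lone `&` or `|` needs no escaping because only `&&` and `||` are listed as reserved.

```python
import re

# Reserved characters exactly as listed on this page. "&&" and "||" are
# two-character operators; a lone "&" or "|" is assumed to need no escaping.
_RESERVED = re.compile(r'&&|\|\||[+\-=><!(){}\[\]^"~*?:\\/]')

# Field names in the filter table are lowercase words joined by "_" and ".".
_FIELD = re.compile(r'[a-z_]+(\.[a-z_]+)*')


def escape_term(value: str) -> str:
    """Prefix every reserved character in a literal value with a backslash."""
    return _RESERVED.sub(
        lambda m: "".join("\\" + ch for ch in m.group(0)), value
    )


def prefix_filter(field: str, value: str) -> str:
    """Build `field:<escaped value>*`, keeping the trailing wildcard live.

    Whitespace is rejected because it separates clauses in a query
    (as in `food AND thread.section_title:restaurants`), so a value such as
    "x OR site.type:market" would otherwise add clauses of its own.
    """
    if not _FIELD.fullmatch(field):
        raise ValueError(f"unexpected field name: {field!r}")
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("value must be a single non-empty term")
    return f"{field}:{escape_term(value)}*"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(escape_term("https://www.linkedin.com*"))
    print(prefix_filter("enriched.phone.value", "+1212"))
    print(escape_term("R&D (beta) && C:\\temp"))
```
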

| Parameter | Description | Example |
| --- | --- | --- |
| url | Filter by the URL of the post | `url:"https://bitcointalk.org/index.php?topic=5505335.20.40#subject_64465585"` |
| uuid | Filter by the unique identifier of the document | `uuid:2deafff403e35e574a9ba0471a524d9a0cf3ec17` |
| parent_uuid | Filter by the unique identifier of the parent document | `parent_uuid:ae203b33d422faaca88502b05586a61c161de50e` |
| title | A textual Boolean query describing the keywords that should (or should not) appear in the post's title | `title:("zero day" OR "0day")` |
| text | A textual Boolean query describing the keywords that should (or should not) appear in the text | `text:("zero day" OR "0day")` |
| author | Return posts written by a specific author or actor | Find posts written by Thewiseguys: `author:lockbitsupp` |
| author_extended.display_name | Return posts written by the user identified by the display name. | Find posts written by "Pmalek": `author_extended.display_name: "Pmalek"` |
| author_extended.user_id | Return posts written by the user identified by the unique identifier in the website or application. | Find posts written by user id 112493 in domain bitcointalk.org: `author_extended.user_id:112493 AND site.domain: "bitcointalk.org"` |
| author_extended.user_link | Return posts written by the user identified by the user hyperlink in the website or application. | Find posts written by user link: `author_extended.user_link:"https://bitcointalk.org/index.php?action=profile;u=786113"` |
| language | The language of the post. The default is "any". See Supported Languages under 'References'. | Find posts in French or Italian: `(language:french OR language:italian)` |
| published | A timestamp (in milliseconds) enabling you to filter items that were published before or after a certain date/time. Here is a Timestamp/Date converter. | Return posts from threads published after Tuesday, August 20, 2024 12:00:08 AM: `published:>1724112008000` |
| site.name | Filter posts based on the site name (in some cases there are multiple domains with the same name). The filter also supports partial searches. | 1. Find all posts from domain name Tochka (as for Tochka Marketplace): `site.name:"Tochka Free Market"` 2. Find all posts during the last month from partial name 8chan in the Zeronet network: `site.name:*8*chan* extended.network:zeronet crawled:>now-1M` |
| site.domain | Limit the results to a specific site or sites | `site.domain:pbbnzshcgemf3d5y.onion` |
| site.current_domain | Filter according to the specific domain used at the time the document was scanned | `site.current_domain:breachforums.st` |
| site.type | Filter sites by their type. Available site types are: news, blogs, discussions, chat, market, paste, datastore, social_media, imageboard, ransomware_blog. The default is all. | `site.type:(social_media OR discussions)` |
| site.category | Filter posts based on their site category: cyber_threat_intelligence, financial_crime, illicit_trafficking, extremism_misinformation, brand_monitoring. The default is all. For more details, please refer to this page. | 1. Search for all hacking forums: `site.category:cyber_threat_intelligence AND site.type:discussions` 2. Search for all sites related to financial crime: `site.category:financial_crime` |
| thread.url | Filter by the thread URL. Partial results can also be filtered using a wildcard. | `thread.url:"https://bitcointalk.org/index.php?topic=5505335.20.40"` |
| thread.uuid | Filter by the unique identifier of the thread | `thread.uuid:"be5dd9459b485c57977694fdec7a72a65e943dc1"` |
| thread.title | A textual Boolean query describing the keywords that should (or should not) appear in the thread title | `thread.title:("zero day" OR "0day")` |
| thread.published | A timestamp (in milliseconds) enabling you to filter threads that were published before or after a certain date/time. Here is a Timestamp/Date converter. | Return posts from threads published after Tuesday, August 20, 2024 12:00:08 AM: `thread.published:>1724112008000` |
| thread.section_title | A textual Boolean query describing the keywords that should (or should not) appear in the section title | `thread.section_title:("zero day" OR "0day")` |
| thread.site_section | Filter by the site section URL. Partial results can also be filtered using a wildcard. | Find all posts that contain lihkg.com as part of their site section: `thread.site_section:*lihkg.com*` |
| thread.replies_count | Filter by the number of replies per post | Search for all posts that include more than 2 replies: `thread.replies_count:>2` |
| ord_in_thread | Filter by the numerical order of the post in the thread | Return all first posts published in threads: `ord_in_thread:0` |
| extended.external_link | Search for posts that include links to another site | Search for pages that linked to LinkedIn (note that both the slashes and colons are prefixed by a backslash): `extended.external_link:https\:\/\/www.linkedin.com\*` |
| extended.external_image | Search for posts that include image links | Retrieve all posts that include image links: `extended.external_image:*` |
| extended.external_video | Search for posts that include video links | Retrieve all posts that include video links: `extended.external_video:*` |
| extended.file_link | Search for posts that include file links | Retrieve all posts that include file links: `extended.file_link:*` |
| extended.file_type | Filter posts based on the file type crawled. Possible file types: html, zip, rar, tar, 7z, pdf, txt, xls, xlsx, doc, docx, sql | Search only on sql documents: `extended.file_type:sql` |
| extended.network | Filter posts by network. Possible values are: tor, i2P, openbazaar, telegram, discord, openweb, icq. Default is all networks. | `extended.network:telegram` |
| extended.required_login | A Boolean field (true/false) stating if the content is password protected | Return content posted on forums and marketplaces that require authentication: `extended.required_login:true` |
| enriched.category | Filter posts into one or more of the following 14 categories: hacking, data_breach, carding, crypto, phishing, malware, ransomware, stealer_logs, counterfeit, gaming, extremism, drugs, weapons, sexual. For more details, please refer to this page. | Return posts that were categorized as related to data breach: `enriched.category:data_breach` |
| enriched.email.value | Filter by full or partial email address entity | Search for all posts that include gmail accounts: `enriched.email.value:*@gmail.com` |
| enriched.email.count | Filter by the number of email address mentions per post | Search for all posts that include more than 40 emails: `enriched.email.count:>40` |
| enriched.ssn.value | Filter by a full or partial social security number (SSN) | Search for all posts that include the following SSN: `enriched.ssn.value:"061-64-9920"` |
| enriched.ssn.count | Filter by the number of social security number (SSN) mentions per post | Search for all posts that include more than 2 SSNs: `enriched.ssn.count:>2` |
| enriched.credit_card.value | Filter by full or partial credit card (CC) number entity | Search for all posts that include credit card numbers that start with "4580": `enriched.credit_card.value:4580*` |
| enriched.credit_card.count | Filter by the number of credit card mentions per post | Search for all posts that include more than 20 credit card numbers: `enriched.credit_card.count:>20` |
| enriched.phone.value | Filter by a full or partial phone number entity | Search for all posts that include phone numbers that start with "+1212": `enriched.phone.value:\+1212*` |
| enriched.phone.count | Filter by the number of phone number mentions per post | Search for all posts that include more than 10 phone numbers: `enriched.phone.count:>10` |
| enriched.wallet_id.value | Filter by a full or partial cryptocurrency wallet ID entity | `enriched.wallet_id:1GeUpXyfHRGxzdwKDJfdHghdupkDrirrXw` |
| enriched.wallet_id.count | Filter by the number of cryptocurrency wallet mentions per post | Search for all posts that include more than 10 wallet IDs: `enriched.wallet_id.count:>10` |
| enriched.ip.value | Filter by a specific IP, a range or a list of IP entities. Currently supports the IPv4 address type. | Search for an IP that matches 127.0.0.1: `enriched.ip.value:127.0.0.1` Search for the IP range from 127.0.0.1 to 127.0.0.255: `enriched.ip.value:[127.0.0.1 TO 127.0.0.255]` Search for a list of IPs: `enriched.ip.value:(192.168.0.1 OR 192.168.0.2)` |
| enriched.ip.count | Filter by the number of IPs mentioned in the post | Search for all the posts that include more than 10 IPs: `enriched.ip.count:>10` |
| enriched.domain.value | Filter by a specific or partial domain entity; it could be a TLD or a subdomain. | Search for all posts that include the domain value "microsoft.com": `enriched.domain.value:microsoft.com` |
| enriched.domain.count | Filter by the number of domains mentioned in the post. | Search for all the posts that include more than 10 domains: `enriched.domain.count:>10` |
| enriched.cve.value | Filter by a specific or partial CVE Id entity. The qualified CVE structure is: CVE-[4 digits]-[serial number 4-7 digits] | Search for all the posts that include CVE Ids from 2021: `enriched.cve.value:CVE-2021-*` |
| enriched.cve.count | Filter by the number of CVE Ids mentioned in the post. | Search for all the posts that contain more than 5 CVE Ids: `enriched.cve.count:>5` |
| enriched.person.value | Filter by a full or partial person name entity. You should use this filter only for disambiguation, otherwise you should use a simple keyword search. | Search for all posts that include the person name "dan": `enriched.person.value:dan` |
| enriched.person.count | Filter by the number of person name mentions per post | Search for all posts that include more than 3 persons: `enriched.person.count:>3` |
| enriched.organization.value | Filter by a full or partial organization entity name. You should use this filter only for disambiguation, otherwise you should use a simple keyword search. | Search for all posts that include the organization name "cnn": `enriched.organization.value:cnn` |
| enriched.organization.count | Filter by the number of organization mentions per post | Search for all posts that include more than 10 organizations: `enriched.organization.count:>10` |
| enriched.location.value | Filter by a full or partial location entity name | Search for all posts that include the location name "israel": `enriched.location.value:israel` |
| enriched.location.count | Filter by the number of location mentions per post | Search for all posts that include more than 10 locations: `enriched.location.count:>10` |
| enriched.cyber_risk.value | Filter posts based on their cyber risk score, ranging from 0 to 10 (where 10 indicates the highest risk level) | 1. Search for posts with a cyber risk score above 5: `enriched.cyber_risk.score:>5` 2. Search for posts with a cyber risk score of 10: `enriched.cyber_risk.score:10` |
| crawled | A timestamp (in milliseconds) enabling you to filter items that were crawled before or after a certain date/time. Here is a Timestamp/Date converter. | Return posts crawled after Tuesday, August 20, 2024 12:00:08 AM: `crawled:>1724112008000` |

Thread Filters

A thread holds global information about the whole page and its content. A thread can contain multiple posts grouped together.

| Parameter | Description | Example |
| --- | --- | --- |
| thread.title | A textual Boolean query describing the keywords that should (or should not) appear in the thread title | Search for posts containing the word "glass" and not "metal" in their title: `thread.title:glass -thread.title:metal` |
| thread.section_title | A textual Boolean query describing the keywords that should (or should not) appear in the site's section where the post was published | Search for the posts containing the word food only under sections with a title that contains the word "restaurants": `food AND thread.section_title:restaurants` |
| thread.url | Get all the posts of a specific thread (note that you must escape the http:// part of the URL like so: `http\:\/\/`). | |
| thread.published | A timestamp (in milliseconds) filtering threads that were published before or after a certain date/time. Here is a Timestamp/Date converter. | Return threads published after Thu, 30 Mar 2017 09:16:28 GMT: `thread.published:>1490865388000` |

Note: Special characters are not supported in Cyber API search, except for specific characters such as &, $ and @, which can be used as part of a keyword search.
Example: "НЕЙТА $ ДЕПОЗИТ"