Use the following filters to focus only on the data you need.
Escaping reserved characters
If you need to use any of the characters which function as operators in your query itself (and not as operators), then you should escape them with a leading backslash. For instance, to search for external_links:https://www.linkedin.com*, you would need to write your query as external_links:https\:\/\/[www.linkedin.com\](http://www.linkedin.com\)\*
The reserved characters are: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
Failing to escape these special characters correctly could lead to a syntax error which prevents your query from running.
| Parameter | Description | Example |
|---|---|---|
| url | Filter by the URL of the post | url:"https://bitcointalk.org/index.php?topic=5505335.20.40#subject_64465585" |
| uuid | Filter by the unique Identifier of the document | uuid:2deafff403e35e574a9ba0471a524d9a0cf3ec17 |
| parent_uuid | Filter by unique Identifier of the parent document | parent_uuid:ae203b33d422faaca88502b05586a61c161de50e |
| title | A textual Boolean query describing the keywords that should (or should not) appear in the post's title | title:("zero day" OR "0day") |
| text | A textual Boolean query describing the keywords that should (or should not) appear in the text | text:("zero day" OR "0day") |
| author | Return posts written by a specific author or actor | Find posts written by Thewiseguys: author:lockbitsupp |
| author_extended.display_name | Return posts written by the user identified by the display name. | Find posts written by "Pmalek": author_extended.display_name: "Pmalek" |
| author_extended.user_id | Return posts written by the user identified by the unique identifier in the website or application. | Find posts written by user id: 112493 in domain bitcointalk.org: author_extended.user_id:112493 AND site.domain: "bitcointalk.org" |
| author_extended.user_link | Return posts written by the user identified by the user hyperlink in the website or application. | Find posts written by user link : author_extended.user_link:"https://bitcointalk.org/index.php?action=profile;u=786113" |
| language | The language of the post. The default is "any". | Find posts in French or Italian: (language:french OR language:italian) See Supported Languages under 'References' |
| published | A timestamp (in milliseconds) enabling you to filter items that were published before or after certain date/time. Here is a Timestamp/Date converter | Return posts from threads published after Tuesday, August 20, 2024 12:00:08 AM: published:> 1724112008000 |
| site.name | Filter posts based on the site name (in some cases there are multiple domains with the same name) The filter also supports partial searches. | 1. Find all posts from domain name : Tochka (as for Tochka Marketplace) site.name:"Tochka Free Market" 2. Find all posts during the last month from partial name 8chan in the Zeronet network. site.name:*8*chan* extended.network:zeronet crawled:>now-1M |
| site.domain | Limit the results to a specific site or sites. Search any replica domain and get all of the site's content. | site.domain:pbbnzshcgemf3d5y.onion |
| site.current_domain | Filter according to the specific domain used at the time the document was scanned | site.current_domain:breachforums.st |
| site.type | Filter sites by their type. Available site types are:
| site.type:(social_media OR discussions) |
| site.category | Filter posts based on their site category:
| 1. Search for all hacking forums site.category:cyber_threat_intelligence AND site.type:discussions 2. Search for all sites related to financial crime site.category:financial_crime |
| thread.url | Filter by the thread url. Also partial results can be filtered using wild card.
| thread.url:"https://bitcointalk.org/index.php?topic=5505335.20.40" |
| thread.uuid | Filter by the unique Identifier of the thread | thread.uuid:"be5dd9459b485c57977694fdec7a72a65e943dc1" |
| thread.title | A textual Boolean query describing the keywords that should (or should not) appear in the thread title | thread.title:("zero day" OR "0day") |
| thread.published | A timestamp (in milliseconds) enabling you to filter threads that were published before or after certain date/time. Here is a Timestamp/Date converter | Return posts from threads published after Tuesday, August 20, 2024 12:00:08 AM: thread.published:>1724112008000 |
| thread.section_title | A textual Boolean query describing the keywords that should (or should not) appear in the section title | thread.section_title:("zero day" OR "0day") |
| thread.site_section | Filter by the site section url. Also partial results can be filtered using wild card. | Find all posts that contains lihkg.com as part of their site section. thread.sitesection:_lihkg.com |
| thread.replies_count | Filter by the number of replies per post | Search for all posts that include more than 2 replies. thread.replies_count:>2 |
| ord_in_thread | Filter by the numerical order of the post in the thread | Return for all first posts published in threads ord_in_thread:0 |
| extended.external_link | Search for posts that include links to another site | Search for pages that linked to LinkedIn (note that both the slashes and colons are prefixed by a backslash): extended.external_link:https\:\/\/[www.linkedin.com\](http://www.linkedin.com\)\* |
| extended.external_image | Search for posts that include image links | Retrieve all posts that include image links extended.external_image:* |
| extended.external_video | Search for posts that include video links | Retrieve all posts that include video links extended.external_video:* |
| extended.file_link | Search for posts that include file links | Retrieve all posts that include file links extended.file_link:* |
| extended.file_type | Filter posts based on the file type crawled. Possible file types:
| Search only on sql documents: extended.file_type:sql |
| extended.network | Filter posts by network. Possible values are:
Default is all networks. | extended.network:telegram |
| extended.required_login | A Boolean field (true/false) stating if the content is password protected | Return content posted on forums and marketplaces that require authentication: extended.required_login:true |
| enriched.category | Filter posts into one or more of the following 14 categories:
| Return posts that were categorized as related to data breach: enriched.category:data_breach |
| enriched.email.value | Filter by full or partial email address entity | Search for all posts that include gmail accounts. enriched.email.value:*@gmail.com |
| enriched.email.count | Filter by the number of email addresses mentions per post | Search for all posts that include more than 40 emails. enriched.email.count:>40 |
| enriched.ssn.value | Filter by a full or partial social security number (SSN) | Search for all posts that include the following ssn number. enriched.ssn.value:"061-64-9920" |
| enriched.ssn.count | Filter by number of social security numbers (SSN) mentions per post | Search for all posts that include more than 2 ssns. enriched.ssn.count:>2 |
| enriched.credit_card.value | Filter by full or partial credit card (CC) number entity | Search for all posts that include credit card numbers that starts with "4580". enriched.credit_card.value:4580* |
| enriched.credit_card.count | Filter by the number of credit card mentions per post | Search for all posts that include more than 20 credit card numbers. enriched.credit_card.count:>20 |
| enriched.phone.value | Filter by a full or partial phone number entity | Search for all posts that include phone numbers that starts with "+1212". enriched.phone.value:\+1212* |
| enriched.phone.count | Filter by the number of phone number mentions per post | Search for all posts that include more than 10 phone numbers. enriched.phone.count:>10 |
| enriched.wallet_id.value | Filter by a full or partial cryptocurrency wallet ID entity | enriched.wallet_id:1GeUpXyfHRGxzdwKDJfdHghdupkDrirrXw |
| enriched.wallet_id.count | Filter by the number of cryptocurrency wallet mentions per post | Search for all posts that include more than 10 wallet IDs. enriched.wallet_id.count:>10 |
| enriched.ip.value | Filter by a specific , range or list of IP entities. Supports currently IPv4 address type. | _Search for IP that match _127.0.0.1: enriched.ip.value:127.0.0.1 Search for IP ranges from 127.0.0.1 to 127.0.0.255 : enriched.ip.value:[127.0.0.1 TO 127.0.0.255] Search for a list of IPs : enriched.ip.value:(192.168.0.1 OR 192.168.0.2) |
| enriched.ip.count | Filter by the number of IPs mentioned in the post | Search for all the posts that include more than 10 IPs. enriched.ip.count:>10 |
| enriched.domain.value | Filter by a specific or partial domain entity , it could be TLD or sub domain. | Search for all posts that include the domain value : "microsoft.com" enriched.domain.value:microsoft.com |
| enriched.domain.count | Filter by the number of domains mentioned in the post. | Search for all the posts that include more than 10 domains. enriched.domain.count:>10 |
| enriched.cve.value | Filter by a specific or partial CVE Id entity. The qualified CVE structure is : CVE-[4 digits]-[serial number 4-7 digits] | Search for all the posts that include CVE Ids from 2021. enriched.cve.value:CVE-2021-* |
| enriched.cve.count | Filter by the number of CVE Ids mentioned in the post. | Search for all the posts that contain more than 5 CVE Ids. enriched.cve.count:>5 |
| enriched.person.value | Filter by a full or partial person name entity. You should use this filter only for disambiguation, otherwise you should use a simple keyword search. | Search for all posts that include the person name "dan". enriched.person.value:dan |
| enriched.person.count | Filter by the number of person name mentions per post | Search for all posts that include more than 3 persons. enriched.person.count:>3 |
| enriched.organization.value | Filter by a full or partial organization entity name. You should use this filter only for disambiguation, otherwise you should use a simple keyword search. | Search for all posts that include the organization name "cnn". enriched.organization.value:cnn |
| enriched.organization.count | Filter by the number of organization mentions per post | Search for all posts that include more than 10 organizations. enriched.organization.count:>10 |
| enriched.location.value | Filter by a full or partial location entity name | Search for all posts that include the location name "israel". enriched.location.value:israel |
| enriched.location.count | Filter by the number of locations mentions per post | Search for all posts that include more than 10 locations. enriched.location.count:>10 |
| enriched.cyber_risk.value | Filter posts based on their cyber risk score, ranging from 0 to 10 (where 10 indicates the highest risk level) | 1. Search for posts with a cyber risk score above 5 enriched.cyber_risk.score:>5 2. Search for posts with a cyber risk score of 10 enriched.cyber_risk.score:10 |
| crawled | A timestamp (in milliseconds) enabling you to filter items that were crawled before or after certain date/time. Here is a Timestamp/Date converter | Return posts crawled after Tuesday, August 20, 2024 12:00:08 AM: crawled:> 1724112008000 |
Thread Filters
A thread contains global information about the content of the whole page and its content. A thread can contain multiple posts grouped together.
| Parameter | Description | Example |
|---|---|---|
| thread.title | A textual Boolean query describing the keywords that should (or should not) appear in the thread title | Search for posts containing the word "glass" and not "metal" in their title: thread.title:glass -thread.title:metal |
| thread.section_title | A textual Boolean query describing the keywords that should (or should not) appear in the site’s section where the post was published | Search for the posts containing the word food only under sections with a title that contains the word "restaurants": food AND thread.section_title:restaurants |
| thread.url | Get all the posts of a specific thread (note that you must escape the http:// part of the URL like so: http://). | |
| thread.published | A time-stamp (in milliseconds) filtering threads that were published before or after a certain date/time. Here is a Timestamp/Date converter | Return threads published after Thu, 30 Mar 2017 09:16:28 GMT: thread.published:> 1490865388000 |
Note: The special characters are not supported in Cyber API search. Except for specific characters such as & , $ , @ which can be used as part of the keyword search.
Example : "НЕЙТА $ ДЕПОЗИТ"