Use the following filters to focus only on the data you need.
Escaping reserved characters
If you need to use any of the characters which function as operators in your query itself (and not as operators), then you should escape them with a leading backslash. For instance, to search for external_links:https://www.linkedin.com*, you would need to write your query as external_links:https\:\/\/www.linkedin.com\*
The reserved characters are: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
Failing to escape these special characters correctly could lead to a syntax error which prevents your query from running.
Parameter | Description | Example |
---|---|---|
uuid | Filter by the unique Identifier of the document | uuid:2deafff403e35e574a9ba0471a524d9a0cf3ec17 |
parent_uuid | Filter by unique Identifier of the parent document | parent_uuid:ae203b33d422faaca88502b05586a61c161de50e |
site.domain | Limit the results to a specific site or sites | site.domain:pbbnzshcgemf3d5y.onion |
site.type | What type of sites to search in (the default is any) Available site types are: News Blogs Discussions Chat Market Paste datastore social_media imageboard ransomware_blog Without this filter, all site types are included. | site.type:(social_media OR discussions) |
site.name | Filter posts based on the site name (in some cases there are multiple domains with the same name) The filter also supports partial searches. | 1. Find all posts from domain name : Tochka (as for Tochka Marketplace) site.name:"Tochka Free Market" 2. Find all posts during the last month from partial name 8chan in the Zeronet network. site.name:*8*chan* extended.network:zeronet crawled:>now-1M |
thread.site_section | Filter by the site section url. Also partial results can be filtered using wild card. | Find all posts that contains lihkg.com as part of their site section. thread.sitesection:_lihkg.com |
title | A textual Boolean query describing the keywords that should (or should not) appear in the thread title | title:(0dayz OR 0days) |
text | A textual Boolean query describing the keywords that should (or should not) appear in the text | text:(0dayz OR 0days) |
language | The language of the post. The default is "any". | Find posts in French or Italian: (language:french OR language:italian) See Supported Languages under 'References' |
author | Return posts written by a specific author or actor | Find posts written by Thewiseguys: author:Thewiseguys |
author_extended.display_name | Return posts written by the user identified by the display name. | Find posts written by "Pmalek": author_extended.display_name: "Pmalek" |
author_extended.user_id | Return posts written by the user identified by the unique identifier in the website or application. | Find posts written by user id: 112493 in domain bitcointalk.org: author_extended.user_id:112493 AND site.domain: "bitcointalk.org" |
author_extended.user_link | Return posts written by the user identified by the user hyperlink in the website or application. | Find posts written by user link : ""https://bitcointalk.org/index.php?action=profile;u=112493 " ": author_extended.user_link:"https://bitcointalk.org/index.php?action=profile;u=112493" |
published | A timestamp (in milliseconds) enabling you to filter items that were published before or after certain date/time. Here is a Timestamp/Date converter | Return posts published after Thu, 30 Mar 2017 09:16:28 GMT: thread.published:> 1490865388000 |
crawled | A timestamp (in milliseconds) enabling you to filter items that were crawled before or after certain date/time. Here is a Timestamp/Date converter | Return pages crawled after Thu, 30 Mar 2017 09:16:28 GMT: crawled:>1490865388000 |
reffering_url | Filter by the URL that referred our crawler to the current document | referring_url:"http://porn-movie-in-3gp.wgledvn3hmbzl7hrkbw7vzebefybqvamnaz22a2maha6vqym7lj2wpad.onion/female-athlete-porn/" |
extended.network | Filter posts by network. Possible values are:
Default is all networks. | extended.network:tor |
extended.external_link | Search for pages that include links to another site | Search for pages that linked to LinkedIn (note that both the slashes and colons are prefixed by a backslash): extended.external_link:https\:\/\/www.linkedin.com\* |
extended.file_type | Filter posts based on the file type crawled. Possible file types:
| Search only on sql documents: extended.file_type:sql |
extended.required_login | A Boolean field (true/false) stating if the content is password protected | Return content posted on forums and marketplaces that require authentication: extended.required_login:true |
enriched.category | Filter posts (English only) that fall into one of the following 7 categories:
| Return posts that were categorized as related to drugs: enriched.category:drugs |
enriched.email.value | Filter by full or partial email address entity | Search for all posts that include gmail accounts. enriched.email.value:*@gmail.com |
enriched.email.count | Filter by the number of email addresses mentions per post | Search for all posts that include more than 40 emails. enriched.email.count:>40 |
enriched.ssn.value | Filter by a full or partial social security number (SSN) | Search for all posts that include the following ssn number. enriched.ssn.value:"061-64-9920" |
enriched.ssn.count | Filter by number of social security numbers (SSN) mentions per post | Search for all posts that include more than 2 ssns. enriched.ssns.count:>2 |
enriched.credit_card.value | Filter by full or partial credit card (CC) number entity | Search for all posts that include credit card numbers that starts with "4580". enriched.credit_card.value:4580* |
enriched.credit_card.count | Filter by the number of credit card mentions per post | Search for all posts that include more than 20 credit card numbers. enriched.credit_card.count:>20 |
enriched.phone.value | Filter by a full or partial phone number entity | Search for all posts that include phone numbers that starts with "+1212". enriched.phone.value:\+1212* |
enriched.phone.count | Filter by the number of phone number mentions per post | Search for all posts that include more than 10 phone numbers. enriched.phone.count:>10 |
enriched.wallet_id.value | Filter by a full or partial cryptocurrency wallet ID entity | enriched.wallet_id:1GeUpXyfHRGxzdwKDJfdHghdupkDrirrXw |
enriched.wallet_id.count | Filter by the number of cryptocurrency wallet mentions per post | Search for all posts that include more than 10 wallet IDs. enriched.wallet_id.count:>10 |
enriched.ip.value | Filter by a specific , range or list of IP entities. Supports currently IPv4 address type. | _Search for IP that match _127.0.0.1: enriched.ip.value:127.0.0.1 Search for IP ranges from 127.0.0.1 to 127.0.0.255 : enriched.ip.value:[127.0.0.1 TO 127.0.0.255] Search for a list of IPs : enriched.ip.value:(192.168.0.1 OR 192.168.0.2) |
enriched.ip.count | Filter by the number of IPs mentioned in the post | Search for all the posts that include more than 10 IPs. enriched.ip.count:>10 |
enriched.domain.value | Filter by a specific or partial domain entity , it could be TLD or sub domain. | Search for all posts that include the domain value : "microsoft.com" enriched.domain.value:microsoft.com |
enriched.domain.count | Filter by the number of domains mentioned in the post. | Search for all the posts that include more than 10 domains. enriched.domain.count:>10 |
enriched.cve.value | Filter by a specific or partial CVE Id entity. The qualified CVE structure is : CVE-[4 digits]-[serial number 4-7 digits] | Search for all the posts that include CVE Ids from 2021. enriched.cve.value:CVE-2021-* |
enriched.cve.count | Filter by the number of CVE Ids mentioned in the post. | Search for all the posts that contain more than 5 CVE Ids. enriched.cve.count:>5 |
enriched.person.value | Filter by a full or partial person name entity. You should use this filter only for disambiguation, otherwise you should use a simple keyword search. | Search for all posts that include the person name "dan". enriched.person.value:dan |
enriched.person.count | Filter by the number of person name mentions per post | Search for all posts that include more than 3 persons. enriched.person.count:>3 |
enriched.organization.value | Filter by a full or partial organization entity name. You should use this filter only for disambiguation, otherwise you should use a simple keyword search. | Search for all posts that include the organization name "cnn". enriched.organization.value:cnn |
enriched.organization.count | Filter by the number of organization mentions per post | Search for all posts that include more than 10 organizations. enriched.organization.count:>10 |
enriched.location.value | Filter by a full or partial location entity name | Search for all posts that include the location name "israel". enriched.location.value:israel |
enriched.location.count | Filter by the number of locations mentions per post | Search for all posts that include more than 10 locations. enriched.location.count:>10 |
Thread Filters
A thread contains global information about the content of the whole page and its content. A thread can contain multiple posts grouped together.
Parameter | Description | Example |
---|---|---|
thread.title | A textual Boolean query describing the keywords that should (or should not) appear in the thread title | Search for posts containing the word "glass" and not "metal" in their title: thread.title:glass -thread.title:metal |
thread.section_title | A textual Boolean query describing the keywords that should (or should not) appear in the site’s section where the post was published | Search for the posts containing the word food only under sections with a title that contains the word "restaurants": food AND thread.section_title:restaurants |
thread.url | Get all the posts of a specific thread (note that you must escape the http:// part of the URL like so: http://). | |
thread.published | A time-stamp (in milliseconds) filtering threads that were published before or after a certain date/time. Here is a Timestamp/Date converter | Return threads published after Thu, 30 Mar 2017 09:16:28 GMT: thread.published:> 1490865388000 |
Note: The special characters are not supported in Cyber API search. Except for specific characters such as & , $ , @ which can be used as part of the keyword search.
Example : "НЕЙТА $ ДЕПОЗИТ"