Filters

Use the following filters to focus only on the data you need.

Escaping reserved characters

If you need to use any of the characters that function as operators as literal text in your query (and not as operators), escape them with a leading backslash. For instance, to search for external_links:https://www.linkedin.com*, you would need to write your query as external_links:https\:\/\/www.linkedin.com*

The reserved characters are: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /

Failing to escape these special characters correctly could lead to a syntax error which prevents your query from running.

Parameter

Description

Example

url

Filter by the URL of the post

url:"https://bitcointalk.org/index.php?topic=5505335.20.40#subject_64465585"

uuid

Filter by the unique identifier of the document

uuid:2deafff403e35e574a9ba0471a524d9a0cf3ec17

parent_uuid

Filter by the unique identifier of the parent document

parent_uuid:ae203b33d422faaca88502b05586a61c161de50e

title

A textual Boolean query describing the keywords that should (or should not) appear in the post's title

title:("zero day" OR "0day")

text

A textual Boolean query describing the keywords that should (or should not) appear in the text

text:("zero day" OR "0day")

author

Return posts written by a specific author or actor

Find posts written by Thewiseguys:
author:lockbitsupp

author_extended.display_name

Return posts written by the user identified by the display name.

Find posts written by "Pmalek":

author_extended.display_name: "Pmalek"

author_extended.user_id

Return posts written by the user identified by the unique identifier in the website or application.

Find posts written by user id: 112493 in domain bitcointalk.org:

author_extended.user_id:112493 AND site.domain: "bitcointalk.org"

author_extended.user_link

Return posts written by the user identified by the user hyperlink in the website or application.

Find posts written by user link:

author_extended.user_link:"https://bitcointalk.org/index.php?action=profile;u=786113"

author_extended.adversary_group

Return posts written by a certain adversary group.

Find posts written by Lockbit:

author_extended.adversary_group:lockbit

language

The language of the post. The default is "any".

Find posts in French or Italian:
(language:french OR language:italian)

See Supported Languages under 'References'

published

A timestamp (in milliseconds) enabling you to filter items that were published before or after certain date/time.
Here is a Timestamp/Date converter

Return posts from threads published after Tuesday, August 20, 2024 12:00:08 AM: published:>1724112008000

site.name

Filter posts based on the site name (in some cases there are multiple domains with the same name)

The filter also supports partial searches.

  1. Find all posts from domain name: Tochka (as for Tochka Marketplace)
    site.name:"Tochka Free Market"
  2. Find all posts during the last month from partial name 8chan in the Zeronet network.
    (site.name:*8*chan* extended.network:zeronet crawled:>now-1M)

site.domain

Limit the results to a specific site or sites. Search any replica domain and get all of the site's content.

site.domain:pbbnzshcgemf3d5y.onion

site.current_domain

Filter according to the specific domain used at the time the document was scanned

site.current_domain:breachforums.st

site.type

Filter sites by their type.
Available site types are:

• news
• blogs
• discussions
• chat
• market
• paste
• datastore
• social_media
• imageboard
• ransomware_blog
• code_repositories

The default is all.

site.type:(social_media OR discussions)

site.category

Filter posts based on their site category:

• cyber_threat_intelligence
• financial_crime
• illicit_trafficking
• extremism_misinformation
• brand_monitoring

The default is all.

For more details, please refer to this page.

  1. Search for all hacking forums
    (site.category:cyber_threat_intelligence AND site.type:discussions)
  2. Search for all sites related to financial crime
    site.category:financial_crime

thread.url

Filter by the thread URL. Partial matches can also be filtered using a wildcard.
thread.url also corresponds to the Telegram channel/group URL.

thread.url:"https://bitcointalk.org/index.php?topic=5505335.20.40"

thread.uuid

Filter by the unique identifier of the thread

thread.uuid:"be5dd9459b485c57977694fdec7a72a65e943dc1"

thread.title

A textual Boolean query describing the keywords that should (or should not) appear in the thread title

thread.title:("zero day" OR "0day")

thread.published

A timestamp (in milliseconds) enabling you to filter threads that were published before or after certain date/time.
Here is a Timestamp/Date converter

Return posts from threads published after
Tuesday, August 20, 2024 12:00:08 AM: thread.published:>1724112008000

thread.section_title

A textual Boolean query describing the keywords that should (or should not) appear in the section title

thread.section_title:("zero day" OR "0day")

thread.site_section

Filter by the site section URL.
Partial matches can also be filtered using a wildcard.

Find all posts that contain lihkg.com as part of their site section:
thread.site_section:*lihkg\.com*

thread.replies_count

Filter by the number of replies per post

Search for all posts that include more than 2 replies.

thread.replies_count:>2

ord_in_thread

Filter by the numerical order of the post in the thread

Return all first posts published in threads

ord_in_thread:0

extended.external_link

Search for posts that include links to another site

Search for pages that linked to LinkedIn (note that both the slashes and colons are prefixed by a backslash):

extended.external_link:https\:\/\/www.linkedin.com*

extended.external_image

Search for posts that include image links

Retrieve all posts that include image links

extended.external_image:*

extended.external_video

Search for posts that include video links

Retrieve all posts that include video links

extended.external_video:*

extended.file_link

Search for posts that include file links

Retrieve all posts that include file links

extended.file_link:*

extended.file_type

Filter posts based on the file type crawled. Possible file types:

• html
• zip
• rar
• tar
• 7z
• pdf
• txt
• xls
• xlsx
• doc
• docx
• sql

Search only on sql documents:

extended.file_type:sql

extended.network

Filter posts by network.
Possible values are:

• tor
• i2P
• openbazaar
• telegram
• discord
• openweb
• icq

Default is all networks.

extended.network:telegram

extended.required_login

A Boolean field (true/false) stating if the content is password protected

Return content posted on forums and marketplaces that require authentication:

extended.required_login:true

enriched.category

Filter posts into one or more of the following 14 categories:

• hacking
• data_breach
• carding
• crypto
• phishing
• malware
• ransomware
• stealer_logs
• counterfeit
• gaming
• extremism
• drugs
• weapons
• sexual

For more details, please refer to this page.

Return posts that were categorized as related to data breach:

enriched.category:data_breach

enriched.email.value

Filter by full or partial email address entity

Search for all posts that include Gmail accounts.

enriched.email.value:*@gmail.com

enriched.email.count

Filter by the number of email address mentions per post

Search for all posts that include more than 40 emails.

enriched.email.count:>40

enriched.ssn.value

Filter by a full or partial social security number (SSN)

Search for all posts that include the following SSN.

enriched.ssn.value:"061-64-9920"

enriched.ssn.count

Filter by the number of social security number (SSN) mentions per post

Search for all posts that include more than 2 SSNs.

enriched.ssn.count:>2

enriched.credit_card.value

Filter by full or partial credit card (CC) number entity

Search for all posts that include credit card numbers that start with "4580".

enriched.credit_card.value:4580*

enriched.credit_card.count

Filter by the number of credit card mentions per post

Search for all posts that include more than 20 credit card numbers.

enriched.credit_card.count:>20

enriched.phone.value

Filter by a full or partial phone number entity

Search for all posts that include phone numbers that start with "+1212".

enriched.phone.value:\+1212*

enriched.phone.count

Filter by the number of phone number mentions per post

Search for all posts that include more than 10 phone numbers.

enriched.phone.count:>10

enriched.wallet_id.value

Filter by a full or partial cryptocurrency wallet ID entity

enriched.wallet_id:1GeUpXyfHRGxzdwKDJfdHghdupkDrirrXw

enriched.wallet_id.count

Filter by the number of cryptocurrency wallet mentions per post

Search for all posts that include more than 10 wallet IDs.

enriched.wallet_id.count:>10

enriched.ip.value

Filter by a specific IP, a range, or a list of IP entities.

Currently supports the IPv4 address type.

• Search for an IP that matches 127.0.0.1: enriched.ip.value:127.0.0.1
• Search for the IP range from 127.0.0.1 to 127.0.0.255: enriched.ip.value:[127.0.0.1 TO 127.0.0.255]
• Search for a list of IPs: enriched.ip.value:(192.168.0.1 OR 192.168.0.2)

enriched.ip.count

Filter by the number of IPs mentioned in the post

Search for all the posts that include more than 10 IPs.
enriched.ip.count:>10

enriched.domain.value

Filter by a specific or partial domain entity; it could be a TLD or a subdomain.

Search for all posts that include the domain value "microsoft.com":

enriched.domain.value:microsoft.com

enriched.domain.count

Filter by the number of domains mentioned in the post.

Search for all the posts that include more than 10 domains.
enriched.domain.count:>10

enriched.cve.value

Filter by a specific or partial CVE ID entity. The qualified CVE structure is: CVE-[4 digits]-[serial number 4-7 digits]

Search for all the posts that include CVE IDs from 2021.
enriched.cve.value:CVE-2021-*

enriched.cve.count

Filter by the number of CVE IDs mentioned in the post.

Search for all the posts that contain more than 5 CVE IDs.
enriched.cve.count:>5

enriched.person.value

Filter by a full or partial person name entity.
You should use this filter only for disambiguation, otherwise you should use a simple keyword search.

Search for all posts that include the person name "dan".

enriched.person.value:dan

enriched.person.count

Filter by the number of person name mentions per post

Search for all posts that include more than 3 persons.

enriched.person.count:>3

enriched.organization.value

Filter by a full or partial organization entity name.
You should use this filter only for disambiguation, otherwise you should use a simple keyword search.

Search for all posts that include the organization name "cnn".

enriched.organization.value:cnn

enriched.organization.count

Filter by the number of organization mentions per post

Search for all posts that include more than 10 organizations.

enriched.organization.count:>10

enriched.location.value

Filter by a full or partial location entity name

Search for all posts that include the location name "israel".

enriched.location.value:israel

enriched.location.count

Filter by the number of location mentions per post

Search for all posts that include more than 10 locations.

enriched.location.count:>10

enriched.cyber_risk.value

Filter posts based on their cyber risk score, ranging from 0 to 10 (where 10 indicates the highest risk level)

  1. Search for posts with a cyber risk score above 5
    enriched.cyber_risk.score:>5
  2. Search for posts with a cyber risk score of 10
    enriched.cyber_risk.score:10

crawled

A timestamp (in milliseconds) enabling you to filter items that were crawled before or after certain date/time.
Here is a Timestamp/Date converter

Return posts crawled after Tuesday, August 20, 2024 12:00:08 AM: crawled:>1724112008000
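
The escaping rule and the millisecond timestamp filters described above, combined in a small query builder. This is an added example, not code from the API's documentation or client: the function names are hypothetical, and escaping each character of && and || with its own backslash is an assumption.

```python
import re
from datetime import datetime, timezone

# Reserved characters exactly as listed on this page ("&&" and "||" are pairs,
# so a lone & or | is left alone).
_RESERVED = re.compile(r'&&|\|\||[+\-=><!(){}\[\]^"~*?:\\/]')


def escape_value(literal: str) -> str:
    """Prefix every reserved character in a literal value with a backslash."""
    return _RESERVED.sub(lambda m: "".join("\\" + c for c in m.group()), literal)


def starts_with(field: str, literal: str) -> str:
    """field:<escaped literal>* ; the trailing * is left as a wildcard operator."""
    return f"{field}:{escape_value(literal)}*"


def newer_than(field: str, when: datetime) -> str:
    """field:>epoch-milliseconds, for published / crawled / thread.published."""
    if when.tzinfo is None:
        # A naive datetime would be read in local time and shift the cutoff.
        raise ValueError("pass a timezone-aware datetime")
    return f"{field}:>{round(when.timestamp() * 1000)}"


def all_of(*clauses: str) -> str:
    """Join clauses with AND inside one parenthesised group."""
    return "(" + " AND ".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample inputs, reusing values from this page's examples.
    cutoff = datetime(2024, 8, 20, 0, 0, 8, tzinfo=timezone.utc)
    print(all_of(
        starts_with("extended.external_link", "https://www.linkedin.com"),
        newer_than("crawled", cutoff),
    ))
    print(starts_with("enriched.phone.value", "+1212"))
```

Escape only the literal part of a value; operators you intend to use (the trailing wildcard, the > in a range) are appended after escaping.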

Thread Filters

A thread contains global information about the content of the whole page and its content. A thread can contain multiple posts grouped together.

Parameter

Description

Example

thread.title

A textual Boolean query describing the keywords that should (or should not) appear in the thread title

Search for posts containing the word "glass" and not "metal" in their title:

(thread.title:glass -thread.title:metal)

thread.section_title

A textual Boolean query describing the keywords that should (or should not) appear in the site's section where the post was published

Search for the posts containing the word food only under sections with a title that contains the word "restaurants":

(food AND thread.section_title:restaurants)

thread.url

Get all the posts of a specific thread (note that you must escape the http:// part of the URL like so: http\:\/\/)

thread.published

A timestamp (in milliseconds) filtering threads that were published before or after a certain date/time.
Here is a Timestamp/Date converter

Return threads published after Thu, 30 Mar 2017 09:16:28 GMT: thread.published:>1490865388000

Note: Special characters are not supported in Cyber API search, except for specific characters such as &, $ and @, which can be used as part of the keyword search.

Example: "НЕЙТА $ ДЕПОЗИТ"