What is indexed?
Most content from HTML documents and JavaScript (scripts, eval and writes) is indexed and searchable. This means tracking codes, obscure comments and uncommon domains can all be searched. (Filemagic is also searchable.)
Queries can be combined with boolean operators: AND, OR, NOT
All hashes are searchable without any prefix
url.addr - The submitted URL (supports wildcards)
url.fqdn - The FQDN of the submitted URL
url.domain - The domain of the submitted URL
url.tld - The TLD of the submitted URL
ip.addr - IP of the submitted URL
ip.asn - ASN number (e.g. 24940)
ip.as - AS string (e.g. Hetzner Online GmbH)
ip.country - GeoIP country
ip.country_code - GeoIP country code, e.g. US, DE, NO (ISO 3166-1 alpha-2)
http.url.addr - All URLs in the report (supports wildcards)
http.url.fqdn - All FQDNs in the report
http.url.domain - All domains in the report
http.url.tld - All TLDs in the report
tags - Tags applied to the report
Examples
tags:phishing AND url.tld:no - Search for reports submitted with the .no TLD that have been tagged as phishing
"<title>AOL</title>" - Content search, find any report which has JavaScript or HTML containing the query
http.url.fqdn:kws2.web.telegram.org - Any report which has requested data from server "kws2.web.telegram.org"
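A misspelled field name can make a saved hunting query quietly return nothing, so it helps to check queries against the field list above before relying on them. The following is an added example, not code from this service: `lint_query` is a hypothetical helper, and it assumes that `*` is the wildcard character and that double quotes delimit phrases.

```python
import re

# Field names exactly as listed above; only the two *.addr URL fields are
# documented as supporting wildcards.
FIELDS = {
    "url.addr", "url.fqdn", "url.domain", "url.tld",
    "ip.addr", "ip.asn", "ip.as", "ip.country", "ip.country_code",
    "http.url.addr", "http.url.fqdn", "http.url.domain", "http.url.tld",
    "tags",
}
WILDCARD_FIELDS = {"url.addr", "http.url.addr"}
OPERATORS = {"AND", "OR", "NOT"}
# A token is a run of non-space text that may contain "quoted phrases".
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def lint_query(query):
    """Return a list of problems in a search query; an empty list means OK."""
    problems = []
    if query.count('"') % 2:
        problems.append("unbalanced double quote")
    tokens = TOKEN.findall(query)
    prev = None
    for tok in tokens:
        if tok in ("AND", "OR") and (prev is None or prev in OPERATORS):
            problems.append(f"{tok} has no left-hand term")
        elif tok not in OPERATORS and not tok.startswith('"') and ":" in tok:
            # field:value term; the value may itself contain ':' (a URL)
            field, _, value = tok.partition(":")
            if field not in FIELDS:
                problems.append(f"unknown field {field!r}")
            elif not value:
                problems.append(f"field {field!r} has no value")
            elif "*" in value and field not in WILDCARD_FIELDS:
                problems.append(f"wildcard not documented for {field!r}")
        prev = tok
    if tokens and tokens[-1] in OPERATORS:
        problems.append(f"query ends with operator {tokens[-1]}")
    return problems


if __name__ == "__main__":
    # Constructed sample queries: the first comes from the Examples list,
    # the other two contain deliberate mistakes.
    for q in ["tags:phishing AND url.tld:no",
              "url.fqdm:example.test",
              "ip.addr:192.0.2.* OR tags:phishing"]:
        print(q, "->", lint_query(q) or "ok")
```

Bare terms such as hashes and quoted content searches pass through unchecked, since the page places no field prefix on them.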