Terms can be prefixed with + (AND) or - (NOT), and parentheses () can be used to group terms together.
| Operator | Description | Example |
|---|---|---|
| + | A condition prefixed with + is required to match | +host:leakix.net |
| - | A condition prefixed with - must not match | +port:443 -host:leakix.net |
| : | Field delimiter, with the field name on the left and the value on the right | ip:8.8.8.8 |
| > | A field suffixed with :> must be greater than the value to match | +dataset.size:>1024 |
| < | A field suffixed with :< must be lower than the value to match | +time:<2020-06-01 |
| Field | Description | Example |
|---|---|---|
| time | Time at which the event was indexed | time:>2020-06-01 |
| age | Age in days of the indexed service/leak | age:>100 |
| ip | IP of the indexed service/leak | ip:8.8.8.8 or range ip:8.8.8.0/16 |
| port | Open ports on the indexed service/leak | port:443 |
| dataset.rows | Number of rows in the open database | dataset.rows:>100 |
| dataset.size | Number of bytes in the leak | dataset.size:>1024 |
| dataset.infected | True if the probe detected evidence of external activity (ransom, meow, etc.) | dataset.infected |
| plugin | Plugin used to index the event | plugin:NucleiPlugin |
| leak_count | Count of different plugins for this host | leak_count:>3 |
| l9fp | LeakIX hash for the event | +l9fp:"8d2c2bb4ae592f66115676dd56a199644da52fba9a03ef9ba400f7fbb7a9bcd8" |
| jarm | JARM hash for the event | +jarm:"28d28d28d00028d1ec42d42d000000f7be33a964d0daa97a97a8068db17dd3" |
| transport | Transport used to index the event (http, tls, tcp, ...) | +transport:tls |
| protocol | Final protocol for the indexed event | +protocol:http -protocol:elasticsearch |
| header.server | Filters on the Server HTTP header | +header.server:"Kaseya App Server" |
| header.content-length | Filters on the Content-Length HTTP header | +header.content-length:>10 |
| tags | Filters for meaningful tags in the events (wordpress, php, plc, printer, ...) | +tags:printer |
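The following is an added example, not code from LeakIX or its documentation: a small Python matcher that parses the query syntax described in the two tables above (+/- prefixes, the : delimiter, :> and :< range terms, quoted values, bare fields such as dataset.infected, and CIDR ranges on the ip field) and evaluates it against a handful of constructed sample events. It is useful for checking locally, before running a search, that a query expresses the filter you intend. Assumptions not stated on the page: parenthesised grouping is not handled, terms without a + or - prefix are treated as optional (at least one must match when there are no + terms), and records are flat dictionaries keyed by the dotted field names from the table.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional

# One term: [+|-]field[:[<|>]value]; grouping with () is not handled (simplification).
TERM_RE = re.compile(r"^([+-])?([A-Za-z0-9_.\-]+)(?::([<>])?(.*))?$")


@dataclass
class Term:
    required: bool        # prefixed with '+'
    negated: bool         # prefixed with '-'
    field: str
    cmp: Optional[str]    # '>' or '<' for range terms, None for equality
    value: Optional[str]  # None for a bare field such as dataset.infected


def parse_query(query: str) -> List[Term]:
    """Split a query into terms; shlex keeps quoted values like "Kaseya App Server" whole."""
    terms = []
    for tok in shlex.split(query):
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"cannot parse term: {tok!r}")
        prefix, field, cmp_, value = m.groups()
        terms.append(Term(prefix == "+", prefix == "-", field, cmp_, value))
    return terms


def _coerce(raw: Any) -> Any:
    """Turn strings into ints or ISO dates where possible so > and < compare sensibly."""
    if not isinstance(raw, str):
        return raw
    try:
        return int(raw)
    except ValueError:
        pass
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return raw


def term_matches(term: Term, record: Dict[str, Any]) -> bool:
    """Evaluate one term against a flat record keyed by the field names in the table."""
    actual = record.get(term.field)
    candidates = actual if isinstance(actual, list) else [actual]
    if term.value is None:                       # bare field: matches if set/truthy
        return any(bool(v) for v in candidates)
    if term.field == "ip" and term.cmp is None:  # exact IP or CIDR range (ip:8.8.8.0/16)
        net = ipaddress.ip_network(term.value, strict=False)
        return any(v is not None and ipaddress.ip_address(v) in net for v in candidates)
    want = _coerce(term.value)
    for have in (_coerce(v) for v in candidates if v is not None):
        try:
            if term.cmp == ">" and have > want:
                return True
            if term.cmp == "<" and have < want:
                return True
            if term.cmp is None and have == want:
                return True
        except TypeError:                        # e.g. a date compared with a string
            continue
    return False


def query_matches(terms: List[Term], record: Dict[str, Any]) -> bool:
    """All '+' terms must match and no '-' term may match; unprefixed terms are
    treated as optional (assumption: one must match only when there are no '+' terms)."""
    if any(term_matches(t, record) for t in terms if t.negated):
        return False
    required = [t for t in terms if t.required]
    if not all(term_matches(t, record) for t in required):
        return False
    optional = [t for t in terms if not t.required and not t.negated]
    if optional and not required:
        return any(term_matches(t, record) for t in optional)
    return True


# Constructed sample events (documentation-range addresses, not real LeakIX records).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ip": "203.0.113.10", "host": "example.test", "port": [443], "transport": "tls",
     "protocol": "http", "time": "2020-07-15", "dataset.size": 4096,
     "dataset.infected": False, "header.server": "nginx", "tags": ["wordpress", "php"]},
    {"ip": "198.51.100.7", "host": "db.example.test", "port": [9200], "transport": "tcp",
     "protocol": "elasticsearch", "time": "2020-05-20", "dataset.size": 512,
     "dataset.infected": True, "header.server": None, "tags": []},
    {"ip": "192.0.2.44", "host": "leakix.net", "port": [80, 443], "transport": "http",
     "protocol": "http", "time": "2020-06-30", "dataset.size": 2048,
     "dataset.infected": False, "header.server": "Kaseya App Server", "tags": ["plc"]},
]


def search(query: str, events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[str]:
    """Return the IPs of the sample events matching the query, in input order."""
    terms = parse_query(query)
    return [e["ip"] for e in events if query_matches(terms, e)]


if __name__ == "__main__":
    for q in ("+port:443 -host:leakix.net", "+dataset.size:>1024", "+time:<2020-06-01",
              "ip:198.51.100.0/24", "dataset.infected"):
        print(f"{q:30} -> {search(q)}")
```

Values are coerced to integers or ISO dates before a :> or :< comparison, which is what makes dataset.size:>1024 and time:<2020-06-01 behave as the table describes; a value that cannot be coerced is compared as a string, and a type mismatch simply fails to match rather than raising.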