Query string syntax


  • All terms are separated by a blank space
  • The default operators between terms is OR unless prefixed by + (AND) or - (NOT)
  • Parenthesis (()) can be used to group terms together

Operator Description Example
+ A condition prefixed with + is required to match +host:leakix.net
- A condition prefixed with - must not match +port:443 -host:leakix.net
: : is a field delimiter, the name being on the left and the value on the right ip:
> A field suffixed with :> must be greater to match +dataset.size:>1024
< A field suffixed with :< must be lower to match +time:<2020-06-01


Field Description Example
time Time at which the event was indexed time:>2020-06-01
age Age in days of the indexed service/leak age:>100
ip IP of the indexed service/leak ip: or range ip:
port Open ports on the indexed service/leak port:443
dataset.rows Number of rows in the open database dataset.rows:>100
dataset.size Number of bytes in the leak dataset.size:>1024
dataset.infected True if the probe detected evidence of external activity ( ransom, meow, etc... ) dataset.infected
plugin Plugin used to index the event plugin:NucleiPlugin
leak_count Count of different plugin for this host leak_count:>3
l9fp LeakIX hash for the event +l9fp:"8d2c2bb4ae592f66115676dd56a199644da52fba9a03ef9ba400f7fbb7a9bcd8"
jarm JARM hash for the event +jarm:"28d28d28d00028d1ec42d42d000000f7be33a964d0daa97a97a8068db17dd3"
transport Transport used to index the event ( http, tls, tcp, ... ) +transport:tls
transport Final protocol for the indexed event +protocol:http -protocol:elasticsearch
header.server Filters on the Server http header +header.server:"Kaseya App Server"
header.content-length Filters on the content-length http header +header.content-length:>10
tags Filters for meaningful tags in the events (wordpress, php, plc, printer, ...) +tags:printer