Search syntax
Elasticsearch full-text queries need no prefix; e.g., *windows.* matches 'time.windows.com'.
For hash values (MD5, SHA1, SHA256, etc.), no prefix is needed; such a search matches any file produced by the analysis, including dropped and extracted files.
To search for the initially submitted file only, use the target_sha256: prefix.
By default, searches are exact matches. Include regex metacharacters (e.g., ^ $ | ? * + ( ) [ ] { }) to force a regex search.
| Prefix | Description |
|---|---|
| General & Metadata | |
| id: | Task ID (e.g., id:1) |
| ids: | List of Task IDs (e.g., ids:1,2,3) |
| options: | Task options (e.g., options:function=DllMain) |
| tags_tasks: | Task tags (e.g., tags_tasks:mytag) |
| package: | Analysis package (e.g., package:ps1) |
| machinename: | Target Machine Name |
| machinelabel: | Target Machine Label |
| custom: | Custom data field |
| comment: | Analysis Comments |
| configs: | Extracted config value |
| File Properties & Static Analysis | |
| target_sha256: | Target file SHA256 |
| name: | File name pattern |
| type: | File type/format |
| ssdeep: | Fuzzy hash (SSDeep) |
| crc32: | CRC32 hash |
| imphash: | PE Imphash |
| iconhash: | Exact icon hash |
| iconfuzzy: | Fuzzy icon hash |
| dhash: | Icon dhash |
| die: | Detect It Easy (DIE) signature (e.g., die:obsidium) |
| extracted_tool: | Extracted tool (e.g., InnoExtract) |
| virustotal: | VirusTotal Detected Name |
| clamav: | Local ClamAV detections |
| yaraname: | Yara Rule Name (binary folder) |
| capeyara: | Yara Rule Name (cape folder) |
| procdumpyara: | Yara Rule Name (process dumps) |
| procmemyara: | Yara Rule Name (memory dumps) |
| Network Analysis | |
| ip: | Contacted IP address |
| domain: | Contacted domain |
| url: | Contacted URL or URL Analysis Target |
| port: | Source or Destination port |
| sport: | Source port |
| dport: | Destination port |
| ja3_string: | JA3 string |
| ja3_hash: | JA3 hash |
| asn: | AS ID (e.g., asn:AS15169) |
| asn_name: | ASN name (e.g., asn_name:Google LLC) |
| surimsg: | Suricata Alert Message |
| surialert: | Suricata Alert Category |
| surisid: | Suricata Alert SID |
| suriurl: | Suricata HTTP URL |
| suriua: | Suricata HTTP User-Agent |
| surireferrer: | Suricata HTTP Referrer |
| surihost: | Suricata HTTP Host |
| suritlssubject: | Suricata TLS Subject |
| suritlsissuerdn: | Suricata TLS Issuer DN |
| suritlsfingerprint: | Suricata TLS Fingerprint |
| suritls: | Suricata TLS Generic |
| surihttp: | Suricata HTTP Generic |
| Behavior & Execution | |
| file: | Open files matching pattern |
| command: | Executed commands matching pattern |
| resolvedapi: | APIs resolved at runtime |
| key: | Open registry keys matching pattern |
| mutex: | Open mutexes matching pattern |
| signame: | CAPE Signature names |
| signature: | CAPE Signature descriptions |
| detections: | Malware family detections |
| malscore: | Malscore > value |
| ttp: | TTP ID (e.g., T1053) |