Although we have the most common modifiers documented with description and examples at:
File search modifiers article.
IP Address search modifiers article.
Domain search modifiers article.
In this article you will find the full list of modifiers for each entity:
List of File modifiers
List of IP modifiers
List of Domain modifiers
List of URL modifiers
List of Collection modifiers
List of Reference modifiers
List of IOC Stream modifiers
| | | |
---|
acronis | ad_aware | ahnlab_v3 | alibaba |
alibabacloud | alyac | androguard | androguard_package |
antiy_avl | apex | arcabit | attack_tactic |
attack_technique | authentihash | avast | avast_mobile |
avg | avira | avware | babable |
baidu | behash | behaviour | behaviour_command_executions |
behaviour_created_processes | behaviour_files | behaviour_injected_processes | behaviour_network |
behaviour_processes | behaviour_registry | behaviour_services | behaviour_signature |
behaviour_tags | bitdam_atp | bitdefender | bitdefenderfalx |
bitdefendertheta | bkav | bytedefend_ai_analysis | bytedefend_ai_verdict |
c2ae | capa | capability_tag | cape |
cape_linux | cape_sandbox | cat_quickheal | clamav |
clue | cmc | codeinsight | collection |
comment | comment_author | contacted_ip | content |
cp | creation_date | crowdsourced_ai_analysis | crowdsourced_ids |
crowdsourced_yara_rule | crowdstrike | ctx | cyber_adapt |
cybereason | cylance | cynet | das_security_orcas |
deepinstinct | detectiteasy | dns_lookup_count | docguard |
dr_web_vxcube | drweb | elastic | elf_digest |
email_subject | embedded_domain | embedded_ip | embedded_url |
emsisoft | endgame | engines | ep |
eset_nod32 | exports | f_prot | f_secure |
f_secure_sandbox | filecondis_dhash | fireeye | first_submitter |
fortinet | fs | gdata | google |
google_safebrowsing | goresym | gridinsoft | gti_score |
gti_severity | gti_verdict | have | hispasec_ai_analysis |
hispasec_ai_verdict | http_conversation_count | huorong | ikarus |
imphash | imports | invincea | ip_traffic_count |
itw | jiangmin | k7antivirus | k7gw |
kaspersky | kingsoft | la | lang |
lastline | lionic | ls | magic |
magika | main_icon_dhash | main_icon_md5 | malware_config |
malwarebytes | malwation | maxsecure | mbc |
mcafee | mcafeed | metadata | microsoft |
microsoft_sysinternals | microworld_escan | min_engines_banker | min_engines_emotet |
name | nano_antivirus | netguid | nics_ai_analysis |
nics_ai_verdict | nprotect | nsfocus_poma | os_x_sandbox |
p | packer | paloalto | panda |
permhash | qianxin_reddrip | qihoo_360 | reaqta_hive |
reputation | resource | rich_pe_header_hash | rising |
rising_moves | s | sandbox_name | sangfor |
sangfor_zsand | scan_timeout | scan_unsupported | secneurx |
secondwrite | section | sectionmd5 | segment |
sentinelone | sha256 | sigcheck | sigma_critical |
sigma_high | sigma_low | sigma_medium | sigma_rule |
sigma_ruleset | similar-to | size | skyhigh |
sndbox | sophos | ssdeep | submitter |
subspan | suggested_threat_label | superantispyware | symantec |
symantecmobileinsight | symhash | tachyon | tag |
tehtris | telfhash | tencent | tencent_habo |
thehacker | threat_actor | tlsh | totaldefense |
traffic | trapmine | trendmicro | trendmicro_housecall |
trid | trustlook | type | us |
varist | vba32 | venuseye_sandbox | vhash |
vipre | virit | virobot | virustotal_androbox |
virustotal_box_of_apples | virustotal_cuckoofork | virustotal_droidy | virustotal_jsbox |
virustotal_jujubox | virustotal_observer | virustotal_r2dbox | vmray |
webroot | whitearmor | xcitium | yandex |
yomi_hunter | zenbox | zenbox | zenbox_android |
zenbox_linux | zenbox_macos | zillya | zonealarm |
zoner | | zscaler | |
| | | |
---|
0xsi_f33d | abusix | acronis | adminuslabs |
ailabs_monitorapp | alienvault | alphamountain_ai | alphasoc |
antiy_avl | arcsight_threat_intelligence | asn | aso |
autoshun | axur | benkow_cc | bfore_ai_precrime |
bitdefender | bkav | blueliv | certego |
chong_lua_dao | cins_army | cluster25 | cmc_threat_intelligence |
collection | comment | comment_author | communicating_files_max_detections |
continent | country | crdf | criminal_ip |
csis_security_group | cyan | cyble | cyradar |
desenmascara_me | detected_communicating_files_count | detected_downloaded_files_count | detected_referring_files_count |
detected_urls_count | dns8 | domain_resolutions_count | downloaded_files_max_detections |
dr_web | emergingthreats | emsisoft | engines |
ermes | eset | estsecurity | forcepoint_threatseeker |
fortinet | g_data | gcp_abuse_intelligence | google_safebrowsing |
greensnow | gridinsoft | gti_score | gti_severity |
gti_verdict | have | heimdal_security | hunt_io_intelligence |
ip | ipsum | jarm | juniper_networks |
kaspersky | last_modification_date | lionic | lumu |
malwared | malwarepatrol | malwares_com_url_checker | malwareurl |
mimecast | netcraft | openphish | p |
path | phishfort | phishing_database | phishlabs |
phishtank | prebytes | precisionsec | quick_heal |
quttera | referring_files_max_detections | regional_internet_registry | reputation |
safetoopen | sansec_ecomscan | scantitan | scumware_org |
seclookup | securebrain | securolytics | snort_ip_sample_list |
socradar | sophos | spam404 | ssl_issuer |
ssl_not_after | ssl_not_before | ssl_serial | ssl_subject |
ssl_thumbprint | stopforumspam | sucuri_sitecheck | tag |
threat_actor | threathive | threatsourcing | trustwave |
underworld | urlhaus | urlquery | urls_max_detections |
viettel_threat_intelligence | vipre | viriback | vx_vault |
webroot | whois | whois_date | xcitium_verdict_cloud |
yandex_safebrowsing | zerocert | zerofox | zvelo |
| | | |
---|
0xsi_f33d | a_record | a_ttl | aaaa_record |
aaaa_ttl | abusix | acronis | adminuslabs |
ailabs_monitorapp | alexa_rank | alienvault | alphamountain_ai |
alphasoc | antiy_avl | arcsight_threat_intelligence | asn |
aso | autoshun | axur | benkow_cc |
bfore_ai_precrime | bitdefender | bkav | blueliv |
caa_record | caa_ttl | category | certego |
chong_lua_dao | cins_army | cisco_umbrella_rank | cluster25 |
cmc_threat_intelligence | cname_record | cname_ttl | collection |
comment | comment_author | communicating_files_max_detections | crdf |
creation_date | criminal_ip | csis_security_group | cyan |
cyble | cyradar | depth | desenmascara_me |
detected_communicating_files_count | detected_downloaded_files_count | detected_referring_files_count | detected_urls_count |
dname_record | dname_ttl | dns8 | domain |
domain_regex | downloaded_files_max_detections | dr_web | emergingthreats |
emsisoft | engines | ermes | eset |
estsecurity | forcepoint_threatseeker | fortinet | fuzzy_domain |
g_data | gcp_abuse_intelligence | google_safebrowsing | greensnow |
gridinsoft | gti_score | gti_severity | gti_verdict |
have | heimdal_security | hunt_io_intelligence | ipsum |
jarm | juniper_networks | kaspersky | last_modification_date |
last_update_date | lionic | lumu | main_icon_dhash |
main_icon_md5 | majestic_rank | malwared | malwarepatrol |
malwares_com_url_checker | malwareurl | mimecast | mx_record |
mx_ttl | netcraft | ns_record | ns_ttl |
openphish | p | parent_domain | path |
phishfort | phishing_database | phishlabs | phishtank |
popularity_rank | prebytes | precisionsec | quick_heal |
quttera | referring_files_max_detections | registrar | reputation |
safetoopen | sansec_ecomscan | scantitan | scumware_org |
seclookup | securebrain | securolytics | snort_ip_sample_list |
soa_record | soa_ttl | socradar | sophos |
spam404 | ssl_issuer | ssl_not_after | ssl_not_before |
ssl_serial | ssl_subject | ssl_thumbprint | statvoo_rank |
stopforumspam | sucuri_sitecheck | tag | threat_actor |
threathive | threatsourcing | tld | trustwave |
ttl | txt_record | txt_ttl | underworld |
urlhaus | urlquery | urls_max_detections | viettel_threat_intelligence |
vipre | viriback | vx_vault | webroot |
whois | whois_date | xcitium_verdict_cloud | yandex_safebrowsing |
zerocert | | zerofox | |
| | | |
---|
0xsi_f33d | abusix | acronis | adminuslabs |
ailabs_monitorapp | alienvault | alphamountain_ai | alphasoc |
antiy_avl | arcsight_threat_intelligence | asn | aso |
autoshun | axur | benkow_cc | bfore_ai_precrime |
bitdefender | bkav | blueliv | category |
certego | chong_lua_dao | cins_army | cluster25 |
cmc_threat_intelligence | collection | comment | comment_author |
contacted_domain | contacted_ip | content | cookie |
cookie_value | crdf | criminal_ip | csis_security_group |
cyan | cyble | cyradar | desenmascara_me |
dns8 | dr_web | emergingthreats | emsisoft |
engines | ermes | eset | estsecurity |
exact_path | extension | first_submitter | forcepoint_threatseeker |
fortinet | fs | fuzzy_hostname | g_data |
gcp_abuse_intelligence | google_safebrowsing | greensnow | gridinsoft |
gti_score | gti_severity | gti_verdict | have |
header | header_value | heimdal_security | hostname |
hunt_io_intelligence | ip | ipsum | juniper_networks |
kaspersky | la | lionic | ls |
lumu | main_icon_dhash | main_icon_md5 | malwared |
malwarepatrol | malwares_com_url_checker | malwareurl | max_url_positives |
meta | mimecast | netcraft | openphish |
outgoing_link | p | parent_domain | password |
path | phishfort | phishing_database | phishlabs |
phishtank | port | prebytes | precisionsec |
query_field | query_value | quick_heal | quttera |
redirects_to | reputation | response_code | response_positives |
response_sha256 | response_size | s | safetoopen |
sansec_ecomscan | scantitan | scheme | scumware_org |
seclookup | securebrain | securolytics | sha256 |
snort_ip_sample_list | socradar | sophos | spam404 |
stopforumspam | submitter | sucuri_sitecheck | tag |
targeted_brand | threat_actor | threathive | threatsourcing |
title | tld | tracker | trustwave |
underworld | url | urlhaus | urlquery |
username | viettel_threat_intelligence | vipre | viriback |
vx_vault | webroot | xcitium_verdict_cloud | yandex_safebrowsing |
zerocert | | zerofox | |
| | | |
---|
collection_type | | report_type | |
| | | |
---|
date | entity_type | origin | source_type |