The most common modifiers are documented, with descriptions and examples, in:

- File search modifiers article
- IP Address search modifiers article
- Domain search modifiers article

This article gives the full list of modifiers for each entity:

- List of File modifiers
- List of IP modifiers
- List of Domain modifiers
- List of URL modifiers
- List of Collection modifiers
- List of IOC Stream modifiers

List of File modifiers

| | | | |
|---|---|---|---|
| acronis | ad_aware | ahnlab_v3 | alibaba |
| alibabacloud | alyac | androguard | androguard_package |
| antiy_avl | apex | arcabit | attack_tactic |
| attack_technique | authentihash | avast | avast_mobile |
| avg | avira | avware | babable |
| baidu | behash | behaviour | behaviour_command_executions |
| behaviour_created_processes | behaviour_files | behaviour_injected_processes | behaviour_network |
| behaviour_processes | behaviour_registry | behaviour_services | behaviour_signature |
| behaviour_tags | bitdam_atp | bitdefender | bitdefenderfalx |
| bitdefendertheta | bkav | bytedefend_ai_analysis | bytedefend_ai_verdict |
| c2ae | capa | capability_tag | cape |
| cape_linux | cape_sandbox | cat_quickheal | clamav |
| clue | cmc | codeinsight | codeinsight_verdict |
| collection | comment | comment_author | contacted_ip |
| content | cp | creation_date | crowdsourced_ai_analysis |
| crowdsourced_ids | crowdsourced_yara_rule | crowdstrike | ctx |
| cyber_adapt | cybereason | cylance | cynet |
| das_security_orcas | deepinstinct | detectiteasy | dns_lookup_count |
| docguard | dr_web_vxcube | drweb | elastic |
| elf_digest | email_subject | embedded_domain | embedded_ip |
| embedded_url | emsisoft | endgame | engines |
| ep | eset_nod32 | exodialabs_ai_analysis | exodialabs_ai_verdict |
| exports | f_prot | f_secure | f_secure_sandbox |
| filecondis_dhash | fireeye | first_submitter | fortinet |
| fs | gdata | google | google_safe_browsing |
| google_safebrowsing | goresym | gridinsoft | gti_score |
| gti_severity | gti_verdict | have | hispasec_ai_analysis |
| hispasec_ai_verdict | http_conversation_count | huorong | ikarus |
| imphash | imports | invincea | ip_traffic_count |
| itw | jiangmin | k7antivirus | k7gw |
| kaspersky | kingsoft | la | lang |
| last_modification_date | lastline | lionic | ls |
| magic | magika | main_icon_dhash | main_icon_md5 |
| malware_config | malwarebytes | malwation | maxsecure |
| mbc | mcafee | mcafeed | metadata |
| microsoft | microsoft_sysinternals | microworld_escan | min_engines_banker |
| min_engines_emotet | name | nano_antivirus | netguid |
| nics_ai_analysis | nics_ai_verdict | nprotect | nsfocus_poma |
| omniasec_ai_analysis | omniasec_ai_verdict | os_x_sandbox | p |
| packer | paloalto | panda | permhash |
| pickle_vhash | qianxin_reddrip | qihoo_360 | reaqta_hive |
| reputation | resource | rich_pe_header_hash | rising |
| rising_moves | s | sandbox_name | sangfor |
| sangfor_zsand | scan_timeout | scan_unsupported | secneurx |
| secondwrite | section | sectionmd5 | segment |
| sentinelone | sha256 | sigcheck | sigma_critical |
| sigma_high | sigma_low | sigma_medium | sigma_rule |
| sigma_ruleset | similar-to | size | skyhigh |
| sndbox | sophos | ssdeep | submitter |
| subspan | suggested_threat_label | superantispyware | symantec |
| symantecmobileinsight | symhash | tachyon | tag |
| tehtris | telfhash | tencent | tencent_habo |
| thehacker | threat_actor | tlsh | totaldefense |
| traffic | trapmine | trellixens | trendmicro |
| trendmicro_housecall | trid | trustlook | type |
| us | varist | vba32 | venuseye_sandbox |
| vhash | vipre | virit | virobot |
| virustotal_androbox | virustotal_box_of_apples | virustotal_cuckoofork | virustotal_droidy |
| virustotal_jsbox | virustotal_jujubox | virustotal_observer | virustotal_r2dbox |
| vmray | webroot | whitearmor | xcitium |
| yandex | yomi_hunter | zenbox | zenbox |
| zenbox_android | zenbox_linux | zenbox_macos | zillya |
| zonealarm | zoner | | |

List of IP modifiers

| | | | |
|---|---|---|---|
| 0xsi_f33d | abusix | acronis | adminuslabs |
| ailabs__monitorapp_ | alienvault | alphamountain_ai | alphasoc |
| antiy_avl | arcsight_threat_intelligence | asn | aso |
| autoshun | axur | benkow_cc | bfore_ai_precrime |
| bitdefender | bkav | blueliv | certego |
| chainpatrol | chong_lua_dao | cins_army | cluster25 |
| cmc_threat_intelligence | collection | comment | comment_author |
| communicating_files_max_detections | continent | country | crdf |
| criminal_ip | csis_security_group | cyan | cyble |
| cyradar | desenmascara_me | detected_communicating_files_count | detected_downloaded_files_count |
| detected_referring_files_count | detected_urls_count | dns8 | domain_resolutions_count |
| downloaded_files_max_detections | dr_web | emergingthreats | emsisoft |
| engines | ermes | eset | estsecurity |
| forcepoint_threatseeker | fortinet | g_data | gcp_abuse_intelligence |
| google_safebrowsing | greensnow | greynoise | gridinsoft |
| gti_score | gti_severity | gti_verdict | guardpot |
| have | heimdal_security | hunt_io_intelligence | ip |
| ipsum | jarm | juniper_networks | kaspersky |
| last_modification_date | levelblue | lionic | lumu |
| malwared | malwarepatrol | malwares_com_url_checker | malwareurl |
| mimecast | netcraft | openphish | p |
| path | phishfort | phishing_database | phishlabs |
| phishtank | prebytes | precisionsec | quick_heal |
| quttera | referring_files_max_detections | regional_internet_registry | reputation |
| safetoopen | sansec_ecomscan | scantitan | scumware_org |
| seclookup | securebrain | securolytics | snort_ip_sample_list |
| socradar | sophos | spam404 | ssl_issuer |
| ssl_not_after | ssl_not_before | ssl_serial | ssl_subject |
| ssl_thumbprint | stopforumspam | sucuri_sitecheck | tag |
| threat_actor | threathive | urlhaus | urlquery |
| urls_max_detections | viettel_threat_intelligence | vipre | viriback |
| vx_vault | webroot | whois | whois_date |
| xcitium_verdict_cloud | yandex_safebrowsing | zerocert | zerofox |

List of Domain modifiers

| | | | |
|---|---|---|---|
| 0xsi_f33d | a_record | a_ttl | aaaa_record |
| aaaa_ttl | abusix | acronis | adminuslabs |
| ailabs__monitorapp_ | alexa_rank | alienvault | alphamountain_ai |
| alphasoc | antiy_avl | arcsight_threat_intelligence | asn |
| aso | autoshun | axur | benkow_cc |
| bfore_ai_precrime | bitdefender | bkav | blueliv |
| caa_record | caa_ttl | category | certego |
| chainpatrol | chong_lua_dao | cins_army | cisco_umbrella_rank |
| cluster25 | cmc_threat_intelligence | cname_record | cname_ttl |
| collection | comment | comment_author | communicating_files_max_detections |
| crdf | creation_date | criminal_ip | csis_security_group |
| cyan | cyble | cyradar | depth |
| desenmascara_me | detected_communicating_files_count | detected_downloaded_files_count | detected_referring_files_count |
| detected_urls_count | dname_record | dname_ttl | dns8 |
| domain | domain_regex | downloaded_files_max_detections | dr_web |
| emergingthreats | emsisoft | engines | ermes |
| eset | estsecurity | forcepoint_threatseeker | fortinet |
| fuzzy_domain | g_data | gcp_abuse_intelligence | google_safebrowsing |
| greensnow | greynoise | gridinsoft | gti_score |
| gti_severity | gti_verdict | guardpot | have |
| heimdal_security | hunt_io_intelligence | ipsum | jarm |
| juniper_networks | kaspersky | last_modification_date | last_update_date |
| levelblue | lionic | lumu | main_icon_dhash |
| main_icon_md5 | majestic_rank | malwared | malwarepatrol |
| malwares_com_url_checker | malwareurl | mimecast | mx_record |
| mx_ttl | netcraft | ns_record | ns_ttl |
| openphish | p | parent_domain | path |
| phishfort | phishing_database | phishlabs | phishtank |
| popularity_rank | prebytes | precisionsec | quick_heal |
| quttera | referring_files_max_detections | registrar | reputation |
| safetoopen | sansec_ecomscan | scantitan | scumware_org |
| seclookup | securebrain | securolytics | snort_ip_sample_list |
| soa_record | soa_ttl | socradar | sophos |
| spam404 | ssl_issuer | ssl_not_after | ssl_not_before |
| ssl_serial | ssl_subject | ssl_thumbprint | statvoo_rank |
| stopforumspam | sucuri_sitecheck | tag | threat_actor |
| threathive | tld | ttl | txt_record |
| txt_ttl | urlhaus | urlquery | urls_max_detections |
| viettel_threat_intelligence | vipre | viriback | vx_vault |
| webroot | whois | whois_date | xcitium_verdict_cloud |
| yandex_safebrowsing | zerocert | | |

List of URL modifiers

| | | | |
|---|---|---|---|
| 0xsi_f33d | abusix | acronis | adminuslabs |
| ailabs__monitorapp_ | alienvault | alphamountain_ai | alphasoc |
| antiy_avl | arcsight_threat_intelligence | asn | aso |
| autoshun | axur | benkow_cc | bfore_ai_precrime |
| bitdefender | bkav | blueliv | category |
| certego | chainpatrol | chong_lua_dao | cins_army |
| cluster25 | cmc_threat_intelligence | collection | comment |
| comment_author | contacted_domain | contacted_ip | content |
| cookie | cookie_value | crdf | criminal_ip |
| csis_security_group | cyan | cyble | cyradar |
| desenmascara_me | detected_brand | dns8 | dr_web |
| emergingthreats | emsisoft | engines | ermes |
| eset | estsecurity | exact_path | extension |
| first_submitter | forcepoint_threatseeker | fortinet | fs |
| fuzzy_hostname | g_data | gcp_abuse_intelligence | google_safebrowsing |
| greensnow | greynoise | gridinsoft | gti_score |
| gti_severity | gti_verdict | guardpot | have |
| header | header_value | heimdal_security | hostname |
| hunt_io_intelligence | ip | ipsum | juniper_networks |
| kaspersky | la | last_modification_date | levelblue |
| lionic | ls | lumu | main_icon_dhash |
| main_icon_md5 | malwared | malwarepatrol | malwares_com_url_checker |
| malwareurl | max_url_positives | meta | mimecast |
| netcraft | openphish | outgoing_link | p |
| parent_domain | password | path | phishfort |
| phishing_database | phishlabs | phishtank | port |
| prebytes | precisionsec | query_field | query_value |
| quick_heal | quttera | redirects_to | reputation |
| response_code | response_positives | response_sha256 | response_size |
| s | safetoopen | sansec_ecomscan | scantitan |
| scheme | scumware_org | seclookup | securebrain |
| securolytics | sha256 | snort_ip_sample_list | socradar |
| sophos | spam404 | stopforumspam | submitter |
| sucuri_sitecheck | tag | targeted_brand | threat_actor |
| threathive | title | tld | tracker |
| url | urlhaus | urlquery | username |
| viettel_threat_intelligence | vipre | viriback | vx_vault |
| webroot | xcitium_verdict_cloud | yandex_safebrowsing | zerocert |
| zerofox | | | |

List of Collection modifiers

| | | | |
|---|---|---|---|
| available_mitigation | capability | collection_type | comment |
| comment_author | creation_date | cvss_2x_base_score | cvss_2x_temporal_score |
| cvss_3x_base_score | cvss_3x_temporal_score | cvss_4x_score | description |
| detection | domains | exploitation_consequence | exploitation_state |
| exploitation_vector | files | first_seen | fs |
| have | ips | last_modification_date | last_seen |
| ls | malware_role | merged_actor | motivation |
| name | operating_system | origin | owner |
| priority | publisher | publisher_priority | publisher_relevance |
| publisher_reliability | references | report_type | risk_rating |
| shared_with_me | sigma_rules | software_toolkit | source_region |
| suspected_threat_actor | tag | targeted_industry | targeted_industry_group |
| targeted_region | threat_actor | threat_actors | threat_category |
| threat_scape | urls | vulnerability_filter | vulnerable_cpe |
| vulnerable_product | vulnerable_vendor | | |

List of IOC Stream modifiers

| | | | |
|---|---|---|---|
| date | entity_type | origin | source_type |