IP address search modifiers
Google Threat Intelligence allows you to perform advanced faceted searches over the historical collection of IP addresses seen by Google Threat Intelligence. These searches can act on basically all the metadata generated for IPs: autonomous system, country, whois, SSL certificate, community comments, detections, relationships, etc. For example, you can pivot on SSL certificate fields to try to identify other network infrastructure set up by a given adversary.
Google Threat Intelligence searches by default over the historical collection of files, in order to search over IPs you need to add the facet condition entity:ip. For example, let's ask for all those IP addresses that have been detected by more than 5 blocklists:
You can click on the filter icon inside the main search box in order to navigate to an IP address search assistant:
Note that the assistant will not allow you to build complex searches combining AND, OR and NOT conditions. For example:
entity:ip positives:5+ AND (aso:ovh OR aso:google)
The following table describes all the search modifiers (facets) that can be used, you can combine any number of them:
| Modifier | Description |
|---|---|
| ip | Narrow down a search to a given IP address range. Example: entity:ip ip:"8.8.8.8/24" |
| asn autonomous_system_number: | Narrow down a search to a given autonomous system (by number). Example: entity:ip asn:"15169" |
| aso autonomous_system_owner: | Narrow down a search to a given autonomous system (by organization). Example: entity:ip as_owner:"Google LLC" |
| country | Country where IPs matching a given criteria should be located. ISO ALPHA 2 code required. Example: entity:ip country:us |
| continent | Continent where IPs matching a given criteria should be located. ISO ALPHA 2 code required. Example: entity:ip continent:eu |
| comment | Search for IPs that have a Google Threat Intelligence Community comment containing the word or phrase provided. Example: entity:ip comment:phishing |
| comment_author | Search for domains that have been commented by the user with the username provided. Example: entity:ip comment:hugoklugman |
| p positives | Filter IPs according to the number of engines/blocklists that detect them. Less than and greater than syntax is allowed. Examples: entity:ip p:5+ |
| engines | Focus on IPs that have a given detection label by at least one blocklist/scanner. Example: entity:ip engines:phishing |
| <engine name> | Focus on IPs that are detected with a given label by a given blocklist/scanner. Example: entity:ip eset:phishing |
| reputation | Filter IPs according to their reputation among the Google Threat Intelligence user base. Example: entity:ip reputation:-20- |
| domain_resolutions_count | Search for IPs that have hosted a given number of domains. Accepts greater and less than syntax and saturates at a count of 100. Example: entity:ip domain_resolutions_count:20+ p:5+ |
| detected_communicating_files_count | Fix a condition based on how many detected files have been seen contacting the given ip when executed in a sandbox. Less than and greater than syntax is allowed but the count saturates at 10. Example: entity:ip detected_communicating_files_count:5+ |
| communicating_files_max_detections | Fix a condition based on the maximum number of detections observed for files that communicate with a given IP. Example: entity:ip communicating_files_max_detections:30+ detected_communicating_files_count:5+ |
| detected_downloaded_files_count | Fix a condition based on how many detected files Google Threat Intelligence has downloaded from a URL hosted under a given IP address. Example: entity:ip detected_downloaded_files_count:10+ |
| downloaded_files_max_detections | Fix a condition based on the maximum number of detections observed for files that were downloaded by Google Threat Intelligence from a given IP address. Example: entity:ip downloaded_files_max_detections:20+ |
| detected_referring_files_count | Fix a condition based on how many detected files have been seen containing the given IP address in their strings. Example: entity:ip detected_referring_files_count:10+ |
| referring_files_max_detections | Fix a condition based on the maximum number of detections observed for files that contain a given IP address in their strings. Example: entity:ip referring_files_max_detections:10+ |
| detected_urls_count | Fix a condition based on how many detected URLs have been seen hosted under a given IP address. Example: entity:ip detected_urls_count:10+ |
| urls_max_detections | Fix a condition based on the maximum number of detections observed for URLs hosted under a given IP address. Example: entity:ip urls_max_detections:5+ detected_urls_count:10+ |
| tag | Filter IPs according to their tags. Example: entity:ip tag:reserved List of available tags: - private: private IP address space, e.g. 192.168.0.1. - multicast: IP address in the multicast range. - link-local: IP valid only for communications within the network segment. - reserved: reserved IP address space. - loopback: IP for the local machine. For a complete list of tags, see Full list of Google TI tag modifier |
| ssl_issuer | Focus on IPs that contain a given string or fulltext pattern within their SSL certificate issuer field. Example: entity:ip ssl_issuer:"Starfield Secure Certificate Authority - G2" |
| ssl_serial | Focus on IPs that share a given SSL certificate serial field. Example: entity:ip ssl_serial:"99c942e5f4049537" |
| ssl_subject | Focus on IPs that contain a given string or fulltext pattern within their subject field. Example: entity:ip ssl_subject:"naranjamarketing.com" |
| ssl_thumbprint | Focus on IPs sharing a given SSL certificate thumbprint field. Example: entity:ip ssl_thumbprint:"f0d173c9009c172bc38062a0a295a4ef1c9e3336" |
| whois | Filter IPs according to any word or phrase contained within their Whois record. Example: entity:ip whois:"Hurricane Electric LLC" |
| have | Allows you to fix a condition that the IP’s indexed metadata should meet, it accepts any of the modifiers above and it means that the IP should have data for a given modifier. Example: entity:ip have:comment p:5+ |
| last_modification_date: lm: | Filter IPs based on the latest update on Google Threat Intelligence for IP. Example: entity:ip last_modification_date:3d+ |
| jarm | Filter IPs based on the JARM fingerprint. Example: entity:ip jarm:29d3fd00029d29d21c42d43d00041d188e8965256b2536432a9bd447ae607f |
| ssl_not_before | Filter Domains based on the start date of the last SSL certificates' validity. Example: entity:domain ssl_not_before:2023-10-01 |
| ssl_not_after | Filter Domains based on the end date of the last SSL certificates' validity. Example: entity:domain ssl_not_after:2023-10-01 |
| threat_actor related_actor | Filter Domains which have that related threat actor. Example: entity:ip threat_actor:"Lazarus Group" |
| gti_score | Google Threat Intelligence assessment threat score. Example: entity:ip gti_score:30+" |
| gti_severity | Google Threat Intelligence assessment severity of the IOC. Example: entity:ip gti_severity:high" |
| gti_verdict | Google Threat Intelligence assessment verdict of the IOC. Example: entity:ip gti_verdict:benign" |
Updated 4 months ago