URL search modifiers
Google Threat Intelligence allows you to perform advanced faceted searches over the historical collection of URLs. These searches can act on basically all the metadata that we generate for URLs: URL string, path, query parameters and values, favicon, meta tags, contained ad trackers, tags, reputation, etc.
Google Threat Intelligence searches over the historical collection of files by default. To search over URLs, you need to add the facet condition entity:url. For example, let's ask for all those URLs that have been detected by more than 5 URL scanners and were first submitted after October 17th 2019:
entity:url p:5+ fs:2019-10-17+
You can click on the filter icon inside the main search box in order to navigate to a URL search assistant:

Note that the assistant will not allow you to build complex searches combining AND, OR and NOT conditions. For example:
(entity:url AND positives:5+ AND fs:2019-10-17+) AND (tld:ru OR tld:tk)
The following table describes all the search modifiers (facets) that can be used. You can combine any number of them.
The following modifiers admit wildcards: hostname, outgoing_link, path, url.
comment: | Search for URLs that have a Google Threat Intelligence Community comment containing the word or phrase provided. |
comment_author: | Search for URLs that have been commented by the user with the username provided. |
fs: | Filter URLs based on the first seen date in Google Threat Intelligence. Note that less than and greater than syntax is allowed. |
ls: | Filter URLs based on the last seen date in Google Threat Intelligence. Note that less than and greater than syntax is allowed. |
la: | Filter |
main_icon_dhash: | Search for URLs with a favicon which is visually similar to another favicon, a visual similarity hash is used for this purpose. This search can be triggered by clicking on the favicon preview of the URL in the search listings. Can be useful to discover phishing sites targeting a given company. |
p: | Filter URLs according to the number of engines/blocklists that detect them. Less than and greater than syntax is allowed. |
engines: | Focus on URLs that have been detected with a given label by at least one scanner/blocklist. |
engine_name: | Focus on URLs that have been detected with a given label by a specific scanner/blocklist. |
reputation: | Filter URLs according to their reputation among the Google Threat Intelligence user base. |
s: | Filter URLs according to the number of times they have been sent to Google Threat Intelligence for analysis. Less than and greater than syntax is allowed. |
submitter: | Search for URLs submitted via a given interface (API, web) or sent from a given country (two-letter ISO country code). |
first_submitter: | Search for URLs whose first submission was sent from a given country (two-letter ISO country code). |
tag: | Filter URLs according to their tags. |
asn: | Search for URLs in domains that resolve to an IP address under the responsibility of the given autonomous system number. |
aso: | Search for URLs in domains that resolve to an IP address under the responsibility of the given autonomous system owner label. |
category: | Filter URLs according to the content category of their domain, as depicted in the details section of the pertinent domain report. |
cookie: | Filter URLs according to the cookie name set in the HTTP server response. Note that this is a fulltext search: you can search for the entire cookie name or for subwords of it. |
cookie_value: | Filter URLs according to a cookie value set in the HTTP server response. Note that this is a fulltext search: you can search for the entire cookie value or for subwords of it. |
header: | Filter URLs according to the HTTP server response header keys. |
header_value: | Filter URLs according to the HTTP server response header values. |
hostname: | Filter URLs according to the hostname. Note that this is a fulltext search, meaning that subwords can be used. |
ip: | Filter URLs according to the IP address to which their domain resolved at the time of analysis. Allows range searches and CIDRs. |
max_url_positives: | Filter URLs according to the maximum number of detections considering all historical analyses performed on the URL. |
meta: | Filter URLs according to the META tags contained in the HTML that gets returned. Can be used to discover phishing sites. |
password: | Focus on URLs that have a password field and match a given text. |
path: | Filter URLs according to path sequences or subwords within the URL’s path. |
exact_path: | Filter URLs whose path is exactly the given value. |
extension: | Filter URLs according to extension parsing based on the URL path or content disposition filename HTTP response header. |
port: | Filter URLs according to the port on which the HTTP server is operating. |
query_field: | Filter URLs according to the key/name of query fields contained in the URL. |
query_value: | Filter URLs according to the values contained in their query fields. |
redirects_to: | Identify URLs that redirect to a given URL. This is a fulltext search, meaning that subwords can be used: |
response_code: | Filter URLs according to the HTTP status code returned by the server. |
response_positives: | Filter URLs according to the number of antivirus detections for the content that the URL delivers. |
response_size: | Filter URLs according to the size of the content returned, in bytes. |
scheme: | Filter URLs according to their protocol scheme. |
title: | Filter URLs according to the title tag contained in their HTML response, if any. Can be used to identify phishing against particular entities. |
tld: | Filter URLs according to their top level domain. |
tracker: | Focus on URLs sharing a given ads tracker in their HTML bodies. |
url: | Filter URLs according to subwords contained in the URL string. |
username: | Filter URLs according to the URI username portion. |
have: | Allows you to impose a condition that the URL’s indexed metadata should meet. It accepts any of the modifiers above and means that the URL should have data for the given modifier. |
parent_domain: | Filter URLs based on the parent domain. |
threat_actor: | Filter URLs which have that related threat actor. |
gti_score: | Google Threat Intelligence assessment threat score. |
gti_severity: | Google Threat Intelligence assessment severity of the IOC. |
gti_verdict: | Google Threat Intelligence assessment verdict of the IOC. |
targeted_brand: | Filter URLs based on info extracted from phishing engines. |
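The following is an added example, not part of the Google Threat Intelligence documentation: a small Python linter and builder for the query syntax described on this page, which catches a missing entity:url, modifiers that are not in the table, and wildcards in modifiers that do not admit them. The helper names `lint`, `group` and `build` are hypothetical, and the example assumes `*` is the wildcard character and that search terms contain no whitespace.

```python
import re

# Modifier names copied from this page's table, plus outgoing_link (from the
# wildcard note) and entity/positives (used in the page's example queries).
KNOWN = set("""
comment comment_author fs ls la main_icon_dhash p engines engine_name
reputation s submitter first_submitter tag asn aso category cookie
cookie_value header header_value hostname ip max_url_positives meta password
path exact_path extension port query_field query_value redirects_to
response_code response_positives response_size scheme title tld tracker url
username have parent_domain threat_actor gti_score gti_severity gti_verdict
targeted_brand outgoing_link entity positives
""".split())
# The page lists these as admitting wildcards; treating "*" as the wildcard
# character is an assumption of this example.
WILDCARD_OK = {"hostname", "outgoing_link", "path", "url"}
TERM = re.compile(r"([A-Za-z_]+):(\S+)")

def lint(query):
    """Return a list of problems found in a URL search string."""
    terms = [(m, v.rstrip(")")) for m, v in TERM.findall(query)]
    problems = []
    if ("entity", "url") not in terms:
        problems.append("missing entity:url (search defaults to files)")
    for modifier, value in terms:
        if modifier not in KNOWN:
            problems.append(f"unknown modifier: {modifier}")
        elif "*" in value and modifier not in WILDCARD_OK:
            problems.append(f"wildcard not admitted in {modifier}")
    return problems

def group(op, *parts):
    """Join conditions with AND or OR inside one pair of parentheses."""
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator: {op}")
    return "(" + f" {op} ".join(parts) + ")"

def build(required, alternatives=()):
    """AND the required conditions, then AND an OR-group of alternatives."""
    if "entity:url" not in required:
        required = ["entity:url", *required]
    query = group("AND", *required)
    if alternatives:
        query += " AND " + group("OR", *alternatives)
    problems = lint(query)
    if problems:
        raise ValueError("; ".join(problems))
    return query
```

Calling `build(["positives:5+", "fs:2019-10-17+"], ["tld:ru", "tld:tk"])` reproduces the combined AND/OR query shown earlier on this page, which the search assistant cannot construct.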