URL search modifiers

Google Threat Intelligence allows you to perform advanced faceted searches over the historical collection of URLs. These searches can act on basically all the metadata that we generate for URLs: url string, path, query parameters and values, favicon, meta tags, contained Ad trackers, tags, reputation, etc.

By default, Google Threat Intelligence searches over the historical collection of files; to search over URLs instead, add the facet condition entity:url. For example, let's ask for all URLs that have been detected by more than 5 URL scanners and were first submitted after October 17th 2019:

entity:url p:5+ fs:2019-10-17+

You can click on the filter icon inside the main search box in order to navigate to a URL search assistant:


Note that the assistant does not let you build complex searches that combine AND, OR and NOT conditions, such as the following:

(entity:url AND positives:5+ AND fs:2019-10-17+) AND (tld:ru OR tld:tk)

The following table describes all the search modifiers (facets) that can be used; you can combine any number of them.

The following modifiers admit wildcards: hostname, outgoing_link, path, url.

comment: Search for URLs that have a Google Threat Intelligence Community comment containing the word or phrase provided.
  Example: entity:url comment:IOCs
comment_author: Search for URLs that have been commented on by the user with the username provided.
  Example: entity:url comment_author:68h7EGyNm
fs: Filter URLs based on the first seen date in Google Threat Intelligence. Less than and greater than syntax is allowed.
  Examples: entity:url fs:2019-10-10+, entity:url fs:2019-10-10-
ls: Filter URLs based on the last seen date in Google Threat Intelligence. Less than and greater than syntax is allowed.
  Examples: entity:url ls:2019-10-10-, entity:url ls:2019-10-10+
la: Filter
main_icon_dhash: Search for URLs with a favicon that is visually similar to another favicon; a visual similarity hash is used for this purpose. This search can be triggered by clicking on the favicon preview of the URL in the search listings. It can be useful for discovering phishing sites targeting a given company.
  Example: entity:url main_icon_dhash:"cc8cccccaae070b2" NOT hostname:"dropbox.com" NOT hostname:"dropboxforum.com"
p, positives: Filter URLs according to the number of engines/blocklists that detect them. Less than and greater than syntax is allowed.
  Examples: entity:url p:10+, entity:url p:10-
engines: Focus on URLs that have been detected with a given label by at least one scanner/blocklist.
  Example: entity:url engines:malware
engine_name: Focus on URLs that have been detected with a given label by a specific scanner/blocklist; the modifier is the name of the engine itself. The full list of engine names is available at the linked page.
  Example: entity:url fortinet:malware
reputation: Filter URLs according to their reputation among the Google Threat Intelligence user base.
  Example: entity:url reputation:70+
s, submissions: Filter URLs according to the number of times they have been sent to Google Threat Intelligence for analysis. Less than and greater than syntax is allowed.
  Examples: entity:url s:10+, entity:url s:10-
submitter: Search for URLs submitted via a given interface (API, web) or sent from a given country (two-letter ISO country code).
  Example: entity:url submitter:web submitter:MY
first_submitter: Search for URLs whose first submission was sent from a given country (two-letter ISO country code).
  Example: entity:url first_submitter:ua
tag: Filter URLs according to their tags.
  Example: entity:url tag:"downloads-pe" header_value:"image/jpeg"
  List of available tags:
    • ip: the URL's hostname is a bare IP address rather than a domain.
    • non-ascii: the URL's hostname contains non-ASCII characters, i.e. punycode.
    • downloads-pe: the URL downloads a Windows executable.
    • downloads-apk: the URL downloads an Android APK.
    • downloads-elf: the URL downloads a Linux executable.
    • downloads-dmg: the URL downloads an OS X package.
    • downloads-zip: the URL downloads a ZIP bundle.
    • downloads-pdf: the URL downloads a PDF document.
    • downloads-doc: the URL downloads a Microsoft Office document.
    • opendir: the URL is an open directory, i.e. directory browsing is possible.
    • contains-pe: the URL is an open directory and it lists at least one file with an .exe extension.
    • contains-zip: same as above but for the .zip extension.
    • contains-msi: same as above but for the .msi extension.
    • contains-apk: same as above but for the .apk extension.
    • contains-dmg: same as above but for the .dmg extension.
asn, autonomous_system_number: Search for URLs in domains that resolve to an IP address under the responsibility of the given autonomous system number.
  Example: entity:url asn:7506
aso, as_owner, autonomous_system_owner: Search for URLs in domains that resolve to an IP address under the responsibility of the given autonomous system owner label.
  Example: entity:url aso:"Google LLC"
category: Filter URLs according to the content category of their domain, as depicted in the details section of the pertinent domain report.
  Examples: entity:url category:"business and economy", entity:url category:"known infection source"
cookie: Filter URLs according to the cookie name set in the HTTP server response. Note that this is a fulltext search: you can search for the entire cookie name or for subwords of it.
  Example: entity:url cookie:"VT_PREFERRED_LANGUAGE"
cookie_value: Filter URLs according to a cookie value set in the HTTP server response. Note that this is a fulltext search: you can search for the entire cookie value or for subwords of it.
  Example: entity:url cookie:"VT_PREFERRED_LANGUAGE" cookie_value:"en"
header: Filter URLs according to the HTTP server response header keys.
  Example: entity:url header:"set-cookie"
header_value: Filter URLs according to the HTTP server response header values.
  Example: entity:url header_value:"PHP/5.3.29, PleskLin"
hostname: Filter URLs according to the hostname. Note that this is a fulltext search, meaning that subwords can be used.
  Example: entity:url hostname:santander NOT hostname:bancosantander
ip: Filter URLs according to the IP address to which their domain resolved at the time of analysis. Allows range searches and CIDRs.
  Examples: entity:url ip:"200.61.38.216", entity:url ip:"200.61.38.216/24"
max_url_positives: Filter URLs according to the maximum number of detections, considering all historical analyses performed on the URL.
  Example: entity:url max_url_positives:10+ positives:0
meta: Filter URLs according to the META tags contained in the HTML that gets returned. Can be used to discover phishing sites.
  Example: entity:url meta:"NAB personal banking financial solutions"
password: Focus on URLs that have a password field and match a given text.
  Example: entity:url have:password NOT username:mailto
path: Filter URLs according to path sequences or subwords within the URL's path.
  Example: entity:url path:"gate.php" response_code:200
exact_path: Filter URLs whose path is exactly the given value.
  Example: entity:url exact_path:"/google/"
extension: Filter URLs according to the extension parsed from the URL path or from the Content-Disposition filename HTTP response header.
  Example: entity:url extension:jpg tag:downloads-pe
port: Filter URLs according to the port on which the HTTP server is operating.
  Example: entity:url port:8080
query_field: Filter URLs according to the key/name of query fields contained in the URL.
  Example: entity:url query_field:"loginpage"
query_value: Filter URLs according to the values of the query fields contained in the URL.
  Example: entity:url query_value:"walala10.cab"
redirects_to: Identify URLs that redirect to a given URL. This is a fulltext search, meaning that subwords can be used.
  Example: entity:url redirects_to:"login.php"
response_code: Filter URLs according to the HTTP status code returned by the server.
  Example: entity:url response_code:200 path:"gate.php"
response_positives: Filter URLs according to the number of antivirus detections for the content that the URL delivers.
  Example: entity:url positives:0 response_positives:10+
response_size: Filter URLs according to the size of the content returned, in bytes.
  Example: entity:url response_code:200 response_size:1000000+
scheme: Filter URLs according to their protocol scheme.
  Example: entity:url scheme:https response_code:200 path:"gate.php"
title: Filter URLs according to the title tag contained in their HTML response, if any. Can be used to identify phishing against particular entities.
  Example: entity:url title:"NAB Personal Banking"
tld: Filter URLs according to their top level domain.
  Example: entity:url tld:ru path:"gate.php"
tracker: Focus on URLs sharing a given ads tracker in their HTML bodies.
  Example: entity:url tracker:"15015754"
url: Filter URLs according to subwords contained in the URL string.
  Example: entity:url url:bankofamerica NOT hostname:bankofamerica
username: Filter URLs according to the username portion of the URI.
  Example: entity:url username:anonymous
have: Imposes a condition on the URL's indexed metadata: it accepts any of the modifiers above and means that the URL must have data for the given modifier.
  Example: entity:url p:3+ have:tracker
parent_domain: Filter URLs based on the parent domain.
  Example: entity:url parent_domain:dropbox.com
threat_actor, related_actor: Filter URLs that are related to the given threat actor.
  Example: entity:url threat_actor:"Lazarus Group"
gti_score: Google Threat Intelligence assessment threat score.
  Example: entity:url gti_score:30+
gti_severity: Google Threat Intelligence assessment severity of the IOC.
  Example: entity:url gti_severity:high
gti_verdict: Google Threat Intelligence assessment verdict of the IOC.
  Example: entity:url gti_verdict:benign