ElasticSearch queries do not use a prefix, i.e. `*windows.*` would match `time.windows.com`.
For MD5, SHA1, SHA256 and SHA512 hashes no prefix is needed.
Prefix | Description
---|---
`name:` | File name pattern
`type:` | File type/format
`string:` | String contained in the binary
`ssdeep:` | Fuzzy hash
`crc32:` | CRC32 hash
`imphash:` | Search for PE Imphash
`iconhash:` | Search for exact hash of the icon associated with the PE
`iconfuzzy:` | Search for hash designed to match on similar-looking icons
`file:` | Open files matching the pattern
`command:` | Executed commands matching the pattern
`resolvedapi:` | APIs resolved at runtime matching the pattern
`key:` | Open registry keys matching the pattern
`mutex:` | Open mutexes matching the pattern
`ip:` | Contact the specified IP address
`domain:` | Contact the specified domain
`url:` | Search for Cuckoo Sandbox URL analysis
`signame:` | Search for Cuckoo Sandbox signatures through signature names
`signature:` | Search for Cuckoo Sandbox signatures through signature descriptions
`malfamily:` | Search for samples associated with a malware family
`surimsg:` | Search for Suricata alert MSG
`surialert:` | Search for Suricata alerts
`surisid:` | Search for Suricata alert SID
`suriurl:` | Search for URL in Suricata HTTP logs
`suriua:` | Search for User-Agent in Suricata HTTP logs
`surireferrer:` | Search for Referrer in Suricata HTTP logs
`surihhost:` | Search for Host in Suricata HTTP logs
`suritlssubject:` | Search for TLS Subject in Suricata TLS logs
`suritlsissuerdn:` | Search for TLS Issuer DN in Suricata TLS logs
`suritlsfingerprint:` | Search for TLS Fingerprint in Suricata TLS logs
`suritls:` | Search for Suricata TLS
`surihttp:` | Search for Suricata HTTP
`clamav:` | Local ClamAV detections
`yaraname:` | Yara rule name for analysis samples
`procmemyara:` | Yara rule name for process memory dumps
`virustotal:` | VirusTotal detection name
`machinename:` | Name of the target machine
`machinelabel:` | Label of the target machine
`custom:` | Custom data
`shrikemsg:` | Shrike Suricata alert MSG
`shrikesid:` | Shrike Suricata alert SID (exact int)
`shrikeurl:` | Shrike URL before mangling
`shrikerefer:` | Shrike Referrer
`comment:` | Search for analysis comments
`malscore:` | Search for Malscore greater than the value
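The following is an added example, not code from the sandbox project this page documents, showing how a front end could dispatch the search syntax described above: split a query on its first colon so prefixes like `url:` keep terms that themselves contain colons, validate the prefix against the documented set, fall back to hash-type detection by hex digest length when no prefix is present (the MD5/SHA1/SHA256/SHA512 rule), and apply whole-term wildcard matching so that `*windows.*` matches `time.windows.com` while `windows.*` does not. The prefix set is copied from the table; the function names, the integer check for `shrikesid:`, the numeric check for `malscore:`, and the sample queries are assumptions made for the example.

```python
import fnmatch
import re

# Search prefixes documented in the table above (this set mirrors the page;
# the dispatch logic around it is an added example, not the project's own code).
KNOWN_PREFIXES = {
    "name", "type", "string", "ssdeep", "crc32", "imphash", "iconhash",
    "iconfuzzy", "file", "command", "resolvedapi", "key", "mutex", "ip",
    "domain", "url", "signame", "signature", "malfamily", "surimsg",
    "surialert", "surisid", "suriurl", "suriua", "surireferrer", "surihhost",
    "suritlssubject", "suritlsissuerdn", "suritlsfingerprint", "suritls",
    "surihttp", "clamav", "yaraname", "procmemyara", "virustotal",
    "machinename", "machinelabel", "custom", "shrikemsg", "shrikesid",
    "shrikeurl", "shrikerefer", "comment", "malscore",
}

# Hex digest lengths of the hash types that need no prefix.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value):
    """Return 'md5'/'sha1'/'sha256'/'sha512' for a bare hex digest, else None."""
    v = value.strip()
    if _HEX.match(v):
        return HASH_LENGTHS.get(len(v))
    return None


def parse_search(query):
    """Turn a raw search string into (field, term).

    Prefixed queries are split on the FIRST colon only, so 'url:http://x'
    keeps 'http://x' intact. Unprefixed queries must be a hash digest.
    Raises ValueError for anything else.
    """
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    prefix, sep, rest = q.partition(":")
    field = prefix.lower()
    term = rest.strip()
    if sep and field in KNOWN_PREFIXES and term:
        if field == "shrikesid":
            # Documented as an exact integer match (assumed: reject non-integers).
            if not term.isdigit():
                raise ValueError("shrikesid expects an integer")
            return field, int(term)
        if field == "malscore":
            # Documented as "greater than the value", so the term must be numeric (assumed).
            return field, float(term)
        return field, term
    htype = classify_hash(q)
    if htype:
        # Hashes are normalised to lowercase so lookups are case-insensitive.
        return htype, q.lower()
    raise ValueError("unknown prefix or malformed hash: %r" % query)


def is_valid_search(query):
    """Convenience wrapper: True if parse_search accepts the query."""
    try:
        parse_search(query)
        return True
    except ValueError:
        return False


def wildcard_match(pattern, value):
    """ElasticSearch-style wildcard: the pattern must cover the whole value,
    so a leading '*' is required to match inside a term."""
    return fnmatch.fnmatchcase(value, pattern)


if __name__ == "__main__":
    # Constructed sample queries, not taken from any real analysis.
    for sample in ("name:*.exe", "url:http://example.invalid/a?b=c",
                   "d41d8cd98f00b204e9800998ecf8427e", "bogus:thing"):
        print(sample, "->", parse_search(sample) if is_valid_search(sample) else "rejected")
    print(wildcard_match("*windows.*", "time.windows.com"))   # True
    print(wildcard_match("windows.*", "time.windows.com"))    # False
```

Splitting on the first colon rather than every colon is the detail that matters for `url:`, `command:` and `file:` searches, whose terms routinely contain `:`; rejecting unknown prefixes instead of silently treating them as free text avoids queries that quietly match nothing.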