Although we have the most common modifiers documented with description and examples at:
File search modifiers article.
IP Address search modifiers article.
Domain search modifiers article.
URL search modifiers article
Collection search modifiers article
In this article you will find the full list of modifiers for each entity:
List of File modifiers
List of IP modifiers
List of Domain modifiers
List of URL modifiers
List of Collection modifiers
List of Reference modifiers
List of IOC Stream modifiers
| | | |
|---|
| acronis | ad_aware | ahnlab_v3 | alibaba |
| alibabacloud | alyac | androguard | androguard_package |
| antiy_avl | apex | arcabit | attack_tactic |
| attack_technique | authentihash | avast | avast_mobile |
| avg | avira | avware | babable |
| baidu | behash | behaviour | behaviour_command_executions |
| behaviour_created_processes | behaviour_files | behaviour_injected_processes | behaviour_network |
| behaviour_processes | behaviour_registry | behaviour_services | behaviour_signature |
| behaviour_tags | bitdam_atp | bitdefender | bitdefenderfalx |
| bitdefendertheta | bkav | bytedefend_ai_analysis | bytedefend_ai_verdict |
| c2ae | capa | capability_tag | cape |
| cape_linux | cape_sandbox | cat_quickheal | clamav |
| clue | cmc | codeinsight | collection |
| comment | comment_author | contacted_ip | content |
| cp | creation_date | crowdsourced_ai_analysis | crowdsourced_ids |
| crowdsourced_yara_rule | crowdstrike | ctx | cyber_adapt |
| cybereason | cylance | cynet | das_security_orcas |
| deepinstinct | detectiteasy | dns_lookup_count | docguard |
| dr_web_vxcube | drweb | elastic | elf_digest |
| email_subject | embedded_domain | embedded_ip | embedded_url |
| emsisoft | endgame | engines | ep |
| eset_nod32 | exports | f_prot | f_secure |
| f_secure_sandbox | fireeye | first_submitter | fortinet |
| fs | gdata | google | goresym |
| gridinsoft | have | hispasec_ai_analysis | hispasec_ai_verdict |
| http_conversation_count | huorong | ikarus | imphash |
| imports | invincea | ip_traffic_count | itw |
| jiangmin | k7antivirus | k7gw | kaspersky |
| kingsoft | la | lang | lastline |
| lionic | ls | magic | magika |
| main_icon_dhash | main_icon_md5 | malware_config | malwarebytes |
| malwation | maxsecure | mbc | mcafee |
| mcafeed | metadata | microsoft | microsoft_sysinternals |
| microworld_escan | min_engines_banker | min_engines_emotet | name |
| nano_antivirus | netguid | nics_ai_analysis | nics_ai_verdict |
| nprotect | nsfocus_poma | os_x_sandbox | p |
| packer | paloalto | panda | permhash |
| qianxin_reddrip | qihoo_360 | reaqta_hive | reputation |
| resource | rich_pe_header_hash | rising | rising_moves |
| s | sandbox_name | sangfor | sangfor_zsand |
| scan_timeout | scan_unsupported | secneurx | secondwrite |
| section | sectionmd5 | segment | sentinelone |
| sha256 | sigcheck | sigma_critical | sigma_high |
| sigma_low | sigma_medium | sigma_rule | sigma_ruleset |
| similar-to | size | skyhigh | sndbox |
| sophos | ssdeep | submitter | subspan |
| suggested_threat_label | superantispyware | symantec | symantecmobileinsight |
| symhash | tachyon | tag | tehtris |
| telfhash | tencent | tencent_habo | thehacker |
| threat_actor | tlsh | totaldefense | traffic |
| trapmine | trendmicro | trendmicro_housecall | trid |
| trustlook | type | us | varist |
| vba32 | venuseye_sandbox | vhash | vipre |
| virit | virobot | virustotal_androbox | virustotal_box_of_apples |
| virustotal_cuckoofork | virustotal_droidy | virustotal_jsbox | virustotal_jujubox |
| virustotal_observer | virustotal_r2dbox | vmray | webroot |
| whitearmor | xcitium | yandex | yomi_hunter |
| zenbox | zenbox | zenbox_android | zenbox_linux |
| zenbox_macos | zillya | zonealarm | zoner |
| zscaler | | | |
| | | |
|---|
| 0xsi_f33d | abusix | acronis | adminuslabs |
| ailabs_monitorapp | alienvault | alphamountain_ai | alphasoc |
| antiy_avl | arcsight_threat_intelligence | asn | aso |
| autoshun | axur | benkow_cc | bfore_ai_precrime |
| bitdefender | bkav | blueliv | certego |
| chong_lua_dao | cins_army | cluster25 | cmc_threat_intelligence |
| collection | comment | comment_author | communicating_files_max_detections |
| continent | country | crdf | criminal_ip |
| csis_security_group | cyan | cyble | cyradar |
| desenmascara_me | detected_communicating_files_count | detected_downloaded_files_count | detected_referring_files_count |
| detected_urls_count | dns8 | domain_resolutions_count | downloaded_files_max_detections |
| dr_web | emergingthreats | emsisoft | engines |
| ermes | eset | estsecurity | forcepoint_threatseeker |
| fortinet | g_data | gcp_abuse_intelligence | google_safebrowsing |
| greensnow | gridinsoft | have | heimdal_security |
| hunt_io_intelligence | ip | ipsum | jarm |
| juniper_networks | kaspersky | last_modification_date | lionic |
| lumu | malwared | malwarepatrol | malwares_com_url_checker |
| malwareurl | netcraft | openphish | p |
| path | phishfort | phishing_database | phishlabs |
| phishtank | prebytes | precisionsec | quick_heal |
| quttera | referring_files_max_detections | regional_internet_registry | reputation |
| safetoopen | sansec_ecomscan | scantitan | scumware_org |
| seclookup | securebrain | securolytics | segasec |
| snort_ip_sample_list | socradar | sophos | spam404 |
| ssl_issuer | ssl_not_after | ssl_not_before | ssl_serial |
| ssl_subject | ssl_thumbprint | stopforumspam | sucuri_sitecheck |
| tag | threat_actor | threathive | threatsourcing |
| trustwave | underworld | urlhaus | urlquery |
| urls_max_detections | viettel_threat_intelligence | vipre | viriback |
| vx_vault | webroot | whois | whois_date |
| xcitium_verdict_cloud | yandex_safebrowsing | zerocert | zerofox |
| zvelo | | | |
| | | |
|---|
| 0xsi_f33d | a_record | a_ttl | aaaa_record |
| aaaa_ttl | abusix | acronis | adminuslabs |
| ailabs_monitorapp | alexa_rank | alienvault | alphamountain_ai |
| alphasoc | antiy_avl | arcsight_threat_intelligence | asn |
| aso | autoshun | axur | benkow_cc |
| bfore_ai_precrime | bitdefender | bkav | blueliv |
| caa_record | caa_ttl | category | certego |
| chong_lua_dao | cins_army | cisco_umbrella_rank | cluster25 |
| cmc_threat_intelligence | cname_record | cname_ttl | collection |
| comment | comment_author | communicating_files_max_detections | crdf |
| creation_date | criminal_ip | csis_security_group | cyan |
| cyble | cyradar | depth | desenmascara_me |
| detected_communicating_files_count | detected_downloaded_files_count | detected_referring_files_count | detected_urls_count |
| dname_record | dname_ttl | dns8 | domain |
| domain_regex | downloaded_files_max_detections | dr_web | emergingthreats |
| emsisoft | engines | ermes | eset |
| estsecurity | forcepoint_threatseeker | fortinet | fuzzy_domain |
| g_data | gcp_abuse_intelligence | google_safebrowsing | greensnow |
| gridinsoft | have | heimdal_security | hunt_io_intelligence |
| ipsum | jarm | juniper_networks | kaspersky |
| last_modification_date | last_update_date | lionic | lumu |
| main_icon_dhash | main_icon_md5 | majestic_rank | malwared |
| malwarepatrol | malwares_com_url_checker | malwareurl | mx_record |
| mx_ttl | netcraft | ns_record | ns_ttl |
| openphish | p | parent_domain | path |
| phishfort | phishing_database | phishlabs | phishtank |
| popularity_rank | prebytes | precisionsec | quick_heal |
| quttera | referring_files_max_detections | registrar | reputation |
| safetoopen | sansec_ecomscan | scantitan | scumware_org |
| seclookup | securebrain | securolytics | segasec |
| snort_ip_sample_list | soa_record | soa_ttl | socradar |
| sophos | spam404 | ssl_issuer | ssl_not_after |
| ssl_not_before | ssl_serial | ssl_subject | ssl_thumbprint |
| statvoo_rank | stopforumspam | sucuri_sitecheck | tag |
| threat_actor | threathive | threatsourcing | tld |
| trustwave | ttl | txt_record | txt_ttl |
| underworld | urlhaus | urlquery | urls_max_detections |
| viettel_threat_intelligence | vipre | viriback | vx_vault |
| webroot | whois | whois_date | xcitium_verdict_cloud |
| yandex_safebrowsing | zerocert | zerofox | zvelo |
| | | |
|---|
| 0xsi_f33d | abusix | acronis | adminuslabs |
| ailabs_monitorapp | alienvault | alphamountain_ai | alphasoc |
| antiy_avl | arcsight_threat_intelligence | asn | aso |
| autoshun | axur | benkow_cc | bfore_ai_precrime |
| bitdefender | bkav | blueliv | category |
| certego | chong_lua_dao | cins_army | cluster25 |
| cmc_threat_intelligence | collection | comment | comment_author |
| contacted_domain | contacted_ip | content | cookie |
| cookie_value | crdf | criminal_ip | csis_security_group |
| cyan | cyble | cyradar | desenmascara_me |
| dns8 | dr_web | emergingthreats | emsisoft |
| engines | ermes | eset | estsecurity |
| exact_path | extension | first_submitter | forcepoint_threatseeker |
| fortinet | fs | fuzzy_hostname | g_data |
| gcp_abuse_intelligence | google_safebrowsing | greensnow | gridinsoft |
| have | header | header_value | heimdal_security |
| hostname | hunt_io_intelligence | ip | ipsum |
| juniper_networks | kaspersky | la | lionic |
| ls | lumu | main_icon_dhash | main_icon_md5 |
| malwared | malwarepatrol | malwares_com_url_checker | malwareurl |
| max_url_positives | meta | netcraft | openphish |
| outgoing_link | p | parent_domain | password |
| path | phishfort | phishing_database | phishlabs |
| phishtank | port | prebytes | precisionsec |
| query_field | query_value | quick_heal | quttera |
| redirects_to | reputation | response_code | response_positives |
| response_sha256 | response_size | s | safetoopen |
| sansec_ecomscan | scantitan | scheme | scumware_org |
| seclookup | securebrain | securolytics | segasec |
| sha256 | snort_ip_sample_list | socradar | sophos |
| spam404 | stopforumspam | submitter | sucuri_sitecheck |
| tag | targeted_brand | threat_actor | threathive |
| threatsourcing | title | tld | tracker |
| trustwave | underworld | url | urlhaus |
| urlquery | username | viettel_threat_intelligence | vipre |
| viriback | vx_vault | webroot | xcitium_verdict_cloud |
| yandex_safebrowsing | zerocert | zerofox | zvelo |
| | | |
|---|
| capability | comment | comment_author | creation_date |
| description | detection | domains | files |
| fs | have | ips | last_modification_date |
| ls | malware_role | merged_actor | motivation |
| name | operating_system | origin | owner |
| references | shared_with_me | sigma_rules | source_region |
| sponsor_region | tag | targeted_industry | targeted_industry_group |
| targeted_region | threat_actor | threat_actors | threat_category |
| urls | | yara_rulesets | |
| | | |
|---|
| author | collections | creation_date | description |
| domain | domains | files | iocs |
| ip_addresses | last_modification_date | parent_domain | reference_type |
| source_region | sponsor_region | submitter | tag |
| targeted_industry | targeted_region | threat_actor | threat_actors |
| threat_category | | title | |
| | | |
|---|
| date | entity_type | origin | source_type |
