Although we have the most common modifiers documented with description and examples at:
File search modifiers article.
IP Address search modifiers article.
Domain search modifiers article.
URL search modifiers article
Collection search modifiers article
In this article you will find the full list of modifiers for each entity:
List of File modifiers
List of IP modifiers
List of Domain modifiers
List of URL modifiers
List of Collection modifiers
List of Reference modifiers
List of IOC Stream modifiers
| | | |
|---|
| acronis | ad_aware | ahnlab_v3 | alibaba |
| alibabacloud | alyac | androguard | androguard_package |
| antiy_avl | apex | arcabit | attack_tactic |
| attack_technique | authentihash | avast | avast_mobile |
| avg | avira | avware | babable |
| baidu | behash | behaviour | behaviour_command_executions |
| behaviour_created_processes | behaviour_files | behaviour_injected_processes | behaviour_network |
| behaviour_processes | behaviour_registry | behaviour_services | behaviour_tags |
| bitdam_atp | bitdefender | bitdefenderfalx | bitdefendertheta |
| bkav | bytedefend_ai_analysis | bytedefend_ai_verdict | c2ae |
| capa | capability_tag | cape | cape_linux |
| cape_sandbox | cat_quickheal | clamav | clue |
| cmc | codeinsight | collection | comment |
| comment_author | contacted_ip | content | cp |
| creation_date | crowdsourced_ai_analysis | crowdsourced_ids | crowdsourced_yara_rule |
| crowdstrike | cyber_adapt | cybereason | cylance |
| cynet | das_security_orcas | deepinstinct | detectiteasy |
| dns_lookup_count | docguard | dr_web_vxcube | drweb |
| elastic | elf_digest | email_subject | embedded_domain |
| embedded_ip | embedded_url | emsisoft | endgame |
| engines | ep | eset_nod32 | exports |
| f_prot | f_secure | f_secure_sandbox | fireeye |
| first_submitter | fortinet | fs | gdata |
| google | goresym | gridinsoft | have |
| hispasec_ai_analysis | hispasec_ai_verdict | http_conversation_count | huorong |
| ikarus | imphash | imports | invincea |
| ip_traffic_count | itw | jiangmin | k7antivirus |
| k7gw | kaspersky | kingsoft | la |
| lang | lastline | lionic | ls |
| magic | main_icon_dhash | main_icon_md5 | malware_config |
| malwarebytes | malwation | max | maxsecure |
| mcafee | mcafeed | metadata | microsoft |
| microsoft_sysinternals | microworld_escan | min_engines_banker | min_engines_emotet |
| name | nano_antivirus | netguid | nics_ai_analysis |
| nics_ai_verdict | nprotect | nsfocus_poma | os_x_sandbox |
| p | packer | paloalto | panda |
| permhash | qianxin_reddrip | qihoo_360 | reaqta_hive |
| reputation | resource | rich_pe_header_hash | rising |
| rising_moves | s | sandbox_name | sangfor |
| sangfor_zsand | scan_timeout | scan_unsupported | secneurx |
| secondwrite | section | sectionmd5 | segment |
| sentinelone | sha256 | sigcheck | sigma_critical |
| sigma_high | sigma_low | sigma_medium | sigma_rule |
| sigma_ruleset | similar-to | size | skyhigh |
| sndbox | sophos | ssdeep | submitter |
| subspan | suggested_threat_label | superantispyware | symantec |
| symantecmobileinsight | symhash | tachyon | tag |
| tehtris | telfhash | tencent | tencent_habo |
| thehacker | threat_actor | tlsh | totaldefense |
| traffic | trapmine | trendmicro | trendmicro_housecall |
| trid | trustlook | type | us |
| varist | vba32 | venuseye_sandbox | vhash |
| vipre | virit | virobot | virustotal_androbox |
| virustotal_box_of_apples | virustotal_cuckoofork | virustotal_droidy | virustotal_jsbox |
| virustotal_jujubox | virustotal_observer | virustotal_r2dbox | vmray |
| webroot | whitearmor | xcitium | yandex |
| yomi_hunter | zenbox | zenbox | zenbox_android |
| zenbox_linux | zenbox_macos | zillya | zonealarm |
| zoner | | zscaler | |
| | | |
|---|
| 0xsi_f33d | abusix | acronis | adminuslabs |
| ailabs_monitorapp | alienvault | alphamountain_ai | alphasoc |
| antiy_avl | arcsight_threat_intelligence | asn | aso |
| autoshun | benkow_cc | bfore_ai_precrime | bitdefender |
| bkav | blueliv | certego | chong_lua_dao |
| cins_army | cluster25 | cmc_threat_intelligence | collection |
| comment | comment_author | communicating_files_max_detections | continent |
| country | crdf | criminal_ip | csis_security_group |
| cyan | cyble | cyradar | desenmascara_me |
| detected_communicating_files_count | detected_downloaded_files_count | detected_referring_files_count | detected_urls_count |
| dns8 | domain_resolutions_count | downloaded_files_max_detections | dr_web |
| emergingthreats | emsisoft | engines | ermes |
| eset | estsecurity | forcepoint_threatseeker | fortinet |
| g_data | google_safebrowsing | greensnow | gridinsoft |
| have | heimdal_security | hunt_io_intelligence | ip |
| ipsum | jarm | juniper_networks | k7antivirus |
| kaspersky | last_modification_date | lionic | lumu |
| malwared | malwarepatrol | malwares_com_url_checker | malwareurl |
| netcraft | openphish | p | path |
| phishfort | phishing_database | phishlabs | phishtank |
| prebytes | precisionsec | quick_heal | quttera |
| referring_files_max_detections | regional_internet_registry | reputation | safetoopen |
| sansec_ecomscan | scantitan | scumware_org | seclookup |
| securebrain | securolytics | segasec | snort_ip_sample_list |
| socradar | sophos | spam404 | ssl_issuer |
| ssl_not_after | ssl_not_before | ssl_serial | ssl_subject |
| ssl_thumbprint | stopforumspam | sucuri_sitecheck | tag |
| threat_actor | threathive | threatsourcing | trustwave |
| underworld | urlhaus | urlquery | urls_max_detections |
| viettel_threat_intelligence | vipre | viriback | vx_vault |
| webroot | whois | whois_date | xcitium_verdict_cloud |
| yandex_safebrowsing | zerocert | zerofox | zvelo |
| | | |
|---|
| 0xsi_f33d | a_record | a_ttl | aaaa_record |
| aaaa_ttl | abusix | acronis | adminuslabs |
| ailabs_monitorapp | alexa_rank | alienvault | alphamountain_ai |
| alphasoc | antiy_avl | arcsight_threat_intelligence | asn |
| aso | autoshun | benkow_cc | bfore_ai_precrime |
| bitdefender | bkav | blueliv | caa_record |
| caa_ttl | category | certego | chong_lua_dao |
| cins_army | cisco_umbrella_rank | cluster25 | cmc_threat_intelligence |
| cname_record | cname_ttl | collection | comment |
| comment_author | communicating_files_max_detections | crdf | creation_date |
| criminal_ip | csis_security_group | cyan | cyble |
| cyradar | depth | desenmascara_me | detected_communicating_files_count |
| detected_downloaded_files_count | detected_referring_files_count | detected_urls_count | dname_record |
| dname_ttl | dns8 | domain | domain_regex |
| downloaded_files_max_detections | dr_web | emergingthreats | emsisoft |
| engines | ermes | eset | estsecurity |
| forcepoint_threatseeker | fortinet | fuzzy_domain | g_data |
| google_safebrowsing | greensnow | gridinsoft | have |
| heimdal_security | hunt_io_intelligence | ipsum | jarm |
| juniper_networks | k7antivirus | kaspersky | last_modification_date |
| last_update_date | lionic | lumu | main_icon_dhash |
| main_icon_md5 | majestic_rank | malwared | malwarepatrol |
| malwares_com_url_checker | malwareurl | mx_record | mx_ttl |
| netcraft | ns_record | ns_ttl | openphish |
| p | parent_domain | path | phishfort |
| phishing_database | phishlabs | phishtank | popularity_rank |
| prebytes | precisionsec | quick_heal | quttera |
| referring_files_max_detections | registrar | reputation | safetoopen |
| sansec_ecomscan | scantitan | scumware_org | seclookup |
| securebrain | securolytics | segasec | snort_ip_sample_list |
| soa_record | soa_ttl | socradar | sophos |
| spam404 | ssl_issuer | ssl_not_after | ssl_not_before |
| ssl_serial | ssl_subject | ssl_thumbprint | statvoo_rank |
| stopforumspam | sucuri_sitecheck | tag | threat_actor |
| threathive | threatsourcing | tld | trustwave |
| ttl | txt_record | txt_ttl | underworld |
| urlhaus | urlquery | urls_max_detections | viettel_threat_intelligence |
| vipre | viriback | vx_vault | webroot |
| whois | whois_date | xcitium_verdict_cloud | yandex_safebrowsing |
| zerocert | | zerofox | |
| | | |
|---|
| 0xsi_f33d | abusix | acronis | adminuslabs |
| ailabs_monitorapp | alienvault | alphamountain_ai | alphasoc |
| antiy_avl | arcsight_threat_intelligence | asn | aso |
| autoshun | benkow_cc | bfore_ai_precrime | bitdefender |
| bkav | blueliv | category | certego |
| chong_lua_dao | cins_army | cluster25 | cmc_threat_intelligence |
| collection | comment | comment_author | contacted_domain |
| contacted_ip | content | cookie | cookie_value |
| crdf | criminal_ip | csis_security_group | cyan |
| cyble | cyradar | desenmascara_me | dns8 |
| dr_web | emergingthreats | emsisoft | engines |
| ermes | eset | estsecurity | exact_path |
| extension | first_submitter | forcepoint_threatseeker | fortinet |
| fs | fuzzy_hostname | g_data | google_safebrowsing |
| greensnow | gridinsoft | have | header |
| header_value | heimdal_security | hostname | hunt_io_intelligence |
| ip | ipsum | juniper_networks | k7antivirus |
| kaspersky | la | lionic | ls |
| lumu | main_icon_dhash | main_icon_md5 | malwared |
| malwarepatrol | malwares_com_url_checker | malwareurl | max_url_positives |
| meta | netcraft | openphish | outgoing_link |
| p | parent_domain | password | path |
| phishfort | phishing_database | phishlabs | phishtank |
| port | prebytes | precisionsec | query_field |
| query_value | quick_heal | quttera | redirects_to |
| reputation | response_code | response_positives | response_sha256 |
| response_size | s | safetoopen | sansec_ecomscan |
| scantitan | scheme | scumware_org | seclookup |
| securebrain | securolytics | segasec | sha256 |
| snort_ip_sample_list | socradar | sophos | spam404 |
| stopforumspam | submitter | sucuri_sitecheck | tag |
| targeted_brand | threat_actor | threathive | threatsourcing |
| title | tld | tracker | trustwave |
| underworld | url | urlhaus | urlquery |
| username | viettel_threat_intelligence | vipre | viriback |
| vx_vault | webroot | xcitium_verdict_cloud | yandex_safebrowsing |
| zerocert | | zerofox | |
| | | |
|---|
| capability | comment | comment_author | creation_date |
| description | detection | domains | files |
| fs | have | ips | last_modification_date |
| ls | malware_role | merged_actor | motivation |
| name | operating_system | origin | owner |
| references | sigma_rules | source_region | sponsor_region |
| tag | targeted_industry | targeted_industry_group | targeted_region |
| threat_actor | threat_actors | threat_category | urls |
| yara_rulesets | | | |
| | | |
|---|
| author | collections | creation_date | description |
| domain | domains | files | iocs |
| ip_addresses | last_modification_date | parent_domain | reference_type |
| source_region | sponsor_region | submitter | tag |
| targeted_industry | targeted_region | threat_actor | threat_actors |
| threat_category | | title | |
| | | |
|---|
| date | entity_type | origin | source_type |
