Search Results

Search Help

ElasticSearch queries do not use a prefix. e.g., *windows.* matches 'time.windows.com'.

For MD5, SHA1, SHA256, etc., no prefix is needed (matches any file generated by analysis, including dropped/extracted files).

To search for the initial submitted file specifically, use target_sha256: prefix.

By default, searches are exact matches. Use regex characters (e.g., ^ $ | ? * + ( ) [ ] { }) to force a regex search.

Prefix	Description
General & Metadata
`id:`	Task ID (e.g., `id:1`)
`ids:`	List of Task IDs (e.g., `ids:1,2,3`)
`options:`	Task options (e.g., `options:function=DllMain`)
`tags_tasks:`	Task tags (e.g., `tags_tasks:mytag`)
`package:`	Analysis package (e.g., `package:ps1`)
`machinename:`	Target Machine Name
`machinelabel:`	Target Machine Label
`custom:`	Custom data field
`comment:`	Analysis Comments
`configs:`	Extracted config value
File Properties & Static Analysis
`target_sha256:`	Target file SHA256
`name:`	File name pattern
`type:`	File type/format
`ssdeep:`	Fuzzy hash (SSDeep)
`crc32:`	CRC32 hash
`imphash:`	PE Imphash
`iconhash:`	Exact icon hash
`iconfuzzy:`	Fuzzy icon hash
`dhash:`	Icon dhash
`die:`	Detect It Easy (DIE) signature (e.g., `die:obsidium`)
`extracted_tool:`	Extracted tool (e.g., `InnoExtract`)
`virustotal:`	VirusTotal Detected Name
`clamav:`	Local ClamAV detections
`yaraname:`	Yara Rule Name (binary folder)
`capeyara:`	Yara Rule Name (cape folder)
`procdumpyara:`	Yara Rule Name (process dumps)
`procmemyara:`	Yara Rule Name (memory dumps)
Network Analysis
`ip:`	Contacted IP address
`domain:`	Contacted domain
`url:`	Contacted URL or URL Analysis Target
`port:`	Source or Destination port
`sport:`	Source port
`dport:`	Destination port
`ja3_string:`	JA3 string
`ja3_hash:`	JA3 hash
`asn:`	AS ID (e.g., `asn:AS15169`)
`asn_name:`	ASN name (e.g., `asn_name:Google LLC`)
`surimsg:`	Suricata Alert Message
`surialert:`	Suricata Alert Category
`surisid:`	Suricata Alert SID
`suriurl:`	Suricata HTTP URL
`suriua:`	Suricata HTTP User-Agent
`surireferrer:`	Suricata HTTP Referrer
`surihost:`	Suricata HTTP Host
`suritlssubject:`	Suricata TLS Subject
`suritlsissuerdn:`	Suricata TLS Issuer DN
`suritlsfingerprint:`	Suricata TLS Fingerprint
`suritls:`	Suricata TLS Generic
`surihttp:`	Suricata HTTP Generic
Behavior & Execution
`file:`	Open files matching pattern
`command:`	Executed commands matching pattern
`resolvedapi:`	APIs resolved at runtime
`key:`	Open registry keys matching pattern
`mutex:`	Open mutexes matching pattern
`signame:`	CAPE Signature names
`signature:`	CAPE Signature descriptions
`detections:`	Malware family detections
`malscore:`	Malscore > value
`ttp:`	TTP ID (e.g., `T1053`)

ID	Timestamp	Package	Filename	Target	Detections	VT	Status
57	2026-03-26 20:13:27	chrome	-	globo.com	Clean	-	reported
55	2026-03-26 19:45:45	chrome	-	http://www.globo.com	Clean	-	reported
54	2026-03-26 19:43:32	chrome	-	http://example.com	Clean	-	reported
52	2026-03-26 19:37:20	chrome	-	http://example.com	Clean	-	reported
51	2026-03-26 19:35:23	chrome	-	globo.com	Clean	-	reported
50	2026-03-26 18:56:49	chrome	-	globo.com	Clean	-	reported
42	2026-03-26 18:40:13	chrome	-	globo.com	Clean	-	reported
41	2026-03-26 18:12:51	chrome	-	GLOBO.COM	Clean	-	reported
37	2026-03-26 17:20:41	chrome	-	globo.com	Clean	-	reported
36	2026-03-26 15:59:23	chrome	-	GLOBO.COM	Clean	-	reported
35	2026-03-23 19:59:50	chrome	-	globo.com	Clean	-	reported
28	2026-03-23 18:31:09	chrome	-	globo.com	Clean	-	reported
16	2026-03-23 17:30:43	chrome	-	globo.com	Clean	-	reported
13	2026-03-23 13:51:41	chrome	-	globo.com	Clean	-	reported
10	2026-03-23 13:24:42	chrome	-	globo.com	Clean	-	reported
8	2026-03-20 21:11:33	chrome	-	globo.com	Clean	-	reported

Search Help

Results for term: detections:Clean