The Pulsedive query language enables searching across our dataset with boolean logic and wildcards for precise discovery.
Search Modes
The explore endpoint supports two search modes, controlled by the type parameter:
- Indicator mode (
type=indicators, default): Search for indicators by value, type, risk, attributes, properties, and associated threats or feeds.
- Threat mode (
type=threats): Search for threats by name, alias, category, or associated indicator attributes.
The search mode determines which dataset you are querying and which filters are available.
All modes support the same query syntax.
Feeds are not a separate search mode.
To search for indicators associated with specific feeds, use the feed search field in indicator mode (e.g., feed=urlhaus).
Syntax
Query terms follow a simple field-value structure for building search expressions:
Search Fields
Search fields let you target specific aspects of indicators and threats.
Indicator Mode Fields
These fields are available when searching indicators (type=indicators, default):
| Search Field | Description | Example Query |
|---|
ioc | Search by indicator value. Default field when no search field is specified. | ioc=pulsedive.com
ioc=pulsedive*
1.1.1.1 |
threat | Filter by associated threat name or alias. | threat=ryuk
threat=*zeus* |
property
[property type]
[property name]
[type].[name] | Filter by indicator properties. | dns.a=45.55.106.210
meta=*pulsedive*
content-type=text/html*
ssl="*let's encrypt*" |
type | Filter by indicator type. | type=url
type=domain,ip,ipv6 |
seen | Filter by Last Seen timestamp (UTC). | seen=day
seen=week
seen=month
seen=2020-01-01
seen=2022-01-01+
seen=2021-12-31-
seen=2020-01-01-2020-12-31 |
Threat Mode Fields
These fields are available when searching threats (type=threats):
| Search Field | Description | Example Query |
|---|
threat | Search by threat name or alias. Default field when no search field is specified. | threat=ryuk
threat=*zeus*
ryuk |
ioc | Filter by associated indicator values. | ioc=pulsedive.com
ioc=pulsedive* |
category | Filter by threat category. | category=malware
category=phishing,scam |
Fields Available in Both Modes
These fields work in both indicator and threat mode:
| Search Field | Description | Example Query |
|---|
feed
source | Filter by associated feed name or organization. | feed=urlhaus
feed=abuse.ch |
attribute
[attribute type] | Filter by indicator attributes. Includes ports, protocols, and technologies. | port=443
protocol=http*
technology=apache
port=80 and port=443 |
risk | Filter by risk level. | risk=critical
risk=low,medium
risk=high+
risk=low- |
active
retired | Filter by active or retired status. | active=true
retired=0 |
Boolean Logic and Wildcards
Combine search terms using logical operators and pattern matching for complex queries.
Queries allow for AND, OR, and NOT operations.
Wildcards are also allowed.
If an operator is omitted between search terms, the default operation is AND.
| Operation | Operator | Example Query |
|---|
| AND | &, &&, and | pulsedive.com && type=domain
pulsedive.com type=domain |
| OR | |, ||, or | google.com or pulsedive*
(*pulsedive* and type=domain) | threat=phishing |
| NOT | != | risk!=medium- |
| Wildcard | * | *pulsedive* |
Escaping and Quotes
Use escaping and quotes to handle special characters and spaces in your search terms.
Since special characters like asterisks (*) and parentheses (()) might conflict with your intended query, you can escape them with a backslash (\).
If your search field or search term has a space, you must wrap it in quotes (").
Examples
These examples show how to specify search modes using the type parameter and construct queries with proper URI encoding.
Search indicators (default):
# These are equivalent
curl "https://pulsedive.com/api/explore.php?q=risk%3Dhigh"
curl "https://pulsedive.com/api/explore.php?type=indicators&q=risk%3Dhigh"
curl "https://pulsedive.com/api/explore.php?type=threats&q=risk%3Dhigh"
# Note: type=domain is inside the query string (q parameter)
curl "https://pulsedive.com/api/explore.php?q=type%3Ddomain%20and%20risk%3Dhigh"
The mode parameter type is separate from the query field type=.
The parameter controls which dataset to search (indicators or threats), while the query field filters indicators by their type (e.g., domain, IP, URL).
# Search indicator mode, filter by domain type only
curl "https://pulsedive.com/api/explore.php?type=indicators&q=type%3Ddomain%20and%20risk%3Dhigh"
