This syntax applies to searches made through the explore endpoint.
Search Modes
The explore endpoint supports two search modes, controlled by the type parameter:
- Indicator mode (type=indicators, default): Search for indicators by value, type, risk, attributes, properties, and associated threats or feeds.
- Threat mode (type=threats): Search for threats by name, alias, category, or associated indicator attributes.
Feeds are not a separate search mode. To search for indicators associated with specific feeds, use the feed search field in indicator mode (e.g., feed=urlhaus).
Syntax
Query terms follow a simple field-value structure for building search expressions:
Search Fields
Search fields let you target specific aspects of indicators and threats.
Indicator Mode Fields
These fields are available when searching indicators (type=indicators, default):
| Search Field | Description | Example Query |
|---|---|---|
| `ioc` | Search by indicator value. Default field when no search field is specified. | `ioc=pulsedive.com`<br>`ioc=pulsedive*`<br>`1.1.1.1` |
| `threat` | Filter by associated threat name or alias. | `threat=ryuk`<br>`threat=*zeus*` |
| `property`<br>`[property type]`<br>`[property name]`<br>`[type].[name]` | Filter by indicator properties. | `dns.a=45.55.106.210`<br>`meta=*pulsedive*`<br>`content-type=text/html*`<br>`ssl="*let's encrypt*"` |
| `type` | Filter by indicator type. | `type=url`<br>`type=domain,ip,ipv6` |
| `seen` | Filter by Last Seen timestamp (UTC). | `seen=day`<br>`seen=week`<br>`seen=month`<br>`seen=2020-01-01`<br>`seen=2022-01-01+`<br>`seen=2021-12-31-`<br>`seen=2020-01-01-2020-12-31` |
Threat Mode Fields
These fields are available when searching threats (type=threats):
| Search Field | Description | Example Query |
|---|---|---|
| `threat` | Search by threat name or alias. Default field when no search field is specified. | `threat=ryuk`<br>`threat=*zeus*`<br>`ryuk` |
| `ioc` | Filter by associated indicator values. | `ioc=pulsedive.com`<br>`ioc=pulsedive*` |
| `category` | Filter by threat category. | `category=malware`<br>`category=phishing,scam` |
Fields Available in Both Modes
These fields work in both indicator and threat mode:
| Search Field | Description | Example Query |
|---|---|---|
| `feed`<br>`source` | Filter by associated feed name or organization. | `feed=urlhaus`<br>`feed=abuse.ch` |
| `attribute`<br>`[attribute type]` | Filter by indicator attributes. Includes ports, protocols, and technologies. | `port=443`<br>`protocol=http*`<br>`technology=apache`<br>`port=80 and port=443` |
| `risk` | Filter by risk level. | `risk=critical`<br>`risk=low,medium`<br>`risk=high+`<br>`risk=low-` |
| `active`<br>`retired` | Filter by active or retired status. | `active=true`<br>`retired=0` |
Boolean Logic and Wildcards
Combine search terms using logical operators and pattern matching for complex queries. Queries allow for AND, OR, and NOT operations. Wildcards are also allowed.
If an operator is omitted between search terms, the default operation is AND.
| Operation | Operator | Example Query |
|---|---|---|
| AND | `&`, `&&`, `and` | `pulsedive.com && type=domain`<br>`pulsedive.com type=domain` |
| OR | `\|`, `\|\|`, `or` | `google.com or pulsedive*`<br>`(*pulsedive* and type=domain) \| threat=phishing` |
| NOT | `!=` | `risk!=medium-` |
| Wildcard | `*` | `*pulsedive*` |
Escaping and Quotes
Use escaping and quotes to handle special characters and spaces in your search terms. Since special characters like asterisks (*) and parentheses (()) might conflict with your intended query, you can escape them with a backslash (\).
If your search field or search term has a space, you must wrap it in quotes (").
Examples
These examples show how to specify search modes using the type parameter and construct queries with proper URI encoding.
Search indicators (default):
The mode parameter type is separate from the query field type=. The parameter controls which dataset to search (indicators or threats), while the query field filters indicators by their type (e.g., domain, IP, URL).
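The escaping, quoting and URI-encoding rules above, applied to a value taken from a log so that it is matched literally rather than parsed as query syntax. This is an added example, not Pulsedive's own code: the helper names, the sample value and the `q` query-parameter name are assumptions, and only the characters this page names (`*`, `(`, `)`) are escaped.

```python
from urllib.parse import quote, urlencode

# Characters this page names as needing a backslash escape.
SPECIAL = "*()"


def literal(text: str) -> str:
    """Escape text for a literal match; wrap it in quotes if it has a space."""
    if '"' in text or "\\" in text:
        # The page does not say how to escape these, so refuse rather than guess.
        raise ValueError(f"cannot safely encode {text!r}")
    escaped = "".join("\\" + ch if ch in SPECIAL else ch for ch in text)
    return f'"{escaped}"' if " " in escaped else escaped


def term(field: str, value: str) -> str:
    """One field=value term whose field and value are both taken literally."""
    return f"{literal(field)}={literal(value)}"


def all_of(*terms: str) -> str:
    """Join terms with an explicit AND instead of relying on the default."""
    return " and ".join(terms)


def any_of(*terms: str) -> str:
    """Join terms with OR, parenthesised so the group nests inside all_of()."""
    return "(" + " or ".join(terms) + ")"


def to_query_string(query: str, mode: str = "indicators", param: str = "q") -> str:
    """Percent-encode the mode (type) and the query; 'q' is an assumed name."""
    if mode not in ("indicators", "threats"):
        raise ValueError("type must be 'indicators' or 'threats'")
    return urlencode({"type": mode, param: query}, quote_via=quote)


# Constructed sample: a hostname from a log line that contains a '*'.
OBSERVED = "cdn*.example.test"
QUERY = all_of(term("ioc", OBSERVED), any_of("risk=high", "risk=critical"))
ENCODED = to_query_string(QUERY)

if __name__ == "__main__":
    print(QUERY)
    print(ENCODED)
```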