> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pulsedive.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Query Language

> Learn Pulsedive's query language syntax for searching threat intelligence data. Use boolean logic, wildcards, and field-specific searches to find indicators by risk, type, attributes, and more.

<Callout icon="map-pin" color="#8b5cf6" iconType="regular">
  This syntax applies to searches made through the [`explore` endpoint](/api/explore/search/).
</Callout>

The Pulsedive query language enables searching across our dataset with boolean logic and wildcards for precise discovery.

## Search Modes

The explore endpoint supports two search modes, controlled by the `type` parameter:

* **Indicator mode** (`type=indicators`, default): Search for indicators by value, type, risk, attributes, properties, and associated threats or feeds.
* **Threat mode** (`type=threats`): Search for threats by name, alias, category, or associated indicator attributes.

The search mode determines which dataset you are querying and which filters are available.
All modes support the same [query syntax](#syntax).

<Note>
  Feeds are not a separate search mode.
  To search for indicators associated with specific feeds, use the `feed` search field in indicator mode (e.g., `feed=urlhaus`).
</Note>

## Syntax

Query terms follow a simple field-value structure for building search expressions:

```txt theme={null}
[search field]=[value]
```

## Search Fields

Search fields let you target specific aspects of indicators and threats.

### Indicator Mode Fields

These fields are available when searching indicators (`type=indicators`, default):

| Search Field                                                                  | Description                                                                 | Example Query                                                                                                                                          |
| ----------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `ioc`                                                                         | Search by indicator value. Default field when no search field is specified. | `ioc=pulsedive.com`<br />`ioc=pulsedive*`<br />`1.1.1.1`                                                                                               |
| `threat`                                                                      | Filter by associated threat name or alias.                                  | `threat=ryuk`<br />`threat=*zeus*`                                                                                                                     |
| `property`<br />`[property type]`<br />`[property name]`<br />`[type].[name]` | Filter by indicator properties.                                             | `dns.a=45.55.106.210`<br />`meta=*pulsedive*`<br />`content-type=text/html*`<br />`ssl="*let's encrypt*"`                                              |
| `type`                                                                        | Filter by indicator type.                                                   | `type=url`<br />`type=domain,ip,ipv6`                                                                                                                  |
| `seen`                                                                        | Filter by Last Seen timestamp (UTC).                                        | `seen=day`<br />`seen=week`<br />`seen=month`<br />`seen=2020-01-01`<br />`seen=2022-01-01+`<br />`seen=2021-12-31-`<br />`seen=2020-01-01-2020-12-31` |

### Threat Mode Fields

These fields are available when searching threats (`type=threats`):

| Search Field | Description                                                                      | Example Query                                    |
| ------------ | -------------------------------------------------------------------------------- | ------------------------------------------------ |
| `threat`     | Search by threat name or alias. Default field when no search field is specified. | `threat=ryuk`<br />`threat=*zeus*`<br />`ryuk`   |
| `ioc`        | Filter by associated indicator values.                                           | `ioc=pulsedive.com`<br />`ioc=pulsedive*`        |
| `category`   | Filter by threat category.                                                       | `category=malware`<br />`category=phishing,scam` |

### Fields Available in Both Modes

These fields work in both indicator and threat mode:

| Search Field                        | Description                                                                  | Example Query                                                                         |
| ----------------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| `feed`<br />`source`                | Filter by associated feed name or organization.                              | `feed=urlhaus`<br />`feed=abuse.ch`                                                   |
| `attribute`<br />`[attribute type]` | Filter by indicator attributes. Includes ports, protocols, and technologies. | `port=443`<br />`protocol=http*`<br />`technology=apache`<br />`port=80 and port=443` |
| `risk`                              | Filter by risk level.                                                        | `risk=critical`<br />`risk=low,medium`<br />`risk=high+`<br />`risk=low-`             |
| `active`<br />`retired`             | Filter by active or retired status.                                          | `active=true`<br />`retired=0`                                                        |

## Boolean Logic and Wildcards

Combine search terms using logical operators and pattern matching for complex queries.

Queries allow for `AND`, `OR`, and `NOT` operations.
Wildcards are also allowed.

If an operator is omitted between search terms, the default operation is `AND`.

| Operation | Operator           | Example Query                                                                      |
| --------- | ------------------ | ---------------------------------------------------------------------------------- |
| AND       | `&`, `&&`, `and`   | `pulsedive.com && type=domain`<br />`pulsedive.com type=domain`                    |
| OR        | `\|`, `\|\|`, `or` | `google.com or pulsedive*`<br />`(*pulsedive* and type=domain) \| threat=phishing` |
| NOT       | `!=`               | `risk!=medium-`                                                                    |
| Wildcard  | `*`                | `*pulsedive*`                                                                      |

## Escaping and Quotes

Use escaping and quotes to handle special characters and spaces in your search terms.

Since special characters like asterisks (`*`) and parentheses (`()`) might conflict with your intended query, you can escape them with a backslash (`\`).

If your search field or search term has a space, you must wrap it in quotes (`"`).

## Examples

These examples show how to specify search modes using the `type` parameter and construct queries with proper URI encoding.

Search indicators (default):

```bash theme={null}
# These are equivalent
curl "https://pulsedive.com/api/explore.php?q=risk%3Dhigh"
curl "https://pulsedive.com/api/explore.php?type=indicators&q=risk%3Dhigh"
```

Search threats:

```bash theme={null}
curl "https://pulsedive.com/api/explore.php?type=threats&q=risk%3Dhigh"
```

Filter indicator types (within indicator mode):

```bash theme={null}
# Note: type=domain is inside the query string (q parameter)
curl "https://pulsedive.com/api/explore.php?q=type%3Ddomain%20and%20risk%3Dhigh"
```

<Note>
  The mode parameter `type` is separate from the query field `type=`.
  The parameter controls which dataset to search (indicators or threats), while the query field filters indicators by their type (e.g., domain, IP, URL).
</Note>

Combining both the parameter and the query field looks like:

```bash theme={null}
# Search indicator mode, filter by domain type only
curl "https://pulsedive.com/api/explore.php?type=indicators&q=type%3Ddomain%20and%20risk%3Dhigh"
```
