Getting started

Download our Free View official cheat sheet

Starting straight away with standard filters

If you just want to try out and have some quick results, you may want to search for all exposed RDP services, for instance. It is as easy as using a unique filter:

From the Web search engine:

protocol:rdp

From curl:

curl -H 'Content-Type: application/json' -H 'Authorization: bearer YOUR_APIKEY' -XGET 'https://www.onyphe.io/api/v2/search/?q=protocol:rdp'

Or you want to find exposed SSH services? We find all these services by performing protocol identification. Yes, you can find services on non-standard port in the way:

protocol:ssh

Want to search all Windows operating systems? Easy:

os:windows

You can even directly search for a specific domain:

domain:google.com

We have tens of usable filters. Basically, all those available in the JSON output can be used as a search filter. This includes, of course, search by country or by asn… What is more, you can multiply your filters to form a AND query:

domain:google.com protocol:ssh

NOTE: use the following curl request to execute this last search.

curl -H 'Content-Type: application/json' -H 'Authorization: bearer YOUR_APIKEY' -XGET 'https://www.onyphe.io/api/v2/search/?q=domain:google.com+protocol:ssh'

Search using keywords

As we store 16KB of raw data in the data field, you can apply some keyword searches. Let’s try with some classic string:

data:“hello world”

By default, fields only accept exact searches, like the example fields given in previous section. For the following list, you can search by using keywords or complete phrases with the following fields:

• data
• summary
• app.http.title
• app.http.description
• app.http.keywords
• app.http.copyright
• title

And that’s pretty much all for keywords based fields. Keep in mind, if a field is not listed here, it can only be used for exact searches.

Examples:

• Search a unique keyword in data field:

data:confidential

• Search for a complete phrase in data field:

data:“do not disclose”

• Search for keywords AND phrases in data field:

data:confidential data:“do not disclose”

NOTE: this search performs an AND query. It will find matching documents that have the ‘confidential’ keyword somewhere in the data field AND also the ‘do not disclose’ phrase somewhere in the data field. You can perform OR queries starting from subscriptions allowing ‘Advanced query language’.

Defining an asset

We work with the concept of asset. Usually, an organization is comprised of multiple assets. An asset can:

• IP address
• IP block
• domain name
• subdomain name
• organization
• Top-level domain

An IP address can be searched for with the ip filter:

ip:8.8.8.8

An IP block can be searched for also with the ip filter but with a CIDR mask:

ip:8.8.8.0/24

A domain name can be searched for with the domain filter:

domain:google.com

A subdomain name can be searched for with the subdomains filter:

subdomains:sandbox.googleusercontent.com

An organization can be searched for with the organization filter:

organization:google

NOTE: search terms are NOT case sensitive.

A top-level domain can be searched for with the tld filter:

tld:google

Defining a pivot

The previous use case was to search for specific assets. Maybe you want to find linked assets? For instance, a company usually have multiple domain names. What if you could pivot on some field to identify related domains? Pivots are just some other filters you can use:

• TLS subject organization
• Another linked domain
• A subnet (or IP block)
• An organization
• Some HTTP trackers like these from Google or Meta

To search for related domains starting from subject.organization filter:

subject.organization:google

To search for linked domains, just look at the output for the domain fields:

{
   "domain": [
      "1e100.net",
      "bg-call-donation-alpha.goog",
      "bg-call-donation-canary.goog",
      "bg-call-donation-dev.goog",
      "bg-call-donation.goog",
      "google.com",
      "googleapis.com",
      "youtube-3rd-party.com",
      "youtube.com"
   ]
}

NOTE: you guessed it, we collect so much data we can easily create an asset inventory based on these pivots.

To search for HTTP trackers, you have different available filters:

• app.http.tracker.ga
• app.http.tracker.gaw
• app.http.tracker.gpub
• app.http.tracker.gtm
• app.http.tracker.fbq
• app.http.tracker.snaptr
• app.http.tracker.newrelic

Defining an analytics

An analytics allows to search for similarities in our data. For instance, a common use case is to find devices having the same favicon. You can use the app.favicon.imagemd5 or app.favicon.imagemmh3 filters for that. We have other analytics fields as follows:

• Raw data MD5: datamd5 field, a plain MD5 of complete raw response;
• App HTTP Body MD5: app.http.bodymd5 field, a plain MD5 of HTTP response body, untouched;
• App HTTP Header MD5: app.http.headermd5 field, a plain MD5 of HTTP header, we strip values that can change, like dates, but we keep order of header values;
• Favicon MD5: app.favicon.imagemd5 field, we apply MD5 against raw image content.

We also support the MMH3 algorithm for all these fields, just replace MD5 by MMH3:

• Raw data MMH3: datammh3;
• App HTTP Body MMH3: app.http.bodymmh3;
• App HTTP Header MMH3: app.http.headermmh3;
• Favicon MMH3: app.favicon.imagemmh3.

NOTE: MMH3 is on 32-bits only. Thus, this algorithm may have numerous collisions and is not recommanded for big data.

Improving your search skills

Now that you have the basics to get started, you should continue to improve your knowlege by reading the ONYPHE Query Language chapter.