Getting started
Starting straight away with standard filters
If you just want to try things out and get some quick results, you may want to search for all exposed RDP services, for instance. It is as easy as using a single filter:
From the Web search engine:
protocol:rdp
From curl:
curl -H 'Content-Type: application/json' -H 'Authorization: bearer YOUR_APIKEY' -XGET 'https://www.onyphe.io/api/v2/search/?q=protocol:rdp'
Or do you want to find exposed SSH services? We detect all these services by performing protocol identification, which means you can also find services running on non-standard ports this way:
Want to search for all Windows operating systems? Easy:
You can even directly search for a specific domain:
We have tens of usable filters. Basically, every field available in the JSON output can be used as a search filter. This includes, of course, searching by country or by asn. What is more, you can combine filters to form an AND query:
domain:google.com protocol:ssh
NOTE: use the following curl request to execute this last search; the space between the two filters is sent as + in the URL.
curl -H 'Content-Type: application/json' -H 'Authorization: bearer YOUR_APIKEY' -XGET 'https://www.onyphe.io/api/v2/search/?q=domain:google.com+protocol:ssh'
Search using keywords
As we store 16KB of raw data in the data field, you can run keyword searches against it. Let's try with a classic string:
By default, fields only accept exact matches, like the example fields given in the previous section. The following fields, and only these, can be searched by keyword or by complete phrase:
- data
- summary
- app.http.title
- app.http.description
- app.http.keywords
- app.http.copyright
- title
And that is all for keyword-based fields. Keep in mind that if a field is not listed here, it can only be used for exact searches.
Examples:
- Search for a single keyword in the data field:
data:confidential
- Search for a complete phrase in the data field:
data:"do not disclose"
- Search for keywords AND phrases in the data field:
data:confidential data:"do not disclose"
NOTE: this search performs an AND query. It will find documents that have the 'confidential' keyword somewhere in the data field AND the 'do not disclose' phrase somewhere in the data field. A phrase must be enclosed in plain double quotes, otherwise each word is treated as a separate term. You can perform OR queries starting from the subscriptions that include the 'Advanced query language'.
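The curl request of the previous section and the phrase search just above both depend on the query reaching the API intact: spaces separate AND-ed filters, double quotes group a phrase, and all of it has to be URL-encoded. The following script is an added example, not ONYPHE's own client; it assumes only the endpoint and the 'Authorization: bearer' header shown on this page, and reading the key from an ONYPHE_APIKEY environment variable is a choice of the example. The helpers that build the query run offline; only search() talks to the live API.

```python
"""Build and send ONYPHE API v2 search requests from Python.

Added example, not ONYPHE's own client. It assumes only what this page
shows: the endpoint https://www.onyphe.io/api/v2/search/?q=<query> and the
'Authorization: bearer <key>' header. Reading the key from the ONYPHE_APIKEY
environment variable is a choice of this example.
"""
import json
import os
import urllib.parse
import urllib.request

SEARCH_ENDPOINT = "https://www.onyphe.io/api/v2/search/"


def quote_value(value: str) -> str:
    """Wrap a value containing whitespace in double quotes so it is searched as
    a phrase; unquoted, data:do not disclose is one data: term plus stray words."""
    if '"' in value:
        raise ValueError("double quotes inside a phrase are not handled by this example")
    if any(ch.isspace() for ch in value):
        return '"' + value + '"'
    return value


def build_query(*terms: tuple) -> str:
    """Join (field, value) pairs with spaces; space-separated filters are AND-ed."""
    return " ".join(f"{field}:{quote_value(value)}" for field, value in terms)


def build_url(query: str) -> str:
    """Percent-encode the query: a space becomes '+', ':' becomes '%3A',
    a double quote '%22' and the '/' of a CIDR mask '%2F'."""
    return SEARCH_ENDPOINT + "?" + urllib.parse.urlencode({"q": query})


def search(query: str, timeout: float = 30.0) -> dict:
    """Run the query against the live API and return the decoded JSON document.
    Needs network access and the ONYPHE_APIKEY variable; not exercised offline."""
    api_key = os.environ["ONYPHE_APIKEY"]
    request = urllib.request.Request(
        build_url(query),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"bearer {api_key}",
        },
        method="GET",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


if __name__ == "__main__":
    # The two queries from this page, first as the engine reads them, then encoded.
    for query in (
        build_query(("domain", "google.com"), ("protocol", "ssh")),
        build_query(("data", "confidential"), ("data", "do not disclose")),
    ):
        print(query)
        print("  ", build_url(query))
    if "ONYPHE_APIKEY" in os.environ:
        print(json.dumps(search("protocol:rdp"), indent=2)[:2000])
```

Pasting the encoded URL into curl reproduces the request shown above; the difference is that the encoding is done by urllib rather than by hand, which matters as soon as a value contains a space, a quote or a slash.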
Defining an asset
We work with the concept of an asset. Usually, an organization is composed of multiple assets. An asset can be:
- IP address
- IP block
- domain name
- subdomain name
- organization
- Top-level domain
An IP address can be searched for with the ip filter:
An IP block can also be searched for with the ip filter, by adding a CIDR mask:
A domain name can be searched for with the domain filter:
A subdomain name can be searched for with the subdomains filter:
subdomains:sandbox.googleusercontent.com
An organization can be searched for with the organization filter:
NOTE: search terms are NOT case sensitive.
A top-level domain can be searched for with the tld filter:
Defining a pivot
The previous use case was to search for specific assets. Maybe you want to find linked assets? For instance, a company usually has multiple domain names. What if you could pivot on some field to identify related domains? Pivots are just other filters you can use:
- TLS subject organization
- Another linked domain
- A subnet (or IP block)
- An organization
- Some HTTP trackers, like those from Google or Meta
To search for related domains starting from the subject.organization filter:
To find linked domains, just look at the domain field in the output:
{
"domain": [
"1e100.net",
"bg-call-donation-alpha.goog",
"bg-call-donation-canary.goog",
"bg-call-donation-dev.goog",
"bg-call-donation.goog",
"google.com",
"googleapis.com",
"youtube-3rd-party.com",
"youtube.com"
]
}
NOTE: you guessed it: we collect so much data that we can easily build an asset inventory from these pivots.
To search for HTTP trackers, several filters are available:
- app.http.tracker.ga
- app.http.tracker.gaw
- app.http.tracker.gpub
- app.http.tracker.gtm
- app.http.tracker.fbq
- app.http.tracker.snaptr
- app.http.tracker.newrelic
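Pivoting is an iterative loop: read a field out of the results, group by its value, and turn the values shared by several hosts into the next search. The script below is an added example, not ONYPHE's own code, showing that loop over result documents shaped like the JSON above. It assumes the dotted field names on this page map onto nested dicts in a result (app.http.tracker.ga becomes doc["app"]["http"]["tracker"]["ga"]) and that every document carries an ip field; the sample documents are constructed for the example (the first domain list is the one shown above, every other value, including the tracker identifiers, is made up).

```python
"""Aggregate pivot fields from search results and derive follow-up queries.

Added example, not ONYPHE's own code. Assumes dotted field names map onto
nested dicts and that each result carries an "ip" field. SAMPLE_RESULTS is
constructed: the first domain list is the one on this page, all other values
(addresses, organization, tracker ids) are placeholders.
"""
from collections import defaultdict

SAMPLE_RESULTS = [
    {
        "ip": "203.0.113.10",
        "domain": ["1e100.net", "google.com", "googleapis.com", "youtube.com"],
        "subject": {"organization": "Example Org"},
        "app": {"http": {"tracker": {"ga": "UA-000000-1"}}},
    },
    {
        "ip": "203.0.113.11",
        "domain": "example.net",  # a scalar rather than a list: handle both shapes
        "subject": {"organization": "Example Org"},
        "app": {"http": {"tracker": {"gtm": "GTM-0000000"}}},
    },
    {
        "ip": "198.51.100.7",
        "domain": ["youtube.com", "youtube-3rd-party.com"],
        "app": {"http": {"tracker": {"ga": "UA-000000-1"}}},
    },
]


def get_values(doc: dict, path: str) -> list:
    """Resolve a dotted field name inside a nested result; [] when the field is absent."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def collect_pivots(results: list, fields: list) -> dict:
    """For every pivot field, map each observed value to the set of IPs it was seen on."""
    pivots = {field: defaultdict(set) for field in fields}
    for doc in results:
        for field in fields:
            for value in get_values(doc, field):
                pivots[field][value].add(doc["ip"])
    return pivots


def linked_assets(results: list, field: str, value) -> tuple:
    """IPs and domains sharing one pivot value, e.g. every host embedding the same GA id."""
    ips, domains = set(), set()
    for doc in results:
        if value in get_values(doc, field):
            ips.add(doc["ip"])
            domains.update(get_values(doc, "domain"))
    return ips, domains


def follow_up_queries(pivots: dict, field: str, min_ips: int = 2) -> list:
    """Pivot values seen on at least min_ips addresses, rendered as search filters;
    values containing whitespace are quoted so they are searched as a phrase."""
    queries = []
    for value, ips in sorted(pivots[field].items()):
        if len(ips) < min_ips:
            continue
        text = f'"{value}"' if any(ch.isspace() for ch in str(value)) else str(value)
        queries.append(f"{field}:{text}")
    return queries


if __name__ == "__main__":
    fields = ["domain", "subject.organization", "app.http.tracker.ga", "app.http.tracker.gtm"]
    pivots = collect_pivots(SAMPLE_RESULTS, fields)
    for field in fields:
        print(field, follow_up_queries(pivots, field))
    print(linked_assets(SAMPLE_RESULTS, "app.http.tracker.ga", "UA-000000-1"))
```

The min_ips threshold is what keeps the inventory honest: a tracker id or organization string seen on a single host is a weak link, while one shared by several addresses is worth a new search and a look at the domain lists it brings back.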
Defining an analytics
An analytics lets you search for similarities in our data. For instance, a common use case is to find devices sharing the same favicon. You can use the app.favicon.imagemd5 or app.favicon.imagemmh3 filters for that. We have other analytics fields, as follows:
- Raw data MD5: datamd5 field, a plain MD5 of the complete raw response;
- App HTTP Body MD5: app.http.bodymd5 field, a plain MD5 of the HTTP response body, untouched;
- App HTTP Header MD5: app.http.headermd5 field, a plain MD5 of the HTTP headers; we strip values that can change, like dates, but we keep the order of the headers;
- Favicon MD5: app.favicon.imagemd5 field, MD5 applied to the raw image content.
We also support the MMH3 algorithm for all these fields; just replace MD5 with MMH3:
- Raw data MMH3: datammh3;
- App HTTP Body MMH3: app.http.bodymmh3;
- App HTTP Header MMH3: app.http.headermmh3;
- Favicon MMH3: app.favicon.imagemmh3.
NOTE: MMH3 is a 32-bit hash only, so it has just 2^32 possible values. This algorithm may therefore produce numerous collisions and is not recommended for large data sets; use the MD5 variant of the same field when the pivot must be reliable.
Improving your search skills
Now that you have the basics to get started, you should continue to improve your knowledge by reading the ONYPHE Query Language chapter.