In this article, you will find the available parameters for searching Deep & Dark Web sources in Threat Hunting, organized by source type. We have also included usage examples for each parameter.
Messages
Search for messages collected from monitored communication platforms such as Telegram, WhatsApp, and Discord.
Available parameters
Parameter | What it is | Example |
platform | Message source platform | platform=telegram platform=whatsapp platform=discord |
messageDate | Message date | messageDate=YYYY-MM-DD |
authorId | Author identifier (e.g., phone number) | authorId=555195740480 |
accountPhoneHash | Hash of the phone number associated with the account | accountPhoneHash=abc123 |
authorProfile | Sender profile | authorProfile="profile name" |
authorType | Sender type | authorType=user |
channelName | Channel name | channelName="channel name" |
chatId | Chat identifier | chatId=123456 |
chatName | Group or channel name | chatName="market" |
chatType | Chat type | chatType=group |
content | Message content | content="for sale" |
dataSource | Data source | dataSource=telegram |
layer | Web layer where the message was collected | layer=deep |
origin | Message origin | origin=monitoring |
serverChannelId | Server channel identifier (e.g., Discord) | serverChannelId=123456789 |
serverName | Server name (e.g., Discord) | serverName="example server" |
timestamp | Message timestamp | timestamp=YYYY-MM-DDThh:mm:ss |
Forums & Markets
Search for posts collected from Deep & Dark Web forums and marketplaces, including market platforms, forums, and ransomware feeds.
Available parameters
Parameter | What it is | Example |
platform | Post source platform | platform=market platform=forum platform=ransomware-feed |
publishedDate | Post publication date | publishedDate=YYYY-MM-DD |
domain | Forum or marketplace domain | domain=breached.sh |
content | Post content | content="for sale" |
contentTitle | Published content title | contentTitle="database leak" |
crawlDate | Date when the content was collected | crawlDate=YYYY-MM-DD |
dataSource | Data source | dataSource=forum |
discoveredDate | Date the content was discovered | discoveredDate=YYYY-MM-DD |
group | Group associated with the content | group="group name" |
groups | List of associated groups | groups="group1" |
languages | Languages identified in the content | languages=pt |
layer | Web layer where the content was collected | layer=dark |
legacyCrawlDate | Legacy crawl date | legacyCrawlDate=YYYY-MM-DD |
network | Network where the content was found | network=tor |
searchCategory | Search category associated with the content | searchCategory="ransomware" |
searchQuery | Associated search query | searchQuery="credential dump" |
targetWebsite | Target website mentioned in the content | targetWebsite=example.com |
timestamp | Content timestamp | timestamp=YYYY-MM-DDThh:mm:ss |
title | Post title | title="leaked database" |
uri | Content URI | uri=/thread/12345 |
url | Full content URL | |
virtualPlatform | Source virtual platform | virtualPlatform=tor |
Social Media Posts
Search for posts collected from monitored social media platforms such as Twitter/X.
Available parameters
Parameter | What it is | Example |
platform | Post source platform | platform=twitter |
postDate | Post publication date | postDate=YYYY-MM-DD |
userName | Author username | userName=john_doe |
authorName | Post author name | authorName="John Doe" |
content | Post content | content="for sale" |
dataSource | Data source | dataSource=twitter |
favoriteCount | Number of likes | favoriteCount=100 |
language | Post language | language=pt |
layer | Web layer where the post was collected | layer=surface |
mediaType | Post media type | mediaType=text |
replyCount | Number of replies | replyCount=10 |
repostCount | Number of reposts | repostCount=50 |
timestamp | Post timestamp | timestamp=YYYY-MM-DDThh:mm:ss |
If you have any questions, feel free to reach out to us at [email protected] 😊