Queries
This guide provides an overview of Flare’s query capabilities, categorized by common use cases. It includes instructions on using basic and advanced operators, filtering features, and crafting complex searches to extract meaningful insights from Flare’s data sources.
You suspect that your employees’ credentials may have been compromised and potentially sold on illicit marketplaces or shared in stealer logs. To address this, you can search for any references to your corporate email domains from the past seven days.
- Source Filtering: Restrict your search to stealer logs by specifying the source.
- Date Range: Focus on data from the last 7 days using metadata.estimated_created_at.
- Keyword Filtering: Look for any mention of the corporate email domain.
metadata.source:stealer_logs* AND features.emails:*@yourcompany.com AND metadata.estimated_created_at:>now-7d
Explanation:
- metadata.source:stealer_logs* filters results only from stealer logs.
- features.emails:*@yourcompany.com looks for any mention of corporate email addresses.
- metadata.estimated_created_at:>now-7d limits the search to records created in the past 7 days.
Complex Query:
(metadata.source:stealer_logs* AND (features.emails:*@corp-domain1.com OR features.emails:*@corp-domain2.com) AND metadata.estimated_created_at:>now-14d) AND NOT features.emails:*@trusted-partner.com
- metadata.source:stealer_logs* restricts the search to stealer logs.
- (features.emails:*@corp-domain1.com OR features.emails:*@corp-domain2.com) looks for emails from two different corporate domains.
- metadata.estimated_created_at:>now-14d limits results to events that occurred in the last 14 days.
- AND NOT features.emails:*@trusted-partner.com excludes any logs that also reference a known harmless domain (here, a trusted partner’s) to reduce noise.
Your security team aims to detect accidental leaks of sensitive code or configuration files on public repositories, such as GitHub or other code-sharing platforms.
- Source selection: Use the relevant source ID, such as driller_github for GitHub.
- Exact matches: Search for references to a confidential project name or proprietary code snippet in the extracted_content field.
- Secrets detection: Optionally, filter for documents flagged by the secret detection rule.
Sample dork:
metadata.source:"driller_github" AND "ProprietaryProjectName" AND is_secret_detection_rule_match:true
Or
metadata.source:telegram AND extracted_content:invoice AND extracted_content:companyname
Explanation:
- metadata.source:"driller_github" restricts results to GitHub.
- "ProprietaryProjectName" (in quotes) searches for that exact term.
- is_secret_detection_rule_match:true shows documents flagged for potential secret leaks.
- metadata.source:telegram restricts results to Telegram.
- extracted_content:invoice AND extracted_content:companyname searches the OCR-extracted content for “invoice” and for your company name, so both must appear in the same document.
An organization wants to find hosts within a specific subnet that are vulnerable to a known CVE. This helps them prioritize remediation for critical flaws and minimize external attack surface risks.
- Vulnerability field: Use features.vulnerabilities:"CVE-2018-15919" to identify resources affected by that particular CVE.
- IP range restriction: Combine it with features.ip_addresses_cidr:"100.100.100.0/24" to focus on hosts in that subnet only.
Sample dork:
features.vulnerabilities:"CVE-2018-15919" AND features.ip_addresses_cidr:"100.100.100.0/24"
Explanation
- features.vulnerabilities:"CVE-2018-15919" pinpoints any assets known (or flagged) to be vulnerable to this specific CVE.
- features.ip_addresses_cidr:"100.100.100.0/24" narrows the query to a /24 subnet (24-bit prefix), so only hosts in the range 100.100.100.0–100.100.100.255 are returned.
By combining these fields, you quickly locate misconfigured or unpatched systems in a specific network segment—allowing you to prioritize and remediate the most critical vulnerabilities before attackers exploit them.
Organizations often track discussions about potential ransomware threats involving their third-party suppliers. This helps mitigate supply chain risks.
- Source selection: select Ransom Leaks in the platform.
- Keyword search: Use proximity search or boolean operators to find mentions of “YourSupplierName” near words like “ransomware.”
Sample dork (with the Ransom Leaks source selected in the platform):
"companyname" OR features.domains:companydomain.com
Or look for information about a victim directly on the ransom leak site that interests you:
metadata.source:"ransomhub" AND (YourSupplierName OR YourSupplierDomain)
Explanation
- metadata.source:"ransomhub" narrows the search to RansomHub’s leak site.
- (YourSupplierName OR YourSupplierDomain) finds posts on the leak site that mention either “YourSupplierName” or “YourSupplierDomain”.
A security analyst wants to track posts by a known threat actor who frequently targets the organization’s domain names.
- Author Filtering: Use author_name: to find posts from a specific threat actor handle.
- Domain Features: Combine with features.domains: to identify whether your domain is being discussed.
author_name:"ThreatActor123" AND (features.domains:*yourcompanydomain.com OR "yourcompanyname")
Explanation:
- author_name:"ThreatActor123" filters posts to those created by a specific actor.
- features.domains:*yourcompanydomain.com flags any mention of the targeted domain in the extracted features.
- OR "yourcompanyname" also catches posts that name the company without including the domain.
The organization needs to monitor for direct mentions of newly exposed usernames that might be used to breach systems.
- Credentials username: Focus on the credentials.username field to see if any corporate user IDs are leaked.
- Date range: Filter for newly leaked credentials from the last 30 days.
- Domain features: Combine with features.domains: to identify whether your domain is being discussed.
Sample dork:
credentials.username:admin AND metadata.estimated_created_at:>now-30d AND features.domains:*yourcompanydomain.com
Or
metadata.source:"russian_market" AND metadata.estimated_created_at:>now-30d AND features.domains:*yourcompanydomain.com
Explanation:
- credentials.username:admin isolates events mentioning the “admin” credential.
- metadata.estimated_created_at:>now-30d ensures only recent leaks are included.
- features.domains:*yourcompanydomain.com flags any mention of the targeted domain in the extracted features.
- metadata.source:"russian_market" (second dork) restricts results to the Russian Market source instead of filtering on a username, returning every recent record from that marketplace that references your domain.
You want to spot potential ransomware threats targeting your brand name while excluding a competitor’s brand from the results, limited to posts discovered in the past 48 hours.
First select the following sources: Forums Posts, Chats, Ransom Leaks. This focuses your search; you can of course add other relevant sources such as Market or Infected Devices.
Complex Query:
(features.ip_addresses_cidr:IP OR ("YourBrand"~5 AND (exploit OR hack OR database OR data*))) AND metadata.first_crawled_at:>now-48h AND NOT ("CompetitorBrand")
- (features.ip_addresses_cidr:IP OR ("YourBrand"~5 AND (exploit OR hack OR database OR data*))) does two things:
- features.ip_addresses_cidr:IP matches mentions of your IP address or range; replace IP with the address or CIDR block (for example 100.100.100.0/24, as in the CVE use case above).
- "YourBrand"~5 AND (exploit OR hack OR database OR data*) requires “YourBrand” together with at least one of the listed terms, catching content like “YourBrand - 2025 Dataleak”. Note that the ~5 slop only applies between the words inside a single quoted phrase (the "Term1 Term2"~X form under best practices below); with a one-word phrase, the AND merely requires both terms somewhere in the same document, so write "YourBrand leak"~5 if the two words must be within five words of each other. You can substitute any other relevant words and experiment with terms in other languages, such as Russian.
- metadata.first_crawled_at:>now-48h looks for content newly discovered in the past 48 hours.
- AND NOT ("CompetitorBrand") excludes any results mentioning the competitor’s brand.
To maintain compliance (e.g., GDPR, HIPAA), you need to quickly find if personally identifiable information is being leaked. For instance, if you suspect credit card numbers are exposed.
- Features for CC Numbers: Use the features.cc_numbers field to catch any mention of credit card data.
- Source Filtering: Restrict your search to a known marketplace or “Autoshop” source where financial data is sold.
Sample dork:
metadata.source:bidencash AND features.cc_numbers:* AND (price:>10 AND price:<200)
Or
features.emails:vip@email
Explanation
- metadata.source:bidencash focuses on a known marketplace that sells credit card information.
- features.cc_numbers:* retrieves any records where credit card details were extracted. The * can be replaced by a card prefix (BIN) followed by *, which matches any card number beginning with those digits (for example 4798*).
- price:>10 AND price:<200 limits listings to the $10–$200 range.
- features.emails:vip@email will search for any mentions of the email.
You want to catch mentions of your product name “FlareWidget,” but exclude references to a competitor’s product “GlowWidget.”
- Keyword Search: Look for your product references.
- Exclusion: Use the NOT or - operator for the competitor’s product.
Sample dork:
FlareWidget AND NOT GlowWidget
Explanation
- FlareWidget ensures your product name is mentioned.
- NOT GlowWidget (or -GlowWidget) removes any events that also mention the competitor, helping you focus on relevant data only.
When constructing queries in Flare.io, consider the following best practices:
- Start broad, then refine: Begin with basic keywords or domain features and gradually add filters (e.g., date ranges, excluded terms) to narrow results.
- Test and iterate: Run smaller queries first to gauge data volume, then refine with additional filters to home in on actionable intelligence.
- Use parentheses: Group related terms and operators with ().
- Combine boolean operators: Chain multiple AND, OR, and NOT clauses to precisely refine search results.
- Leverage date filters: metadata.estimated_created_at and metadata.first_crawled_at can focus on relevant time windows.
- Escape special characters: If you need to search for symbols like + - && || ! ( ) { } [ ] ^ " ~ * ? : \, remember to escape them with \.
- Experiment with proximity: "Term1 Term2"~X can help you find near matches.
- Careful with wildcards: Wide-range wildcards (*) can return large result sets, so try to narrow them with context.
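As an added illustration of these best practices (this is not Flare’s own code or SDK and it does not call the Flare API; it only assembles a query string for the search bar, assuming the Lucene-like syntax shown on this page), the following Python builds the stealer-log credential dork from the first use case for any number of domains, escapes the metacharacters listed above in literal terms, and checks that parentheses and quotes balance before you run the query. The domain names it is run on are placeholders.

```python
"""Build Flare search dorks from structured inputs.

Added example (not Flare's SDK or API client): it only produces the query
string you would paste into the Flare search bar. It assumes the Lucene-like
syntax shown on this page: AND / OR / NOT, parentheses, field:value,
"phrase"~N proximity, and relative dates such as now-7d.
"""
from __future__ import annotations

from typing import Iterable, Sequence

# Metacharacters that must be backslash-escaped inside a literal term
# (the list from the best-practices section above).
SPECIAL = set('+-&|!(){}[]^"~*?:\\')


def escape_term(term: str) -> str:
    """Escape metacharacters so a literal like user:admin or C++ is not parsed as operators."""
    return "".join("\\" + c if c in SPECIAL else c for c in term)


def proximity(words: Sequence[str], slop: int) -> str:
    """The "Term1 Term2"~X form: the words must occur within `slop` positions of each other."""
    inner = " ".join(w.replace('"', '\\"') for w in words)
    return f'"{inner}"~{slop}'


def group(op: str, clauses: Sequence[str]) -> str:
    """Join clauses with AND/OR; parenthesise only when there is more than one."""
    if not clauses:
        raise ValueError("empty clause list")
    if len(clauses) == 1:
        return clauses[0]
    return "(" + f" {op} ".join(clauses) + ")"


def recent(field: str, window: str) -> str:
    """Relative date filter, e.g. recent('metadata.estimated_created_at', '7d')."""
    return f"{field}:>now-{window}"


def email_domain(domain: str) -> str:
    """Wildcard match on any address at a domain; the leading * is deliberate and left unescaped."""
    return f"features.emails:*@{escape_term(domain)}"


def credential_leak_query(
    domains: Iterable[str],
    exclude_domains: Iterable[str] = (),
    days: int = 7,
    source: str = "stealer_logs*",
) -> str:
    """Stealer-log credential search from the first use case, generalised to N domains.

    `source` is passed through verbatim so its trailing wildcard survives;
    user-supplied domains go through escape_term.
    """
    core = group(
        "AND",
        [
            f"metadata.source:{source}",
            group("OR", [email_domain(d) for d in domains]),
            recent("metadata.estimated_created_at", f"{days}d"),
        ],
    )
    exclusions = [f"NOT {email_domain(d)}" for d in exclude_domains]
    return " AND ".join([core, *exclusions])


def balanced(query: str) -> bool:
    """Sanity check before running a dork: parentheses and quotes must balance.

    Escaped characters are skipped and parentheses inside quotes are ignored.
    """
    depth, in_quote, i = 0, False, 0
    while i < len(query):
        c = query[i]
        if c == "\\":  # skip the escaped character
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth < 0:
                    return False
        i += 1
    return depth == 0 and not in_quote


if __name__ == "__main__":
    # Placeholder domains; substitute your own.
    q = credential_leak_query(["corp1.com", "corp2.com"], exclude_domains=["partner.com"], days=14)
    print(q)
    print("balanced:", balanced(q))
    print(proximity(["YourBrand", "leak"], 5))
```

Run balanced() on any hand-written dork before pasting it; an unclosed parenthesis is the most common reason a long boolean query returns nothing or far too much.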
With these dorks, security teams can proactively track stolen credentials, identify data leaks, manage supply chain risks, and maintain compliance. By fine-tuning the queries, organizations can quickly surface the most critical threats and alerts within Flare.io’s platform.
How to find source names to use with metadata.source: