# Queries

This guide provides an overview of Flare's query capabilities, categorized by common use cases. It includes instructions on using basic and advanced operators, filtering features, and crafting complex searches to extract meaningful insights from Flare's data sources.

## Use cases

1. [Detecting stolen credentials in dark web stealer logs](https://docs.flare.io/queries#zqpoy)
2. [Identifying data leaks in public repositories or in files shared in Telegram](https://docs.flare.io/queries#_upe)
3. [Monitoring external attack surface for misconfigurations](https://docs.flare.io/queries#mgub8)
4. [Checking supply chain for ransomware attacks](https://docs.flare.io/queries#s1hay)
5. [Searching for threat actor posts about specific assets](https://docs.flare.io/queries#pneqp)
6. [Preventing account takeover (ATO)](https://docs.flare.io/queries#9minq)
7. [Monitoring cybercrime forums for mentions of your brand or assets](https://docs.flare.io/queries#bemch)
8. [Compliance support: searching for potentially exposed PII or banking information](https://docs.flare.io/queries#hngil)
9. [Excluding irrelevant mentions (NOT operator)](https://docs.flare.io/queries#ffyma)

### 1. Detecting stolen credentials in dark web stealer logs

**Use case:** You suspect that your employees' credentials may have been compromised and potentially sold on illicit marketplaces or shared in stealer logs. To address this, you can search for any references to your corporate email domains from the past seven days.

**How to do it:**

- Source filtering: restrict your search to stealer logs by specifying the source.
- Date range: focus on data from the last 7 days using `metadata.estimated_created_at`.
- Keyword filtering: look for any mention of the corporate email domain.

```
metadata.source:stealer_logs AND features.emails:*@yourcompany.com AND metadata.estimated_created_at:>now-7d
```

**Explanation:**

- `metadata.source:stealer_logs` filters results to stealer logs only.
- `features.emails:*@yourcompany.com` looks for any mention of corporate email addresses.
- `metadata.estimated_created_at:>now-7d` limits the search to records created in the past 7 days.

**Complex query:**

```
(metadata.source:stealer_logs AND (features.emails:*@corp-domain1.com OR features.emails:*@corp-domain2.com) AND metadata.estimated_created_at:>now-14d) AND NOT features.emails:*@trusted-partner.com
```

**Explanation:**

- `metadata.source:stealer_logs` restricts the search to stealer logs.
- `(features.emails:*@corp-domain1.com OR features.emails:*@corp-domain2.com)` looks for emails from two different corporate domains.
- `metadata.estimated_created_at:>now-14d` limits results to events that occurred in the last 14 days.
- `AND NOT features.emails:*@trusted-partner.com` excludes any logs referencing a known harmless domain (a false positive) to reduce noise.

### 2. Identifying data leaks in public repositories or in files shared in Telegram

**Use case:** Your security team aims to detect accidental leaks of sensitive code or configuration files on public repositories, such as GitHub or other code-sharing platforms.

**How to do it:**

- Source selection: use a relevant source ID, like GitHub.
- Exact matches: search for references to a confidential project name or proprietary code snippet in the `extracted_content` field.
- Secrets detection: optionally, filter for documents flagged by the secret detection rule.

**Sample dorks:**

```
metadata.source:"driller_github" AND "proprietaryprojectname" AND is_secret_detection_rule_match:true
```

```
metadata.source:telegram AND extracted_content:invoice AND extracted_content:companyname
```

**Explanation:**

- `metadata.source:"driller_github"` restricts results to GitHub.
- `"proprietaryprojectname"` (in quotes) searches for that exact term.
- `is_secret_detection_rule_match:true` shows documents flagged for potential secret leaks.
- `metadata.source:telegram` restricts results to Telegram.
- `extracted_content:invoice` searches in the OCR-extracted content.

### 3. Monitoring external attack surface for misconfigurations

**Use case:** An organization wants to find hosts within a specific subnet that are vulnerable to a known CVE. This helps them prioritize remediation for critical flaws and minimize external attack surface risks.

**How to do it:**

- Vulnerability field: use `features.vulnerabilities:"CVE-2018-15919"` to identify resources affected by that particular CVE.
- IP range restriction: combine it with `features.ip_addresses.cidr:"100.100.100.0/24"` to focus on hosts in that subnet only.

**Sample dork:**

```
features.vulnerabilities:"CVE-2018-15919" AND features.ip_addresses.cidr:"100.100.100.0/24"
```

**Explanation:**

- `features.vulnerabilities:"CVE-2018-15919"` pinpoints any assets known (or flagged) to be vulnerable to this specific CVE.
- `features.ip_addresses.cidr:"100.100.100.0/24"` narrows the query to a 24-bit subnet, ensuring you only see hosts within the 100.100.100.x range.

By combining these fields, you quickly locate misconfigured or unpatched systems in a specific network segment, allowing you to prioritize and remediate the most critical vulnerabilities before attackers exploit them.

### 4. Checking supply chain for ransomware attacks

**Use case:** Organizations often track discussions about potential ransomware threats involving their third-party suppliers. This helps mitigate supply chain risks.

**How to do it:**

- Source selection: select Ransom leaks in the platform.
- Keyword search: use proximity search or Boolean operators to find mentions of "yoursuppliername" near words like "ransomware."

**Sample dork:**

```
"companyname" OR features.domains:companydomain.com
```

Or look for information about a victim directly on the ransom leak site that interests you:

```
metadata.source:"ransomhub" AND (yoursuppliername OR yoursupplierdomain)
```

**Explanation:**

- `metadata.source:"ransomhub"` narrows the search to RansomHub's leak site.
- `(yoursuppliername OR yoursupplierdomain)` finds instances where "yoursuppliername" or yoursupplierdomain are mentioned on the leak site.

### 5. Searching for threat actor posts about specific assets

**Use case:** A security analyst wants to track posts by a known threat actor who frequently targets the organization's domain names.

**How to do it:**

- Author filtering: use `author_name` to find posts from a specific threat actor handle.
- Domain features: combine with `features.domains` to identify whether your domain is being discussed.

```
author_name:"threatactor123" AND (features.domains:yourcompanydomain.com OR "yourcompanyname")
```

**Explanation:**

- `author_name:"threatactor123"` filters posts to those created by a specific actor.
- `features.domains:yourcompanydomain.com` flags any mention of the targeted domain in the extracted features.

### 6. Preventing account takeover (ATO)

**Use case:** The organization needs to monitor for direct mentions of newly exposed usernames that might be used to breach systems.

**How to do it:**

- Credentials username: focus on the `credentials.username` field to see if any corporate user IDs are leaked.
- Date range: filter for newly leaked credentials from the last 30 days.
- Domain features: combine with `features.domains` to identify whether your domain is being discussed.

**Sample dorks:**

```
credentials.username:admin AND metadata.estimated_created_at:>now-30d AND features.domains:yourcompanydomain.com
```

Or:

```
metadata.source:"russian_market" AND metadata.estimated_created_at:>now-30d AND features.domains:yourcompanydomain.com
```

**Explanation:**

- `credentials.username:admin` isolates events mentioning the "admin" credential.
- `metadata.estimated_created_at:>now-30d` ensures only recent leaks are included.
- `features.domains:yourcompanydomain.com` flags any mention of the targeted domain in the extracted features.

### 7. Monitoring cybercrime forums for mentions of your brand or assets

**Use case:** You want to spot potential ransomware threats targeting your brand name, but also exclude a competitor's brand from the results. You also want to limit the search to posts discovered in the past 48 hours.

First, select the following sources: Forum posts, Chats, Ransom leaks. This will focus your search; of course, you can add other relevant sources like Market or Infected devices.

**Complex query:**

```
(features.ip_addresses.cidr:<ip> OR ("yourbrand"~5 AND (exploit OR hack OR database OR data*))) AND metadata.first_crawled_at:>now-48h AND NOT ("competitorbrand")
```

**Explanation:**

- `(features.ip_addresses.cidr:<ip> OR ("yourbrand"~5 AND (exploit OR hack OR database OR data*)))` does two things:
  - `features.ip_addresses.cidr:<ip>` searches only for mentions of your IP or IP range.
  - `"yourbrand"~5 AND data*` finds "yourbrand" within five words of "data*", catching content like "yourbrand 2025 dataleak". You can use any other relevant words, and experiment with other languages, such as Russian.
- `metadata.first_crawled_at:>now-48h` looks for content newly discovered in the past 48 hours.
- `NOT ("competitorbrand")` excludes any results mentioning the competitor's brand.

### 8. Compliance support: searching for potentially exposed PII or banking information

**Use case:** To maintain compliance (e.g., GDPR, HIPAA), you need to quickly find out whether personally identifiable information is being leaked, for instance if you suspect credit card numbers are exposed.

**How to do it:**

- Features for CC numbers: use the `features.cc_numbers` field to catch any mention of credit card data.
- Source filtering: restrict your search to a known marketplace or "autoshop" source where financial data is sold.

**Sample dork:**

```
metadata.source:bidencash AND features.cc_numbers:* AND (price:>10 AND price:<200) OR features.emails:vip\@email
```

**Explanation:**

- `metadata.source:bidencash` focuses on a known marketplace that sells credit card information.
- `features.cc_numbers:*` retrieves any records where credit card details were extracted. The `*` can be replaced by your bank code followed by a `*` to find any variations (e.g. `4798*`).
- `price:>10 AND price:<200` limits listings to the $10–$200 range.
- `features.emails:vip\@email` searches for any mention of the email address.

### 9. Excluding irrelevant mentions (NOT operator)

**Use case:** You want to catch mentions of your product name "flarewidget," but exclude references to a competitor's product "glowwidget."

**How to do it:**

- Keyword search: look for your product references.
- Exclusion: use the `NOT` or `-` operator for the competitor's product.

**Sample dork:**

```
flarewidget AND NOT glowwidget
```

**Explanation:**

- `flarewidget` ensures your product name is mentioned.
- `NOT glowwidget` (or `-glowwidget`) removes any events that also mention the competitor, helping you focus on relevant data only.

## Putting it all together

When constructing queries in flare.io, consider the following best practices:

- Start broad, then refine: begin with basic keywords or domain features and gradually add filters (e.g., date ranges, excluded terms) to narrow results.
- Test and iterate: run smaller queries first to gauge data volume, then refine using additional filters to home in on actionable intelligence.

### Tips for building complex queries

- Use parentheses: group related terms and operators with `()`.
- Combine Boolean operators: chain multiple `AND`, `OR`, and `NOT` clauses to precisely refine search results.
- Leverage date filters: `metadata.estimated_created_at` and `metadata.first_crawled_at` can focus on relevant time windows.
- Escape special characters: if you need to search for symbols like `+ - && || ! ( ) { } [ ] ^ " ~ * ? : \`, remember to escape them with `\`.
- Experiment with proximity: `"term1 term2"~x` can help you find near matches.
- Be careful with wildcards: wide-ranging wildcards (`*`) can return large result sets, so try to narrow them with context.

With these dorks, security teams can proactively track stolen credentials, identify data leaks, manage supply chain risks, and maintain compliance. By fine-tuning the queries, organizations can quickly surface the most critical threats and alerts within flare.io's platform.

### How to find source names to use with `metadata.source`

Go to [https://app.flare.io/#/collection](https://app.flare.io/#/collection) and click on the source of your choice.
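The queries in use cases 7 and 9 rely on three operators whose effect is easy to misjudge: the proximity window (`~5`), the prefix wildcard (`data*`) and the `NOT` exclusion. The following added example (not part of this guide or of Flare's product) applies the same selection logic to a few constructed posts so that the effect of the window size and of the exclusion is visible. It is only an approximation of standard Lucene semantics for explanation purposes, not Flare's search engine, and the posts, function names and keyword list are all made up for the illustration.

```python
"""Illustrate what proximity, prefix-wildcard and NOT select, on constructed posts.

Added example: approximates standard Lucene semantics for teaching purposes.
It is not Flare's search engine (no analysers, stemming or exact slop rules).
"""
import re

# Constructed sample records standing in for forum/chat posts (not real data).
SAMPLE_POSTS = [
    "selling yourbrand 2025 dataleak full dump",                 # brand near data* -> hit
    "yourbrand support portal is down again, anyone else?",      # no threat keyword -> miss
    "competitorbrand vs yourbrand database leak rumours",        # excluded brand -> miss
    "fresh exploit for the yourbrand vpn appliance",             # exploit near brand -> hit
    "old database dump of some other unrelated company, yourbrand not involved",  # too far -> miss
    "random chatter about nothing relevant",                     # -> miss
]

_WORD = re.compile(r"\w+")


def tokens(text: str) -> list[str]:
    """Lower-cased word tokens; a token's index is the unit of 'word distance'."""
    return _WORD.findall(text.lower())


def term_matches(token: str, pattern: str) -> bool:
    """A trailing * is a prefix wildcard (data* matches dataleak); otherwise exact."""
    if pattern.endswith("*"):
        return token.startswith(pattern[:-1])
    return token == pattern


def contains(text: str, pattern: str) -> bool:
    """Plain term match: the post has at least one token matching the pattern."""
    return any(term_matches(t, pattern) for t in tokens(text))


def within(text: str, pattern_a: str, pattern_b: str, distance: int) -> bool:
    """Approximate "a b"~distance: some occurrence of a and some occurrence of b
    are at most `distance` token positions apart, in either order."""
    toks = tokens(text)
    pos_a = [i for i, t in enumerate(toks) if term_matches(t, pattern_a)]
    pos_b = [i for i, t in enumerate(toks) if term_matches(t, pattern_b)]
    return any(abs(i - j) <= distance for i in pos_a for j in pos_b)


def brand_threat_filter(posts, brand, keywords, distance, excluded_brand):
    """Use case 7 logic: brand within `distance` words of any threat keyword,
    AND NOT any mention of the excluded (competitor) brand. Returns the hits
    in their original order."""
    hits = []
    for post in posts:
        if contains(post, excluded_brand):          # NOT ("competitorbrand")
            continue
        if any(within(post, brand, kw, distance) for kw in keywords):
            hits.append(post)
    return hits


if __name__ == "__main__":
    threat_words = ["exploit", "hack", "database", "data*"]
    for hit in brand_threat_filter(SAMPLE_POSTS, "yourbrand", threat_words, 5, "competitorbrand"):
        print("HIT:", hit)
```

Widening the window from 5 to 8 words pulls in the "old database dump ... yourbrand not involved" post, which is exactly the kind of loosely related noise the guide's advice to narrow wildcards and proximity with context is meant to avoid.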
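The tips above warn about the two mistakes that most often break a hand-written query: unescaped reserved characters and unbalanced parentheses. The following added example (not part of this guide, nor Flare's SDK) is a small Python helper that composes the guide's queries from lists of domains and checks them before they are pasted into the platform. The field names (`metadata.source`, `features.emails`, `metadata.estimated_created_at`) are taken from this guide; the function names and the domain values are assumptions made for the illustration.

```python
"""Compose Flare-style search strings (Lucene query string syntax) safely.

Added example: field names follow the guide; the helpers are illustrative
and not part of Flare's product or SDK.
"""

# Reserved characters listed in the guide; escape them when they appear
# inside a literal term rather than acting as operators.
RESERVED = set('+-&|!(){}[]^"~*?:\\')


def escape_term(term: str) -> str:
    """Backslash-escape reserved characters so they are matched literally.

    Wildcards are escaped too on purpose; use prefix() when you want one.
    """
    return "".join("\\" + ch if ch in RESERVED else ch for ch in term)


def prefix(stem: str) -> str:
    """Prefix wildcard such as data* or 4798* (the stem itself is escaped)."""
    return escape_term(stem) + "*"


def field(name: str, value: str, *, phrase: bool = False) -> str:
    """Render field:value, or field:"value" for an exact phrase."""
    return f'{name}:"{value}"' if phrase else f"{name}:{value}"


def email_domain(domain: str) -> str:
    """Any address at a domain: features.emails:*@example.com."""
    return field("features.emails", "*@" + escape_term(domain))


def newer_than(field_name: str, amount: int, unit: str) -> str:
    """Relative date range such as metadata.estimated_created_at:>now-7d."""
    if unit not in ("h", "d"):  # hours and days are the units the guide uses
        raise ValueError("unit must be 'h' or 'd'")
    return f"{field_name}:>now-{amount}{unit}"


def proximity(words, distance: int) -> str:
    """Proximity phrase "term1 term2"~x: the words occur within x positions."""
    return '"' + " ".join(escape_term(w) for w in words) + f'"~{distance}'


def all_of(clauses) -> str:
    return "(" + " AND ".join(clauses) + ")"


def any_of(clauses) -> str:
    return "(" + " OR ".join(clauses) + ")"


def exclude(clause: str) -> str:
    return "NOT " + clause


def stolen_credentials_query(domains, days=7, excluded_domains=()):
    """Use case 1 of the guide, generalised to any number of domains:
    stealer-log records mentioning a corporate domain in the last `days` days,
    minus records that reference a known harmless domain."""
    query = all_of([
        field("metadata.source", "stealer_logs"),
        any_of([email_domain(d) for d in domains]),
        newer_than("metadata.estimated_created_at", days, "d"),
    ])
    for d in excluded_domains:
        query += " AND " + exclude(email_domain(d))
    return query


def is_balanced(query: str) -> bool:
    """Check that parentheses and quotes balance, honouring backslash escapes.

    Parentheses inside a quoted phrase are literal text and do not count.
    """
    depth, in_phrase, escaped = 0, False, False
    for ch in query:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_phrase = not in_phrase
        elif not in_phrase and ch == "(":
            depth += 1
        elif not in_phrase and ch == ")":
            depth -= 1
            if depth < 0:          # a ")" before its "("
                return False
    return depth == 0 and not in_phrase


if __name__ == "__main__":
    q = stolen_credentials_query(["corp1.com", "corp2.com"], 14, ["partner.com"])
    print(q)
    print("balanced:", is_balanced(q))
```

Because `escape_term` escapes `*` as well, a value coming from a configuration file cannot accidentally turn into a wildcard; when a prefix match is wanted (the `4798*` pattern from use case 8), `prefix()` states that intent explicitly.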