When working with Dark web or Surface web data, you should typically run a custom search based on keywords. These include your company, brand, product name, or unique strings related to your organization.
For the Dark web posts, social media publications, and other hidden publications, Kaspersky Threat Intelligence Portal supports simple Elasticsearch queries.
The following search operators can be used:
Example: keyword1 + keyword2 — returns messages containing both keyword1 and keyword2.
Example: -keyword1 — returns messages that do not contain keyword1.
Example: keyword1 keyword2 / keyword1 | keyword2 — returns messages containing keyword1 or keyword2.
Example: "keyword1 keyword2".
Example: keyw* — returns all messages that begin with keyw: keyword1, keyword2, keywhat, etc.
Example: darknet_site.com* — returns all publications found on the darknet_site.com web site.
Do not use schemes (HTTP or HTTPS) or the slash character (/) to perform the search.
Example: (keyword1 | keyword2) + YYYY* — returns messages for the specified year (YYYY) that contain keyword1 or keyword2.
Example: keyword~2 — returns messages containing words that are within two edits of the keyword.
Example: "keyword1 keyword2"~2 — returns messages in which up to two changes in word sequence produce the "keyword1 keyword2" phrase.
Example: \" + keyw* — returns messages containing " (double quotes) and keyword1, keyword2, keywhat, etc.
Example: "Kaspersky Lab" + -keys + 202112* — returns messages that contain the phrase "Kaspersky Lab" and do not contain the word "keys", posted in December, 2021.
More information on syntax and working with search operators is available at: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html#simple-query-string-syntax.
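The operators above can be combined programmatically when monitoring many brand keywords. The following is an added example, not code from Kaspersky or the portal: the function names (escape_term, as_token, site_prefix, build_query) are hypothetical, and it assumes the portal honors backslash escaping for every operator character as the simple query string syntax describes.

```python
import re

# Characters the simple query string syntax treats as operators.
RESERVED = set('+-|"*()~\\')

def escape_term(term: str) -> str:
    """Backslash-escape operator characters so a keyword is matched literally."""
    return "".join("\\" + c if c in RESERVED else c for c in term)

def as_token(term: str) -> str:
    """Quote multi-word keywords as a phrase; leave single words bare."""
    esc = escape_term(term.strip())
    return f'"{esc}"' if re.search(r"\s", esc) else esc

def site_prefix(url: str) -> str:
    """Reduce a URL to the scheme-less, slash-less form used for site searches."""
    no_scheme = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", url.strip())
    host = no_scheme.split("/", 1)[0]
    return escape_term(host) + "*"

def build_query(any_of, none_of=(), period=None, site=None) -> str:
    """Compose (a | b) + -c + YYYYMM* + site* from keyword lists."""
    if not any_of:
        raise ValueError("at least one keyword is required")
    if period is not None and not re.fullmatch(r"\d{4}(\d{2})?", period):
        raise ValueError("period must be YYYY or YYYYMM")
    alternatives = " | ".join(as_token(t) for t in any_of)
    parts = [f"({alternatives})" if len(any_of) > 1 else alternatives]
    parts += ["-" + as_token(t) for t in none_of]  # exclusions
    if period:
        parts.append(period + "*")                 # date prefix, as in 202112*
    if site:
        parts.append(site_prefix(site))
    return " + ".join(parts)

if __name__ == "__main__":
    # Constructed sample inputs mirroring the examples on this page.
    print(build_query(["Kaspersky Lab"], ["keys"], "202112"))
    print(build_query(["keyword1", "keyword2"], period="2021",
                      site="https://darknet_site.com/forum/"))
```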