IntelliFind
Selecting the IntelliFind module on the navigation panel in Intelligence Hub will direct you to the Intelligence Hub > IntelliFind module on the Threat Command platform.
Rapid7 continuously monitors the clear, deep, and dark web inspecting thousands of sources and tens of millions of web pages with proprietary crawlers.
While the Threat Command and Threat Intelligence IOCs (indicators of compromise) provide tactical intelligence, IntelliFind search gives you operational intelligence.
Use the IntelliFind search module to:
- Search company-specific assets and mentions (matching results) across the entire intelligence surface.
- Perform complex searches to find relevant findings and relevant context. For example, you can search for a result that contains both a specific threat and your company name.
- Proactively track threat actors and view their activity.
- Automate searches via Threat Command RESTful APIs.
- Use IntelliAlert to automatically trigger alerts when results match specific query criteria.
Access to IntelliFind is limited to users with a subscription to the Intelligence Hub module.
The use of IntelliFind must comply with the applicable laws and terms of use.
The Service may use or contain links and references to third-party websites and applications. Rapid7 does not make any representations with respect to such websites or applications, or regarding the completeness of the sources and information contained in such websites or applications, nor to their availability or correctness.
It is hereby clarified that Rapid7 may stop making use of any such application or third-party website at any time, without providing any notification to that effect. In no event shall Rapid7 be responsible or liable in any way for the use of such third-party websites and applications, their practices, the information derived from them, and your reliance on such third-party websites or applications or the information derived from them.
To search with IntelliFind:
- Navigate to the IntelliFind tab.
- Type a search term in the Search bar and press enter on your keyboard.
By default, the IntelliFind search page shows mentions from all sources, from the past 12 months, with the most recent shown first. You can Export IntelliFind Results to CSV.
You can view results from specific sources and filter according to the report date, matching assets, and tags. When using the top row filter buttons, a mention must match ALL of the filters to be displayed. Within each filter, a mention can match ANY of the selected criteria.
The information included in each mention, if known, is described in this table.
Field | Description |
---|---|
Title | The title of the article, post, or comment in which the mention was found. |
Date | Source date: The date the mention was published in the source. Found date: The date when the mention was found. If there is no source date, this date is presented. |
Source type | In which source type the mention was found. You can select to show only mentions found in the dark web. |
Indications | If a post is tagged (for example as Product for Sale, Credit card, SSN), the tags are displayed. |
Source URL | The URL (if applicable) where the mention was found. You can click the URL to go to the source or click the copy icon to copy the URL. |
Author | The name of the author of the mention. You can click the Author name to show all mentions by this author. |
Preview | The mention is displayed in English, regardless of the source language (translated, if necessary). To revert to the original language, click Show original. If the full mention cannot be displayed, click ...Read more. The full mention is displayed with the relevant text highlighted. |
Results with identical content and source type are grouped together under the latest mention. To view these results, click View Similar Mentions.
When a matched result is part of a thread, either as an original post or as a comment about a post, all of the thread posts and comments are grouped together in the Threads tab. To see those, click View Thread.
When an alert has been triggered for a result, its severity and alert type are indicated in the display. To see the alert in the Alerts page, click Go To Alert.
When multiple alerts have been triggered for the same source URL, you can see them all in the Alerts page by clicking View Related Alerts.
You can elevate a result to an alert by clicking Create Alert. You can also use IntelliAlert to automatically trigger alerts when results match specific query criteria.
You can save search queries and pinpoint search results by using search options.
The Mentions graph shows the number of mentions from all sources over the time range of the report. Mentions are a very strong sign of a potential threat and therefore are useful for monitoring trends. You can click on a peak to show all results in the designated time frame.
For additional filter and query options, see Filter and search IntelliFind results.
Export IntelliFind Results to CSV
You can export IntelliFind mentions to a downloadable CSV file. All results that match the current search query and filters (up to 200) will be downloaded.
To export results to a CSV:
- From the IntelliFind tab, search for IntelliFind mentions.
- (Optional) Filter the page to limit the mentions that are exported.
- Click Export CSV. The Export page displays the query details and the current filters.
- (Optional) Select the columns to be included in the CSV:
  - Click Column Options (by default, all columns are selected).
  - Select or clear columns.
  - Set the column order by dragging columns up or down.
- Click Download.
The CSV report is downloaded to the default download location.
Filter and search IntelliFind results
Filter IntelliFind results
You can filter the results by the source of mention, report date, and dark web source. You can also filter by results in a time frame indicated by peak points in the Mentions graph.
To filter IntelliFind results:
- Use IntelliFind to search for a term.
- From the results page, apply filters, as follows:
To filter this | Do this |
---|---|
Report date | Click the Date filter button. By default, mentions are shown for the last 12 months. To find mentions in a different time period, click the filter and change the time period. |
Author | Click the Author filter button. Type the author name or select to show only results that have no author. |
Matching assets | Click the Asset filter button, and select company assets to match (max: 5000). |
Product for sale | Click the Product for Sale filter button and select Product for sale. |
Tags | Click the Tags filter button, and select tags to match. Options include: Credit Card, Domain, Email Address, IP Address, SSN, and URL |
Source type | To display dark web (Onion) mentions, toggle on the Show only mentions from the dark web switch. To show mentions from other sources, click any of the mention sources. |
Time frame | Click any peak in the Mentions graph. |
Clear filters | Click Clear all filters. |
Search options
The following table describes the various ways to create more effective searches, from either the landing page or the search page:
Search tool | Usage |
---|---|
Simple keywords | Enter keywords to search for. To search for all parts of a phrase, use quotes around the words. For example, "intsights.com" or "intsights cyber intelligence". |
Basic operators | Add the following (case-sensitive) for more exact results. AND: searching for "intsights" AND "scam" returns only results that contain both intsights and scam. OR: searching for "intsights" OR "scam" returns results that contain at least one of the search terms. NOT: searching for "intsights" AND "hack" AND NOT ("scam") returns results that contain intsights and hack but do not contain the word "scam". For readability, it is recommended to use parentheses. (): searching for "intsights" AND ("scam" OR "hack") returns results that contain both intsights and scam, or both intsights and hack, or all three. |
Advanced search operators | See following table. |
Search by document type | Searching for type:comment returns all comments; searching for type:post returns all posts. The following type: values are available: chat_message (IRC chats), instant_message (Telegram), post (forums), comment (forums), blog (cybersecurity blogs), ransomware_blog (ransomware blogs), paste (pastes), product (black market), status (Twitter). |
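As an added illustration (not code from this page or from Rapid7), the following Python models the operator semantics the table above describes, applied to a few constructed mentions; the `parse`, `matches` and `search` helpers, the NOT > AND > OR precedence, and quoting of multi-word operator values are assumptions of this model:

```python
import re
# Illustrative model (added here, not Rapid7's engine) of the documented query syntax:
# quoted phrases, field operators such as type:post, case-sensitive AND / OR / NOT,
# and parentheses. Precedence NOT > AND > OR is an assumption; prefer parentheses.
_TOKENS = re.compile(r'[A-Za-z_.]+:"[^"]*"|"[^"]*"|[()]|[^\s()]+')
def parse(text):
    toks = _TOKENS.findall(text)                 # recursive descent over the tokens
    def expr_or():
        node = expr_and()
        while toks[:1] == ["OR"]:
            toks.pop(0); node = ("OR", node, expr_and())
        return node
    def expr_and():
        node = expr_not()
        while toks[:1] == ["AND"]:
            toks.pop(0); node = ("AND", node, expr_not())
        return node
    def expr_not():
        if toks[:1] == ["NOT"]:
            toks.pop(0); return ("NOT", expr_not())
        tok = toks.pop(0) if toks else None
        if tok == "(":                           # parenthesised sub-query
            node = expr_or()
            if not toks or toks.pop(0) != ")": raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"): raise ValueError("malformed query")
        field, sep, value = ("", "", tok) if tok[0] == '"' else tok.partition(":")
        if not sep: field, value = "", tok       # bare keyword, no operator
        return ("TERM", field, value.strip('"').lower())
    tree = expr_or()
    if toks: raise ValueError("unexpected token: " + toks[0])   # e.g. lowercase 'and'
    return tree

def matches(node, m):                            # evaluate a tree against one mention
    if node[0] == "AND": return matches(node[1], m) and matches(node[2], m)
    if node[0] == "OR": return matches(node[1], m) or matches(node[2], m)
    if node[0] == "NOT": return not matches(node[1], m)
    _, field, value = node
    if not field:                                # keyword or phrase: title or content
        return value in m["title"].lower() or value in m["content"].lower()
    if field == "type": return m["type"] == value        # exact document type
    raise ValueError("operator not modelled here: " + field)
MENTIONS = [  # constructed sample mentions, not data from the platform
    {"title": "selling intsights accounts", "content": "new scam kit, cheap", "type": "post"},
    {"title": "how to hack", "content": "targets intsights users", "type": "comment"},
    {"title": "weekly roundup", "content": "intsights hack and scam reports", "type": "blog"},
]
def search(text, mentions=MENTIONS):             # titles of the mentions a query returns
    tree = parse(text)
    return [m["title"] for m in mentions if matches(tree, m)]
```

Running `search('"intsights" AND "hack" AND NOT ("scam")')` returns only the second constructed mention, and a lowercase `and` is rejected as an unexpected token rather than treated as an operator.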
Advanced search operators
Type any of these operators to find an exact match. The operators (only) are case-sensitive.
Operator name | Example | Displays all mentions... |
---|---|---|
author: | black panther | ... authored by Black Panther. |
title: | underground market | ... with “underground market” in the title. |
url.url: | login | ... with the word “login” in the source URL. |
url.domain: | facebook | ... with the word “facebook” in the domain source URL, regardless of the TLD. |
url.tld: | com | ... with a specific TLD in the source URL (can be combined with the ‘domain’ operator). |
source_url_full: | http://www.facebook.com/login-now | ... with the exact URL in the Source URL. |
source_url_root_domain: | facebook.com | ... with the exact root domain in the Source URL. |
source_url_domain_name: | facebook | ... with the exact domain name in the Source URL. |
source_url_tld: | com | ... with the exact TLD in the Source URL. |
domains_root_domain: | google.com | ... with the exact root domain in the content or title. |
domains_tld: | com | ... with the exact TLD in the content or title. |
domains_domain_name: | google | ... with the exact domain name in the content or title. |
domains_full: | http://login.google.com | ... with the exact full domain in the content or title. |
url_content_full: | http://www.facebook.com/login-now | ... with the exact URL in the content. |
url_content_keyword: * | facebook or login or now | ... with a specified keyword in the content. |
ssn_number: | "123456789" or "123-45-6789" | ... with a specified Social Security number (with or without dashes) in the content or title. |
credit_cards: | 1234567890123456 | ... with a specified credit card number in the content or title. |
bin_number: | 1234 | ... with a specified BIN number in the content or title. |
emails_full: | john_smith@intsights.com | ... with a specified full email address in the content or title. |
emails_domain: | intsights.com | ... with a specified email domain in the content or title. |
emails_user_name: | john_smith | ... with a specified email user name in the content or title. |
ip: | 192.158.1.38 or [127.0.0.0 TO 127.0.0.24] | ... with a specified IP address or range of addresses in the content or title. |
Save and edit search queries
You can use the Query Manager to save, use, and manage search queries. When you save a search query, you can easily reuse, edit, name, or delete that query. Saved queries include all the search terms.
A maximum of 200 queries can be saved, per account. In the Query Manager, the latest updated query is shown first.
Each line shows a saved query, its details, whether (and how many) alerts are being generated from the query, the name of the user who made the most recent changes, and when the query was last updated.
Product for Sale query
Querying for product for sale will return results as follows:
- Hacking forum posts with the product for sale tag.
- By enabling alert triggering for this query, future IntelliFind results that contain an indication of a product being offered for sale and a match to the company's name or brand name will be elevated to alerts.
Automatic alert creation is described in IntelliAlert.
To save a search query:
- From the IntelliFind search page or landing page, type a search query, then press enter on the keyboard. The searched mentions are displayed.
- Click Save query. The Save query dialog displays the search query terms and selected filters.
- Type a unique name for the query. Names are case-sensitive.
- Click Save query.
To search with a saved query:
- Open the Query Manager, in either of these ways:
  - If no IntelliFind page is open, choose Threat Command > IntelliFind, then click Query Manager.
  - If an IntelliFind page is open, click Query Manager.
- Select a saved query, then click the magnifying glass icon. You can find a saved query by searching by name or by query terms.
To edit or delete a saved query:
- Open the Query Manager, in either of these ways:
  - If no IntelliFind page is open, navigate to IntelliFind, then click Query Manager.
  - If an IntelliFind page is open, click Query Manager.
- Select a saved query. You can find a saved query by searching by name or query terms.
- Perform any of the following:
  - Click the magnifying glass to change the query search terms or alert triggering settings, and to search for the new terms. Press enter on your keyboard to search.
  - Click the pencil to edit a query name or the alert triggering options.
  - Click the trash can to delete a saved query.
IntelliAlert
You can enable automatic alert triggering for mentions that match specific search criteria. If the search query returns more than 200 mentions per day on average, this option is disabled. You can add additional tags to the default query name tag. Queries that automatically trigger alerts are displayed as such in the Query Manager, together with the count of how many alerts they have generated.
The IntelliAlert feature is available for users with a subscription to both Threat Command and Intelligence Hub.
Limitations
The following limitations apply to automatic alert triggering with IntelliAlert:
- Per account, you can select up to 100 queries to trigger alerts.
- Per query, a maximum of 100 alerts can be triggered every 24 hours.
- Alert triggering takes place on each selected query once an hour.
To trigger alerts automatically:
- Create or edit a search, as described in the previous sections.
- Before saving the search, select Create alerts from query.
- Set the create alerts from query options:
  - Set the maximum number of alerts, up to 100, to be triggered in 24 hours (default: 10).
  - Set the severity for the alerts (default: medium).
  - Add additional tags to the created alerts.
- Save the query.
Mentions that match the specific criteria will create new alerts.
You can edit the alert triggering settings, as described in the Save and edit search queries section.