
Searching for Samples

There are a range of ways to search for samples in Azul depending on what you are looking for.

Searching Globally

Azul's search is similar to Lucene and is based on LIQE. Searches can be made across all fields available in entities (security fields are not suggested in dropdowns for brevity, but can still be searched on).

This search field can be found either on the home page or in Binaries -> Explore.

# search for "foo" in hashes, file types, magic, author or source fields (case insensitive)
foo

# search for "john.smith@example.com" in hashes, file types, magic, author or source fields (case insensitive)
'john.smith@example.com'

# search for "foo" in hashes, file types, magic, author or source fields (case **SeNsItIvE**)
"foo"

# search for "ELF" in the `file_type` field
file_type:ELF
"file_type":ELF

# search using wildcard (suffix only)
file_type:EL*

# boolean search
field.name:true
field.name:false

# null search
field.name:null

# search for a file size =, >, >=, <, <=
size:=100
size:>100
size:>=100
size:<100
size:<=100

# Search with a file size suffix
size:>100MB
size:>100tib
size:>"100 kb"

# search for size in range
# inclusive
size:[100 TO 200]
# exclusive
size:{100 TO 200}

# boolean operators
name:foo AND size:=100
name:foo OR name:bar

# unary operators
NOT foo
-foo
NOT foo:bar
-foo:bar
name:foo AND NOT (bio:bar OR bio:baz)

# implicit AND boolean operator
name:foo height:=100

# grouping
name:foo AND (bio:bar OR bio:baz)
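The syntax listed above is easy to get subtly wrong when queries are assembled in a script (a value that happens to contain a space or an operator word, the wrong quote style, a range bracket mismatch). The following Python helper is an added example, not part of Azul or its documentation: it composes query strings that follow the rules shown above and refuses inputs the documented syntax cannot express (such as a value containing the quote character, since no escape syntax is documented).

```python
"""Compose Azul search strings in the syntax above (added example, not Azul's own code)."""
import re

# Bare values (hashes, file types, simple words) need no quotes; anything else, and
# the query keywords, is quoted so it cannot be read as an operator.
_BARE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]*$")
_KEYWORDS = {"AND", "OR", "NOT", "TO"}
_SIZE = re.compile(r"^\d+\s*([kmgt]i?b|b)?$", re.IGNORECASE)  # 100, 100MB, 100tib, "100 kb"
_OPS = {"=", ">", ">=", "<", "<="}

def quote_value(value: str, case_sensitive: bool = False) -> str:
    """Single quotes give a case-insensitive match, double quotes a case-sensitive one."""
    q = '"' if case_sensitive else "'"
    if q in value:  # no escape syntax is documented above, so refuse rather than guess
        raise ValueError(f"value may not contain {q}")
    if not case_sensitive and _BARE.match(value) and value.upper() not in _KEYWORDS:
        return value
    return f"{q}{value}{q}"

def term(field: str, value: str, case_sensitive: bool = False) -> str:
    return f"{field}:{quote_value(value, case_sensitive)}"

def prefix_term(field: str, prefix: str) -> str:
    """Wildcard search; the syntax above allows the * only as a suffix."""
    if not _BARE.match(prefix):
        raise ValueError("prefix must be a plain value without *")
    return f"{field}:{prefix}*"

def size_term(op: str, size: str) -> str:
    """size:>100MB style comparison; a value containing a space must be double-quoted."""
    if op not in _OPS or not _SIZE.match(size):
        raise ValueError(f"bad size comparison {op!r} {size!r}")
    return f'size:{op}"{size}"' if " " in size else f"size:{op}{size}"

def size_range(low: int, high: int, inclusive: bool = True) -> str:
    """[low TO high] is inclusive, {low TO high} exclusive (plain byte counts, as above)."""
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"size:{open_}{low} TO {high}{close}"

def any_of(field: str, values, case_sensitive: bool = False) -> str:
    """(field:v1 OR field:v2 ...), e.g. every hash listed in an incident report."""
    clauses = [term(field, v, case_sensitive) for v in values]
    return clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"

def all_of(*clauses: str) -> str:
    """Join with an explicit AND; wrap a clause in negate() to exclude it."""
    return " AND ".join(clauses)

def negate(clause: str) -> str:
    return f"NOT {clause}"
```

For example, `all_of(term("file_type", "ELF"), size_range(100, 200), negate(term("author", "john.smith@example.com")))` yields `file_type:ELF AND size:[100 TO 200] AND NOT author:'john.smith@example.com'`, which can be pasted into the search field as-is.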

Searching by Source

Files can be discovered based on their source. This is useful when working on a particular work item or for searching based on incidents.

The search functionality here filters source reference fields.

Searching by Feature

It is also possible to quickly pivot on common features in files. This is useful if a specific plugin feature is being looked for, or for identifying shared features between binaries.

If you are looking for a single feature and its values, you can explore this via the Features dropdown -> Explore.

If you are looking to pivot across multiple features, search queries for this can be built via the UI (assuming you already have a file with desired features):

  • Open the "Features" page for a given binary
  • Use the checkboxes on the left-hand side to select a series of features to pivot on
  • Click the "Search Selected" button

Searching by Plugin

Finally, results for a particular plugin can be observed independently from binaries.

The search feature here filters on plugin names.

This functionality can be found in Plugins -> Explore.

Known Issues

When searching on depth with a greater-than or not-equal value, the REST API may return a depth outside the requested range. This happens because a document can have multiple sources, one with a depth inside the range and one with a depth outside it, and Azul prefers (and reports) the smallest depth.

Example: for !depth:1, if a document's depths are 1, 2 and 5, the REST API returns a depth of 1, because 1 is the smallest depth, while the document still matches because a depth that isn't 1 exists.