RETRIEVE a list of forensic data (in full) for a given domain and time period

Perform searches in the forensic dataset using a query language. search criteria. The search is defined as a series of field:value attributes. Multiple attributes can be combined (for example "spf:fail dkim:neutral"). By default, all attributes are placed in the SHOULD list. In other words, in this example the result should satisfy at least one of the queries: spf is fail or dkim is neutral (this is a logical or)

Other operator are:

• + (attributes are included in the MUST list - logical and)
• - (attributes are included in the NOT list - logical not)

Example

Single attribute - spf:\"softfail\"

• Result should include spf = softfail

Multiple attributes - isoCountry:\"US\" spf:\"fail\" dkim:\"neutral\" subject:\"Click here\"

• Result should include records that satisfy at leas one of the queries

Multiple attributes - +isoCountry:\"US\" spf:\"fail\" dkim:\"neutral\" subject:\"Click here\"

• Result must include only records where country = US and it should include records that satisfy at least one of the other queries.