Link for all options: https://beta.shodan.io/search/filters
Searches can be negated with !
Searching via the API is even simpler and more powerful.
Small example of a script to generate an IP list + certs of hosts that match the Cobalt Strike JARM signature. It will also output a CSV file with the trusted URLs.
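A sketch of that kind of script, added here as an example and not the original author's code: it runs offline on constructed banners shaped like Shodan API search matches and uses a placeholder JARM value. The function names are hypothetical, and "trusted" is approximated as CA-issued and unexpired, which is an assumption.

```python
import csv
import io

# Placeholder, not a real fingerprint: substitute the JARM value being hunted.
JARM_PLACEHOLDER = "0" * 62

# Constructed banners shaped like Shodan API search matches (ip_str, port, ssl.*).
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 443, "ssl": {"jarm": JARM_PLACEHOLDER, "cert": {
        "subject": {"CN": "update01.vendor-patches.example"},
        "issuer": {"CN": "Example Public CA"}, "expired": False}}},
    {"ip_str": "198.51.100.7", "port": 8443, "ssl": {"jarm": JARM_PLACEHOLDER, "cert": {
        "subject": {"CN": "localhost"}, "issuer": {"CN": "localhost"}, "expired": False}}},
    {"ip_str": "203.0.113.5", "port": 443, "ssl": {"jarm": "1" * 62, "cert": {
        "subject": {"CN": "shop.example"}, "issuer": {"CN": "Example Public CA"},
        "expired": False}}},
    {"ip_str": "192.0.2.44", "port": 443, "ssl": {"jarm": JARM_PLACEHOLDER}},  # no cert parsed
]

def extract_hosts(matches, jarm):
    """Return (ip, port, subject CN, issuer CN, ca_issued) for banners with this JARM."""
    rows = []
    for banner in matches:
        tls = banner.get("ssl") or {}
        if tls.get("jarm") != jarm:
            continue
        cert = tls.get("cert") or {}
        subject = (cert.get("subject") or {}).get("CN", "")
        issuer = (cert.get("issuer") or {}).get("CN", "")
        # Assumption: "trusted" is approximated as CA-issued (not self-signed) and unexpired.
        ca_issued = bool(subject and issuer and subject != issuer
                         and not cert.get("expired", True))
        rows.append((banner.get("ip_str", ""), banner.get("port"), subject, issuer, ca_issued))
    return rows

def trusted_csv(rows):
    """CSV text of name,issuer for CA-issued certificates, deduplicated and sorted."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["name", "issuer"])
    for name, issuer in sorted({(r[2], r[3]) for r in rows if r[4]}):
        writer.writerow([name, issuer])
    return out.getvalue()

if __name__ == "__main__":
    hosts = extract_hosts(SAMPLE_MATCHES, JARM_PLACEHOLDER)
    for ip, port, subject, issuer, _ in hosts:
        print(f"{ip}:{port}\t{subject}\t{issuer}")
    print(trusted_csv(hosts), end="")
```

With the official shodan Python library, the matches would come from shodan.Shodan(API_KEY).search_cursor() using an ssl.jarm: query instead of the constructed list.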
Examples of really, really suspicious domain names:
update03.microsoft-essentials.com,Let’s Encrypt Authority X3
training42.microsoft-essentials.com,Let’s Encrypt Authority X3
*.microsoftupdate.space,Let’s Encrypt Authority X3
awsstreamingservices.xyz,Let’s Encrypt Authority X3
The first three have been reported to MSRC.