Search Scans
Help & Examples
Please also see the Search API Reference: Search API Reference
- Search requests (either through the UI or API) are subject to your individual API Quotas.
- The query field uses the ElasticSearch Query String to search for results.
- All queries are run in filter mode, sorted by date descending. There is no scoring of search results.
- Refer to the documentation for advanced queries such as wildcard, regex, boolean operators, fuzzy searches, etc.
- You can group and concatenate search-terms with brackets ( ),AND,OR, andNOT. The default operator isAND.
- You can concatenate terms within a group, e.g. page.domain:(foo.com OR bar.com).
- Always use the field names of the fields you want to search. Wildcards for the field-name are not supported!
- Always escape reserved characters with backslash: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
- Always limit the time-range if possible using date, e.g.date:>now-7dordate:>now-1y.
- You can use wildcard (leading wildcard only on urlscan Pro) and regex search on almost any field.
- Regexes are always anchored to beginning/end of the tokens.
- The dateallows relative queries likedate:>now-7dor range-queries likedate:[2020-01-01 TO 2020-02-01]or both combined.
- Domain fields contain the whole domain and each smaller domain component, i.e. domaincan be searched by google.com which will include www.google.com
Examples - Common searches and multiple query terms combined
- page.ip:* AND date:>now-7d Non-empty scans in the past seven days
- page.url.keyword:https\:\/\/www.paypal.com\/* Page URL Prefix search
- domain:paypal.com AND NOT page.domain:paypal.com Domain was contacted but isn't the page/primary domain
- page.domain:(paypal.com~ AND NOT paypal.com) Fuzzy Search for domain name (excluding the legitimate domain)
- page.domain:(/payp.*/ AND NOT paypal.com) Regex Search for domain name (excluding the legitimate domain)
- page.ip:(148.251.0.0\/16 AND NOT 148.251.45.170) AND date:[2018 TO 2019] IP from subnet excluding one particular IP, seen in 2018
- page.asn:AS24940 OR page.asnname:hetzner Page hosted on this AS, search by ASN or AS Name (Note: Search with 'AS' prefix!)
- page.url:"wp-content/uploads/" OR filename:"wp-content/uploads/" AND date:>now-1M Path wp-content/uploads either in page.url or by subrequest
- hash:d699f303... A resource with this SHA256 was downloaded