Search Scans
Help & Examples
- All API actions (including Search) are subject to your individual API Quotas.
- The query field uses the ElasticSearch Query String to search for results. All queries are run in filter mode, sorted by date descending.
- Refer to the documentation for advanced queries such as wildcard, regex, boolean operators, fuzzy searches, etc.
- You can group and concatenate search terms with brackets ( ), AND, OR, and NOT. The default operator is AND.
- Always use the field names of the fields you want to search. Wildcards for the field-name are not supported!
- Always escape reserved characters with backslash: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
- Always limit the time range if possible using date, e.g. date:>now-7d or date:>now-1y.
- You can use wildcard (though no leading wildcard) and regex search on almost all fields. Regexes are always anchored to beginning/end of the tokens.
- The date field allows relative queries like date:>now-7d or range queries like date:[2020-01-01 TO 2020-02-01], or both combined.
- Domain fields contain the whole domain and each smaller domain component: domain can be searched by google.com, which will include www.google.com.
- The page.url field is analysed as text; if you want to find multiple path components, you should use phrase search with page.url:"foo/bar/batz".
- The user and team fields are special: you can search for user:me or team:me to get your own scans.
- Searchable fields:
ip, domain, page.url, hash, asn, asnname, country, server, filename, task.visibility, task.method
- The fields ip, domain, url, asn, asnname, country and server contain all requests of the scan.
- To just search for the primary IP/Domain/ASN, prefix it with page., e.g. page.domain:paypal.com.
Examples - Common searches and multiple query terms combined
- page.ip:* AND date:>now-7d Non-empty scans in the past seven days
- page.url.keyword:https\:\/\/www.paypal.com\/* Page URL Prefix search
- domain:paypal.com AND NOT page.domain:paypal.com Domain was contacted but isn't the page/primary domain
- page.domain:(paypal.com~ AND NOT paypal.com) Fuzzy Search for domain name (excluding the legitimate domain)
- page.domain:(/payp.*/ AND NOT paypal.com) Regex Search for domain name (excluding the legitimate domain)
- page.ip:(148.251.0.0\/16 AND NOT 148.251.45.170) AND date:[2018 TO 2019] IP from subnet excluding one particular IP, seen in 2018
- page.asn:AS24940 OR page.asnname:hetzner Page hosted on this AS, search by ASN or AS Name (Note: Search with 'AS' prefix!)
- page.url:"wp-content/uploads/" OR filename:"wp-content/uploads/" AND date:>now-1M Path wp-content/uploads either in page.url or by subrequest
- hash:d699f303... A resource with this SHA256 was downloaded
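
Added example (not part of the original help page or the service's own code): a small Python helper that builds query strings following the rules above, escaping reserved characters in untrusted values so they cannot alter the query, requiring explicit field names, and always bounding the time range. The function names are hypothetical; removing < and > rather than escaping them reflects Elasticsearch's query-string syntax, where those two characters cannot be escaped.

```python
import re

# Reserved characters from the help text. '&' and '|' are escaped one by one,
# which also covers '&&' and '||'. '<' and '>' are stripped, not escaped.
_ESCAPE = re.compile(r'([+\-=&|!(){}\[\]^"~*?:\\/])')
_STRIP = re.compile(r'[<>]')
_FIELD = re.compile(r'^[A-Za-z][A-Za-z0-9_.]*$')       # no wildcards in field names
_SINCE = re.compile(r'^now-\d+[yMwdhHms]$')            # relative date, e.g. now-7d


def escape_value(value: str) -> str:
    """Backslash-escape reserved characters in an untrusted search value."""
    return _ESCAPE.sub(r'\\\1', _STRIP.sub('', value))


def term(field: str, value: str, *, prefix: bool = False, phrase: bool = False) -> str:
    """Return one field:value term; the value is treated as data, never as syntax."""
    if not _FIELD.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    if not value:
        raise ValueError("empty value")
    if phrase:
        # Inside a quoted phrase only the quote and the backslash are special.
        inner = value.replace('\\', '\\\\').replace('"', '\\"')
        return f'{field}:"{inner}"'
    if re.search(r'\s', value):
        # Whitespace would split the value into extra terms or operators.
        raise ValueError("value contains whitespace; use phrase=True")
    escaped = escape_value(value)
    return f"{field}:{escaped}*" if prefix else f"{field}:{escaped}"


def build_query(terms, since: str = "now-7d") -> str:
    """AND the terms together and append a date bound, as the help advises."""
    if not _SINCE.match(since):
        raise ValueError(f"invalid relative date: {since!r}")
    return " AND ".join(list(terms) + [f"date:>{since}"])


if __name__ == "__main__":
    # Reproduces the "Page URL Prefix search" example, plus a date bound.
    print(build_query([term("page.url.keyword", "https://www.paypal.com/", prefix=True)]))
```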