Host Search Parameters¶

The API has endpoints for querying our data in which you can use free text search together with one or more of the filters listed below.

Notes¶

Free Text: not specifying a field will search on the full records, which can include other information not stated below. Although free text search without specifying fields is available, it might be processed differently from searching on specific fields. For better results and performance, always use search fields.

NOTE: Free text search without specifying a field is considered deprecated and will be removed in the near future.

Conditionals: the following conditionals are available: NOT, AND, OR. Must be UPPERCASE. You can also use the minus sign (-) as a replacement for the NOT conditional. By default, a sequence of search terms without conditionals will be interpreted as if using the AND conditional.

Comparison: you can use comparison operators on number fields. E.g. field:>100.

Field existence or omission: you can search for records that have a specific field by using _exists_:field. Conversely, for records missing a field it would be NOT _exists_:field.

Wildcards: you can use wildcards on your query terms. However, for the best results and performance, try to be as specific as you can. E.g. field:security*

Regular Expressions: you can use regular expressions on your query terms. For the best results and performance, try to be as specific as you can. If you need to use regular expressions, specify the field you want to search in. E.g. field:/.*microsoft..{2}/

String fields: if the string is expected to have spaces, some kind of punctuation in the middle, or special symbols, try quoting the search terms, i.e. instead of querying field:value try field:"value". You can also try instead field.keyword:"value". The first one will search for any occurrence of any of the words in value, while the second one will search for an exact match of the string. Finally, in the case of some special symbols, you might require escaping in order to make the query valid.

General Fields¶

as_name: (string)¶

Search by AS name.

e.g. as_name:amazon

asn: (int)¶

Search by ASN.

e.g. asn:4812

country: (string)¶

Search using ISO2 Country Codes.

e.g. country:ES

created_at: (date)¶

Search by timestamp.

e.g.
    created_at:[2018-09-01 TO 2018-10-01]
    created_at:2018-09-01

ip: (string)¶

Search by IP address or CIDR.

e.g ip:"192.168.1.1/24" or ip:192.168.1.1

ipv4: (boolean)¶

Search for IPv4 results:

e.g ipv4:true

ipv6: (boolean)¶

Search for IPv6 results:

e.g ipv6:true

geoip.city_name: (string)¶

Search using city names.

e.g. geoip.city_name:madrid

geoip.country_name: (string)¶

Search using country names.

e.g. geoip.country_name:spain

has_screenshot: (boolean)¶

Search for screenshots, true or false (VNC, RDP or X11 module types only).

e.g. has_screenshot:true

port: (int)¶

Search by port number.

e.g. port:80

protocol: (string)¶

Search by protocol. Can be TCP or UDP.

e.g. protocol:tcp

type: (string)¶

Search by event type. Can be service-simple (the default service identification module), ssl, ssh, vnc, rdp, x11, mongodb, memcached, elasticsearch, redis.

e.g. type:ssl

tag: (string)¶

Search by tags. Can be ICS, MALWARE, DATABASE, WEBSERVER, IOT, CAMERA. Tag list and matches are constantly being updated.

e.g. tag:IOT

Service-Simple¶

type:service-simple
Our service identification module.

Search by banner.

e.g. banner:admin

banner_sha256: (string)¶

Search by banner fingerprint.

e.g. banner_sha256:0fc17aa37277eae40d6f0a85f15df006f033c9bc2957265ab9e7b9d05210c850

cpe: (string)¶

Search by CPE.

e.g. cpe.keyword:"cpe:/a:lighttpd:lighttpd"

device: (string)¶

Search by device type.

e.g. device:webcam

extrainfo: (string)¶

Search by extra info (can include information such as build, extensions, OS, etc).

e.g. extrainfo:"PHP/5.4.19"

name: (string)¶

Search by service names.

e.g. name:http

ostype: (string)¶

Search by OS type.

e.g. ostype:Windows

product: (string)¶

Search by product names.

e.g. product:nginx

version: (string)¶

Search by product versions. Better used together with product.

e.g. version:1.1.0

RDP¶

reason: (string)¶

Search by RDP status reason.

e.g. rdp.reason:error

security: (string)¶

Search by RDP security detected.

e.g. rdp.security:NLA

Bluekeep¶

vulnerable: (boolean)¶

Search by whether an RDP server is vulnerable to Bluekeep or not.

e.g. bluekeep.vulnerable:NLA

VNC¶

auth_enabled: (boolean)¶

Search by whether VNC has auth enabled or not.

e.g. vnc.auth_enabled:false

height: (int)¶

Search by VNC height.

e.g. vnc.height:768

msg: (string)¶

Search by VNC returned message.

e.g. vnc.msg:incompatible

title: (string)¶

Search by VNC title.

e.g. vnc.title:android

version: (string)¶

Search by VNC version.

e.g. vnc.version:"3.8"

width: (int)¶

Search by VNC width.

e.g. vnc.width:1024

X11¶

connected: (boolean)¶

Search by whether X11 server was successfully connected to or not.

e.g. x11.connected:true

height: (int)¶

Search by X11 height.

e.g. x11.height:768

vendor: (string)¶

Search by X11 vendor.

e.g. x11.vendor:"The X.Org Foundation"

vendor_release: (string)¶

Search by X11 vendor release.

e.g. x11.vendor_release:"10706000"

version: (string)¶

Search by X11 version.

e.g. x11.version:"11.0"

width: (int)¶

Search by X11 width.

e.g. x11.width:1024

SSH¶

compression: (string)¶

Search by compression algorithms.

e.g. ssh.algorithms.compression:zlib

encryption: (string)¶

Search by encryption algorithms.

e.g. ssh.algorithms.encryption.keyword:"aes256-cbc"

kex: (string)¶

Search by Key Exchange algorithms.

e.g. ssh.algorithms.kex.keyword:"diffie-hellman-group-exchange-sha256"

mac (string)¶

Search by Message Authentication Code algorithms.

e.g. ssh.algorithms.mac.keyword:"hmac-sha1"

server_host_key: (string)¶

Search by Host key encryption.

e.g. ssh.algorithms.server_host_key.keyword:"ssh-rsa"

Search by banner.

e.g. ssh.banner.keyword:"SSH-2.0-OpenSSH_LeadSec"

banner_sha256: (string)¶

Search by banner fingerprint.

e.g. ssh.banner_sha256:0fc17aa37277eae40d6f0a85f15df006f033c9bc2957265ab9e7b9d05210c850

cyphers: (string)¶

Search by SSH cyphers.

e.g. ssh.cyphers:"ssh-rsa"

fingerprint: (string)¶

Search by SSH fingerprints.

e.g. ssh.fingerprint:"c0:76:ed:4a:b6:85:7f:cb:b8:ff:20:ac:fc:a9:aa:fb, e9:d6:05:d1:a2:55:76:aa:bb:d8:18:15:ac:b9:01:4b"

hassh: (string)¶

Search by HASSH hash.

e.g. ssh.hassh:0f5053d1cc689128b6db47f340f3285f

hassh_algorithms: (string)¶

Search by HASSH algorithms string.

e.g. ssh.hassh_algorithms:"diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected],hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96,none,[email protected]"

SSL¶

cert.issuer.common_name: (string)¶

Search by leaf certificate issuer's Common Name.

e.g. ssl.cert.issuer.common_name:microsoft

cert.issuer.organization_name: (string)¶

Search by leaf certificate issuer's Organization Name.

e.g. ssl.cert.issuer.organization_name:microsoft

For exact match use ssl.cert.issuer.organization_name.keyword .

cert.issuer.organizational_unit_name: (string)¶

Search by leaf certificate issuer's Organizational Unit Name.

e.g. ssl.cert.issuer.organizational_unit_name:microsoft

For exact match use ssl.cert.issuer.organizational_unit_name.keyword .

e.g. ssl.cert.issuer.organizational_unit_name.keyword:"CloudFlare Origin SSL Certificate Authority"

cert.issuer.distinguished_name: (string)¶

Search by leaf certificate issuer's Distinguished Name.

e.g. ssl.cert.issuer.distinguished_name:"Common Name: SUV, Organization: SUV999, State/Province: CA, Country: HK"

For exact match use ssl.cert.issuer.distinguished_name.keyword:

e.g. ssl.cert.issuer.distinguished_name.keyword:"Common Name: SUV, Organization: SUV999, State/Province: CA, Country: HK"

cert.issuer.country_name: (string)¶

Search by leaf certificate issuer's Country Name.

e.g. ssl.cert.issuer.country_name:CN

cert.issuer.locality_name: (string)¶

Search by leaf certificate issuer's Locality Name.

e.g. ssl.cert.issuer.locality_name:"Scottsdale"

cert.issuer.state_or_province_name: (string)¶

Search by leaf certificate issuer's State or Province Name.

e.g. ssl.cert.issuer.state_or_province_name:"Greater Manchester"

cert.issuer_names: (string)¶

Search by leaf certificate issuer's names (common_name, organization_name, organizational_unit_name combined).

e.g. ssl.cert.issuer_names:kubernetes

cert.not_after: (date)¶

Search by leaf certificate's expiration date.

e.g. ssl.cert.not_after:[2018-12-01 TO 2019-01-01]
     ssl.cert.not_after:2019-01-01

cert.not_before: (date)¶

Search by leaf certificate's lifetime.

e.g. ssl.cert.not_before:[2018-12-01 TO 2019-01-01]
     ssl.cert.not_before:2019-01-01

cert.validity_length: (int)¶

Search by leaf certificate's creation date.

e.g. ssl.cert.validity_length:>31536000

cert.public_key_info.algorithm: (string)¶

Search by Public Key algorithm.

e.g. cert.public_key_info.algorithm:ec

cert.public_key_info.curve: (string)¶

Search by Public Key curve.

e.g. cert.public_key_info.curve:secp256r1

cert.public_key_info.key_size: (string)¶

Search by Public Key key size.

e.g. cert.public_key_info.key_size:2048

cert.public_key_info.sha256_fingerprint: (string)¶

Search by Public Key SHA256 fingerprint.

e.g. cert.public_key_info.sha256_fingerprint:"4f:53:aa:f3:c6:6b:28:32:3f:77:cf:d7:1b:96:f8:7b:a0:b6:ee:a3:12:a7:62:b1:0a:c5:a1:2d:7d:29:09:e9"

cert.serial: (string)¶

Search by leaf certificate's Serial Number.

e.g. ssl.cert.serial:160000708D70A2A4CB63ABA1C700000000708D

cert.signature_algorithm: (string)¶

Search by leaf certificate's signature algorithm.

e.g. ssl.cert.signature_algorithm:sha256_rsa

cert.signature_value: (string)¶

Search by leaf certificate's signature.

e.g. ssl.cert.signature_value:" 5d:d1:60:d1:57:1f:3f:ba:ed:c1:36:c9:08:fa:7a:8a:53:78:73:5d:93:c9:cc:11:cc:c8:f5:2c:3e:af:aa:12:73:46:1b:99:35:d7:b6:17:1c:ba:19:c0:f0:d1:eb:92:af:60:a4:b8:2d:18:2c:25:43:59:51:a6:74:26:43:73:d9:dd:58:0b:6f:ba:4d:f0:98:82:a1:0a:e3:3b:1d:d4:c7:5e:20:7a:8d:49:55:92:d5:82:f9:85:2d:0b:7e:01:2c:b0:a4:ff:fe:23:25:04:9b:25:46:69:23:4c:33:e7:24:97:2a:13:d4:26:0b:c8:48:30:9d:84:38:aa:bd:fe:e6:42:e6:a0:48:0a:47:f0:18:4c:fb:e3:ce:fd:43:e9:44:ab:85:2f:ba:61:70:a7:a3:9c:a7:93:3b:a5:f5:90:23:4f:20:fb:57:3e:4c:9d:ac:e8:61:b4:ef:30:2a:0a:b6:33:bc:0b:12:f6:85:1a:e4:48:a8:8d:04:5c:b9:49:a0:b8:91:f1:35:3e:a6:bd:7d:06:c1:af:27:ae:78:6a:b7:9e:2b:d1:9e:a9:b3:57:07:0b:6d:14:f1:5d:57:ab:ed:50:c0:f1:7c:17:de:61:be:2e:af:bc:ab:60:c2:f0:ca:21:77:e6:4f:0f:94:25:74:a4:6d:dd:d9:dd:8d:1d"

cert.sha1_fingerprint: (string)¶

Search by leaf certificate's SHA1 fingerprint.

e.g. ssl.cert.sha1_fingerprint:"4e:aa:aa:fd:d1:d5:b6:7f:e5:a1:f2:df:02:58:11:40:c7:8e:04:73"

cert.sha256_fingerprint: (string)¶

Search by leaf certificate's SHA256 fingerprint.

e.g. ssl.cert.sha256_fingerprint:"df:4a:62:74:eb:16:18:48:0e:2e:da:41:b1:80:f0:d5:62:69:24:6c:38:2b:08:e5:83:26:52:ca:d5:71:2b:ec"

cert.spki_subject_fingerprint: (string)¶

Search by leaf certificate's SPKI subject fingerprint.

e.g. ssl.cert.spki_subject_fingerprint:"d0:0f:ae:7c:ae:5d:c8:b9:37:38:fb:b3:5f:6a:24:cc:e9:51:71:ca:ba:21:3f:73:c5:cd:f6:bc:5b:bf:03:1e"

cert.subject.common_name: (string)¶

Search by leaf certificate subject's Common Name.

e.g. ssl.cert.subject.common_name:microsoft

cert.subject.organization_name: (string)¶

Search by leaf certificate subject's Organization Name.

e.g. ssl.cert.subject.organization_name:microsoft

For exact match use ssl.cert.subject.organization_name.keyword .

cert.subject.organizational_unit_name: (string)¶

Search by leaf certificate subject's Organizational Unit Name.

e.g. ssl.cert.subject.organizational_unit_name:cloudFlare

For exact match use ssl.cert.subject.organizational_unit_name.keyword .

e.g. ssl.cert.subject.organizational_unit_name.keyword:"CloudFlare Origin SSL Certificate Authority"

cert.subject.distinguished_name: (string)¶

Search by leaf certificate subject's Distinguished Name.

e.g. ssl.cert.subject.distinguished_name:"SUV999"

For exact match use ssl.cert.subject.distinguished_name.keyword:

e.g. ssl.cert.subject.distinguished_name.keyword:"Common Name: SUV, Organization: SUV999, State/Province: CA, Country: HK"

cert.subject.country_name: (string)¶

Search by leaf certificate subject's Country Name.

e.g. ssl.cert.subject.country_name:CN

cert.subject.locality_name: (string)¶

Search by leaf certificate subject's Locality Name.

e.g. ssl.cert.subject.locality_name:"Scottsdale"

cert.subject.state_or_province_name: (string)¶

Search by leaf certificate subject's State or Province Name.

e.g. ssl.cert.subject.state_or_province_name:"Greater Manchester"

cert.subject_names: (string)¶

Search by leaf certificate subject's names (common_name, organization_name, organizational_unit_name combined).

e.g. ssl.cert.subject_names:kubernetes

cert.subject_dns: (string)¶

Search by leaf certificate subject's DNS (if available).

e.g. ssl.cert.subject_dns:azure

cert.extensions.key_usage.*: (boolean)¶

Search by leaf certificate key usage extension parameters.

e.g. ssl.cert.extensions.key_usage.digital_signature:true

Example parameters¶

crl_sign
data_encipherment
decipher_only
digital_signature
encipher_only
key_agreement
key_cert_sign
key_encipherment
non_repudiation

cert.extensions.extended_key_usage.*: (boolean)¶

Search by leaf certificate extended key usage extension parameters.

e.g. ssl.cert.extensions.extended_key_usage.server_auth:true

Example parameters¶

adobe_authentic_documents_trust
any_extended_key_usage
capwap_ac
capwap_wtp
client_auth
code_signing
dvcs
eap_over_lan
eap_over_ppp
email_protection
ike_intermediate
ipsec_end_system
ipsec_ike
ipsec_tunnel
ipsec_user
microsoft_document_signing
microsoft_efs
microsoft_efs_recovery
microsoft_embedded_nt
microsoft_key_recovery
microsoft_lifetime_signing
microsoft_nt5
microsoft_oem_whql
microsoft_qualified_subordination
microsoft_root_list_signer
microsoft_server_gated
microsoft_smart_card_logon
microsoft_time_stamp_signing
microsoft_trust_list_signing
microsoft_whql
ocsp_signing
piv_content_signing
pkinit_kpclientauth
pkinit_kpkdc
scvp_client
scvp_server
secure_shell_client
secure_shell_server
send_owner
send_router
server_auth
sip_domain
time_stamping

ciphers: (string)¶

Search by ciphers.

e.g. ssl.ciphers:TLSV1_2

client_auth_requirement_string: (string)¶

Search by whether the client requires auth or not.

e.g. ssl.server_info.client_auth_requirement_string:"DISABLED"

highest_ssl_version_supported: (string)¶

Search by highest SSL version supported.

e.g. ssl.server_info.highest_ssl_version_supported_string:TLSV1

ja3: (string)¶

Search by JA3 fingerprint string:

e.g. ssl.server_info.ja3:"771,159,0-65281-35"

ja3_digest: (string)¶

Search by JA3 fingerprint hash:

e.g. ssl.server_info.ja3_digest:"8a17b6c8d5c6e1711cb236cc77aaa388"

ja3_description: (string)¶

Search by JA3 description:

e.g. ssl.server_info.ja3_description:nginx

openssl_cipher_string_supported: (string)¶

Search by SSL cypher supported.

e.g. ssl.server_info.openssl_cipher_string_supported:"AES256-SHA"

tls_wrapped_protocol_string: (string)¶

Search by TLS protocol string.

e.g. ssl.server_info.tls_wrapped_protocol_string:"PLAIN_TLS"

truststores: (string)¶

Search by SSL truststores.

e.g. ssl.truststores:mozilla

compression_name: (string)¶

Search for Compression name.

e.g. ssl.vulnerabilities.compression.compression_name:zlib

supports_compression: (boolean)¶

Search for Compression support.

e.g. ssl.vulnerabilities.compression.supports_compression:true

supports_fallback_scsv: (boolean)¶

Search for Fallback SCSV support.

e.g. ssl.vulnerabilities.fallback.supports_fallback_scsv:true

is_vulnerable_to_heartbleed: (boolean)¶

Search for Heartbleed.

e.g. ssl.vulnerabilities.heartbleed.is_vulnerable_to_heartbleed:true

is_vulnerable_to_ccs_injection: (boolean)¶

Search for OpenSSL CCS injection.

e.g. ssl.vulnerabilities.openssl_ccs.is_vulnerable_to_ccs_injection:true

accepts_client_renegotiation: (boolean)¶

Search for Renegotiation support.

e.g. ssl.vulnerabilities.renegotiation.accepts_client_renegotiation:true

supports_secure_renegotiation: (boolean)¶

Search for Secure Renegotiation support.

e.g. ssl.vulnerabilities.renegotiation.supports_secure_renegotiation:true

robot_result_enum: (string)¶

Search for ROBOT.

e.g. ssl.vulnerabilities.robot.robot_result_enum:NOT_VULNERABLE_NO_ORACLE

JARM¶

jarm: (string)¶

Search by JARM fingerprint string:

e.g. jarm.jarm:"c02b|0303|h2|0000-0017-ff01-000b-0023-0010,cc14|0303|h2|0000-0017-ff01-000b-0023-0010,cc14|0303|h2|0000-0017-ff01-000b-0023-0010,|||,cc14|0303||0000-0017-ff01-000b-0023,c009|0302|h2|0000-0017-ff01-000b-0023-0010,1302|0303||0033-002b,1303|0303||0033-002b,|||,1301|0303||0033-002b"

jarm_hash: (string)¶

Search by JARM fingerprint hash:

e.g. jarm.jarm_hash:"27d3ed3ed0003ed1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c"

Web¶

body.content: (string)¶

Search by HTTP body.

e.g. web.body.content:bitcoin

body.sha256: (string)¶

Search by HTTP body SHA256 fingerprint.

e.g. web.body.sha256:"a9aa9ec7ef3ec92e7eb52220a9f0cb578ff2ba0a71cb3e9c1a0b828857529fcc"

body.ssdeep: (string)¶

Search by HTTP body SSDEEP fingerprint.

e.g. web.body.ssdeep:"333a484c75636771434d4142623a48535072"

favicon.md5: (string)¶

Search by favicon MD5 fingerprint.

e.g. web.favicon.md5:"a3d6fc11b6c0dc1f43742944823954d3"

favicon.mmh3: (string)¶

Search by favicon MMH3 fingerprint.

e.g. web.favicon.mmh3:"2780979020"

favicon.content: (string)¶

Search by favicon Base64 of the content.

e.g. web.favicon.content:"AAABAAEAICACAAEAAQAwAQAAFgAAACgAAAAgAAAAQAAAAAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

headers.*: (string)¶

Search on specific HTTP headers.

e.g. web.headers.accept:"json"

Available headers¶

Search Available Headers

headers.all: (string)¶

Search on all HTTP headers.

e.g. web.headers.all:"confluence"

headers.header_order: (string)¶

Search by HTTP header order fingerprint string.

e.g. web.headers.header_order:"user_agent,host,connection"

headers.header_order_md5: (string)¶

Search by HTTP header order fingerprint hash.

e.g. web.headers.header_order_md5:"ea54a5e969c426b7815aa5540ab4dd93"

path: (string)¶

Search by HTTP path.

e.g. web.path:"index.php"

rendered.content: (string)¶

Search by rendered HTTP body.

e.g. web.rendered.content:bitcoin

rendered.sha256: (string)¶

Search by rendered HTTP body SHA256 fingerprint.

e.g. web.rendered.sha256:"a9aa9ec7ef3ec92e7eb52220a9f0cb578ff2ba0a71cb3e9c1a0b828857529fcc"

rendered.ssdeep: (string)¶

Search by rendered HTTP body SSDEEP fingerprint.

e.g. web.rendered.ssdeep:"333a484c75636771434d4142623a48535072"

server: (string)¶

Search by HTTP Server header.

e.g. web.server:apache

status.code: (int)¶

Search by HTTP status code.

e.g. web.status.code:200

status.message: (string)¶

Search by HTTP status message.

e.g. web.status.message:ok

title: (string)¶

Search by HTTP title.

e.g. web.title:amazon

url: (string)¶

Search by final url.

e.g. web.url:"index.php"

MQTT¶

auth: (boolean)¶

Search by whether MQTT has auth enabled or not.

e.g. mqtt.auth:false

connected: (boolean)¶

Search by whether MQTT server was successfully connected to or not.

e.g. mqtt.connected:true

num_topics: (int)¶

Search by MQTT number of topics.

e.g. mqtt.num_topics:10

messages: (string)¶

Search by MQTT messages.

e.g. mqtt.messages:sms

protocol: (string)¶

Search by MQTT protocol (mqtt or mqtts).

e.g. mqtt.protocol:mqtts

version: (string)¶

Search by MQTT protocol version (4 or 5).

e.g. mqtt.version:4

topics: (string)¶

Search by MQTT topics.

e.g. mqtt.topics:sms

Kubernetes¶

auth_required: (boolean)¶

Search by whether Kubernetes has auth enabled or not.

e.g. kubernetes.auth_required:false

connected: (boolean)¶

Search by whether Kubernetes server was successfully connected to or not.

e.g. kubernetes.connected:true

pods_names: (string)¶

Search by Kubernetes pods names.

e.g. kubernetes.pods_names:credit

version: (string)¶

Search by Kubernetes version.

e.g. kubernetes.version:"1.15"

RSYNC¶

Search by RSYNC banner.

e.g. rsync.banner:confidential

banner_sha256: (string)¶

Search by RSYNC banner fingerprint.

e.g. rsync.banner_sha256:0fc17aa37277eae40d6f0a85f15df006f033c9bc2957265ab9e7b9d05210c850

modules.module: (string)¶

Search by RSYNC module name.

e.g. rsync.modules.module:release

modules.status: (string)¶

Search by RSYNC module status.

e.g. rsync.modules.status:"@RSYNCD:OK"

status: (string)¶

Search by RSYNC status.

e.g. rsync.status:public

version: (string)¶

Search by RSYNC version.

e.g. rsync.version:"31.0"

SMB¶

cpe: (string)¶

Search by CPE.

e.g. smb.cpe.keyword:"cpe:/o:microsoft:windows_10"

os_platform: (string)¶

Search by SMB.

e.g. smb.os_platform:windows

dialects: (string)¶

Search by SMB dialects.

e.g. smb.dialects:"2.0.2"

shares: (string)¶

Search on SMB shares.

e.g. smb.shares:admin

names: (string)¶

Search on SMB shares names.

e.g. smb.names:admin

TOR¶

exit_node: (boolean)¶

Search by whether it is a TOR exit node or not.

e.g. tor.exit_node:true

first_seen: (date)¶

Search by date of TOR node first seen.

e.g.
    tor.first_seen:[2018-09-01 TO 2018-10-01]
    tor.first_seen:2018-09-01

hostname: (string)¶

Search by hostname running TOR.

e.g. tor.hostname:"vultr"

last_seen: (date)¶

Search by date of TOR node last seen.

e.g.
    tor.last_seen:[2018-09-01 TO 2018-10-01]
    tor.last_seen:2018-09-01

platform: (string)¶

Search by platform running TOR node.

e.g. tor.platform:"windows"

router_name: (string)¶

Search by TOR router name.

e.g. tor.router_name:"xenial"

MongoDB¶

Available search fields¶

mongodb.ismaster (boolean)
mongodb.listDatabases (string)
mongodb.names (string)
mongodb.readonly (boolean)
mongodb.serverInfo (string)
mongodb.totalSize (int)
mongodb.version (string)

ElasticSearch¶

Available search fields¶

elasticsearch.build (string)
elasticsearch.build_flavor (string)
elasticsearch.build_hash (string)
elasticsearch.build_type (string)
elasticsearch.cluster_name (string)
elasticsearch.cluster_nodes (int)
elasticsearch.docs (int) - number of documents
elasticsearch.hostname (string)
elasticsearch.indices (string) - name of indices
elasticsearch.indices_raw (string)
elasticsearch.jvm.version (string)
elasticsearch.jvm.vm_name (string)
elasticsearch.jvm.vm_vendor (string)
elasticsearch.jvm.vm_version (string)
elasticsearch.modules (string)
elasticsearch.name (string)
elasticsearch.node_name (string)
elasticsearch.os.arch (string)
elasticsearch.os.cpu.model (string)
elasticsearch.os.cpu.vendor (string)
elasticsearch.os.name (string)
elasticsearch.os.pretty_name (string)
elasticsearch.os.version (string)
elasticsearch.plugins (string)
elasticsearch.roles (string)
elasticsearch.settings (string)
elasticsearch.size (int)
elasticsearch.size_in_bytes (int)
elasticsearch.total_indexing_buffer (int)
elasticsearch.version (string)

Cassandra¶

Available search fields¶

cassandra.cluster (string)
cassandra.cluster_name (string)
cassandra.cql_version (string)
cassandra.datacenter (string)
cassandra.dse (boolean)
cassandra.dse_version (string)
cassandra.keyspaces (string)
cassandra.keyspace_names (string)
cassandra.rack (string)
cassandra.table_names (string)
cassandra.thrift_version (string)
cassandra.version (string)

Redis¶

Available search fields¶

redis.aof_enabled (string)
redis.arch_bits (string)
redis.cluster_enabled (int)
redis.connected_slaves (int)
redis.dbs (int)
redis.keys (int)
redis.maxmemory (string)
redis.multiplexing_api (string)
redis.os (string)
redis.redis_build_id (string)
redis.redis_mode (string)
redis.redis_version (string)
redis.repl_backlog_size (int)
redis.role (string)
redis.stats (string)
redis.uptime_in_days (int)
redis.uptime_in_seconds (int)
redis.used_memory (int)
redis.used_memory_human (string)
redis.used_memory_lua (int)
redis.used_memory_overhead (string)
redis.used_memory_peak (int)
redis.used_memory_peak_human (string)
redis.used_memory_rss (string)
redis.used_memory_startup (string)
redis.versions (string)

Memcached¶

Available search fields¶

memcached.bytes (int)
memcached.pointer_size (int)
memcached.replication (string)
memcached.server (string)
memcached.size (int)
memcached.total_items (int)
memcached.uptime (int)
memcached.version (string)

RethinkDB¶

Available search fields¶

rethinkdb.database_names (string)
rethinkdb.databases (string)
rethinkdb.tables_names (string)

Host Search Parameters¶

Notes¶

General Fields¶

as_name: (string)¶

asn: (int)¶

country: (string)¶

created_at: (date)¶

ip: (string)¶

ipv4: (boolean)¶

ipv6: (boolean)¶

geoip.city_name: (string)¶

geoip.country_name: (string)¶

has_screenshot: (boolean)¶

port: (int)¶

protocol: (string)¶

type: (string)¶

tag: (string)¶

Available tags¶

Service-Simple¶

banner: (string)¶

banner_sha256: (string)¶

cpe: (string)¶

device: (string)¶

extrainfo: (string)¶

name: (string)¶

ostype: (string)¶

product: (string)¶

version: (string)¶

RDP¶

reason: (string)¶

security: (string)¶

Bluekeep¶

vulnerable: (boolean)¶

VNC¶

auth_enabled: (boolean)¶

height: (int)¶

msg: (string)¶

title: (string)¶

version: (string)¶

width: (int)¶

X11¶

connected: (boolean)¶

height: (int)¶

vendor: (string)¶

vendor_release: (string)¶

version: (string)¶

width: (int)¶

SSH¶

compression: (string)¶

encryption: (string)¶

kex: (string)¶

mac (string)¶

server_host_key: (string)¶

banner: (string)¶

banner_sha256: (string)¶

cyphers: (string)¶

fingerprint: (string)¶

hassh: (string)¶

hassh_algorithms: (string)¶

SSL¶

cert.issuer.common_name: (string)¶

cert.issuer.organization_name: (string)¶

cert.issuer.organizational_unit_name: (string)¶

cert.issuer.distinguished_name: (string)¶

cert.issuer.country_name: (string)¶

cert.issuer.locality_name: (string)¶

cert.issuer.state_or_province_name: (string)¶

cert.issuer_names: (string)¶

cert.not_after: (date)¶

cert.not_before: (date)¶

cert.validity_length: (int)¶

cert.public_key_info.algorithm: (string)¶

cert.public_key_info.curve: (string)¶

cert.public_key_info.key_size: (string)¶

cert.public_key_info.sha256_fingerprint: (string)¶

cert.serial: (string)¶

cert.signature_algorithm: (string)¶

cert.signature_value: (string)¶

cert.sha1_fingerprint: (string)¶

cert.sha256_fingerprint: (string)¶