Incidents Search
Our Incidents feature within urlscan Observe allows you to continuously monitor specific observables and receive updates when changes occur. Incidents can be customized with options such as perpetual monitoring, custom scan intervals, stop conditions, scanner locations, and user-agents. This page provides a reference for the available fields and parameters used to create and manage Incidents via the API.
Searchable Fields
The following fields can only be searched on the Professional, Enterprise, and Ultimate plans.
Field Name | Type | Field semantics, features, & notes |
---|---|---|
asn | text | AS number the observable has been seen on |
asnname | keyword | Name of the ASN of the observable |
countries | text | Scan location list |
countriesPerInterval | integer | |
createdAt | date | Datetime of when the incident was created |
domain | keyword | The root domain |
expireAt | date | Datetime for when the incident is due to expire |
hostname | keyword | The full hostname |
incidentProfile | text | The ID of the incident profile used to create the incident |
observable | text | The observable of the incident |
scanInterval | integer | Interval between full website scans |
scanIntervalAfterMalicious | integer | The scan interval of the incident after the hostname/domain/URL was detected as malicious |
scanIntervalAfterSuspended | integer | The scan interval of the incident after the site was suspended or taken down |
scanIntervalMode | text | The scan mode type |
sourceId | text | ID of the trigger source |
sourceType | text | Incident source type |
state | text | Current incident state |
stateCount | integer | How many intervals we have stored for the incident |
stateSize | integer | The size of the state internally |
stopDelayInactive | integer | Control for when the incident is automatically closed |
stopDelayMalicious | integer | Control for when the incident is automatically closed |
stopDelaySuspended | integer | Control for when the incident is automatically closed |
tld | keyword | The top level domain of the observable |
type | text | Observable type |
uniqueId | text | Unique ID for the incident |
uniqueIPs | integer | Count of unique IPs observed in the incident |
updatedAt | date | Datetime of when the incident was updated |
userAgentsPerInterval | integer | Count of user agents per scan interval |
verdict | text | Incident verdict (malicious or benign) |
visibility | text | Incident visibility |