Our Incidents feature within urlscan Observe allows you to continuously monitor specific observables and receive updates when changes occur. Incidents can be customized with options such as perpetual monitoring, custom scan intervals, stop conditions, scanner locations, and user-agents. This page provides a reference for the available fields and parameters used to create and manage Incidents via the API.
The following fields can only be searched on the Professional, Enterprise, and Ultimate plans.
| Field Name | Type | Field semantics, features, & notes |
|---|---|---|
allTags | keyword | Tags from all observation periods |
asn | keyword | The ASN number of the last observed IP |
asnname | text | The ASN description of the last observed IP |
asnname.keyword | keyword | The ASN description of the last observed IP (analyzed as keyword) |
cname | domain | Last observed CNAME records |
countries | keyword | Scan location list |
countriesPerInterval | integer | Numer of countries incident scan was observed from per interval |
createdAt | date | Datetime of when the incident was created |
domain | domain | Contains the registered (apex) domain, indexed as individual levels of subdomains. Wildcard / Regular Expression supported |
expireAt | date | Datetime for when the incident is due to expire |
hostname | domain | The full hostname. Wildcard / Regular Expression supported |
incidentProfile | keyword | The ID of the incident profile used to create the incident |
ip | ip | Last observed IPv4/IPv6 values for A/AAAA records |
mx | domain | Last observed MX records |
nameserver | domain | Last observed NS records |
observable | keyword | The observable of the incident |
scanInterval | integer | Interval between triggering full website scan (in seconds) |
scanIntervalAfterMalicious | integer | The scan interval of the incident after the hostname/domain/URL was detected as malicious (in seconds) |
scanIntervalAfterSuspended | integer | The scan interval of the incident after the site was suspended or taken down (in seconds) |
scanIntervalMode | keyword | The scan mode type |
sourceId | keyword | ID of the trigger source |
sourceType | keyword | Incident source type |
state | keyword | Current incident state, can be active or closed |
stateCount | integer | How many intervals we have stored for the incident |
stateSize | integer | The size of the state internally |
stopDelayInactive | integer | Control for when the incident is automatically closed |
stopDelayMalicious | integer | Control for when the incident is automatically closed |
stopDelaySuspended | integer | Control for when the incident is automatically closed |
tags | keyword | Tags from the latest observation period |
tld | domain | The top level domain of the observable |
type | keyword | The type of observable: hostname, ip, or url |
uniqueId | keyword | Unique ID for the incident |
uniqueIPs | integer | Count of unique IPs observed in the incident |
updatedAt | date | Datetime of when the incident was updated |
userAgentsPerInterval | integer | Count of user agents per scan interval |
verdict | keyword | Incident malicious or benign verdict |
visibility | keyword | Incident visibility private or unlisted |