Our Website scans UI & Search API allows you to find historical scans of URLs on urlscan.io. This page is a reference for the available fields that can be used to query the Search API. Please see explanations about the field types and visibility below.
| Field Name | Type | Field semantics, features, & notes |
|---|---|---|
apikey | virtual | Scans submitted using one of your API keys (Can only be me) |
asn | keyword | Any of the AS numbers that were contacted (e.g. AS123) |
asnname | text | Any of the AS Names that were contacted |
asnname.keyword | keyword | Any of the AS names that were contacted (analysed as keyword) |
canonical.page.url | keyword | Canonicalized version of the page URL |
canonical.task.url | keyword | Canonicalized version of the task URL |
country | keyword | ISO 3166-1 2-letter country code of any country that was contacted |
date | date | Datetime of when the scan was performed |
domain | domain | Any domain and subdomain that was contacted |
domain.keyword | keyword | Any domain and subdomain that was contacted |
filename | text | Any URL that was requested |
filename.keyword | keyword | Any URL that was requested |
files.filename | text | Filename of file downloaded by the website |
files.filename.keyword | keyword | Filename of file downloaded by the website (analyzed as keyword) |
files.filesize | integer | Filesize of file downloaded by the website |
files.mimeDescription | text | Files MIME type description |
files.mimeType | keyword | MIME type description of file downloaded by the website |
files.sha256 | keyword | SHA256 of file downloaded by the website |
files.state | keyword | Download state of the file |
files.url | text | URL of the file's location |
hash | keyword | Any SHA256 hash of any HTTP response |
ip | ip | Any IP that was contacted |
page.apexDomain | keyword | Apex domain of the page |
page.apexDomainAgeDays | integer | Age of the page apex domain in days |
page.asn | keyword | AS Number of the website |
page.asnname | text | Name of the main AS of the website |
page.asnname.keyword | keyword | Name of the main AS of the website (analyzed as keyword) |
page.country | keyword | Primary IP GeoIP Country (ISO 3166-1 2-letter country code) |
page.domain | domain | Primary Domain (Analysed as all levels of parent domains) |
page.domain.keyword | keyword | Primary Domain (Analysed as keyword) |
page.domainAgeDays | integer | Age of the page domain (hostname) in days |
page.ip | ip | Primary IP |
page.language | keyword | ISO-639 language code based on page text |
page.mimeType | keyword | MIME type of the primary HTTP response |
page.ptr | domain | DNS PTR record of primary IP |
page.redirected | keyword | Whether the page was redirected from task.url, can be one of same-domain, sub-domain, off-domain, https-only |
page.server | text | HTTP "Server" header of primary request |
page.status | keyword | HTTP status code of primary request response |
page.title | text | Title of the page |
page.title.keyword | keyword | Title of the page |
page.tlsAgeDays | integer | Age of TLS certificate when the page was scanned (in days) |
page.tlsIssuer | keyword | Issuer of the page TLS certificate |
page.tlsValidDays | integer | TLS certificate validity period in days |
page.tlsValidFrom | date | TLS certificate Valid-From date |
page.umbrellaRank | integer | Cisco Umbrella Top 1 Million rank of page domain |
page.url | text | URL of the primary page (after redirection) |
page.url.keyword | keyword | URL of the primary page (after redirection, analysed as keyword) |
server | keyword | Any HTTP "Server" header of subrequests |
stats.dataLength | integer | Data size of all subresources |
stats.encodedDataLength | integer | Transfer size of all subresources |
stats.requests | integer | Number of subrequests |
stats.uniqCountries | integer | Number of unique countries contacted |
stats.uniqIPs | integer | Number of unique IPs contacted |
task.apexDomain | keyword | Apex domain of the tasked hostname |
task.domain | domain | Domain of the tasked URL |
task.domain.keyword | keyword | Domain of the tasked URL (analysed as keyword) |
task.method | keyword | Can be manual, api, or automatic |
task.source | keyword | Examples: phishtank or certstream-suspicious |
task.tags | keyword | User-defined tags supplied during scan submission |
task.url | text | The original URL that was tasked |
task.url.keyword | keyword | The original URL that was tasked (analysed as keyword) |
task.uuid | keyword | The unique UUID of the scan |
task.visibility | keyword | Can be one of public, unlisted, or private |
team | virtual | Scans submitted by any of your teams (Can only be me) |
user | virtual | Scans submitted by yourself (Can only be me) |
The following fields can only be searched on the Professional, Enterprise, and Ultimate plans.
| Field Name | Type | Field semantics, features, & notes |
|---|---|---|
brand.country | keyword | ISO 3166-1 2-letter country code of the brand |
brand.key | keyword | Unique key of the brand |
brand.name | text | Name of the brand |
brand.name.keyword | keyword | Name of the brand (analyzed as keyword) |
brand.vertical | text | Industry vertical of the brand, e.g. "banking" |
brand.vertical.keyword | keyword | Industry vertical of the brand (analyzed as keyword) |
content.cookieNames | keyword | Names of cookies set by page |
content.globalNames | keyword | Names of non-standard JavaScript global variables |
content.inputNames | keyword | Name attributes of input fields on page |
content.inputTypes | keyword | Type attributes of input fields on page |
content.storageNames | keyword | Names of items in localStorage and sessionStorage set by page |
content.technologies | keyword | Names of technologies detected according to Wappalyzer |
dom.hash | keyword | SHA256 hash of the DOM before truncation |
dom.size | integer | Size of the DOM before truncation |
frames.domains | domain | Domains of frames |
frames.length | integer | Number of frames |
frames.urls | keyword | URLs of frames / iFrames |
image.aspectratio | float | Aspect ratio of screenshot (width / height) |
image.hash | integer | SHA256 hash of screenshot |
image.height | integer | Height of screenshot in pixels |
image.size | integer | Size of screenshot in bytes |
image.width | integer | Width of screenshot in pixels |
labels | keyword | High-level system labels applied by urlscan |
links.domains | domain | Domains of outgoing links |
links.length | integer | Number of outgoing links |
links.urls | keyword | URLs of outgoing links (to different domains than page.domain) |
meta | keyword | IDs of matching subscriptions / saved searches |
scanner.country | keyword | Scanner IP exit location (ISO 3166-1 2-letter country code) |
submitter.country | keyword | GeoIP country of the submission IP (ISO 3166-1 2-letter country code) |
text.content | text | Visible text on the website, truncated to the first 20kB |
text.hash | keyword | SHA256 hash of the text before truncation |
text.size | integer | Size of the text content before truncation |
usertags | keyword | User-defined tags for Saved Searches that matched the scan |
verdicts.community.malicious | boolean | The community verdict for a scan |
verdicts.engines.malicious | boolean | ML malicious verdict |
verdicts.engines.score | integer | ML score from -100 to 100 |
verdicts.lastVerdict | date | Date the latest verdict for this scan was added, only for verdicts created after the scan has finished |
verdicts.malicious | boolean | Whether a verdict exists for the page |
verdicts.score | integer | Maliciousness score of page from -100 (benign) to 100 (malicious) |
verdicts.urlscan.malicious | boolean | The urlscan malicious verdict |
visible.brandname | text | Brand name the website claims to represent (urlscan Brand AI) |
visible.brandname.keyword | keyword | Brand name the website claims to represent (analyzed as keyword) |
websockets.domains | domain | Domains of WebSocket connections |
websockets.length | integer | Number of WebSocket connections |
websockets.totalBytesReceived | integer | Total bytes received over WebSocket connections |
websockets.totalBytesSent | integer | Total bytes sent over WebSocket connections |
websockets.urls | keyword | URLs of WebSocket connections |