Website Scans Search Reference
Our Website scans UI & Search API allows you to find historical scans of URLs on urlscan.io. This page is a reference for the available fields that can be used to query the Search API. Please see explanations about the field types and visibility below.
Searchable Fields
| Field Name | Type | Field semantics, features, & notes |
|---|---|---|
apikey | virtual | Scans submitted using one of your API keys (Can only be me) |
asn | keyword | Any of the AS numbers that were contacted (e.g., AS123) |
asnname.keyword | keyword | Any of the AS names that were contacted (analyzed as keyword) |
asnname | text | Any of the AS names that were contacted |
country | keyword | ISO 3166-1 2-letter country code of any country that was contacted |
date | date | Datetime of when the scan was performed |
domain.keyword | keywordRE | Any domain or subdomain that was contacted |
domain | domain | Any domain or subdomain that was contacted |
filename.keyword | keywordRE | Any URL that was requested |
filename | text | Any URL that was requested |
files.filename | keywordRE | Filename of file downloaded by the website |
files.filesize | integer | Filesize of file downloaded by the website |
files.mimeType | keyword | MIME type description of file downloaded by the website |
files.sha256 | keyword | SHA256 of file downloaded by the website |
hash | keyword | Any SHA256 hash of any HTTP response |
ip | ip | Any IP that was contacted |
page.apexDomainAgeDays | keyword | Age of the page apex domain (registered domain) in days |
page.apexDomain | keyword | Apex domain of the page |
page.asn | keyword | AS number of the website |
page.asnname | text | Name of the main AS of the website |
page.country | keyword | Primary IP GeoIP Country (ISO 3166-1 2-letter country code) |
page.domain.keyword | keywordRE | Primary domain (analyzed as keyword) |
page.domainAgeDays | keyword | Age of the page domain (i.e. hostname) in days |
page.domain | domain | Primary hostname (analyzed as all levels of parent domains) |
page.ip | ip | Primary IP |
page.language | keyword | ISO-639 language code based on the text page code |
page.mimeType | keyword | MIME type of the primary HTTP response |
page.ptr | domain | DNS PTR record of primary IP |
page.redirected | keyword | Whether the page was redirected from task.url |
page.server | text | HTTP "Server" header of primary request |
page.status | keyword | HTTP status code of primary request response |
page.title.keyword | keywordRE | Title of the page |
page.title | text | Title of the page |
page.tlsAgeDays | date | Age of TLS certificate when the page was scanned (in days) |
page.tlsIssuer | keyword | Issuer of the page TLS certificate |
page.tlsValidDays | date | TLS certificate validity period in days |
page.tlsValidFrom | date | TLS certificate Valid-From date |
page.umbrellaRank | integer | Cisco Umbrella Top 1 Million rank of page domain |
page.url.keyword | keywordRE | URL of the primary page (after redirection, analyzed as keyword) |
page.url | text | URL of the primary page (after redirection) |
server | keyword | Any HTTP "Server" header of subrequests |
stats.dataLength | integer | Data size of all subresources |
stats.encodedDataLength | integer | Transfer size of all subresources |
stats.requests | integer | Number of subrequests |
stats.uniqCountries | integer | Number of unique countries contacted |
stats.uniqIPs | integer | Number of unique IPs contacted |
task.apexDomain | keyword | Apex domain of the tasked hostname |
task.domain.keyword | keywordRE | Hostname of the tasked URL (analyzed as keyword) |
task.domain | domain | Domain of the tasked URL |
task.method | keyword | Can be manual, api, or automatic |
task.source | keyword | Examples: phishtank or certstream-suspicious |
task.tags | keyword | User-defined tags supplied during scan submission |
task.url.keyword | keywordRE | The original URL that was tasked (analyzed as keyword) |
task.url | text | The original URL that was tasked |
task.uuid | keyword | The unique UUID of the scan |
task.visibility | keyword | Can be one of public, unlisted, or private |
team | virtual | Scans submitted by any of your teams (Can only be me) |
user | virtual | Scans submitted by yourself (Can only be me) |
urlscan Professional, Enterprise, Ultimate
The following fields can only be searched on the Professional, Enterprise, and Ultimate plans.
| Field Name | Type | Field semantics, features, & notes |
|---|---|---|
brand.country | keyword | ISO 3166-1 2-letter country code of the brand |
brand.key | keyword | Unique key of the brand |
brand.name | text | Name of the brand |
brand.vertical | text | Industry vertical of the brand, e.g., "banking" |
content.cookieNames | keyword | Names of cookies set by page |
content.globalNames | keyword | Names of non-default JavaScript global variables |
content.inputNames | keyword | Name attributes of input fields on page |
content.inputTypes | keyword | Type attributes of input fields on page |
content.technologies | keyword | Names of technologies detected according to Wappalyzer |
dom.hash | keyword | SHA256 hash of the DOM before truncation |
dom.size | integer | Size of the DOM before truncation |
frames.domains | domain | Domains of frames |
frames.length | integer | Number of frames |
frames.urls | keywordRE | URLs of frames |
image.aspectration | float | Aspect ratio of the screenshot |
image.hash | keyword | SHA256 hash of the screenshot |
image.height | integer | Height (in pixels) of the screenshot |
image.size | integer | Size (in bytes) of the screenshot |
image.width | integer | Width (in pixels) of the screenshot |
labels | keyword | High-level system labels applied by urlscan |
links.domains | domain | Domains of outgoing links |
links.length | integer | Number of outgoing links |
links.urls | keywordRE | URLs of outgoing links (to different domains than page.domain) |
meta | keyword | IDs of matching subscriptions / saved searches |
scanner.country | keyword | Scanner IP exit location (2-letter country code) |
submitter.country | keyword | GeoIP country of the submitter (2-letter country code) |
text.content | text | Visible text on the website and inline JS (first 20kB) |
text.hash | keyword | SHA256 hash of the text before truncation |
text.size | integer | Size of the text content before truncation |
usertags | keyword | User-defined tags for Saved Searches that matched the scan |
verdicts.engines.malicious | integer | ML malicious verdict |
verdicts.engines.score | integer | ML score of page from -100 (benign) to 100 (malicious) |
verdicts.lastVerdict | date | Date the latest verdict for this scan was added |
verdicts.malicious | boolean | Whether the page is considered malicious |
verdicts.score | integer | Maliciousness score of page from -100 (benign) to 100 (malicious) |
visible.brandname | text | Name of the brand the website claims to represent as determined by urlscan Brand AI |