# Website Scans Search Reference

Our Website scans UI & Search API allows you to find historical scans of URLs on urlscan.io.
This page is a reference for the available fields that can be used to query the
Search API. Please see explanations about the field types and visibility below.

## Searchable Fields

| Field Name | Type | Field semantics, features, & notes |
|  --- | --- | --- |
| `apikey` | virtual | Scans submitted using one of your API keys (Can only be me) |
| `asn` | keyword | Any of the AS numbers that were contacted (e.g. AS123) |
| `asnname` | text | Any of the AS Names that were contacted |
| `asnname.keyword` | keyword | Any of the AS names that were contacted (analysed as keyword) |
| `canonical.page.url` | keyword | Canonicalized version of the page URL |
| `canonical.task.url` | keyword | Canonicalized version of the task URL |
| `country` | keyword | ISO 3166-1 2-letter country code of any country that was contacted |
| `date` | date | Datetime of when the scan was performed |
| `domain` | domain | Any domain and subdomain that was contacted |
| `domain.keyword` | keyword | Any domain and subdomain that was contacted |
| `filename` | text | Any URL that was requested |
| `filename.keyword` | keyword | Any URL that was requested |
| `files.filename` | text | Filename of file downloaded by the website |
| `files.filename.keyword` | keyword | Filename of file downloaded by the website (analyzed as keyword) |
| `files.filesize` | integer | Filesize of file downloaded by the website |
| `files.mimeDescription` | text | Files MIME type description |
| `files.mimeType` | keyword | MIME type description of file downloaded by the website |
| `files.sha256` | keyword | SHA256 of file downloaded by the website |
| `files.state` | keyword | Download state of the file |
| `files.url` | text | URL of the file's location |
| `hash` | keyword | Any SHA256 hash of any HTTP response |
| `ip` | ip | Any IP that was contacted |
| `page.apexDomain` | keyword | Apex domain of the page |
| `page.apexDomainAgeDays` | integer | Age of the page apex domain in days |
| `page.asn` | keyword | AS Number of the website |
| `page.asnname` | text | Name of the main AS of the website |
| `page.asnname.keyword` | keyword | Name of the main AS of the website (analyzed as keyword) |
| `page.country` | keyword | Primary IP GeoIP Country (ISO 3166-1 2-letter country code) |
| `page.domain` | domain | Primary Domain (Analysed as all levels of parent domains) |
| `page.domain.keyword` | keyword | Primary Domain (Analysed as keyword) |
| `page.domainAgeDays` | integer | Age of the page domain (hostname) in days |
| `page.ip` | ip | Primary IP |
| `page.language` | keyword | ISO-639 language code based on page text |
| `page.mimeType` | keyword | MIME type of the primary HTTP response |
| `page.ptr` | domain | DNS PTR record of primary IP |
| `page.redirected` | keyword | Whether the page was redirected from task.url, can be one of same-domain, sub-domain, off-domain, https-only |
| `page.server` | text | HTTP "Server" header of primary request |
| `page.status` | keyword | HTTP status code of primary request response |
| `page.title` | text | Title of the page |
| `page.title.keyword` | keyword | Title of the page |
| `page.tlsAgeDays` | integer | Age of TLS certificate when the page was scanned (in days) |
| `page.tlsIssuer` | keyword | Issuer of the page TLS certificate |
| `page.tlsValidDays` | integer | TLS certificate validity period in days |
| `page.tlsValidFrom` | date | TLS certificate Valid-From date |
| `page.umbrellaRank` | integer | Cisco Umbrella Top 1 Million rank of page domain |
| `page.url` | text | URL of the primary page (after redirection) |
| `page.url.keyword` | keyword | URL of the primary page (after redirection, analysed as keyword) |
| `server` | keyword | Any HTTP "Server" header of subrequests |
| `stats.dataLength` | integer | Data size of all subresources |
| `stats.encodedDataLength` | integer | Transfer size of all subresources |
| `stats.requests` | integer | Number of subrequests |
| `stats.uniqCountries` | integer | Number of unique countries contacted |
| `stats.uniqIPs` | integer | Number of unique IPs contacted |
| `task.apexDomain` | keyword | Apex domain of the tasked hostname |
| `task.domain` | domain | Domain of the tasked URL |
| `task.domain.keyword` | keyword | Domain of the tasked URL (analysed as keyword) |
| `task.method` | keyword | Can be manual, api, or automatic |
| `task.source` | keyword | Examples:  phishtank  or  certstream-suspicious |
| `task.tags` | keyword | User-defined tags supplied during scan submission |
| `task.url` | text | The original URL that was tasked |
| `task.url.keyword` | keyword | The original URL that was tasked (analysed as keyword) |
| `task.uuid` | keyword | The unique UUID of the scan |
| `task.visibility` | keyword | Can be one of public, unlisted, or private |
| `team` | virtual | Scans submitted by any of your teams (Can only be me) |
| `user` | virtual | Scans submitted by yourself (Can only be me) |


## urlscan Professional, Enterprise, Ultimate

The following fields can only be searched on the Professional, Enterprise, and Ultimate plans.

| Field Name | Type | Field semantics, features, & notes |
|  --- | --- | --- |
| `brand.country` | keyword | ISO 3166-1 2-letter country code of the brand |
| `brand.key` | keyword | Unique key of the brand |
| `brand.name` | text | Name of the brand |
| `brand.name.keyword` | keyword | Name of the brand (analyzed as keyword) |
| `brand.vertical` | text | Industry vertical of the brand, e.g. "banking" |
| `brand.vertical.keyword` | keyword | Industry vertical of the brand (analyzed as keyword) |
| `content.cookieNames` | keyword | Names of cookies set by page |
| `content.globalNames` | keyword | Names of non-standard JavaScript global variables |
| `content.inputNames` | keyword | Name attributes of input fields on page |
| `content.inputTypes` | keyword | Type attributes of input fields on page |
| `content.storageNames` | keyword | Names of items in localStorage and sessionStorage set by page |
| `content.technologies` | keyword | Names of technologies detected according to Wappalyzer |
| `dom.hash` | keyword | SHA256 hash of the DOM before truncation |
| `dom.size` | integer | Size of the DOM before truncation |
| `frames.domains` | domain | Domains of frames |
| `frames.length` | integer | Number of frames |
| `frames.urls` | keyword | URLs of frames / iFrames |
| `image.aspectratio` | float | Aspect ratio of screenshot (width / height) |
| `image.hash` | integer | SHA256 hash of screenshot |
| `image.height` | integer | Height of screenshot in pixels |
| `image.size` | integer | Size of screenshot in bytes |
| `image.width` | integer | Width of screenshot in pixels |
| `labels` | keyword | High-level system labels applied by urlscan |
| `links.domains` | domain | Domains of outgoing links |
| `links.length` | integer | Number of outgoing links |
| `links.urls` | keyword | URLs of outgoing links (to different domains than page.domain) |
| `meta` | keyword | IDs of matching subscriptions / saved searches |
| `scanner.country` | keyword | Scanner IP exit location (ISO 3166-1 2-letter country code) |
| `submitter.country` | keyword | GeoIP country of the submission IP (ISO 3166-1 2-letter country code) |
| `text.content` | text | Visible text on the website, truncated to the first 20kB |
| `text.hash` | keyword | SHA256 hash of the text before truncation |
| `text.size` | integer | Size of the text content before truncation |
| `usertags` | keyword | User-defined tags for Saved Searches that matched the scan |
| `verdicts.community.malicious` | boolean | The community verdict for a scan |
| `verdicts.engines.malicious` | boolean | ML malicious verdict |
| `verdicts.engines.score` | integer | ML score from -100 to 100 |
| `verdicts.lastVerdict` | date | Date the latest verdict for this scan was added, only for verdicts created after the scan has finished |
| `verdicts.malicious` | boolean | Whether a verdict exists for the page |
| `verdicts.score` | integer | Maliciousness score of page from -100 (benign) to 100 (malicious) |
| `verdicts.urlscan.malicious` | boolean | The urlscan malicious verdict |
| `visible.brandname` | text | Brand name the website claims to represent (urlscan Brand AI) |
| `visible.brandname.keyword` | keyword | Brand name the website claims to represent (analyzed as keyword) |