# Website Scans Search Reference

The Website Scans UI and Search API allow you to find historical scans of URLs on urlscan.io.
This page is a reference for the fields that can be used to query the
Search API. See the explanations of field types and visibility below.

## Searchable Fields

| Field Name | Type | Field semantics, features, & notes |
|  --- | --- | --- |
| `apikey` | virtual | Scans submitted using one of your API keys (Can only be `me`) |
| `asn` | keyword | Any of the AS numbers that were contacted (e.g., AS123) |
| `asnname.keyword` | keyword | Any of the AS names that were contacted (analyzed as keyword) |
| `asnname` | text | Any of the AS names that were contacted |
| `canonical.page.url` | keyword | Canonicalised version of the page URL |
| `canonical.task.url` | keyword | Canonicalised version of the task URL |
| `country` | keyword | ISO 3166-1 2-letter country code of any country that was contacted |
| `date` | date | Datetime of when the scan was performed |
| `domain.keyword` | keyword **RE** | Any domain or subdomain that was contacted |
| `domain` | domain | Any domain or subdomain that was contacted |
| `filename.keyword` | keyword **RE** | Any URL that was requested |
| `filename` | text | Any URL that was requested |
| `files.filename` | keyword **RE** | Filename of file downloaded by the website |
| `files.filesize` | integer | Filesize of file downloaded by the website |
| `files.mimeType` | keyword | MIME type description of file downloaded by the website |
| `files.sha256` | keyword | SHA256 of file downloaded by the website |
| `hash` | keyword | Any SHA256 hash of any HTTP response |
| `ip` | ip | Any IP that was contacted |
| `page.apexDomain` | integer | Apex domain of the page |
| `page.apexDomainAgeDays` | integer | Age of the page apex domain (registered domain) in days |
| `page.asn` | keyword | AS number of the website |
| `page.asnname` | text | Name of the main AS of the website |
| `page.country` | keyword | Primary IP GeoIP Country (ISO 3166-1 2-letter country code) |
| `page.domain.keyword` | keyword **RE** | Primary domain (analyzed as keyword) |
| `page.domain` | domain | Primary hostname (analyzed as all levels of parent domains) |
| `page.domainAgeDays` | keyword | Age of the page domain (i.e. hostname) in days |
| `page.ip` | ip | Primary IP |
| `page.language` | keyword | ISO-639 language code based on the text page code |
| `page.mimeType` | keyword | MIME type of the primary HTTP response |
| `page.ptr` | domain | DNS PTR record of primary IP |
| `page.redirected` | keyword | Whether the page was redirected from `task.url`; can be one of `same-domain`, `sub-domain`, `off-domain`, `https-only` |
| `page.server` | text | HTTP "Server" header of primary request |
| `page.status` | keyword | HTTP status code of primary request response |
| `page.title.keyword` | keyword **RE** | Title of the page |
| `page.title` | text | Title of the page |
| `page.tlsAgeDays` | date | Age of TLS certificate when the page was scanned (in days) |
| `page.tlsIssuer` | keyword | Issuer of the page TLS certificate |
| `page.tlsValidDays` | date | TLS certificate validity period in days |
| `page.tlsValidFrom` | date | TLS certificate Valid-From date |
| `page.umbrellaRank` | integer | Cisco Umbrella Top 1 Million rank of page domain |
| `page.url.keyword` | keyword **RE** | URL of the primary page (after redirection, analyzed as keyword) |
| `page.url` | text | URL of the primary page (after redirection) |
| `server` | keyword | Any HTTP "Server" header of subrequests |
| `stats.dataLength` | integer | Data size of all subresources |
| `stats.encodedDataLength` | integer | Transfer size of all subresources |
| `stats.requests` | integer | Number of subrequests |
| `stats.uniqCountries` | integer | Number of unique countries contacted |
| `stats.uniqIPs` | integer | Number of unique IPs contacted |
| `task.apexDomain` | keyword | Apex domain of the tasked hostname |
| `task.domain.keyword` | keyword **RE** | Hostname of the tasked URL (analyzed as keyword) |
| `task.domain` | domain | Domain of the tasked URL |
| `task.method` | keyword | Can be `manual`, `api`, or `automatic` |
| `task.source` | keyword | Examples: `phishtank` or `certstream-suspicious` |
| `task.tags` | keyword | User-defined tags supplied during scan submission |
| `task.url.keyword` | keyword **RE** | The original URL that was tasked (analyzed as keyword) |
| `task.url` | text | The original URL that was tasked |
| `task.uuid` | keyword | The unique UUID of the scan |
| `task.visibility` | keyword | Can be one of `public`, `unlisted`, or `private` |
| `team` | virtual | Scans submitted by any of your teams (Can only be `me`) |
| `user` | virtual | Scans submitted by yourself (Can only be `me`) |


## urlscan Professional, Enterprise, Ultimate

The following fields can only be searched on the Professional, Enterprise, and Ultimate plans.

| Field Name | Type | Field semantics, features, & notes |
|  --- | --- | --- |
| `brand.country` | keyword | ISO 3166-1 2-letter country code of the brand |
| `brand.key` | keyword | Unique key of the brand |
| `brand.name` | text | Name of the brand |
| `brand.vertical` | text | Industry vertical of the brand, e.g., "banking" |
| `content.cookieNames` | keyword | Names of cookies set by page |
| `content.globalNames` | keyword | Names of non-default JavaScript global variables |
| `content.inputNames` | keyword | Name attributes of input fields on page |
| `content.inputTypes` | keyword | Type attributes of input fields on page |
| `content.storageNames` | keyword | Names of items in `localStorage` and `sessionStorage` set by page |
| `content.technologies` | keyword | Names of technologies detected according to Wappalyzer |
| `dom.hash` | keyword | SHA256 hash of the DOM before truncation |
| `dom.size` | integer | Size of the DOM before truncation |
| `frames.domains` | domain | Domains of frames |
| `frames.length` | integer | Number of frames |
| `frames.urls` | keyword **RE** | URLs of frames |
| `image.aspectration` | float | Aspect ratio of the screenshot |
| `image.hash` | keyword | SHA256 hash of the screenshot |
| `image.height` | integer | Height (in pixels) of the screenshot |
| `image.size` | integer | Size (in bytes) of the screenshot |
| `image.width` | integer | Width (in pixels) of the screenshot |
| `labels` | keyword | High-level system labels applied by urlscan |
| `links.domains` | domain | Domains of outgoing links |
| `links.length` | integer | Number of outgoing links |
| `links.urls` | keyword **RE** | URLs of outgoing links (to different domains than `page.domain`) |
| `meta` | keyword | IDs of matching subscriptions / saved searches |
| `scanner.country` | keyword | Scanner IP exit location (2-letter country code) |
| `submitter.country` | keyword | GeoIP country of the submitter (2-letter country code) |
| `text.content` | text | Visible text on the website and inline JS (first 20kB) |
| `text.hash` | keyword | SHA256 hash of the text before truncation |
| `text.size` | integer | Size of the text content before truncation |
| `usertags` | keyword | User-defined tags for Saved Searches that matched the scan |
| `verdicts.community.malicious` | text | The community verdict for a scan |
| `verdicts.engines.malicious` | integer | ML malicious verdict |
| `verdicts.engines.score` | integer | ML score of page from -100 (benign) to 100 (malicious) |
| `verdicts.lastVerdict` | date | Date the latest verdict for this scan was added |
| `verdicts.malicious` | boolean | Whether the page is considered malicious |
| `verdicts.score` | integer | Maliciousness score of page from -100 (benign) to 100 (malicious) |
| `verdicts.urlscan.malicious` | text | The urlscan malicious verdict |
| `visible.brandname` | text | Name of the brand the website claims to represent as determined by urlscan Brand AI |