urlscan Observe
urlscan Observe is our umbrella term for a combination of features on urlscan Pro. With the features that are part of urlscan Observe, you can automatically monitor and track changes to observables, such as hostnames, IPs, and URLs. urlscan Observe is not a single feature or product but rather the combination of existing and new concepts.
You can use Saved Searches to save interesting searches for scans and hostnames within the platform. If you create a Subscription for a saved search, you will be notified of any new hits matching that search. A subscription can also automatically create Incidents, which are containers for tracking observables with urlscan Observe. You can set up Channels to control where notifications from Subscriptions and Incidents are delivered. Each time a Notification is sent out, it will be visible in a separate data source.
Incidents
Incidents are the key data structure behind urlscan Observe. For each thing you want to observe, an incident has to be created. An incident controls how an observable is monitored and how alerts are generated. Incidents collect the previously seen state of that observable so that urlscan Observe can compare past to current observations and determine any changes to the observable. An incident has the following responsibilities:
- Scanning: An incident will automatically trigger full website scans using urlscan on a regular schedule.
- DNS resolutions: An incident will automatically trigger DNS resolutions of the domain or hostname every few minutes.
- State Tracking: An incident will keep track of the scan results and other data it has seen for the observable in each time window.
- Alerting: An incident will notify you via notification channels when it has observed new results in its states.
Observation Intervals
Incidents are monitored in discrete 10-minute intervals. Each interval is a snapshot of the attributes that were observed for that incident during that interval. Whenever there are new and previously unseen values observed in an interval, a notification will be sent if the incident is configured to do so.
The intervals will automatically be truncated once they exceed 2000 states or 200kB total size per incident. The truncation process will remove the oldest intervals until the thresholds are no longer exceeded.
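The interval bookkeeping described above, sketched as an added example (not urlscan's code): observations are bucketed into 10-minute intervals, a value counts as new when no retained interval contains it, and the oldest intervals are dropped once a threshold is exceeded. The class name, the JSON-based size measure, and judging novelty against retained intervals only are assumptions of this model.

```python
import json
from collections import OrderedDict

INTERVAL_SECONDS = 600   # 10-minute observation intervals (from the page)
MAX_STATES = 2000        # truncate above 2000 states (from the page)
MAX_BYTES = 200_000      # 200kB total size (page value; decimal kB assumed)


class IncidentModel:
    """Simplified model of one incident's interval history (hypothetical class)."""

    def __init__(self, max_states=MAX_STATES, max_bytes=MAX_BYTES):
        self.intervals = OrderedDict()  # interval start -> {attribute: [values]}
        self.max_states = max_states
        self.max_bytes = max_bytes

    def _size(self):
        # Assumption: size is the JSON-serialised length of all retained intervals.
        return len(json.dumps(list(self.intervals.items())).encode())

    def _seen(self, attribute, value):
        return any(value in s.get(attribute, []) for s in self.intervals.values())

    def observe(self, timestamp, attribute, value):
        """Record an observation; return True if the value was not seen before."""
        start = timestamp - timestamp % INTERVAL_SECONDS
        is_new = not self._seen(attribute, value)
        values = self.intervals.setdefault(start, {}).setdefault(attribute, [])
        if value not in values:
            values.append(value)
        # Remove the oldest intervals until both thresholds hold again.
        while len(self.intervals) > 1 and (
            len(self.intervals) > self.max_states or self._size() > self.max_bytes
        ):
            self.intervals.popitem(last=False)
        return is_new


def demo():
    # Constructed observations (unix time, attribute, value); timestamps ascending.
    events = [
        (0, "ip", "192.0.2.10"),
        (120, "ip", "192.0.2.10"),     # same interval, same value
        (700, "ip", "192.0.2.10"),     # next interval, value already seen
        (1300, "ip", "198.51.100.7"),  # previously unseen value
        (1900, "ip", "192.0.2.10"),
    ]
    model = IncidentModel(max_states=2)  # tiny cap so truncation is visible
    alerts = [(t, v) for t, a, v in events if model.observe(t, a, v)]
    return alerts, list(model.intervals)
```

With the cap lowered to two states, `demo()` reports two new values and retains only the intervals starting at 1200 and 1800 seconds.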
Quotas, Permissions, Scan Visibility
Incidents always belong to a single team. If multiple teams try to create an incident for the same observable, multiple unique incidents will be created. Only users from the team that owns the incident are able to modify or close the incident. For each team there will only be one incident created per subscription in case multiple subscriptions with the same incident profile match on the same observable.
Incidents work with per-day limits that are shared across the team and depend on your subscription level. As an example, a per-day limit of 100 will allow you to have 100 open unlisted incidents, or 25 open private incidents. Furthermore, you can only create 100 incidents in a given 24-hour time window, regardless of how many incidents are currently active.
Scans which are triggered by incidents will have the same scan visibility as the incident itself and will be deducted from your team's scan quota. If you don't have any scan quota available, the incidents will retry the scan a few times before abandoning it. The incident will contain observed attributes from private scans by the same team.