Search syntax
Last updated 2024-04-04
The Requests page lists individual requests that have been tagged with signals and that fit into the all or sampled data storage category. You can use the search bar and filter menus to narrow this list.
Filter menus
You can select values from the filter menus to find requests that meet specific criteria. Selected values auto-populate in the search bar where you can further modify the query. Filter options include:
- Time: filters the requests list based on when the requests were sent. For example, when 2 hours is selected, only requests that were made in the last two hours appear on the page.
- Attack signals: filters the requests list based on the attack signals that requests are tagged with. For example, when Attack Tooling is selected, only requests tagged with the Attack Tooling signal appear on the page.
- Anomaly signals: filters the requests list based on the anomaly signals that requests are tagged with. For example, when Address Changed is selected, only requests tagged with the Address Changed signal appear on the page.
- Response codes: filters the requests list based on the response codes associated with requests. For example, when 404 is selected, only requests with a 404 response code appear on the page.
Search bar
You can enter free-text and explicit queries into the search bar to find requests that meet specific criteria. Explicit queries follow the <key><operator><value> syntax, where:
- the key is the field to search upon.
- the operator defines the relationship of the key to the value.
- the value is the specific value used to filter the requests list.
Example free-text and explicit queries are as follows:
Free-text query | Explicit query | Description |
---|---|---|
/a/path/here sqli -7h | path:/a/path/here sqli from:-7h | Show all SQLI requests in the last 7 hours with this particular path |
RU | country:ru | All recent requests from Russia |
cn 500 | country:cn httpcode:500 | All recent requests from China that had a 500 error |
404 233.252.0.23 | httpcode:404 ip:233.252.0.23 | Recent requests from an IP that had a 404 error |
Keys
The keys that you can search on are as follows:
Name | Type | Description |
---|---|---|
agent | string | The server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname) |
agentcode | integer | The agent's internal response code |
bytesout | integer | HTTP response size in bytes |
country | string | Request estimated country of origin (e.g., US, RU) |
from | time | Filter output with requests since a particular date |
httpcode | integer | The HTTP response code of the response |
ip | string | Single IPv4 (ip:198.51.100.128), single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225), IPv4 CIDR (ip:198.51.100.0/24), IPv6 CIDR (ip:2001:0db8:1681:f16f::/64), IPv4 range (ip:198.51.100.0..198.51.100.255), or IPv6 range (ip:2001:0db8:1681:f16f:: through 2001:0db8:1681:f16f:ffff:ffff:ffff:ffff) |
ja3 | string | JA3 fingerprint |
method | string | HTTP Method (e.g., GET, POST) |
path | string | Request URL path, does not include query parameters |
payload | string | The data that triggered a signal (i.e., the attack value) |
protocol | string | HTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0 |
ratelimited | string | Requests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited:site.<threshold-signal>, where <threshold-signal> is replaced with the name of the threshold signal that you want to search for. |
responsemillis | integer | HTTP response time in milliseconds |
remotehost | string | Remote hostname (remotehost:www.example.com) or subdomain match (remotehost:~example.com) |
server | string | Requested server name in the HTTP request (e.g., example.com if http://example.com/name) |
tag | string | A particular signal on a request (e.g., SQLI, XSS) |
target | string | Server + Path |
sort | string | Sort with time-asc (oldest first) or time-desc (most recent first) |
until | time | Filter output with requests before a particular date |
useragent | string | The request's user agent (browser) |
Operators
When using operators, keep in mind the following:
- All values below can be quoted to allow for spaces.
- Adding - (minus) before any key negates the operation.
- Different key names function as an AND operator (from:-1h path:/foo).
- Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).
Supported operators include:
Operator | Meaning |
---|---|
key:value | equals |
key:=value | equals, alternate syntax |
-key:value | not equals, general negation of all operators |
key:!=value | not equals, alternate syntax |
key:>value | greater-than, integers only |
key:>=value | equals or greater-than, integers only |
key:<value | less-than, integers only |
key:<=value | equals or less-than, integers only |
key:value1..value2 | in range between value1 and value2, integers only. For time see from and until |
key:~value | search on the field with the terms provided |
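To show how the term grammar, the operators and the AND/OR rules above fit together, here is a small parser and matcher written for this page; it is an added illustration, not the product's own search implementation. It assumes a request is a plain dict keyed by the search key names, treats key:~value as a case-insensitive substring match, and leaves the from, until and sort keys to the time handling described later.

```python
import re
import shlex
from collections import defaultdict

# Term grammar: optional leading "-" (negation), key, ":", optional operator, value.
TERM_RE = re.compile(r'^(?P<neg>-?)(?P<key>[a-z]+):(?P<op>=|!=|>=|<=|>|<|~)?(?P<val>.*)$')
CMP = {'>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
       '<': lambda a, b: a < b, '<=': lambda a, b: a <= b}

def parse_query(query):
    """Return (negated, key, op, value) tuples; bare words become free-text terms."""
    terms = []
    for token in shlex.split(query):           # shlex keeps quoted values with spaces intact
        m = TERM_RE.match(token)
        if not m:
            terms.append((False, None, ':', token))
            continue
        op = m.group('op') or ':'
        if op == ':' and '..' in m.group('val'):
            op = '..'                           # value1..value2 range form
        terms.append((m.group('neg') == '-', m.group('key'), op, m.group('val')))
    return terms

def term_matches(term, request):
    neg, key, op, val = term
    if key is None:                             # free text: substring of any field
        hit = any(val.lower() in str(v).lower() for v in request.values())
    elif (actual := request.get(key)) is None:
        hit = False
    elif op in CMP:                             # integer comparisons
        hit = CMP[op](int(actual), int(val))
    elif op == '..':
        lo, hi = val.split('..', 1)
        hit = int(lo) <= int(actual) <= int(hi)
    elif op == '~':                             # assumption: substring search
        hit = val.lower() in str(actual).lower()
    else:                                       # ':' and '=' are equals, '!=' is not equals
        hit = (str(actual).lower() == val.lower()) != (op == '!=')
    return hit != neg                           # leading "-" inverts the whole term

def query_matches(query, request):
    """Same key name = OR, different key names = AND; time and sort keys are not filters here."""
    groups = defaultdict(list)
    for term in parse_query(query):
        if term[1] in ('from', 'until', 'sort'):
            continue
        groups[term[1] or ('text', term[3])].append(term)  # each free-text word is its own AND group
    return all(any(term_matches(t, request) for t in g) for g in groups.values())

SAMPLE = {'path': '/login', 'httpcode': 404, 'country': 'RU', 'ip': '233.252.0.23',
          'method': 'POST', 'tag': 'SQLI', 'responsemillis': 820}  # constructed request record
```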
Time
Time ranges can be specified in a number of ways using the from and until keys.
Queries on the Requests page are limited to a maximum time range of 7 days. Queries spanning more than a 7-day period will not yield any results. For example, if you wanted to find results from 2 weeks ago, your query would need to use from:-21d until:-14d, which is a 7-day window. A query of just from:-21d would not yield any results, as that would be a 21-day window.
Relative time
Suffix | Meaning |
---|---|
-5s | 5 seconds ago (from now) |
-5min | 5 minutes ago |
-5h | 5 hours ago |
-5d | 5 days ago |
-5w | 5 weeks ago |
-5mon | 5 months ago |
-5y | 5 years ago |
Examples:
- from:-5h (until now)
- from:-5h until:-4h (one hour range)
Absolute time
Absolute time is also allowed using:
- Unix UTC seconds since epoch
- Java/JavaScript UTC milliseconds since epoch
- ISO date format YYYYMMDD
Example absolute time, Unix UTC seconds:
- from:141384000 (until now)
- from:141384000 until:1413844691
Example absolute time, Java/JavaScript milliseconds UTC:
- from:141384000000 (until now)
- from:141384000000 until:1413844691000
Example absolute date, YYYYMMDD:
- from:20141031 (until now)
- from:20141031 until:20141225
You can also mix and match time formats:
from:20141031 until:-1h
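The following resolver, added for this page and not taken from the product, turns from and until values in every form listed above (relative suffixes, Unix seconds, Java/JavaScript milliseconds, YYYYMMDD) into UTC datetimes and applies the 7-day window rule. It assumes a month is 30 days and a year 365 days for the relative forms, and distinguishes seconds from milliseconds by magnitude rather than by digit count; the reference clock NOW is a constructed value so the examples are reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

UNIT = {'s': 'seconds', 'min': 'minutes', 'h': 'hours', 'd': 'days', 'w': 'weeks'}
MAX_WINDOW = timedelta(days=7)                 # page rule: queries span at most 7 days
NOW = datetime(2014, 11, 5, tzinfo=timezone.utc)  # constructed reference clock

def resolve_time(value, now=NOW):
    """Turn one from:/until: value into an aware UTC datetime."""
    m = re.fullmatch(r'-(\d+)(s|min|h|d|w|mon|y)', value)
    if m:                                      # relative suffix form, e.g. -5h (from now)
        n, unit = int(m.group(1)), m.group(2)
        if unit == 'mon':
            return now - timedelta(days=30 * n)    # assumption: month = 30 days
        if unit == 'y':
            return now - timedelta(days=365 * n)   # assumption: year = 365 days
        return now - timedelta(**{UNIT[unit]: n})
    if re.fullmatch(r'\d{8}', value):          # ISO-style YYYYMMDD
        return datetime.strptime(value, '%Y%m%d').replace(tzinfo=timezone.utc)
    if value.isdigit():                        # epoch value: seconds or milliseconds
        n = int(value)
        # assumption: anything at or above 1e11 is milliseconds, below it is seconds
        return datetime.fromtimestamp(n / 1000 if n >= 10**11 else n, tz=timezone.utc)
    raise ValueError(f'unrecognised time value: {value}')

def time_window(query, now=NOW):
    """Return (start, end, ok); ok is False when the window is missing, inverted or over 7 days."""
    start = end = None
    for key, val in re.findall(r'\b(from|until):(\S+)', query):
        if key == 'from':
            start = resolve_time(val, now)
        else:
            end = resolve_time(val, now)
    end = end or now                           # a bare from: runs until now
    ok = start is not None and start < end and end - start <= MAX_WINDOW
    return start, end, ok
```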