Free Text
In many cases, you can “just type” a free-text query.
Example | Description |
---|---|
/a/path/here sqli -7h | Show all SQLI in the last 7 hours with this particular path |
RU | All recent requests from Russia |
cn 500 | All recent requests from China that had a 500 error |
404 233.252.0.23 | Recent requests from an IP that had a 404 error |
Let us know if a free-text query did something you didn’t expect.
Explicit queries are made through the use of keys and operators. The previous sample queries can be made with keys and operators:
Free Text | Explicit Keys |
---|---|
/a/path/here sqli -7h | path:/a/path/here sqli from:-7h |
RU | country:ru |
cn 500 | country:cn httpcode:500 |
404 233.252.0.23 | httpcode:404 ip:233.252.0.23 |
Operators
- All values below can be quoted to allow for spaces.
- Adding - (minus) before any key negates the operation.
- Different key names function as an AND operator (from:-1h path:/foo).
- Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).
Operator | Meaning |
---|---|
key:value | equals |
key:=value | equals, alternate syntax |
-key:value | not equals, general negation of all operators |
key:!=value | not equals, alternate syntax |
key:>value | greater-than, integers only |
key:>=value | equals or greater-than, integers only |
key:<value | less-than, integers only |
key:<=value | equals or less-than, integers only |
key:value1..value2 | in range between value1 and value2, integers only. For time see from and until |
key:~value | search on the field with the terms provided |
Time
Time ranges can be specified in a number of ways using the from and until keys.
Queries on the Requests page of the console are limited to a maximum time range of 7 days. Queries spanning more than a 7 day period will not yield any results. For example, if you wanted to see results from 2 weeks ago, your query would need to use from:-21d until:-14d, which is a 7 day window. A query of just from:-21d would not yield any results, as that would be a 21 day window.
Relative time
Suffix | Meaning |
---|---|
-5s | 5 seconds ago (from now) |
-5min | 5 minutes ago |
-5h | 5 hours ago |
-5d | 5 days ago |
-5w | 5 weeks ago |
-5mon | 5 months ago |
-5y | 5 years ago |
Example:
- from:-5h (until now)
- from:-5h until:-4h (one hour range)
Absolute time
Absolute time is also allowed using:
- Unix UTC seconds since epoch
- Java/JavaScript UTC milliseconds since epoch
- ISO date format YYYYMMDD
Example absolute time, Unix UTC seconds:
- from:141384000 (until now)
- from:141384000 until:1413844691
Example absolute time, Java/JavaScript milliseconds UTC:
- from:141384000000 (until now)
- from:141384000000 until:1413844691000
Example absolute date, YYYYMMDD:
- from:20141031 (until now)
- from:20141031 until:20141225
You can also mix and match time formats:
from:20141031 until:-1h
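The following is an added example, not the console's own code: a small Python parser that applies the operator rules above (quoting, minus negation, the != alternate syntax, ranges and comparison operators) and resolves from/until values in the relative and absolute formats just described, rejecting a window wider than the 7 day limit. The month and year lengths and the default window when no from key is given are assumptions.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed parser for the query syntax described on this page; it is not the
# console's own code. Month and year lengths (30 and 365 days) are assumptions.
UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400,
                "w": 7 * 86400, "mon": 30 * 86400, "y": 365 * 86400}
MAX_WINDOW = 7 * 86400  # the Requests page limit stated above
TERM_RE = re.compile(r"^(-?)([a-z]+):(>=|<=|!=|>|<|=|~)?(.+)$")

def parse_query(query):
    """Split a query into (key, op, value, negated); bare words become free text."""
    terms = []
    for tok in shlex.split(query):  # honours quoting, e.g. path:"/a b"
        m = TERM_RE.match(tok)
        if not m:
            terms.append(("freetext", "=", tok, False))
            continue
        neg, key, op, val = m.groups()
        if op is None:
            op = "range" if ".." in val else "="
        elif op == "!=":  # alternate negation syntax, same as -key:value
            op, neg = "=", "-"
        terms.append((key, op, val, neg == "-"))
    return terms

def resolve_time(value, now):
    """Epoch seconds for a relative (-5h) or absolute (YYYYMMDD, s, ms) value."""
    m = re.fullmatch(r"-(\d+)(s|min|h|d|w|mon|y)", value)
    if m:
        return now - int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if re.fullmatch(r"\d{8}", value):  # ISO date YYYYMMDD, taken as UTC midnight
        dt = datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    if re.fullmatch(r"\d{12,13}", value):  # Java/JavaScript milliseconds
        return int(value) // 1000
    if re.fullmatch(r"\d{9,10}", value):  # Unix seconds
        return int(value)
    raise ValueError(f"unrecognised time value: {value!r}")

def time_window(terms, now):
    """Resolve from/until to (start, end) epoch seconds and enforce the 7-day limit."""
    end = next((resolve_time(v, now) for k, _, v, n in terms if k == "until" and not n), now)
    start = next((resolve_time(v, now) for k, _, v, n in terms if k == "from" and not n), None)
    if start is None:  # no from: key; assume "recent" means the last 7 days
        start = end - MAX_WINDOW
    if end - start > MAX_WINDOW:
        raise ValueError("range exceeds 7 days; narrow it with until: (e.g. from:-21d until:-14d)")
    return start, end
```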
Fields
Name | Type | Description |
---|---|---|
agent | string | The server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname) |
agentcode | integer | The agent's internal response code |
bytesout | integer | HTTP response size in bytes |
country | string | Request's estimated country of origin (e.g., US, RU) |
from | time | Filter output to requests since a particular date |
httpcode | integer | The response's HTTP status code |
ip | string | Single IPv4 (ip:198.51.100.128); single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225); IPv4 CIDR (ip:198.51.100.0/24); IPv6 CIDR (ip:2001:0db8:1681:f16f::/64); IPv4 range (ip:198.51.100.0..198.51.100.255); IPv6 range (ip:2001:0db8:1681:f16f::..2001:0db8:1681:f16f:ffff:ffff:ffff:ffff) |
method | string | HTTP method (e.g., GET, POST) |
path | string | Request URL path; does not include query parameters |
payload | string | The data that triggered a signal (i.e., the attack value) |
protocol | string | HTTP request protocol, typically HTTP/1.1 or HTTP/1.0 |
ratelimited | string | Requests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited:site.<threshold-signal>. Replace <threshold-signal> with the name of the threshold signal that you want to search for. |
responsemillis | integer | HTTP response time in milliseconds |
remotehost | string | Remote hostname (remotehost:www.example.com) or subdomain match (remotehost:~example.com) |
server | string | Requested server name in the HTTP request (e.g., "example.com" if http://example.com/name) |
tag | string | A particular signal on a request (e.g., SQLI, XSS) |
target | string | Server + path |
sort | string | Sort with time-asc (oldest first) or time-desc (most recent first) |
until | time | Filter output to requests before a particular date |
useragent | string | The request's user agent (browser) |