Search syntax

The ELLIO Threat Intelligence search bar accepts both bare IPs and structured queries. The query language is Lucene-flavoured: field: value pairs, combined with boolean operators, parentheses, and wildcards.

Operators

Operator	Meaning	Example
:	equals	classification: "malicious"
!:	not equals	classification!: "benign"
AND	both must match	tag: "Shodan" AND src.geo.country.code: "US"
OR	either must match	classification: "malicious" OR classification: "promiscuous"
( )	group expressions	(classification: "malicious" OR classification: "promiscuous") AND spoofable: false
*	wildcard (zero or more characters)	rdns: "*.censys-scanner.com"
?	single-character wildcard	http.path: "/admin?"
"..."	exact string with spaces or special characters	tag: "Fast Scanner (i.e. Masscan / ZMap)"

Always quote string values that contain spaces, special characters, or slashes. Numeric and enum values can be unquoted.

Field reference

29 fields, organised the way the dashboard organises them.

Core (4)

Field	Description	Example values
ip	The IP being searched	66.240.219.146, 198.51.100.0/24
rdns	Reverse DNS hostname	"*censys*", "scanner-202.hk2.censys-scanner.com", "scanner-*.*.censys-scanner.com"
classification	Threat classification	malicious, benign, promiscuous, unknown
spoofable	Whether the source IP could be spoofed (no TCP handshake)	true, false

HTTP (2)

Field	Description	Example values
http.path	Paths the IP requested	"/.env", "/admin", "/wp-admin", "/api/*"
http.user_agent	User-Agent strings the IP presented	"*bot*", "curl*", "Mozilla*", "*scanner*"

SSH (2)

Field	Description	Example values
ssh.auth.username	SSH usernames attempted	"admin", "root", "user", "*test*"
ssh.auth.password	SSH passwords attempted	"123456", "password", "admin", "*root*"

Fingerprints (3)

Field	Description	Example values
fingerprints.muonfp	MuonFP TCP-stack fingerprint	"29200:2-4-8-1-3:1400:7", "1024:2:1400:", "65535:*:*:*"
fingerprints.ja4	JA4 TLS fingerprint	"t13i190800_9dc949149365_97f8aa674fd9", "*_9dc949149365_e7c285222651"
fingerprints.ja3	JA3 TLS client fingerprint	"ec99bcb2c1e021d8ccd7e9012ea285e9", "48eb9b1182293f55c0710654b7b12fc6"

Intelligence (5)

Field	Description	Example values
tag	Human-readable tag	"Apache Path Traversal", "Fast Scanner (i.e. Masscan / ZMap)", "TP-Link Archer AX21 (AX1800) vulnerability exploit"
tag_id	Programmatic tag identifier	"adminer_detector", "apache_path_traversal"
mitre_attack.techniques	ATT&CK technique IDs	"T1595", "T1082", "T1190", "T1213"
mitre_attack.tactics	ATT&CK tactic IDs	"TA0043", "TA0007", "TA0001", "TA0009"
mitre_attack.sub_techniques	ATT&CK sub-technique IDs	"T1595.001", "T1552.001", "T1505.003", "T1071.001"

Network (5)

Field	Description	Example values
network.port	Any observed port (spoofable or not)	443, 80, 22, 3389
network.non_spoofable_port	Ports with confirmed TCP handshake	443, 80, 22
network.spoofable_port	Ports without confirmed TCP handshake	53, 123, 161
src.asn.number	Source ASN	15169, 8075, 13335
src.asn.name	Source ASN organisation	"AS13335 CLOUDFLARENET", "*Stark*", "*Techoff*"

Geolocation (8)

Field	Description	Example values
src.geo.country.code	Source country (ISO 3166-1 alpha-2)	"US", "CN", "RU", "GB"
src.geo.country.name	Source country name	"United States", "China", "Russian Federation"
src.geo.continent.code	Source continent code	"NA", "AS", "EU", "AF"
src.geo.continent.name	Source continent name	"North America", "Asia", "Europe"
dst.geo.country.code	Destination country (where the IP targeted)	"US", "RU", "GB"
dst.geo.country.name	Destination country name	"United States", "China", "Russian Federation"
dst.geo.continent.code	Destination continent code	"NA", "AS", "EU", "AF"
dst.geo.continent.name	Destination continent name	"North America", "Asia", "Europe"

Recipes

Useful combinations to copy-paste into the search bar.

Mass scanners from China or Russia

(src.geo.country.code: "RU" OR src.geo.country.code: "CN") AND tag: "Fast Scanner (i.e. Masscan / ZMap)"

High-confidence indicators only

Always filter spoofable sources out of automated decision-making:

classification: "malicious" AND spoofable: false

IPs targeting Palo Alto GlobalProtect

tag: "Palo Alto GlobalProtect Scanner" AND spoofable: false

IPs exploiting a specific CVE

The dashboard surfaces CVEs on the IP detail page. To find every IP exploiting a given CVE, search by the matching tag - for example:

tag: "Apache Path Traversal"

Scanners by attribution

tag: "Academy for Internet Research" OR tag: "Shodan"

Filter by reverse DNS pattern

rdns: "*.censys-scanner.com"

Filter by HTTP path probe

http.path: "/.env" OR http.path: "/.git/config"

Filter by SSH credential attempt

ssh.auth.username: "root" AND ssh.auth.password: "*"

Filter by JA4 fingerprint

fingerprints.ja4: "t13d1516h2_8daaf6152771_02713d6af862"

Cross-region reconnaissance

IPs in one continent that targeted ELLIO sensors in another:

src.geo.continent.code: "AS" AND dst.geo.continent.code: "NA"

Tips

• Quote anything with spaces or special characters. Tag names, ASN names, RDNS hostnames, HTTP paths, and SSH credentials almost always need quotes.
• Use wildcards to match families. rdns: "*.censys-scanner.com" catches every Censys scanner host. tag: "*Scanner*" catches every scanner tag.
• Group with parentheses before joining with AND. Mixing OR and AND without parentheses leads to ambiguous parsing.
• Add spoofable: false to anything you intend to feed into a blocklist or alerting pipeline - spoofable observations can come from a forged source.

What's next

• IP detail page - every field you saw in this reference, rendered for a single IP.
• Tags - the canonical list of values for the tag field.
• CTI API - programmatic per-IP lookup (single, extended, bulk). The CTI API takes IPs, not search-syntax queries; this reference is for the dashboard search bar.