The ELLIO Threat Intelligence search bar accepts both bare IPs and structured
queries. The query language is Lucene-flavoured: field: value pairs,
combined with boolean operators, parentheses, and wildcards.
Operator
Meaning
Example
:
equals
classification: "malicious"
!:
not equals
classification!: "benign"
AND
both must match
tag: "Shodan" AND src.geo.country.code: "US"
OR
either must match
classification: "malicious" OR classification: "promiscuous"
( )
group expressions
(classification: "malicious" OR classification: "promiscuous") AND spoofable: false
*
wildcard (zero or more characters)
rdns: "*.censys-scanner.com"
?
single-character wildcard
http.path: "/admin?"
"..."
exact string with spaces or special characters
tag: "Fast Scanner (i.e. Masscan / ZMap)"
Always quote string values that contain spaces, special characters, or
slashes. Numeric and enum values can be unquoted.
29 fields, organised the way the dashboard organises them.
Field
Description
Example values
ip
The IP being searched
66.240.219.146, 198.51.100.0/24
rdns
Reverse DNS hostname
"*censys*", "scanner-202.hk2.censys-scanner.com", "scanner-*.*.censys-scanner.com"
classification
Threat classification
malicious, benign, promiscuous, unknown
spoofable
Whether the source IP could be spoofed (no TCP handshake)
true, false
Field
Description
Example values
http.path
Paths the IP requested
"/.env", "/admin", "/wp-admin", "/api/*"
http.user_agent
User-Agent strings the IP presented
"*bot*", "curl*", "Mozilla*", "*scanner*"
Field
Description
Example values
ssh.auth.username
SSH usernames attempted
"admin", "root", "user", "*test*"
ssh.auth.password
SSH passwords attempted
"123456", "password", "admin", "*root*"
Field
Description
Example values
fingerprints.muonfp
MuonFP TCP-stack fingerprint
"29200:2-4-8-1-3:1400:7", "1024:2:1400:", "65535:*:*:*"
fingerprints.ja4
JA4 TLS fingerprint
"t13i190800_9dc949149365_97f8aa674fd9", "*_9dc949149365_e7c285222651"
fingerprints.ja3
JA3 TLS client fingerprint
"ec99bcb2c1e021d8ccd7e9012ea285e9", "48eb9b1182293f55c0710654b7b12fc6"
Field
Description
Example values
tag
Human-readable tag
"Apache Path Traversal", "Fast Scanner (i.e. Masscan / ZMap)", "TP-Link Archer AX21 (AX1800) vulnerability exploit"
tag_id
Programmatic tag identifier
"adminer_detector", "apache_path_traversal"
mitre_attack.techniques
ATT&CK technique IDs
"T1595", "T1082", "T1190", "T1213"
mitre_attack.tactics
ATT&CK tactic IDs
"TA0043", "TA0007", "TA0001", "TA0009"
mitre_attack.sub_techniques
ATT&CK sub-technique IDs
"T1595.001", "T1552.001", "T1505.003", "T1071.001"
Field
Description
Example values
network.port
Any observed port (spoofable or not)
443, 80, 22, 3389
network.non_spoofable_port
Ports with confirmed TCP handshake
443, 80, 22
network.spoofable_port
Ports without confirmed TCP handshake
53, 123, 161
src.asn.number
Source ASN
15169, 8075, 13335
src.asn.name
Source ASN organisation
"AS13335 CLOUDFLARENET", "*Stark*", "*Techoff*"
Field
Description
Example values
src.geo.country.code
Source country (ISO 3166-1 alpha-2)
"US", "CN", "RU", "GB"
src.geo.country.name
Source country name
"United States", "China", "Russian Federation"
src.geo.continent.code
Source continent code
"NA", "AS", "EU", "AF"
src.geo.continent.name
Source continent name
"North America", "Asia", "Europe"
dst.geo.country.code
Destination country (where the IP targeted)
"US", "RU", "GB"
dst.geo.country.name
Destination country name
"United States", "China", "Russian Federation"
dst.geo.continent.code
Destination continent code
"NA", "AS", "EU", "AF"
dst.geo.continent.name
Destination continent name
"North America", "Asia", "Europe"
Useful combinations to copy-paste into the search bar.
(src.geo.country.code: "RU" OR src.geo.country.code: "CN") AND tag: "Fast Scanner (i.e. Masscan / ZMap)"
Always filter spoofable sources out of automated decision-making:
classification: "malicious" AND spoofable: false
tag: "Palo Alto GlobalProtect Scanner" AND spoofable: false
The dashboard surfaces CVEs on the IP detail page. To find every IP exploiting
a given CVE, search by the matching tag - for example:
tag: "Apache Path Traversal"
tag: "Academy for Internet Research" OR tag: "Shodan"
rdns: "*.censys-scanner.com"
http.path: "/.env" OR http.path: "/.git/config"
ssh.auth.username: "root" AND ssh.auth.password: "*"
fingerprints.ja4: "t13d1516h2_8daaf6152771_02713d6af862"
IPs in one continent that targeted ELLIO sensors in another:
src.geo.continent.code: "AS" AND dst.geo.continent.code: "NA"
Quote anything with spaces or special characters. Tag names, ASN names, RDNS hostnames, HTTP paths, and SSH credentials almost always need quotes.
Use wildcards to match families. rdns: "*.censys-scanner.com" catches every Censys scanner host. tag: "*Scanner*" catches every scanner tag.
Group with parentheses before joining with AND. Mixing OR and AND without parentheses leads to ambiguous parsing.
Add spoofable: false to anything you intend to feed into a blocklist or alerting pipeline - spoofable observations can come from a forged source.
IP detail page - every field you saw in this reference, rendered for a single IP.
Tags - the canonical list of values for the tag field.
CTI API - programmatic per-IP lookup (single, extended, bulk). The CTI API takes IPs, not search-syntax queries; this reference is for the dashboard search bar.