Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

Search syntax reference

The ELLIO Threat Intelligence search bar accepts both bare IPs and structured queries. The query language is Lucene-flavoured: field: value pairs, combined with boolean operators, parentheses, and wildcards.

Operator Meaning Example
: equals classification: "malicious"
!: not equals classification!: "benign"
AND both must match tag: "Shodan" AND src.geo.country.code: "US"
OR either must match classification: "malicious" OR classification: "promiscuous"
( ) group expressions (classification: "malicious" OR classification: "promiscuous") AND spoofable: false
* wildcard (zero or more characters) rdns: "*.censys-scanner.com"
? single-character wildcard http.path: "/admin?"
"..." exact string with spaces or special characters tag: "Fast Scanner (i.e. Masscan / ZMap)"

Always quote string values that contain spaces, special characters, or slashes. Numeric and enum values can be unquoted.

29 fields, organised the way the dashboard organises them.

Field Description Example values
ip The IP being searched 66.240.219.146, 198.51.100.0/24
rdns Reverse DNS hostname "*censys*", "scanner-202.hk2.censys-scanner.com", "scanner-*.*.censys-scanner.com"
classification Threat classification malicious, benign, promiscuous, unknown
spoofable Whether the source IP could be spoofed (no TCP handshake) true, false
Field Description Example values
http.path Paths the IP requested "/.env", "/admin", "/wp-admin", "/api/*"
http.user_agent User-Agent strings the IP presented "*bot*", "curl*", "Mozilla*", "*scanner*"
Field Description Example values
ssh.auth.username SSH usernames attempted "admin", "root", "user", "*test*"
ssh.auth.password SSH passwords attempted "123456", "password", "admin", "*root*"
Field Description Example values
fingerprints.muonfp MuonFP TCP-stack fingerprint "29200:2-4-8-1-3:1400:7", "1024:2:1400:", "65535:*:*:*"
fingerprints.ja4 JA4 TLS fingerprint "t13i190800_9dc949149365_97f8aa674fd9", "*_9dc949149365_e7c285222651"
fingerprints.ja3 JA3 TLS client fingerprint "ec99bcb2c1e021d8ccd7e9012ea285e9", "48eb9b1182293f55c0710654b7b12fc6"
Field Description Example values
tag Human-readable tag "Apache Path Traversal", "Fast Scanner (i.e. Masscan / ZMap)", "TP-Link Archer AX21 (AX1800) vulnerability exploit"
tag_id Programmatic tag identifier "adminer_detector", "apache_path_traversal"
mitre_attack.techniques ATT&CK technique IDs "T1595", "T1082", "T1190", "T1213"
mitre_attack.tactics ATT&CK tactic IDs "TA0043", "TA0007", "TA0001", "TA0009"
mitre_attack.sub_techniques ATT&CK sub-technique IDs "T1595.001", "T1552.001", "T1505.003", "T1071.001"
Field Description Example values
network.port Any observed port (spoofable or not) 443, 80, 22, 3389
network.non_spoofable_port Ports with confirmed TCP handshake 443, 80, 22
network.spoofable_port Ports without confirmed TCP handshake 53, 123, 161
src.asn.number Source ASN 15169, 8075, 13335
src.asn.name Source ASN organisation "AS13335 CLOUDFLARENET", "*Stark*", "*Techoff*"
Field Description Example values
src.geo.country.code Source country (ISO 3166-1 alpha-2) "US", "CN", "RU", "GB"
src.geo.country.name Source country name "United States", "China", "Russian Federation"
src.geo.continent.code Source continent code "NA", "AS", "EU", "AF"
src.geo.continent.name Source continent name "North America", "Asia", "Europe"
dst.geo.country.code Destination country (where the IP targeted) "US", "RU", "GB"
dst.geo.country.name Destination country name "United States", "China", "Russian Federation"
dst.geo.continent.code Destination continent code "NA", "AS", "EU", "AF"
dst.geo.continent.name Destination continent name "North America", "Asia", "Europe"

Useful combinations to copy-paste into the search bar.

(src.geo.country.code: "RU" OR src.geo.country.code: "CN") AND tag: "Fast Scanner (i.e. Masscan / ZMap)"

Always filter spoofable sources out of automated decision-making:

classification: "malicious" AND spoofable: false
tag: "Palo Alto GlobalProtect Scanner" AND spoofable: false

The dashboard surfaces CVEs on the IP detail page. To find every IP exploiting a given CVE, search by the matching tag - for example:

tag: "Apache Path Traversal"
tag: "Academy for Internet Research" OR tag: "Shodan"
rdns: "*.censys-scanner.com"
http.path: "/.env" OR http.path: "/.git/config"
ssh.auth.username: "root" AND ssh.auth.password: "*"
fingerprints.ja4: "t13d1516h2_8daaf6152771_02713d6af862"

IPs in one continent that targeted ELLIO sensors in another:

src.geo.continent.code: "AS" AND dst.geo.continent.code: "NA"
  • Quote anything with spaces or special characters. Tag names, ASN names, RDNS hostnames, HTTP paths, and SSH credentials almost always need quotes.
  • Use wildcards to match families. rdns: "*.censys-scanner.com" catches every Censys scanner host. tag: "*Scanner*" catches every scanner tag.
  • Group with parentheses before joining with AND. Mixing OR and AND without parentheses leads to ambiguous parsing.
  • Add spoofable: false to anything you intend to feed into a blocklist or alerting pipeline - spoofable observations can come from a forged source.
  • IP detail page - every field you saw in this reference, rendered for a single IP.
  • Tags - the canonical list of values for the tag field.
  • CTI API - programmatic per-IP lookup (single, extended, bulk). The CTI API takes IPs, not search-syntax queries; this reference is for the dashboard search bar.