Traffic Queries Syntax

Traffic queries can be used in several contexts:

to search traffic in the Explore section
to define Custom Rules
to define Endpoints

A traffic query is composed of terms and operators.
Multiple terms can be combined together with Boolean operators and parenthesis ( ) to form a more complex query

Term

All fields are listed below.
Fields and values are case sensitive.

field:value

Boolean Operator

Three boolean operators are available: AND OR NOT

Wildcard Searches

Multi-character wildcard

Wildcard searches * look for 0 or more characters.
For example, to include test, tests or tester in the same search, you can type the following:

useragent:test*

The wildcard character * cannot be used inside a double quote. Therefore you should avoid special characters.

Single-character wildcard

The Wildcard searches ?can be used to search for an unknown single character. For example, if you want to search for text or testyou can use the following

useragent:te?t

Range Searches

Range queries allow to match documents with field(s) values that are between lower and upper bounds specified by the range query.
Range queries are inclusive of the lower and upper bounds.

📘
CIDR format is supported
Please note that IP addresses can be written following the CIDR format: ip:1.2.3.0/24

ip:[1.2.3.4 TO 1.2.3.9]

ip:[2001\:0db8\:85a3\:0000\:0000\:8a2e\:0000\:0000 TO 2001\:0db8\:85a3\:0000\:0000\:8a2e\:ffff\:ffff]

Range queries can also have numeric ranges, such as:

asn:[1234 TO 4567]

Grouping

Grouping is using parentheses to group clauses to form sub-queries. This can be very useful if you want to control the boolean logic for a query.

The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:

useragent:test
ip:1.2.3.4

(useragent:"test" OR ip:1.2.3.4) AND domain:"www.example.com"

The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:

useragent:test
useragent:mywork

useragent:("test" OR "mywork") AND domain:"www.example.com"

Special Characters

The following characters need to be escaped by using a backslash:
+ - & | ! ( ) { } [ ] ^ " ~ * ? : \ ␣

useragent:*Windows\\\ NT* AND url:*\+*

Available fields

The fields available to search traffic in the Explore section, define Custom Rules or define Endpoints are listed in the following table.

Field Name	Type	Validity	Example	Description
accept	String	Explore, Custom rules, Endpoints	`accept:"application/json"`	Identify request header Accept value matching
acceptcharset	String	Explore, Custom rules, Endpoints	`acceptcharset:utf-8`	Identify request header Accept-Charset value matching "utf-8"
acceptencoding	String	Explore, Custom rules, Endpoints	`acceptencoding: "deflate, gzip;q=1.0, \*;q=0.5"`	Identify request header Accept-Encoding value matching -"deflate, gzip;q=1.0, *;q=0.5"
acceptlanguage	String	Explore, Custom rules, Endpoints	`acceptlanguage: en-gb`	Identify request header Accept-Language value containing "en-GB"
as	String	Explore	`as: "Comcast"`	Identify requests IP AS Name matching "Comcast"
asn	Number	Explore, Custom rules	`asn:(14618 OR 16509 OR 38895)`	Identify requests using an (Autonomous System Number) ASN: 14618 16509 38895
cachecontrol	String	Explore, Custom rules, Endpoints	`cachecontrol: no-cache`	Identify request header Cache-Control value containing "no-cache"
city	String	Explore, Custom rules	`city:"Paris"`	Identify requests incoming from: Paris
contenttype	String	Explore, Custom rules, Endpoints	`contenttype: text/html`	Identify requests with Content-Type header value matching "text/html"
countrycode	String	Explore, Custom rules	`NOT countrycode:(BE OR BG OR CZ OR DK OR DE OR EE OR IE OR EL OR ES OR FR OR HR OR IT OR CY OR LV OR LT OR LU OR HU OR MT OR NL OR AT OR PL OR PT OR RO OR SI OR SK OR FI OR SE OR UK OR IS OR LI OR NO OR CH)`	Identify requests that are not incoming from: A European country When there is a link to all country codes
countryname	String	Explore	`countryname:"United States"`	Identify requests IP from the United States
datadomeregion	String	Explore	`datadomeregion: us*`	Identify requests handled by Datadome's POPs Located in the US
domain	String	Explore, Custom rules, Endpoints	`domain:\*.back.example.com`	Identify all requests going to: dashboard.back.example.com bo.back.example.com
fileextension	String	Explore, Custom rules, Endpoints	`fileextension:"php"`	Identify the file extension of the resource targeted by the HTTP request, if the request URL points to a file. This includes common extensions like "html", "js", "php", "css", "jpg", "pdf" etc. The field is not present if the URL does not point to a file.
graphqlopname	String	Explore, Custom rules, Endpoints	`graphqlopname:Login`	Identify requests sent on a GraphQL endpoint with the Operation Name: Login
graphqloptype	String	Explore, Custom rules, Endpoints	`graphqloptype:mutation`	Identify requests sent on a GraphQL endpoint the operation type: mutation
headers	String	Endpoints	`headers:(Authorization AND X\-Forwarded\-For)`	List of comma-separated request header keys. The example identifies requests with header keys matching Authorization X-Forwarded-For
ip	IP	Explore, Custom rules	`ip:[1.2.3.4 TO 1.2.3.6]` `ip:11.22.33.44/22` `ip:1.2.3.4` `ip:"2001:0db8:85a3:0000:0000:8a2e:0370:7334"`	Identify all requests with IP : Range: 1.2.3.4 , 1.2.3.5 , 1.2.3.4.6 Single IPv4: 1.2.3.4 Single IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
ipownertype	String	Explore, Custom rules	`ipownertype: isp`	Type of the owner of the address IP which sent the HTTP request
isnewsession	Boolean	Explore, Custom rules	`isnewsession: true`	Identify session's initial request.
ja3	String	Explore, Custom rules, Endpoints	`ja3: e7d705a3286e19ea42f58ee6865`	JA3 TLS fingerprint
ja4	String	Explore, Custom rules, Endpoints	`ja4: t13d1516h2_8daaf6152771_02713d6af`	JA4 TLS fingerprint
method	String	Explore, Custom rules, Endpoints	`method:"POST"`	Identify all requests with: POST Method
modulename	String	Explore, Endpoints	`modulename:"Nginx"`	Identify requests processed by NGinx server-side module
moduleversion	String	Explore, Endpoints	`moduleversion:"2.49.0"`	identify requests handled by a Datadome's Server-side module which the version 2.49.0
origin	String	Explore, Custom rules, Endpoints	`origin: .datadome.co` `origin: "https://origin.datadome.co:8080"`	Identify requests which HTTP Origin request header value matches the domain or the specified patterns
pragma	String	Explore, Custom rules, Endpoints	`pragma: no-cache`	Identify request header pragma
protection	Boolan	Explore	`protection:enabled` `protection:disabled`	Whether DataDome protection was applied when processing the request. In case of disabled protection, a threat request is identified, but allowed.
protocol	String	Explore, Custom rules, Endpoints	`protocol:"http"`	Identify all requests with: HTTP protocol
referer	String	Explore, Custom rules, Endpoints	`referer:www.example.com/example`	Identify all requests incoming from: "www.example.com/example"
refererdomain	String	Explore, Custom rules, Endpoints	`refererdomain:"www.google.fr"`	Identify all requests incoming from: "www.google.fr"
requestid	String	Explore	`requestid:"48d84144-b7a3-4fce-b2f8-eecf372e8128"`	Search a request with its unique DataDome request ID: "48d84144-b7a3-4fce-b2f8-eecf372e8128"
reversedns	String	Explore, Custom rules	`reversedns:\*.example.com`	Identify all requests with a Reverse DNS: mail.example.com IP-34-45-56-23-box.example.com
responseformat	String	Explore	`responseformat: json`	Identify requests with Datadome's response format is: json
responsestatus	Number	Explore	`responsestatus: 403`	Identify requests with Datadome's response status is: 403
sessionid	String	Explore, Custom rules	`sessionid:AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ==`	Identify a specific session ID: AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ==
tor	Boolean	Explore, Custom rules	`tor:true`	Identify all requests using tor network
trafficsource	String	Explore	`trafficsource:"Web Browser"`	Identify all requests matching Datadome's endpoint with traffic source matching: "Web Browser"
trafficusage	String	Explore	`trafficusage:"login"`	Identify all requests matching Datadome endpoint with traffic usage matching: login
url	String	Explore, Custom rules, Endpoints	`url:(\_\\?utm_source=myUtm OR \_utm_source=myUtm)`	Identify all requests including the URL parameter: utm_source=myUtm
useragent	String	Explore, Custom rules, Endpoints	`useragent:"AdsBot-Google (+<http://www.google.com/adsbot.html)>"`	Identify all requests with the user agent: AdsBot-Google (+http://www.google.com/adsbot.html)
useragentengine	String	Explore, Custom rules	`useragentengine:WebKit`	Identify all requests with User-Agent header engine value matching: Mac
useragentfamily	String	Explore, Custom rules	`useragentfamily:desktop`	Identify all requests with User-Agent header family type value matching: desktop
useragentname	String	Explore, Custom rules	`useragentname:"Chrome"`	Identify all requests with User-Agent header OS value matching: Mac
useragentos	String	Explore, Custom rules	`useragentos:"Mac"`	Identify all requests with User-Agent header OS value matching: Mac
useragentosversion	String	Explore, Custom rules	`useragentosversion:"10.15.7"`	Identify all requests with User-Agent header OS version value matching: 10.15.7
useragentversion	String	Explore, Custom rules	`useragentversion:"138.0.0.0"`	Identify all requests with User-Agent header version value matching: 138.0.0.0
utmcampaign	String	Explore, Custom rules, Endpoints	`utmcampaign:"spring_sale"`	Identify all requests utm campaign tag value matching with: -textlink
utmcontent	String	Explore, Custom rules, Endpoints	`utmcontent:textlink`	Identify all requests utm content tag value matching with: -textlink
utmmedium	String	Explore, Custom rules, Endpoints	`utmmedium:ppc`	Identify all requests utm medium tag value matching with: -ppc
utmsource	String	Explore, Custom rules, Endpoints	`utmsource:google`	Identify all requests utm source tag value matching with: -google
utmterm	String	Explore, Custom rules, Endpoints	`utmterm:"running+shoes"`	Identify all requests utm term tag value matching with: -running+shoes
xrequestedwith	String	Explore, Custom rules, Endpoints	`xrequestedwith:"XMLHttpRequest"`	Identify all requests x-requested-width header value matching with: -XMLHttpRequest
xforwardedfor	String	Explore, Custom rules, Endpoints	`xforwardedfor:"11.22.33.44,55.66.77.88"`	Identify all requests x-forwarded-for header value matching with: 11.22.33.44.55,55.66.77.88