Traffic Queries Syntax

Traffic queries can be used in several contexts:

A traffic query is composed of terms and operators.
Multiple terms can be combined together with Boolean operators and parenthesis ( ) to form a more complex query

Term

All fields are listed below.
Fields and values are case sensitive.

field:value

Boolean Operator

Three boolean operators are available: AND OR NOT

Wildcard Searches

Multi-character wildcard

Wildcard searches * look for 0 or more characters.
For example, to include test, tests or tester in the same search, you can type the following:

useragent:test*

The wildcard character * cannot be used inside a double quote. Therefore you should avoid special characters.

Single-character wildcard

The Wildcard searches ?can be used to search for an unknown single character. For example, if you want to search for text or testyou can use the following

useragent:te?t

Range Searches

Range queries allow to match documents with field(s) values that are between lower and upper bounds specified by the range query.
Range queries are inclusive of the lower and upper bounds.

📘

CIDR format is supported

Please note that IP addresses can be written following the CIDR format: ip:1.2.3.0/24

ip:[1.2.3.4 TO 1.2.3.9]

ip:[2001\:0db8\:85a3\:0000\:0000\:8a2e\:0000\:0000 TO 2001\:0db8\:85a3\:0000\:0000\:8a2e\:ffff\:ffff]

Range queries can also have numeric ranges, such as:

asn:[1234 TO 4567]

Grouping

Grouping is using parentheses to group clauses to form sub-queries. This can be very useful if you want to control the boolean logic for a query.

The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:

  • useragent:test
  • ip:1.2.3.4
(useragent:"test" OR ip:1.2.3.4) AND domain:"www.example.com"

The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:

  • useragent:test
  • useragent:mywork
useragent:("test" OR "mywork") AND domain:"www.example.com"

Special Characters

The following characters need to be escaped by using a backslash:
+ - & | ! ( ) { } [ ] ^ " ~ * ? : \

useragent:*Windows\\\ NT* AND url:*\+*

Available fields

The fields available to search traffic in the Explore section, define Custom Rules or define Endpoints are listed in the following table.

Field NameTypeValidityExampleDescription
acceptStringExplore, Custom rules, Endpointsaccept:"application/json"Identify request header Accept value matching
acceptcharsetStringExplore, Custom rules, Endpointsacceptcharset:utf-8Identify request header Accept-Charset value matching

- "utf-8"
acceptencodingStringExplore, Custom rules, Endpointsacceptencoding: "deflate, gzip;q=1.0, \*;q=0.5"Identify request header Accept-Encoding value matching
-"deflate, gzip;q=1.0, *;q=0.5"
acceptlanguageStringExplore, Custom rules, Endpointsacceptlanguage: *en-gb*Identify request header Accept-Language value containing "en-GB"
asStringExploreas: "Comcast"Identify requests IP AS Name matching "Comcast"
asnNumberExplore, Custom rulesasn:(14618 OR 16509 OR 38895)Identify requests using an (Autonomous System Number) ASN:

- 14618
- 16509
- 38895
cachecontrolStringExplore, Custom rules, Endpointscachecontrol: *no-cache*Identify request header Cache-Control value containing "no-cache"
cityStringExplore, Custom rulescity:"Paris"Identify requests incoming from:

- Paris
contenttypeStringExplore, Custom rules, Endpointscontenttype: *text/html*Identify requests with Content-Type header value matching

- "text/html"
countrycodeStringExplore, Custom rulesNOT countrycode:(BE OR BG OR CZ OR DK OR DE OR EE OR IE OR EL OR ES OR FR OR HR OR IT OR CY OR LV OR LT OR LU OR HU OR MT OR NL OR AT OR PL OR PT OR RO OR SI OR SK OR FI OR SE OR UK OR IS OR LI OR NO OR CH)Identify requests that are not incoming from:

- A European country
- When there is a link to all country codes
countrynameStringExplorecountryname:"United States"Identify requests IP from the United States
datadomeregionStringExploredatadomeregion: us*Identify requests handled by Datadome's POPs Located in the US
domainStringExplore, Custom rules, Endpointsdomain:\*.back.example.comIdentify all requests going to:

- dashboard.back.example.com
- bo.back.example.com
fileextensionStringExplore, Custom rules, Endpointsfileextension:"php"Identify the file extension of the resource targeted by the HTTP request, if the request URL points to a file.
This includes common extensions like "html", "js", "php", "css", "jpg", "pdf" etc.
The field is not present if the URL does not point to a file.
graphqlopnameStringExplore, Custom rules, Endpointsgraphqlopname:LoginIdentify requests sent on a GraphQL endpoint with the Operation Name:

- Login
graphqloptypeStringExplore, Custom rules, Endpointsgraphqloptype:mutationIdentify requests sent on a GraphQL endpoint the operation type:

- mutation
headersStringEndpointsheaders:(*Authorization* AND *X\-Forwarded\-For*)List of comma-separated request header keys.
The example identifies requests with header keys matching

- Authorization
- X-Forwarded-For
ipIPExplore, Custom rulesip:[1.2.3.4 TO 1.2.3.6]
ip:11.22.33.44/22
ip:1.2.3.4
ip:"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
Identify all requests with IP :

- Range: 1.2.3.4 , 1.2.3.5 , 1.2.3.4.6
- Single IPv4: 1.2.3.4
- Single IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
ipownertypeStringExplore, Custom rulesipownertype: isp Type of the owner of the address IP which sent the HTTP request
isnewsessionBooleanExplore, Custom rulesisnewsession: trueIdentify session's initial request.
ja3StringExplore, Custom rules, Endpointsja3: e7d705a3286e19ea42f58ee6865JA3 TLS fingerprint
ja4StringExplore, Custom rules, Endpointsja4: t13d1516h2_8daaf6152771_02713d6afJA4 TLS fingerprint
methodStringExplore, Custom rules, Endpointsmethod:"POST"Identify all requests with:

- POST Method
modulenameStringExplore, Endpointsmodulename:"Nginx"Identify requests processed by NGinx server-side module
moduleversionStringExplore, Endpointsmoduleversion:"2.49.0"identify requests handled by a Datadome's Server-side module which the version

- 2.49.0
originStringExplore, Custom rules, Endpointsorigin: *.datadome.co*
origin: "https://origin.datadome.co:8080"
Identify requests which HTTP Origin request header value matches the domain or the specified patterns
pragmaStringExplore, Custom rules, Endpointspragma: no-cacheIdentify request header pragma
protectionBoolanExploreprotection:enabled
protection:disabled
Whether DataDome protection was applied when processing the request. In case of disabled protection, a threat request is identified, but allowed.
protocolStringExplore, Custom rules, Endpointsprotocol:"http"Identify all requests with:

- HTTP protocol
refererStringExplore, Custom rules, Endpointsreferer:www.example.com/exampleIdentify all requests incoming from:

- "www.example.com/example"
refererdomainStringExplore, Custom rules, Endpointsrefererdomain:"www.google.fr"Identify all requests incoming from:

- "www.google.fr"
requestidStringExplorerequestid:"48d84144-b7a3-4fce-b2f8-eecf372e8128"Search a request with its unique DataDome request ID:

- "48d84144-b7a3-4fce-b2f8-eecf372e8128"
reversednsStringExplore, Custom rulesreversedns:\*.example.comIdentify all requests with a Reverse DNS:

- mail.example.com
- IP-34-45-56-23-box.example.com
responseformatStringExploreresponseformat: jsonIdentify requests with Datadome's response format is:

- json
responsestatusNumberExploreresponsestatus: 403Identify requests with Datadome's response status is:

- 403
sessionidStringExplore, Custom rulessessionid:AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ==Identify a specific session ID:

- AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ==
torBooleanExplore, Custom rulestor:trueIdentify all requests using tor network
trafficsourceStringExploretrafficsource:"Web Browser"Identify all requests matching Datadome's endpoint with traffic source matching:

- "Web Browser"
trafficusageStringExploretrafficusage:"login"Identify all requests matching Datadome endpoint with traffic usage matching:

- login
urlStringExplore, Custom rules, Endpointsurl:(\_\\?utm_source=myUtm OR \_utm_source=myUtm)Identify all requests including the URL parameter:

- utm_source=myUtm
useragentStringExplore, Custom rules, Endpointsuseragent:"AdsBot-Google (+<http://www.google.com/adsbot.html)>"Identify all requests with the user agent:

- AdsBot-Google (+http://www.google.com/adsbot.html)
useragentengineStringExplore, Custom rulesuseragentengine:WebKitIdentify all requests with User-Agent header engine value matching:

- Mac
useragentfamilyStringExplore, Custom rulesuseragentfamily:*desktop*Identify all requests with User-Agent header family type value matching:

- desktop
useragentnameStringExplore, Custom rulesuseragentname:"Chrome"Identify all requests with User-Agent header OS value matching:

- Mac
useragentosStringExplore, Custom rulesuseragentos:"Mac"Identify all requests with User-Agent header OS value matching:

- Mac
useragentosversionStringExplore, Custom rulesuseragentosversion:"10.15.7"Identify all requests with User-Agent header OS version value matching:

- 10.15.7
useragentversionStringExplore, Custom rulesuseragentversion:"138.0.0.0"Identify all requests with User-Agent header version value matching:

- 138.0.0.0
utmcampaignStringExplore, Custom rules, Endpointsutmcampaign:"spring_sale"Identify all requests utm campaign tag value matching with:
-textlink
utmcontentStringExplore, Custom rules, Endpointsutmcontent:textlinkIdentify all requests utm content tag value matching with:
-textlink
utmmediumStringExplore, Custom rules, Endpointsutmmedium:ppcIdentify all requests utm medium tag value matching with:
-ppc
utmsourceStringExplore, Custom rules, Endpointsutmsource:googleIdentify all requests utm source tag value matching with:
-google
utmtermStringExplore, Custom rules, Endpointsutmterm:"running+shoes"Identify all requests utm term tag value matching with:
-running+shoes
xrequestedwithStringExplore, Custom rules, Endpointsxrequestedwith:"XMLHttpRequest"Identify all requests x-requested-width header value matching with:
-XMLHttpRequest
xforwardedforStringExplore, Custom rules, Endpointsxforwardedfor:"11.22.33.44,55.66.77.88"Identify all requests x-forwarded-for header value matching with:

- 11.22.33.44.55,55.66.77.88