Traffic Queries Syntax
Traffic queries can be used in several contexts:
- to search traffic in the Explore section
- to define Custom Rules
- to define Endpoints
A traffic query is composed of terms and operators.
Multiple terms can be combined together with Boolean operators and parenthesis ( ) to form a more complex query
Term
All fields are listed below.
Fields and values are case sensitive.
field:value
Boolean Operator
Three boolean operators are available: AND OR NOT
Wildcard Searches
Multi-character wildcard
Wildcard searches * look for 0 or more characters.
For example, to include test, tests or tester in the same search, you can type the following:
useragent:test*
The wildcard character * cannot be used inside a double quote. Therefore you should avoid special characters.
Single-character wildcard
The Wildcard searches ?can be used to search for an unknown single character. For example, if you want to search for text or testyou can use the following
useragent:te?t
Range Searches
Range queries allow to match documents with field(s) values that are between lower and upper bounds specified by the range query.
Range queries are inclusive of the lower and upper bounds.
CIDR format is supported
Please note that IP addresses can be written following the CIDR format: ip:1.2.3.0/24
ip:[1.2.3.4 TO 1.2.3.9]
ip:[2001\:0db8\:85a3\:0000\:0000\:8a2e\:0000\:0000 TO 2001\:0db8\:85a3\:0000\:0000\:8a2e\:ffff\:ffff]
Range queries can also have numeric ranges, such as:
asn:[1234 TO 4567]
Grouping
Grouping is using parentheses to group clauses to form sub-queries. This can be very useful if you want to control the boolean logic for a query.
The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:
- useragent:test
- ip:1.2.3.4
(useragent:"test" OR ip:1.2.3.4) AND domain:"www.example.com"
The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:
- useragent:test
- useragent:mywork
useragent:("test" OR "mywork") AND domain:"www.example.com"
Special Characters
The following characters need to be avoided by using a backslash:
+ - & | ! ( ) { } [ ] ^ " ~ * ? : \ ␣
useragent:*Windows\\\ NT* AND url:*\+*
Available fields
The fields available to search traffic in the Explore section, define Custom Rules or define Endpoints are listed in the following table.
| Field Name | Type | Validity | Example | Description |
|---|---|---|---|---|
| asn | Number | Explore, Custom rules, Endpoints | asn:(14618 OR 16509 OR 38895) | Identify requests using an (Autonomous System Number) ASN: - 14618 - 16509 - 38895 |
| city | String | Explore, Custom rules | city:"Paris" | Identify requests incoming from: - Paris |
| countrycode | String | Explore, Custom rules | NOT countrycode:(BE OR BG OR CZ OR DK OR DE OR EE OR IE OR EL OR ES OR FR OR HR OR IT OR CY OR LV OR LT OR LU OR HU OR MT OR NL OR AT OR PL OR PT OR RO OR SI OR SK OR FI OR SE OR UK OR IS OR LI OR NO OR CH) | Identify requests that are not incoming from: - A European country - When there is a link to all country codes |
| domain | String | Explore, Custom rules, Endpoints | domain:*.back.example.com | Identify all requests going to: - dashboard.back.example.com - bo.back.example.com |
| fileextension | String | Explore, Custom rules, Endpoints | fileextension:"php" | Identify all php requests |
| graphqlopname | String | Explore, Custom rules, Endpoints | graphqlopname:Login | Identifies requests sent on a GraphQL endpoint with the Operation Name: - Login |
| graphqloptype | String | Explore, Custom rules, Endpoints | graphqloptype:mutation | Identifies requests sent on a GraphQL endpoint the operation type: - mutation |
| ip | IP | Explore, Custom rules, Endpoints | ip:[1.2.3.4 TO 1.2.3.6] ip:1.2.3.4 ip:"2001:0db8:85a3:0000:0000:8a2e:0370:7334" | Identify all requests with IP : - Range: 1.2.3.4 , 1.2.3.5 , 1.2.3.4.6 - Single IPv4: 1.2.3.4 - Single IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
| method | String | Explore, Custom rules, Endpoints | method:"POST" | Identify all requests with: - POST Method |
| protocol | String | Explore, Custom rules, Endpoints | protocol:"http" | Identify all requests with: - HTTP protocol |
| referer | String | Explore, Custom rules, Endpoints | referer:www.example.com/example | Identify all requests incoming from: - "www.example.com/example" |
| refererdomain | String | Explore, Custom rules, Endpoints | refererdomain:"www.google.fr" | Identify all requests incoming from: - "www.google.fr" |
| requestid | String | Explore | requestid:"48d84144-b7a3-4fce-b2f8-eecf372e8128" | Search a request with its unique DataDome request ID: - "48d84144-b7a3-4fce-b2f8-eecf372e8128" |
| reversedns | String | Explore, Custom rules, Endpoints | reversedns:*.example.com | Identify all requests with a Reverse DNS: - mail.example.com - IP-34-45-56-23-box.example.com |
| sessionid | String | Explore, Custom rules | sessionid:AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ== | Identify a specific session ID: - AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ== |
| tor | Boolean | Explore, Custom rules | tor:true | Identify all requests using tor network |
| url | String | Explore, Custom rules, Endpoints | url:(\_\\?utm_source=myUtm OR \_utm_source=myUtm) | Identify all requests including the URL parameter: - utm_source=myUtm |
| useragent | String | Explore, Custom rules, Endpoints | useragent:"AdsBot-Google (+http://www.google.com/adsbot.html)" | Identify all requests with the user agent: - AdsBot-Google (+http://www.google.com/adsbot.html) |
Updated about 7 hours ago