Datascan data model
Design
All ONYPHE categories related to Attack Surface Management (ASM) share a common data model, based on the Datascan category. Datascan, Vulnscan and Riskscan form the backbone of our ASM capabilities.
datascan is the broadest category. It contains results from active Internet scanning, storing application-level responses from every open service we probe. From a single service, datascan can capture the raw response, protocol fingerprints, TLS certificate details, detected products and OS, extracted URLs and IPs, and application-specific metadata. It supports a wide range of protocols: HTTP, SMB, FTP, Telnet, RDP, VNC, databases, industrial protocols (Modbus), and many more.
vulnscan builds on the same base data model as datascan but is exclusively focused on vulnerability detection. It targets known vulnerable products and services, applying two complementary detection techniques: check-based detection (active, non-intrusive exploit-derived probes that conclusively confirm or deny a vulnerability) and version-based detection (version fingerprinting cross-referenced against CVE lists). The tag and cve fields are central to vulnscan: they tell you exactly which CVEs were detected and how confident the detection is.
riskscan is an enriched subset of datascan, ctiscan, and vulnscan. After comparing scan results with a CTI-informed risk baseline, riskscan retains records that match at least one meaningful risk condition, such as an exposed database, a critical CVE, a sensitive protocol (RDP, SMB, Telnet), or a compromised device. Every riskscan entry carries one or more risk::* tags that classify the risk type. The goal is to give security teams a pre-filtered, actionable view of their Internet-exposed attack surface, without having to write complex queries from scratch.
The shared data model is structured around a few organizing principles:
- Flat object nesting: fields are grouped by protocol or function under a common prefix (e.g., app.http, app.smb, device), but without deep nesting, so that filtering on any field is straightforward.
- Application-specific sub-objects: the app object contains a sub-object for each detected application protocol. For instance, if the service speaks HTTP, an app.http object is populated with headers, title, body hash, and more.
- Protocol-independent base fields: network coordinates (IP, port, transport, country, ASN) are always present regardless of the application protocol detected.
- Vulnerability fields at the root: cve, cpe, and their associated counts are top-level fields, reflecting the central importance of vulnerability data across all three categories.
- Aggregated lists for hostnames and CPEs: the hostname field stores a deduplicated list of all hostnames associated with the service, regardless of whether they came from DNS resolution or the TLS certificate. Similarly, the cpe field aggregates all detected technologies into a single list, whether identified at the root level, via the device sub-object, or through app.http.component entries.
All three categories share the same field types, with the same search implications:
- Keyword type allows exact, wildcard, or regex searches, but not full-text searches
- Text type allows full-text searches, but not wildcard or regex searches
- IP type allows CIDR searches, up to /8 subnets
- Boolean type allows searches with true or false values
- Integer type allows numeric and range searches
- Float type currently does not allow searches
- Geo point type currently does not allow searches
- Date type allows searches with time patterns
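The type rules above decide whether a query can work at all before it is sent. The following client-side validator is an added example, not ONYPHE code: it maps a subset of the fields documented on this page to their types and rejects terms the rules forbid (wildcards on text fields, CIDR blocks wider than /8, searches on float or geo point fields). The Lucene-style range syntax it accepts for integers is an assumption, as the page does not spell out the range syntax.

```python
import ipaddress
import re

# Field types as documented on this page (a representative subset).
# app.http.title is text with a keyword sub-field, so both sub-fields are listed.
FIELD_TYPES = {
    "category": "keyword", "tag": "keyword", "protocol": "keyword",
    "domain": "keyword", "hostname": "keyword", "product": "keyword",
    "productversion": "keyword", "subject.commonname": "keyword",
    "app.http.bodymd5": "keyword", "device.class": "keyword", "cve": "keyword",
    "app.http.title.keyword": "keyword", "asn": "keyword",
    "ip": "ip", "alternativeip": "ip", "app.extract.ip": "ip",
    "ipv6": "boolean", "tls": "boolean", "app.ftp.anonymous": "boolean",
    "app.smb.nullsession": "boolean",
    "port": "integer", "status": "integer", "cvecount": "integer",
    "data": "text", "summary": "text", "app.http.title.text": "text",
    "geolocus.latitude": "float", "geolocus.longitude": "float",
    "location": "geo point", "geolocus.location": "geo point",
    "@timestamp": "date", "validity.notafter": "date",
}

# One field:value term; the value is a double-quoted string, a [low TO high]
# range, or a bare token.
TERM_RE = re.compile(r'(\S+?):("[^"]*"|\[[^\]]*\]|\S+)')
# Assumption: integer ranges use Lucene-style [low TO high] syntax.
RANGE_RE = re.compile(r"\[\s*-?\d+\s+TO\s+-?\d+\s*\]")


def check_term(field, raw_value):
    """Return None if the term is searchable under the documented type rules,
    otherwise a short explanation of why the search cannot work."""
    ftype = FIELD_TYPES.get(field)
    if ftype is None:
        return f"{field}: unknown field"
    value = raw_value.strip('"')
    has_wildcard = "*" in value or "?" in value
    if ftype in ("float", "geo point"):
        return f"{field}: {ftype} fields currently do not allow searches"
    if ftype == "text":
        # Full-text only: wildcard and regex are not supported on text fields.
        return f"{field}: text fields do not allow wildcard searches" if has_wildcard else None
    if ftype == "ip":
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return f"{field}: {value!r} is not an IP address or CIDR block"
        if net.prefixlen < 8:
            return f"{field}: CIDR searches are limited to /8 subnets (got /{net.prefixlen})"
        return None
    if ftype == "boolean":
        return None if value in ("true", "false") else f"{field}: expects true or false"
    if ftype == "integer":
        if re.fullmatch(r"-?\d+", value) or RANGE_RE.fullmatch(value):
            return None
        return f"{field}: expects a number or a [low TO high] range"
    # keyword (exact, wildcard, regex) and date (time patterns) accept any value here.
    return None


def check_query(query):
    """Validate every field:value term of a query; returns the list of problems (empty = OK)."""
    problems = []
    for field, raw_value in TERM_RE.findall(query):
        problem = check_term(field, raw_value)
        if problem:
            problems.append(problem)
    return problems


if __name__ == "__main__":
    for q in (
        "category:datascan protocol:rdp domain:example.com",
        'category:datascan subject.commonname:"*.example.com"',
        "category:datascan app.http.title.text:admin*",
        "category:riskscan ip:10.0.0.0/4",
        "category:datascan geolocus.latitude:48.85",
    ):
        print(q, "->", check_query(q) or "OK")
```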
Sample queries
Find all exposed RDP services on a specific domain
category:datascan protocol:rdp domain:example.com
Find databases exposed without authentication
category:datascan device.class:database tag:open
Find a specific CVE across all vulnerable services
category:vulnscan cve:CVE-2021-44228
Find confirmed vulnerable services (check-based detection)
category:vulnscan tag:vulnerable
Find services with known exploited vulnerabilities (CISA KEV)
category:vulnscan tag:"cisa::kev"
Find all risks for a given IP
category:riskscan ip:198.51.100.1
Find all critical CVE risks
category:riskscan tag:risk::criticalcve
Find SMB null session exposures
category:riskscan tag:risk::smbnullsession
Find VPN servers as potential ransomware entry points
category:riskscan tag:risk::vpnserver
Find exposed management interfaces with login
category:riskscan tag:risk::loginmanagement
Find services with obsolete software
category:datascan tag:obsolete
Find services by HTTP title using full-text search
category:datascan app.http.title.text:admin
Find services by product name
category:datascan product:apache productversion:2.4.29
Find open S3-compatible buckets
category:riskscan tag:risk::openbucket
Find exposed SCADA and industrial devices
category:riskscan tag:risk::sensitivedevice
Find services with expired TLS certificates
category:riskscan tag:risk::certexpired
Search by certificate subject common name
category:datascan subject.commonname:"*.example.com"
Find services with anonymous FTP access
category:datascan app.ftp.anonymous:true
Search for a specific HTTP response body hash
category:datascan app.http.bodymd5:"d41d8cd98f00b204e9800998ecf8427e"
Find services with a specific ASN
Find compromised devices
category:riskscan tag:risk::compromised
Fields
Common fields
@timestamp
Type: date
Description: timestamp of when the data was collected. Allows tracking when a given service or vulnerability was last observed.
Categories: datascan, vulnscan, riskscan
@category
Type: keyword
Description: name of the data category. Values are datascan, vulnscan, or riskscan depending on the source index.
Categories: datascan, vulnscan, riskscan
tag
Type: keyword
Description: list of tags describing properties of the scanned service or detected risk. Tags serve multiple purposes: they classify detected protocols (e.g., tag:rdp), mark access conditions (e.g., tag:open for unauthenticated access), signal vulnerability status in vulnscan (tag:vulnerable, tag:notvulnerable, tag:maybevulnerable, tag:unknownvulnerable, tag:vulnerableversion, tag:notvulnerableversion, tag:partialversion, tag:version), and classify risks in riskscan using risk::* prefixed tags. See the tag reference pages for vulnscan and riskscan for the complete list.
Categories: datascan, vulnscan, riskscan
source
Type: keyword
Description: identifies which ONYPHE collector process gathered the data.
Categories: datascan, vulnscan, riskscan
Network identification
ip
Type: IP
Description: the IP address of the scanned Internet asset. Supports CIDR range searches up to /8.
Categories: datascan, vulnscan, riskscan
alternativeip
Type: IP
Description: IP addresses parsed from the service response body or found in the TLS certificate. For example, an HTTP response may reference internal IPs, or a certificate may embed IP SANs.
Categories: datascan, vulnscan, riskscan
ipv6
Type: boolean
Description: whether the scanned IP address is an IPv6 address.
Categories: datascan, vulnscan, riskscan
port
Type: integer
Description: the destination TCP or UDP port on the scanned asset.
Categories: datascan, vulnscan, riskscan
transport
Type: keyword
Description: transport protocol used for the scan. Either tcp or udp.
Categories: datascan, vulnscan, riskscan
protocol
Type: keyword
Description: application-layer protocol detected on the scanned service (e.g., http, rdp, smb, ftp, telnet, ssh, vnc, sip, modbus, ntp).
Categories: datascan, vulnscan, riskscan
protocolversion
Type: keyword
Description: version of the detected application protocol, when available.
Categories: datascan, vulnscan, riskscan
status
Type: integer
Description: HTTP status code returned by the service, when applicable.
Categories: datascan, vulnscan, riskscan
reason
Type: keyword
Description: HTTP reason phrase associated with the status code, when applicable.
Categories: datascan, vulnscan, riskscan
tls
Type: boolean
Description: whether a TLS negotiation was performed during the scan.
Categories: datascan, vulnscan, riskscan
hostname
Type: keyword
Description: list of all hostnames associated with the scanned service, aggregated from both DNS resolution and TLS certificate fields (subject CN, SANs).
Categories: datascan, vulnscan, riskscan
host
Type: keyword
Description: the left-most (least significant) label of a fully qualified domain name. For example, www is the host for the hostname www.onyphe.io.
Categories: datascan, vulnscan, riskscan
domain
Type: keyword
Description: registered domain extracted from the hostname or certificate.
Categories: datascan, vulnscan, riskscan
tld
Type: keyword
Description: top-level domain extracted from the hostname or certificate.
Categories: datascan, vulnscan, riskscan
subdomains
Type: keyword
Description: list of all hostname sections that are neither the registered domain nor the full hostname itself. For example, for the hostname www.qa.cloud.google.co.uk (where google.co.uk is the domain), subdomains would be ["qa.cloud.google.co.uk", "cloud.google.co.uk"].
Categories: datascan, vulnscan, riskscan
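The hostname, host and subdomains fields follow precise rules (hostnames aggregated and deduplicated across DNS and certificate names; subdomains being every name strictly between the full hostname and the registered domain). The functions below are an added example, not ONYPHE code, that reproduce those rules on constructed input; the registered domain is passed in explicitly because deriving it needs a public suffix list that this example does not ship.

```python
def aggregate_hostnames(forward, reverse, subject_commonname, subject_altnames):
    """Build the deduplicated hostname list the way the page describes it:
    DNS names (forward, reverse) plus TLS certificate names (subject CN, SANs).
    Order of first appearance is kept; case and trailing dots are normalized."""
    seen = []
    for name in [forward, reverse, subject_commonname, *subject_altnames]:
        if not name:
            continue
        name = name.lower().rstrip(".")
        if name not in seen:
            seen.append(name)
    return seen


def split_hostname(hostname, domain):
    """Derive host and subdomains for a hostname whose registered domain is known.
    host = left-most label; subdomains = every name strictly between the full
    hostname and the registered domain, longest first (matches the page's example)."""
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if hostname == domain:
        return {"host": domain.split(".")[0], "domain": domain, "subdomains": []}
    if not hostname.endswith("." + domain):
        raise ValueError(f"{hostname} is not under registered domain {domain}")
    # Labels to the left of the registered domain, e.g. ["www", "qa", "cloud"].
    prefix_labels = hostname[: -(len(domain) + 1)].split(".")
    subdomains = [".".join(prefix_labels[i:]) + "." + domain
                  for i in range(1, len(prefix_labels))]
    return {"host": prefix_labels[0], "domain": domain, "subdomains": subdomains}


if __name__ == "__main__":
    # Constructed record fragment, not real scan data.
    names = aggregate_hostnames(
        forward="www.example.com",
        reverse="host1.example.net",
        subject_commonname="www.example.com",
        subject_altnames=["www.example.com", "mail.example.com"],
    )
    print(names)
    print(split_hostname("www.qa.cloud.google.co.uk", "google.co.uk"))
```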
forward
Type: keyword
Description: the HTTP Host header value used in the scan request, and the forward DNS name used to resolve the target IP address.
Categories: datascan, vulnscan, riskscan
reverse
Type: keyword
Description: reverse DNS (PTR) resolution for the scanned IP address.
Categories: datascan, vulnscan, riskscan
url
Type: keyword
Description: URL used to reach the scanned service, when applicable (e.g., for HTTP scans).
Categories: datascan, vulnscan, riskscan
Geolocation (physical)
country
Type: keyword
Description: two-letter ISO country code for the physical location of the IP address.
Categories: datascan, vulnscan, riskscan
city
Type: keyword
Description: city associated with the physical location of the IP address.
Categories: datascan, vulnscan, riskscan
asn
Type: keyword
Description: autonomous system number (ASN) for the IP address, in ASXXXXX format.
Categories: datascan, vulnscan, riskscan
organization
Type: keyword
Description: hosting organization name associated with the IP address.
Categories: datascan, vulnscan, riskscan
subnet
Type: keyword
Description: IP subnet that contains the scanned IP address.
Categories: datascan, vulnscan, riskscan
location
Type: geo point
Description: GPS coordinates (latitude/longitude) of the IP address at country-level precision.
Categories: datascan, vulnscan, riskscan
Extended geolocation (logical, via whois)
The geolocus sub-object contains geolocation information derived from whois data, providing a logical view of the IP address ownership as opposed to the physical hosting location.
geolocus.asn
Type: keyword
Description: ASN from whois data.
Categories: datascan, vulnscan, riskscan
geolocus.continent
Type: keyword
Description: two-letter continent code from whois data.
Categories: datascan, vulnscan, riskscan
geolocus.continentname
Type: keyword
Description: full continent name from whois data.
Categories: datascan, vulnscan, riskscan
geolocus.country
Type: keyword
Description: two-letter ISO country code from whois data.
Categories: datascan, vulnscan, riskscan
geolocus.countryname
Type: keyword
Description: full country name from whois data.
Categories: datascan, vulnscan, riskscan
geolocus.domain
Type: keyword
Description: domain associated with the IP block in whois data.
Categories: datascan, vulnscan, riskscan
geolocus.isineu
Type: boolean
Description: whether the IP address belongs to a country within the European Union, according to whois data.
Categories: datascan, vulnscan, riskscan
geolocus.latitude
Type: float
Description: latitude from whois data at country-level precision.
Categories: datascan, vulnscan, riskscan
geolocus.longitude
Type: float
Description: longitude from whois data at country-level precision.
Categories: datascan, vulnscan, riskscan
geolocus.location
Type: geo point
Description: GPS coordinates from whois data at country-level precision.
Categories: datascan, vulnscan, riskscan
geolocus.netname
Type: keyword
Description: network name from whois data for the IP block.
Categories: datascan, vulnscan, riskscan
geolocus.organization
Type: keyword
Description: organization name from whois data for the IP block.
Categories: datascan, vulnscan, riskscan
geolocus.subnet
Type: keyword
Description: subnet from whois data for the IP block.
Categories: datascan, vulnscan, riskscan
Scanner node
The node sub-object contains information about the ONYPHE scanner that collected the data.
node.id
Type: keyword
Description: unique identifier of the scanner node that performed the scan.
Categories: datascan, vulnscan, riskscan
node.groupid
Type: keyword
Description: group identifier for the scanner node.
Categories: datascan, vulnscan, riskscan
node.country
Type: keyword
Description: logical country the scanner node is assigned to (may differ from physical location).
Categories: datascan, vulnscan, riskscan
node.physicalcountry
Type: keyword
Description: physical country where the scanner node is located.
Categories: datascan, vulnscan, riskscan
Software identification
product
Type: keyword
Description: name of the detected product or software running on the scanned service. For HTTP, this is typically derived from the Server header.
Categories: datascan, vulnscan, riskscan
productvendor
Type: keyword
Description: vendor of the detected product.
Categories: datascan, vulnscan, riskscan
productversion
Type: keyword
Description: version string of the detected product.
Categories: datascan, vulnscan, riskscan
productversionpatch
Type: keyword
Description: patch-level version string of the detected product, when available.
Categories: datascan, vulnscan, riskscan
OS identification
os
Type: keyword
Description: operating system identified on the scanned asset via fingerprinting.
Categories: datascan, vulnscan, riskscan
osvendor
Type: keyword
Description: vendor of the identified operating system.
Categories: datascan, vulnscan, riskscan
osversion
Type: keyword
Description: version of the identified operating system.
Categories: datascan, vulnscan, riskscan
osversionpatch
Type: keyword
Description: patch-level version of the identified operating system.
Categories: datascan, vulnscan, riskscan
osbits
Type: integer
Description: bitness of the identified OS (32 or 64).
Categories: datascan, vulnscan, riskscan
osdistribution
Type: keyword
Description: Linux distribution name, when the OS is identified as Linux.
Categories: datascan, vulnscan, riskscan
osdistributionversion
Type: keyword
Description: version of the Linux distribution, when applicable.
Categories: datascan, vulnscan, riskscan
Device classification
The device sub-object classifies the scanned asset into a functional category and associates it with a detected product.
device.class
Type: keyword
Description: functional class of the scanned device. Examples include database, vpn server, camera, printer, SCADA, medical, C2, IOT, Backup Solution, FTP Server, hvac, ups. This field is central to risk classification in riskscan.
Categories: datascan, vulnscan, riskscan
device.product
Type: keyword
Description: product name associated with the identified device class.
Categories: datascan, vulnscan, riskscan
device.productvendor
Type: keyword
Description: vendor of the product associated with the identified device class.
Categories: datascan, vulnscan, riskscan
device.productversion
Type: keyword
Description: version of the product associated with the identified device class.
Categories: datascan, vulnscan, riskscan
device.productversionpatch
Type: keyword
Description: patch-level version of the product associated with the identified device class.
Categories: datascan, vulnscan, riskscan
Vulnerability indicators
These fields are populated in all three categories but are especially central to vulnscan.
cve
Type: keyword
Description: list of CVE identifiers detected on the scanned service. In vulnscan, CVEs are set by both check-based and version-based detection. In datascan and riskscan, CVEs may be propagated from vulnscan results.
Categories: datascan, vulnscan, riskscan
cvecount
Type: integer
Description: number of CVEs detected on the scanned service.
Categories: datascan, vulnscan, riskscan
cpe
Type: keyword
Description: list of CPE (Common Platform Enumeration) identifiers associated with detected products and OS.
Categories: datascan, vulnscan, riskscan
cpecount
Type: integer
Description: number of CPEs associated with the scanned service.
Categories: datascan, vulnscan, riskscan
Application data
data
Type: text
Description: raw application response received from the scanned service. Stored as full-text searchable content up to 1 MB.
Categories: datascan, vulnscan, riskscan
datamd5
Type: keyword
Description: MD5 hash of the raw application response. Useful for deduplication and pivoting to identical services.
Categories: datascan, vulnscan, riskscan
datammh3
Type: integer
Description: MurmurHash3 hash of the raw application response. Useful for fast similarity matching.
Categories: datascan, vulnscan, riskscan
summary
Type: text
Description: a summarized, normalized representation of the application response. Useful for full-text searches on a cleaner form of the response data.
Categories: datascan, riskscan
summarymd5
Type: keyword
Description: MD5 hash of the summary field.
Categories: datascan, riskscan
summarymmh3
Type: integer
Description: MurmurHash3 hash of the summary field.
Categories: datascan, riskscan
app.length
Type: integer
Description: length in bytes of the raw application response.
Categories: datascan, vulnscan, riskscan
TLS certificate
These fields are populated when a TLS handshake was performed and a certificate was retrieved.
serial
Type: keyword
Description: serial number of the TLS certificate.
Categories: datascan, vulnscan, riskscan
ca
Type: boolean
Description: whether the certificate is a Certificate Authority (CA) certificate.
Categories: datascan, vulnscan, riskscan
basicconstraints
Type: keyword
Description: value of the Basic Constraints extension of the certificate.
Categories: datascan, vulnscan, riskscan
wildcard
Type: boolean
Description: whether the certificate contains a wildcard subject alternative name.
Categories: datascan, vulnscan, riskscan
version
Type: keyword
Description: X.509 version of the TLS certificate.
Categories: datascan, vulnscan, riskscan
keyusage
Type: keyword
Description: Key Usage extension values of the certificate (e.g., digitalSignature, keyEncipherment).
Categories: datascan, vulnscan, riskscan
extkeyusage
Type: keyword
Description: Extended Key Usage extension values of the certificate (e.g., serverAuth, clientAuth).
Categories: datascan, vulnscan, riskscan
fingerprint.md5
Type: keyword
Description: MD5 fingerprint of the TLS certificate.
Categories: datascan, vulnscan, riskscan
fingerprint.sha1
Type: keyword
Description: SHA-1 fingerprint of the TLS certificate.
Categories: datascan, vulnscan, riskscan
fingerprint.sha256
Type: keyword
Description: SHA-256 fingerprint of the TLS certificate.
Categories: datascan, vulnscan, riskscan
issuer.commonname
Type: keyword
Description: Common Name (CN) of the certificate issuer.
Categories: datascan, vulnscan, riskscan
issuer.organization
Type: keyword
Description: Organization (O) of the certificate issuer.
Categories: datascan, vulnscan, riskscan
issuer.organizationalunit
Type: keyword
Description: Organizational Unit (OU) of the certificate issuer.
Categories: datascan, vulnscan, riskscan
issuer.country
Type: keyword
Description: Country (C) of the certificate issuer.
Categories: datascan, vulnscan, riskscan
issuer.city
Type: keyword
Description: City (L, Locality) of the certificate issuer.
Categories: datascan, vulnscan, riskscan
issuer.email
Type: keyword
Description: Email address of the certificate issuer.
Categories: datascan, vulnscan, riskscan
issuer.serial
Type: keyword
Description: Serial number of the certificate issuer.
Categories: datascan, vulnscan, riskscan
subject.commonname
Type: keyword
Description: Common Name (CN) of the certificate subject. This is typically the hostname the certificate was issued for.
Categories: datascan, vulnscan, riskscan
subject.altname
Type: keyword
Description: Subject Alternative Names (SANs) of the certificate. Can contain multiple hostnames or IP addresses.
Categories: datascan, vulnscan, riskscan
subject.organization
Type: keyword
Description: Organization (O) of the certificate subject.
Categories: datascan, vulnscan, riskscan
subject.organizationalunit
Type: keyword
Description: Organizational Unit (OU) of the certificate subject.
Categories: datascan, vulnscan, riskscan
subject.country
Type: keyword
Description: Country (C) of the certificate subject.
Categories: datascan, vulnscan, riskscan
subject.city
Type: keyword
Description: City (L, Locality) of the certificate subject.
Categories: datascan, vulnscan, riskscan
subject.email
Type: keyword
Description: Email address of the certificate subject.
Categories: datascan, vulnscan, riskscan
subject.serial
Type: keyword
Description: Serial number of the certificate subject.
Categories: datascan, vulnscan, riskscan
publickey.algorithm
Type: keyword
Description: public key algorithm used in the certificate (e.g., RSA, EC).
Categories: datascan, vulnscan, riskscan
publickey.length
Type: keyword
Description: length in bits of the public key.
Categories: datascan, vulnscan, riskscan
publickey.exponent
Type: keyword
Description: RSA public key exponent, when applicable.
Categories: datascan, vulnscan, riskscan
signature.algorithm
Type: keyword
Description: signature algorithm used to sign the certificate (e.g., sha256WithRSAEncryption).
Categories: datascan, vulnscan, riskscan
validity.notbefore
Type: date
Description: date from which the certificate is valid.
Categories: datascan, vulnscan, riskscan
validity.notafter
Type: date
Description: date after which the certificate is no longer valid. Combined with the risk::certexpired tag, this can be used to find expired certificates.
Categories: datascan, vulnscan, riskscan
Application-specific fields
The app object contains protocol-specific sub-objects populated based on the detected application protocol. Only the sub-object corresponding to the detected protocol is populated for a given record.
app.extract.ip
Type: IP
Description: IP addresses extracted from the application response body.
Categories: datascan, vulnscan, riskscan
app.extract.hostname
Type: keyword
Description: hostnames extracted from the application response body.
Categories: datascan, vulnscan, riskscan
app.extract.domain
Type: keyword
Description: domain names extracted from the application response body.
Categories: datascan, vulnscan, riskscan
app.extract.url
Type: keyword
Description: URLs extracted from the application response body.
Categories: datascan, vulnscan, riskscan
app.extract.file
Type: keyword
Description: file paths or filenames extracted from the application response body.
Categories: datascan, vulnscan, riskscan
app.http.realm
Type: keyword
Description: HTTP authentication realm, present when the service requires HTTP Basic or Digest authentication.
Categories: datascan, vulnscan, riskscan
app.http.headermd5
Type: keyword
Description: MD5 hash of the HTTP response headers. The order of headers is preserved, making this suitable for server fingerprinting.
Categories: datascan, vulnscan, riskscan
app.http.headermmh3
Type: integer
Description: MurmurHash3 hash of the HTTP response headers.
Categories: datascan, vulnscan, riskscan
app.http.bodymd5
Type: keyword
Description: MD5 hash of the HTTP response body.
Categories: datascan, vulnscan, riskscan
app.http.bodymmh3
Type: integer
Description: MurmurHash3 hash of the HTTP response body.
Categories: datascan, vulnscan, riskscan
app.http.title
Type: text (with keyword sub-field)
Description: content of the HTML <title> tag in the HTTP response. Searchable as full-text (app.http.title.text) or as exact/wildcard keyword (app.http.title.keyword).
Categories: datascan, vulnscan, riskscan
app.http.keywords
Type: text (with keyword sub-field)
Description: content of the HTML <meta name="keywords"> tag.
Categories: datascan, vulnscan, riskscan
app.http.description
Type: text (with keyword sub-field)
Description: content of the HTML <meta name="description"> tag.
Categories: datascan, vulnscan, riskscan
app.http.copyright
Type: text (with keyword sub-field)
Description: copyright notice found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.component
Type: nested object list
Description: list of software components detected in the HTTP response (web frameworks, CMS, JavaScript libraries, etc.). Each entry has product, productvendor, productversion, and productversionpatch sub-fields. Because this is a nested type, use nested query syntax when filtering on multiple sub-fields of the same component entry.
Categories: datascan, vulnscan, riskscan
app.http.header
Type: nested object list
Description: list of HTTP response headers, each with a name and value sub-field. Useful for searching specific header values (e.g., app.http.header.name:server combined with app.http.header.value:"nginx"). Because this is a nested type, use nested query syntax when filtering on both name and value of the same header.
Categories: datascan, vulnscan, riskscan
app.http.tracker.ga
Type: keyword
Description: Google Analytics tracking ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.tracker.gaw
Type: keyword
Description: Google Ads (AdWords) tracking ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.tracker.gtm
Type: keyword
Description: Google Tag Manager ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.tracker.gpub
Type: keyword
Description: Google Publisher tag ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.tracker.fbq
Type: keyword
Description: Facebook Pixel tracking ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.tracker.snaptr
Type: keyword
Description: Snapchat Pixel tracking ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.http.tracker.newrelic
Type: keyword
Description: New Relic agent ID found in the HTTP response.
Categories: datascan, vulnscan, riskscan
app.smb.workgroup
Type: keyword
Description: SMB workgroup or Windows domain name announced by the service.
Categories: datascan, riskscan
app.smb.nullsession
Type: boolean
Description: whether the SMB service allows unauthenticated null session access. When true, this is a significant security risk (see risk::smbnullsession in riskscan).
Categories: datascan, riskscan
app.smb.servername
Type: keyword
Description: NetBIOS server name announced by the SMB service.
Categories: datascan, riskscan
app.smb.share
Type: keyword
Description: list of SMB shares advertised by the service.
Categories: datascan, riskscan
app.ftp.anonymous
Type: boolean
Description: whether the FTP service allows anonymous login without a password.
Categories: datascan, riskscan
app.telnet.fingerprint
Type: keyword
Description: Telnet protocol option negotiation fingerprint, used for Telnet service identification.
Categories: datascan, riskscan
app.database.name
Type: keyword
Description: name of a database found on the exposed database service.
Categories: datascan, riskscan
app.database.count
Type: integer
Description: number of databases found on the exposed database service.
Categories: datascan, riskscan
app.elasticsearch.clustername
Type: keyword
Description: Elasticsearch cluster name exposed by the service.
Categories: datascan, vulnscan, riskscan
app.elasticsearch.luceneversion
Type: keyword
Description: Lucene version reported by the Elasticsearch service.
Categories: datascan, vulnscan, riskscan
app.mongodb.name
Type: keyword
Description: MongoDB database name or instance name exposed by the service.
Categories: datascan, riskscan
app.dns.versionbind
Type: keyword
Description: BIND version string returned by the DNS service in response to a version.bind query.
Categories: datascan, riskscan
app.modbus.function
Type: keyword
Description: Modbus function code used in the probe response.
Categories: datascan, riskscan
app.modbus.code
Type: keyword
Description: Modbus exception or response code.
Categories: datascan, riskscan
app.modbus.objectcount
Type: integer
Description: number of Modbus objects returned.
Categories: datascan, riskscan
app.modbus.product
Type: keyword
Description: product name identified via Modbus Device Identification.
Categories: datascan, riskscan
app.modbus.productvendor
Type: keyword
Description: vendor name identified via Modbus Device Identification.
Categories: datascan, riskscan
app.modbus.productversion
Type: keyword
Description: product version identified via Modbus Device Identification.
Categories: datascan, riskscan
app.modbus.productversionpatch
Type: keyword
Description: product version patch level identified via Modbus Device Identification.
Categories: datascan, riskscan
app.modbus.information
Type: text
Description: raw Modbus Device Identification information string.
Categories: datascan, riskscan
app.ntp.leap
Type: keyword
Description: NTP leap indicator value.
Categories: datascan, riskscan
app.ntp.version
Type: keyword
Description: NTP protocol version reported by the service.
Categories: datascan, riskscan
app.ntp.mode
Type: keyword
Description: NTP operating mode (e.g., server, broadcast).
Categories: datascan, riskscan
app.ntp.stratum
Type: keyword
Description: NTP stratum level of the server.
Categories: datascan, riskscan
app.rtsp.realm
Type: keyword
Description: RTSP authentication realm, present when the RTSP stream requires authentication.
Categories: datascan
app.favicon.url
Type: keyword
Description: URL of the favicon detected on the HTTP service.
Categories: datascan
app.favicon.filename
Type: keyword
Description: filename of the favicon.
Categories: datascan
app.favicon.format
Type: keyword
Description: image format of the favicon (e.g., ico, png).
Categories: datascan
app.favicon.length
Type: integer
Description: size in bytes of the favicon image.
Categories: datascan
app.favicon.image
Type: binary
Description: raw binary content of the favicon image.
Categories: datascan
app.favicon.imagemd5
Type: keyword
Description: MD5 hash of the favicon image content. Commonly used for pivoting to services sharing the same favicon (Shodan-style favicon hash hunting).
Categories: datascan
app.favicon.imagemmh3
Type: integer
Description: MurmurHash3 hash of the favicon image content.
Categories: datascan
Company context
The company sub-object provides business context about the organization associated with the scanned asset. This information is correlated externally and may not always be present.
company.name
Type: keyword
Description: name of the company or organization associated with the scanned asset.
Categories: datascan, vulnscan, riskscan
company.globalrank
Type: integer
Description: global ranking of the company (e.g., Fortune Global ranking).
Categories: datascan, vulnscan, riskscan
company.fortunerank
Type: integer
Description: Fortune 500/Global 500 rank of the company, if applicable.
Categories: datascan, vulnscan, riskscan
company.sector
Type: keyword
Description: industry sector of the company (e.g., Technology, Finance, Healthcare).
Categories: datascan, vulnscan, riskscan
company.industry
Type: keyword
Description: specific industry of the company within its sector.
Categories: datascan, vulnscan, riskscan
company.country
Type: keyword
Description: country of incorporation or headquarters of the company.
Categories: datascan, vulnscan, riskscan