Skip to content

Explore guide

Explore is the query workbench for monitored-domain lookup results in Have I Been Squatted. It searches data already collected for the organization, including permutations, registration data, Domain Name System (DNS) records, Hypertext Transfer Protocol (HTTP) signals, Transport Layer Security (TLS) certificate data, passive DNS and TLS observations, classification scores, screenshots, tags, and notes.

Use Explore when a question is too specific for a table filter but not ready to become a standing rule. The same Upsilon query language powers Explore and the Rules Engine, so a working Explore query can become a detection rule with minimal translation.

Explore query workbench

Open Domain monitoring > Explore from the application sidebar.

The page has three main areas:

  • Build your query: Query editor, examples, saved queries, field browser, time range, result limit, grouping, and rule actions
  • Results: Rich and raw result views for matching lookup results
  • Result details: A modal with the same enrichment panels used elsewhere in lookup review

Explore runs Upsilon queries against lookup results owned by the current organization. The query is combined with the selected time range, so both the lookup and result timestamps must fall inside the chosen window.

The default time range is Last 14 days. Available presets are Last 24 hours, Last 7 days, Last 14 days, and Last 30 days. The result limit can be 10, 25, 50, or 100.

Example queries:

permutation:*amazon*
levenshtein_distance:<3
classification.phishing:>0.7
classification.phishing:>0.8 AND registration_metadata.registration_date:>now-7d
(permutation:*login* OR permutation:*verify*) AND classification.phishing:>0.5

For syntax details, see the Upsilon query syntax reference.

Explore supports both guided filtering and raw Upsilon input.

  • Type plain text to search domains by permutation contains logic.
  • Use field clauses for exact, wildcard, numeric, date, array, and existence queries.
  • Use AND, OR, NOT, and parentheses to combine clauses.
  • Select Query help for syntax examples.
  • Select Fields to browse available fields by category and insert a field into the query.

The field browser groups fields into categories such as basic domain information, DNS records, server and infrastructure, web enrichment, classification scores, geolocation, TLS certificate, passive DNS/TLS, and registration data.

Useful field patterns:

dns_ns:@*cloudflare*
_exists_:rdap
registration_metadata.registration_date:>now-7d

Use GROUP BY to return one representative result per group. This is useful when a broad query returns many duplicate-looking rows and the review needs variety rather than every row.

Supported grouping fields are:

  • permutation
  • kind
  • levenshtein_distance
  • smtp
  • http_banner
  • origin_x509.issuer
  • origin_x509.subject
  • origin_x509.serial_number

Grouped results are still constrained by the selected time range, query, and result limit.

The Rich view shows compact cards for analyst review. The Raw view shows structured row data closer to the underlying lookup result shape. Selecting a result opens the detailed result modal for deeper inspection.

Export downloads the currently loaded result set in one of three formats:

  • Comma-separated values (CSV): Spreadsheet-friendly columns
  • JavaScript Object Notation (JSON): Pretty-printed JSON array
  • JSON Lines (JSONL): One JSON object per line for downstream processing

The export is bounded by the selected result limit. If a query matches more rows than the selected limit, narrow the query or run additional passes with different time windows or criteria.

Use Save Query to store a query with a name, description, time range, result limit, and optional group-by field. Use Saved queries to reload previous searches.

Saved queries are useful for repeat investigations, team handoff, and recurring review patterns that are not yet ready to become rules.

Explore is often the safest place to prototype a rule:

  1. Start with a broad query in Explore.
  2. Use the time range and result limit to test against recent lookup history.
  3. Inspect false positives and adjust the query.
  4. Select Generate Rule to open the rule builder with the current query.
  5. Finish severity, status, and notification behavior in the rule builder.

Only valid, non-empty queries can be sent to the rule builder. The action also requires the permissions needed to create rules.

Use Monitoring > Rules to manage existing rules, or open the rule builder directly when the query is already known. The rule builder accepts the same q query parameter that Explore uses when it generates a rule.

Explore keeps query state in the Uniform Resource Locator (URL). The q, t, limit, and groupBy parameters can be shared with another signed-in user in the same organization.

Example:

https://haveibeensquatted.com/app/monitoring/explore?q=classification.phishing%3A%3E0.7&t=14d&limit=25&groupBy=none

Shared URLs run against the receiving user’s organization access and current data. They do not expose result rows by themselves.